Skip to main content
SpringerLink
Log in

Triage of IoT Attacks Through Process Mining

  • Conference paper
  • First Online:
On the Move to Meaningful Internet Systems: OTM 2019 Conferences (OTM 2019)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 11877))

Abstract

The impressive growth of the IoT we witnessed in the recent years came together with a surge in cyber attacks that target it. Factories adhering to digital transformation programs are quickly adopting the IoT paradigm and are thus increasingly exposed to a large number of cyber threats that need to be detected, analyzed and appropriately mitigated. In this scenario, a common approach that is used in large organizations is to setup an attack triage system. In this setting, security operators can cherry-pick new attack patterns requiring further in-depth investigation from a mass of known attacks that can be managed automatically. In this paper, we propose an attack triage system that helps operators to quickly identify attacks with unknown behaviors, and later analyze them in detail. The novelty introduced by our solution is in the usage of process mining techniques to model known attacks and identify new variants. We demonstrate the feasibility of our approach through an evaluation based on three well-known IoT botnets, BASHLITE, LIGHTAIDRA and MIRAI, and on real current attack patterns collected through an IoT honeypot.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The name comes from the process used by ER-units in hospitals to quickly prioritize incoming patients depending on the severity of their health status.

  2. 2.

    In this phase, the botnet issues commands on the shell of a device found on the internet to identify its architecture before deploying the appropriate attack payload. See Sect. 2 for further details.

  3. 3.

    We use multisets because the same trace can appear multiple times in an event log.

  4. 4.

    Note that distinguishing attack interactions from bening interactions, namely detecting attacks, is a different problem that is out of the scope of this paper. We assume that data fed as input only contains traces of attacks.

  5. 5.

    ProM (http://www.promtools.org/) is an open-source framework for implementing process mining tools and algorithms.

  6. 6.

    Many commercial IoT devices are based on linux-like operating systems.

References

  1. Cowrie. https://github.com/cowrie/cowrie

  2. The ddos that didn’t break the camel’s vac. https://goo.gl/p9kUCy (2017)

  3. van der Aalst, W.M.P.: The application of Petri nets to workflow management. J. Circ. Syst. Comput. 8(01), 21–66 (1998)

    Article  Google Scholar 

  4. van der Aalst, W.M.P.: Data science in action. Process Mining, pp. 3–23. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49851-4_1

    Chapter  Google Scholar 

  5. van Aalst, W.M.P., van Hee, K.M., van Werf, J.M., Verdonk, M.: Auditing 2.0: using process mining to support tomorrow’s auditor. Computer 43(3), 90–93 (2010)

    Article  Google Scholar 

  6. van der Aalst, W.M.P., Alves de Medeiros, A.K.: Process mining and security: detecting anomalous process executions and checking process conformance. Electron. Notes Theor. Comput. Sci. 121, 3–21 (2005)

    Article  Google Scholar 

  7. Accorsi, R., Stocker, T.: On the exploitation of process mining for security audits: the conformance checking case. In: SAC 2012, pp. 1709–1716 (2012)

    Google Scholar 

  8. Accorsi, R., Stocker, T., Müller, G.: On the exploitation of process mining for security audits: the process discovery case. In: SAC 2013, pp. 1462–1468 (2013)

    Google Scholar 

  9. Adriansyah, A., Sidorova, N., van Dongen, B.F.: Cost-based fitness in conformance checking. In: ACSD 2011 (2011)

    Google Scholar 

  10. de Alvarenga, S.C., Zarpel, B., Miani, R.: Discovering attack strategies using process mining. In: AICT 2015, pp. 119–125 (2015)

    Google Scholar 

  11. Angrishi, K.: Turning internet of things (iot) into internet of vulnerabilities (iov): Iot botnets. Technical report. arXiv preprint arXiv:1702.03681 (2017)

  12. Antonakakis, M., et al.: Understanding the mirai botnet. In: 26th USENIX Security Symposium, pp. 1093–1110 (2017)

    Google Scholar 

  13. Augusto, A., et al.: Automated discovery of process models from event logs: review and benchmark. IEEE TKDE 31(4), 686–705 (2018)

    MathSciNet  Google Scholar 

  14. Bernardi, M.L., Cimitile, M., Distante, D., Martinelli, F., Mercaldo, F.: Dynamic malware detection and phylogeny analysis using process mining. Int. J. Inf. Secur. 18(3), 1–28 (2018)

    Google Scholar 

  15. Bertino, E., Islam, N.: Botnets and internet of things security. IEEE Comput. 2, 76–79 (2017)

    Article  Google Scholar 

  16. Burattin, A.: Applicability of process mining techniques in business environments. Ph.D. thesis, University of Bologna, Italy (2013)

    Google Scholar 

  17. Burattin, A., Cimitile, M., Maggi, F.M., Sperduti, A.: Online discovery of declarative process models from event streams. IEEE Trans. Serv. Comp. 8(6), 833–846 (2015)

    Article  Google Scholar 

  18. Calleja, A., Martín, A., Menéndez, H.D., Tapiador, J., Clark, D.: Picking on the family: disrupting android malware triage by forcing misclassification. Expert Syst. Appl. 95, 113–126 (2018)

    Article  Google Scholar 

  19. Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding linux malware. In: 39th IEEE Symposium on Security and Privacy (SP), pp. 161–175 (2018)

    Google Scholar 

  20. De Giacomo, G., Maggi, F.M., Marrella, A., Patrizi, F.: On the disruptive effectiveness of automated planning for LTLf-based trace alignment. In: AAAI 2017, pp. 3555–3561 (2017)

    Google Scholar 

  21. van Dongen, B.F.: Efficiently computing alignments. In: BPM 2018 (2018)

    Google Scholar 

  22. Dumas, M., La Rosa, M., Mendling, J., Reijers, H.A., et al.: Fundamentals of Business Process Management, vol. 1. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-56509-4

    Book  Google Scholar 

  23. Hossain, M.M., Fotouhi, M., Hasan, R.: Towards an analysis of security issues, challenges, and open problems in the internet of things. In: SERVICES 2015 (2015)

    Google Scholar 

  24. Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.: Adversarial machine learning. In: AISEC 2011, pp. 43–58 (2011)

    Google Scholar 

  25. Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: CCS 2011, pp. 309–320 (2011)

    Google Scholar 

  26. Jans, M., Alles, M., Vasarhelyi, M.: The case for process mining in auditing: sources of value added and areas of application. Int. J. Acc. Inf. Syst. 14(1), 1–20 (2013)

    Article  Google Scholar 

  27. Kirat, D., Nataraj, L., Vigna, G., Manjunath, B.: Sigmal: a static signal processing based malware triage. In: ACSAC 2013, pp. 89–98 (2013)

    Google Scholar 

  28. de Leoni, M., Marrella, A.: Aligning real process executions and prescriptive process models through automated planning. Expert Syst. Appl. 82, 162–183 (2017)

    Article  Google Scholar 

  29. Maggi, F.M., Burattin, A., Cimitile, M., Sperduti, A.: Online process discovery to detect concept drifts in ltl-based declarative process models. In: CoopIS 2013 (2013)

    Chapter  Google Scholar 

  30. Maggi, F.M., Di Francescomarino, C., Dumas, M., Ghidini, C.: Predictive monitoring of business processes. In: CAiSE 2014, pp. 457–472 (2014)

    Google Scholar 

  31. Marzano, A., et al.: The evolution of Bashlite and Mirai IoT Botnets. In: ISCC 2018, pp. 813–818 (2018)

    Google Scholar 

  32. Shen, Y., Stringhini, G.: Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks. In: 28th Usenix Security Symposium (2019)

    Google Scholar 

  33. The OSWAP Fundation: OWASP Internet of Things Project. https://tinyurl.com/yc3plqr9 (2014)

  34. Weijters, A.J.M.M., van der Aalst, W.M.P.: Rediscovering workflow models from event-based data using little thumb. Int. Comp.-Aided Eng. 10(2), 151–162 (2003)

    Article  Google Scholar 

Download references

Acknowledgments

This work has been partially supported by the Estonian Research Council Grant IUT20-55, the Italian “Dipartimento di Eccellenza” grant for DIAG at Sapienza University of Rome, the Sapienza grants IT-SHIRT, ROCKET and METRICS, the PANACEA project under the grant agreement 826293, and a student grant from Vitrociset S.p.A.

Author information

Authors and Affiliations

  1. DIAG, Sapienza Universitá di Roma, Rome, Italy

    Simone Coltellese, Andrea Marrella, Luca Massarelli & Leonardo Querzoni

  2. University of Tartu, Tartu, Estonia

    Fabrizio Maria Maggi

Authors
  1. Simone Coltellese
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabrizio Maria Maggi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Andrea Marrella
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Luca Massarelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Leonardo Querzoni
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Andrea Marrella .

Editor information

Editors and Affiliations

  1. University of Lorraine, Vandoeuvre Les Nancy Cedex, France

    Hervé Panetto

  2. Trinity College Dublin, Dublin, Ireland

    Christophe Debruyne

  3. Universität der Bundeswehr München, Munich, Germany

    Martin Hepp

  4. Trinity College Dublin, Dublin, Ireland

    Dave Lewis

  5. Università degli Studi di Milano Crema, Crema, Italy

    Claudio Agostino Ardagna

  6. TU Graz, Graz, Austria

    Robert Meersman

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Coltellese, S., Maria Maggi, F., Marrella, A., Massarelli, L., Querzoni, L. (2019). Triage of IoT Attacks Through Process Mining. In: Panetto, H., Debruyne, C., Hepp, M., Lewis, D., Ardagna, C., Meersman, R. (eds) On the Move to Meaningful Internet Systems: OTM 2019 Conferences. OTM 2019. Lecture Notes in Computer Science(), vol 11877. Springer, Cham. https://doi.org/10.1007/978-3-030-33246-4_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-33246-4_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-33245-7

  • Online ISBN: 978-3-030-33246-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation