Abstract
The impressive growth of the IoT we witnessed in the recent years came together with a surge in cyber attacks that target it. Factories adhering to digital transformation programs are quickly adopting the IoT paradigm and are thus increasingly exposed to a large number of cyber threats that need to be detected, analyzed and appropriately mitigated. In this scenario, a common approach that is used in large organizations is to setup an attack triage system. In this setting, security operators can cherry-pick new attack patterns requiring further in-depth investigation from a mass of known attacks that can be managed automatically. In this paper, we propose an attack triage system that helps operators to quickly identify attacks with unknown behaviors, and later analyze them in detail. The novelty introduced by our solution is in the usage of process mining techniques to model known attacks and identify new variants. We demonstrate the feasibility of our approach through an evaluation based on three well-known IoT botnets, BASHLITE, LIGHTAIDRA and MIRAI, and on real current attack patterns collected through an IoT honeypot.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The name comes from the process used by ER-units in hospitals to quickly prioritize incoming patients depending on the severity of their health status.
- 2.
In this phase, the botnet issues commands on the shell of a device found on the internet to identify its architecture before deploying the appropriate attack payload. See Sect. 2 for further details.
- 3.
We use multisets because the same trace can appear multiple times in an event log.
- 4.
Note that distinguishing attack interactions from bening interactions, namely detecting attacks, is a different problem that is out of the scope of this paper. We assume that data fed as input only contains traces of attacks.
- 5.
ProM (http://www.promtools.org/) is an open-source framework for implementing process mining tools and algorithms.
- 6.
Many commercial IoT devices are based on linux-like operating systems.
References
Cowrie. https://github.com/cowrie/cowrie
The ddos that didn’t break the camel’s vac. https://goo.gl/p9kUCy (2017)
van der Aalst, W.M.P.: The application of Petri nets to workflow management. J. Circ. Syst. Comput. 8(01), 21–66 (1998)
van der Aalst, W.M.P.: Data science in action. Process Mining, pp. 3–23. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49851-4_1
van Aalst, W.M.P., van Hee, K.M., van Werf, J.M., Verdonk, M.: Auditing 2.0: using process mining to support tomorrow’s auditor. Computer 43(3), 90–93 (2010)
van der Aalst, W.M.P., Alves de Medeiros, A.K.: Process mining and security: detecting anomalous process executions and checking process conformance. Electron. Notes Theor. Comput. Sci. 121, 3–21 (2005)
Accorsi, R., Stocker, T.: On the exploitation of process mining for security audits: the conformance checking case. In: SAC 2012, pp. 1709–1716 (2012)
Accorsi, R., Stocker, T., Müller, G.: On the exploitation of process mining for security audits: the process discovery case. In: SAC 2013, pp. 1462–1468 (2013)
Adriansyah, A., Sidorova, N., van Dongen, B.F.: Cost-based fitness in conformance checking. In: ACSD 2011 (2011)
de Alvarenga, S.C., Zarpel, B., Miani, R.: Discovering attack strategies using process mining. In: AICT 2015, pp. 119–125 (2015)
Angrishi, K.: Turning internet of things (iot) into internet of vulnerabilities (iov): Iot botnets. Technical report. arXiv preprint arXiv:1702.03681 (2017)
Antonakakis, M., et al.: Understanding the mirai botnet. In: 26th USENIX Security Symposium, pp. 1093–1110 (2017)
Augusto, A., et al.: Automated discovery of process models from event logs: review and benchmark. IEEE TKDE 31(4), 686–705 (2018)
Bernardi, M.L., Cimitile, M., Distante, D., Martinelli, F., Mercaldo, F.: Dynamic malware detection and phylogeny analysis using process mining. Int. J. Inf. Secur. 18(3), 1–28 (2018)
Bertino, E., Islam, N.: Botnets and internet of things security. IEEE Comput. 2, 76–79 (2017)
Burattin, A.: Applicability of process mining techniques in business environments. Ph.D. thesis, University of Bologna, Italy (2013)
Burattin, A., Cimitile, M., Maggi, F.M., Sperduti, A.: Online discovery of declarative process models from event streams. IEEE Trans. Serv. Comp. 8(6), 833–846 (2015)
Calleja, A., Martín, A., Menéndez, H.D., Tapiador, J., Clark, D.: Picking on the family: disrupting android malware triage by forcing misclassification. Expert Syst. Appl. 95, 113–126 (2018)
Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding linux malware. In: 39th IEEE Symposium on Security and Privacy (SP), pp. 161–175 (2018)
De Giacomo, G., Maggi, F.M., Marrella, A., Patrizi, F.: On the disruptive effectiveness of automated planning for LTLf-based trace alignment. In: AAAI 2017, pp. 3555–3561 (2017)
van Dongen, B.F.: Efficiently computing alignments. In: BPM 2018 (2018)
Dumas, M., La Rosa, M., Mendling, J., Reijers, H.A., et al.: Fundamentals of Business Process Management, vol. 1. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-662-56509-4
Hossain, M.M., Fotouhi, M., Hasan, R.: Towards an analysis of security issues, challenges, and open problems in the internet of things. In: SERVICES 2015 (2015)
Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.: Adversarial machine learning. In: AISEC 2011, pp. 43–58 (2011)
Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: CCS 2011, pp. 309–320 (2011)
Jans, M., Alles, M., Vasarhelyi, M.: The case for process mining in auditing: sources of value added and areas of application. Int. J. Acc. Inf. Syst. 14(1), 1–20 (2013)
Kirat, D., Nataraj, L., Vigna, G., Manjunath, B.: Sigmal: a static signal processing based malware triage. In: ACSAC 2013, pp. 89–98 (2013)
de Leoni, M., Marrella, A.: Aligning real process executions and prescriptive process models through automated planning. Expert Syst. Appl. 82, 162–183 (2017)
Maggi, F.M., Burattin, A., Cimitile, M., Sperduti, A.: Online process discovery to detect concept drifts in ltl-based declarative process models. In: CoopIS 2013 (2013)
Maggi, F.M., Di Francescomarino, C., Dumas, M., Ghidini, C.: Predictive monitoring of business processes. In: CAiSE 2014, pp. 457–472 (2014)
Marzano, A., et al.: The evolution of Bashlite and Mirai IoT Botnets. In: ISCC 2018, pp. 813–818 (2018)
Shen, Y., Stringhini, G.: Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks. In: 28th Usenix Security Symposium (2019)
The OSWAP Fundation: OWASP Internet of Things Project. https://tinyurl.com/yc3plqr9 (2014)
Weijters, A.J.M.M., van der Aalst, W.M.P.: Rediscovering workflow models from event-based data using little thumb. Int. Comp.-Aided Eng. 10(2), 151–162 (2003)
Acknowledgments
This work has been partially supported by the Estonian Research Council Grant IUT20-55, the Italian “Dipartimento di Eccellenza” grant for DIAG at Sapienza University of Rome, the Sapienza grants IT-SHIRT, ROCKET and METRICS, the PANACEA project under the grant agreement 826293, and a student grant from Vitrociset S.p.A.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Coltellese, S., Maria Maggi, F., Marrella, A., Massarelli, L., Querzoni, L. (2019). Triage of IoT Attacks Through Process Mining. In: Panetto, H., Debruyne, C., Hepp, M., Lewis, D., Ardagna, C., Meersman, R. (eds) On the Move to Meaningful Internet Systems: OTM 2019 Conferences. OTM 2019. Lecture Notes in Computer Science(), vol 11877. Springer, Cham. https://doi.org/10.1007/978-3-030-33246-4_22
Download citation
DOI: https://doi.org/10.1007/978-3-030-33246-4_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-33245-7
Online ISBN: 978-3-030-33246-4
eBook Packages: Computer ScienceComputer Science (R0)