The results presented here are obtained using the data collected from the prototype system in university laboratory setup. During the experimentation, we tried to simulate the behavior of an average house hold user to get better estimate of system performance in terms of user experiences. However, these results can vary in real world deployment setups depending on the mode of deployment. For example, the communication latency between Securebox and SMS is very low≈1.56(±0.1)mscompared to real world setups where SMS is deployed by a remote service. During evaluation, we have tried to model the number of simultaneous traffic flows in the networks equivalent to what we expect in a common house hold with 10-15 devices. The performance of system can be affected by the increase in number of simultaneous traffic flows in the network. The layout of network was also static compared to public Wi-Fi or enterprise networks where devices join/leave frequently. We have not evaluated the performance hit for the system in such scenarios.
Similarly, the system was also not evaluated for the out-of-band devices communications where IoT devices can directly influence other devices to perform an action e.g. “upon sensing an increase in room temperature by
temperature sensor, alarm rings and sounds of alarm results in activation of fire safety system”. Currently, we have a performed limited evaluation on securing D2D interactions within user network. We expect that this area will be explored to evaluate system performance in securing D2D interactions with single level or multilevel cross-device dependencies.
6 Features and Use Cases
The proposed system design is motivated by the need to developed a unified platform which can be deployed across a number of different scenario ranging from SOHO to enterprise network. The flexibility in deployment of proposed system allows the system to get a comprehensive view of disjoint network segments and use this global view to improve security situation in all those individual network segments. In this chapter, we discuss various features and use cases of our proposed platform including SOHO and enterprise scenarios.
We highlight the advantages and limitations of using the proposed system in each of these scenarios.
6.1 Device Discovery and Profiling
The proposed system uses device discovery and identification mechanism for improving network security and management. With growing popularity of IoT and smart devices, typical networks are expected to connect a number of devices. These devices can be specialized to perform different activities and average users may not be able to characterize these devices based on their network activity. Sect. 1 explains how these devices can be can be vulnerable and raise different security issues.
In order to deal with the security issues, the proposed system uses a dynamic access control mechanism. Securebox acts as sensor and enforcer of this dynamic control mechanism and SMS acts as the control plane deciding what access control should be applied. In order to minimize the solution’s reliance on human efforts, our system automates the task of device identification and security profiling. However, the automated services are always take suggestive or preventive measures only and their actions can be overridden by user’s choice.
Device discovery mechanism allows the system to identify any devices connected to the Securebox. Once the device is identified, Securebox can obtain device specific policies from SMS and enforce them in the network.
Device discovery mechanism is particularly useful to secure networks where unknown devices are frequently connected to the network. Using this mecha-nism, Securebox can actively prevent any attacks due to vulnerable device connected to the network.
SMS maintains a database of all identified devices and related security threats. This database is maintained by combing information from third parties, vulnerability databases and human experts. This database also contains devices related activity fingerprints, user registrations and data from device manufacturers, which is used to identify the devices when they are connected to the network. This information is also updated periodically using new device registrations and other data.
Securebox can use a variety of methods for device identification. The
proposed system requires users to register their personal devices with SMS for using device and context specific services at different Securebox. Device registration requires a user to give some information about the device and user preferences. This information is stored along with user profile and later used to identify the device when it is connected at different Secureboxes.
For the devices which are not registered to the Securebox e.g. in an enterprise guest networks, where unknown device connected to the network.
Securebox can use device activity to recognize the devices. For this purpose, SMS needs to maintain a database of device activity signatures. These signatures can also be obtained from user’s registered devices and user anonymity can be ensured by removing any user related information from these signatures. When a device connects to the network, Securebox analyzes its network activity to obtain a signature for device activity, which is used by SMS to identify the device and enforce required policies to the network.
SMS also allows users to setup device profiles which is a quick and handy way to set up device preferences. Each of these profiles include a set of preferences e.g. “parental control”profile will include all preference which are required for parental control setup. Users can dynamically set these profiles on any of the devices. As soon as the device profile is updated, SMS will generate a policy database update for Securebox where the device is currently connected so that device activity is limited by the profiles preferences.
Device profile reduces the effort to individually setup and update policies for each of the user registered devices. This is very useful in enterprise scenarios, where the number of device is huge and network management team can easily update or limit the access to set of devices by updating device profile preferences.