The University of Arizona

International Collaborative Projects

Anomaly Detection in Internet of Things Sensors with Discrete Wavelet Transform

By Clarisa Grijalva (Mexico)

Advances in mobile and pervasive computing, social network technologies and the exponential growth in Internet applications and services will lead to the development of the next generation of Internet services (Internet of Things, IoT) that are pervasive, ubiquitous, and touch all aspects of our life. The amount of data being received in real time, from heterogeneous sources in the IoT, makes it extremely difficult to detect when a system is being compromised. In an IoT environment (e.g. Smart Buildings), key components are the sensors for representing the physical world in the digital world. Sensors have been an easy target for attackers because they are typically not well protected and can be easily exploited. Hence, it is critically important to proactively detect when a sensor is compromised, and to take recovery actions. We developed an algorithm to create a sensor-DNA data structure that uniquely defines the correct operations of the sensor and can be used to detect sensor compromises and attacks. We have a variety of sensors that each behave in a unique manner. Their behavior can be obtained from their features (e.g. frequency and address). In our approach, we use Discrete Wavelet Transform (DWT) to create a reference model, which can be used to accurately characterize the normal behavior of the sensors. Our methodology involves two stages: 1) Offline Training, in which we use the information about sensor normal operations to create the reference data structure that we refer to as s-DNA; 2) Online Testing, where a runtime s-DNA is created to be compared with the reference data structure.

Security Development Framework for Building Trustworthy Smart Car Services

By Helena Berkenbrock (Brazil)

Modern and soon autonomous vehicles are controlled by complex distributed systems comprising a large number of heterogeneous nodes with rich connectivity provided by internal networks and the Internet. With the exponential increase in vehicle intelligence and connectivity, security and privacy have become the main concerns for automotive systems. Researchers have shown that modern vehicles can be attacked through a variety of access interfaces such as USB and wireless channels. By compromising a single control unit, a capable attacker may gain access to other vehicle units via internal communication buses such as the controller area network (CAN), and attack critical subsystems. As CAN gets interconnected with the Internet, it becomes an easy target for cyber adversaries, especially since it was never designed to handle cyber threats. This makes CAN data vulnerable to falsification attacks that lead to incorrect information delivery to users, thus causing them to take wrong and dangerous actions. It also allows adversaries to potentially execute malicious commands on control systems, causing harmful actions (e.g. disabling the brake system). Therefore, it is critically important to secure and protect smart vehicle operations against any type of cyber-attack. We are developing trustworthy Vehicle Information and Management Portal (VIMP) services to support smart car applications. The VIMP will make all the components and/or devices within a vehicle universally accessible by visiting the vehicle portal, which will be unique for each car or vehicle. The VIMP uses cloud and Internet technologies for communication (voice, video), entertainment, monitoring traffic, and emergencies. Furthermore, each VIMP is accessible in a similar way to the ubiquitous access to any Internet website.
By connecting cars to VIMP services, we can offer revolutionary new services in entertainment, communication, collaboration, and on-line monitoring to increase safety by proactively and reactively warning about the vehicle’s current dangerous conditions, continuous access to field data, and on-line firmware update, just to name a few. In addition, we show how VIMP services can be protected against a wide range of cyber-attacks. (See video at:

Big Data Analytics Applied to Anomaly Detection in User Behavior

By Gwenael Ambrosino-Ielpo (France)

With the increasing threat of hackers, cybersecurity issues and account protection are a major priority in our society. That’s why it’s important to analyze users’ behavior in order to guard them from any usurpation. The goal of our project will be to create a user DNA using a dataset of his/her actions. In order to process billions of profiles, the approach that must be taken to solve this problem is to use Big Data technologies such as Hadoop. This software provides a good way to analyze huge amounts of data by distributing it across large computer clusters. A module of Hadoop called Spark is useful for this application; its architecture allows it to run and process data much faster than Hadoop does.
The approach taken to resolve this problem was more mathematical: the first thing needed was to reduce the amount of data as much as possible. Even with tools like Spark, terabytes of data take a long time to process, so to detect which actions could present an anomaly, it’s necessary to use a function to compute the probability that each user action is suspicious. By using parameters from the user session, like his/her hours of connection, the number of times he/she connects to an address and a predictive model of his/her actions, the trustworthiness can be calculated without deeply analyzing the data, to determine whether the session is compromised or not.

Creating a Model to Prevent Eventual Suspicious Activities on a User Account

By Enzo Lebrun (France)

IP address and account information are the only things that identify people on the Internet. The problem is that these data are not trustworthy: they can be stolen or changed, and people or algorithms can access private information. That’s why it’s necessary to generate a DNA for a given user. This model will be generated from every action the user has done since he registered. For example, if the user is browsing the Internet and afterwards checks his mail, those facts (with many more) will be used to generate a routine. The correct succession of those activities will be proof of the user’s singularity. Then, if someone else is using his computer or his session, different habits will be detected and the imposture will be identified. This algorithm needs to be tolerant of slight differences in the user’s behavior (because people don’t always act the same, we are not robots!). This program will also need to be self-sufficient. If the comparison of the actions in the user’s sessions shows nothing suspicious at all, then the model will add those data in order to adapt to the actual user behavior. Those activities are stored in huge files, like a Wi-Fi network connection, so it’s necessary to use big data tools such as Spark in order to extract the useful information which will create every user profile.

Anomaly Behavior Analysis for Smart Grid Automation System

By Angel Abraham Orozco Duran (Mexico)

Urban Internet of Things systems are characterized by their application domain and they are designed to support the Smart City (SC) vision. The SC objective is to exploit advanced communication technologies to support the delivery of high quality services. A key element in a SC is the Smart Grid System (SGS), which is meant to be more efficient, reliable, and secure in managing electric power resources. SGSs rely on the collection and analysis of data coming from devices such as sensors across the grid, which allow automated systems to perform advanced actions to accomplish their goals of efficiency and reliability. However, with the use of SGSs, we are experiencing grand security challenges to protect such advanced and complex systems against errors and cyberattacks. In this work, we present an anomaly behavior analysis (ABA) system to detect and categorize several fault scenarios that may occur in SGSs. We tested our approach to detect normal operations, physical failures, and cyber-attacks. We applied our ABA methodology to a smart phasor measurement unit (PMU) to analyze, identify, and categorize the different SGS behaviors. The results show that our methodology can be used to accurately detect threats in both SGS and PMU with high detection rates and low false alarms.

Anomaly Based Intrusion Detection System for IoT Sensors

By Jesus Ivan Amador Sanchez (Mexico)

The Internet of Things (IoT) will connect not only computers and mobile devices, but also smart buildings, homes, and even electrical grids and water networks, to mention a few. None of the mentioned applications are exempt from failures, which could be triggered by external and internal factors, causing partial or complete damage to IoT systems and leading to potential life-threatening scenarios. In any IoT application, sensors are indispensable to bring the physical world into the digital world. However, IoT sensors will introduce grand security challenges as they contribute to a significant increase in the attack surface. In this work, we present an Anomaly Based Intrusion Detection System (AB-IDS) method to discover when an IoT sensor has been compromised. Our AB-IDS builds unique signatures (reference model) for each sensor, which can be used to detect if a sensor has been compromised and will alert the user in case of any drift in the behavior that can be due to natural causes (i.e. a faulty sensor battery) or to a cyber-attack. The reference model is built offline and tested in real time to classify the behavior of the sensor as normal or abnormal, based on a computed margin in which the sensor’s behavior is considered as normal. Our preliminary experimental results show that our approach can accurately authenticate sensors based on their signature and can detect known and unknown attacks with high detection and low false positive rates.
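
The offline-training and online-testing flow described in the sensor-DNA abstract and in this AB-IDS abstract, as an added example that is not the projects' own code. It assumes a Haar wavelet, per-band energy as the signature, and a margin of k standard deviations, none of which the abstracts specify; the sensor readings are constructed.

```python
import math
import random
import statistics

def haar_dwt(signal, levels):
    """Multi-level Haar DWT: returns [detail_1, ..., detail_L, approx_L]."""
    approx, bands = list(signal), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        bands.append([(a - b) / math.sqrt(2) for a, b in pairs])
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return bands + [approx]

def band_energies(window, levels=3):
    """Signature of one window (assumed feature): energy in each wavelet band."""
    return [sum(c * c for c in band) for band in haar_dwt(window, levels)]

def train_reference(windows, k=5.0):
    """Offline stage: per-band mean and margin (k standard deviations, assumed)."""
    per_band = list(zip(*(band_energies(w) for w in windows)))
    return [(statistics.mean(b), k * statistics.pstdev(b)) for b in per_band]

def deviating_bands(reference, window):
    """Online stage: indices of bands whose runtime energy leaves the margin."""
    runtime = band_energies(window)
    return [i for i, ((mean, margin), e) in enumerate(zip(reference, runtime))
            if abs(e - mean) > margin]

def normal_window(rng, n=32):
    """Constructed data: temperature-like sensor, slow cycle plus small noise."""
    return [21.0 + 0.5 * math.sin(2 * math.pi * t / 16) + rng.gauss(0, 0.02)
            for t in range(n)]

rng = random.Random(7)
REFERENCE = train_reference([normal_window(rng) for _ in range(200)])
FRESH = normal_window(rng)                 # unseen window from the same sensor
FROZEN = [21.0] * 32                       # stuck or replayed constant reading
JITTER = [v + (0.8 if t % 2 else -0.8) for t, v in enumerate(FRESH)]  # tampered

if __name__ == "__main__":
    for name, w in (("fresh", FRESH), ("frozen", FROZEN), ("jitter", JITTER)):
        bad = deviating_bands(REFERENCE, w)
        print(name, "abnormal" if bad else "normal", "bands:", bad)
```

A frozen reading still has a plausible mean value, so it is the loss of energy in the detail bands, not the level of the signal, that pushes it outside the margin.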
