Security in The Internet of Things Application Layer Requirements Threats and Solutions


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/366779140

Security of IoT Application Layer: Requirements, Threats, and Solutions

Chapter · January 2023
DOI: 10.1007/978-3-031-22356-3_9

3 authors: Mahmoud Abbasi (Universidad de Salamanca), Marta Plaza (Universidad de Salamanca), Yeray Mezquita Martín (Universidad de Salamanca)

All content following this page was uploaded by Mahmoud Abbasi on 19 March 2023.

The user has requested enhancement of the downloaded file.


Received 13 July 2022, accepted 31 August 2022, date of publication 8 September 2022, date of current version 20 September 2022.
Digital Object Identifier 10.1109/ACCESS.2022.3205351

Security in the Internet of Things Application Layer: Requirements, Threats, and Solutions
MAHMOUD ABBASI1, (Member, IEEE), MARTA PLAZA-HERNÁNDEZ1, JAVIER PRIETO1, (Senior Member, IEEE), AND JUAN M. CORCHADO1,2,3
1 BISITE Research Group, Edificio Multiusos I+D+I, University of Salamanca, 37007 Salamanca, Spain
2 AIR Institute, IoT Digital Innovation Hub, 47011 Valladolid, Spain
3 Department of Electronics, Information and Communication, Faculty of Engineering, Osaka Institute of Technology, Osaka 535-8585, Japan
Corresponding author: Mahmoud Abbasi ([email protected])
This work was supported by the IoTalentum Project within the Framework of Marie Skłodowska-Curie Actions Innovative Training
Networks (ITN)-European Training Networks (ETN), which is funded by the European Union Horizon 2020 Research and Innovation
Program under Grant 953442.

ABSTRACT Communication systems and networks are evolving as an integral part not only of our everyday life but also of industry, fundamental infrastructures, companies, etc. Current directions and concepts, such as the Internet of Things (IoT), promise an enhanced quality of life, greater business opportunities, cost-effective manufacturing, and efficient operation management through ubiquitous connectivity and the deployment of smart physical objects. IoT networks can collect, preprocess, and transmit vast amounts of data. A considerable portion of this data is security- and privacy-critical, which makes IoT networks a tempting target for attackers. Given that these networks deal with real aspects of our lives and with fundamental infrastructures (e.g. smart grids), security in such networks is crucial. The large scale of these networks and their unique characteristics and complexity bring further vulnerabilities. In this study, we focus on the IoT application layer: the security requirements, threats, and countermeasures in this layer, and some of the open issues and future research lines.

INDEX TERMS Internet of Things, security, privacy, requirements, taxonomy.

The associate editor coordinating the review of this manuscript and approving it for publication was Xiangxue Li.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 10, 2022 97197
M. Abbasi et al.: Security in the IoT Application Layer: Requirements, Threats, and Solutions

I. INTRODUCTION
Generally, the Internet of Things (IoT) refers to the growing network of smart physical devices that can sense and act on their surroundings, pre-process data, communicate, and share data to achieve their ultimate goals [1]. In other words, IoT systems play an active part in different aspects of human life, including daily activities, industry, self-driving cars, retail, healthcare, smart grids, business, farming, etc. The successful implementation of IoT-enabled systems in diverse areas has led to significant growth in the number of connected things, which is forecasted to reach several billion in the upcoming year [2]. Cisco predicts that over 500 billion things (e.g., sensors, actuators, and cars) will be connected to the Internet by the end of 2025. A study by the McKinsey Global Institute reveals an estimated annual economic impact of IoT and its application areas of around 3.9 to 11.1 trillion USD worldwide by 2025 [3].

Accordingly, many industries and companies are extending IoT-powered products, services, and solutions to break into and dominate the market [4]. In addition, the main aim of IoT is to transform the way we live and work by developing smart devices and services that carry out our daily tasks. Smart cities, smart agriculture, smart transportation, smart healthcare, smart environment, etc., are some of the ideas introduced in connection with IoT [5].

Despite these promising developments and efforts, there are still several issues hindering the full and practical deployment of IoT in the real world. One of the key challenges that IoT deals with and must overcome is security [6]. Because these systems are increasingly used in diverse aspects of life, fundamental questions arise about the security of such systems. Many investigations have provided proof of security and privacy vulnerabilities related to authentication, authorization, Denial-of-Service (DoS) attacks, and information leakage in IoT-powered systems [7], [8], [9]. Indeed, not only the number of IoT security threats but also their complexity is growing [10].

IoT security has become an overriding concern among research communities, industry, and the public, necessitating further extensive research. To this end, the main aim of this paper is to identify and examine the fundamental security requirements for the IoT application layer and then to understand and categorize security threats in the IoT application layer. Furthermore, the paper analyzes existing security countermeasures at the application layer of IoT.

In the field of IoT security, several survey articles have been published, e.g., [6], [7], [8], [11], [12], [13], [14]. Nevertheless, the lack of clear focus and direction in some of these papers is evident, especially those related to the IoT application layer. In other words, few studies have been carried out to individually examine the security aspects of each IoT layer. In an attempt to fill this critical gap and in response to concerns about the security of the IoT application layer, our main objective is to conduct a structured survey of the security of the application layer by presenting the major security requirements, threats, and existing solutions. Also, open issues and future research lines are provided. The primary contributions of our paper are as follows:

• We examined the surveys that reviewed the security of the IoT application layer and then highlighted their advantages and limitations.
• We identified and represented the main security requirements of the IoT application layer. Moreover, these security requirements are categorized based on IoT use cases and protocols.
• We introduced the key security threats and the countermeasures for those threats in the IoT application layer for both IoT use cases and protocols (see Fig. 1).
• Finally, we discussed open challenges and future research lines of the IoT application layer’s security.

FIGURE 1. Key elements of the IoT application layer.

The rest of the paper is structured as follows: Section II provides the background to our study and its motivation. Related published surveys are reviewed and discussed in Section III. Section IV investigates the key security requirements in the IoT application layer. The provided classification, security threats, and potential solutions for the IoT application layer are discussed in Section V. Section VI illustrates the challenges and future research directions. Finally, our paper is concluded in Section VII.

II. BACKGROUND AND MOTIVATION
IoT can be described as a computing and communication concept focusing on the interconnection between things and/or between things and people. Kevin Ashton first presented the IoT paradigm in 1998. In an IoT network, it is possible to have various heterogeneous devices and communication protocols to gather and interchange data with other nodes in the network [15].

The definition of the most adopted IoT architectures and the description of the IoT layers and their functions are essential to understanding IoT networks. Research communities and industries have introduced multiple IoT architectures. Broadly speaking, IoT architectures fall into three main categories [16]:

1) Three-layer architecture: It is the most common architecture introduced for IoT networks [17]. As the name indicates, there are three layers in this architecture: the application layer, the network layer, and the perception layer.
2) Four-layer architecture: This IoT architecture model is roughly similar to the three-layer architecture, except that it has an extra layer, the data processing layer.
3) Five-layer architecture: Compared to the three-layer architecture, this one includes two additional layers, the business layer and the data processing layer.

In this study, the three-layer architecture is used as a reference for the definition of the IoT layers and their tasks, as this architecture is the most common one for IoT (see Fig. 2). Furthermore, our central focus is on the IoT application layer, to narrow the search and investigate the topic as carefully as possible.

FIGURE 2. Three-layer IoT architecture.

A. APPLICATION LAYER
This layer is designed as the top layer in the IoT architecture [18]. The application layer accepts the network-level data from the middle layer and uses this data to deliver desired services and/or operations. For example, the application layer can provide a data analysis service to find valuable details for forecasting the condition of physical devices.


B. NETWORK LAYER
It is designed as the middle layer in the three-layer IoT architecture. It is also named the transmission layer [19]. One of its major functions is to route the pre-processed data supplied by the perception layer. In other words, this layer sends the data to the IoT devices, services, etc., through the communication network. The network layer consists of various components, such as different devices (e.g., gateway, hub, and cloud) and different communication protocols (e.g., WiFi and cellular network) [20].

C. PERCEPTION LAYER
The sensor layer is another name for this IoT layer [21]. The perception layer is implemented as the bottom layer in the three-layer IoT architecture. It is capable of interacting with physical objects and entities in an IoT network via smart devices such as Radio Frequency Identification (RFID) tags and various sensors.

As mentioned, IoT security is crucial. This is mainly due to the fact that there is a growing number of IoT devices integrated into security- and safety-critical services and applications, such as smart cities, industrial automation, e-health, and smart mobility [7]. Moreover, IoT devices are capable of collecting, pre-processing, and transmitting security-critical and sensitive private data; hence, they are vulnerable targets for various intruders [22], [23]. Accordingly, to offer greater and safer functionality of IoT systems, it is vital to strengthen the security of the underlying components, especially their protocols, devices, and data, against adversarial agents [24]. Compared with traditional communication systems, IoT systems are more prone to security attacks due to the following [12], [25]:

• Most IoT networks adopt wireless protocols for communications (e.g., WiFi and Sigfox), where malicious actors could obtain confidential data by eavesdropping on the wireless channel [26].
• Most IoT devices are resource-constrained in terms of power, storage, computation, and memory. Hence, they cannot support complex security mechanisms [27].
• The ever-increasing complexity and heterogeneity of IoT systems also complicate the security issues faced by such systems [28].
• Most IoT systems use centralized data management approaches (e.g. cloud and local servers). These centralized approaches make the overall system vulnerable because of the single point of failure and the probability of security attacks [29].

Motivated by the importance of IoT security, especially the IoT application layer, as well as the lack of a comprehensive survey on the IoT application layer’s security, we try to fill the gap by providing an extensive survey on this topic. The research gap will be discussed further in the following sections.

As mentioned, this paper considers the three-layer IoT architecture. The paper’s primary focus is on the application layer and on providing a taxonomy of security requirements, security threats, and potential solutions. To achieve the aims of our study, the security of the IoT application layer is investigated from two different points of view: IoT use cases and IoT application layer protocols. These are discussed in more detail in Sections IV and V.

In the next section, we review the surveys and papers related to the security of the IoT application layer and highlight their contributions and limitations.

III. RECENT SURVEYS ON THE SECURITY OF THE IoT APPLICATION LAYER
A number of papers reviewed the security aspects of IoT, e.g., [8], [23], [30], [31]. There are also some papers in the literature that focus on the security aspects of a specific IoT layer, e.g., the physical layer [32], [33], the perception layer [34], [35], and the network layer [36], [37], and some papers investigate IoT security from a technological point of view, e.g., blockchain [38], [39], machine learning [40], [41], and network virtualization [42], [43]. Nevertheless, a limited body of literature focuses on IoT security from the point of view of the application layer. This section provides an overview of the existing work that discusses IoT application layer security and compares it with our study.

Perhaps the most relevant paper to our study is [44]. In this paper, the authors surveyed the security of the IoT application layer. The paper mainly discussed the challenges of conventional security measures, such as authentication, key management, and cryptography. However, this work differs from our survey because it did not provide any specific classification for investigating security challenges and relevant solutions in the IoT application layer. Furthermore, this survey did not discuss the security of the IoT use cases, and its discussion of IoT application protocols is limited to the commonly used protocols, such as AMQP, MQTT, and XMPP.

In [45] Nebbione et al. conducted an in-depth survey on the IoT application layer protocols. More specifically, they investigated the most widespread IoT application layer protocols and their security threats. Nevertheless, the paper did not cover the security of IoT use cases, e.g., smart cities and smart grids, as an important aspect of the IoT application layer.

Similar studies have been performed in [46], [47], [48], and [49]. In these papers, the authors provided a brief overview of IoT application protocols and their security vulnerabilities without considering potential solutions. The papers did not cover any security aspects regarding the IoT use cases. In addition, the studies only investigated a limited number of IoT application protocols.

The authors in [50] reviewed conventional and recent advances in the application layer protocols of IoT systems and the importance of the application layer protocols in IoT use cases, such as Industrial IoT, healthcare, and smart cities. Moreover, they discussed machine learning as a solution for the dynamicity and intelligence of the IoT application layer protocols. However, their review did not cover security requirements, threats, and potential solutions.


The authors in [51] provided a detailed survey of IoT security based on a five-layer IoT architecture, including physical, network, transport, application, and data/cloud service layers. Considering the fact that the authors had to overview all five layers, they barely investigated the IoT application layer, especially the key security requirements and attacks.

Rizvi et al. [52] discussed the security requirements and challenges that IoT faces in the different layers, including the perception, application, and network layers. Given trust in IoT systems, the authors referred to privacy, availability, and reliability as the primary security classes. However, the authors did not provide enough detailed information concerning security requirements in each layer, potential countermeasures, and security of the IoT use cases.

Tripathi et al. [53] reviewed the existing application layer DoS attacks and defense actions. In this paper, attacks against IoT application layer protocols are identified, discussed, and classified. Moreover, the authors compared the existing defense mechanisms based on relevant factors.

Rahman et al. [54] conducted a brief survey on the IoT application layer protocols’ security, focusing on the CoAP protocol. Moreover, the authors discussed solutions to these security challenges, such as adopting compression mechanisms and key management processes.

The authors in [55] introduced IoT and its different layers. Then, they discussed security in IoT based on a three-layered architecture, including the perception, middleware, and application layers. Moreover, they investigated the IoT protocol stack (e.g., 6LoWPAN and IEEE 802.15.4) and the security requirements for these protocols. Despite these positive points, the authors did not cover the IoT application layer’s security, including use cases and application protocols, in enough detail, as they focused on all three layers.

In Table 1, a summary of the reviewed papers is provided based on their contributions and focus, i.e., IoT use cases or application protocols.

To the best of our knowledge, most of the existing surveys of the IoT application layer’s security do not fully cover the fundamental aspects of this layer, i.e., IoT use cases and IoT application layer protocols. Compared to the existing survey papers, the main aim of our paper is to give a comprehensive view of the security of the IoT application layer. To this end, the following section answers the following question: What are the fundamental security requirements of the IoT application layer regarding IoT use cases and IoT application layer protocols?

IV. SECURITY REQUIREMENTS OF THE IoT APPLICATION LAYER
Before introducing the security threats of the IoT application layer, it is important to discuss the security requirements that this layer must fulfill for the correct operation of IoT systems. Failure to comply with a security requirement may bring security challenges to the system. The key security requirements in the IoT application layer are listed below. These requirements have been identified through careful investigation of the papers related to the security of IoT use cases and the security of IoT application protocols [56], [57], [58], [59], [60], [61], [62], [63], [64] (see Fig. 3).

FIGURE 3. Key security requirements of the IoT application layer.

To find related papers on the topic, different keywords have been used, including "security and IoT," "security and IoT application layer," "security and IoT application layer protocols," "privacy and security and IoT application layer," "privacy and security and IoT application layer protocols," etc. We searched well-known digital libraries and academic publishers, including IEEE, Elsevier, ScienceDirect, ACM, Springer, MDPI, etc., to download the literature for our work. Moreover, for each IoT use case and IoT application layer protocol discussed in this paper, we went through the same process to find the related literature.

A. CONFIDENTIALITY
When a communication system deals with private/sensitive information, confidentiality is a critical security requirement that needs to be satisfied [65]. Confidentiality refers to protecting information from unauthorized access or from those who are not allowed to view it [14]. Confidentiality may also refer to preserving the IoT devices and equipment from unauthorized access.

Confidentiality protection is challenging when considering the IoT use cases due to the different devices and components involved [66]. For example, an Intelligent Transportation System (ITS) has various devices such as smartphones, vehicles, roadside stations, cameras, and sensors. In some IoT use cases (e.g., IIoT and smart grids), the lack of confidentiality countermeasures can lead to the loss of customer and vendor data and of intellectual property such as trade secrets [67].

Confidentiality, especially confidentiality of transmissions/communications, is also an essential security requirement in IoT application layer protocols [68]. To this end, many IoT application layer protocols try to preserve


TABLE 1. An overview of existing literature surveys on IoT application layer security. (Legend: the paper investigated the determining factor; the paper partially covered that factor; the paper did not consider that factor.)

confidentiality through built-in mechanisms, such as the Transport Layer Security (TLS) and Datagram TLS (DTLS) protocols [69]. The lack of appropriate confidentiality measures in IoT application layer protocols can cause the disclosure of sensitive information to attackers.

As described in the next section, several security attacks can threaten the confidentiality of an IoT application layer by disclosing information.

B. INTEGRITY
Data/message integrity means that a message was not changed over its life cycle (i.e., between sending and receiving). In other words, it refers to the data’s consistency, accuracy, and validity over the workflow [70]. In IoT systems, integrity can safeguard the system against the unapproved spread, destruction, or alteration of messages.

In IoT use cases, it is essential to ensure the integrity of communication and computation between different system entities, such as various sensors, actuators, controllers, human agents, etc. This is mainly due to the fact that these entities can collect massive amounts of important data. For example, in a smart agriculture scenario, many IoT sensors and smart meters capture different types of data, e.g., humidity, temperature, and water data [71]. Altering this data can lead to severe damage to other involved operations, e.g., changes in the pH of agricultural water and the applied nutrient solution for plants. In another instance, the lack of data integrity in the industrial automation scenario can lead to


damaging consequences, such as hiding and altering crucial details related to the safety parameters of industrial machinery or standards, degradation of product quality, and industrial machinery breakdown [72].

In IoT application layer protocols, message and communication integrity are paramount. Hence, built-in plug-ins and additional mechanisms are deployed to preserve integrity [73].

C. AVAILABILITY
Availability is vital in IoT systems and guarantees that the service and network continue to operate even in the presence of faults or malicious activities [74]. For availability, not only security is required but also a fault management process (i.e., fault detection, isolation, and then correction of the abnormal condition of the network).

For IoT systems, especially safety- and mission-critical IoT systems such as smart grids and ITS, it is vital to guarantee the availability of the systems, since these systems deal with the safety of the users and with real-time functional requirements. For example, to guarantee the safety of passengers, the devices involved in an ITS need to be able to operate and communicate with each other [75]. The forecasting of potential bottlenecks and the provisioning of bandwidth need to be considered. In the context of IoT application layer protocols, the availability of nodes and of the environment is important and can be compromised by various threats [45].

D. AUTHENTICATION AND AUTHORIZATION
This is one of the principal requirements for any communication system and ensures that the right users (e.g., patients and physicians in a smart healthcare system) or devices (e.g., nodes and aggregators) can get access to the resources, take certain actions, and use the services provided by an IoT network [76], for example, being granted access to electronic health records and patient records. In the vast majority of IoT applications, e.g., in vehicular networks and ITSs, the authentication of all users and messages is critical as it can prevent serious security threats such as Sybil attacks [77].

Considering IoT application layer protocols, authentication/authorization is a key security requirement as there are various authorization-related vulnerabilities. Accordingly, some application layer protocols use built-in authorization services, and some deploy custom solutions for authentication [78]. We will discuss these solutions in the next section in more detail.

E. NON-REPUDIATION
In communication systems and networks, non-repudiation refers to the assurance that any entity participating in a communication cannot deny having been involved in all or part of a communication event. Satisfying non-repudiation guards IoT systems against false denials related to communication [79]. The primary objective of non-repudiation is to handle disputes about whether an event happened or not. This can be done through gathering, maintaining, making available, and confirming indisputable evidence about the declared event [80]. Non-repudiation is an essential security requirement for ITSs, especially in VANETs and V2V communications. This is mainly because non-repudiation can protect communications from false denial activities [81]. The loss of event data can lead to security risks against non-repudiation.

F. PRIVACY
Based on [82], the definition of privacy in IoT environments is: "privacy is a term related to persons, and their data, especially personal or sensitive data, which emphasizes the need to protect data should not be exploited, accessed without the permission of the owner, or used in a way that the owner doesn’t expect". Privacy in IoT systems is paramount because, in such systems, many devices are connected to the Internet to send data to other devices and/or communication systems. This data can be personal raw or sensitive data that should not be exposed to a third party. For example, one can refer to the mobility data in VANETs and V2V communications. Given the IoT application layer, attackers in this layer can destroy privacy through known vulnerabilities, such as cross-site scripting attacks and buffer overflows [83].

In the next section, we will introduce security threats that can compromise the above-mentioned security requirements. Moreover, different potential countermeasures to prevent and mitigate security threats are reviewed.

V. SECURITY THREATS AND SOLUTIONS IN THE IoT APPLICATION LAYER
The security of the IoT application layer, i.e., IoT applications and application layer protocols, is an integral part of the system design. IoT application layer protocols are the foundation for communications among various IoT use cases, devices, and running services. In other words, IoT application layer protocols serve as an interface between the IoT use cases and end-users [84]. Hence, considering the vital role of the application layer in all of the IoT use cases, security at this layer is crucial. Intruders in the IoT application layer are likely to disturb security through different attacks, such as injection attacks, unauthorized access, cross-site scripting attacks, etc. [85].

A. FOCUSING ON THE IoT USE CASES
Following extensive review and analysis, we have identified six crucial IoT applications: smart grids, smart healthcare, ITS, smart agriculture, IIoT, and smart cities. In the following sections, we discuss the security aspects of these applications.

1) SMART GRIDS
The main security goals in smart grids are confidentiality, integrity, and availability [86]. Concerning these security requirements, one can refer to the following security threats.

a: THREATS
Several types of attacks target confidentiality in smart grids, including password-pilfering attacks, traffic analysis attacks,


eavesdropping attacks, unauthorized access, false data injection attacks, and password theft attacks. The main objective of these attacks is to gain the desired information [87]. Another group of attacks tries to destroy the integrity of smart grids, such as data tampering attacks, wormhole attacks, data injection attacks, spoofing attacks, data manipulation attacks, man-in-the-middle attacks, and masquerading attacks [56]. The main goal of these attacks is to change the original data payload. The availability of smart grids can also be endangered through availability-related attacks, such as jamming, wormhole, DoS attacks (e.g., teardrop, LDoS, puppet, and smurf), buffer overflow, masquerading, man-in-the-middle attacks, and spoofing attacks [88].

In addition, using monitoring technologies such as Advanced Metering Infrastructure (AMI) may cause privacy violation risks for users (privacy issues) [57], for example, the extraction of habitual information patterns by adversaries or the dissemination of industrial information. Moreover, the massive number of deployed devices and their heterogeneity can raise key scalability issues for providing security.

b: SOLUTIONS
To deal with the security threats that target the confidentiality of smart grids, several methods have been proposed [89]. For example, one can use data encryption against password theft attacks [90]. Deploying authentication mechanisms can prevent eavesdropping attacks, unauthorized access, and false data injection attacks. Moreover, using encryption protocols can prevent traffic analysis attacks. To cope with data integrity attacks, some solutions have been introduced. Cryptography techniques, algorithms, and authenticity are among the most used methods to prevent attacks on data integrity [91]. Moreover, methods such as power fingerprinting techniques, strategies based on trusted network connect, and volt-var control algorithms have also been developed [92]. Using security gateways to encrypt the traffic can be a remedy for man-in-the-middle attacks. In addition, end-to-end encryption and authentication mechanisms are crucial to reducing the consequences of data injection, spoofing, and data manipulation attacks. The following measures have been taken to cope with availability attacks. For the mitigation of DoS attacks, traffic filtering technologies, anomaly detection methods, and air gapping are promising solutions [93]. Against jamming attacks, anti-jamming techniques such as [94] can be adopted.

2) SMART HEALTHCARE
Regarding the applications of IoT in healthcare, there are serious security concerns [95]. More specifically, when it comes to security, the key requirements are confidentiality, integrity, authentication, authorization, and non-repudiation.

a: THREATS
Data confidentiality in smart healthcare systems can be endangered through unauthorized users and eavesdropping attacks [96]. Furthermore, adversary users and accidental communication mistakes can destroy data integrity in such systems during data transmission.

In smart health systems, the authenticity of the users (e.g., patients and physicians) and devices (e.g., nodes and aggregators) should be ensured in order to prevent masquerading attacks against electronic health records and patient health records [97]. Moreover, authorization ensures that the right users (e.g., patients and physicians) or devices can access electronic health records and patient health records.

Besides the challenges related to security, wearable devices in smart health systems can be used for measuring data such as blood pressure, temperature, heart rate, and blood sugar [98]. This data is usually stored in a cloud server as a Personal Health Record (PHR) for further processing and analysis by physicians. As this data is vital and personal, privacy is the most critical security issue in healthcare-related IoT applications.

Some literature also refers to data freshness as a security requirement in smart healthcare [99]. Repeat/replay attacks are among the most often mentioned challenges to data freshness.

b: SOLUTIONS
Using cipher algorithms for data encryption is a remedy to the security challenges arising from confidentiality. Considering the security challenges related to data integrity, ensuring data integrity through cryptographic algorithms such as AES128/256 and SHA is a solution [58].

Different authentication mechanisms should be utilized to deal with authentication security challenges, such as digital signatures and key-based and certificate-based authentication. Additionally, to ensure authorization in a smart healthcare system, access control mechanisms should be used to define the right access for each user in the system. Moreover, to address the privacy-related issues in smart healthcare applications, developing secure access control approaches for wearables and PHRs should be considered [100]. Furthermore, as PHRs are stored in cloud servers, using cryptographic primitives to improve the authentication protocols of PHRs is possible [101]. When one accesses the information in healthcare systems, the authentication mechanism should be human-machine authentication, while for updating the collected data in the server, machine-machine authentication works.

One of the ways to mitigate repeat/replay attacks is to assure data freshness by verifying the data collected from the devices (e.g., sensors). The verification can be done by looking at different factors, such as up-to-date data, non-duplication of data, and the order of data.

3) SMART TRANSPORTATION SYSTEMS (ITS)
The key security requirements in ITSs are confidentiality, integrity, availability, authentication/identification, and non-repudiation [65], [102]. Indeed, the different security threats in ITSs can be classified from the point of view of the security requirements.
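Before turning to the ITS threats, the following added example (not code from the paper) implements the data-freshness checks listed above for smart healthcare (up-to-date data, non-duplication, and order) together with a message authentication code, the integrity measure the text cites for smart healthcare and, further on, for ITSs and smart agriculture. The HMAC-SHA256 construction, the report field layout, the 30-second acceptance window and the device name are assumptions chosen for illustration.

```python
"""Authenticated, freshness-checked sensor reports (added example, not from the paper).

A report carries a device id, a per-device sequence number, a timestamp, the
measurement payload and an HMAC-SHA256 tag over those fields.  The verifier
applies, in order: integrity (tag), up-to-date (time window), non-duplication
(seen set) and order (strictly increasing seq).  Construction, field layout and
window length are assumptions, not the paper's.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

MAX_AGE_S = 30.0  # assumed acceptance window; a deployment choice


def _canonical(report: dict) -> bytes:
    """Deterministic encoding of the authenticated fields (tag excluded)."""
    fields = {k: report[k] for k in ("device", "seq", "ts", "payload")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key: bytes, device: str, seq: int, ts: float, payload: dict) -> dict:
    """What the sensor (or its gateway) does before publishing a reading."""
    report = {"device": device, "seq": seq, "ts": ts, "payload": payload}
    report["tag"] = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    return report


class FreshnessVerifier:
    """Receiver-side state: shared key, last accepted seq and seen set per device."""

    def __init__(self, keys: Dict[str, bytes], max_age_s: float = MAX_AGE_S):
        self.keys = keys
        self.max_age_s = max_age_s
        self.last_seq: Dict[str, int] = {}
        self.seen: set = set()

    def verify(self, report: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        key = self.keys.get(report.get("device"))
        if key is None:
            return False, "unknown device"
        try:
            expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
        except KeyError:
            return False, "malformed"
        # 1. Integrity: nothing below is trusted until the tag verifies.
        if not hmac.compare_digest(expected, str(report.get("tag", ""))):
            return False, "bad tag"
        device, seq, ts = report["device"], report["seq"], report["ts"]
        # 2. Up-to-date: reject stale (or far-future) readings.
        if abs(now - ts) > self.max_age_s:
            return False, "stale"
        # 3. Non-duplication: a report accepted earlier and presented again is a replay.
        if (device, seq) in self.seen:
            return False, "duplicate"
        # 4. Order: a never-seen but older report is rejected as well.
        if seq <= self.last_seq.get(device, -1):
            return False, "out of order"
        self.seen.add((device, seq))
        self.last_seq[device] = seq
        return True, "ok"


def demo() -> List[str]:
    """Feed constructed blood-pressure readings through the verifier; returns the verdicts."""
    key = b"constructed-demo-key"
    v = FreshnessVerifier({"bp-monitor-01": key})
    t0 = 1_700_000_000.0
    r1 = sign_report(key, "bp-monitor-01", 1, t0, {"systolic": 121, "diastolic": 79})
    r2 = sign_report(key, "bp-monitor-01", 2, t0 + 5, {"systolic": 119, "diastolic": 80})
    tampered = dict(r2, payload={"systolic": 200, "diastolic": 80})  # tag no longer matches
    old = sign_report(key, "bp-monitor-01", 3, t0 - 600, {"systolic": 118, "diastolic": 78})
    late = sign_report(key, "bp-monitor-01", 0, t0 + 8, {"systolic": 118, "diastolic": 78})
    return [
        v.verify(r1, now=t0 + 2)[1],        # fresh, first seen       -> ok
        v.verify(r1, now=t0 + 3)[1],        # replayed verbatim       -> duplicate
        v.verify(tampered, now=t0 + 6)[1],  # payload altered         -> bad tag
        v.verify(r2, now=t0 + 6)[1],        # genuine successor       -> ok
        v.verify(old, now=t0 + 7)[1],       # ten minutes old         -> stale
        v.verify(late, now=t0 + 9)[1],      # seq below last accepted -> out of order
    ]


if __name__ == "__main__":
    print(demo())
```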


a: THREATS
Confidentiality protection in ITSs is challenging because there are different types of devices in an ITS, such as smartphones, vehicles, roadside stations, and IoT devices. Hence, a wide range of attacks against the involved devices can destroy confidentiality. These attacks are man-in-the-middle attacks, eavesdropping attacks, model identification attacks against machine learning techniques, and parameter inference attacks against controllers [103]. Moreover, in ITSs, it is crucially important to ensure data integrity regarding communication and computation between different system devices, such as vehicles, traffic controllers, and roadside infrastructures. There are various potential security risks against data integrity in ITSs, including spoofing attacks, timing attacks [104], Sybil attacks, man-in-the-middle attacks, attacks against machine learning with adversarial examples, data poisoning, and policy manipulation attacks.

To guarantee the safety of passengers, the devices involved in an ITS must be able to operate and communicate with each other. Different attacks can restrict the availability of devices in an ITS, such as DoS, spoofing attacks, timing attacks, jamming attacks, man-in-the-middle attacks, policy manipulation attacks, and data poisoning [59]. Regarding authentication/identification, it is vital for an ITS to correctly identify and authenticate the users who want to participate in the communication and data transmission [105]. This is because many security threats are posed through different types of attacks, including spoofing, timing attacks, Sybil attacks, and man-in-the-middle attacks.

Non-repudiation is an essential security requirement for ITSs, especially in VANETs and V2V communications. This is mainly due to the fact that non-repudiation can protect communications from false denial activities [106]. The loss of event data can lead to security risks against non-repudiation. Last but not least, mobility is another security challenge in ITS applications [107]. The mobility of the entities in ITSs poses challenges to deploying security solutions.

b: SOLUTIONS
To alleviate confidentiality-related security challenges, a couple of techniques have been proposed, including symmetric cryptography, asymmetric cryptography, and a secure steganographic algorithm [108]. Each of them has its pros and cons. When considering data integrity, the Message Authentication Code (MAC) is one of the main approaches to ensure data integrity in ITSs [109]. However, using this technique can cause additional computational overhead.

To cope with the availability-related security challenges, signature-based authentication techniques have been proposed [60]. The most important problem with this method is that it needs additional infrastructure. In addition, challenge-response protocols and message authentication codes address security challenges related to authentication and identification. These methods can pose overhead in terms of time and computation. And finally, to tackle security issues related to non-repudiation, digital signatures and signature-based authentication are among the most used techniques [110].

4) SMART AGRICULTURE
One can classify the security risks in smart agriculture into five main sub-categories: threats against privacy, authentication, data confidentiality and integrity, and availability.

a: THREATS
In smart agriculture applications, many IoT sensors and smart meters collect different types of data, e.g., humidity, temperature, and water quality monitoring [61]. The collected data is sensitive as its analysis can disclose valuable information (e.g., the applied nutrient solution for plants and the locations of sensors) to a third party. Hence, it is essential to preserve this private information from unauthorized access and security threats such as insider data leakage and cloud data leakage. As for authentication-related security challenges, a malicious user (or program) tries to forge an identity in order to enter the system as an authorized node [111]. To this end, the malicious actor may carry out different attacks, such as impersonation, spoofing, replay attacks, and masquerade attacks.

When it comes to data confidentiality, the main goal of an attacker is to stand in an ideal place to eavesdrop on the communication between IoT devices or between IoT devices and an access point. There are different types of eavesdropping attacks in smart agriculture, including brute-force attacks, tracing attacks, known-key distinguishing attacks, and false data injection attacks [112]. As the name implies, the main goal of the attacks against availability is to make services unavailable in a smart agriculture system. DoS and jamming attacks are the main types of threats in this category [113].

Smart agriculture systems are also subjected to data integrity attacks [114]. These attacks let unauthorized entities access and modify sensitive information, such as the pH of agricultural water. This category includes man-in-the-middle attacks, forgery attacks, biometric attacks, and Trojan attacks.

b: SOLUTIONS
Different solutions have been proposed to deal with privacy-related challenges, including privacy-preserving techniques during the data aggregation process in a smart agriculture system [115], location privacy solutions [116], content-oriented protection [117], data anonymization techniques, and privacy-preserving trust evaluation methods. To reduce the threats related to data integrity, some solutions have been proposed, such as label-based access control techniques [118], content integrity verification [119], and message authentication codes [120].

To provide authentication, different solutions have been proposed. For example, RFID authentication methods alleviate the situation when one uses RFID tags in smart


agriculture [121], delegated authentication, label-based access control, and blockchain-based access control [122]. Ciphertext-based access control algorithms are one of the solutions to preserve confidentiality in smart agriculture [123]. Moreover, blockchain-based access control mechanisms can be adopted in smart agriculture systems.

5) INDUSTRIAL IoT (IIoT)
According to [62], the main security requirements in IIoT are authentication, data/traffic flow confidentiality, integrity, and availability.

a: THREATS
In IIoT, authentication is an important security requirement to preserve the legality of data access and, consequently, to guarantee data confidentiality. False data injection and spoofing attacks can be launched in an IIoT system with an ineffective authentication mechanism. These types of attacks can inject adversarial code and commands into the system [124] for different purposes, such as controlling industrial machinery and performing unsafe operations.

In the context of IIoT systems, confidentiality refers to ensuring data/traffic flow access only by authorized entities. The lack of confidentiality measures in an industrial system can lead to losing customers' and vendors' data and intellectual property such as trade secrets. Malware is one of the security attacks that can threaten the confidentiality of an IIoT system through the disclosure of information.

Furthermore, in IIoT, there is a possibility that a malicious entity (e.g., man-in-the-middle, malware, and worms) manipulates data without detection and consequently destroys the integrity of data [125]. The lack of data integrity in an industrial environment can lead to damaging consequences, such as hiding and altering crucial details related to the safety parameters of industrial machinery or standards, degradation of product quality, and industrial machinery breakdown.

Security threats may also focus on the availability of industrial systems to make them unable to do their typical tasks through overloading [63]. Different types of physical and cyber-attacks can threaten the availability of an IIoT system, such as DoS attacks, DDoS attacks, the Mirai botnet, BrickerBot, and Reaper.

b: SOLUTIONS
To deal with security challenges in IIoT systems that threaten authentication, different authentication techniques have been adopted, including trust-based authentication, proximity-based authentication [126], and edge-assisted device authentication [127]. Moreover, using authentication and verification methods, such as user key sets, digital signatures, and certificates, can mitigate security risks related to unauthorized access to the system [128].

Applying cryptographic techniques is one of the common countermeasures for confidentiality- and integrity-related attacks in IIoT systems [129]. Moreover, the security of cloud computing and big data components, third parties, and vendors should be considered [130].

When considering the integrity of IIoT systems, one of the proposed solutions is to use a Manufacturing Security Enforcement Device (MSED) for encryption [64]. Other proposed measures include using control and report filters after sensors, defining secure data exchange channels between IoT devices, authorizing IoT devices through digital certificates/Public Key Infrastructure (PKI), and monitoring data to identify possible unauthorized modifications.

The key measure to increase the availability of IIoT systems is to protect these systems against DoS attacks. To this end, various approaches have been proposed, such as Software Defined Networks (SDN)-based and distributed approaches and the real-time availability monitoring of IoT devices [131].

6) SMART CITIES
Due to the wide range of deployed sensory devices (e.g., cameras, temperature sensors, noise level sensors, flood detectors, etc.), their heterogeneity, and the Big Data content gathered, it is challenging to provide security for all the use cases in smart cities [132]. Indeed, different security threats may be mounted against different architecture levels (e.g., physical, network, database, and application layers) and smart city applications (e.g., smart living, smart environment, and smart energy).

a: THREATS
As we mentioned, various security threats may occur in smart city applications, including:
1) DoS attacks: As the name implies, the main aim of DoS attacks is to make the system resources or services unavailable to the potential users in smart city applications. DoS attacks can target the network layer or application layer [133]. Both classes of DoS attacks may have damaging effects on smart city applications that offer monitoring services in a centralized manner.
2) Malware: this type of threat refers to an attack by a software program that can perform unauthorized actions (e.g., illegal access, stealing or changing information) on the infected system [134]. In smart cities, the CCTV system is a prime example, in which malware can access the system and view privacy- and security-sensitive contexts, such as an individual's home or bank.
3) Eavesdropping attack: eavesdropping is an example of a passive attack in which an attacker tries to listen to unsecured communications between two or several parties to access data. In smart cities, eavesdropping is a serious threat as it can compromise the integrity and confidentiality of the system [135].
4) Masquerade attack: refers to the situation where a malicious actor can get unauthorized access to the system and steal information through a fake identity (e.g., device or entity) [136]. For example, in smart


transportation, this type of attack can cause the disclosure of restricted information and, consequently, destroy the integrity of the system or change the information in the system.
5) Disinformation attack: In this type of attack, the attacker intentionally disseminates false data (e.g., sensor reading data) intending to affect the result or mislead the behavior of the system's users. In smart cities, disinformation attacks can lead to consequences ranging from delays to unnecessary congestion [137].
6) Message modification attack: In this attack, an intruder tries to change the message header (e.g., changing the message destination) or data (e.g., putting malicious content) in order to cause unexpected behaviors in system performance [138]. Message modification attacks may also lead to delays and congestion in the system and compromise data integrity in smart city applications.
7) Traffic analysis attack: In a traffic analysis attack, a malicious actor may monitor and analyze the network traffic in order to find the existing patterns (e.g., when a specific user sleeps/wakes up), metadata (e.g., when/how packets were transmitted) and useful information [139]. Traffic analysis is a passive type of attack which can threaten information confidentiality in smart cities.
8) Privacy-related issues: Smart city applications can raise several privacy concerns, including information on lifestyle and routine extracted from CCTV systems and the identity and location of passengers derived from smart transportation systems.

b: SOLUTIONS
Given the security threats facing smart city applications, multiple solutions and technologies have been proposed, including Blockchain [140], cryptography techniques [141], biometrics, machine learning-based techniques [142], and the introduction of regulations for IoT systems. In addition, to cope with privacy-related threats in smart cities, a couple of approaches can be used, such as access control techniques [143], encryption algorithms [144], and anonymization [145]. Nevertheless, most of these countermeasures are adopted to overcome outsider intruders. However, some potential insider intruders (e.g., in a monitoring system, an employee who accesses the captured videos) also need to be considered.

B. FOCUSING ON THE PROTOCOLS OF THE IoT APPLICATION LAYER
Broadly speaking, there are two major classes of IoT application layer protocols: 1) message passing protocols and 2) service discovery protocols [48]. More specifically, by messaging, we mean data sharing and data exchange among devices, while service discovery refers to processes such as detecting devices and the services offered on the network. Messaging protocols usually provide standard and custom security services, such as encryption mechanisms (e.g., data confidentiality is supported through the TLS and DTLS cryptographic protocols, and the Simple Authentication and Security Layer (SASL) framework has been used as a basis for authentication and authorization mechanisms) [146], while built-in security services are not offered in service discovery protocols.

Despite these security mechanisms, security shortcomings in the design of the application layer protocols need to be investigated. Moreover, it is worth mentioning that security services are not mandatory and must be explicitly enabled by protocol developers. Furthermore, we explore each application protocol's security challenges and related solutions. In the following, we discuss the security aspects of the most essential IoT application layer protocols identified during the study of the associated papers.

1) MESSAGE QUEUING TELEMETRY TRANSPORT (MQTT)
MQTT is a lightweight message passing protocol developed to let many devices send data in a network [147]. MQTT uses a publish/subscribe mechanism and a server (also called the broker). This makes it feasible to reliably publish messages over networks with low bandwidth. MQTT is a de facto standard protocol for IoT messaging. In the first years of its release, MQTT was used as a proprietary protocol by the oil and gas industries to facilitate communication in SCADA systems. Nowadays, MQTT has become a popular open source protocol for connecting millions of IoT and industrial IoT devices used in different applications, such as remote monitoring, health parameters monitoring, and motion detection.

The MQTT protocol provides different authentication mechanisms and encryption techniques based on TLS. However, these security services cannot adequately protect the security of the devices that use the MQTT protocol and the MQTT broker [148]. Accordingly, the following security vulnerabilities can be defined in MQTT-enabled clients.

a: THREATS
1) Authentication vulnerabilities: If the MQTT broker does not conduct a proper examination of the identity of the publisher/subscriber and does not block multiple authentication attempts, attackers can take advantage of these vulnerabilities to access MQTT devices or run DoS attacks against the broker [149].
2) Authorization vulnerabilities: The MQTT broker may not appropriately assign publishing and subscribing permissions for clients (i.e., devices). Due to this vulnerability, a malicious agent can take control of the data and functions of MQTT-enabled devices.
3) Message delivery failures: Messages sent by a publisher are not delivered because there are no subscribers. This failure can significantly affect the proper performance of the broker.
4) Message integrity: The integrity of messages sent by a publisher cannot be properly checked by the broker and


subscribers [150]. Attackers can utilize this security exposure to launch many attacks.

b: SOLUTIONS
To alleviate security challenges related to the MQTT protocol, some approaches have been proposed, including [151]:
1) Client (i.e., device) authentication.
2) Authorization of clients' access to the server resources.
3) Privacy-preserving mechanisms for MQTT control packets and application messages.
4) Integrity checking mechanisms for MQTT control packets and application messages.

2) CONSTRAINED APPLICATION PROTOCOL (CoAP)
CoAP is designed to work with constrained nodes (e.g., IoT devices) and networks (e.g., building automation). CoAP is a client-server protocol in which a CoAP-enabled node (or client) can command another client by transmitting a CoAP packet [54]. One of the biggest advantages of CoAP is the ability to allow resource-constrained devices to join an IoT network, even via networks with constrained resources such as low bandwidth and low network availability. CoAP has been mainly adopted in Machine-to-Machine (M2M) use cases, such as smart homes, smart energy, and building automation.

a: THREATS
CoAP allows DTLS to be used as a separate layer, providing some security capabilities. DTLS for CoAP provides four different security modes that developers can select on the basis of different factors, such as security requirements, energy consumption, and performance. Despite using a security protocol (i.e., DTLS) on another layer, the lack of proper security mechanisms can lead to security risks for CoAP-enabled devices, such as man-in-the-middle attacks. Accordingly, the following security vulnerabilities could be defined in CoAP environments:
1) IP spoofing: An attacker can send a spoofed response message or a flood of messages with a spoofed IP address in the CoAP environment if the IP addresses of CoAP nodes have been forged.
2) Vulnerabilities related to caching and proxying: If the access control approaches for caching and proxying are not precisely developed, their content can be compromised [152].
3) Block attack: An on-path attacker can be placed between a device (e.g., sensor or actuator) and the server to block the delivery of the messages (requests and responses). When a block attack occurs against an actuator, it can lead to a situation where the client loses the server's status information and consequently does not work properly.
4) Parsing attacks: The root of this type of attack is that the incoming messages have not been properly processed/handled by client and server parsers. Consequently, the CoAP node can be crashed under attack due to running arbitrary remote code.

b: SOLUTIONS
To tackle the aforementioned security challenges in the CoAP protocol, the following remedies can be taken:
1) Adopting the DTLS security modes to secure CoAP-enabled nodes.
2) Providing effective access control mechanisms.
3) Providing secure communication.
4) A remedy for block attacks in IoT systems is to use confirmable messages. Moreover, when a response message is not received, the client should take appropriate actions.

3) EXTENSIBLE MESSAGING AND PRESENCE PROTOCOL (XMPP)
XMPP is an open XML communication protocol that provides a broad range of services such as multi-party chat, instant messaging, presence technology, voice and video calls, and collaboration [153]. The main advantages of XMPP are that it is open, secure, standard, proven, decentralized, extensible, flexible, and diverse. XMPP has been effectively utilized for communication in IoT embedded networking, pub/sub messaging systems, etc. XMPP is particularly well suited as a communication protocol for IoT applications. Different real-world projects use XMPP for IoT, including Google Cloud Print, Firebase Cloud Messaging, and Logitech Harmony Hub.

a: THREATS
Regarding security, the XMPP protocol supports authentication mechanisms through SASL and data confidentiality/integrity through TLS by default [154]. Despite providing these security services, the protocol can face different security risks (e.g., unauthorized access to a server by attackers or stanza modification/deletion/replaying by attackers) due to the lack of end-to-end encryption.

b: SOLUTIONS
Some extensions of this protocol have been proposed to deal with the security vulnerabilities in the XMPP protocol. For example, in [155], special measures have been adopted to prevent DoS attacks, while [156] has focused on the SASL authentication-related vulnerabilities.

4) MULTICAST DOMAIN NAME SYSTEM (mDNS)
mDNS, as a service discovery protocol, is an extension of the DNS protocol [157]. More specifically, the mDNS protocol is a multicast design of DNS. mDNS can be employed for locating the devices/services in a local network by name and without using any DNS server. In other words, mDNS is capable of handling domains. One can refer to factory floor networks or industrial networking as an example of using mDNS. The service discovery of mDNS is a very


interesting characteristic for IoT devices because it enables them to establish self-organizing networks on top of the fundamental network infrastructure.

The interested reader is directed to [45] for more information on the mDNS protocol.

a: THREATS
Compared to the messaging protocols, no built-in security feature is offered by the mDNS protocol. Hence, the protocol is vulnerable to several security risks. These risks are as follows:
1) DoS attacks
2) Poisoning attacks
3) Remote attacks
Moreover, given the lack of encryption approaches and the multicast type of communications in mDNS, security threats may appear, and often stay hidden and unrecognized, in mDNS-enabled environments [158].

b: SOLUTIONS
As mDNS does not offer any built-in security mechanism, providing efficient security services is crucially important. These security services mainly focus on DoS attack mitigation, including:
1) Mitigating the security risk by disabling mDNS services whenever they are not needed.
2) Closing port 5353 in order to block mDNS UDP (User Datagram Protocol) traffic from/to outside the local link.
Regarding privacy issues, some techniques have been proposed by researchers, for example, encrypting all data in multicast communications or imposing limitations on the use of multicast [159]. In addition, to deal with the shortage of built-in authentication techniques, some authentication mechanisms have been proposed by researchers [160].

5) SIMPLE SERVICE DISCOVERY PROTOCOL (SSDP)
SSDP is also a service discovery protocol that can be used in small networks, e.g., home networking, to discover network services and advertise services [161]. SSDP is designed

is a reflection/amplification DDoS attack, which can overwhelm the target device [162]. Moreover, passive attacks can affect SSDP-enabled devices, in which an attacker can exploit the multicast messages for eavesdropping purposes, e.g., discovering sensitive information and, consequently, violating privacy and confidentiality. In addition to the aforementioned security risks, SSDP-enabled devices may also face poisoning attacks and device misconfiguration attacks.

b: SOLUTIONS
As SSDP services are activated by default on the majority of devices, to mitigate DDoS attacks at the level of the individual device, these services should be disabled whenever they are not needed. Moreover, due to the potentially malicious usage of M-SEARCH messages, these request messages should be monitored appropriately and possibly blocked. Furthermore, deploying encryption techniques on top of the SSDP protocol can preserve the authenticity and confidentiality of content transmission [45].

Tables 2 and 3 summarise the security requirements, threats, and solutions for the IoT application layer that are discussed in Section V.

VI. OPEN ISSUES AND FUTURE RESEARCH DIRECTIONS
This section provides a few potential open issues and future research lines identified from our findings.

A. THE LACK OF COMPREHENSIVE SECURITY- AND/OR PRIVACY-PROTECTING FRAMEWORKS
We have reviewed and analyzed several papers related to IoT security, especially application layer security [6], [8], [23], [56], [70], [84], [94], etc. However, in all of these papers, there is no thorough framework that guarantees security in IoT for a wide range of use cases. To fill this gap, there is a growing need to establish a comprehensive, lightweight framework to ensure security in IoT environments.

B. INSECURE INTERFACES
IoT devices, as smart-physical objects, are capable of communicating, collecting, pre-processing, and sharing this data

1027 based on HTTPU. To exchange messages, this protocol uti- to achieve their defined objectives, such as environmen- 1078

1028 lizes UDP as the transport layer protocol. In an IoT net- tal monitoring, smart home, and smart grids. To this end, 1079

1029 work, SSDP allows devices to find each other on the network, an IoT device may use several interfaces. These include 1080

1030 set up communication, and coordinate operations across the interfaces for communication (wireless or wired), web inter- 1081

1031 network. For example, when an IoT node aims to discover faces, storage interfaces, Internet connectivity interfaces, 1082

1032 local devices on the network, it can send an SSDP discovery storage/memory interfaces, and input/output interfaces for 1083

1033 message and wait for reply messages from any node that sensors. The users may use these interfaces to do different 1084

1034 gets it. control, management, and configuration tasks, such as query 1085

the IoT devices, monitor their status and control them from 1086

1035 a: THREATS anywhere. 1087

1036 Similar to mDNS, SSDP protocol also does not offer any Multiple IoT security threats arise from insecure inter- 1088

1037 built-in security service. As a consequence, this protocol faces. These security vulnerabilities include the lack of device 1089

1038 becomes vulnerable to various security attacks. These attacks authentication/identification and weak encryption. For exam- 1090

1039 seriously compromised the multicast and service discov- ple, in a home automation use case, an internal or external 1091

1040 ery of SSDP protocol. One of the most referred attacks intruder may exploit the web interface to launch attacks. 1092
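The mDNS and SSDP mitigations listed in the protocol subsections above (blocking UDP 5353 traffic that crosses the local link, and monitoring or blocking M-SEARCH requests) can be expressed as a small boundary policy. The following is an added example written for this edit, not code from the paper or from any project it cites; the LAN prefix, the burst threshold, and the sample datagrams are assumptions.

```python
"""Boundary policy for the two discovery protocols discussed in the text.

Added example (not the paper's code). It encodes the listed mitigations:
mDNS (UDP 5353) traffic is only allowed between the local link and the
mDNS multicast group, and SSDP (UDP 1900) M-SEARCH requests are dropped
when they arrive from outside the link and flagged when one local source
sends them in a burst, the traffic pattern behind reflection/amplification.
The LAN prefix, burst threshold and sample traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

MDNS_PORT = 5353
SSDP_PORT = 1900
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
LOCAL_LINK = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
MSEARCH_BURST = 5  # assumed: more M-SEARCH requests than this per source raise an alert


@dataclass(frozen=True)
class Datagram:
    """Minimal view of a UDP datagram observed at the link boundary."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LOCAL_LINK


def classify_mdns(dg: Datagram) -> str:
    """mDNS mitigation 2: block port 5353 traffic from/to outside the local link.

    Link-internal unicast and traffic to the 224.0.0.251 group are allowed;
    anything whose source or destination lies outside the link is dropped.
    """
    src_local = is_local(dg.src)
    dst_local = is_local(dg.dst) or ipaddress.ip_address(dg.dst) == MDNS_GROUP
    return "allow" if src_local and dst_local else "drop"


def ssdp_method(payload: bytes):
    """SSDP rides on HTTPU, so the request line is the first CRLF-terminated line."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = request_line.split(" ")
    return parts[0] if len(parts) == 3 else None  # e.g. "M-SEARCH * HTTP/1.1"


class SsdpMonitor:
    """Monitors M-SEARCH requests per source, as the SSDP solutions recommend."""

    def __init__(self, burst: int = MSEARCH_BURST):
        self.burst = burst
        self.msearch_seen = defaultdict(int)

    def inspect(self, dg: Datagram) -> str:
        if ssdp_method(dg.payload) != "M-SEARCH":
            return "allow"  # NOTIFY announcements and responses are not rate-limited here
        if not is_local(dg.src):
            return "drop"   # discovery requests must not enter from outside the link
        self.msearch_seen[dg.src] += 1
        if self.msearch_seen[dg.src] > self.burst:
            return "alert"  # burst from one host: likely abuse of devices as reflectors
        return "allow"


def apply_policy(datagrams) -> list:
    """Run both checks over a sequence of datagrams; non-discovery traffic is ignored."""
    monitor = SsdpMonitor()
    verdicts = []
    for dg in datagrams:
        if dg.dport == MDNS_PORT:
            verdicts.append(classify_mdns(dg))
        elif dg.dport == SSDP_PORT:
            verdicts.append(monitor.inspect(dg))
        else:
            verdicts.append("ignore")
    return verdicts


MSEARCH = b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n"
NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"

# Constructed sample traffic (not a real capture).
SAMPLE_DATAGRAMS = [
    Datagram("192.168.1.10", "224.0.0.251", MDNS_PORT, b"\x00\x00"),        # local mDNS query
    Datagram("203.0.113.5", "192.168.1.10", MDNS_PORT, b"\x00\x00"),        # mDNS from the Internet
    Datagram("192.168.1.20", "239.255.255.250", SSDP_PORT, NOTIFY),         # device announcement
    Datagram("198.51.100.7", "239.255.255.250", SSDP_PORT, MSEARCH),        # external discovery request
    Datagram("192.168.1.10", "192.168.1.20", 80, b"GET / HTTP/1.1\r\n\r\n"),  # unrelated traffic
] + [Datagram("192.168.1.30", "239.255.255.250", SSDP_PORT, MSEARCH)] * 6  # M-SEARCH burst


if __name__ == "__main__":
    for dg, verdict in zip(SAMPLE_DATAGRAMS, apply_policy(SAMPLE_DATAGRAMS)):
        print(f"{dg.src:>14} -> {dg.dst}:{dg.dport:<5} {verdict}")
```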

TABLE 2. Summary of the key security requirements, threats, and potential solutions in the IoT application use cases.

Hence, guaranteeing the proper precautions and safety steps to secure the interfaces is crucial.

C. SCALABILITY-RELATED SECURITY CHALLENGES

As mentioned in Section V-A1, IoT systems are usually large in the number and heterogeneity of the deployed devices. The large scale of these systems can raise key scalability-related security challenges [163]. The first challenge is the low processing capability and storage capacity in large-scale IoT networks. More specifically, many IoT devices, e.g., smart sensors for fine-grained sensing, have very limited processing and storage capability. This makes them almost incapable of implementing and executing resource-demanding security techniques, such as anti-malware and security protocols. The second challenge is the physical protection of IoT devices. Most current IoT security approaches focus on defense against distant adversaries and assume that the devices are not physically accessible to the adversaries. However, this is mostly not true for large-scale IoT networks, consisting of many scattered devices in and outside buildings, industrial environments, cities, etc. In most cases, it is possible for attackers to easily gain physical access to IoT devices and perform destructive actions, such as retrieving data and reflashing the devices. The last but not least challenge is the long-running sessions of IoT devices. Usually, IoT devices have long-running sessions, which may last for days, weeks, or months. Meanwhile, most current communication protection solutions (i.e., channel protection) are designed for short-running sessions. Hence, this can become problematic for IoT communication with long-running sessions. For example, attackers can learn much by only wiretapping the communication channel.

Regarding the above-mentioned discussion, whoever designs security solutions for IoT should consider the security issues arising from the scalability characteristics of IoT networks.

D. BLOCKCHAIN

IoT systems are usually large-scale and distributed in nature. These features turn security into a critical challenge in such systems. In other words, IoT environments call for scalable, decentralized, and lightweight security protection. At the same time, blockchain technology has the ability to respond to the above-mentioned challenges by providing distributed, secure, and private mechanisms [164]. In addition, the Ethereum blockchain introduced a new feature, named smart contracts, that can perform a crucial function in managing, controlling, and securing IoT devices. Generally speaking, based on our understanding of blockchain technology and IoT security, we can refer to the following items as the roles that this technology can fulfill for IoT security: 1) Data integrity and authentication, 2) Access control and privacy, and 3) Secure communications.

Despite these decisive advantages, blockchain-based solutions suffer from challenges, such as delay, computational overhead, and energy hunger [165].

E. NETWORK VIRTUALIZATION FOR IoT

As mentioned, IoT use cases range from smart grids to smart agriculture. Due to the wide range of IoT applications, IoT infrastructures become increasingly complicated and call for highly dynamic and effective management and configuration techniques. SDN and Network Function Virtualization (NFV), working together under the umbrella of Network Softwarization, have been considerably investigated for IoT recently [166]. Following this trend, IoT management solutions based on softwarization techniques have been one of the focuses in recent years. More specifically, considering the large scale of IoT networks, it is nearly impossible to configure remote devices manually. SDN is capable of enabling effective configuration and management solutions across IoT networks. These solutions can be adapted for IoT application deployment, network slicing, device configuration and discovery, and management of the edge/cloud.

Besides SDN, management solutions based on NFV have also been adopted for IoT networks. These solutions may be related to different aspects of IoT, including security, reducing costs in IoT, load balancing, on-demand management, etc. Moreover, virtualization-based solutions can be explicitly adopted for IoT security purposes. For example, as we mentioned in Section V-A1, large-scale IoT networks can present challenges to the security of the networks. The single-point programmability feature of SDN technology can bring many advantages in terms of security functions, resource optimization, network policy, etc. Moreover, virtualizing the functions of IoT devices can enforce security procedures on physical devices.

F. MACHINE LEARNING FOR IoT SECURITY

Considering that the number of IoT attacks is increasing at an exponential rate, it is necessary to provide solutions that combine state-of-the-art methods and technologies from machine learning and Big Data. Machine learning-based solutions can provide Embedded Intelligence (EI) in IoT systems and can be used to deal with various security issues, such as intrusion and anomaly detection. For several reasons, machine learning-based algorithms are promising solutions for different aspects of IoT systems, especially security. The first reason is that IoT systems produce massive amounts of data that machine learning models can use for training purposes and bring intelligence to IoT networks. Furthermore, the IoT data utilized by machine learning techniques allow IoT networks to arrive at more intelligent and informed decisions. Machine learning models are widely adopted in IoT networks to deal with various security issues, including attack and malware detection, malicious code detection, DDoS attack detection, and facial recognition and authentication.

However, when designing machine learning-based solutions, one should consider the following points: 1) The scalability of the solution, 2) Selecting the right datasets for training, 3) Continuous model training and data labeling, and 4) The computational complexity of the model.

VOLUME 10, 2022 97211


M. Abbasi et al.: Security in the IoT Application Layer: Requirements, Threats, and Solutions

TABLE 3. Summary of the main security threats and potential solutions in the IoT application layer protocols.

VII. DISCUSSION AND CONCLUSION

As our paper indicates, the security of the IoT application layer is paramount. A strong body of literature has investigated IoT security from different points of view. However, few studies have been conducted to individually review the security aspects of the IoT application layer. Providing a precise classification of the critical security requirements, threats, and existing solutions in the IoT application layer will facilitate the development of novel IoT use cases and IoT application layer protocols and improve the security of existing IoT-based solutions.

In this paper, we studied the security of the IoT application layer. We first provided background on IoT and its security and then discussed some related papers to emphasize the differences between them and our work. Afterward, we categorized and discussed the key security requirements of the IoT application layer, threats, and potential solutions. To take the right direction and conduct an extensive review, our study is based primarily on two perspectives: IoT use cases and IoT application layer protocols.

Given the IoT application layer, we identified six key security requirements: confidentiality, integrity, availability, authentication/authorization, non-repudiation, and privacy. Satisfying these security requirements can lead to the proper operation of IoT systems and prevent security vulnerabilities and threats. Based on these requirements, we investigated the security aspects of six key IoT use cases: smart grids, smart healthcare, ITS, smart agriculture, industrial IoT, and smart cities. Furthermore, we discussed the security challenges and potential solutions of the leading IoT application layer protocols, including MQTT, CoAP, XMPP, mDNS, and SSDP. Regarding future research lines, as we mentioned, many studies have been conducted on using blockchain technologies and machine learning to guarantee security in IoT settings.

REFERENCES

[1] L. Atzori, I. A. Iera, and M. Giacomo, ‘‘The Internet of Things: A survey,’’ Comput. Netw., vol. 54, no. 15, pp. 2787–2805, May 2010.
[2] A. Shahraki, M. Abbasi, A. Taherkordi, and A. D. Jurcut, ‘‘A comparative study on online machine learning techniques for network traffic streams analysis,’’ Comput. Netw., vol. 207, Apr. 2022, Art. no. 108836.
[3] McKinsey Global Institute. The Internet of Things: Mapping the Value Beyond the Hype. Accessed: Jun. 20, 2022. [Online]. Available: https://www.mckinsey.com/~/media/McKinsey/Industries/Technology
[4] M. Plaza-Hernandez, I. Sittón-Candanedo, R. S. Alonso, L. C. M.-D. Iturrate, J. Prieto, K. Kravari, T. Kosmanis, G. Katranas, M. P. Silva, and J. M. Corchado, ‘‘Edge computing and Internet of Things based platform to improve the quality of life of the silver economy on leisure cruise ships,’’ in Proc. Int. Symp. Comput. Sci. Intell. Controls (ISCSIC), Nov. 2021, pp. 159–163.
[5] F. J. Dian, R. Vahidnia, and A. Rahmati, ‘‘Wearables and the Internet of Things (IoT), applications, opportunities, and challenges: A survey,’’ IEEE Access, vol. 8, pp. 69200–69211, 2020.
[6] Z.-K. Zhang, M. C. Y. Cho, C.-W. Wang, C.-W. Hsu, C.-K. Chen, and S. Shieh, ‘‘IoT security: Ongoing challenges and research opportunities,’’ in Proc. IEEE 7th Int. Conf. Service-Oriented Comput. Appl., Nov. 2014, pp. 230–234.
[7] F. A. Alaba, M. Othman, I. A. T. Hashem, and F. Alotaibi, ‘‘Internet of Things security: A survey,’’ J. Netw. Comput. Appl., vol. 88, pp. 10–28, Jun. 2017.
[8] D. Swessi and H. Idoudi, ‘‘A survey on Internet-of-Things security: Threats and emerging countermeasures,’’ Wireless Pers. Commun., vol. 124, pp. 1557–1592, Jan. 2022.
[9] H. HaddadPajouh, A. Dehghantanha, R. M. Parizi, M. Aledhari, and H. Karimipour, ‘‘A survey on Internet of Things security: Requirements, challenges, and solutions,’’ Internet Things, vol. 14, Jun. 2021, Art. no. 100129.
[10] A. Shahraki, M. Abbasi, and Ø. Haugen, ‘‘Boosting algorithms for network intrusion detection: A comparative evaluation of real AdaBoost, gentle AdaBoost and modest AdaBoost,’’ Eng. Appl. Artif. Intell., vol. 94, Sep. 2020, Art. no. 103770.
[11] M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, ‘‘A survey of machine and deep learning methods for Internet of Things (IoT) security,’’ IEEE Commun. Surveys Tuts., vol. 22, no. 3, pp. 1646–1685, 3rd Quart., 2020.
[12] F. Al-Turjman, H. Zahmatkesh, and R. Shahroze, ‘‘An overview of security and privacy in smart cities’ IoT communications,’’ Trans. Emerg. Telecommun. Technol., vol. 33, no. 3, p. e3677, Mar. 2022.
[13] N. Mazhar, R. Salleh, M. Zeeshan, and M. M. Hameed, ‘‘Role of device identification and manufacturer usage description in IoT security: A survey,’’ IEEE Access, vol. 9, pp. 41757–41786, 2021.
[14] V. Hassija, V. Chamola, V. Saxena, D. Jain, P. Goyal, and B. Sikdar, ‘‘A survey on IoT security: Application areas, security threats, and solution architectures,’’ IEEE Access, vol. 7, pp. 82721–82743, 2019.
[15] G. Katranas, A. Riel, J. M. Corchado-Rodríguez, and M. Plaza-Hernández, ‘‘The SMARTSEA education approach to leveraging the Internet of Things in the maritime industry,’’ in Proc. Eur. Conf. Softw. Process Improvement. Cham, Switzerland: Springer, 2020, pp. 247–258.

97212 VOLUME 10, 2022


M. Abbasi et al.: Security in the IoT Application Layer: Requirements, Threats, and Solutions

[16] C. C. Sobin, ‘‘A survey on architecture, protocols and challenges in IoT,’’ Wireless Pers. Commun., vol. 112, no. 3, pp. 1383–1429, Jun. 2020.
[17] P. P. Ray, ‘‘A survey on Internet of Things architectures,’’ J. King Saud Univ.-Comput. Inf. Sci., vol. 30, no. 3, pp. 291–319, 2018.
[18] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, and M. Ayyash, ‘‘Internet of Things: A survey on enabling technologies, protocols, and applications,’’ IEEE Commun. Surveys Tuts., vol. 17, no. 4, pp. 2347–2376, 4th Quart., 2015.
[19] A. Nauman, Y. A. Qadri, M. Amjad, Y. B. Zikria, M. K. Afzal, and S. W. Kim, ‘‘Multimedia Internet of Things: A comprehensive survey,’’ IEEE Access, vol. 8, pp. 8202–8250, 2020.
[20] J. Chen, C. Touati, and Q. Zhu, ‘‘Optimal secure two-layer IoT network design,’’ IEEE Trans. Control Netw. Syst., vol. 7, no. 1, pp. 398–409, Mar. 2020.
[21] M. B. M. Noor and W. H. Hassan, ‘‘Current research on Internet of Things (IoT) security: A survey,’’ Comput. Netw., vol. 148, pp. 283–294, Jan. 2019.
[22] D. E. Kouicem, A. Bouabdallah, and H. Lakhlef, ‘‘Internet of Things security: A top-down survey,’’ Comput. Netw., vol. 141, pp. 199–221, Aug. 2018.
[23] A. E. Omolara, A. Alabdulatif, O. I. Abiodun, M. Alawida, A. Alabdulatif, W. H. Alshoura, and H. Arshad, ‘‘The Internet of Things security: A survey encompassing unexplored areas and new insights,’’ Comput. Secur., vol. 112, Jan. 2022, Art. no. 102494.
[24] A. Canito, K. Aleid, I. Praça, J. Corchado, and G. Marreiros, ‘‘An ontology to promote interoperability between cyber-physical security systems in critical infrastructures,’’ in Proc. IEEE 6th Int. Conf. Comput. Commun. (ICCC), Dec. 2020, pp. 553–560.
[25] S. Zhu, S. Yang, X. Gou, Y. Xu, T. Zhang, and Y. Wan, ‘‘Survey of testing methods and testbed development concerning Internet of Things,’’ Wireless Pers. Commun., vol. 123, no. 1, pp. 165–194, 2022.
[26] S. A. Haider, M. N. Adil, and M. Zhao, ‘‘Optimization of secure wireless communications for IoT networks in the presence of eavesdroppers,’’ Comput. Commun., vol. 154, pp. 119–128, Mar. 2020.
[27] M. Salimitari, M. Chatterjee, and Y. P. Fallah, ‘‘A survey on consensus methods in blockchain for resource-constrained IoT networks,’’ Internet Things, vol. 11, Sep. 2020, Art. no. 100212.
[28] X. Luo, L. Yin, C. Li, C. Wang, F. Fang, C. Zhu, and Z. Tian, ‘‘A lightweight privacy-preserving communication protocol for heterogeneous IoT environment,’’ IEEE Access, vol. 8, pp. 67192–67204, 2020.
[29] Z. Xiong, Y. Zhang, N. C. Luong, D. Niyato, P. Wang, and N. Guizani, ‘‘The best of both worlds: A general architecture for data management in blockchain-enabled Internet-of-Things,’’ IEEE Netw., vol. 34, no. 1, pp. 166–173, Jan. 2020.
[30] T. A. Ahanger, A. Aljumah, and M. Atiquzzaman, ‘‘State-of-the-art survey of artificial intelligent techniques for IoT security,’’ Comput. Netw., vol. 206, Apr. 2022, Art. no. 108771.
[31] I. Ahmad, M. S. Niazy, R. A. Ziar, and S. Khan, ‘‘Survey on IoT: Security threats and applications,’’ J. Robot. Control, vol. 2, no. 1, pp. 42–46, 2021.
[32] N. Wang, P. Wang, A. Alipour-Fanid, L. Jiao, and K. Zeng, ‘‘Physical-layer security of 5G wireless networks for IoT: Challenges and opportunities,’’ IEEE Internet Things J., vol. 6, no. 5, pp. 8169–8181, Oct. 2019.
[33] L. Sun and Q. Du, ‘‘A review of physical layer security techniques for Internet of Things: Challenges and solutions,’’ Entropy, vol. 20, no. 10, p. 730, 2018.
[34] H. A. Khattak, M. A. Shah, S. Khan, I. Ali, and M. Imran, ‘‘Perception layer security in Internet of Things,’’ Future Gener. Comput. Syst., vol. 100, pp. 144–164, Nov. 2019.
[35] K. Aarika, M. Bouhlal, R. A. Abdelouahid, S. Elfilali, and E. Benlahmar, ‘‘Perception layer security in the Internet of Things,’’ Proc. Comput. Sci., vol. 175, pp. 591–596, Jan. 2020.
[36] B. Balamurugan and D. Biswas, ‘‘Security in network layer of IoT: Possible measures to preclude,’’ in Security Breaches and Threat Prevention in the Internet of Things. Hershey, PA, USA: IGI Global, 2017, pp. 46–75.
[37] D. Puthal, S. Nepal, R. Ranjan, and J. Chen, ‘‘Threats to networking cloud and edge datacenters in the Internet of Things,’’ IEEE Cloud Comput., vol. 3, no. 3, pp. 64–71, May/Jun. 2016.
[38] D. Minoli and B. Occhiogrosso, ‘‘Blockchain mechanisms for IoT security,’’ Internet Things, vols. 1–2, pp. 1–13, Sep. 2018.
[39] A. Abdelmaboud, A. I. A. Ahmed, M. Abaker, T. A. E. Eisa, H. Albasheer, S. A. Ghorashi, and F. K. Karim, ‘‘Blockchain for IoT applications: Taxonomy, platforms, recent advances, challenges and future research directions,’’ Electronics, vol. 11, no. 4, p. 630, Feb. 2022.
[40] I. H. Sarker, A. I. Khan, Y. B. Abushark, and F. Alsolami, ‘‘Internet of Things (IoT) security intelligence: A comprehensive overview, machine learning solutions and research directions,’’ Mobile Netw. Appl., vol. 27, pp. 1–17, Mar. 2022.
[41] I. Kotenko, K. Izrailov, and M. Buinevich, ‘‘Static analysis of information systems for IoT cyber security: A survey of machine learning approaches,’’ Sensors, vol. 22, no. 4, p. 1335, Feb. 2022.
[42] R. Kanagavelu and K. M. M. Aung, ‘‘A survey on SDN based security in Internet of Things,’’ in Proc. Future Inf. Commun. Conf. Cham, Switzerland: Springer, 2018, pp. 563–577.
[43] A. Al Hayajneh, M. Z. A. Bhuiyan, and I. McAndrew, ‘‘Improving Internet of Things (IoT) security with software-defined networking (SDN),’’ Computers, vol. 9, no. 1, p. 8, Feb. 2020.
[44] K. S. Sudha and N. Jeyanthi, ‘‘A review on privacy requirements and application layer security in Internet of Things (IoT),’’ Cybern. Inf. Technol., vol. 21, no. 3, pp. 50–72, Sep. 2021.
[45] G. Nebbione and M. C. Calzarossa, ‘‘Security of IoT application layer protocols: Challenges and findings,’’ Future Internet, vol. 12, no. 3, p. 55, Mar. 2020.
[46] L. Nastase, ‘‘Security in the Internet of Things: A survey on application layer protocols,’’ in Proc. 21st Int. Conf. Control Syst. Comput. Sci. (CSCS), May 2017, pp. 659–666.
[47] S. N. Swamy, D. Jadhav, and N. Kulkarni, ‘‘Security threats in the application layer in IoT applications,’’ in Proc. Int. Conf. I-SMAC (IoT Social, Mobile, Analytics Cloud) (I-SMAC), Feb. 2017, pp. 477–480.
[48] D. Johnson and M. Ketel, ‘‘IoT: Application protocols and security,’’ Int. J. Comput. Netw. Inf. Secur., vol. 11, no. 4, pp. 1–8, Apr. 2019.
[49] J. Ferdows, S. T. Mehedi, A. S. M. D. Hossain, A. A. M. Shamim, and G. M. R. I. Rasiq, ‘‘A comprehensive study of IoT application layer security management,’’ in Proc. IEEE Int. Conf. for Innov. Technol. (INOCON), Nov. 2020, pp. 1–7.
[50] P. K. Donta, S. N. Srirama, T. Amgoth, and C. S. R. Annavarapu, ‘‘Survey on recent advances in IoT application layer protocols and machine learning scope for research directions,’’ Digit. Commun. Netw., Oct. 2021.
[51] H. Mrabet, S. Belguith, A. Alhomoud, and A. Jemai, ‘‘A survey of IoT security based on a layered architecture of sensing and data analysis,’’ Sensors, vol. 20, no. 13, p. 3625, Jun. 2020.
[52] S. Rizvi, A. Kurtz, J. Pfeffer, and M. Rizvi, ‘‘Securing the Internet of Things (IoT): A security taxonomy for IoT,’’ in Proc. 17th IEEE Int. Conf. Trust, Secur. Privacy Comput. Commun./12th IEEE Int. Conf. Big Data Sci. Eng. (TrustCom/BigDataSE), Aug. 2018, pp. 163–168.
[53] N. Tripathi and N. Hubballi, ‘‘Application layer denial-of-service attacks and defense mechanisms: A survey,’’ ACM Comput. Surv., vol. 54, no. 4, pp. 1–33, 2021.
[54] R. A. Rahman and B. Shah, ‘‘Security analysis of IoT protocols: A focus in CoAP,’’ in Proc. 3rd MEC Int. Conf. Big Data Smart City (ICBDSC), Mar. 2016, pp. 1–7.
[55] A. Tewari and B. B. Gupta, ‘‘Security, privacy and trust of different layers in Internet-of-Things (IoTs) framework,’’ Future Gener. Comput. Syst., vol. 108, pp. 909–920, Jul. 2020.
[56] M. Z. Gunduz and R. Das, ‘‘Cyber-security on smart grid: Threats and potential solutions,’’ Comput. Netw., vol. 169, Mar. 2020, Art. no. 107094.
[57] M. B. Gough, S. F. Santos, T. AlSkaif, M. S. Javadi, R. Castro, and J. P. S. Catalão, ‘‘Preserving privacy of smart meter data in a smart grid environment,’’ IEEE Trans. Ind. Informat., vol. 18, no. 1, pp. 707–718, Jan. 2022.
[58] F. Alshehri and G. Muhammad, ‘‘A comprehensive survey of the Internet of Things (IoT) and AI-based smart healthcare,’’ IEEE Access, vol. 9, pp. 3660–3678, 2021.
[59] R. H. et al., ‘‘A survey: Security challenges of vanet and their current solution,’’ Turkish J. Comput. Math. Educ., vol. 12, no. 2, pp. 1239–1244, Apr. 2021.
[60] I. Ali, Y. Chen, M. Faisal, and M. Li, ‘‘Certificateless signature-based authentication scheme for vehicle-to-infrastructure communications using bilinear pairing,’’ in Efficient and Provably Secure Schemes for Vehicular Ad-Hoc Networks. Singapore: Springer, 2022, pp. 91–119.
[61] X. Yang, L. Shu, J. Chen, M. A. Ferrag, J. Wu, E. Nurellari, and K. Huang, ‘‘A survey on smart agriculture: Development modes, technologies, and security and privacy challenges,’’ IEEE/CAA J. Autom. Sinica, vol. 8, no. 2, pp. 273–302, Feb. 2021.

VOLUME 10, 2022 97213


M. Abbasi et al.: Security in the IoT Application Layer: Requirements, Threats, and Solutions

[62] T. Gebremichael, L. P. Ledwaba, M. H. Eldefrawy, G. P. Hancke, N. Pereira, M. Gidlund, and J. Akerberg, ‘‘Security and privacy in the industrial Internet of Things: Current standards and future challenges,’’ IEEE Access, vol. 8, pp. 152351–152366, 2020.
[63] N. Agrawal and R. Kumar, ‘‘Security perspective analysis of industrial cyber physical systems (I-CPS): A decade-wide survey,’’ ISA Trans., Mar. 2022.
[64] L. L. Dhirani, E. Armstrong, and T. Newe, ‘‘Industrial IoT, cyber threats, and standards landscape: Evaluation and roadmap,’’ Sensors, vol. 21, no. 11, p. 3901, Jun. 2021. [Online]. Available: https://www.mdpi.com/1424-8220/21/11/3901
[65] D. A. Hahn, A. Munir, and V. Behzadan, ‘‘Security and privacy issues in intelligent transportation systems: Classification and challenges,’’ IEEE Intell. Transp. Syst. Mag., vol. 13, no. 1, pp. 181–196, Spring 2021.
[66] F. Al-Turjman and S. Alturjman, ‘‘Confidential smart-sensing framework in the IoT era,’’ J. Supercomput., vol. 74, no. 10, pp. 5187–5198, Oct. 2018.
[67] S.-X. Wang, H.-W. Chen, Q.-Y. Zhao, L.-Y. Guo, X.-Y. Deng, W.-G. Si, and Z.-Q. Sun, ‘‘Preserving scheme for user’s confidential information in smart grid based on digital watermark and asymmetric encryption,’’ J. Central South Univ., vol. 29, no. 2, pp. 726–740, Feb. 2022.
[68] A. Sharma, K. Gautam, and T. K. Koirala, ‘‘Comparison of IoT application layer protocols on soft computing paradigms: A survey,’’ in Advances in Communication, Devices and Networking. Singapore: Springer, 2022, pp. 307–317.
[69] P. Li, J. Su, and X. Wang, ‘‘ITLS: Lightweight transport-layer security protocol for IoT with minimal latency and perfect forward secrecy,’’ IEEE Internet Things J., vol. 7, no. 8, pp. 6828–6841, Aug. 2020.
[70] C. Machado and A. A. M. Fröhlich, ‘‘IoT data integrity verification for cyber-physical systems using blockchain,’’ in Proc. IEEE 21st Int. Symp. Real-Time Distrib. Comput. (ISORC), May 2018, pp. 83–90.
[71] O. Friha, M. A. Ferrag, L. Shu, L. Maglaras, and X. Wang, ‘‘Internet of Things for the future of smart agriculture: A comprehensive survey of emerging technologies,’’ IEEE/CAA J. Autom. Sinica, vol. 8, no. 4, pp. 718–752, Apr. 2021.
[72] S. Madhawa, P. Balakrishnan, and U. Arumugam, ‘‘Roll forward validation based decision tree classification for detecting data integrity attacks in industrial Internet of Things,’’ J. Intell. Fuzzy Syst., vol. 36, no. 3, pp. 2355–2366, 2019.
[73] T. Sultana and K. A. Wahid, ‘‘Choice of application layer protocols for next generation video surveillance using internet of video things,’’ IEEE Access, vol. 7, pp. 41607–41624, 2019.
[74] S. Pal, M. Hitchens, T. Rabehaja, and S. Mukhopadhyay, ‘‘Security requirements for the Internet of Things: A systematic approach,’’ Sensors, vol. 20, no. 20, p. 5897, Oct. 2020.
[75] J. Yan, J. Liu, and F.-M. Tseng, ‘‘An evaluation system based on the self-organizing system framework of smart cities: A case study of smart transportation systems in China,’’ Technol. Forecasting Social Change, vol. 153, Apr. 2020, Art. no. 119371.
[76] M. T. Ahvanooey, M. X. Zhu, Q. Li, W. Mazurczyk, K.-K.-R. Choo, B. B. Gupta, and M. Conti, ‘‘Modern authentication schemes in smartphones and IoT devices: An empirical survey,’’ IEEE Internet Things J.,
[84] T. Salman and R. Jain, ‘‘A survey of protocols and standards for Internet of Things,’’ 2019, arXiv:1903.11549.
[85] F. Nizzi, T. Pecorella, F. Esposito, L. Pierucci, and R. Fantacci, ‘‘IoT security via address shuffling: The easy way,’’ IEEE Internet Things J., vol. 6, no. 2, pp. 3764–3774, Apr. 2019.
[86] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, ‘‘A survey on cyber security for smart grid communications,’’ IEEE Commun. Surveys Tuts., vol. 14, no. 4, pp. 998–1010, 4th Quart., 2012.
[87] A. D. Jurcut, P. Ranaweera, and L. Xu, ‘‘Introduction to IoT security,’’ in IoT Security: Advances in Authentication. Hoboken, NJ, USA: Wiley, 2020, pp. 27–64.
[88] H. Zhang, B. Liu, and H. Wu, ‘‘Smart grid cyber-physical attack and defense: A review,’’ IEEE Access, vol. 9, pp. 29641–29659, 2021.
[89] S. Sengan, V. Subramaniyaswamy, V. Indragandhi, and L. Ravi, ‘‘Detection of false data cyber-attacks for the assessment of security in smart grid using deep learning,’’ Comput. Electr. Eng., vol. 93, Jul. 2021, Art. no. 107211.
[90] Y. Li, P. Zhang, and R. Huang, ‘‘Lightweight quantum encryption for secure transmission of power data in smart grid,’’ IEEE Access, vol. 7, pp. 36285–36293, 2019.
[91] J. Zavala-Díaz, E. Reyes-Archundia, J. C. Olivares-Rojas, M. V. Chávez-Báez, J. A. Gutiérrez-Gnecchi, and A. Méndez-Patiño, ‘‘Study of public key cryptography techniques for authentication in embedded devices for smart grids,’’ in Proc. IEEE Int. Autumn Meeting Power, Electron. Comput. (ROPEC), Nov. 2021, pp. 1–5.
[92] S. Singh, V. B. Pamshetti, A. K. Thakur, and S. P. Singh, ‘‘Multistage multiobjective Volt/VAR control for smart grid-enabled CVR with solar PV penetration,’’ IEEE Syst. J., vol. 15, no. 2, pp. 2767–2778, Jun. 2021.
[93] A. Huseinović, S. Mrdović, K. Bicakci, and S. Uludag, ‘‘A survey of denial-of-service attacks and solutions in the smart grid,’’ IEEE Access, vol. 8, pp. 177447–177470, 2020.
[94] H. Pirayesh and H. Zeng, ‘‘Jamming attacks and anti-jamming strategies in wireless networks: A comprehensive survey,’’ IEEE Commun. Surveys Tuts., vol. 24, no. 2, pp. 767–809, 2nd Quart., 2022.
[95] I. Masood, Y. Wang, A. Daud, N. R. Aljohani, and H. Dawood, ‘‘Towards smart healthcare: Patient data privacy and security in sensor-cloud infrastructure,’’ Wireless Commun. Mobile Comput., vol. 2018, pp. 1–23, Nov. 2018.
[96] H. Ghayvat, S. Pandya, P. Bhattacharya, M. Zuhair, M. Rashid, S. Hakak, and K. Dev, ‘‘CP-BDHCA: Blockchain-based confidentiality-privacy preserving big data scheme for healthcare clouds and applications,’’ IEEE J. Biomed. Health Informat., vol. 26, no. 5, pp. 1937–1948, May 2022.
[97] K. Renuka, S. Kumari, and X. Li, ‘‘Design of a secure three-factor authentication scheme for smart healthcare,’’ J. Med. Syst., vol. 43, no. 5, pp. 1–12, May 2019.
[98] D. He, R. Ye, S. Chan, M. Guizani, and Y. Xu, ‘‘Privacy in the Internet of Things for smart healthcare,’’ IEEE Commun. Mag., vol. 56, no. 4, pp. 38–44, Apr. 2018.
[99] C. Xu, H. H. Yang, X. Wang, and T. Q. S. Quek, ‘‘Optimizing information freshness in computing-enabled IoT networks,’’ IEEE Internet Things J., vol. 7, no. 2, pp. 971–985, Feb. 2020.

1490 vol. 9, no. 10, pp. 7639–7663, May 2022. [100] S. M. Ahmed and A. Rajput, ‘‘Threats to patients’ privacy in smart health- 1563

1491 [77] R. G. Engoulou, M. Bellaïche, S. Pierre, and A. Quintero, ‘‘VANET care environment,’’ in Innovation in Health Informatics. Amsterdam, 1564

1492 security surveys,’’ Comput. Commun., vol. 44, pp. 1–13, May 2014. The Netherlands: Elsevier, 2020, pp. 375–393. 1565

1493 [78] P. Gupta and M. I. O. Prabha, ‘‘A survey of application layer protocols for [101] A. Algarni, ‘‘A survey and classification of security and privacy research 1566

1494 Internet of Things,’’ in Proc. Int. Conf. Commun. Inf. Comput. Technol. in smart healthcare systems,’’ IEEE Access, vol. 7, pp. 101879–101894, 1567

1495 (ICCICT), Jun. 2021, pp. 1–6. 2019. 1568

1496 [79] F. Armknecht, A. Festag, D. Westhoff, and K. Zeng, ‘‘Cross-layer privacy [102] A. Maimaris and G. Papageorgiou, ‘‘A review of intelligent transportation 1569

1497 enhancement and non-repudiation in vehicular communication,’’ in Proc. systems from a communications technology perspective,’’ in Proc. IEEE 1570

1498 Commun. Distrib. Syst., ITG/GI Symp. Frankfurt, Germany: VDE, 2007, 19th Int. Conf. Intell. Transp. Syst. (ITSC), Nov. 2016, pp. 54–59. 1571

1499 pp. 1–12. [103] V. Behzadan and A. Munir, ‘‘Models and framework for adversarial 1572
1500 [80] C.-L. Chen, Y.-Y. Deng, C.-T. Li, S. Zhu, Y.-J. Chiu, and P.-Z. Chen, attacks on complex adaptive systems,’’ 2017, arXiv:1709.04137. 1573
1501 ‘‘An IoT-based traceable drug anti-counterfeiting management system,’’ [104] F. Azam, S. Kumar, K. P. Yadav, N. Priyadarshi, and S. Padmanaban, 1574
1502 IEEE Access, vol. 8, pp. 224532–224548, 2020. ‘‘An outline of the security challenges in VANET,’’ in Proc. IEEE 7th 1575
1503 [81] H. Hasrouny, A. E. Samhat, C. Bassil, and A. Laouiti, ‘‘VANet security Uttar Pradesh Sect. Int. Conf. Electr., Electron. Comput. Eng. (UPCON), 1576
1504 challenges and solutions: A survey,’’ Veh. Commun., vol. 7, pp. 7–20, Nov. 2020, pp. 1–6. 1577
1505 Jan. 2017. [105] M. Wazid, B. Bera, A. K. Das, S. P. Mohanty, and M. Jo, ‘‘Fortifying 1578
1506 [82] A. A. A. Sen, F. A. Eassa, K. Jambi, and M. Yamin, ‘‘Preserving privacy smart transportation security through public blockchain,’’ IEEE Internet 1579
1507 in Internet of Things: A survey,’’ Int. J. Inf. Technol., vol. 10, no. 2, Things J., vol. 9, no. 17, pp. 16532–16545, Sep. 2022. 1580
1508 pp. 189–200, Jun. 2018. [106] M. Gayathri and C. Gomathy, ‘‘An overview of security services and 1581

1509 [83] V. Sharma, I. You, K. Andersson, F. Palmieri, M. H. Rehmani, and J. Lim, trust-based authentication schemes in VANET,’’ in Micro-Electronics 1582

1510 ‘‘Security, privacy and trust for smart mobile-Internet of Things (M-IoT): and Telecommunication Engineering. Basel, Switzerland: MDPI, 2022, 1583

1511 A survey,’’ IEEE Access, vol. 8, pp. 167123–167163, 2020. pp. 193–205. 1584

97214 VOLUME 10, 2022


M. Abbasi et al.: Security in the IoT Application Layer: Requirements, Threats, and Solutions

1585 [107] A. Lamssaggad, N. Benamar, A. S. Hafid, and M. Msahli, ‘‘A survey [128] H. Khalid, S. J. Hashim, S. M. S. Ahmad, F. Hashim, and 1661
1586 on the current security landscape of intelligent transportation systems,’’ M. A. Chaudhary, ‘‘SELAMAT: A new secure and lightweight multi- 1662
1587 IEEE Access, vol. 9, pp. 9180–9208, 2021. factor authentication scheme for cross-platform industrial IoT systems,’’ 1663
1588 [108] Y. Sun, K. Yu, A. K. Bashir, and X. Liao, ‘‘Bl-IEA: A bit-level image Sensors, vol. 21, no. 4, p. 1428, 2021. 1664
1589 encryption algorithm for cognitive services in intelligent transportation [129] K.-K. R. Choo, S. Gritzalis, and J. H. Park, ‘‘Cryptographic solutions 1665
1590 systems,’’ IEEE Trans. Intell. Transp. Syst., early access, Nov. 30, 2021, for industrial Internet-of-Things: Research challenges and opportunities,’’ 1666
1591 doi: 10.1109/TITS.2021.3129598. IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3567–3569, Aug. 2018. 1667
1592 [109] X. Shen, Y. Lu, Y. Zhang, X. Liu, and L. Zhang, ‘‘An innovative data [130] S. R. Chhetri, N. Rashid, S. Faezi, and M. A. A. Faruque, ‘‘Security trends 1668
1593 integrity verification scheme in the Internet of Things assisted infor- and advances in manufacturing systems in the era of industry 4.0,’’ in 1669
1594 mation exchange in transportation systems,’’ Cluster Comput., vol. 25, Proc. IEEE/ACM Int. Conf. Comput.-Aided Design (ICCAD), Nov. 2017, 1670
1595 pp. 1791–1803, Jan. 2022. pp. 1039–1046. 1671
1596 [110] E. F. Cahyadi and M.-S. Hwang, ‘‘A comprehensive survey on certificate- [131] R. F. Babiceanu and R. Seker, ‘‘Cyber resilience protection for industrial 1672
1597 less aggregate signature in vehicular ad hoc networks,’’ IETE Tech. Rev., Internet of Things: A software-defined networking approach,’’ Comput. 1673
1598 pp. 1–12, Jan. 2022. Ind., vol. 104, pp. 47–58, Jan. 2019. 1674
1599 [111] M. Gupta, M. Abdelsalam, S. Khorsandroo, and S. Mittal, ‘‘Security and [132] P. M. Rao and B. Deebak, ‘‘Security and privacy issues in smart 1675

1600 privacy in smart farming: Challenges and opportunities,’’ IEEE Access, cities/industries: Technologies, applications, and challenges,’’ J. Ambient 1676

1601 vol. 8, pp. 34564–34584, 2020. Intell. Hum. Comput., vol. 13, no. 1, pp. 1–37, Feb. 2022. 1677
1602 [112] S. Salamatian, W. Huleihel, A. Beirami, A. Cohen, and M. Médard, [133] S. T. Zargar, J. Joshi, and D. Tipper, ‘‘A survey of defense mechanisms 1678

1603 ‘‘Why botnets work: Distributed brute-force attacks need no synchroniza- against distributed denial of service (DDoS) flooding attacks,’’ IEEE 1679

1604 tion,’’ IEEE Trans. Inf. Forensics Security, vol. 14, no. 9, pp. 2288–2299, Commun. Surveys Tuts., vol. 15, no. 4, pp. 2046–2069, 4th Quart., 2013. 1680

1605 Sep. 2019. [134] D. Popescul and L. D. Radu, ‘‘Data security in smart cities: Challenges 1681

1606 [113] M. A. Ferrag, L. Shu, H. Djallel, and K.-K.-R. Choo, ‘‘Deep learning- and solutions,’’ Inf. Economică, vol. 20, no. 1, pp. 29–38, Mar. 2016. 1682

1607 based intrusion detection for distributed denial of service attack in agri- [135] H. Habibzadeh, B. H. Nussbaum, F. Anjomshoa, B. Kantarci, and 1683

1608 culture 4.0,’’ Electronics, vol. 10, no. 11, p. 1257, May 2021. [Online]. T. Soyata, ‘‘A survey on cybersecurity, data privacy, and policy issues in 1684

1609 Available: https://www.mdpi.com/2079-9292/10/11/1257 cyber-physical system deployments in smart cities,’’ Sustain. Cities Soc., 1685

1610 [114] S. Sontowski, M. Gupta, S. S. Laya Chukkapalli, M. Abdelsalam, vol. 50, Oct. 2019, Art. no. 101660. 1686

1611 S. Mittal, A. Joshi, and R. Sandhu, ‘‘Cyber attacks on smart farming [136] S. Abbas, M. Faisal, H. U. Rahman, M. Z. Khan, M. Merabti, and 1687

1612 infrastructure,’’ in Proc. IEEE 6th Int. Conf. Collaboration Internet Com- A. U. R. Khan, ‘‘Masquerading attacks detection in mobile ad hoc net- 1688

1613 put. (CIC), Dec. 2020, pp. 135–143. works,’’ IEEE Access, vol. 6, pp. 55013–55025, 2018. 1689

1614 [115] R. Lu, K. Heung, A. H. Lashkari, and A. A. Ghorbani, ‘‘A lightweight [137] M. Sookhak, H. Tang, Y. He, and F. R. Yu, ‘‘Security and privacy of smart 1690

1615 privacy-preserving data aggregation scheme for fog computing-enhanced cities: A survey, research issues and challenges,’’ IEEE Commun. Surveys 1691

1616 IoT,’’ IEEE Access, vol. 5, pp. 3302–3312, 2017. Tuts., vol. 21, no. 2, pp. 1718–1743, 2nd Quart., 2019. 1692

1617 [116] P. Appavoo, M. C. Chan, A. Bhojan, and E.-C. Chang, ‘‘Efficient and [138] L. Bariah, D. Shehada, E. Salahat, and C. Y. Yeun, ‘‘Recent advances 1693

1618 privacy-preserving access to sensor data for Internet of Things (IoT) based in VANET security: A survey,’’ in Proc. IEEE 82nd Veh. Technol. Conf. 1694

1619 services,’’ in Proc. 8th Int. Conf. Commun. Syst. Netw. (COMSNETS), (VTC-Fall), Sep. 2015, pp. 1–7. 1695
[139] M. Abbasi, A. Shahraki, and A. Taherkordi, ‘‘Deep learning for network 1696
1620 Jan. 2016, pp. 1–8.
traffic monitoring and analysis (NTMA): A survey,’’ Comput. Commun., 1697
1621 [117] K. Gai, K.-K. R. Choo, M. Qiu, and L. Zhu, ‘‘Privacy-preserving content-
vol. 170, pp. 19–41, Feb. 2021. 1698
1622 oriented wireless communication in Internet-of-Things,’’ IEEE Internet [140] B. Bhushan, A. Khamparia, K. M. Sagayam, S. K. Sharma, M. A. Ahad, 1699
1623 Things J., vol. 5, no. 4, pp. 3059–3067, Aug. 2018. and N. C. Debnath, ‘‘Blockchain for smart cities: A review of architec- 1700
1624 [118] Q. Wang, D. Chen, N. Zhang, Z. Qin, and Z. Qin, ‘‘LACS: A lightweight
tures, integration trends and future research directions,’’ Sustain. Cities 1701
1625 label-based access control scheme in IoT-based 5G caching context,’’
Soc., vol. 61, Oct. 2020, Art. no. 102360. 1702
1626 IEEE Access, vol. 5, pp. 4018–4027, 2017. [141] T. K. Dang, C. D. M. Pham, and T. L. P. Nguyen, ‘‘A pragmatic elliptic 1703
1627 [119] Q. Li, X. Zhang, Q. Zheng, R. Sandhu, and X. Fu, ‘‘LIVE: Lightweight
curve cryptography-based extension for energy-efficient device-to-device 1704
1628 integrity verification and content access control for named data network-
communications in smart cities,’’ Sustain. Cities Soc., vol. 56, May 2020, 1705
1629 ing,’’ IEEE Trans. Inf. Forensics Security, vol. 10, no. 2, pp. 308–320,
Art. no. 102097. 1706
1630 Feb. 2015. [142] Z. Ullah, F. Al-Turjman, L. Mostarda, and R. Gagliardi, ‘‘Applications 1707
1631 [120] T. Song, R. Li, B. Mei, J. Yu, X. Xing, and X. Cheng, ‘‘A privacy preserv-
of artificial intelligence and machine learning in smart cities,’’ Comput. 1708
1632 ing communication protocol for IoT applications in smart homes,’’ IEEE
Commun., vol. 154, pp. 313–323, Mar. 2020. 1709
1633 Internet Things J., vol. 4, no. 6, pp. 1844–1852, Dec. 2017. [143] M. Drozdowicz, M. Ganzha, and M. Paprzycki, ‘‘Semantic access control 1710
1634 [121] P. Gope, R. Amin, S. K. H. Islam, N. Kumar, and V. K. Bhalla, for privacy management of personal sensing in smart cities,’’ IEEE Trans. 1711
1635 ‘‘Lightweight and privacy-preserving RFID authentication scheme for Emerg. Topics Comput., vol. 10, no. 1, pp. 199–210, Jan. 2022. 1712
1636 distributed IoT infrastructure with secure localization services for smart [144] M. Rasori, P. Perazzo, and G. Dini, ‘‘A lightweight and scalable attribute- 1713
1637 city environment,’’ Future Gener. Comput. Syst., vol. 83, pp. 629–637, based encryption system for smart cities,’’ Comput. Commun., vol. 149, 1714
1638 Jun. 2018. [Online]. Available: https://www.sciencedirect.com/science/ pp. 78–89, Jan. 2020. 1715
1639 article/pii/S0167739X17313043 [145] Y. Lin, Z. Shen, and X. Teng, ‘‘Review on data sharing in smart city 1716
1640 [122] M. A. Ferrag, M. Derdour, M. Mukherjee, A. Derhab, L. Maglaras, planning based on mobile phone signaling big data: From the perspective 1717
1641 and H. Janicke, ‘‘Blockchain technologies for the Internet of Things: of China experience: Anonymization VS de-anonymization,’’ Int. Rev. 1718
1642 Research issues and challenges,’’ IEEE Internet Things J., vol. 6, no. 2, Spatial Planning Sustain. Develop., vol. 9, no. 2, pp. 76–93, 2021. 1719
1643 pp. 2188–2204, Apr. 2019. [146] J. Myers, Simple Authentication and Security Layer (SASL), docu- 1720
1644 [123] S. I. Hassan, M. M. Alam, U. Illahi, M. A. Al Ghamdi, S. H. Almotiri, and ment RFC 2222, Kanazawa, Japan, 1997. 1721
1645 M. M. Su’ud, ‘‘A systematic review on monitoring and advanced control [147] E. B. Sanjuan, I. A. Cardiel, J. A. Cerrada, and C. Cerrada, ‘‘Message 1722
1646 strategies in smart agriculture,’’ IEEE Access, vol. 9, pp. 32517–32548, queuing telemetry transport (MQTT) security: A cryptographic smart 1723
1647 2021. card approach,’’ IEEE Access, vol. 8, pp. 115051–115062, 2020. 1724
1648 [124] N. Tuptuk and S. Hailes, ‘‘Security of smart manufacturing systems,’’ [148] D. Dinculeană and X. Cheng, ‘‘Vulnerabilities and limitations of MQTT 1725
1649 J. Manuf. Syst., vol. 47, pp. 93–106, Apr. 2018. [Online]. Available: protocol used between IoT devices,’’ Appl. Sci., vol. 9, no. 5, p. 848, 1726
1650 https://www.sciencedirect.com/science/article/pii/S0278612518300463 2019. 1727
1651 [125] S. B. ElMamy, H. Mrabet, H. Gharbi, A. Jemai, and D. Trentesaux, [149] A. J. Hintaw, S. Manickam, M. F. Aboalmaaly, and S. Karuppayah, 1728
1652 ‘‘A survey on the usage of blockchain technology for cyber-threats in the ‘‘MQTT vulnerabilities, attack vectors and solutions in the Internet of 1729
1653 context of industry 4.0,’’ Sustainability, vol. 12, no. 21, p. 9179, 2020. Things (IoT),’’ IETE J. Res., vol. 68, pp. 1–30, 2022. 1730
1654 [126] U. M. Qureshi, G. P. Hancke, T. Gebremichael, U. Jennehag, [150] F. Chen, Y. Huo, J. Zhu, and D. Fan, ‘‘A review on the study on MQTT 1731
1655 S. Forsström, and M. Gidlund, ‘‘Survey of proximity based authentication security challenge,’’ in Proc. IEEE Int. Conf. Smart Cloud (SmartCloud), 1732
1656 mechanisms for the industrial Internet of Things,’’ in Proc. 44th Annu. Nov. 2020, pp. 128–133. 1733
1657 Conf. IEEE Ind. Electron. Soc. (IECON), Oct. 2018, pp. 5246–5251. [151] M. S. Harsha, B. M. Bhavani, and K. R. Kundhavai, ‘‘Analysis of vulner- 1734
1658 [127] Y. Lu, D. Wang, M. S. Obaidat, and P. Vijayakumar, ‘‘Edge-assisted intel- abilities in MQTT security using Shodan API and implementation of its 1735
1659 ligent device authentication in cyber-physical systems,’’ IEEE Internet countermeasures via authentication and ACLs,’’ in Proc. Int. Conf. Adv. 1736
1660 Things J., early access, Feb. 16, 2022, doi: 10.1109/JIOT.2022.3151828. Comput., Commun. Informat. (ICACCI), Sep. 2018, pp. 2244–2250. 1737

VOLUME 10, 2022 97215


M. Abbasi et al.: Security in the IoT Application Layer: Requirements, Threats, and Solutions

MAHMOUD ABBASI (Member, IEEE) received the B.Eng. degree from the Department of Computer Engineering, Islamic Azad University of Birjand, and the M.Sc. degree from the Department of Computer Engineering, Islamic Azad University of Mashad. He is currently pursuing the Ph.D. degree within the IoTalentum project with the BISITE Research Group, University of Salamanca. His current research interests include the general area of communication systems and networks and ML, the Internet of Things, and blockchain.

MARTA PLAZA-HERNÁNDEZ received the Graduate degree in physics from the University of Salamanca, the master's degree in environmental management from Brunel University London, and the master's degree in smart cities and intelligent buildings from the University of Salamanca. She has worked as a Research Fellow at the Institute of Science and Technology Studies (ECYT, USAL) and the Institute of Environment, Health, and Societies (Brunel University London). She currently combines her Ph.D. studies in intelligent applications to industrial and environmental problems with her research and teaching work with the BISITE Group. She manages European projects, such as SMARTSEA, TECTONIC, IoTalentum, and QFORTE. She is also involved in the organization of international conferences (PAAMS and co-events, SSCTIC, Globecom, and ICCBR). She is also responsible for generating and delivering content in different international master's programs and courses.

JAVIER PRIETO (Senior Member, IEEE) received the degree in telecommunication engineering, the degree in marketing research and techniques, and the Ph.D. degree in information and communication technologies from the University of Valladolid, in 2008, 2010, and 2012, respectively. Since 2007, he has been working in different public and private research centers, such as the Foundation Center for the Development of Telecommunications of Castilla y León (CEDETEL), the University of Valladolid, Spain, and the Massachusetts Institute of Technology (MIT), Cambridge, MA, as a Visiting Researcher. He was a Distinguished Researcher at the Department of Computer Science and Automation, University of Salamanca. He is currently an Associate Professor at the Bioinformatics, Intelligent Systems and Educational Technology (BISITE) Research Group, University of Salamanca. He is a member of the Institute of Biomedical Research of Salamanca (IBSAL), the Editor-in-Chief of the Internet of Things Section of the Smart Cities journal, and a Senior Editor of the IEEE COMMUNICATIONS LETTERS. He has received the Extraordinary Performance Award for Doctorate Studies from the University of Valladolid.

JUAN M. CORCHADO received the Ph.D. degree in computer science from the University of Salamanca, and the Ph.D. degree in artificial intelligence from the University of the West of Scotland. He is currently a Professor at the University of Salamanca. He was the Vice-Rector for Research, from 2013 to 2017, and the Director of the Science Park with the University of Salamanca. He was elected twice as the Dean of the Faculty of Sciences. He has directed the Recognized Research Group Bioinformatics, Intelligent Systems and Educational Technology (BISITE) since 2000.
