Uploaded by Michele Vaselli
IoT Introduction

The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and
digital machines, objects, animals or people that are provided with unique identifiers and
the ability to transfer data over a network without requiring human-to-human or human-to-
computer interaction.
Put simply, it means taking the physical places and things in the world and connecting
them to the Internet.

Purpose of IoT
Once something is connected to the Internet it can send information, receive information,
or both. This ability to send and/or receive information is what makes a thing "smart":
the thing needs access to storage or to a computer network, not intelligence of its own.
In the Internet of Things, everything being connected to the Internet falls into one of
three categories:

● Things that collect information and then send it.

● Things that receive information and then act on it.

● Things that do both.

All three have substantial benefits that compound on each other.

1. Collecting and Sending Information

Sensors can be temperature sensors, motion sensors, moisture sensors, air quality
sensors, light sensors, and many others.
These sensors, together with a network connection, let us collect information from the
environment automatically, which in turn lets us make intelligent decisions.
Just as sight, hearing, smell, touch and taste allow humans to make sense of the world,
sensors allow machines (and the humans monitoring the machines) to make sense of the
world.

2. Receiving and Acting on Information

The second benefit of IoT is acting on information: the ability of a device to respond to a
piece of information by performing an action.
An example is a car whose doors unlock when they receive the infrared signal from its key.
Every such response to a signal makes the device a "smart acting device".

The real power of the Internet of Things, though, arises when things do both of the above.

3. Doing both: the goal of an IoT system

Combining both of the benefits listed above makes a true IoT system.
The strength of a fully automated Internet of Things ecosystem is the use of sensors to
send information to devices that are able to act on those sensor signals.

An example is a home security system, where a smartphone app (the actor) responds to
signals sent by lights, alarms and camera sensors, which are connected via IoT to provide
24x7 security.

A different example is agriculture:

A sensor can collect information about soil moisture to tell the farmer how much to water
the crops, and the irrigation system can turn on automatically as needed, based on how
much moisture is in the soil.
This can be taken a step further: once the irrigation system receives weather information
over its Internet connection, it knows when it is going to rain and can decide whether or
not to water the crops based on the forecast.
Finally, the information about soil moisture, water used and weather, together with data
on how well the crops actually grew, can be collected and sent to supercomputers that run
algorithms to make sense of all of that data.
IoT Major Protocols

Many different Internet protocols are used in the IoT world, for many different purposes:
from smart homes to enterprise-level industry, there is no single "best" one.
Four of the major protocols are described here:

1. Constrained Application Protocol (CoAP)

Constrained Application Protocol, or CoAP, is an application-layer protocol for
constrained devices.

Its goal is to let devices communicate on the same constrained network, between devices
and general nodes on the Internet, and between devices on different constrained networks
that are both joined to the Internet.
It is a protocol designed for IoT systems and modelled primarily on HTTP: CoAP functions
as a sort of HTTP for constrained devices, enabling equipment such as sensors and
actuators to communicate over the IoT. These devices are controlled, and contribute, by
passing their data as part of a system.
The protocol works in low-bandwidth, high-congestion environments thanks to its low
power consumption and low network overhead. Where some TCP-based protocols fail
because of low bandwidth, CoAP can continue to work.
It uses UDP as the underlying transport protocol, which also means CoAP has no
transport-level security of its own: confidentiality and authentication come from running
it over DTLS, and a CoAP endpoint exposed without DTLS and without access control can
be abused as a reflection/amplification source for DoS traffic.
It is basically a client-server IoT protocol in which the client makes a request and the
server returns a response, as happens in HTTP: the same GET, POST, PUT and DELETE
methods apply, and responses carry HTTP-style codes such as 2.05 Content or 4.04 Not Found.
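To make the request/response structure concrete, here is an added example (not code from the original page) that encodes and decodes CoAP messages as laid out in RFC 7252: the 4-byte fixed header, the token, delta-encoded options with the 13/14 extension bytes, and the 0xFF payload marker. The path, option values and payload used with it are constructed for the demo; DTLS, retransmission and blockwise transfer are deliberately left out. The decoder rejects malformed input (reserved token lengths, truncated options, a bare payload marker) rather than guessing, which is what a parser on a constrained device should do with untrusted UDP datagrams.

```python
"""Minimal CoAP (RFC 7252) message encoder/decoder.

Added example, not code from the original page. It handles the 4-byte fixed
header, the token, delta-encoded options (with the 13/14 extension bytes) and
the 0xFF payload marker; DTLS, retransmission and blockwise transfer are out
of scope. All sample values used with it are constructed for the demo.
"""
import struct

CON, NON, ACK, RST = 0, 1, 2, 3                  # message types
GET, POST, PUT, DELETE = 1, 2, 3, 4              # request codes 0.01 .. 0.04
CONTENT = (2 << 5) | 5                           # response code 2.05
NOT_FOUND = (4 << 5) | 4                         # response code 4.04
URI_HOST, URI_PATH, CONTENT_FORMAT, URI_QUERY = 3, 11, 12, 15   # option numbers


def _ext(value):
    """Split an option delta or length into its 4-bit nibble plus extension bytes."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def encode(msg_type, code, msg_id, token=b"", options=(), payload=b""):
    """Serialise one CoAP message; options is a sequence of (number, bytes)."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token must be 0..8 bytes")
    out = bytearray([(1 << 6) | (msg_type << 4) | len(token), code])
    out += struct.pack("!H", msg_id)
    out += token
    prev = 0
    # Options are delta-encoded, so they must be emitted in ascending number
    # order; the stable sort keeps repeated options (Uri-Path segments) in place.
    for number, value in sorted(options, key=lambda o: o[0]):
        dn, dext = _ext(number - prev)
        ln, lext = _ext(len(value))
        out.append((dn << 4) | ln)
        out += dext + lext + value
        prev = number
    if payload:
        out.append(0xFF)
        out += payload
    return bytes(out)


def _read_ext(nibble, data, pos):
    """Inverse of _ext: return (value, new_pos); nibble 15 is reserved."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13 and pos < len(data):
        return data[pos] + 13, pos + 1
    if nibble == 14 and pos + 2 <= len(data):
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    raise ValueError("reserved or truncated option nibble")


def decode(data):
    """Parse a CoAP message into a dict; raise ValueError on malformed input."""
    if len(data) < 4 or data[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    msg_type, tkl = (data[0] >> 4) & 3, data[0] & 0x0F
    if tkl > 8:
        raise ValueError("token lengths 9..15 are reserved")
    code, msg_id = data[1], struct.unpack_from("!H", data, 2)[0]
    token = data[4:4 + tkl]
    if len(token) != tkl:
        raise ValueError("truncated token")
    pos, options, number = 4 + tkl, [], 0
    while pos < len(data) and data[pos] != 0xFF:
        dn, ln = data[pos] >> 4, data[pos] & 0x0F
        delta, pos = _read_ext(dn, data, pos + 1)
        length, pos = _read_ext(ln, data, pos)
        number += delta                      # option numbers are cumulative deltas
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.append((number, value))
        pos += length
    payload = data[pos + 1:] if pos < len(data) else b""
    if pos < len(data) and not payload:
        raise ValueError("payload marker followed by no payload")
    return {"type": msg_type, "code": code, "msg_id": msg_id,
            "token": token, "options": options, "payload": payload}


def code_str(code):
    """Render a code byte in the usual c.dd notation, e.g. 0x45 -> '2.05'."""
    return f"{code >> 5}.{code & 0x1F:02d}"
```

A GET for `/.well-known/core` (the resource-discovery URI every CoAP server exposes) is two Uri-Path options, `.well-known` and `core`, and comes out as the 19-byte datagram `42 01 12 34 01 02 bb 2e 77 65 6c 6c 2d 6b 6e 6f 77 6e 04 63 6f 72 65`; the matching reply is an ACK carrying code 2.05 and a payload after the 0xFF marker.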

2. Message Queue Telemetry Transport Protocol (MQTT)

MQTT is a client-server publish/subscribe messaging protocol.

It is lightweight, open and simple to implement.
It works with a broker: publishers post messages to topics, and the broker delivers those
messages to the clients subscribed to them. Clients never address each other directly.
It runs over TCP/IP (the standard port is 1883, or 8883 when wrapped in TLS).

MQ Telemetry Transport's advantages for IoT are:

● Simplified communication: in MQTT data is logically structured into topics, and a single
connection can carry messages for any number of topics.

● Eliminate polling: the broker pushes messages as they arrive, so message consumers do
not need to periodically check or "poll" for new information. This reduces network
traffic.

● Dynamic targeting: instead of maintaining a roster of peers that an application can
send messages to, a publisher simply posts messages to a topic, and whoever is subscribed
at that moment receives them (subscriptions can use the `+` single-level and `#`
multi-level wildcards).

● Decouple and scale: because publishers and subscribers know only the broker, either side
can be added or removed without reconfiguring the other, which is what lets MQTT
deployments scale.

None of this is security, though. MQTT itself offers only an optional username and
password in the CONNECT packet, so a broker exposed without TLS and without per-client
topic authorization lets any client subscribe to `#` and read every message published.
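An added example (not code from the original page) of the topic matching a broker performs for dynamic targeting: `topic_matches` applies the MQTT 3.1.1 wildcard rules (`+` matches exactly one level, `#` matches the remainder including the parent, and neither matches a `$`-prefixed system topic at the first level), and the toy `Broker` routes each publish to every matching subscription. The per-client ACL of allowed topic prefixes is an assumption for the demo, not part of MQTT, and is there to show how a broker keeps an unprivileged client from subscribing to `#`.

```python
"""MQTT topic filter matching and a toy in-memory broker.

Added example (not from the original page). Implements the wildcard rules
of MQTT 3.1.1 section 4.7: '+' matches one level, '#' matches the rest of
the topic (including the parent), and neither wildcard may match a
'$'-prefixed system topic at the first level. The ACL is an assumption of
this demo, not a protocol feature.
"""
from collections import defaultdict


def validate_filter(flt):
    """Raise ValueError if flt is not a legal MQTT topic filter."""
    if not flt or "\x00" in flt:
        raise ValueError("empty filter or NUL byte")
    levels = flt.split("/")
    for i, lvl in enumerate(levels):
        if "#" in lvl and (lvl != "#" or i != len(levels) - 1):
            raise ValueError("'#' must stand alone in the last level: %r" % flt)
        if "+" in lvl and lvl != "+":
            raise ValueError("'+' must occupy a whole level: %r" % flt)


def topic_matches(flt, topic):
    """True if the published topic name matches the subscription filter."""
    if "+" in topic or "#" in topic:
        raise ValueError("wildcards are not allowed in a topic name")
    f, t = flt.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False                    # $SYS-style topics need an explicit filter
    for i, lvl in enumerate(f):
        if lvl == "#":
            return True                 # matches the parent and everything below it
        if i >= len(t):
            return False
        if lvl != "+" and lvl != t[i]:
            return False
    return len(f) == len(t)


class Broker:
    """Routes PUBLISH messages to matching subscriptions.

    acl maps a client id to the topic prefixes it may subscribe under; a
    client absent from the ACL may subscribe to nothing.
    """

    def __init__(self, acl):
        self.acl = acl
        self.subs = defaultdict(set)    # filter -> {client ids}
        self.inbox = defaultdict(list)  # client id -> delivered (topic, payload)

    def subscribe(self, client, flt):
        validate_filter(flt)
        allowed = self.acl.get(client, [])
        # The filter must sit entirely under an allowed prefix. A bare '#' or a
        # '+' at the top level never does, so an unprivileged client cannot
        # subscribe to everything.
        if not any(flt == p or flt.startswith(p + "/") for p in allowed):
            return False
        self.subs[flt].add(client)
        return True

    def publish(self, topic, payload):
        """Deliver to every client with a matching filter; return the recipient set."""
        recipients = set()
        for flt, clients in self.subs.items():
            if topic_matches(flt, topic):
                recipients |= clients
        for client in recipients:
            self.inbox[client].append((topic, payload))
        return recipients
```

With the constructed ACL `{"kitchen-display": ["home/kitchen"], "admin": ["#", "$SYS"]}`, the display can subscribe to `home/kitchen/#` but not to `#` or `home/+/temp`, a publish to `home/kitchen/temp` reaches both clients, and a publish to `$SYS/broker/uptime` reaches nobody even though the admin holds a `#` subscription.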


3. Advanced Message Queuing Protocol (AMQP)

AMQP consists of a set of components that route and store messages within a broker
service, similarly to MQTT.
It includes reliable queuing, flexible routing, various types of messaging, security, and
transactions.
Its most significant use is in large-scale enterprise projects that have specific security,
reliability and interoperability requirements.
Since MQTT and AMQP are both binary messaging protocols that work on top of TCP/IP,
they are often compared.
4. Data Distribution Service (DDS)
DDS enables scalable, real-time, reliable, high-performance and interoperable data
exchange via the publish-subscribe approach.

DDS does not use a broker architecture; instead it uses multicast to deliver high-quality
QoS to applications.

DDS can be deployed on platforms ranging from low-footprint devices to the cloud and
supports efficient bandwidth usage.

The DDS protocol has two fundamental layers: Data-Centric Publish-Subscribe (DCPS) and
Data-Local Reconstruction Layer (DLRL). DCPS performs the task of delivering the data to
subscribers, and the DLRL layer provides an interface to the DCPS functionality, allowing
the sharing of distributed data among IoT-enabled objects.
Blockchain
Blockchain is a system of recording information in a way that makes it difficult or
impossible to change, hack or cheat the system.
A blockchain is essentially a digital ledger of transactions that is duplicated and distributed
across the entire network of computer systems participating in it. Each block in the chain
contains a number of transactions, and every time a new transaction occurs on the
blockchain, a record of that transaction is added to every participant's ledger. A
decentralised database managed by multiple participants is known as Distributed Ledger
Technology (DLT).
Blockchain is a type of DLT in which transactions are grouped into blocks that are linked
by a cryptographic hash. It is this hash chain, not a signature, that makes the record
immutable in practice: altering a block changes its hash and breaks every link after it.

How blockchain works


➢ As each transaction occurs, it is recorded as a "block" of data

Those transactions show the movement of an asset that can be tangible (a product) or intangible
(intellectual). The data block can record whatever information is needed.

➢ Each block is connected to the ones before and after it

These blocks form a chain of data as an asset moves from place to place or ownership changes hands. The
blocks confirm the exact time and sequence of transactions, and they link securely together so that no
block can be altered, and no block inserted between two existing blocks, without detection.

➢ Transactions are blocked together in an irreversible chain: a blockchain

Each additional block strengthens the verification of the previous block and hence of the entire
blockchain. This makes the blockchain tamper-evident, delivering the key strength of immutability:
tampering by a malicious actor becomes detectable, and infeasible unless that actor controls a majority
of the network's validation power, which builds a ledger of transactions that you and other network
members can trust.

What Is a Block?
Every chain consists of multiple blocks, and each block has three basic elements:

• The data in the block.

• The nonce: "number used only once". In a proof-of-work blockchain the nonce is a
whole number the miner varies, by trial, when a block is created, until the block header
hashes to a value that meets the network's difficulty target.

• The hash: a fixed-length digest of the block header (data, nonce and the previous
block's hash). Since the nonce is part of the input, the hash is permanently tied to it.
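An added example, not from the original page, that ties together the "How blockchain works" steps and the three block elements above. Each block hashes its index, previous hash, timestamp, data and nonce; `mine` varies the nonce until the hash meets a toy difficulty target; `validate` recomputes every hash and link, so editing one block, or even re-mining it, breaks the chain at the very next block. The difficulty setting and the sample transactions are constructed for the demo.

```python
"""Toy proof-of-work blockchain: block = data + nonce + hash, chained by the
previous block's hash. Added example, not code from the original page. The
difficulty (leading hex zeros) is tiny so the demo mines in milliseconds.
"""
import hashlib
import json
import time

DIFFICULTY = 3   # leading hex zeros required; an assumption for this demo


def block_hash(index, prev_hash, timestamp, data, nonce):
    """SHA-256 over a canonical serialisation of the header fields."""
    header = json.dumps([index, prev_hash, timestamp, data, nonce],
                        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(header.encode()).hexdigest()


def mine(index, prev_hash, data, timestamp=None, difficulty=DIFFICULTY):
    """Try nonces 0, 1, 2, ... until the header hash starts with enough zeros."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, timestamp, data, nonce)
        if h.startswith("0" * difficulty):
            return {"index": index, "prev_hash": prev_hash, "timestamp": timestamp,
                    "data": data, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(records, difficulty=DIFFICULTY):
    """Genesis block plus one mined block per record, each linked to its predecessor.
    Timestamps are made deterministic so the demo is reproducible."""
    chain = [mine(0, "0" * 64, "genesis", timestamp=0, difficulty=difficulty)]
    for data in records:
        prev = chain[-1]
        chain.append(mine(prev["index"] + 1, prev["hash"], data,
                          timestamp=prev["timestamp"] + 1, difficulty=difficulty))
    return chain


def validate(chain, difficulty=DIFFICULTY):
    """Return (ok, index_of_first_bad_block); -1 when the whole chain checks out.
    Every hash is recomputed from the block's own fields, every prev_hash must
    equal the hash of the block before it, and every hash must meet the target."""
    for i, b in enumerate(chain):
        recomputed = block_hash(b["index"], b["prev_hash"], b["timestamp"],
                                b["data"], b["nonce"])
        if recomputed != b["hash"] or not b["hash"].startswith("0" * difficulty):
            return False, i
        if i > 0 and (b["prev_hash"] != chain[i - 1]["hash"] or b["index"] != i):
            return False, i
    return True, -1
```

Changing the amount in block 1 makes `validate` fail at block 1 (its stored hash no longer matches its contents). Re-mining block 1 with the altered data produces a valid-looking block, but block 2 still carries the old hash, so validation now fails at block 2: to hide the change an attacker would have to re-mine every later block as well, and faster than the rest of the network adds new ones.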

What Is Decentralization in Blockchain?

One of the most important concepts in blockchain technology is decentralization. No single
computer or organization owns the chain. Instead, the ledger is distributed across the
nodes connected to the chain. Blockchain nodes can be any kind of electronic device that
maintains a copy of the chain and keeps the network functioning.
Every node has its own copy of the blockchain, and the network must approve any newly
mined block algorithmically (through its consensus protocol) before the chain is updated,
trusted and verified. Since blockchains are transparent, every action in the ledger can be
checked and viewed by anyone holding a copy. This transparency is what lets participants
audit the chain; it is not confidentiality, since transaction data is visible to every node.
Each participant is identified by a unique alphanumeric address under which its
transactions are recorded.

Advantages and Disadvantages

✔ Higher accuracy of transactions
✔ No need for intermediaries
✔ Extra security
✔ More efficient transfers

✗ Limit on transactions per second
✗ High energy costs
✗ Risk of asset loss
✗ Potential for illegal activity

Public Blockchain: These blockchains are completely open, following the idea of decentralization. They
have no restrictions: anyone with a computer and an Internet connection can participate in the network.

• As the name says, a public blockchain is open to the public, which means it is not owned by anyone.

• Anyone with Internet access and reasonably capable hardware can participate in a public blockchain.

• Every computer in the network holds a copy of the blocks held by the other nodes.

• Anyone can also verify transactions or records on a public blockchain.

Private Blockchain: These blockchains are less decentralized than a public blockchain: only selected
nodes can participate in the process, which gives the operator control over who can read and write it.

• They are not as open as a public blockchain.

• They are open to some authorized users only.

• They are operated in a closed network.

• Only a few people within a company or organization are allowed to participate.


Hybrid Blockchain: A hybrid blockchain mixes private and public blockchain: some parts are
controlled by an organization, while others are made visible as on a public blockchain.

• It is a combination of both public and private blockchain.

• Permissioned and permissionless systems are used together.

• Users access information via smart contracts.

• Even though a primary entity owns a hybrid blockchain, it cannot alter the transactions.

Consortium Blockchain: A consortium blockchain is an approach that serves the needs of a group of
organizations. The participants' nodes validate transactions and also initiate or receive transactions.

• Also known as a federated blockchain.

• It is designed to meet the needs of the participating organizations.

• Some part is public and some part is private.

• In this type, more than one organization manages the blockchain.


IDS and why it's important for IoT
IoT infrastructure still faces challenges that hold the technology back.
The most relevant are the security challenges: as the number of IoT devices grows, security
issues arise at every layer of the architecture.
Intrusion Detection Systems are considered to have the potential to address those problems.

Source: Jose Costa Sapalo Sicato, Sushil Kumar Singh, Shailendra Rathore and Jong Hyuk Park, "A Comprehensive
Analyses of Intrusion Detection System for IoT Environment", Journal of Information Processing Systems, September
2020
(https://www.researchgate.net/publication/344152313_A_Comprehensive_Analyses_of_Intrusion_Detection_System_for_IoT_Environment)

In more detail, IoT suffers from different security issues at each of its layers:
1. Starting top-down, the Application Layer is the layer that serves the user and
receives data from the Network Layer. As the top layer, the security problems it must
take care of are data integrity, data reliability and the protection of private
information. The most common issues in this layer involve cloud vulnerabilities and the
sheer amount of data being shared.
2. The Network Layer is responsible for letting the devices communicate with the
processing centre. It has the most important role in information coordination and is
also the layer most targeted by attacks. Many different network protocols are used in
this layer across different IoT ecosystems, so a good security system is needed here.
Most IDS research is focused on networks. The most common issues are vulnerabilities in
data exchange and denial-of-service (DoS) attacks that congest the network.
3. At the bottom of the stack is the Perception Layer, also called the Sensor Layer
since it is the layer that includes the sensors, the "things" that collect data. The
usual security standards are difficult to apply to these devices, most of which are
wireless and physically reachable by an attacker. They can suffer from physical damage
and storage vulnerabilities, such as keys or firmware being read straight off the device.

IDS as a solution
Intrusion Detection Systems are devices or pieces of software that, through different
detection approaches, detect attacks on a system and then send a notification or report
to the administrator.
An IDS can be a single device or a network system.
It supports the three most important security properties by detecting violations of them
(an IDS on its own only detects and reports; it does not enforce anything):

- Data confidentiality
- Data availability
- Data integrity

There are different IDS approaches and types:

NIDS (network-based IDS) and HIDS (host-based IDS), and then CIDSs (Collaborative
Intrusion Detection Systems), which are used to correlate alerts and exchange knowledge
between networks and different users.

CIDSs come in three different network architectures: centralized, hierarchical and
distributed.
A centralized CIDS uses several IDSs to monitor the network, with each IDS sharing
data with a single analysis unit.
Hierarchical and decentralized CIDSs also use several IDSs, but their analysis units
connect in a hierarchical structure to monitor multiple points in the network. A
decentralized CIDS avoids the single point of failure of the centralized design.
A distributed CIDS, meanwhile, is a P2P network architecture in which each participant has
its own analysis unit and shares information with the others in a distributed manner.
IDS Detection Approaches
The best-known IDS approaches are signature-based and anomaly-based.
The signature approach tries to detect attacks by matching traffic against signatures
(hashes, patterns or rules) held in a database.
This approach detects known attacks easily and with few false positives, but it cannot
detect a new attack for which no pattern, rule or hash is known yet.

The anomaly approach, on the other hand, can detect unknown attacks by monitoring the
system's behaviour against a baseline of what is normal.
It flags abnormal activity and raises an alarm for the network administrator.
This approach can detect unknown attacks, but its main issue is false positives:
legitimate but unusual behaviour trips the alarm too.

Using Blockchain as an IDS

Several works have used blockchain technology to implement an IDS in order to detect
attacks.
Those works cover both the anomaly and the signature detection approach, although the
technology is more commonly adopted for anomaly detection than for signature detection:
most existing models leverage the anomaly technique because of its benefits.
The CIDS architecture is the appropriate one for a blockchain IDS, and the distributed
CIDS is the most compatible, because blockchain technology is itself built on a P2P
architecture with a distributed model.

CIoTA has been one of the most used and impactful blockchain IDSs for IoT, but it has
some limitations.
A new proposed solution: BC-HyIDS
Looking at the existing IDS solutions, blockchain-based or not, there are some limitations
which apply to most of them:

● Existing IDSs do not use both detection methodologies (signature- and anomaly-based)

● None of the cooperative intrusion detection systems create a signature for
distribution

● These IDSs have no secure mechanism for sharing signatures within the network
To fill the gaps listed above, a new blockchain-based IDS has been developed.
Its name is BC-HyIDS, and according to its authors it is the first system to provide all of
the features a network needs in order to stay secure.
Some of the highlights of BC-HyIDS are:

● It uses both signature- and anomaly-based detection in a hybrid manner

● It uses the benchmark dataset CIC-IDS 2017 for creating signatures

● It provides a mechanism to exchange signatures using a blockchain

● It supports a distributed network architecture.

The authors present the architecture as novel because none of the surveyed IDSs works on
a hybrid approach combining both detection techniques.
Blockchain is used for signature transfer, and the model is proposed for a distributed
environment in which each node is connected to the others. Each node is able to detect
attacks by analysing the packets entering it from the network.

Whenever a packet reaches a node, it is captured and checked for a malicious pattern by
the signature-based detection phase.
In this phase, all classifiers are trained using the CIC-IDS 2017 dataset.
If the packet is classified as an attack, the node rejects it directly; otherwise it is
forwarded to the second phase, anomaly detection.

This phase improves the security of the network since the IDS validates each packet twice,
with both detection techniques. Even if the signature dataset is not up to date with the
signatures of modern attacks, a malicious packet is still analysed for anomalous behaviour.
The signature creation and transfer phase, built on the blockchain framework, is then used
once an attack is detected by the anomaly detection phase. This phase is added to the
architecture to transfer signatures securely from one node to another. During this phase
the node is responsible for creating and encrypting the signature of the new attack. The
signature is then incorporated as a block in the blockchain, which is used to transfer
signatures across the network. All the other nodes receive the new block with the
signature and update their dataset, so that next time the same attack is caught by the
signature detection system in the first phase.

This reduces both the detection time and the processing time of the node, which then only
has to run the first phase.
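An added example (not the BC-HyIDS authors' code) covering both the two detection approaches described earlier and the two-phase flow just described: a signature detector that matches packets against a known set, a baseline anomaly detector that flags a source sending far more packets per window than normal, and a node that runs them in order, rejects on the first hit, and turns an anomaly-phase hit into a new signature that a second node can load so the same traffic is caught in phase 1 there. The packet records, the starting signature set and the baseline counts are constructed for the demo; real flow features and trained classifiers (as with CIC-IDS 2017) are out of scope.

```python
"""Two-phase hybrid intrusion detection (signature first, then anomaly) with
feedback of newly learned signatures into the signature set.

Added example, not code from the original page or from BC-HyIDS. Packets are
plain dicts with src, proto, dst_port and payload; the signature set and the
baseline of per-source packet counts are constructed for the demo.
"""
from collections import defaultdict

REJECT, CLEAN = "reject", "clean"


class SignatureDetector:
    """Phase 1: exact match on (protocol, destination port, payload pattern)."""

    def __init__(self, signatures):
        self.signatures = set(signatures)       # {(proto, dst_port, pattern)}

    def match(self, pkt):
        for proto, port, pattern in self.signatures:
            if pkt["proto"] == proto and pkt["dst_port"] == port and pattern in pkt["payload"]:
                return (proto, port, pattern)
        return None

    def learn(self, signature):
        self.signatures.add(signature)


class AnomalyDetector:
    """Phase 2: per-source rate baseline. A source is anomalous once its packet
    count in the current window exceeds mean + k * stddev of the baseline
    counts observed on normal traffic."""

    def __init__(self, baseline_counts, k=3.0):
        n = len(baseline_counts)
        mean = sum(baseline_counts) / n
        var = sum((c - mean) ** 2 for c in baseline_counts) / n
        self.threshold = mean + k * var ** 0.5
        self.window = defaultdict(int)          # src -> packets seen this window

    def observe(self, pkt):
        self.window[pkt["src"]] += 1
        return self.window[pkt["src"]] > self.threshold


def extract_signature(pkt):
    """Turn a packet judged malicious by phase 2 into a phase-1 signature:
    here the protocol, the port and the first 16 bytes of payload."""
    return (pkt["proto"], pkt["dst_port"], pkt["payload"][:16])


class HybridNode:
    def __init__(self, signatures, baseline):
        self.sig = SignatureDetector(signatures)
        self.anom = AnomalyDetector(baseline)
        self.new_signatures = []                # what this node would share in phase 3

    def inspect(self, pkt):
        """Return (verdict, phase_that_decided). A phase-1 hit is rejected
        outright; a phase-2 hit is rejected and yields a signature so the
        next occurrence is caught in phase 1."""
        if self.sig.match(pkt):
            return REJECT, 1
        if self.anom.observe(pkt):
            s = extract_signature(pkt)
            self.sig.learn(s)
            self.new_signatures.append(s)
            return REJECT, 2
        return CLEAN, None
```

With a baseline of 10, 12, 9, 11 and 8 packets per source per window, the threshold is about 14.2, so a source replaying the same request is clean for 14 packets, rejected by phase 2 on the 15th, and rejected by phase 1 from the 16th onward; a second node that loads the extracted signature rejects the very first copy it sees.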

Blockchain phase

In BC-HyIDS, the last phase is used to distribute signatures over the distributed network in a secure
way.
The inputs received in this phase are the packets predicted as attacks by the anomaly detection phase
(the second one).

This phase works in three steps.

In the first step a signature is created from the received packet; in the second step the signature is
uploaded as a block and verified; the third step distributes the signature to all nodes connected to the
network.

A permissioned private blockchain is used to transfer signatures in this phase.

The blockchain is spread over a distributed network. All nodes in the network are attached in a
distributed manner and follow a consensus protocol such as PoW, PoS or PoA (Proof of Authority).

In the BC-HyIDS architecture, phase 3 makes use of the blockchain platform for signature
extraction, upload and distribution.

The permissioned blockchain is built with Hyperledger, which the paper describes as using proof
of stake.
Hyperledger is a platform used to build custom applications on a permissioned blockchain.

Such blockchains consist of nodes which have been granted the authority to be part of them.
Each of those nodes is authorized to extract a signature, create a block and distribute it to all
remaining nodes of the network.

Each node has an analysis unit (AU) and a distribution unit (DU). The analysis unit analyses packets
entering the node from the network, running both of the first two phases of BC-HyIDS (signature- and
anomaly-based detection); this is what updates the dataset with new signatures.
Alongside those units, every node holds a complete ledger of the blockchain, and the transactions in
this blockchain are nothing but the signatures extracted by the nodes from packets.

Extraction of signature

The standard format for signature creation is:

MAC address, IP address, Public Key, Private Key, Type, Port, Features

● MAC address of the node responsible for extraction
● IP address of the node responsible for extraction
● Public key of the node responsible for extraction
● Private key of the node responsible for extraction, from the node's public/private key pair
● Type of attack whose signature is extracted
● Active communication port of the node
● Features of the dataset extracted from the packet

Note that, as described, the record embeds the node's private key. Anything written to a
shared ledger is readable by every node, so in a sound implementation the private key never
leaves the node: it is used to sign the record, and only the public key and the resulting
signature are distributed for validators to check.
Validation of signature

In BC-HyIDS some of the nodes work as validator nodes. The responsibility of validator nodes is to
check the validity, authorization and significance of the signature before incorporating it into the
blockchain.

The checklist followed by the validator node is:

● The signature was submitted as a transaction in the prescribed format and generated using the
smart contract used for signature creation
● The same signature has not already been uploaded in the past by some other initiator
● The signature is valid and was created by the anomaly detection phase of the initiator node
● The initiator is an authorized node
If all the conditions are satisfied the signature is verified by the validator; otherwise it is
refused and dropped.

Signature block creation

The block is divided into three sections: header, data and metadata.
1. Header: the block header gives information about the block. It consists of:
a. Block number
b. Previous block hash value
c. Current block hash value
2. Data: the second section of the block is the data section. It consists of a signature
created in the standard format.
3. Metadata: the metadata holds data about the block, such as timestamp, consensus
protocol, the keys of the initiator and validator (the paper lists their private keys; the
same caveat as for the signature record applies, so only public keys and signatures belong
here) and signature details, if any.

Distribution of signature

The last step after block creation is the distribution of the block to all nodes in the blockchain.
Once the block is created, the validator nodes add it to the existing blockchain.
This information is then broadcast in the network to all nodes.

Once the validated block is received by all nodes, each one updates its ledger.
Once all nodes have finished the operation, the blockchain is committed and the block is permanently
attached to the chain.

Updating the dataset then helps the nodes with further analysis of packets entering the network.
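An added example, not the BC-HyIDS authors' code, that walks the three steps of the blockchain phase end to end: a node builds a signature record from an anomaly-phase hit, a validator runs the checklist (format, authorized initiator, record integrity, no duplicate) and wraps the record in a block with the header/data/metadata layout described above, and each receiving node verifies the link and hash before adding the block to its ledger and the signature to its phase-1 dataset. Two deliberate departures from the quoted record format, both assumptions of this demo: the record carries an HMAC tag computed with the initiator's secret instead of the private key itself, and validators are assumed to hold every authorized node's secret, as a permissioned network can arrange. Node identities, secrets and the packet-derived features are constructed.

```python
"""Signature transfer over a permissioned ledger, following the three steps
of the BC-HyIDS blockchain phase: create the signature record, validate it
and wrap it in a block, then distribute the block so every node updates its
signature dataset.

Added example, not the BC-HyIDS authors' code. The record carries an HMAC
tag made with the initiator's secret rather than the private key itself (a
private key must never be written into a shared ledger), and validators are
assumed to hold each authorized node's secret. Identities, secrets and
features are constructed for the demo.
"""
import hashlib
import hmac
import json
import time

RECORD_FIELDS = ("mac", "ip", "public_key", "type", "port", "features")
GENESIS_HASH = "0" * 64


def canon(obj):
    """Canonical JSON so every node hashes exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256(obj):
    return hashlib.sha256(canon(obj)).hexdigest()


def _tag(secret, rec):
    """Integrity/origin tag over the record fields (stand-in for a signature)."""
    return hmac.new(secret, canon({k: rec[k] for k in RECORD_FIELDS}), "sha256").hexdigest()


def create_signature(node, attack_type, features):
    """Step 1: build the record for a packet the anomaly phase flagged."""
    rec = {"mac": node["mac"], "ip": node["ip"], "public_key": node["key_id"],
           "type": attack_type, "port": node["port"], "features": features}
    rec["tag"] = _tag(node["secret"], rec)
    return rec


def _fingerprint(rec):
    """Two records are 'the same signature' if they describe the same attack."""
    return sha256({k: rec[k] for k in ("type", "port", "features")})


class Validator:
    """Step 2: the validator's checklist, then block creation."""

    def __init__(self, node_secrets, chain):
        self.node_secrets = node_secrets    # key_id -> secret of each authorized node
        self.chain = chain

    def check(self, rec):
        if tuple(rec.keys()) != RECORD_FIELDS + ("tag",):
            return False, "not in the prescribed format"
        secret = self.node_secrets.get(rec["public_key"])
        if secret is None:
            return False, "initiator is not an authorized node"
        if not hmac.compare_digest(_tag(secret, rec), rec["tag"]):
            return False, "tag does not verify for the claimed initiator"
        if any(_fingerprint(b["data"]) == _fingerprint(rec) for b in self.chain):
            return False, "same signature already uploaded"
        return True, "ok"

    def make_block(self, rec, validator_id):
        ok, why = self.check(rec)
        if not ok:
            return None, why
        prev = self.chain[-1]["header"]["hash"] if self.chain else GENESIS_HASH
        header = {"number": len(self.chain), "prev_hash": prev}
        meta = {"timestamp": int(time.time()), "consensus": "PoA",
                "initiator": rec["public_key"], "validator": validator_id}
        header["hash"] = sha256([header["number"], prev, rec, meta])
        block = {"header": header, "data": rec, "metadata": meta}
        self.chain.append(block)
        return block, "ok"


def apply_block(node, block):
    """Step 3: a receiving node checks the link and the hash, then updates
    its ledger and its phase-1 signature dataset."""
    h = block["header"]
    expected_prev = node["ledger"][-1]["header"]["hash"] if node["ledger"] else GENESIS_HASH
    if h["prev_hash"] != expected_prev:
        return False
    if sha256([h["number"], h["prev_hash"], block["data"], block["metadata"]]) != h["hash"]:
        return False
    node["ledger"].append(block)
    d = block["data"]
    node["dataset"].add((d["type"], d["port"], d["features"]))
    return True
```

The checklist is what stops the obvious abuses of a shared signature feed: a node outside the authorized set cannot inject signatures, a record whose attack type was edited after tagging fails verification, a replay of an already-uploaded signature is dropped, and a block whose previous-hash link does not match a receiver's ledger is never applied.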
