Traffic Measurements for Cyber Security
Traffic-Aware Patching for
Cyber Security in Mobile IoT
Shin-Ming Cheng, Pin-Yu Chen, Ching-Chao Lin, and Hsu-Chun Hsiao
Abstract
The various types of communication technol-
ogies and mobility features in IoT on one hand
enable fruitful and attractive applications, but
on the other hand facilitate malware propaga-
tion, thereby raising new challenges in handling
IoT-empowered malware for cyber security.
Compared to the malware propagation control
scheme in traditional wireless networks, where
nodes can be directly repaired and secured, in
IoT, compromised end devices are difficult to
patch. Alternatively, blocking malware via patch-
ing intermediate nodes turns out to be a more
feasible and practical solution. Specifically, patch-
ing intermediate nodes can effectively prevent the
proliferation of malware propagation by securing
infrastructure links and limiting malware propaga-
tion to local device-to-device dissemination. This
article proposes a novel traffic-aware patching
scheme to select important intermediate nodes to
patch, which applies to the IoT system with lim-
ited patching resources and response time con-
straint. Experiments on real-world trace datasets in
IoT networks are conducted to demonstrate the
advantage of the proposed traffic-aware patching
scheme in alleviating malware propagation.
Introduction
By integrating the ability to sense the physical
world and the privilege of availing communication
capabilities, the Internet of Things (IoT) enables
close interactions between humans and machines.
IoT generally consists of numerous IoT end devic-
es for sensing and action, intermediate nodes with
wired connectivity for data relaying, and appli-
cation servers in the cloud for data control and
analysis. Typically, IoT devices can communicate
with each other with minimal human intervention
and build an autonomous and complex network.
As the boundary between machines and humans
gets blurry, adversaries in cyberspace can threat-
en human users’ safety and privacy in the physical
world. Obviously, the growing popularity of devic-
es with rich wireless communication capabilities
has made IoT attractive to digital viruses and mali-
cious contents. Consequently, in recent years the
security issues in IoT have been an ever increasing
concern [1–3].
From an adversary’s perspective, the unique
features of IoT facilitate the exploitation of devic-
es as well as the propagation of IoT malware.
Shin-Ming Cheng and Ching-Chao Lin are with National Taiwan University of Science and Technology;
Pin-Yu Chen is with IBM Thomas J. Watson Research Center; Hsu-Chun Hsiao is with National Taiwan University.
IEEE Communications Magazine • July 2017
These features include constrained resources, het- The authors propose
erogeneous links, and vulnerable usability, which a novel traffic-aware
are discussed as follows. patching scheme to select
Resource-Constrained IoT Devices: Compared important intermediate
to the intermediate nodes located at the end side nodes to patch, which
of the infrastructure with wired connectivity, IoT
devices designed to perform simple sensing and applies to the IoT system
actuation operations have limited computation with limited patching
and communication capabilities. In this case, the resources and response
algorithm and mechanism applied on IoT devic- time constraint. Experi-
es are relatively simple. As a result, the attacker ments on real-world trace
can spend much less resources to break into IoT
devices, rendering them the targets of malicious datasets in IoT networks
users. For example, due to the overhead of certif- are conducted to demon-
icate management and public key cryptography, strate the advantage of
many existing IoT devices fail to support state- the proposed traffic-aware
of-the-art secure communication protocols (e.g., patching scheme in
SSL/TLS). Therefore, the adversary can eavesdrop
on sensitive sensor data and even manipulate alleviating malware
data without being detected. Another example is propagation.
that IoT devices often have limited entropy sourc-
es, which results in weak cryptographic keys that
can be predicted by the attacker. Moreover, since
most IoT devices run on embedded Linux operat-
ing systems (OSs), the attacker can easily create
IoT malware by recompiling existing Linux mal-
ware for other instruction set architectures.
Heterogeneity: In order to support different
kinds of IoT applications, IoT devices are often
equipped with heterogeneous communication
and computation capabilities for the purpose of
seamless operations. However, the heterogeneity
and potentially vast amount of IoT devices facilitate
the fabrication of identity and hiding of malware.
Moreover, as shown in Fig. 1, compromised IoT
devices might disseminate malware via heteroge-
neous communication links as described below.
Infrastructure Links: IoT malware can propa-
gate using infrastructure-based communication
technologies, such as GSM/GPRS/UMTS/LTE and
WLAN, via intermediate nodes, such as access
point (AP), base station (BS), or gateway. In par-
ticular, IoT malware inherits the threats caused
by computer malware. Similar to computer mal-
ware, most IoT malware families today scan the IP
address space for vulnerable victims and spread
via the Internet. Due to the widespread use of
weak login credentials and the fact that many
IoT devices are Internet-accessible, some botnets
have allegedly harvested more than one mil-
lion infected IoT devices (http://thehackernews.
com/2016/10/iot-dyn-ddos-attack.html).
Digital Object Identifier:
10.1109/MCOM.2017.1600993
0163-6804/17/$25.00 © 2017 IEEE 29

IoT object/node/device WLAN AP
Intermediate node
BLE
BLE
BLE
NFC
Wi-Fi
WLAN AP Direct Wi-Fi WLAN AP
Direct
Cellular BS
WLAN AP
BLE
NFC
WLAN AP
Device-to-device links Infrastructure links
Figure 1. IoT platform with infrastructure and device-to-device links.
Device-to-Device Links: IoT malware could
exploit proximity-based wireless media such as
Bluetooth Low Energy (BLE), WiFi Direct, and
near field communication (NFC) to infect the
devices in the vicinity [4]. In this case, IoT mal-
ware is stored and forwarded by taking advan-
tage of mobility and ubiquity. For example, Colin
O’Flynn in Black Hat USA 2016 as well as Ronen
and Shamir [5] discussed the possibility of a light
bulb worm, which allows a reprogrammed bulb to
re-flash nearby bulbs.
Usability: Security is only as strong as its weak-
est link, and the weakest link, in many cases, is the
humans who implement, operate, and use the sys-
tem. For example, a proven secure cryptographic
primitive, if implemented or used incorrectly, can
still be circumvented. Moreover, users may choose
to ignore or even bypass a security mechanism if
it prevents (e.g., due to slow performance, badly
designed user interface, and unclear instructions)
the users from doing what they mean to do. Since
IoT devices often lack convenient input and out-
put interfaces, the original security features might
be bypassed by non-professional IT users, thereby
increasing the possibility and risk of human errors
and facilitating the spreading of malware [2].
Obviously, software updates and patch-
ing are necessary to prevent IoT devices from
being compromised. A single software flaw will
make a tremendous range of IoT devices vulner-
able to attacks since software components are
reused in different devices (http://blog.senr.io/
blog/400000-publicly-available-iot-devices-vul-
nerable-to-single-flaw). However, without a
friendly user interface (UI) through which to be
alerted about security updates, most users forget
to update software installed in IoT devices and
leave them out of date. In addition, without basic
programming knowledge and security awareness,
users might be unwilling to take a manual-down-
load-and-install approach for software updating.
As a result, it is critical to design a reasonable solu-
tion to prevent the occurrence of large-scale mal-
ware propagation among trillions of unpatched,
insecure, and even compromised IoT devices.
Instead of patching resource-constrained and
UI-unfriendly compromised IoT devices directly,
this article introduces a more feasible solution,
where operators could only patch or recover IoT
devices via infrastructure (i.e., securing the inter-
mediate nodes). In this case, a patched AP, BS,
or gateway could stop the malware propagation
by patching via infrastructure links. The concept
30
of leveraging intermediate nodes to improve IoT
security has appeared in the recent commercial
product F-Secure SENSE (https://community.f-se-
cure.com/t5/F-Secure-SENSE/What-are-the-cur-
rent-protection/ta-p/82972). However, its main
purpose is to block malicious websites and IoT
botnet masters instead of considering securing
important infrastructure links between IoT devic-
es and intermediate nodes. On the other hand,
the idea behind IoT Sentinel [6] is similar to our
solution, where the types of IoT devices are iden-
tified by intermediate nodes, and the communi-
cations of vulnerable IoT devices are constrained
by enabling enforcement of rules. Different from
our solution, software-defined networking (SDN)
is exploited in IoT Sentinel for network flow isola-
tion and prevention of malware propagation.
With limited efforts and resources, an operator
might not be able to patch all intermediate nodes
but only a portion of them. One naive method
is to simply patch those intermediate nodes in a
random order. However, a smarter approach is
to protect the most important node first, as sug-
gested by the framework of network robustness
analysis [7, 8]. This article proposes a traffic-aware
patching scheme, where the operator patches the
intermediate nodes sequentially in descending
importance order. In particular, an intermediate
node that could have contact with a large number
of IoT devices will be protected first. Moreover,
such a volume-based patching approach is effec-
tive against the current infamous distributed deni-
al of service (DDoS) attacks launched by IoT bots.
By leveraging a real-world trace dataset con-
taining communication history over device-to-
device and infrastructure links, we conduct an
extensive experiment to demonstrate the effect of
constraining malware propagation via infrastruc-
ture links. To the best of the authors’ knowledge,
this article is the first work discussing the control
of malware propagation from the perspective of
infection paths, which could avail the damage
estimation caused by the malware and improve
the development of attack detection methods for
IoT networks.
How to Compromise IoT Devices
IoT devices are an attractive attack target for
cybercriminals: IoT devices often employ weak
security measures, and their compromise can
lead to privacy breaches and safety threats in the
real world. The insecurity of existing IoT devic-
es has been highlighted repeatedly by security
researchers and practitioners. Recently, several
malware families were found to target vulnerable
IoT devices (e.g., routers, IP cameras, and CCTVs)
and form botnets for DDoS. It is estimated that
some IoT botnets comprise more than one million
infected devices, and thus can generate high-vol-
ume DDoS traffic even without amplification.
For example, in September 2016, an IoT botnet
called Mirai crippled a website with 620 Gb/s of
attack traffic, which is almost twice as much as
the biggest DDoS attack witnessed in 2015. Later,
in October 2016, the same botnet attacked the
Dyn DNS service provider, taking down a large
portion of websites in North America, includ-
ing GitHub, Twitter, Netflix, and so on (https://
www.us-cert.gov/ncas/alerts/TA16-288A). At DEF
CON 2016, security researchers showed a proof-
IEEE Communications Magazine • July 2017
of-concept IoT ransomware that demands ran-
som for a hacked smart thermostat, which will
be set to a high temperature without timely pay-
ment (https://www.pentestpartners.com/blog/
thermostat-ransomware-a-lesson-in-iot-security/).
As attackers are finding creative ways to mon-
etize infected IoT devices, it is inevitable to see
an increase of new IoT malware families that are
more destructive and contagious than ever.
IoT malware can propagate via infrastructure
links and/or device-to-device links. We discuss
both cases in this section.
Compromising IoT Devices via Infrastructure Links
Many of the IoT malware families today propa-
gate via infrastructure links, particularly the Inter-
net. Moreover, they share a common infection
and spreading pattern: The attacker harvests new
vulnerable IoT devices through address space
scanning. This scanning can be performed by
external servers, such as command and control
(C&C) servers, or by the compromised devices.
The attacker targets Telnet- or SSH-accessible
devices that use default or weak login creden-
tials and thus can easily obtain root access per-
mission by brute-force password cracking. Once
the attacker gets the shell of the hacked device,
the malware payload is downloaded and installed.
IoTPOT [2], an IoT honeypot project, observed
at least four IoT malware families that can prop-
agate via Telnet. In addition to cracking weak
passwords, some malware also exploits software
vulnerabilities. For example, CCTV-targeting
RADIATION malware exploits ShellShock and
some known CCTV vulnerabilities to spread from
device to device.
Compromising IoT Devices via Device-to-Device Links
Malware can also propagate in proximity via
device-to-device links in addition to infrastruc-
ture links. Cabir and Commwarror are examples
of mobile worms that spread via Bluetooth and
infect mobile phones running the Symbian OS.
Although we have not witnessed device-to-
device IoT malware in the wild, it is theoretically
possible. For example, researchers pointed out
the possibility of light bulb worms that spread
to nearby bulbs via Zigbee [5] and worms that
infect wearable trackers and then spread to
others by Bluetooth (http://www.theregister.
co.uk/2015/10/21/fitbithack/). Moreover, since
proximity-based wireless interfaces are often
always on, and users have no control to disable
them, it would be difficult to contain malware
propagation given the large attack surface.
Regardless of how malware propagates, the
risk of self-replicating IoT malware is amplified by
unpatched IoTs. Patching vulnerable IoT devices
nevertheless remains extremely expensive and far
from successful in practice. In 2015, Charlie Miller
and Chris Valasek demonstrated remote exploita-
tion of a Jeep, which forced Chrysler to recall and
patch 1.4 million vehicles (https://www.wired.
com/2015/07/hackers-remotely-kill-jeep-high-
way/). Cui and Stolfo [9] discovered more than
540,000 publicly accessible devices using default
root passwords — an old but persistent vulnerabil-
ity since the invention of password-based authen-
tication. Worse yet, the problems encountered
when patching computers and mobile phones
IEEE Communications Magazine • July 2017
(e.g., privacy, legacy devices, and lack of incen-
tives) will linger and even exacerbate when IoT devices are an
attempting to patch IoT devices. attractive attack target
for cybercriminals: IoT
Modeling of IoT Malware
The topic of modeling malware/virus spreading devices often employ
has been investigated in a traditional scenario weak security measures,
where computers or laptops are not connected
to the Internet. Since the spread of epidemics and their compromise
among people is similar to the spread of mal- can lead to privacy
ware over networks, the current literature adopts breaches and safety
the idea from epidemiological models to build
the models for malware on the assumption of a threats in the real
homogeneous infection path [10]. In the mobile world. The insecurity
environment, malware can propagate via intermit-
tently connected networks by taking advantage of of existing IoT devices
opportunistic encounters [11]. Wang et al. [12] has been highlighted
study spreading patterns of mobile phone viruses, repeatedly by security
which may traverse through multimedia messag-
ing services (MMS) or Bluetooth by simulations. researchers and
Cheng and Chen [13] further model malware practitioners.
propagation in generalized social networks con-
sisting of delocalized and localized links.
From the discussion of the previous section,
we understand that in practice patching com-
promised IoT devices is difficult to achieve. Con-
sequently, the current formulation of malware
propagation and the control model [14] cannot
be applied directly in the IoT field. Typically, in
one of the most famous susceptible-infection-re-
cover (SIR) models, the malware is assumed to
be detected and repaired at each node, which
reflects the transition from “infected” state to
“recovered” state. Regarding the IoT device that
detects the malware, instead of directly patching
it, it is more feasible to patch on the infrastructure
side to prevent further spreading of malware. In
this case, compromised IoT devices located in
the coverage area of the patched intermediate
nodes are controlled, that is, malware cannot be
propagated via patched intermediate nodes. As
a result, the infrastructure links can be regard-
ed as “recovered” while the compromised IoT
device remains “infected,” using the terminology
of the SIR model. The observation that malware
control in IoT environment can be cast as a “link
recovery” problem instead of a “node recovery”
problem motivates a different development of
modeling and formulation.
Feasible Patching Schemes in the
IoT Environment
This section proposes patching schemes for the
IoT environment, where we can only control infra-
structure links but not the compromised nodes
themselves. The patching scheme consists of sev-
eral phases. In the detecting phase, infrastructure
leverages a traditional intrustion detection system
(IDS) or firewall to identify the existence of mal-
ware or a compromised node. Once malicious
code is found to be propagated from the com-
promised IoT devices, the patching phase starts
to analyze the malware and patches the interme-
diate nodes according to a patching sequence to
prevent the large-scale propagation of malware.
In practice, intermediate nodes are capable of
performing resource-intensive tasks and thus can
support over-the-air (OTA) update mechanisms. In
the patching phase, such OTA mechanisms allow
31

Device-to-device links
Infrastructure links
Compromised device
Normal device
Device a
BS 3 Device c
Device e
Step 2
Figure 2. Illustration of malware propagation under the infrastructure patch scheme.
Input: The set of intermediate nodes, SAP; The time to start patching, tp; The percentage
of patched intermediate nodes, p
1: If currentTime < tp then
2: Collect traffic information for each intermediate node
3: else
4: If currentTime  tp then
5: Sort intermediate nodes according to the
6: importance metric in descending traffic order
7: Patch top p % SAP
8: end if
9: end if
Algorithm 1. Traffic-aware patching.
the administrator to remotely install required
update on the intermediate nodes, thereby ensur-
ing timely mitigation of compromised nodes. In
addition, since intermediate nodes are significant-
ly fewer than IoT devices, the administrator can
also manually patch legacy intermediate nodes
that do not support OTA update.
Figure 2 describes an example of how a com-
promised device propagates malware in an IoT
environment with patched and unpatched inter-
mediate nodes. For the devices located in the
coverage area of the patched intermediate nodes,
two possible operations are executed.
Compromised devices can distribute malware
via device-to-device links but not infrastructure
links. As shown in step 1 of Fig. 2, the compro-
mised device propagates malware to devices b
and c in the vicinity. However, in step 2 of Fig.
2, device b cannot propagate malware via infra-
structure link since the malware is blocked at the
patched BS.
Normal devices can only be compromised via
device-to-device links since the malware propa-
gated from infrastructure will be identified and
blocked by the patched intermediate nodes. For
example, in step 3 of Fig. 2, device d propagates
malware from BS 2 to BS 1; however, the patched
BS 1 will not relay the malware to any device in its
coverage area.
For the devices located in the coverage area
of the unpatched intermediate nodes, there
are no means to prevent malware propagation.
32
Step 1 Device d
BS 2
Device d
BS 3
Device e
Device d Device d
BS 2 BS 2
Device a
BS 3 Device
De c
Device e
Step 3
For example, in step 2 of Fig. 2, device c under
unpatched BS 3 could infect device d controlled
by unpatched BS 2 via infrastructure links. More-
over, device a moving from patched BS 1 to
unpatched BS 2 could propagate malware via
device-to-device links freely.
Algorithm 1 describes the detailed steps in
the patching phase. With limited resources and
efforts, the operator could provide a fixed amount
of patches on the intermediate nodes (e.g., p per-
centage). To alleviate the propagation from the
infrastructure links, the p percent most import-
ant intermediate nodes will be chosen for patch-
ing. It is similar to the idea of protecting the most
important node to maintain network robustness
[7]. As a result, we introduce the traffic monitor-
ing duration (lines 1 and 2, Algorithm 1) for evalu-
ating the importance of intermediate nodes. From
the monitored results, the proposed traffic-aware
patching scheme sorts the intermediate nodes
in descending order according to the traffic vol-
umes (lines 5 and 6, Algorithm 1), and the top p
percent intermediate nodes are patched (line 7,
Algorithm 1).
Obviously, the proposed volume-based
patching is effective against attacks that gener-
ate a large number of traffic volume (e.g., DDoS
attacks). The patched intermediate nodes could
prevent the redirection of malicious traffic intro-
duced by the DDoS attack launched by the IoT
botnets.
Performance Evaluation
In this section, we implement the proposed traf-
fic-aware patching scheme and compare its per-
formance with a randomized patching scheme on
real-life traffic traces collected from a mobile social
network consisting of 59 users (devices) and 1751
APs [15]. In this network, each user can communi-
cate with other users through two types of links: an
infrastructure link via (possibly multiple) APs and a
direct device-to-device link to users within transmis-
sion range. These two types of links among users
are similar to the illustration of mobile IoT in Fig. 1.
As mentioned previously, in this experiment infra-
structure links can be made secure via patching,
whereas direct device-to-device links are vulnerable
to potential security threats.
IEEE Communications Magazine • July 2017
 Following the vulnerability analysis of transmis-
sion attacks in [3], we simulate the propagation
dynamics of self-replication malicious codes by 80
first randomly selecting a user in the network as
70
the initially compromised device. Then, using the

Fraction of compromized users (%)

actual traces of communication patterns provid- 60
ed by the dataset [15], each infected device can
100 50
compromise its contact through an infrastructure
link with probability  inf, and can compromise 100 40
50
its contact through a direct device-to-device link 90
80 30
with probability dir. Specifically, if one of the APs 70
0
in the communication path between one infect- 50
60
P s (%
) 20
d A
ed device and its contact has been successfully 0
Pat 20 40 40 t c h e
ch 30 n of pa 10
patched, malware propagation is in vain due to tim 60 80 20 Frac
tio
e ( 100
enhanced security. s) 10 0
For traffic-aware patching, we are interested
in investigating the trade-offs between the time Figure 3. Fraction of compromised users with respect to different patch time
spent on analyzing traffic volume (i.e., the traf- and patched APs under the traffic-aware patching scheme. linf = 0.00004
fic monitoring duration) and the time instance and ldir = 0.00001.
to patch APs (i.e., the patch time). As described
in the previous section, given a fixed amount
of patches, the proposed traffic-aware patching
scheme sorts the APs in descending order accord-
ing to the traffic volume in the traffic monitoring 35
duration, and provides patches to the top APs.
Intuitively, longer traffic monitoring duration bet- 30
ter specifies the important APs in communicat-
Fraction of compromized users (%)

ing devices. However, longer traffic monitoring 25

duration also leads to more exploits in security
vulnerabilities due to later patch time. As a result, 40
20
given a fixed amount of patches, we aim to study 30
20 100
the nontrivial optimal patch time that collects suf- 90
15
10 80
ficient traffic information for patching while mini- 70
mizing the security risks. 0 60 )
50 APs (% 10
Figure 3 shows the fraction of compromised Pat 0
20 40 p a t c hed
ch o f
users with respect to different patch time and tim
40
60 30 tion
e( 80 20 Frac 5
patched APs under the traffic-aware patching s 100
) 10
scheme. To demonstrate the effectiveness of the
proposed traffic-aware patching scheme, Fig. 4
further compares the difference of compromised Figure 4. Performance comparison of traffic-aware patching scheme vs. the
users between the no-patching scheme and the no-patching scheme. This figures shows the difference of compromised
traffic-aware scheme. It can be observed that users between the no-patching scheme and the traffic-aware scheme. linf =
the best patching strategy that leads to a max- 0.00004 and ldir = 0.00001. The results are averaged over 500 trials.
imal decrease in the number of compromised
users compared to the no-patching scheme is to
monitor the traffics for 40 seconds and then pro- better than random patching in the regime of a
vide patches to all APs. Note that 100 percent few patched APs (e.g., below 30 percent). More-
patched APs (i.e., securing all infrastructure links) over, given a fixed fraction of patched APs, for
with patch time 0 may not be the optimal patch traffic-aware patching, there is at least one patch
strategy since the malicious codes are still able to time that leads to either better or identical per-
propagate through direct device-to-device links. formance compared to random patching, which
To further understand the effect of traffic-aware suggests the robustness and reliability of the
patching, for a given fraction of patched APs, Fig. proposed patching scheme. Even in the regime
5 shows the optimal patch time that leads to the of many patched APs (e.g., above 90 percent),
lowest total number of compromised users. We the performance of traffic-aware patching is still
observe that if one is able to patch more APs, late superior to random patching, which suggests the
patch time can have better performance, which importance of patching APs with high traffic vol-
suggests that traffic volumes are indeed important ume for enhanced security.
information for patching.
For fair comparison, we also compare the per- Some Ongoing Challenges and
formance of traffic-aware patching with random
patching. Random patching provides immediate Open Research Questions
patches (i.e., has patch time 0 ) and randomly Here we discuss several ongoing challenges and
selects a fraction of APs to patch. Figure 6 shows open research questions related to IoT malware
the difference between the fraction of compro- propagation and patching.
mised users under random patching to that of Transfer Learning for Optimal Patch Time:
traffic-aware patching, where larger positive val- In the experiments, we find that the patch time
ues imply that traffic-aware patching is more effec- is crucial to preventing malware propagation.
tive in securing the network and vice versa. We How to design and simulate realistic testbeds to
observe that traffic-aware patching is significantly assist in determining the optimal patch time and

IEEE Communications Magazine • July 2017 33

 the topology of intermediate nodes, in order to
100 100 design a more effective importance metric for
determining the patching sequence. For exam-
ple, the betweenness metric could be leveraged,
which is defined as the fraction of all shortest
paths passing through the node among all short-

Fraction of compromized users (%)

est paths between each node pair in the network.
Patching via Path-Based Traffic Patterns: The
Optimal patch time (s)

proposed traffic-aware patching scheme only con-

siders the one-hop traffic information in terms of
50 50 the traffic volume from IoT devices to interme-
diate nodes. The patching scheme could benefit
from the knowledge beyond one-hop informa-
tion, such as the path-based end-to-end traffic pat-
terns. However, path-based traffic patterns are
relatively difficult to collect or acquire compared
to one-hop traffic information.
How to Achieve (Virtual) Patching: IoT devices
often lack user-friendly interfaces and are left unat-
0
0 20 40 60 80 100
0 tended after installation. As a consequence, users
Fraction of patched APs (%) have trouble knowing whether a device is hacked,
and even if they do, they may find it challenging to
Figure 5. Optimal patch time and the corresponding number of compromised manually patch the device: they need to retrieve
users given patched APs. linf = 0.00004 and ldir = 0.00001. The results are updated firmware online, access the hacked
averaged over 500 trials. device, install the firmware, and so on. Thus, auto-
matic patching is needed to secure IoT at scale.
One promising direction is for IoT devices to
support firmware OTA (FOTA), as most PCs and
0.15 mobile phones do nowadays. However, an effi-
cient and secure FOTA for IoT remains an open
challenge due to the heterogeneity of IoT net-
0.1 works. For example, transport security and code
Fraction of compromized users (%)

signing are required to ensure the authenticity

0.2
of the updated firmware. The IoT gateway might
0.05
help reduce the overhead by caching and offload-
0 100 ing the security check. Moreover, the human fac-
90 tors need to be taken into consideration as well.
80 0
70 As in the PC and mobile phone worlds, forcing
–0.2 60 ( )
%
software update without explicit user consent can
50 APs
t c hed
0
Pat 20 40 40 of p
a
−0.05 be disastrous. It can even be life-threatening if the
ch 60 30 tion
tim 80 20 Frac update happens at the wrong time (e.g., updating
e ( 100
s) 10 a vehicle while driving).

Concluding Remarks
Figure 6. Performance comparison between random patching and traffic-aware This article considers the security threats incurred
patching in terms of the difference between the fraction of compromised by the heterogeneous links of IoT and designs
users under random patching to that of traffic-aware patching. linf = a novel patching scheme to alleviate malware
0.00004 and ldir = 0.00001. The results are averaged over 500 trials. propagation. Instead of the impractical solution
of directly patching compromised IoT devices,
to enable transfer learning for defending real-life we propose to patch important intermediate
unknown security threats are ongoing challenges. nodes based on the traffic volumes to prevent
Predictive Malware Propagation Models for major security exploits and to avoid catastroph-
Mobile IoT: In this article, we have addressed ic malware propagation. With the proposed
patching issues in mobile IoT as link recovery traffic-aware patching scheme, malware propaga-
instead of node recovery, where the latter has tion is restricted to direct device-to-device con-
been extensively studied in traditional wireless nection, and therefore the damage of malware
networking scenarios. How to establish effective propagation can be significantly reduced. We
mathematical models for predicting malware conduct experiments in an IoT environment to
propagation dynamics in mobile IoT that take into demonstrate the effectiveness of the proposed
account the traffic-aware and random patching traffic-aware patching scheme, and we also dis-
schemes are new research challenges. cuss some ongoing research challenges and open
Various Importance Metrics for Intermedi- research questions related to IoT patching.
ate Nodes: The proposed scheme simply applies The proposed traffic-aware patching scheme
traffic volume as the metric to determine the and the experimental results bring new insights to
importance of intermediate nodes and the patch- IoT security. For instance, the infeasibility of direct
ing sequence. It can be regarded as protecting patching on IoT devices calls for new IoT malware
the entire network by patching a relatively small models and security assessment approaches. The
fraction of intermediate nodes with the highest experimental results can assist in developing new
degree metric. The operator could consider more attack detection techniques and patching strate-
information about intermediate nodes, such as gies for preventing malware propagation.

34 IEEE Communications Magazine • July 2017

 Obviously, the resource-constrained, user-un-
friendly, and heterogeneous features of IoT devic-
es hinder the security design and development for
IoT. However, the experimental results indicate a
promising method to secure the entire IoT system
by patching intermediate nodes. In summary, we
provide the following two guidelines for how to
consider cyber security when designing IoT sys-
tems accordingly
•The consideration of intermediate nodes that
bridge the gap between resource-constrained IoT
devices and powerful IoT application servers is
necessary when designing cyber security for IoT.
By shifting computation-consuming, security relat-
ed functionalities (e.g., flow identification, filter-
ing, and isolation) to intermediate nodes, they
can play the role of onsite guards. In particular,
the flexibility and reconfigurability of intermedi-
ate nodes could easily introduce patches and
updates to mitigate the IoT malware propagation
or attacks in a timely manner.
•The future cyber security solution for IoT
should take into consideration that adversaries
might leverage IoT devices with unpatched vul-
nerabilities to propagate malware via device-to-de-
vice links. In other words, the security mechanisms
developed for IoT shall coexist with insecure,
unpatched legacy IoT devices with uncontrolled
device-to-device channels. A notification mech-
anism is suggested to help users identify the IoT
devices at risk and further deny possible device-
to-device connections.
Acknowledgment
This work was supported in part by the Taiwan
Information Security Center (TWISC), Academia
Sinica, and the Ministry of Science and Technolo-
gy, Taiwan, under grants MOST 104-2923-E-011-
006-MY2, 105-2221-E-002-146-MY2, and
105-2218-E-001-001.
References
[1] J. Granjal, E. Monteiro, and J. Silva, “Security for the Inter-
net of Things: A Survey of Existing Protocols and Open
Research Issues,” IEEE Commun. Surveys & Tutorials, vol. 17,
July 2015, pp. 1294–1312.
[2] Y. Minn et al., “IoTPOT: Analysing the Rise of IoT Compro-
mises,” Proc. USENIX Wksp. 2015, Aug. 2015.
[3] P.-Y. Chen et al., “Decapitation via Digital Epidemics: A
Bio-Inspired Transmissive Attack,” IEEE Commun. Mag., vol.
54, no. 6, June 2016, pp. 75–81.
[4] G. Zyba et al., “Defending Mobile Phones from Proximi-
ty Malware,” Proc. IEEE INFOCOM 2009, Apr. 2009, pp.
1503–11.
[5] E. Ronen and A. Shamir, “Extended Functionality Attacks
on IoT Devices: The Case Of Smart Lights,” Proc. IEEE S&P
Europe 2016, Mar. 2016.
[6] M. Miettinen et al., “IoT Sentinel: Automated Device-Type
Identification for Security Enforcement in IoT,” CoRR, vol.
abs/1611.04880v2, 2016.
[7] P.-Y. Chen and S.-M. Cheng, “Sequential Defense against
Random and Intentional Attacks in Complex Networks,”
Phys. Rev. E, vol. 91, Feb. 2015, p. 022805.
[8] P.-Y. Chen and A. O. Hero, “Assessing and Safeguarding
Network Resilience to Nodal Attacks,” IEEE Commun. Mag.,
vol. 52, no. 11, Nov. 2014, pp. 138–43.
IEEE Communications Magazine • July 2017
[9] A. Cui and S. J. Stolfo, “A Quantitative Analysis of the Insecu-
rity of Embedded Network Devices: Results of a Wide-Area The resource-con-
Scan,” Proc. ACSAC 2010, Dec. 2010, pp. 97–106.
[10] S. Peng, S. Yu, and A. Yang, “Smartphone Malware and Its strained, user-unfriend-
Propagation Modeling: A Survey,” IEEE Commun. Surveys & ly, and heterogeneous
Tutorials, vol. 16, no. 2, Apr. 2014, pp. 952–41.
[11] S. Tanachaiwiwat and A. Helmy, “Encounter-Based Worms: features of IoT devices
Analysis and Defense,” Ad Hoc Net., vol. 7, no. 7, Sept.
2009, pp. 1414–30. hinder the security
[12] P. Wang et al., “Understanding the Spreading Patterns of
design and develop-
Mobile Phone Viruses,” Science, vol. 324, no. 5930, May
2009, pp. 1071–75. ment for IoT. However,
[13] S.-M. Cheng et al., “On Modeling Malware Propagation in
Generalized Social Networks,” IEEE Commun. Lett., vol. 15, the experimental results
no. 1, Jan. 2011, pp. 25–27.
[14] P.-Y. Chen, S.-M. Cheng, and K.-C. Chen, “Optimal Con- indicate a promising
trol of Epidemic Information Dissemination over Net-
works,” IEEE Trans. Cybernetics, vol. 44, no. 12, Dec. 2014, method to secure the
pp. 2316–28. entire IoT system by
[15] W. Dong, B. Lepri, and A. Pentland, “Modeling the Co-Evo-
lution of Behaviors And Social Relationships Using Mobile patching intermediate
Phone Data,” Proc. MUM 2011, Dec. 2011, pp. 134–43.
nodes.
Biographies
S hin -M ing C heng [S’05, M’07] received his B.S. and Ph.D.
degrees in computer science and information engineering from
National Taiwan University, Taipei, in 2000 and 2007, respec-
tively. He was a postdoctoral research fellow at the Graduate
Institute of Communication Engineering, National Taiwan Uni-
versity, from 2007 to 2012. Since 2012, he has been with the
Department of Computer Science and Information Engineering,
National Taiwan University of Science and Technology, Taipei,
as an assistant professor. His current research interests include
mobile networks, wireless communication, cyber security, and
complex networks. He was a recipient of the IEEE PIMRC 2013
Best Paper Award and the 2014 ACM Taipei/Taiwan Chapter K.
T. Li Young Researcher Award.
Pin-Yu Chen [S’10, M’16] received his B.S. degree in electri-
cal engineering and computer science (undergraduate honors
program) from National Chiao Tung University, Taiwan, in
2009, his M.S. degree in communication engineering from
National Taiwan University in 2011, and his Ph.D. degree in
electrical engineering and computer science and M.A. degree
in statistics from the University of Michigan Ann Arbor in
2016. He is currently a research scientist of AI Foundations
Group at IBM Thomas J. Watson Research Center. His
research interest is graph data analytics and their applications
to data mining, machine learning, and cyber security. He is a
member of the Tau Beta Pi Honor Society and the Phi Kappa
Phi Honor Society, and was the recipient of the Chia-Lun Lo
Fellowship from the University of Michigan Ann Arbor. He
was also the recipient of the IEEE GLOBECOM 2010 GOLD
Best Paper Award and several travel grants, including IEEE
ICASSP 2014 (NSF), IEEE ICASSP 2015 (SPS), IEEE Security
and Privacy Symposium 2016, Graph Signal Processing Work-
shop 2016, and ACM KDD 2016.
Ching-Chao Lin received his B.S. degree in computer science
and information engineering from National Taiwan University
of Science and Technology in 2015. He is currently working
toward an M.S. degree in computer science and information
engineering at the National Taiwan University of Science and
Technology. His research interests include cyber security and
wireless networks.
Hsu-Chun Hsiao is an assistant professor in the Department
of Computer Science and Information Engineering, and the
Graduate Institute of Networking and Multimedia at National
Taiwan University. She also holds an adjunct assistant research-
er position in the Center of Information Technology and Inno-
vation at Academia Sinica. She completed her B.S. (2006)
and M.S. (2008) at National Taiwan University, and her Ph.D.
at Carnegie Mellon University (2014). Her research interests
include network security, anonymity and privacy, and applied
cryptography.
35