Content uploaded by Amit Kumar Sikder
Author content
All content in this area was uploaded by Amit Kumar Sikder on May 29, 2019
Content may be subject to copyright.
POSTER: A Digital Forensics Framework for Smart Settings
(Extended Abstract)
Leonardo Babun, Amit K. Sikder, Abbas Acar, and A. Selcuk Uluagac
{lbabu002,asikd003,aacar001,suluagac}@fiu.edu
Cyber-Physical Systems Security Lab (CSL),
Florida International University
Miami, Florida
ABSTRACT
Users utilize IoT devices and sensors in a co-operative manner
to enable the concept of a smart environment. This integration
generates data with high forensic value. Nonetheless, current smart
app programming platforms do not provide any digital forensics
capability to identify, trace, store, and analyze the data produced
in these settings. To overcome these limitations, in this poster, we
present our ongoing work to introduce a novel digital forensic
framework for a smart environment.
KEYWORDS
Forensic Analysis, Internet of Things, Smart Settings, App Instrumentation,
Machine Learning
ACM Reference Format:
Leonardo Babun, Amit K. Sikder, Abbas Acar, and A. Selcuk Uluagac. 2019.
POSTER: A Digital Forensics Framework for Smart Settings (Extended
Abstract). In 12th ACM Conference on Security and Privacy in
Wireless and Mobile Networks (WiSec ’19), May 15–17, 2019,
Miami, FL, USA. ACM, New York, NY, USA, 2 pages.
https://doi.org/10.1145/3317549.3326317
1 INTRODUCTION
The Internet of Things (IoT) has quickly evolved as a network of
Internet-enabled physical devices. These IoT devices communicate
with each other and interact with the users’ daily activities through
sensors. In general, IoT devices, which are controlled and managed
via smart apps, sense the users’ activities to change the general state
of the surroundings based on (1) what the users do, (2) the smart
environment setup policies, and (3) the state of the devices [1]. The
interaction between devices and users in these settings generates
data with tremendous forensic value [5, 7, 9]. Nonetheless, current
IoT programming platforms do not provide any means for forensic
analysis nor the mechanisms to access and indefinitely store IoT
data in the cloud [3, 4, 8].
To overcome these limitations, in this poster, we present our
ongoing work to introduce a novel digital forensic framework for
smart settings. Our framework has two main components: Modifier
(ITM) and Analyzer (ITA). The ITM analyzes smart applications to
detect forensically-relevant information inside the apps. Then, the
smart apps are instrumented by inserting specific logs that send the
forensic data to a secure Database (ITD) at runtime. Later, in the
case of a forensics investigation, the ITA applies data processing
and machine learning techniques on the ITD data to learn the
overall state of the smart environment. Our initial experimental
results demonstrate that the proposed framework achieves high
accuracy in inferring both time-dependent and time-independent
user activities and forensic behaviors.

Permission to make digital or hard copies of part or all of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for third-party components of this work must be honored.
For all other uses, contact the owner/author(s).
WiSec ’19, May 15–17, 2019, Miami, FL, USA
© 2019 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-6726-4/19/05. . . $15.00
https://doi.org/10.1145/3317549.3326317
2 PROPOSED ARCHITECTURE
Figure 1 depicts the general architecture of the proposed digital
forensics framework. First, the user downloads the original smart
app source from one of the freely available online repositories ①.
Then, the ITM automatically analyzes and instruments the smart
app to insert forensic logs and enable the collection of
forensically-relevant data ②. In general, the ITM process involves
(1) the analysis of the source code of the smart apps [2, 6] and
(2) the smart app instrumentation. Then, at runtime, the modified
apps send forensic logs to the ITD ③.
Later, in the event of a forensics investigation, the ITA performs
data processing and applies machine learning techniques on the
collected data ④. The purpose of this analysis is to extract
forensically-relevant information from the acquired logs. Ultimately,
the framework matches the inferred activities with the security
policies defined for the smart environment. From here, the framework
is able to detect anomalous activities from the users interacting with
the smart environment and potential malicious behaviors from users
and smart apps ⑤. In the following, we describe essential aspects
of these operations.
Modifier (ITM). This part of the framework automatically analyzes
the source code from the original smart applications and flags
forensically-relevant points. Then, it automatically inserts specific
code to enable the logging of the forensic data at runtime. The
first step toward analyzing the smart app source code is to model
the application’s structure. The benefits from modeling the smart
app include the extraction of smart apps’ entry points, events, and
control flow of data.
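A minimal sketch of the model-then-instrument idea described for the ITM, as an added example that is not the authors' implementation. It assumes a SmartThings-style Groovy app using `subscribe(device, "event", handler)`, uses regular expressions in place of real source code analysis, and inserts calls to a hypothetical `forensicLog` helper that would forward records to the ITD; the sample app is constructed.

```python
import re

# Constructed SmartThings-style Groovy app (sample input, not from the paper).
SAMPLE_APP = '''\
def installed() {
    subscribe(frontDoor, "contact.open", doorOpenedHandler)
    subscribe(hallMotion, "motion.active", motionHandler)
}
def doorOpenedHandler(evt) {
    hallLight.on()
}
def motionHandler(evt) {
    hallLight.on()
    siren.strobe()
}
'''

SUBSCRIBE = re.compile(r'subscribe\(\s*(\w+)\s*,\s*"([\w.]+)"\s*,\s*(\w+)\s*\)')
HANDLER = re.compile(r'^def\s+(\w+)\s*\(\s*(\w+)\s*\)\s*\{\s*$')
ACTION = re.compile(r'^(\s*)(\w+)\.(\w+)\(\)\s*$')

def model_app(source):
    """Map each event handler (entry point) to the (device, event) pairs it serves."""
    model = {}
    for device, event, handler in SUBSCRIBE.findall(source):
        model.setdefault(handler, []).append((device, event))
    return model

def instrument(source):
    """Insert forensicLog(...) at handler entry and before each device action.

    forensicLog is a hypothetical helper assumed to send the record to the ITD.
    """
    model, out, current = model_app(source), [], None
    for line in source.splitlines():
        head, action = HANDLER.match(line), ACTION.match(line)
        if head and head.group(1) in model:
            current = head.group(1)
            out.append(line)
            out.append(f'    forensicLog("event", "{current}", {head.group(2)}.name)')
            continue
        if line.startswith('}'):
            current = None          # left the handler body
        elif current and action:
            indent, device, command = action.groups()
            out.append(f'{indent}forensicLog("action", "{current}", "{device}.{command}")')
        out.append(line)
    return '\n'.join(out) + '\n'
```

The model identifies which methods are event entry points, so only code reachable from a subscribed event is instrumented; lifecycle methods such as `installed()` are left untouched.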
Analyzer (ITA). The ITD stores logs obtained from smart apps
at runtime so the information from events and actions in a smart
environment can be used later for forensic purposes. The proposed
framework implements an ITA that executes the following actions
on the ITD data.
• Labeling: This step classifies and stamps the data in the ITD.
• Detection: The proposed framework is capable of not only labeling
the logs based on forensic criteria, but also analyzing the data to
infer user activity and detect forensic behavior of users, smart
apps, and devices.
• Device Cooperation: The forensics framework is capable of
detecting tampered devices based on the analysis of collected logs from
multiple devices. We call this process device cooperation. During
device cooperation analysis, if one device is compromised or
tampered, the information collected from other trusted devices
that share similar types of data logs is analyzed to detect the one
reporting fake or unexpected data.
• Multi-class Approach: We utilize a multi-class classification
approach to infer different forensic activities and behaviors in the
smart environment.

[Figure 1: Overview of the proposed framework for enabling forensics analysis in the smart environment. Diagram labels: Smart App Repository; Modifier (ITM): Source Code Analysis, Forensically-relevant Points, Smart App Instrumentation; Smart App Cloud Backend: IOTDOTS-modified Smart App, Device Handlers; Smart Environment: Events, Actions; Secure Database; Analyzer (ITA): User Activity Inference, Forensic Behavior, Security Policies, Forensic Decision; steps ① to ⑤.]

[Figure 2: Some preliminary results that demonstrate the efficacy of the proposed framework in inferring user activities inside the smart environment. x-axis: Number of Users (1 to 10); y-axis: Accuracy (%) (50 to 100); series: Forensic Activity-1 through Forensic Activity-5.]
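The device cooperation step from the Analyzer (ITA) list, as an added example that is not the authors' implementation. The abstract does not specify the analysis, so this sketch assumes a simple rule: compare each device's reading with the median of its peers in the same time window and flag devices that disagree in most windows. The log records, device names, tolerance and ratio are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed ITD-style records: (minute, device_id, temperature in degrees C).
# Four sensors share one room; "temp-3" reports implausible values from minute 2.
SAMPLE_LOGS = [
    (0, "temp-1", 21.0), (0, "temp-2", 21.2), (0, "temp-3", 21.1), (0, "temp-4", 20.9),
    (1, "temp-1", 21.2), (1, "temp-2", 21.3), (1, "temp-3", 21.3), (1, "temp-4", 21.1),
    (2, "temp-1", 21.4), (2, "temp-2", 21.5), (2, "temp-3", 35.0), (2, "temp-4", 21.3),
    (3, "temp-1", 21.5), (3, "temp-2", 21.7), (3, "temp-3", 36.2), (3, "temp-4", 21.4),
    (4, "temp-1", 21.7), (4, "temp-2", 21.8), (4, "temp-3", 34.8), (4, "temp-4", 21.6),
]


def device_cooperation(logs, tolerance=1.5, min_ratio=0.5):
    """Return {device: disagreement ratio} for devices that disagree with the
    median of their peers in more than min_ratio of the windows they report in.
    """
    windows = defaultdict(dict)
    for minute, device, value in logs:
        windows[minute][device] = value

    disagreements = defaultdict(int)
    seen = defaultdict(int)
    for readings in windows.values():
        if len(readings) < 3:       # need at least two peers to cross-check
            continue
        for device, value in readings.items():
            # Exclude the device under test so it cannot vouch for itself.
            peers = [v for d, v in readings.items() if d != device]
            seen[device] += 1
            if abs(value - median(peers)) > tolerance:
                disagreements[device] += 1

    return {d: disagreements[d] / seen[d]
            for d in seen if disagreements[d] / seen[d] > min_ratio}
```

Using the peer median rather than the mean keeps a single tampered device from dragging the reference value toward its own fake readings, so the trusted devices are not flagged alongside it.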
3 IMPLEMENTATION AND INITIAL RESULTS
We implemented the proposed forensics framework in a Samsung
SmartThings-supported smart environment to test its performance.
Figure 2 shows the accuracy of the framework in inferring user
activities in scenarios with multiple users. One can observe how
the accuracy values decrease as the number of users increases.
For time-independent activities (i.e., Activity-1 and Activity-2),
the framework achieves accuracy in the range from 98% to
95%. For time-dependent activities (i.e., Activity-3, Activity-4, and
Activity-5), the accuracy varies in the range from 96% to 86%,
as the number of users increases.
4 CONCLUSIONS
We introduced ongoing research work that proposes a novel
framework used to extract forensically-relevant logs from the smart
environment. Preliminary results demonstrate that the proposed
framework is highly effective.
5 ACKNOWLEDGMENTS
This work is partially supported by the US National Science
Foundation (Awards: NSF-CAREER-CNS-1453647, NSF-1663051) and
Florida Center for Cybersecurity’s Capacity Building Program. Any
opinions, findings, and conclusions or recommendations expressed
in this material are those of the authors and do not necessarily
reflect the views of the funding agencies.
REFERENCES
[1] H. Aksu, L. Babun, M. Conti, G. Tolomei, and A. S. Uluagac. 2018. Advertising in the IoT Era: Vision and Challenges. IEEE Communications Magazine (2018), 1–7. https://doi.org/10.1109/MCOM.2017.1700871
[2] Z. Berkay Celik, Leonardo Babun, Amit Kumar Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and A. Selcuk Uluagac. 2018. Sensitive Information Tracking in Commodity IoT. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD. https://www.usenix.org/conference/usenixsecurity18/presentation/celik
[3] Sudhir Chitnis, Neha Deshpande, and Arvind Shaligram. 2016. An investigative study for smart home security: Issues, challenges and countermeasures. Wireless Sensor Network (2016), 61.
[4] Malware found in surveillance cameras sold through Amazon. 2017. https://www.techworm.net/2016/04/malware-found-surveillance-cameras-sold-amazon.html. [Online; accessed 10-January-2018].
[5] Sukhvir Notra, Muhammad Siddiqi, Hassan Habibi Gharakheili, Vijay Sivaraman, and Roksana Boreli. 2014. An experimental study of security and privacy risks with emerging household appliances. In Communications and Network Security (CNS), 2014 IEEE Conference on. IEEE, 79–84.
[6] SaINT Project, L. Babun, Z. Berkay Celik and A. Kumar Sikder. [n. d.]. http://saint-project.appspot.com/. [Online; accessed August-2018].
[7] Amit Kumar Sikder, Hidayet Aksu, and A. Selcuk Uluagac. 2017. 6thSense: A Context-aware Sensor-based Attack Detector for Smart Devices. In USENIX Security.
[8] SmartThings Logging, Matt J Frank. [n. d.]. https://github.com/krlaframboise/SmartThings/blob/master/smartapps/krlaframboise/simple-event-logger.src/simple-event-logger.groovy. [Online; accessed May-2018].
[9] Biljana L Risteska Stojkoska and Kire V Trivodaliev. 2017. A review of Internet of Things for smart home: Challenges and solutions. Journal of Cleaner Production 140 (2017), 1454–1464.