St. Mary's University Institutional Repository

Please use this identifier to cite or link to this item: http://hdl.handle.net/123456789/6919
Title: A Model to Detect MiTM Attack in IoT Networks: A Machine Learning Approach
Authors: Ashenafi, Abel
Keywords: IoT Networks, IoT Vulnerability, IoT Network Attacks, Address Resolution Protocol Poisoning, Machine Learning
Issue Date: Jan-2022
Publisher: ST. MARY’S UNIVERSITY
Abstract: The Man-in-the-Middle (MitM) attack is a kind of cyberattack in which a perpetrator intercepts an ongoing communication between two parties and uses this communications breach either to eavesdrop on the communicated message or to alter the message before it reaches the intended legitimate receiver. In any IoT network, the basic purpose of a smart device is to take part in collecting large amounts of data from various sensors located in geographically dispersed locations and to relay this information to a Master-Device in the IoT network. Once the collected sensors’ data reach the Master device, it relays them wirelessly to a central database or server via gateways. IoT devices are usually designed to be deployed at mass scale and to operate in remote and hard-to-reach areas. IoT nodes are usually battery powered or scavenge power from their surroundings. Hence, IoT device manufacturers give little emphasis to security. In fact, IoT device manufacturers’ main goal is designing nodes that get the job done whilst consuming as little power as possible for as long as possible. Despite their widespread use and ubiquity, IoT networks are highly vulnerable to cyber-attacks like MitM attacks, and identification of these malicious behaviors is mandatory, as malicious tampering with IoT data by adversaries could lead to real-time, real-life catastrophes. The main objective of this study is building a machine learning model that detects modified sensors’ records that originated from IoT networks infected with ARP cache poisoning, based on the IoT network’s data patterns. Therefore, to build the model, both Normal and Attack data needed to be generated from an environment that mimics an IoT network.
Hence, for this study, an IoT testbed was built using the NodeMCU ESP32 IoT Module, which acts as the master device in the IoT network, a DHT22 Temperature & Humidity Sensor, an MQ2 Gas Sensor, a SW-420 Vibration sensor, and a wireless router. An adversarial system was also built using a DELL® Core-i3 laptop running Kali Linux, with a processor speed of 2.1 GHz and a total installed RAM of 4 GB. In this testbed, the data captured from the three sensors are temperature, humidity, smoke in parts per million, and the level of vibration, which are transmitted to a cloud server named ThingSpeak via a wireless router. In the normal phase, sensors’ values are extracted by the NodeMCU device and then transmitted to the ThingSpeak cloud. This data is then labeled as ‘Normal’ data. The attack phase is performed by the adversarial system, which intercepts data coming from the NodeMCU device, modifies it, and sends these modified sensors’ readings to the ThingSpeak cloud. This data is labeled as ‘Attacked’ data. Machine learning classifiers such as SVM, Naïve Bayes, Decision Trees, KNN and AdaBoost are built using the Weka Explorer software to classify the sensors’ data as ‘Normal’ or ‘Attacked’ based on the IoT network’s sensors’ records. Of the five candidate algorithms, Decision Trees had the highest accuracy, at 95.125 %.
URI: http://hdl.handle.net/123456789/6919
Appears in Collections: Master of computer science

Files in This Item:
File: Abel Ashenafi's Finalized M.Sc Thesis Paper (SMU).pdf
Size: 3.02 MB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.