Investigating Brute Force Attack Patterns in IoT Network

Introduction
Earlier security protocols should be pertinent to IoT to assure basic security services, including authentication, confidentiality, integrity, nonrepudiation, access control, and availability. The reason is that IoT is an extension of the classical Internet framework and technology. Nevertheless, the IoT network is constrained by several new factors, such as the huge number of devices and objects that may interact with one another in complex ways while using different security techniques. Moreover, the evolution from limited-access, closed networks to open ones has increased the need for security alerts that protect every device in an IoT network from intrusion [1].
End nodes (sensors/devices) are attached to IoT networks and communicate with a data/application server through a gateway. Collected data are usually transmitted from the gateway to the data/application server using the FTP protocol. Unfortunately, from a security standpoint, the FTP server at a gateway or data sink is very often improperly set up. At the same time, password guessing and theft are among the most popular attacks launched by intruders against IoT networks. The novelty of this paper is the use of a time-sensitive statistical relationship approach, together with visualization of the attack patterns, to identify the configuration of a brute force attack (BFA) on an FTP service under investigation.
The investigation focuses on attacks launched from the internal network, on the assumption that the IoT network already has a firewall installed. It provides new insight into this type of attack, with the main aim of producing attack pattern visualizations that help the IoT system administrator analyze any similar attack easily.
An insider/internal attack launched from the internal network endangers the entire IoT security system even more. Thus, securing FTP connections on IoT networks against botnet attacks is crucial. To understand how to protect against such attacks, it is best to examine them from the attacker's perspective: the methods used, the goals pursued, and the manner in which the attacks are launched. The authors undertake experiments to investigate several attack types, in particular (i) probes that aim to obtain detailed information and (ii) brute force attacks (BFAs) geared towards guessing passwords and/or gaining privileged access.
Several malware variants, as discussed in [2,3], infect hardware, software, and networks and, in some cases, can also infiltrate via spam, phishing, and drive-by downloads.
This paper describes brute force malware attacks on the FTP server of an IoT network that aim to gain escalating privileged access in the IoT environment. Steiner [4] identified weaknesses in FTP service provision, and these findings were strengthened by the results of the research in [5]. Meanwhile, Joshi et al. [6] clearly described a BFA to break FTP's encrypted password. Nevertheless, FTP remains a major alternative for providing data transfer services despite its vulnerability, which stems from its plain-text authentication procedure.
Having completed the experiments and investigation, the authors describe the following: (i) how to extract important features of data packets related to potential attack packets; (ii) how to detect BFAs on FTP services in IoT networks; (iii) how to visualize FTP attacks using a time-sensitive statistical relationship; and (iv) how to display patterns of known attacks by counting the number of alerts.
The paper is arranged as follows. Section 2 reviews related work. Section 3 presents the research methodology, consisting of the scenario, the stages, and the course of the investigation, including scanning, brute force, and gaining privileges. Section 4 presents and discusses the results. Section 5 concludes the paper.

Related Works
Previous research [7,8] has penetration-tested Internet service operating systems to analyze vulnerabilities and exploitable security lapses. Their results can be summarized as follows: (i) an advanced system is affected by many factors, including its kernel engine, active services, the degree to which service engines have expired, and the update period; (ii) each attack contains a unique payload that serves as a flag for the attack pattern; and (iii) all operating systems tested (FreeBSD, Linux, and Windows servers) exhibit some level of vulnerability and were given risk ratings. Similar research was carried out by Austin et al. [9], and Broucek and Turner [10] undertook similar investigations in preparation for an offensive cyberwar.
Currently, three methods are commonly used to elicit passwords: brute force, dictionary, and hybrid attacks. The present work examines BFAs used to find the password combination that grants access to FTP services. The purpose of a BFA is to break or decrypt a secret code by trying all possible keystroke combinations; its probability of success depends heavily on the difficulty of the password combination.
Venter's benchmark works [11,12] presented possibilities for breaking password codes both offline and online and have been cited by many researchers. Moreover, Helkala et al. [13] reinforced Venter's research using small instruments that yielded high impact. In addition, Pilli et al. [14] and Vykopal [15] described other aspects of BFAs regarding taxonomy, multiple approaches, and distributions.
In essence, a BFA forces characters into hazarded password guesses and can be carried out remotely from an attacker's machine. In brief, a BFA is a password experiment that uses possible ASCII characters in isolation or in combination.
Generally, BFAs are divided into two attack classes, insider and outsider, as reported in [3,16,17]. Both are illustrated in Figure 1. Online password hacking has been described in [18], and offline hacking research has demonstrated that the number of characters and password combinations greatly influences the time required for cracking [13,15]. Overall, all cited investigators stressed that BFAs have the real-time capability to deduce valid passwords on FTP servers.
According to Jang-Jaccard and Nepal [3] and Nithiyanandam et al. [19], several types of internal/insider attacks are possible. These include the man-in-the-middle attack, the bring-your-own-device (BYOD) attack, malware, device/physical data theft, and sabotage. The observations allow the following to be characterized and concluded: (a) the insider attacker is usually perceived as a valid user of the institution/company; (b) the insider attacker has limited access to some services without additional layers on different service packages, and insider traffic also differs from inbound packets from outside the network, which are tightly scrutinized by filters with multiple DMZ services; (c) an insider attack on IoT is multiform and poses various problems related to malicious and accidental security incidents stemming from employees and outsourced parties; and (d) since the attacker is inside, they have detailed knowledge of technical matters such as the network backbone, IP address allocations, the virtual local area network (VLAN), the service clustering application, and the IT staff members who monitor the network.
Figure 2 demonstrates brute force attack approaches and methods and visualizes patterns that describe brute force attacks. Some attack patterns were produced using graphinfo's time-sensitive approach to statistical relationships, as discussed by Sadoddin and Ghorbani [20]. Other patterns were generated and simulated with the MIT DARPA dataset. Distribution values for pattern outcomes obtained during simulated attacks matched results from the extracted packet data.
Attack detection tools are used by many researchers, including the Snort detection software, whose detection engine produces alerts [21][22][23][24]. Its ability relies expressly on the available rules (in /etc/snort/rules/) that effectively recognize attacks. Snort also compiles a pcap file of raw data derived from its sniffing process. Both abilities have made Snort a major tool and reference instrument in the field of systems security research.
The Snort engine is also used to report "front-end" attacks. Its engine identifies malicious attempts in real-time traffic based on well-known attack algorithms. When malicious activity occurs, Snort generates hundreds of events to warn that an activity has been identified as a potential threat. Snort also uses a variety of methods to categorize and log intrusions. Best of all, Snort alerts contain copious data, such as the IP addresses that identify source and destination, port addresses (source and destination), attack names, alert priority, TTL, and packet length. Snort Version 2.8.5 (Build 121) uses 65 rules that identify and detect threats from pcap files and then produces numerous alerts in the log directory ("/var/log/snort"). The number of rows generated during repeated runs of the same data is reduced by keying on signature-id and priority. Each alert consists of a signature-id, priority, src_ip, src_port, dst_ip, dst_port, timestamp, TTL, ToS, IP_Len, and Dgm_Len. The totals of the acquired alert information are then compared to verify that all packets were "successfully identified" and "responded to" for each penetration scenario.
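To make the alert reduction concrete, the following is an added example (not code from the paper, and not Snort's own) that parses Snort's one-line fast alert format, collapses repeated alerts onto (signature-id, priority) keys, and counts alerts per second for the attacks-per-second view; the alert lines are constructed, and the sids 1000001 and 1000002 are placeholder local ids, not real Snort rules.

```python
"""Reduce Snort "fast" alerts by signature-id and priority, then count per second.
Added example (not code from the paper or from Snort): the alert lines are
constructed, and sids 1000001/1000002 are local placeholder ids, not real rules.
"""
import re
from collections import Counter, defaultdict

# One-line "fast" alert: ts [**] [gid:sid:rev] msg [**] [Classification: ...]
# (optional) [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.(?P<usec>\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)$"
)

SAMPLE_ALERTS = """\
01/15-21:05:01.100000  [**] [1:1000001:1] FTP login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:40001 -> 192.168.10.10:21
01/15-21:05:01.350000  [**] [1:1000001:1] FTP login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:40002 -> 192.168.10.10:21
01/15-21:05:01.700000  [**] [1:1000001:1] FTP login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:40003 -> 192.168.10.10:21
01/15-21:05:02.050000  [**] [1:1000001:1] FTP login attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:40004 -> 192.168.10.10:21
01/15-21:05:02.400000  [**] [1:1000002:1] FTP SITE EXEC attempt [**] [Priority: 2] {TCP} 192.168.10.50:40005 -> 192.168.10.10:21
not an alert line
""".splitlines()


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = FAST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def group_by_sid_priority(lines):
    """Collapse repeated alerts onto (sid, priority) keys with a count each,
    the reduction the text applies to rows from repeated Snort runs."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec:
            counts[(rec["sid"], rec["prio"])] += 1
    return dict(counts)


def alerts_per_second(lines, src=None):
    """Alerts per whole second, optionally for one source IP; this is the
    per-second series behind an attacks-per-second plot."""
    per_sec = defaultdict(int)
    for line in lines:
        rec = parse_fast_alert(line)
        if rec and (src is None or rec["src"] == src):
            per_sec[rec["ts"]] += 1
    return dict(per_sec)


if __name__ == "__main__":
    print(group_by_sid_priority(SAMPLE_ALERTS))
    print(alerts_per_second(SAMPLE_ALERTS, src="192.168.10.50"))
```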
Figure 3 shows the general architecture of Snort's three main modules: (i) preprocessor, (ii) detection engine, and (iii) alert. A packet that is successfully captured by the sniffer module is passed through the pcap library. The preprocessor sorts the content, which is then classified into several categories for processing in the Snort engine using the available rules.
These rules critically affect the attack's suggested outcome. Accordingly, researchers have proposed a modification mechanism to update and thus optimize rule capabilities [22,25].

Investigation Method
The investigation uses a small-scale IoT network testbed consisting of multiple hardware items, including a DHT22 sensor, an MQ2 sensor, a soil moisture sensor, a water level sensor, two Zigbee-type sensors, and a WeMos D1 microcontroller equipped with the ESP8266 Wi-Fi module. Two middleware modules based on the Raspberry Pi are used to communicate with the Zigbee and Wi-Fi types of equipment. In addition, the testbed uses supporting software such as the MySQL database, the DoS tool Hping3, the Apache web server, and Snort as the IDS. Figure 4 illustrates the topology of the testbed. Table 1 gives short descriptions of the equipment.
Figure 5 depicts the overall process flow of packet capturing and decoding in the experiments. Figure 5(a) depicts the capturing workflow. Figure 5(b) shows the process of raw data extraction to obtain unique features after data processing and training. This process is necessary to extract the parameters required to search for and identify the common ground patterns of a BFA. When a BFA scenario is run, the pcap file activates the sniffing process and produces raw data that is not human-readable, because of the unique structure of the IPv4 header, which has hidden layers that depend on the protocols and the various encapsulation processes. To facilitate training, file types that can be processed and are generally accepted are required; here, a "csv" file is used as the result of raw data processing. The search for the same pattern operates on raw data derived from a hashing algorithm that classifies certain values in a field of interest. The success of the experiment relies on proving the existence of unique attack pattern scenarios by (i) comparing attack timelines, (ii) capturing packets with the sniffer, and (iii) retrieving log data from the targeted machine. This complete set of data is combined to prove whether the observed pattern matches the BFA profile or any other attack type.
The authors combined all three datasets with the raw data compiled by the Snort engine to certify the correctly identified attack, as recognized by the Snort signature database. Results were validated repeatedly against the timeline as well as by reviewing the various information derived from the Snort alerts. Hence, correct attack scenario results on the targeted machine were robustly demonstrated.
The observations reveal a looping pattern: a single line of data packets at a certain point in time with the same value in the same field. Figure 6 shows a simplified process for sorting the data into a single plot that visualizes the captured alert results identified as an attack. Figure 7 shows the stages of attack identification as an online display, spelled out in pseudocode.

Experimental Results
This section presents the investigation results in stages. Having completed traffic sniffing on the network to produce raw data, the captured data are extracted and read to determine the pattern for each attack model. In this case, both the BFA pattern and the normal FTP pattern were the focal observations. Figure 8 depicts an example of the extracted data, showing that the raw data hold unique repeated fields that reveal an ongoing process. The fields of the extracted payload are timestamp, packet size, total packet length, protocol flags, windowing, protocol length, content, and signature. Figure 8 shows the traffic data with the timestamp values 12475, 12476, and 12477 repeating. The alerts are displayed on an integrated dashboard, as depicted in Figure 9. The detection system displays any attack reports that originated from Snort alerts and visualizes them online. This application produces values by sorting and filtering the fields of traffic packets previously analyzed by the sniffing process.
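As an added example (not the paper's Figure 7 pseudocode, whose exact steps the page does not reproduce), the following reads an extracted-feature CSV with the fields listed above, finds the timestamps whose packets repeat the same value in the same field, and reports the per-second run of FTP PASS commands that characterizes the BFA; the CSV rows, the repeating timestamps 12475 to 12477, and the password guesses are all constructed.

```python
"""Identify the looping pattern of an FTP brute force attack in extracted packet
features. Added example, not the paper's Figure 7 pseudocode: the CSV columns are
the fields the text lists, and the rows (with the repeating timestamps
12475..12477) are constructed to mirror the repetition described for Figure 8."""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """\
timestamp,pkt_size,total_len,flags,window,proto_len,content,signature
12475,66,52,PA,229,20,USER sensor,
12475,66,52,PA,229,20,PASS guess-01,
12475,66,52,PA,229,20,PASS guess-02,
12476,66,52,PA,229,20,PASS guess-03,
12476,66,52,PA,229,20,PASS guess-04,
12477,66,52,PA,229,20,PASS guess-05,
12477,66,52,PA,229,20,PASS guess-06,
12477,66,52,PA,229,20,PASS guess-07,
12490,74,60,PA,229,20,RETR sensor.log,
12491,60,46,PA,229,20,QUIT,
"""

# Structural fields whose values repeat packet after packet during the loop.
REPEAT_FIELDS = ("pkt_size", "total_len", "flags", "window", "proto_len")


def load_rows(text):
    """Read the extracted-feature CSV into dicts with an integer timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = int(r["timestamp"])
    return rows


def looping_timestamps(rows, min_repeat=2):
    """Timestamps at which >= min_repeat packets carry identical values in every
    REPEAT_FIELDS column (the 'same value in the same field' loop) -> {ts: count}."""
    by_ts = defaultdict(list)
    for r in rows:
        by_ts[r["timestamp"]].append(r)
    loops = {}
    for ts, group in sorted(by_ts.items()):
        if len(group) >= min_repeat and all(
            r[f] == group[0][f] for r in group for f in REPEAT_FIELDS
        ):
            loops[ts] = len(group)
    return loops


def detect_ftp_bfa(rows, min_rate=2):
    """Longest run of consecutive seconds with >= min_rate FTP PASS commands each;
    returns the window and per-second counts, or None when no such run exists."""
    pass_per_sec = defaultdict(int)
    for r in rows:
        if r["content"].upper().startswith("PASS "):
            pass_per_sec[r["timestamp"]] += 1
    run, best = [], []
    for ts in sorted(pass_per_sec):
        if pass_per_sec[ts] < min_rate:
            run = []
            continue
        run = run + [ts] if run and ts == run[-1] + 1 else [ts]
        if len(run) > len(best):
            best = run
    if not best:
        return None
    return {"window": (best[0], best[-1]),
            "attempts": sum(pass_per_sec[t] for t in best),
            "per_second": {t: pass_per_sec[t] for t in best}}
```

Running `detect_ftp_bfa(load_rows(SAMPLE_CSV))` on the constructed rows reports the window 12475 to 12477 with seven PASS attempts, while the RETR and QUIT packets at 12490 and 12491 are left out as normal FTP traffic.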
In a separate process, Snort concurrently generates groups of alerts recognized as patterns that match its signature database. Figure 10 shows some of these alerts, which were determined by employing Snort's rule engine. Each rule has a unique pattern that is recognized as an attack; however, because of a major problem in the Snort detection system, namely high false alarm rates that affect the confusion matrix values for false positives (FP), false negatives (FN), true positives (TP), and true negatives (TN), Snort cannot serve as the primary reference. Nevertheless, Snort is the standard established by prior studies as the engine for comparison. Figure 11(a) displays the frequency of the attack as it happened (from 21.05 to 21.10 hours). The attacker uses two techniques: brute force and dictionary. Figures 11(b) and 11(c) show the number of attacks per second for the brute force attack and the dictionary attack, respectively. Both types show a similar pattern, indicating that the attacks share the same main characteristics. During the "FTP SITE EXEC attempt" attack, which belongs to the remote-to-local (R2L) class, the attacker can execute the "SITE EXEC" command on the targeted machine by supplying a path name with certain characteristics. In other words, a remote attacker can execute commands on the FTP server, including the creation of certain directories. Consequently, this attack allows the attacker to gain root-level access to the system.
Figure 12 shows the traffic from one node to another while the BFA is happening. Both the FTP SITE EXEC command and the FTP parameters were malformed and hence were identified by the "pattern of attack" rule identification procedure. The red line indicates a successful attack. Thus, the IoT system administrator can visually spot that something wrong is happening on the IoT network.
Figure 13 shows the characteristic pattern of a change working directory (CWD) attack, which also belongs to R2L. R2L focuses on successful anonymous logins that obtain the right to write to the system and plant a backdoor or other malware. Here, the attacker repeatedly assaults the system with a pattern that differs from the previous attacks. The pattern reflects several CWD stages. Having successfully logged in anonymously, the attacker attempts to change the directory, preceded by a passive mode command (PASV) that enables responsive communication.
The attacker then follows with a Network Services Lead Team (NLST) command to restore files to a specified directory. Figure 13 also displays traffic during BFA scenario testing, scanning, and Denial-of-Service (DoS) flooding of the target. The traffic information in Figure 13 clearly illustrates the offensive packet flow from the attacker to the targeted machine.
The information inside box A of Figure 13 is the alert from Snort, displayed as information on suspected attacks. This information is compared with the proof, obtained from the detection procedure, that attacks occurred. The information inside box B of Figure 13 shows the extraction results from the raw data using the identification procedure of Figure 7. Both show a similar attack characteristic/pattern that generated alerts, along with unique field values that repeated within a single attack scenario. Hence, it is clear that the simulated BFA scenario generated a unique characteristic pattern. This conclusion was confirmed by the Snort alert results. Thus, the pattern identification procedure shown in Figure 7 works well in detecting the BFA.

Conclusion and Future Works
This paper investigated a brute force attack that attempts to gain escalating privileges on the FTP server of an IoT network. The attack is likely to occur because of a weakness in the FTP service, which lacks encryption during the three-way handshake process. Moreover, attacks can originate within the network and may occur because an extensive protection system was improperly set up to limit local user access, which in turn affects the security of the entire system.
Experimental observations recognized BFA patterns on an FTP service that matched the Snort analysis of the captured data. Snort provides information to the system administrator in the form of a warning alert that reports network occurrences. The findings from the experiments provide visual protection assistance for researchers and practitioners. The authors intend to investigate IoT attack patterns with more complicated network topologies and scenarios, specifically those launched by botnets on the IoT network. Finally, Table 2 summarizes the findings from the experiments.
Table 2 shows that the patterns (features) used as signatures in the identification procedure of Figure 7 accurately characterize the attacks, and thus the attack is successfully detected. This result was confirmed by Snort, which also produced an alert on detection. Therefore, this result indirectly confirms that the statistical relationship used for analyzing the attack works well. Visualization helps the network administrator to identify any anomalies/attacks easily.

Figure 2: (a) Brute force attacks. (b) Attack pattern based on the correlation approach.

Figure 6: Flowchart of the sorting process.

Figure 7: Pseudocode for the stages of the attack identification procedure.


Figure 12: Snapshot of the node-to-node traffic during the attack.

Figure 13: Confirmation of alert on attack by the detection algorithm (A) and by Snort (B).

Table 1: List of equipment for the testbed.