NIST White Paper (Draft) Methodology for Characterizing Network Behavior of Internet of Things Devices
Hello, this is Mitsuhiko Maruyama.
NIST has published the White Paper (Draft) Methodology for Characterizing Network Behavior of Internet of Things Devices and is requesting comments on it.
It describes an approach to determining and documenting the types and communication behaviors of IoT devices connected to a network. From this identification and documentation, files based on the Manufacturer Usage Description (MUD) specification can be created, which manufacturers and network administrators can then use to manage access to and from those devices. The Next Steps section also touches on the current state of implementation of this approach and proposals for future development.
● NIST ITL
・2020.04.01 White Paper (Draft) Methodology for Characterizing Network Behavior of Internet of Things Devices
・[PDF] White Paper (Draft)
-----
Announcement
This draft white paper from the National Cybersecurity Center of Excellence (NCCoE) demonstrates how to use device characterization techniques to describe the communication requirements of Internet of Things (IoT) devices in support of the manufacturer usage description (MUD) project.
Securing a network is a complex task made all the more challenging when IoT devices are connected to it. This white paper delves into capturing network communications from IoT devices for analysis and generation of MUD files. Manufacturers and network administrators can use the proposed characterization techniques to describe the communication requirements of an IoT device, which can allow for the accurate management of network access to and from those devices. This can help to ensure that IoT devices perform as intended by the device manufacturers or owners.
Companion Tool: NCCoE created a tool called MUD-PD for characterizing IoT devices, which is helpful in generating MUD files.
Abstract
This white paper describes an approach to determining and documenting the device types and communication behaviors of Internet of Things (IoT) devices connected to a network. From this identification and documentation, files based on the Manufacturer Usage Description (MUD) specification can be created and used by manufacturers and network administrators to manage access to and from those devices. The paper also describes the current state of implementation of the approach and proposals for future development.
----
Table of Contents
1 Introduction
1.1 Purpose and Scope
1.2 Challenges
1.3 Background
2 Network Traffic Capture Methodology
2.1 Capture Strategy
2.2 Capture Procedure
2.3 Documentation Strategy
3 Analysis Use Cases and Tools
3.1 Manual MUD File Generation
3.2 MUD-PD
3.3 MUD-PD Support for Privacy Analysis
4 Next Steps
4.1 Extending MUD-PD Features
4.2 Developing a MUD Pipeline
4.3 Community Feedback
References
List of Appendices
Appendix A — Example Capture Environment
Appendix B — Acronyms
-----
1.1 Purpose and Scope
The purpose of this publication is to demonstrate how to use device characterization techniques to describe the communication requirements of IoT devices. This publication focuses on the capture of network communications involving IoT devices necessary to generate MUD files. The methodology seeks to allow for analysis of the full range of IoT device network traffic behaviors that can reasonably be expected. This includes examining a variety of factors that could potentially alter an IoT device’s behavior at each stage of the device’s life cycle. An important item to note is that this work is focused on documenting the behavior of IoT devices, not on establishing the identity of the devices themselves.
One of the primary motivators for developing this methodology is to support developing files that could be used in the application of MUD [1]. MUD provides a standard way to specify the network communications that a device requires to perform its intended function. The MUD specification supports development of a MUD file that defines expected and permitted network activity and behavior. Accurately generating a MUD file for a networked device requires a comprehensive picture of the device’s potential actions.
A MUD file’s accuracy is based on two concepts: comprehensiveness—the extent to which it lists all potential communications that the device may need to perform its intended function, and correctness—the extent to which it avoids listing communications that the device does not need. An accurate MUD file will contain all the potential communications necessary for the device to perform its intended function while not listing any unneeded communications. However, because the final decision of what actions a device may perform is ultimately up to the local network administrator [1], the local administrator tasked with implementing the device may decide that the deployed device’s MUD file should be more or less restrictive than the MUD file provided by the manufacturer.
In addition to prescribing a methodology for capturing an IoT device’s behavior on a network, use of this behavior information to create MUD files can be leveraged by MUD-PD, described in Section 3.2. The MUD-PD tool can be used in generating MUD files for use on a live network. Developers, network administrators, and researchers can take advantage of the methodology to develop a comprehensive data set that can be used for generating MUD files, investigating security and privacy concerns, developing machine learning algorithms, and more. The methodology described has been developed on internet protocol (IP)-based networks, but it can potentially be utilized with other types of networks as well. It is important to note that this type of analysis assumes that the IoT devices have not been tampered with or compromised by a malicious actor at any point in the process. The analysis method also assumes that the IoT devices are operating as intended by the manufacturers of the devices.
It should be noted that a device may have a minimum set of permissions for the device to operate at all. Additionally, a network administrator may wish to create a MUD file for a legacy device, i.e., a device for which the manufacturer has not provided a MUD file. The goal is to have an accurate MUD file. The methodology described herein provides a framework that allows capture of the often-large range of behaviors required for generating accurate MUD files.
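As an added illustration of the two accuracy concepts from the excerpt above (this is not code from the NIST paper, from MUD-PD, or from the blog), the following script scores a candidate MUD allow-list against flows summarised from device captures. The flow records and the candidate list are constructed sample data, and the tuple form is a simplified stand-in for the ACL entries of a real MUD file, not the MUD file format itself.

```python
from collections import namedtuple

# One observed or permitted communication: direction relative to the device,
# remote endpoint (a DNS name, as a MUD file would express it), transport, port.
# This tuple is a simplified stand-in for a MUD ACL entry (assumption).
Flow = namedtuple("Flow", "direction remote proto port")

# Constructed flows as they might be summarised from captures taken across
# the device's life cycle (setup, normal operation, firmware update).
OBSERVED = {
    Flow("from-device", "api.example-vendor.test", "tcp", 443),
    Flow("from-device", "update.example-vendor.test", "tcp", 443),
    Flow("from-device", "time.example-vendor.test", "udp", 123),
    Flow("to-device", "controller.local", "tcp", 8080),
}

# Constructed candidate allow-list, e.g. a manufacturer-supplied draft.
# It omits the NTP flow and lists a telemetry host the captures never show.
CANDIDATE = {
    Flow("from-device", "api.example-vendor.test", "tcp", 443),
    Flow("from-device", "update.example-vendor.test", "tcp", 443),
    Flow("from-device", "telemetry.example-vendor.test", "tcp", 443),
    Flow("to-device", "controller.local", "tcp", 8080),
}


def evaluate(observed, candidate):
    """Return (comprehensiveness, correctness, missing, unneeded).

    comprehensiveness: share of observed flows the candidate permits
                       (a gap here means the device gets blocked).
    correctness:       share of candidate entries backed by an observed flow
                       (a gap here means the file is over-permissive).
    """
    missing = observed - candidate
    unneeded = candidate - observed
    comprehensiveness = (len(observed) - len(missing)) / len(observed)
    correctness = (len(candidate) - len(unneeded)) / len(candidate)
    return comprehensiveness, correctness, missing, unneeded


if __name__ == "__main__":
    comp, corr, missing, unneeded = evaluate(OBSERVED, CANDIDATE)
    print(f"comprehensiveness={comp:.2f} correctness={corr:.2f}")
    for f in sorted(missing):
        print("missing (device would be blocked):", f)
    for f in sorted(unneeded):
        print("unneeded (over-permissive entry):", f)
```

Both gaps matter to an administrator: a missing entry breaks the device once MUD enforcement is on, while an unneeded entry leaves a path open that the captures give no reason to permit.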
-----
・Project Description (IoT Device Characterization NCCoE)