
Graduate student: 黃哲彬 (Che-Pin Huang)
Thesis title (Chinese, translated): An Intrusion Detection Mechanism for IoT Devices Ensuring Forward Security of Event Logs
Thesis title (English): An Intrusion Detection Scheme for IoT Devices Supporting Forward-secure Event Logs
Advisor: 鄧惟中 (Wei-Chung Teng)
Committee members: 邱舉明, 李漢銘, 項天瑞
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2019
Academic year of graduation: 107 (ROC calendar)
Language: Chinese
Number of pages: 44
Keywords (Chinese, translated): IoT, event log, forward security, intrusion detection, encryption, sensor
Keywords (English): IoT, Event Log, Forward Secure, Intrusion Detection, Encryption, Sensor
    With the rapid growth of the IoT (Internet of Things) in recent years, threats from numerous insecure devices and from malware have followed, and these may become one of the biggest concerns for the future development of the IoT. A common pattern is that an intruder, after logging in to an IoT device and gaining control of it, plants malicious files or software in certain specific directories in order to carry out subsequent actions. Embedded system devices usually record user logins and abnormal system events in log files, so the intruder's actions are recorded as well. However, an intruder usually neither wants the system administrator to discover the intrusion nor wants to leave traces and evidence on the system, and so may try to delete or modify the log file contents recorded at the time of the event.
    Therefore, this research designs a software architecture for IoT devices whose function is that, when an intruder plants a file in one or more specific executable directories, the IoT device immediately issues a warning so that the system administrator can take the corresponding measures. In addition, a cryptographic algorithm with forward security is used, so that even after the intruder has successfully gained control of the device, the device's system can still ensure that the contents of all previously generated log files are secure and cannot be modified.
    This research uses a Raspberry Pi (untrusted device), a secure server (trusted machine) and an Ethernet switch as the experimental environment to simulate and verify whether the system achieves the expected effect. According to the experimental results, when an intruder gains control of the IoT device and adds or modifies a file in a specific directory, the system encrypts the content of the abnormal event with a forward-secure cryptographic algorithm, the system administrator learns of the abnormal event immediately, and the secure server receives the encrypted abnormal-event record at the same time. Because it holds the shared key, the server can decrypt the abnormal record into plaintext and can perform further security checks on the IoT device based on that record. Moreover, because all log files are encrypted with a forward-secure cryptographic algorithm, the intruder cannot forge past event records, so the security of the log files from before the abnormal event is ensured.


    With the rapid growth of the IoT (Internet of Things), information security is considered one of the biggest concerns for upcoming applications. It is common for intruders to implant malware in some directory after logging in to the IoT device to gain control, or after exploiting loopholes in network communication protocols. Intruders usually try to remove the footprints and evidence of their intrusion, such as the records of logins and abnormal events in the log files. Therefore, this research aims to realize a mechanism that secures the intrusion detection ability of IoT devices.
    The core function of the proposed mechanism is that when an intruder implants or alters a file in any of the folders for executable binaries, the soon-to-be-compromised IoT device immediately issues a warning to notify the system administrator. In addition, a cryptographic algorithm with forward security is utilized: even after the intruder successfully gains control of the device, the operating system of the device ensures that all existing records in the log file cannot be faked.
    In this research, an experimental implementation including a Raspberry Pi (untrusted device), a secure server (trusted machine), and an Ethernet switch is deployed to simulate whether the system can perform its intended function. According to the experimental results, when the intruder obtains control of the IoT device and adds or modifies a file in a specific directory, the system encrypts the content of the abnormal event with an encryption algorithm that has forward security. The system administrator learns of the abnormal event as soon as possible, and the secure server receives the encrypted abnormal event record at the same time. Because the server holds the common key, the records of abnormal events can be decrypted, and the IoT device can be further checked for security according to the record. Moreover, the log files are encrypted with a forward-secure cryptographic algorithm, so the intruder cannot falsify past event records, and the security of the log file from before the abnormal event occurred is ensured.
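The forward-secure logging idea summarized in both abstracts above, as an added example that is not the thesis's own code: a per-entry key A_j that is evolved one-way and erased after each write (in the style of Schneier and Kelsey's secure-log scheme), a hash chain linking entries, and a trusted server that holds the shared A_0 to verify and decrypt. The key labels, the SHA-256 keystream cipher and the inotify-style sample events are assumptions constructed for this demonstration.

```python
import hashlib
import hmac
ZERO = b"\x00" * 32   # hash-chain seed before the first entry
A0 = hashlib.sha256(b"constructed shared secret").digest()   # constructed shared key
SAMPLE = [b"CREATE /usr/local/bin/.hidden", b"MODIFY /usr/bin/sshd"]  # constructed events

def evolve(a_j: bytes) -> bytes:
    """One-way update A_{j+1} = H(A_j); the device erases A_j right after."""
    return hashlib.sha256(b"evolve" + a_j).digest()

def epoch_keys(a_j: bytes) -> tuple:
    """Distinct encryption and MAC keys for entry j, both derived from A_j."""
    return hashlib.sha256(b"enc" + a_j).digest(), hashlib.sha256(b"mac" + a_j).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Demo keystream cipher (SHA-256 counter blocks); use an AEAD for real logs."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], block))
    return bytes(out)

def seal(a_j: bytes, prev: bytes, ct: bytes) -> tuple:
    """Chain ciphertext ct to the previous entry and MAC the link under A_j."""
    chain = hashlib.sha256(prev + ct).digest()
    return chain, hmac.new(epoch_keys(a_j)[1], chain, hashlib.sha256).digest()

class DeviceLog:
    """Runs on the untrusted IoT device and holds only the current key A_j."""
    def __init__(self, a0: bytes):
        self.a, self.prev, self.entries = a0, ZERO, []
    def append(self, event: bytes) -> None:
        ct = xor_stream(epoch_keys(self.a)[0], event)
        self.prev, tag = seal(self.a, self.prev, ct)
        self.entries.append((ct, tag))
        self.a = evolve(self.a)   # old A_j no longer exists on the device

def verify_and_decrypt(a0: bytes, entries: list) -> tuple:
    """Server with shared A_0 replays the schedule: (-1, plaintexts) or (bad index, prefix)."""
    a, prev, out = a0, ZERO, []
    for i, (ct, tag) in enumerate(entries):
        chain, expect = seal(a, prev, ct)
        if not hmac.compare_digest(tag, expect):
            return i, out
        out.append(xor_stream(epoch_keys(a)[0], ct))
        prev, a = chain, evolve(a)
    return -1, out

def forge_first_entry(log: DeviceLog, fake: bytes) -> None:
    """Intruder holding only the current A_j re-seals entry 0; A_0 is unrecoverable, so it fails."""
    ct = xor_stream(epoch_keys(log.a)[0], fake)
    log.entries[0] = (ct, seal(log.a, ZERO, ct)[1])
```

The server detects the rewrite at index 0 because the tag was computed under a key derived from A_2, not A_0, and the one-way update makes A_0 unrecoverable from the device's current state.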

    Chapter 1 Introduction
    1.1 Background
    1.2 Research Objectives
    1.3 Thesis Organization
    Chapter 2 Related Work
    2.1 Forward Security
    2.2 Research on Forward-secure Encryption of Log Files
    2.2.1 Introduction
    2.2.2 Scenario
    2.2.3 Solution
    2.2.4 Methodology
    2.3 Forward-secure Sequential Aggregation
    2.3.1 Introduction and Scenario
    2.3.2 Solution
    2.3.3 Definitions and Properties
    2.3.4 FssAgg MAC Scheme
    2.3.5 FssAgg Signature Scheme
    2.4 Other Research on Securing System Logs
    2.5 inotify File Change Detection Technique
    Chapter 3 Research Method
    3.1 Improvements to the Forward-secure Log Encryption Algorithm
    3.2 Characteristics of IoT Devices and Why They Are Easily Attacked
    3.3 Definition and Methods of Intrusion
    3.4 Constraints of IoT Devices
    3.5 System Architecture and Configuration
    3.6 System Functions
    3.6.1 Real-time File Change Detection
    3.6.2 Generating Forward-secure Encrypted Log Entries
    3.5.3 Communication between the IoT Device and the Secure Server
    3.7 Expected Goals
    Chapter 4 Experimental Design and Results
    4.1 Scenario and Architecture Environment
    4.2 Process and Results
    4.3 Analysis of Experimental Results
    Chapter 5 Conclusion
    References

