
Graduate student: 呂奕慶 (Yi-Ching Lui)
Thesis title (Chinese): 通過韌體模擬實現數位分身達到物聯網端點偵測及回應
Thesis title (English): Toward Intelligent IoT Endpoint Detection and Response using Digital Twins via Firmware Emulation
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee members: 周詩梵 (Shih-Fan Chou), 黃仁竑 (Ren-Hung Hwang), 孫敏德 (Min-Te Sun), 蕭旭君 (Hsu-Chun Hsiao)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2022
Academic year of graduation: 110
Language: English
Pages: 35
Chinese keywords: digital twin, edge computing, firmware emulation, machine-learning-based detector, system call
Foreign keywords: ML-based detector, IoT EDR
Views: 294; downloads: 0

Chinese abstract (translated): IoT endpoint devices are characterized by short time-to-market, high heterogeneity, constrained resources, and unfriendly interfaces, so the security mechanisms of traditional computers, such as antivirus systems, are not applicable to IoT devices. Network-level security detection systems such as IDS cannot fully detect and mitigate the growing number of fileless attacks. This thesis uses firmware emulation to realize a digital twin (DT) of an IoT endpoint device and builds an intelligent IoT endpoint detection and response (EDR) platform. Traffic to the actual device is mirrored to the DT inside the platform; because deep inspection cannot be performed on the physical device, a system-level monitoring module is integrated into the softwarized DT to achieve deep IoT endpoint detection. In addition, machine learning algorithms can identify malicious behavior from system-level system calls and network-level packets, and further locate the suspicious packets carrying malicious commands; the EDR then updates the IDS rules to recognize and block traffic to IoT endpoint devices that carries the same malicious payload, thereby achieving endpoint response. In the experiments, we emulate IoT endpoint devices of different CPU architectures such as ARM, MIPS, and X86, and implement the Mirai malware and RCE attacks to verify the platform's accuracy. The experimental results show an attack-determination accuracy of 99.94%; we consider the proposed solution feasible for IoT endpoint devices, and this result confirms that digital twins based on firmware emulation can effectively protect existing IoT devices.


The properties of short time-to-market, heterogeneity, constrained resources, and unfriendly interfaces of IoT endpoint devices make the system-based security mechanisms of traditional desktops, such as antivirus, inapplicable. Moreover, the popular network-based security solutions, such as IDS, might not completely detect and mitigate the rising fileless IoT attacks. This paper leverages a recent innovation, firmware emulation, to enable a digital twin (DT) of a targeted actual IoT endpoint device and to realize an intelligent IoT endpoint detection and response (EDR) platform. The inbound traffic to the actual IoT endpoint device is mirrored to the DT in the platform, and a system-level monitoring module integrated into the softwarized DT provides deep IoT endpoint detection in ways that are not possible on physical IoT endpoint devices. Machine learning algorithms are proposed to identify malicious behavior from the system calls and network packets collected by the system-level and network-level monitors, and the suspicious packets containing the harmful commands are further determined. The EDR consequently updates the IDS rules so that traffic to the actual IoT endpoint device with the same malicious patterns is recognized and blocked, thereby achieving endpoint response. In the experiment, we emulate IoT endpoint devices with ARM, MIPS, and X86 architectures and realize Mirai malware and RCE attacks to validate the proposed EDR platform. With a 99.94% accuracy rate in attack determination, we believe that the proposed solution is feasible for the protection of IoT endpoint devices behind the edge. Such outcomes identify the secure functionalities that a DT using firmware emulation could offer in the IoT paradigm, thereby opening the door to innovative mechanisms to combat IoT attacks.
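The detection-and-response loop the abstract describes (mirror a request to the DT, collect the DT's system calls, classify them, tie a flagged trace back to the request that caused it, and push an IDS rule) can be illustrated end to end with a small Python model. This is an added example, not the thesis's code or dataset: the strace-style traces, HTTP requests, the 203.0.113.10 address, the `EXAMPLE_*` tokens, the nearest-centroid classifier over TF-IDF syscall vectors, and the Snort/Suricata rule template are all constructed or assumed here (the thesis's actual ML model and rule format are not given on this page).

```python
"""Illustrative EDR loop over a firmware-emulated digital twin (DT):
mirrored request + DT syscall trace -> TF-IDF syscall vector -> classifier
-> flagged request -> IDS rule.  Added example, not the thesis's code;
every trace, packet, IP address and command token below is constructed."""
import math
import re
from collections import Counter

# strace -f style prefix "[pid  NNN] name(" ; only the syscall name is used as a token.
SYSCALL_RE = re.compile(r"^\[pid\s+\d+\]\s+(\w+)\(")


def syscall_counts(trace_lines):
    """Bag-of-syscalls: count syscall names, ignoring lines that are not syscall entries."""
    counts = Counter()
    for line in trace_lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts


def tfidf(counts, doc_freq, n_docs):
    """TF-IDF vector with smoothed IDF (log((1+N)/(1+df)) + 1), as in common ML toolkits."""
    total = sum(counts.values()) or 1
    return {s: (n / total) * (math.log((1 + n_docs) / (1 + doc_freq.get(s, 0))) + 1)
            for s, n in counts.items()}


def cosine(a, b):
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class SyscallDetector:
    """Nearest-centroid classifier on TF-IDF syscall vectors: a minimal stand-in
    for the thesis's ML-based detector (assumption: the real model is richer)."""

    def __init__(self):
        self.doc_freq, self.n_docs, self.centroids = Counter(), 0, {}

    def fit(self, labeled_traces):
        docs = [(label, syscall_counts(t)) for label, t in labeled_traces]
        self.n_docs = len(docs)
        for _, c in docs:
            self.doc_freq.update(c.keys())
        for label, c in docs:  # summed vectors; cosine ignores scale, so no averaging needed
            cen = self.centroids.setdefault(label, Counter())
            for k, v in tfidf(c, self.doc_freq, self.n_docs).items():
                cen[k] += v
        return self

    def predict(self, trace_lines):
        vec = tfidf(syscall_counts(trace_lines), self.doc_freq, self.n_docs)
        return max(self.centroids, key=lambda lbl: cosine(vec, self.centroids[lbl]))


def ids_rule(request_payload, sid):
    """Snort/Suricata-style rule matching the request target that drove the flagged DT trace.
    Characters special inside content:"..." (backslash, quote, semicolon, pipe) are escaped."""
    target = request_payload.split("\r\n", 1)[0].split(" ")[1]
    for ch in ("\\", '"', ";", "|"):
        target = target.replace(ch, "\\" + ch)
    return ('alert tcp any any -> $HOME_NET 80 (msg:"IoT EDR: DT flagged request"; '
            f'flow:to_server,established; content:"{target}"; sid:{sid}; rev:1;)')


def respond(detector, window, first_sid=1000001):
    """window: (mirrored request, DT trace observed while serving it) pairs.
    Returns one IDS rule per request whose trace the detector labels malicious."""
    rules = []
    for payload, trace in window:
        if detector.predict(trace) == "malicious":
            rules.append(ids_rule(payload, first_sid + len(rules)))
    return rules


# ---- constructed sample data (not from the thesis) ----
BENIGN_TRACE = [  # httpd serving a static page
    '[pid  101] accept(3, NULL, NULL) = 4',
    '[pid  101] read(4, "GET /index.html ...", 4096) = 60',
    '[pid  101] open("/www/index.html", O_RDONLY) = 5',
    '[pid  101] read(5, "<html>...", 4096) = 300',
    '[pid  101] write(4, "HTTP/1.1 200 OK...", 360) = 360',
    '[pid  101] close(5) = 0',
    '[pid  101] close(4) = 0',
]
BENIGN_TRACE_2 = BENIGN_TRACE[:3] + ['[pid  101] stat("/www/index.html", {...}) = 0'] + BENIGN_TRACE[3:]
MALICIOUS_TRACE = [  # CGI handler spawns a shell that fetches, marks executable and runs a dropped file
    '[pid  101] accept(3, NULL, NULL) = 4',
    '[pid  101] read(4, "GET /cgi-bin/status?cmd=...", 4096) = 80',
    '[pid  101] clone(child_stack=NULL, flags=SIGCHLD) = 202',
    '[pid  202] execve("/bin/sh", [...], [...]) = 0',
    '[pid  202] socket(AF_INET, SOCK_STREAM, 0) = 5',
    '[pid  202] connect(5, {sin_addr=inet_addr("203.0.113.10")}, 16) = 0',
    '[pid  202] open("/tmp/EXAMPLE_DROPPED", O_WRONLY|O_CREAT, 0777) = 6',
    '[pid  202] chmod("/tmp/EXAMPLE_DROPPED", 0777) = 0',
    '[pid  202] execve("/tmp/EXAMPLE_DROPPED", [...], [...]) = 0',
]
BENIGN_TEST = BENIGN_TRACE + ['[pid  101] read(5, "", 4096) = 0']          # unseen benign variant
MALICIOUS_TEST = MALICIOUS_TRACE[:-1] + ['[pid  202] connect(5, {...}, 16) = 0']  # unseen malicious variant
BENIGN_REQ = "GET /index.html HTTP/1.1\r\nHost: device\r\n\r\n"
MALICIOUS_REQ = "GET /cgi-bin/status?cmd=EXAMPLE_INJECTED_CMD HTTP/1.1\r\nHost: device\r\n\r\n"


def build_detector():
    return SyscallDetector().fit([("benign", BENIGN_TRACE), ("benign", BENIGN_TRACE_2),
                                  ("malicious", MALICIOUS_TRACE)])


def run_pipeline():
    """Mirror two requests to the DT, classify their traces, emit rules for the flagged one."""
    return respond(build_detector(), [(BENIGN_REQ, BENIGN_TEST), (MALICIOUS_REQ, MALICIOUS_TEST)])


if __name__ == "__main__":
    for rule in run_pipeline():
        print(rule)
```

The rule keys on the request target rather than on the whole packet, which is what lets it block later traffic "with the same malicious patterns" from other sources; a production deployment would also want to rate-limit rule generation and review the generated `content:` strings, since a mis-labelled trace turns directly into a blocking rule in front of the real device.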

Table of contents:
  Chinese Abstract
  Abstract
  Table of Contents
  List of Tables
  List of Illustrations
  1 Introduction
  2 Related Work
    2.1 IoT Attacks
    2.2 IoT Network-Based Detector
    2.3 Digital Twin
    2.4 Firmware Rehosting for IoT Cybersecurity
      2.4.1 User Program Emulation
      2.4.2 Hardware in The Loop (HITL)
      2.4.3 Full System Emulation
  3 Methodology
    3.1 Rehosted Firmware in DT
    3.2 System-level Monitoring
      3.2.1 Strace
      3.2.2 Middle shell (Mshell)
      3.2.3 SystemTap
  4 Experiment
    4.1 Network Architecture and Procedures
    4.2 Endpoint Detection
      4.2.1 Raw Data Collection
      4.2.2 Feature Extraction and Pre-processing
      4.2.3 Verification and Analysis
  5 Evaluation
    5.1 Experimental Setup
    5.2 Attack Implementation
    5.3 Dataset
    5.4 Evaluation matrices
    5.5 Experimental Results
  6 Conclusion
  References


Full text available from 2027/03/22 (campus network)
Full text available from 2027/03/22 (off-campus network)
Full text available from 2027/03/22 (National Central Library: Taiwan Electronic Theses and Dissertations system)