**5. Real-world use case: methodology and results**

Vezeshari is a poultry and eggs farm from Zhelino, North Macedonia. They have chosen Xively (software by LogMeIn) for their needs and working processes, as well as the Xively IoT platform. With it, they can monitor the internal air temperature, air humidity, CO2 amount, and water nutrient level, and also get a history of security alerts (**Figure 5**). Security, scalability, and expertise were important deciding factors, and by choosing an IoT solution, Vezeshari can now handle the entire network of connections. They also have an overview of and support for different scenarios, while getting guidance and advice from professionals (Xively).

By getting secure, reliable, and fast access, Vezeshari's maintenance team can now excel in other areas of the farm and overall business:

• Vezeshari employees have insight into day-to-day farm activities that gives them the ability to proactively meet customer needs, while also growing their business by selling consumables that are needed quickly based on farm usage.

*Methods for Detection and Prevention of Vulnerabilities in the IoT (Internet of Things) Systems DOI: http://dx.doi.org/10.5772/intechopen.113898*

#### **Figure 5.**

*Chicken farm application—allows monitoring of internal air temperature, air humidity, CO2 amount, water nutrient level, as well as a history of alerts (presented graphically).*

Today, the entire Vezeshari working process is supported by state-of-the-art systems for detection and prevention of attacks that are updated and optimized daily. Thus, they achieve protection that is reliable even against the biggest threats and attacks on the system. The attack detection and prevention systems are composed of various antivirus and antispyware software, as well as the latest versions of firewalls. Other methods with an increased level of security and data encryption, such as protecting the smartphone and tablet applications themselves through various types of generated passwords, are used so that the detection and prevention systems can successfully recognize and prevent attacks on the systems.

To test the resilience of Vezeshari's network, we implemented a signature-based IDS (intrusion detection system). We used Snort, an open-source signature-based IDS, and set up its rules to detect the following four types of attacks:

• dynamic login attempts

• XML injection attacks

• SQL injection attacks

• firmware (command) injection attacks
To test our IDS, we invited ethical hackers from several countries (Hungary, Israel, France, USA, Netherlands) *via* forums and mailing lists (56 participants in total). The attackers utilized code injections that targeted the wireless layer of the IoT system. The wireless frames from the different Wi-Fi components of the IoT system are prone to these attacks, so we tested injection attacks at these points. The ethical hackers conducted orchestrated attack attempts from multiple locations.

We installed and configured the Snort software in accordance with [17]. We opened the extracted `snortrules` folder, navigated to its `etc` subfolder, copied the `snort.conf` file and pasted it into the `C:\Snort\etc` folder. Next, we moved the `so_rules` and `preproc_rules` folders to the `C:\Snort` directory.

We entered and enabled the rule set before launching Snort; for instance, we enabled the ICMP rules so that Snort can detect any ping probes of the system while running. As an example, a rule to detect a suspicious TCP intrusion (an access rule) has the form:

```
alert tcp any any -> any any (msg:"Suspicious User-Agent detected"; flow:to_server,established; content:"User-Agent|3a| "; nocase; content:"curl|2f|"; nocase; sid:1000002; rev:1;)
```
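To make explicit what the rule above actually checks, the following added example (our illustration, not code from the chapter and not part of Snort) implements a minimal matcher for the `content` and `nocase` options of a Snort rule and runs it over constructed HTTP client requests. Every `content:` pattern must appear in the payload, `|xx|` hex escapes are decoded to bytes, and `nocase` makes the preceding pattern case-insensitive. Snort's real engine does far more (protocol and port matching, flow tracking, relative modifiers such as `distance`/`within`); only the content-matching core is reproduced here, and the sample requests are constructed, not captured traffic.

```python
"""Minimal matcher for the content/nocase options of a Snort rule (added
example, not Snort's own code). Rule text taken from the chapter."""
import re

# The rule quoted in the chapter (line break repaired, otherwise verbatim).
RULE = ('alert tcp any any -> any any (msg:"Suspicious User-Agent detected"; '
        'flow:to_server,established; content:"User-Agent|3a| "; nocase; '
        'content:"curl|2f|"; nocase; sid:1000002; rev:1;)')


def decode_content(raw: str) -> bytes:
    """Turn a Snort content string into bytes, expanding |..| hex escapes."""
    out = bytearray()
    for piece in re.split(r'(\|[0-9A-Fa-f ]+\|)', raw):
        if piece.startswith('|') and piece.endswith('|'):
            out += bytes.fromhex(piece[1:-1])      # "|3a|" -> b':'
        else:
            out += piece.encode('latin-1')
    return bytes(out)


def parse_rule(rule: str):
    """Return (msg, sid, [(pattern_bytes, nocase), ...]) from one rule line.
    Simplification: options are split on ';', so patterns containing ';'
    would need the real Snort parser."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    options = [o.strip() for o in body.split(';') if o.strip()]
    msg, sid, contents = '', None, []
    for opt in options:
        key, _, value = opt.partition(':')
        if key == 'msg':
            msg = value.strip('"')
        elif key == 'sid':
            sid = int(value)
        elif key == 'content':
            contents.append([decode_content(value.strip('"')), False])
        elif key == 'nocase' and contents:
            contents[-1][1] = True   # nocase modifies the preceding content
    return msg, sid, [tuple(c) for c in contents]


def matches(payload: bytes, contents) -> bool:
    """All patterns must be present; without distance/within modifiers each
    content search is independent of the others."""
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


def run_rule(rule: str, payloads):
    """Return the list of (payload_index, msg, sid) alerts the rule raises."""
    msg, sid, contents = parse_rule(rule)
    return [(i, msg, sid) for i, p in enumerate(payloads) if matches(p, contents)]


# Constructed sample client requests to the farm gateway (not captured data).
PAYLOADS = [
    b"GET /api/sensors HTTP/1.1\r\nHost: farm.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /api/sensors HTTP/1.1\r\nHost: farm.example\r\nUser-Agent: curl/8.4.0\r\n\r\n",
    b"GET /api/sensors HTTP/1.1\r\nHost: farm.example\r\nuser-agent: CURL/7.88.1\r\n\r\n",
    b"POST /api/login HTTP/1.1\r\nHost: farm.example\r\nUser-Agent: Python-urllib/3.11\r\n\r\n",
]

if __name__ == '__main__':
    for idx, msg, sid in run_rule(RULE, PAYLOADS):
        print(f"[sid:{sid}] {msg} (payload #{idx})")
```

Running the block raises alerts for payloads 1 and 2 only: payload 0 carries the header but not the `curl/` product token, payload 3 uses a different client, and payload 2 shows why `nocase` matters, since a purely case-sensitive search would miss the upper-case header and product name.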

The Snort software was operating in real time, and the results of the intrusion detection testing are presented in the following table (**Table 2**).

As we can see from the table, our IDS was able to successfully detect and alert on the attack attempts in most of the cases (over 80%). Our system was most successful for the firmware command injection attacks (95.3%) and least successful for the XML injection attacks. The rate of success varies between attack types because of the differing ability to hide the harmful code within legitimate IP packets: Snort rules can more easily detect harmful code within firmware commands than within XML code.

The results indicate that our IDS for detection and prevention of attacks should be updated and optimized weekly, in order to achieve reliable and robust protection even against the most current threats and attacks, especially for this new IoT technology.

Of course, our approach (the use of signature-based detection and Snort) has potential limitations, such as the following:



#### **Table 2.**

*Detection rate of four different types of attacks.*



To overcome these limitations, we plan to extend our IDS by implementing anomaly-based detection such as the one elaborated in [10] by Tacker et al.; we discuss this possibility in the last section of this paper (future work).

## **6. Conclusion and future work**

The Internet of Things, which is also called the fourth industrial revolution, truly deserves that name. The tendency of IoT is to connect all disconnected devices. Today, life without the Internet of Things is unimaginable. Numerous devices, from households (air conditioners, lighting, video surveillance) to practically all industries (agriculture, healthcare, finance, energy, the automotive industry, etc.), are interconnected, integrated and share data in real time with the help of the network of all networks, the Internet, in order to improve the quality of life and increase economic growth.

But there is also a real danger that these devices will be exposed to cyber-attacks and that the confidentiality, integrity, and availability of data will come into question. IoT devices generate a large amount of data; therefore, the question of the security of these devices and of the entire IoT ecosystem arises, as well as the question of privacy.

Of course, as for everything else, it is necessary to carry out a risk assessment: identifying the resource, the vulnerabilities of the resource itself, the possible threats that can exploit those vulnerabilities and, in the case of an attack, the consequences that the attack could cause. Practice has shown that IoT devices are vulnerable for several reasons, stemming from the very physical characteristics of the devices: they are small in size, mostly untested for safety before use, low in price, and low in energy consumption. It is this sensor layer that is most at risk, in contrast to the access, network and application layers, where the risk is mostly assessed as low to medium.

IoT technologies are also not yet matched by legislation; only in the last two to three years have societies recognized the problem, become aware of the risks and started the process of establishing a legislative and standardization framework that will regulate the IoT area.

The only way to stop attacks is to know the techniques used to attack. Therefore, organizations' security systems will need to adopt the most robust model or mechanism that provides the strongest protection against threats, to ensure that the system remains secure. An attack detection and prevention system (IDS/IPS) ensures that attacks are detected and prevented using multiple approaches. Active attack detection and prevention systems aim to limit the damage that attackers can cause by building a local network that is resistant to the relevant attack or threat.

In the last section of the paper, we presented a real-world use case (a poultry farm) that has acquired an IoT solution (Xively) and is now able to monitor the internal air temperature, air humidity, CO2 amount, water nutrient level, and get a history of security alerts that now can be controlled. At Vezeshari, we have implemented an open-source IDS in Snort to detect four types of IoT attacks: dynamic login attempts, XML injection attacks, SQL injection attacks, and Firmware (command) injection attacks. All of these attacks utilize code injections that target the wireless layer of the IoT system. The wireless frames from different Wi-Fi components of the IoT system are prone to these attacks, so we tested injection attacks at these points.

To test our IDS, we invited ethical hackers from multiple countries who conducted orchestrated attack attempts. In most of the cases (over 80%) our IDS was able to detect and alert on the attack attempts; the results are presented in Section 5. The rate of success varies between attack types because of the differing ability to hide the harmful code within legitimate IP packets. Therefore, our system for detection and prevention of attacks should be updated and optimized weekly, to achieve reliable and robust protection even against the biggest threats and attacks on the system, especially in a new branch of technology such as the Internet of Things.

In future work, we plan to extend our IDS by implementing anomaly-based detection, i.e. by utilizing machine learning techniques. Anomaly-based IDSs require larger processing resources, but they are superior in the detection of new, previously unknown threats. They are also adaptive and dynamic, as they can learn from the network behavior and update the baseline accordingly. There are eight methods for detecting traffic anomalies in real-time data, namely: projection-based methods, regression-based methods, support vector machines, decision tree–based methods, density-based methods, clustering, distance-based methods, and time series–based methods.

We plan to apply support vector machines [18] and decision trees [19]. Both of these machine learning methods are based on training the detector (the IDS), which will learn and be able to detect the real anomalies (intrusions). In the testing phase, a new data set will be used to develop the system's capacity to generalize to previously unseen intrusions. The Support Vector Machine (SVM) method is a classification approach where support vectors form the boundaries of a class. In detecting anomalies, a single-class SVM will be used to define a normal class, and points that are outside the class boundaries can be defined as anomalies. Tree-based methods create a tree structure from the data, where the tree will be updated with new data; if new data causes significant changes in the tree structure, the model needs to be re-trained.
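The workflow that the two preceding paragraphs describe (learn a baseline of normal traffic, score new observations by how far they fall from it, and update the baseline as normal traffic is observed) is shared by all eight anomaly-detection families listed above. The following added example (our illustration, not code from the chapter and not the authors' planned SVM or decision-tree detector) shows that workflow with the simplest member of the family, a distance-based detector that standardises per-window traffic features against a learned mean and standard deviation. The feature vectors (packets per second, mean payload bytes, distinct destination ports per window) and their values are constructed, not measured at the farm, and the threshold of three standard deviations is an assumption chosen for the illustration.

```python
"""Distance-based traffic anomaly detector with an adaptive baseline
(added example; constructed data, not measurements from the use case)."""
from statistics import mean, pstdev

# One window = (packets per second, mean payload bytes, distinct destination ports).
# Constructed "normal" sensor-gateway traffic used to learn the initial baseline.
TRAINING_WINDOWS = [
    (12.0, 180.0, 2), (11.0, 175.0, 2), (13.0, 190.0, 3), (12.5, 182.0, 2),
    (11.5, 178.0, 2), (12.0, 185.0, 3), (13.5, 188.0, 2), (12.0, 181.0, 2),
]


class BaselineDetector:
    """Flags a window when its Euclidean distance from the baseline, measured
    in per-feature standard deviations (z-scores), exceeds a threshold."""

    def __init__(self, windows, threshold=3.0):
        self.threshold = threshold          # assumed cut-off, in standard deviations
        self.history = list(windows)        # windows accepted as normal so far
        self._refit()

    def _refit(self):
        """Recompute the per-feature mean and population std from history."""
        cols = list(zip(*self.history))
        self.mu = [mean(c) for c in cols]
        # A constant feature would give std 0; guard against division by zero.
        self.sigma = [pstdev(c) or 1e-9 for c in cols]

    def score(self, window):
        """Distance of a window from the baseline in standardised feature space."""
        return sum(((x - m) / s) ** 2
                   for x, m, s in zip(window, self.mu, self.sigma)) ** 0.5

    def observe(self, window):
        """Return (is_anomaly, score). Windows judged normal extend the
        baseline, which is what makes the detector adaptive; anomalous
        windows are deliberately kept out so they cannot poison it."""
        d = self.score(window)
        if d > self.threshold:
            return True, d
        self.history.append(window)
        self._refit()
        return False, d


def run_demo():
    """Score a few constructed windows: one normal, one flood-like burst of
    small packets to many ports, one with abnormally large payloads."""
    detector = BaselineDetector(TRAINING_WINDOWS)
    windows = [(12.0, 183.0, 2), (400.0, 60.0, 40), (12.0, 1500.0, 2)]
    results = []
    for w in windows:
        flagged, d = detector.observe(w)
        results.append((w, flagged, round(d, 2)))
    return results


if __name__ == '__main__':
    for window, flagged, d in run_demo():
        print(f"{window}: {'ANOMALY' if flagged else 'normal':7s} distance={d}")
```

The first window is absorbed into the baseline; the burst and the oversized-payload windows are flagged and left out of it. A one-class SVM or a decision tree replaces the z-score distance with a learned boundary but is trained, scored and refreshed in the same three steps, and the re-training trigger the text mentions for trees corresponds here to the `_refit()` call after each accepted window.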

The field of IoT security is a contemporary and dynamic field of research. The broader significance of our research is that we implemented a cost-effective IDS in a real poultry farm. Our findings presented in this paper illustrate an IDS that is affordable and easy to implement in many small and medium businesses. We showed that an IoT system should not be put into operation without providing for its security. Our system is able to detect multiple threats, including DoS (denial of service) and malware (virus attacks). Our ultimate goal is to develop an autonomous IDS and apply state-of-the-art techniques of machine learning and deep learning that can learn from big IoT data. In addition, such a future IoT IDS would have features such as self-configuration, self-optimization, self-protection, and self-healing.

