The Internet of Things (IoT) service system has become an important part of the novel critical infrastructure in many countries. With the rapid development of the Internet, malware and attack technologies, malicious attacks on critical infrastructure around the world have increased significantly, and the impact and scope of security incidents continue to expand. Therefore, how to ensure that an open IoT service system runs in a secure and safe state has become a critical issue. In view of the characteristics of IoT service systems and their security and safety requirements, this thesis mainly studies a runtime monitoring solution based on virtualization, that is, a runtime guarantee for IoT service systems in which the runtime monitor is isolated from the target system. The thesis studies the key technologies of non-intrusive runtime monitoring and proposes an out-of-box runtime protection mechanism that exploits a variety of technologies, including runtime monitoring, virtual machine introspection (VMI), memory forensics, event fusion of multiple observations, and concurrent monitoring in an open adversary environment. The main innovations are as follows.

(1) A non-intrusive acquisition method for the IoT runtime state. In view of the shortcomings of log-based monitoring and code instrumentation, and the requirements of non-intrusive runtime monitoring, a runtime acquisition framework for the IoT service system is constructed and a stack-oriented method for runtime state acquisition is proposed. The method comprises an algorithm for the semantic reconstruction of C process-stack parameters, a bottom-up memory forensic method for the Java stack, and a memory acquisition technique for specified processes running in Docker. Experiments show that the runtime acquisition is real-time, dynamic and continuous, and that the forensic process is essentially transparent to the target system. The proposed method resolves the runtime state acquisition problem of non-intrusive runtime monitoring and further supports the application of memory forensics to electronic forensics, anomaly detection, runtime verification and other research.

(2) Non-intrusive runtime monitoring based on the out-of-box mechanism. In view of the problems of traditional host-based runtime monitoring, a non-intrusive runtime-monitoring protection framework based on the out-of-box mechanism is proposed by combining VMI technology with memory forensics. In the framework, the system execution traces are established by abstractly executing IoT system events and refining them with the inner states of the IoT services. Then an improved mandatory result automaton suitable for non-intrusive monitoring is constructed. On this basis, the safety attributes are verified on the IoT resource model, which guarantees that only events meeting the safety specifications are issued to the physical devices. The experimental results show that the method is effective and that the runtime monitor can provide a runtime guarantee for the IoT service system without modifying it.

(3) Trustworthiness estimation and concurrent property verification based on event fusion. Considering the uncertainty and inconsistency of events from different observations, a novel certainty measure scheme based on possibilistic logic is proposed to estimate the certainty of a service trace on a necessity-valued knowledge set by fusing events from multiple observations. For the verification of the safety attributes of physical devices in an open adversary environment, the IoT resource model and the inferring ability of the adversary are introduced and merged into the knowledge set. Then a concurrent and incremental property verification algorithm is proposed, in which the solution space is searched concurrently for real-time performance, with the criteria of minimizing breadth certainties and maximizing depth certainties in the model tree. Experiments validate the proposed method, which is effective and solves the uncertainty problem of multi-observation events and data in an open environment.
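The stack-oriented acquisition in contribution (1) starts from a memory dump of the target process taken from outside the guest. The following Python example is added here to illustrate the basic step such a method rests on; it is not the thesis's algorithm and reproduces none of its semantic reconstruction of C parameters. It constructs a small x86-64 stack region in which three frames are chained through their saved RBP values, walks the chain to recover return addresses, symbolizes them with a constructed symbol table, and reads one spilled argument slot under the assumed unoptimized layout where the callee stores its first argument at [rbp-8]. All addresses, symbol names and sizes are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

WORD = 8
STACK_BASE = 0x7FFD_0000_0000   # constructed: virtual address of byte 0 of the dumped region
STACK_SIZE = 0x100

# Constructed symbol table (function start -> (name, size)); a real tool reads it from ELF/DWARF
SYMBOLS: Dict[int, Tuple[str, int]] = {
    0x401100: ("handle_request", 0x60),
    0x401160: ("parse_header", 0x50),
    0x4011B0: ("main", 0x40),
}


def build_sample_stack() -> bytes:
    """Constructed x86-64 stack region: three frames chained through saved RBP."""
    buf = bytearray(STACK_SIZE)

    def put(off: int, val: int) -> None:
        struct.pack_into("<Q", buf, off, val)

    # parse_header's frame at +0x40: [rbp] = saved rbp of the caller, [rbp+8] = return address
    put(0x40 - WORD, 0x200)                 # assumed -O0 spill of the first argument (a length)
    put(0x40, STACK_BASE + 0x80)
    put(0x48, 0x401136)                     # returns into handle_request+0x36
    # handle_request's frame at +0x80
    put(0x80 - WORD, STACK_BASE + 0xF0)     # spilled pointer argument pointing into this region
    put(0x80, STACK_BASE + 0xC0)
    put(0x88, 0x4011D0)                     # returns into main+0x20
    # main's frame at +0xC0; a saved rbp of 0 marks the end of the chain
    put(0xC0 - WORD, 0x1)
    put(0xC0, 0x0)
    put(0xC8, 0x7F00_0000_1234)             # constructed return into startup code, no symbol
    return bytes(buf)


def symbolize(addr: int) -> Optional[str]:
    """Map a code address to 'function+0xoff' when it falls inside a known symbol."""
    for start, (name, size) in SYMBOLS.items():
        if start <= addr < start + size:
            return f"{name}+0x{addr - start:x}"
    return None


def read_qword(region: bytes, vaddr: int) -> int:
    off = vaddr - STACK_BASE
    if off < 0 or off + WORD > len(region):
        raise ValueError(f"address {vaddr:#x} outside captured region")
    return struct.unpack_from("<Q", region, off)[0]


def walk_frames(region: bytes, rbp: int, max_frames: int = 64) -> List[dict]:
    """Follow the saved-RBP chain; stop on loops, corruption or pointers leaving the dump."""
    frames: List[dict] = []
    seen = set()
    while rbp and len(frames) < max_frames:
        if rbp in seen or rbp < STACK_BASE or rbp + 2 * WORD > STACK_BASE + len(region):
            break   # never trust a frame pointer outside the captured region
        seen.add(rbp)
        saved_rbp = read_qword(region, rbp)
        ret = read_qword(region, rbp + WORD)
        frames.append({
            "frame": rbp,
            "return_address": ret,
            "caller": symbolize(ret),
            "spilled_arg0": read_qword(region, rbp - WORD) if rbp - WORD >= STACK_BASE else None,
        })
        if saved_rbp and saved_rbp <= rbp:
            break   # frames must move toward higher addresses; anything else is corruption
        rbp = saved_rbp
    return frames


if __name__ == "__main__":
    for f in walk_frames(build_sample_stack(), STACK_BASE + 0x40):
        print(f"frame {f['frame']:#x} -> ret {f['return_address']:#x} "
              f"({f['caller']}) arg0={f['spilled_arg0']:#x}")
```

The walk is deliberately defensive: a pointer that leaves the dump, repeats, or points to a lower address terminates the reconstruction instead of being followed, which is the behaviour a forensic tool needs on a process whose stack may have been corrupted.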
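Contribution (2) describes a monitor that abstractly executes each IoT event on a resource model, checks the safety attributes, and lets only conforming events reach the physical devices. The Python example below is added here to show that control loop in working form; it is not the thesis's framework and does not reproduce its improved mandatory result automaton, its resource model or its VMI trace collection. The resource model (a heater, a tank and a valve), the three safety predicates and the event stream are all constructed for the example; the "mandatory result" aspect is reduced to the rule that every event receives a decision and unsafe ones are suppressed while the model state stays unchanged.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed IoT resource model: device name -> attribute dict (this example's own, not the thesis's)
ResourceModel = Dict[str, Dict[str, object]]


@dataclass(frozen=True)
class Event:
    device: str
    action: str
    value: Optional[int] = None


# Safety attributes: predicates that must hold on the model after an event (constructed)
SAFETY_SPECS: Dict[str, Callable[[ResourceModel], bool]] = {
    "no_dry_heating":     lambda m: not m["heater"]["on"] or m["tank"]["level"] > 0,
    "setpoint_ceiling":   lambda m: m["heater"]["setpoint"] <= 90,
    "no_drain_while_hot": lambda m: not (m["heater"]["on"] and m["valve"]["open"]),
}


def abstract_execute(model: ResourceModel, ev: Event) -> ResourceModel:
    """Apply the event to a copy of the model; no physical device is touched here."""
    nxt = copy.deepcopy(model)
    dev = nxt[ev.device]
    if ev.action in ("on", "off"):
        dev["on"] = ev.action == "on"
    elif ev.action in ("open", "close"):
        dev["open"] = ev.action == "open"
    elif ev.action == "set":
        dev["setpoint"] = ev.value
    elif ev.action == "fill":
        dev["level"] = ev.value
    else:
        raise ValueError(f"unknown action {ev.action!r}")
    return nxt


@dataclass
class ResultMonitor:
    """Every event gets a verdict; unsafe events are suppressed and the model is not advanced."""
    model: ResourceModel
    issued: List[Event] = field(default_factory=list)
    suppressed: List[Tuple[Event, List[str]]] = field(default_factory=list)

    def step(self, ev: Event) -> Tuple[bool, List[str]]:
        candidate = abstract_execute(self.model, ev)
        violated = [name for name, holds in SAFETY_SPECS.items() if not holds(candidate)]
        if violated:
            self.suppressed.append((ev, violated))
            return False, violated
        self.model = candidate          # commit the abstract state, then the event may be issued
        self.issued.append(ev)
        return True, []


SAMPLE_TRACE: List[Event] = [        # constructed event stream as a gateway might emit it
    Event("heater", "on"),           # tank empty: suppressed (no_dry_heating)
    Event("tank", "fill", 10),
    Event("heater", "on"),           # now safe
    Event("valve", "open"),          # heating: suppressed (no_drain_while_hot)
    Event("heater", "set", 95),      # suppressed (setpoint_ceiling)
    Event("heater", "set", 80),
    Event("heater", "off"),
    Event("valve", "open"),          # safe once the heater is off
]


def run_trace(events: List[Event]) -> ResultMonitor:
    initial: ResourceModel = {
        "heater": {"on": False, "setpoint": 60},
        "tank":   {"level": 0},
        "valve":  {"open": False},
    }
    mon = ResultMonitor(initial)
    for ev in events:
        mon.step(ev)
    return mon


if __name__ == "__main__":
    mon = run_trace(SAMPLE_TRACE)
    for ev, why in mon.suppressed:
        print(f"suppressed {ev.device}.{ev.action}: {', '.join(why)}")
    print(f"issued {len(mon.issued)} of {len(SAMPLE_TRACE)} events")
```

Because the check runs on a copy of the model before anything is committed, a suppressed event leaves both the abstract state and the device untouched, which is what allows the monitor to sit outside the target system without modifying it.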
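Contribution (3) estimates the certainty of a service trace on a necessity-valued knowledge set built by fusing events from several observers. The Python example below is added to show the standard possibilistic-logic computations this rests on; it is not the thesis's certainty measure scheme and does not implement its verification algorithm or its breadth/depth search criteria. It restricts the knowledge set to weighted literals, fuses observers by taking the union of their bases, models a source the adversary could tamper with by capping its weights at a reliability value (possibilistic discounting), computes the inconsistency degree, and derives the certainty of a trace as the minimum necessity of its literals, discarding conclusions drowned by the inconsistency. The two observers, their weights and the reliability value are constructed for the example.

```python
from typing import Iterable, List, Tuple

# A weighted literal (atom, polarity, alpha): N(atom) >= alpha if polarity is True, else N(not atom) >= alpha
WeightedLiteral = Tuple[str, bool, float]
KnowledgeSet = List[WeightedLiteral]


def fuse_observations(sources: Iterable[KnowledgeSet]) -> KnowledgeSet:
    """Conjunctive fusion: the union of the observers' bases; every source's claim is kept."""
    fused: KnowledgeSet = []
    for src in sources:
        fused.extend(src)
    return fused


def discount(base: KnowledgeSet, reliability: float) -> KnowledgeSet:
    """Possibilistic discounting: a source with reliability r supports nothing above degree r."""
    return [(x, p, min(a, reliability)) for (x, p, a) in base]


def necessity(base: KnowledgeSet, atom: str, polarity: bool) -> float:
    """Necessity degree of a literal: the strongest weight attached to it in the base."""
    return max((a for (x, p, a) in base if x == atom and p == polarity), default=0.0)


def inconsistency_degree(base: KnowledgeSet) -> float:
    """Inc(Sigma) for a literal-only base: the largest weight at which some atom is asserted both ways."""
    atoms = {x for (x, _, _) in base}
    return max((min(necessity(base, a, True), necessity(base, a, False)) for a in atoms), default=0.0)


def trace_certainty(base: KnowledgeSet, trace: List[Tuple[str, bool]]) -> float:
    """Certainty that the whole trace holds: N of a conjunction is the min over its literals,
    and a conclusion whose weight does not exceed Inc(Sigma) is drowned, i.e. not supported."""
    inc = inconsistency_degree(base)
    cert = min((necessity(base, a, p) for (a, p) in trace), default=1.0)
    return cert if cert > inc else 0.0


# Constructed observations. The gateway log lives on the device side, so it is assumed tamperable
# and discounted to reliability 0.6; the VMI view is taken from outside the guest and kept as is.
GATEWAY_LOG: KnowledgeSet = [("heater_on", True, 0.9), ("valve_open", False, 0.7)]
VMI_VIEW: KnowledgeSet = [("heater_on", True, 0.8), ("valve_open", True, 0.3), ("tank_filled", True, 0.5)]
GATEWAY_RELIABILITY = 0.6


def fused_knowledge() -> KnowledgeSet:
    return fuse_observations([discount(GATEWAY_LOG, GATEWAY_RELIABILITY), VMI_VIEW])


if __name__ == "__main__":
    kb = fused_knowledge()
    print(f"Inc(Sigma) = {inconsistency_degree(kb)}")
    for trace in ([("heater_on", True), ("tank_filled", True)],
                  [("heater_on", True), ("valve_open", True)],
                  [("valve_open", False)]):
        print(f"{trace}: certainty {trace_certainty(kb, trace)}")
```

In the constructed data the two observers disagree on the valve at degrees 0.6 and 0.3, so the inconsistency degree is 0.3 and any trace that relies on the weaker "valve open" report gets certainty 0, while traces supported above that level keep their minimum weight.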