
Source: https://www.researchgate.net/publication/341665001

An In-Depth Analysis of IoT Security Requirements, Challenges and their Countermeasures via Software Defined Security

Article in IEEE Internet of Things Journal · May 2020
DOI: 10.1109/JIOT.2020.2997651

5 authors, including Waseem Iqbal and Haider Abbas (National University of Sciences and Technology).

All content following this page was uploaded by Waseem Iqbal on 03 June 2020.


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.2997651, IEEE Internet of Things Journal

An In-Depth Analysis of IoT Security Requirements, Challenges and their Countermeasures via Software Defined Security

Waseem Iqbal, Haider Abbas*, Mahmoud Daneshmand, Bilal Rauf, Yawar Abbas

Abstract—The Internet of Things (IoT) is transforming everyone's life by provisioning features such as controlling and monitoring of the connected smart objects. IoT applications scale from smart cities, homes, cars, manufacturing and e-healthcare to smart control systems, transportation, wearables, farming and much more. The adoption of these devices is growing exponentially, which generates a substantial amount of data for processing and analysis. Thus, alongside bringing ease to human lives, these devices are susceptible to different threats and security challenges, which not only worry users about adopting them in sensitive environments such as e-health and smart homes, but also pose a hazard to the growth of IoT in the coming days. Hence, this paper thoroughly reviews the threats, security requirements, challenges and attack vectors pertinent to IoT networks. Based on the gap analysis, we then draw attention to a network-based deployment of IoT architecture through Software Defined Networking (SDN), an emerging paradigm for next-generation networks. This paper endeavours to present an overview of SDN along with a thorough discussion of SDN-based IoT deployment models, i.e., centralized and decentralized. We further elaborate SDN-based IoT security solutions to present a comprehensive overview of Software Defined Security (SDSec) technology. Furthermore, based on the literature, core issues are highlighted that are the main hurdles in unifying all IoT stakeholders on one platform, along with a few findings that emphasize a network-based security solution for the IoT paradigm. Finally, the paper also highlights some future research directions for SDN-based IoT security technologies.

Index terms— IoT security, Software Defined Networking (SDN), SDN-IoT, Software Defined Security, SDSec

Waseem Iqbal and Haider Abbas are with the Department of Information Security, National University of Sciences and Technology (NUST), Islamabad 44000, Pakistan (e-mail: waseem.iqbal, haider@mcs.edu.pk).
Mahmoud Daneshmand is with the School of Engineering and Science, Stevens Institute of Technology, Hoboken, NJ 07030 USA (e-mail: Mahmoud.Daneshmand@stevens.edu).
Bilal Rauf and Yawar Abbas are with the Department of Information Security, National University of Sciences and Technology (NUST), Islamabad 44000, Pakistan (e-mail: bilalrauf, yawar@mcs.edu.pk).
*Corresponding author: Haider Abbas (haiderabbas-mcs@nust.edu.pk)
Copyright (c) 20xx IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to pubs-permissions@ieee.org

I. INTRODUCTION

Internet and web expansion into physical reality was made possible through various aspects which come under the umbrella of the widely used term Internet-of-Things or IoT, which is an evolving topic of economic, social and technical importance [1]. The growth of advanced enabling technologies such as cloud computing, data analytics, IP-based networking, ubiquitous computing etc. has brought IoT into reality; otherwise, the trend of controlling devices by combining sensors, computers and networks has been in use for decades [2]. The term Internet of Things was first introduced by Kevin Ashton in 1999 [3], while talking of a global network of objects connected to RFID in a supply chain application. Since then, IoT has extended to new application areas, and a plethora of new technologies has emerged in the IoT domain, such as industry, agriculture, animal farming, transport, healthcare, smart homes, smart retail, supply chain, smart wearables and smart security etc. Network of Things or NoT is often used interchangeably with IoT [4].

According to the world's well-known research and advisory firm Gartner, by the end of 2020, 25 billion devices will be connected to the internet and will have the ability to analyze the data they use and make smart decisions in an autonomous way [5]. However, making computers/devices/nodes capable of gathering, processing and decision making with no or minimal human input remains the objective of IoT [6]. Building blocks for IoT are not formally defined, but their operation can be defined in terms of sensors, computation, communication and actuators, which produce data to gain knowledge and make intelligent decisions [7].

It is the data produced by these sensors that has caused the convergence of different fields like computer science, software engineering, sensing, networking, artificial intelligence and communication. Smarter systems are the products envisioned due to the rapid progress of IoT. The diversity of the IoT environment and the exponential progress resulting from immense research have indeed led to the lack of a standardized definition and standardization of IoT [2].

More than 85% of organizations in the world will be leveraging IoT devices in different ways according to [8], and about 90% of these enterprises are not certain about the security of their IoT devices. Likewise, J. Steinberg et al. in [9] state that many smart home devices can spy on inhabitants in their own homes. A study carried out by HP [10] found that 70% of IoT devices are susceptible to various attacks when connected to the internet. Furthermore, the industries newly shifted to IoT, like power, transportation, chemical, clean water and sewerage control systems, pose elevated security risks [11], [12]. Attacks on industrial systems are a reality and not just a threat anymore, as more than 60,000 vulnerabilities that can give complete control of compromised systems were found by two Russian security researchers [13]. Moreover, 25% of enterprise attacks will be due to compromised IoT devices by the end of 2020 [14].

2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: NUST School of Electrical Engineering and Computer Science (SEECS). Downloaded on June 03,2020 at 08:40:29 UTC from IEEE Xplore. Restrictions apply.

A huge amount of data is produced by these devices, such as in the year 2018 (6.2 Exabyte), which is estimated to increase by 478% (30.6 Exabyte) by the end of 2020 [15]. This alarming projected rise of 478% in data generation calls for an intelligent network control and management solution. Many solutions were put forward to resolve existing issues in the IoT paradigm; however, the traditional network is not capable of handling such an enormous number of connected devices and such huge data manipulation. Software Defined Networking (SDN) is considered a revolutionary network technology that supports heterogeneous networking with rapid evolution and dynamism using programmable planes (control and data plane). SDN and IoT integration can meet the expectations of control and management in diverse scenarios [16], [17].

A. Motivation and Related Work

To the best of our knowledge, until now many research, review and survey papers have been published on IoT security issues and the adoption of the new networking paradigm Software Defined Networking (SDN) for the deployment of IoT networks [18]–[24]. However, the available literature does not provide complete insight into IoT security and into leveraging SDN in its true essence to overcome the security issues in the IoT environment. Table I shows a detailed assessment of the existing work to date. It can be seen from the table that researchers focus on a few elements and do not concentrate on others to provide a complete picture. For example, F. I. Khan et al. in [20] refer to the identification and categorization of a limited set of generic security issues in IoT and outline possible future research in the area, without providing the outline of a complete security model for IoT security. Likewise, N. Bizanis et al. in [21] outlined how SDN and Network Function Virtualization (NFV) can be combined in wireless sensor networks, specifically focusing on 5G. Some generic SDN-NFV enabled IoT architectures along with use-cases are discussed by the authors, without highlighting the security aspects of IoT or provisioning any software defined secure model for the purpose. Similarly, the work presented in [22] highlights the gap between academic researchers and commercial vendors who have incorporated Machine Learning (ML) in SDN for augmenting the security features of IoT and other networks. Furthermore, the authors also provided a few recommendations which they believe will help solution designers and researchers in building their products if adopted in the early phase of the design.

O. Salman et al. in [23] discussed the security and privacy concerns in IoT, emphasizing some open research problems. The article broadly covers some of the generalized threats, including scalability and management complications, heterogeneity and interoperability issues, and handling big data with security and privacy apprehensions. The authors then highlight the need for the convergence of SDN-NFV, fog computing and 5G-based wireless sensor networks for enabling a secure IoT evolution. To address data transfer in a heterogeneous IoT environment, Y. Liu et al. in [18] presented a middlebox-guard (M-G), which is an SDN-based data transfer security model with the main aim of minimizing network latency and accurately managing data flows between different networks to ensure data transfer security. In a similar attempt at leveraging SDN in the IoT environment for providing security as a service, M. Conti et al. in [19] proposed the CENSOR architecture, which is a lightweight and mountable remote software attestation scheme for maintaining the integrity of the software of IoT devices being used for specific purposes.

In another effort to identify generic and layer-wise threats in IoT, a tremendous effort is put forward by I. Makhdoom et al. in [24]. The researchers' main emphasis in the survey article is to concretely define the structure of malware attacks on the IoT ecosystem. In addition, they also presented the attack methodology of various successful malware attacks and highlighted the Distributed Denial of Service (DDoS) strategy via IoT botnets. Some open research challenges are also featured in the survey. Though sufficient research has been conducted on security issues related to IoT, including an overview of technology-shift solutions for the deployment of IoT and of security efforts through these new network paradigms like SDN and NFV can demonstrate a clear picture of IoT security and its countermeasures through SDN.

B. Contribution of the Paper

Based on the extensive study of the available literature and to the best of our knowledge, this is the first effort of its kind that reviews IoT security in depth and highlights an SDN-based network security solution for IoT. To fill the gap in the current literature highlighted in Table I, the main endeavors of this article can be summed up as threefold.

• The first half presents a comprehensive overview of the characteristics of IoT security. The paper advances rationally by presenting a generic IoT architecture followed by the IoT protocol stack and the corresponding security challenges at various layers of IoT networks. Specific IoT data, communication and end-to-end application-related security threats and vulnerabilities, alongside some generic threats, are also explained further. The readers are also acquainted with the security requirements and challenges of various IoT application domains.

• Keeping in view the limitations of the traditional network, we did the gap analysis and emphasized network-based security solutions for IoT systems. SDN's diverse properties, like scalability, programmability, global visibility and manageability, can overcome the constraints of the conventional network. We then give the readers a generic and elaborated overview of the SDN architecture, to provide complete insight into the new technology. Furthermore, SDN-based deployment models of IoT systems are discussed. To differentiate our work from that of other researchers, we present Software Defined Security (SDSec) based IoT models, to the best of our knowledge, alongside highlighting the available commercial products as well.

• Finally, the last effort generates a discussion that provides the summary of IoT security and the findings we came across in this research, and emphasizes the issues that are the main reason for the lack of a standardized security framework. Finally, we conclude with open research challenges.


TABLE I: A comprehensive overview of IoT security, its deployment based on SDN, and how SDN and machine learning are augmented to address different threats. Each research work is assessed against ten aspects: (1) elaborated overview of IoT security requirements and challenges; (2) generic and specific threats; (3) IoT application areas; (4) real-world IoT attack examples; (5) gap analysis and way forward; (6) introduction to Software Defined Networking and the importance of its usage in IoT; (7) deployment of IoT via SDN; (8) Software Defined Security approaches for IoT; (9) machine learning for securing SDN-IoT; (10) open research challenges. √ = covered, X = not covered.

F. I. Khan et al.: (2) discussed only five security threats to IoT; (10) √; all other aspects X.

N. Bizanis et al.: (5) generalized recommendations for leveraging SDN in IoT networks; (6) introduction to SDN is given in a generic manner and its use for WSN-based IoT is highlighted only; (7) √; (10) generic; all other aspects X.

T. N. Nguyen et al.: (5) √; (8) and (9) covered, with emphasis on machine learning based general security models; all other aspects X.

O. Salman et al.: (2) broadly covers identity management, authentication, access controls and privacy; (6) a few SDN-NFV based architectures are discussed; (7) 2-3 architectures are discussed only; (10) √; all other aspects X.

Y. Liu et al.: (2) data transfer security only; (8) a Middle Box Guard is introduced to safeguard data transfer only; all other aspects X.

M. Conti et al.: (2) IoT device remote attestation only; (6) √; (8) an SDN-cloud based secure IoT architecture, CENSOR, is proposed for remote software attestation of IoT devices; (10) √; all other aspects X.

I. Makhdoom et al.: (1)–(5) √; (6) just identified SDN as a potential approach for providing security to IoT, the work being focused on blockchain technology; (10) √; all other aspects X.
C. Taxonomy of the paper

The rest of the paper is structured as follows: Section 2 presents the detailed IoT architecture, followed by the generic security threats, the challenges related to data, communication and end applications, and different IoT applications' security requirements and challenges in Section 3, whereas Section 4 highlights the identified gaps and the need for a network-based solution for IoT security. Section 5 uncovers the SDN paradigm and SDN-based IoT deployments along with SDSec solutions for SDN-IoT. The discussion, findings and main issues identified in the available literature on IoT security and SDN-based IoT deployment models are given in Section 6. Section 7 highlights the open research challenges, and the last Section 8 concludes the paper, as depicted in Fig. 1.

II. IOT ARCHITECTURE

Different IoT applications like smart grid, healthcare, transportation system, city, supply chain, farming, retail, wearables, environment, manufacturing, home, security, and emergencies are generally referred to as IoT systems. The IoT ecosystem aims at referring to all IoT applications as mentioned above. The IoT architecture is composed of various Things, including sensors, actuators, gateways, protocols, cloud services, network and application servers, which are arranged in different topologies to communicate with each other.

Currently, the world is facing problems like manageability, compatibility and interoperability in IoT solutions because of deficiencies in steadiness and standardization [25]. Similarly, a varying IoT layered protocol stack and architecture was observed in the literature review by the work presented in


[Fig. 1 image: outline of the paper as a tree.]
Section 1. Introduction: Motivation and Related Work; Contribution of the Paper; Taxonomy of the Paper
Section 2. Internet of Things: Architecture; Traditional Network vs IoT Network
Section 3. IoT Security Threats and Challenges: Generic Threats; Architecture Layer Wise Threats (Physical/Perception Layer, MAC/Adaptation/Network Layer, Application Layer); IoT Applications Security Requirements and Challenges (Data Related Security, Communication Related Security, End-Applications Security Challenges)
Section 4. Gap Identification and Analysis: Need for Standard and Secure IoT Framework: Network Level Security Approach for IoT; Necessity of SDN based IoT Environment
Section 5. Software Defined Network: SDN Architecture; SDN-IoT Deployment Models; SDN Based Secure IoT Frameworks; Security Mechanism/Frameworks for SDN-IoT
Section 6. Discussion, Findings and Issues Identified
Section 7. Open Research Challenges
Section 8. Conclusion

Fig. 1: Organization of the paper: A top down approach is used to encompass IoT security, SDN for IoT security, and future work.

[26]–[30]. For example, IoT layers were stated with minor detail of basic functionality and protocols by S. A. Kumar et al. in [26]. Likewise, communication protocols at different IoT layers were discussed by [27], while A. Al-Fuqaha et al. in [28] put together the key components and technologies that form an IoT system. The major stakeholders have not agreed on a sole IoT reference model due to non-uniformity and the lack of standardization [28]. To trim down this non-uniformity, we present a generic IoT architecture in Fig. 2, and a generalized layered IoT protocol stack is shown in Fig. 3.

In an IoT ecosystem, different nodes like sensors, actuators and wearable devices are connected to gateways through IoT network communication protocols like NFC, BLE, RFID, 802.15.4e, 6LoWPAN, Ant, Z-Wave, ZigBee, Wifi, EnOcean, Miwi, DigiMesh and WirelessHART. Further, the gateways are linked to network or application servers using LoRaWAN, SigFox, LTE, GSM, Dash-7 and OFC etc. The servers are usually placed in the cloud for provisioning numerous data analytical services to users and public/private organizations, including third-party users and applications. After data aggregation and processing, the raw data is turned into constructive information in the form of e-healthcare records and statistics, weather/environmental and other updates regarding smart city services, autonomous smart home services, business analytics and support information, industrial automation, smart farming/environment monitoring and smart gadgets.

In a generic IoT protocol stack, Things like sensors and actuators belong to the first layer, the Physical/Perception layer. The main task of this layer is to perceive environmental data and collect it [31]. In addition, modulation/demodulation, encryption/decryption, frequency selection, data transmission and reception are added tasks of the physical/perception layer. Energy utilization, security and interoperability are some of the challenges faced by this layer [32]. Receiving data from sensing objects and passing it to the application layer for processing, smart services and analytics are the responsibilities of the second layer, i.e., the Adaptation/Network layer. Network availability, scalability, power utilization and security are some issues that confront the network layer [32]. The Application/Service layer is the third layer, as shown in Fig. 3. This layer presents smart services to the end users. It also supplies processed and aggregated data to the upper layer, that is, the semantic layer. Some of the challenges faced by this layer are handling the data received from various sensors, management and storage of data, privacy and security of user data, and compliance with governmental and industrial regulation like the Health Insurance Portability and Accountability Act (HIPAA) and the Personal Information Protection and Electronic Documents Act (PIPEDA). The last layer in the IoT protocol stack is the semantic layer, which is known as the business management layer. All of the IoT system's activities are managed by this layer. It uses different technologies to provide services such as visualization engines, data mining, business intelligence, data analysis, smart decision-making and marketing sales/support. Various differing features between IoT and traditional networks are discussed in the following subsection.

A. Traditional Network vs IoT Network

The resourcefulness of the end devices is the substantial difference between standard networks and IoT [33]. Resource-constrained devices like sensor nodes and RFID tags/readers are usually used in IoT systems. These devices mostly operate on low power, and have limited memory, computing power and storage


[Fig. 2 image: from right to left, Things (sensors, actuators, wearables) connect to Gateways over NFC, BLE, Ant, RFID, Z-Wave, Wifi, EnOcean, Zigbee and 802.15.4e; the Gateways reach the Internet over LTE, LoRaWAN, Symphony, Dash-7, SIGFOX and GSM; the Cloud hosts the Application Servers/Business Models (data mining, visualization engine, databases, smart IoT applications) serving public organizations, private organizations and 3rd-party user apps.]

Fig. 2: Generic IoT Architecture: The infrastructure layer (from right to left) consists of different sensor nodes, which are further connected to the Internet via IoT gateways. At the cloud level, different processing is done to address business application needs such as BI, data mining, visualization, and other different services.

area. On the other hand, the traditional network is made up of resource-rich devices like laptops, computer systems, servers and smart phones. Therefore, without any limitations of resources, traditional networks can sustain complex and manifold security protocols. Hence, a balance is required between security and resource consumption in IoT systems, which calls for lightweight security algorithms and protocols.

Less secure wireless protocols such as ZigBee, 802.15.4e, SigFox, LoRa and 802.11x are used by IoT devices to connect with a gateway or the internet, which results in data leakage and privacy issues. Another major difference is that the OS and data formats are identical across traditional network devices, whereas due to different application functionalities and the lack of a standard OS, the IoT ecosystem faces diverse data formats and contents. It is due to this diversity that a standard security protocol that suits all kinds of IoT devices and systems is yet to be developed. Conventional networks are protected by a perimeter defense design pivoting on software- and hardware-based firewalls, IDSs and IPSs. A host-based security approach is opted for securing the end nodes by means of anti-virus software and security patches. But the resource-constrained behavior of IoT devices precludes host-based security approaches [34]. Similarly, due to the lack of physical security, the deficiency of host-based defense methods, the slow pace of software updates and security patches, and insufficient access control mechanisms, the traditional perimeter defense methods cannot guard the IoT ecosystem from unauthorized users and insider attacks.

III. IOT SECURITY THREATS AND CHALLENGES

Non-standardization of IoT technologies with intensified vulnerabilities will lead to more security incidents in IoT systems. The following paragraphs draw attention to some generic threats before discussing layer-wise specific threats.

A. Generic Threats

This section highlights some generic threats that are applicable to all IoT systems.

1) Hardware Vulnerabilities: Security is not the main consideration of commercially developed IoT products; rather, they are device-functionality centric. Therefore, improvised security features are usually added later on. Hence, hardware vulnerabilities like open physical interfaces and boot process vulnerabilities remain in such devices, which can be exploited remotely [35]. Meanwhile, the integrity of the end device, specifically code integrity and authentic data, ensures the consistent and secure operation of IoT systems [36].

2) Vulnerabilities of Social Engineering: Human interactions and socializing with IoT devices have greatly impacted the lives of users. The thorough and ubiquitous collection of data makes IoT users vulnerable to social engineering attacks [37]. Hackers can take control of smart devices like Google Glasses [38], smart TVs, smart refrigerators and Fitbits [39], [40] etc., to keep an eye on users and learn their voices, preferences and habits.

3) Legislation Challenges: The secure use of IoT data cannot be assured by legislation; however, it can compensate for the damage done through misuse of data. To the best of our knowledge, no standardized legislation and secure data policy has been drafted till now. Some efforts have been made by different countries to provide safety to user data, like the General Data Protection Regulation (GDPR) [41] and HIPAA [42]. HIPAA-level security must be provided by IoT device producers and app developers while providing features like tapping heart rate, weight, blood pressure, and other health insights.

4) User Unawareness: One of the most conventional attack vectors is the user. Employees and end users are susceptible to social engineering, phishing/spear-phishing and fortuitous security breaches due to a lack of security training and awareness. An additional medium of security breach is the transmission of sensitive data via mobile devices over public networks. With the increase in smart phone users, it is estimated that one-third of mobile devices will expose official data [14].


[Fig. 3 image: the stack from top to bottom. Semantic layer: device management (remote control, device registration, device provisioning, firmware management, asset management) and business process analysis (artificial intelligence, machine learning, data mining, data analytics, marketing, sales, efficiency gain, visualization engine), built on Hadoop, HBase, MangoDB, Cassandra, Luxun, Fluent, HDFS, MapReduce, Kafka, RapidMQ, Scribe and Plume. Application layer: session protocols HTTPS, SEP 2.0, SSH, FTP, Telnet; communication protocols CoAP, MQTT, AMQP, DDS, XMPP. Network/Transport/Link layer: short range (DigiMesh, WirelessHART, THREAD, 802.15.4e, Miwi, EnOcean, Ant, 6LoWPAN, NFC, RPL, RFID, Z-Wave, Insteon, GSM, BLE) and long range (Dash-7, LoRaWAN, Wifi 802.11a/b/g/n, Symphony Link, e-MTC, Weightless, NB-IoT, SIGFOX, EC-GSM-IoT). Physical/Perception layer: connectivity.]

Fig. 3: Generalized Layered IoT Protocol Stack: Different protocols are used in the IoT architecture for different purposes, as opposed to traditional networking. In the IoT paradigm, all these protocols address resource-constrained behavior such as limited memory, limited computing, and limited coverage area.

5) DoS/DDoS Attacks: Resource exhaustion attacks are carried out on IoT devices due to their low memory, computation power and battery capacity [30], such as jamming of communication channels, malicious utilization of IoT resources in terms of bandwidth, memory, CPU time and disk space, and modifying node configuration. Furthermore, [43] states that DDoS attacks involve 96% of the IoT devices, which includes 3% home routers and 1% compromised Linux servers.

B. Architecture Layer Wise Threats

Threats and vulnerabilities at different layers of the IoT architecture, along with the concerned security challenges, are summarized in Table II. The following paragraphs focus on the in-depth detail of threats at different layers of the IoT architecture.

1) Physical/Perception Layer: Some of the significant threats at the physical/perception layer include:

• Eavesdropping: Malicious devices like end nodes are connected to IoT systems for passive sniffing of traffic in order to get some useful information [44].

• Battery Drainage Attack: Continuous authentic requests are sent to carry out a power loss attack on resource-constrained IoT devices, which prevents the device from entering sleep or energy saving mode.

• Hardware Malfunctioning: IoT devices are considered a salvation for domains like Intelligent Transport Systems (ITS), e-Healthcare, smart homes/cities and smart grids etc. Failure of these devices due to a production fault or any cyber attack will have a significant impact not only on the system but on the lives of users as well [26], [45]. Many smart devices that are prone to cyber attacks are highlighted by researchers in [46].

• Malign Data Injection: A counterfeit device can be injected into an IoT system that can sniff the wireless traffic, insert bogus messages, or flood the wireless channel with fake messages to make the system unavailable for normal users [47].

• Node Cloning: Because of no standardization, node cloning, i.e., forging and duplication of devices, can easily be done in the IoT ecosystem [48]. It can be done in the production and operational phases.

2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
An insider attacker can swap the legitimate device with a fabricated one during the production phase, and can also clone the device during the operational phase. Mining of security parameters and firmware overwriting can further be performed after a node cloning attack [49].
• Gaining Unauthorized Access to the Device: One of the main security vulnerabilities trending nowadays is the use of default passwords and built-in credentials by the producers. For example, the iBaby M3S wireless monitor is available in the market with a hard-coded admin user name and password [46]. Likewise, insecure APIs are left intentionally by the developers for remote access [50]. Such an attack was carried out on the Summer Baby Zoom Wifi camera by security researchers in [51]; the device used the hard-coded credentials admin/admin.

2) MAC/Adaptation/Network Layer: Collision attacks and channel congestion attacks are DoS attack types carried out at this level [52], [53]. Other attacks include escalating the frame counter value and spoofing of acknowledgment frames (battery exhaustion attack) [30], [54], abusing CSMA by communicating on various channels [30], [53], and rogue PANId conflict initiation. The network layer is susceptible to many attacks as it connects different private LANs. A few noteworthy threats are eavesdropping [47], MITM, spoofing [52], message alteration attacks [47], gaining unauthorized access [26], replication of nodes [55], and injection of fake devices [56]. Furthermore, storage attacks are also a potential threat to the availability of the data [26]. In addition, nodes, servers and gateways are bombarded with fake messages to launch DoS attacks [57], [58].

3) Application Layer: Application developers around the world focus on the effectiveness and reliable service delivery of the product rather than on security. Therefore, applications can be compromised and legitimate users denied authorized services without much effort. Some main threats to the application layer are:
• Malicious Code: Vulnerabilities of the IoT devices are the main target of malware that compromises the nodes with ease. The compromised devices are further exploited as bots to carry out attacks on other end devices or network applications [26].
• Weak Application Security: Brute-force/dictionary attacks, unnecessary disclosure of data, escalated privileges and data tampering can be the consequences of weak authentication and authorization mechanisms. Furthermore, IoT systems accessed via websites are vulnerable according to the OWASP application security risk ranking [59], [60]. A few major application risks are discussed in the following paragraphs:
IoT applications and databases are vulnerable to SQL injection. A Belkin smart home product was exploited by security researchers in [61]. Malicious code can be injected into the paired WeMo Android app, which can acquire full, i.e. root-level, control of the connected home automation system. Once the attacker is inside the IoT application system, the attacker can run IoT devices abnormally, e.g., keeping the lamp on for a longer period of time. Similarly, a MITM attack or eavesdropping can be used to sniff the messages transmitted between the user and the Philips smart bulb [62].
Like web-based applications, IoT systems are also susceptible to XSS (Cross Site Scripting) attacks. Researchers in [61] successfully carried out an XSS attack on Belkin smart home products. This vulnerability gave an attacker the leverage to run JavaScript code in the victim's browser [63].

C. Security Challenges
There are many security challenges of IoT; however, we can summarize them in three broad categories, namely IoT data, communication, and end-application related security. After discussing generic and layer-wise IoT threats, the following subsections briefly explain the challenges of these three categories:

1) Data Related Security: IoT applications receive massive amounts of data generated by end nodes, which can be of a personal or confidential nature. Such data is a valuable gain for attackers and commercial competitors. Furthermore, the trustworthiness of IoT services, whether personal, manufacturing or societal, relies greatly on the genuineness of the data, which has a direct effect on their output. Accordingly, for promising results from IoT services and applications, the data generated by IoT end nodes must be authentic and confidential.

a. Confidentiality: Due to the resource limitations of IoT nodes, generic encryption algorithms cannot be used. Thus, there is a vital need for lightweight cryptographic ciphers that can provide optimal confidentiality in resource-constrained nodes [64], [65].
Recently, many lightweight cryptographic ciphers have been proposed, e.g., SEA [66], LBlock [67], PRESENT [68], mCrypton [69] and KATAN/KTANTAN [70]. Some researchers have worked on the hardware implementation of standardized block ciphers, e.g., [71]. There is a trade-off between cost, performance and security in the different application areas of IoT [70]. For example, the required security level may be low for RFID tags in electronic tickets, but the demand for low power and low latency is high [72]. Based on these parameters, implementations of 52 different block ciphers were evaluated by [73], and the ciphers were classified for different embedded end nodes. The authors identified that, due to the uncomplicated nature of the majority of lightweight cryptographic ciphers, they are susceptible to Side Channel Analysis (SCA) attacks. Fault- and time-based side channel attacks on IoT-based RSA, AES and ECC were researched by [74], who proposed countermeasures for them. In another effort, F. Zhang et al. [75] proposed a generic framework to investigate and assess algebraic fault attacks on lightweight cryptographic ciphers. Many studies have proposed using physical features for key generation; in this effort, [76] proposed a unique method,

TABLE II: Layer-wise security threats, vulnerabilities and corresponding security challenges are highlighted along with the protocols used in each layer.

Columns: Threat | Susceptibility | IoT Security Challenges | Ref

Physical/Perception layer (NFC, RFID Tags, ODB2, RS-232, ModBus, PLC, RJ-45, USB):
  Eavesdropping | Lack of encryption | Confidentiality | H. Ning et al.
  Battery drainage attacks | No white listing/blacklisting, no spam control | Resource constraintness | A. Reziouk et al.
  Hardware failure/exploitation, device compromise | Casualness by the manufacturers, developers' fault, unprotected interfaces, no physical security | Lack of standard, physical security | J. Wurm et al.; O. Arias et al.; Kumar et al.
  Malign data injection, cloning of node | Lack of strong access control, no tamper-proofing | Integrity of device/data | D. Puthal et al.; P. Paganini
  Unauthorized admittance to the devices | Usage of default or hard-coded credentials | No standard, integrity, confidentiality | Thomas Brewster; B. Fowler

MAC/Adaptation/Network layer (NFC, RFID, BLE, Ant, Insteon, MiMAC, WirelessHART, Wifi 802.11, 3GPP (NB-IoT, eMTC, EC-GSM), LoRaWAN, Symphony Link, Weightless, SIGFOX, DASH7, Ant+, EnOcean, ZWave, ZigBee, DigiMesh):
  DoS attacks (collision attack, channel congestion attack, battery exhaustion attack) | Flaw in communication protocols | Availability, heterogeneity | A. Reziouk et al.; T. Borgohain et al.; R. M. Savola et al.
  Eavesdropping, MITM attack | Lack of strong authentication mechanism and data security | Confidentiality / source integrity | D. Puthal et al.
  Storage attacks | No duplication of data storage, centralized storage, malware threats such as crypt locker and ransomware | Resource constraintness | Kumar et al.

Application layer (MQTT, AMQP, DDS, XMPP, PTP, Https, SEP 2.0, SSH, FTP, Telnet, COAP):
  Malign codes | No application/web security, lack of authentication and authorization mechanism | Authentication, authorization, integrity | A. R. Sadeghi et al.
  Escalated privileges and data tampering, SQL injection, disclosure of private data | Weak authentication and authorization mechanism | Access control, data authentication, confidentiality | Dave
  Cross Site Scripting attack | Web vulnerabilities | (not listed) | acunetix

Semantic layer (HDFS, MapReduce, Kafka, Rapid MQ, Scribe, Luxun):
  Theft of identity and compromise of user privacy | No data and application security | Identity, leak of private data, confidentiality | K. Hamlen et al.

Physical Unclonable Functions (PUFs), to generate keys for identification purposes. The secret is not stored in memory; instead it is derived by PUFs from the physical characteristics of the ICs, and it is generated without costly hardware [77].

b. Authenticity: The authenticity of the end nodes can be compromised by physical attacks such as hijacking, replacement and node copying. The authenticity of the data output as well as the integrity of the end nodes needs to be verified. Hence, lightweight attestation methods must be designed for IoT end nodes.
Software-based, hardware-based and hybrid static attestation are the three main techniques highlighted in the literature. Side channel information is used in software-based attestation techniques to endorse the authenticity of end nodes without using specialized hardware. It is further split into two main classes, i.e. memory-based and time-based attestation. Time-based attestation techniques include SWATT [78], Pioneer [79] and SCUBA [80], whereas memory-based attestation techniques include [81] and [82]. Software and hardware designs are both used to shield against potential adversaries in a multi-hop network between prover and verifier, keeping the hardware changes minimal [83]. Hybrid attestation

techniques cannot guard against physical interruption with devoted secure hardware. Some of the hybrid attestation techniques are SMART [84], SPM [85], SANCUS [86], TrustLite [87] and TyTAN [88]. Due to compromised keys, both hybrid and software-based methods cannot guard against physical attacks, as the prover can be mimicked/cloned [89]. Physical attacks can be guarded against only in hardware attestation. Hardware-based attestation techniques rely on purpose-built functions like TPM or SGX, which cannot be used in resource-constrained end devices. For this purpose IoT uses special lightweight hardware characteristics, i.e. PUFs [90], [91].
SEDA [92] was the first proposed swarm attestation technique. Another swarm attestation proposal was put forward by SANA [93]. In an IoT environment, end nodes sometimes join and leave the swarm dynamically, as in ad-hoc vehicular networks, thus making it harder to attest a swarm device. All the static attestation methods stated above validate the authenticity of binaries rather than their execution [83]. C-FLAT [94] and LO-FAT [95] offered accurate attestation by attesting at run time the execution path of the program in IoT embedded end nodes.

[Fig. 4: Convergence of IoT Systems (diagram). Three overlapping groups, Individual, Societal and Production, over ten application domains: 1. Smart Grids; 2. Healthcare; 3. Transportation systems; 4. Smart cities; 5. Smart supply chain/Smart retail; 6. Smart farming/Smart Environment; 7. Smart Wearables; 8. Manufacturing; 9. Smart Homes; 10. Security and Emergencies. The regions of the diagram carry the domain sets {5,7,8}, {1,6}, {3,7,9,10}, {2} and {4}.]

2) Communication Related Security:
a. Authentication and Access Control: Devices/users in the IoT environment and their communication exchanges require security features like authentication and access control [96]. However, authorization of devices requires authentication beforehand [97]. Due to the varied IoT ecosystem, diverse end nodes/sensors, varied network architectures and, above all, the resource-limited nature of IoT devices, lightweight access control and authentication processes need to be devised.
Mutual authentication is necessary for IoT devices due to the non-existence of a trusted third party in a decentralized IoT environment. Both data collectors and data holders need to verify each other before collecting and handing over data to each other in the heterogeneous environment of IoT [98], [99]. C. Su et al. in [100] highlighted the privacy and security issues of RFID authentication between tags and readers. Some researchers emphasized that unlinkability and anonymity need to be considered for IoT application areas like smart healthcare, grids, and the Internet of Vehicles (IoV). Dynamic IoT devices which need frequent changes of location call for new lightweight cross-domain authentication protocols.

3) Security for End-Applications: A huge amount of data is pulled together by IoT gateways from end nodes, which is transported over different networks and operated on by various IoT systems. Forensics, legal or social challenges and privacy issues are a few of the issues bound to the data generation, transfer and usage phases. Below is a brief explanation of each issue:
a. Privacy Concern: User private/personal data like heartbeats and fingerprints, and several environmental aspects sensed by end nodes, can be used to deduce user preferences and for tracking [101], [102]. A user can be a receiver of services and data and at the same time can be an object of data collection by different smart nodes [103], [104]. Unlike the Internet, where users actively set their privacy at risk (e.g., asking different queries for services), IoT user data is sensed and transported with their consent and knowledge [51, 52].
Authors in [105] revealed that any network spectator, or even an ISP, can deduce sensitive private residence behavior of a user by probing the traffic of smart homes from commercially available smart devices, even those that provide encryption [106], [107]. Furthermore, the problem of over-privileged smart app authorization also results in privacy issues [108], [109].
Astonishingly, in the e-healthcare sector, medical records and health care information are of higher value on the black market than credit card data [110]. Researchers have proposed pseudonym management of data [111], [112], anonymous authentication [113], [114] and access control for privacy preservation in e-healthcare data [115]. In another research effort [116], C. Rottondi et al. have highlighted that household behavior can be revealed in smart grids through the collection of fine-grained data by smart meters [117].
In smart grids, gateways and the control center use homomorphic encryption, which utilizes the same key for ciphertexts without the need for data decryption [117]. Researchers in [118], [119], [120] have worked on privacy-preserving aggregation techniques, as user load curves per household can be used to infer individual utilization behavior or daily living habits [121]. Hence, it is imperative that the anonymity of a user be guaranteed in the smart grid environment and that users' behavior and location not be inferable from sensed data.
Technologies like data mining and machine learning, which dynamically add business context to raw data, cause another threat to users' privacy. Keeping this in mind, extra efforts are required for users' privacy via machine learning and data mining techniques [53, 54].
b. Forensics Challenges: When IoT infrastructure is the target or is used to carry out an attack, it will call for forensic investigations in the IoT
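The challenge-response memory attestation sketched in the Authenticity subsection above, as an added example that is not code from the paper or from any of the schemes it cites (SWATT, Pioneer, SCUBA): the verifier issues a fresh nonce, the prover returns a keyed digest over the flash it actually runs, and the verifier checks it against the known-good image and a response-time bound. The firmware images and the device name are constructed; like the static schemes the text describes, this validates binaries rather than their execution, and a cloned prover holding the same image would pass.

```python
"""Nonce-based memory attestation of a constrained node.

Added example; not code from the paper or from any cited scheme. The
verifier keeps the golden firmware image, the prover keeps only the
ability to hash its own flash under a verifier-chosen key.
"""
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for flash contents (not real firmware).
GOOD_FIRMWARE = b"\x7fELF" + bytes(range(256)) * 4
_tampered = bytearray(GOOD_FIRMWARE)
_tampered[300] ^= 0x01            # one flipped bit, e.g. a patched branch
BAD_FIRMWARE = bytes(_tampered)


def attest_response(flash: bytes, nonce: bytes) -> bytes:
    """Prover side. The nonce keys the digest, so the answer cannot be
    precomputed before the challenge arrives: the prover must read its
    own memory now. Any node with SHA-256 can do this without extra hardware."""
    return hmac.new(nonce, flash, hashlib.sha256).digest()


class Verifier:
    """Verifier side: golden image, one outstanding nonce per device, and a
    response-time bound in the spirit of time-based attestation."""

    def __init__(self, golden_image: bytes, max_rtt_s: float = 0.5):
        self.golden_image = golden_image
        self.max_rtt_s = max_rtt_s
        self._pending = {}            # device_id -> (nonce, issue_time)

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = (nonce, time.monotonic())
        return nonce

    def verify(self, device_id: str, response: bytes, now=None) -> str:
        """Returns 'ok', 'no-challenge', 'too-slow' or 'mismatch'."""
        entry = self._pending.pop(device_id, None)   # a nonce is single-use
        if entry is None:
            return "no-challenge"                    # replay or unsolicited
        nonce, issued = entry
        now = time.monotonic() if now is None else now
        if now - issued > self.max_rtt_s:
            return "too-slow"             # answer took longer than a local hash should
        expected = attest_response(self.golden_image, nonce)
        return "ok" if hmac.compare_digest(expected, response) else "mismatch"


def run_demo() -> dict:
    """Four rounds against one device: honest, replayed, tampered, late."""
    v = Verifier(GOOD_FIRMWARE)
    out = {}
    n = v.challenge("node-1")
    honest = attest_response(GOOD_FIRMWARE, n)
    out["honest"] = v.verify("node-1", honest)
    out["replay"] = v.verify("node-1", honest)       # same answer presented again
    n = v.challenge("node-1")
    out["tampered"] = v.verify("node-1", attest_response(BAD_FIRMWARE, n))
    n = v.challenge("node-1")
    late = attest_response(GOOD_FIRMWARE, n)
    out["late"] = v.verify("node-1", late, now=time.monotonic() + 5.0)
    return out


if __name__ == "__main__":
    print(run_demo())
```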

TABLE III: Summary of IoT applications' core security requirements, where (X) represents the requirements that are of utmost importance and (x) shows the trivial requirements.

IoT Applications       | Availability | Confidentiality | Integrity | Non-Repudiation | Privacy | Authentication
Smart Grids            | X | X | X | X | X | X
Healthcare             | X | X | X | X | X | X
Transportation Systems | X | X | X | X | X | X
Smart Cities           | X | X | X | X | X | X
Smart Manufacturing    | X | X | X | X | X | X
Smart Homes            | X | X | X | X | X | X
Smart Wearables        | X | X | X | X | X | X
Smart Farming          | X | X | X | X | X | X
Smart Supply Chain     | X | X | X | X | X | X
Smart Security Systems | X | X | X | X | X | X
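The privacy-preserving aggregation described for smart grids above (gateway sums encrypted load readings without decrypting any of them), as an added example that is not the paper's code or any cited scheme's: it uses additively homomorphic Paillier encryption, which is this example's own choice since the text names no particular cipher. All readings are encrypted under the control centre's single public key, the gateway multiplies ciphertexts, and only the control centre, holding the private key, learns the total. The primes and meter readings are constructed toy values.

```python
"""Paillier-based aggregation of smart-meter readings.

Added example, not from the paper or any cited work. Toy key size:
constructed primes P and Q; a real deployment uses a 2048-bit modulus.
"""
import math
import secrets

# Constructed toy primes of equal length with gcd(pq, (p-1)(q-1)) = 1.
P, Q = 1000003, 1000033


def keygen(p: int = P, q: int = Q):
    """Control centre: public key (n, g), private key (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard simple generator
    # mu = L(g^lambda mod n^2)^-1 mod n, with L(x) = (x - 1) / n
    x = pow(g, lam, n * n)
    mu = pow((x - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Household meter: randomised encryption of one reading."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("reading must be a non-negative integer below n")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Gateway: E(a) * E(b) mod n^2 = E(a + b); needs no key at all."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def decrypt(pub, priv, c: int) -> int:
    """Control centre: recover the plaintext (here, the aggregate)."""
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return (((x - 1) // n) * mu) % n


def aggregate_readings(readings_wh):
    """End-to-end flow for one reporting interval.

    Returns (total decrypted by the control centre, ciphertexts the gateway
    saw). The gateway only ever handles the ciphertexts list and the product.
    """
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, r) for r in readings_wh]   # one per household
    aggregate = ciphertexts[0]
    for c in ciphertexts[1:]:
        aggregate = add_encrypted(pub, aggregate, c)        # blind summation
    return decrypt(pub, priv, aggregate), ciphertexts


if __name__ == "__main__":
    # Constructed per-household readings in Wh for one interval.
    total, _ = aggregate_readings([1200, 340, 2750, 0, 15])
    print("aggregate load:", total)
```

Only the sum leaves the control centre's decryption; the per-household curves the text warns about never exist in the clear at the gateway.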

ecosystem. Data sensed and made communal by IoT applications will introduce opportunities and challenges for forensic investigation. Due to the resource constraints of memory, evidence needs to be shifted to the cloud or local centers before it is overwritten in IoT devices. Therefore, researchers have recognized IoT forensics as a mixture of cloud, network and device level forensics [122]. The main forensics challenges in the IoT paradigm are 1) the resource-limited characteristics of devices, 2) the heterogeneous characteristics of devices and 3) the growth in the numbers and types of devices [123], [124].
A general Digital Forensic Investigation Framework, DFIF-IoT [125], was presented to homogenize digital investigation procedures. FAIoT [123] was proposed to simplify the procedure of evidence compilation, analysis and preservation. A combination of the 1-2-3 zones and the next best thing (NBT) model was presented by [126]. When investigating and correlating the composed evidence, which may contain individual personal information, privacy is another important element which needs to be addressed in forensic investigation of IoT. Privacy aware IoT Forensic (ProFIT) is an effort in proposing a privacy-enabled forensic model for IoT [127]. In the ProFIT model, evidence can be gathered with the help of nearby end devices, which helps in reconstructing the crime scene context to a much more accurate level. To the best of our knowledge, we can deduce from the literature studied that IoT forensics is still evolving and most researchers are stretching the existing traditional methods for IoT forensics. Even though, to some extent, traditional forensic tools can be used in the IoT environment, a complete framework for IoT forensics is still lacking.
c. Social or Legal Challenges: Below are the two main issues raised due to IoT adoption in recent years:
I. Liability Dispute: New legal responsibility arguments are raised due to the introduction of smart/intelligent services provided by IoT. A smart vehicle is one such example, which is progressively being put into operation. Every time an accident is met due to a smart/automated vehicle, it calls for updated legislation for its usage. To support automated vehicles, the Australian National Transport Commission has outlined fresh Australian driving law [128].
II. Data Commodification: The pooling and treatment of bulk data makes it a commodity, creating another problem of data ownership, which in turn raises a few questions, e.g., How can managing the data as a product be standardized? Who is the proprietor/owner of the data? Is trading of data possible? Legal responsibility concerns are invoked by these questions. Authorization and revocation of authorization for data collection must be the right of data owners. Data owners/holders can share the portion of data which can be shared with the IoT ecosystem by applications through granular, context-based authorization.

D. IoT Applications Security
IoT has enhanced the quality of lives in many fields like smart grids, healthcare, transportation systems, cities, supply chain, farming, retail, wearables, environment, manufacturing, homes, security and emergencies, etc. Although there could be many more applications of IoT, we have categorized them into ten application domains, endeavoring to create an optimal balance between generality and concreteness. These domains are so varied that they can cover all requirements of user groups.
Furthermore, it can be observed that these ten application systems are distinct yet overlapping from the users' point of view, and for this purpose we have further categorized them into three groups, namely individual, societal and production, as shown in Fig. 4. Furthermore, two security challenges are highlighted which are common to all IoT application areas. The

TABLE IV: Summary of IoT applications' security challenges: (X) represents the challenges which need due attention from academia and industry from the preliminary design stages of smart devices to end products, whereas (x) shows that the challenge is significant but can be given less attention in the specific IoT system.

IoT Applications       | Heterogeneity | Scalability | Information Vulnerabilities | Data Sensitivity | Privacy | Resource Limitations | Mobility | Physical Attacks | Lack of Standardization | Safety Challenges
Smart Grids            | √ | √ | √ | √ | √ | X | X | X | X | X
Healthcare             | √ | X | X | X | X | √ | √ | X | X | X
Transportation Systems | √ | X | X | X | X | X | √ | X | X | X
Smart Cities           | √ | √ | X | √ | X | X | X | X | X | X
Smart Manufacturing    | X | √ | X | X | X | √ | X | √ | √ | √
Smart Homes            | √ | X | √ | √ | X | X | X | X | X | X
Smart Wearables        | √ | √ | √ | √ | X | √ | X | √ | X | √
Smart Farming          | √ | √ | X | √ | X | √ | X | X | √ | X
Smart Supply Chain     | √ | √ | √ | √ | X | √ | X | X | √ | X
Smart Security Systems | √ | √ | X | √ | X | √ | X | √ | √ | X

two common security challenges are 1. Vulnerabilities of Social Engineering and 2. Legislation Challenges. Below, we have abstracted the most crucial security requirements (availability, confidentiality, integrity, non-repudiation, privacy and authentication) and challenges (heterogeneity, scalability, information vulnerabilities, data sensitivity, privacy, resource limitations, mobility, physical attacks, lack of standardization and safety challenges) for the ten IoT application domains stated above. A summary of the security requirements and challenges is depicted in Table III and Table IV respectively.

IV. GAP IDENTIFICATION AND ANALYSIS: NEED FOR A STANDARD AND SECURE IOT FRAMEWORK
In future, the technological era will witness a massive increase in the number of connected devices. Cyber criminals will always mark them as the first choice of attack due to their weak embedded security mechanisms and the absence of a standardized architecture. Such devices can be used as bots by attackers to launch DDoS attacks and spread spyware. It is apparent from the modern cyber-attacks carried out on these connected devices that current security standards and protocols for IoT have failed in providing security to IoT devices [129].
Current communication protocols have some built-in security features to secure communication at different layers of the IoT protocol stack, as shown in Fig. 5. However, different device attacks like code modification and malware cannot be secured against with these communication protocols [27], [30]. In reality, taking into account the huge number of IoT connected devices and their threats as discussed in Section III, there is a need for a comprehensive security framework and standardization of IoT.
Accordingly, an adaptive, novel and worthy security system is required to tackle the current situation, which should be proactive in nature, providing baseline security to end users, network, applications, data and devices. Therefore, to detect present-day threats, envisage future security incidents and quickly respond to attacks, there is a need for crisp guidelines providing the ground for the development of a secure adaptive IoT framework. In this regard, the best practices of organizations like Cisco, TCG, IBM Watson IoT and AT&T can be reviewed and consulted for a unified framework of IoT security.

A. Network Level Security Approach for IoT
IoT producers are launching products with innovations and ease of use to grab market share without paying due attention to security. Due to this dilemma and the limited resources of IoT devices, conventional host-based protections like anti-virus, IDS, IPS etc. cannot be used for smart devices. Therefore, a network level security architecture is proposed by researchers in [34] to secure smart devices. The secure system is based on an SDN controller called (IoT

[Fig. 6 (diagram): Software Defined Everything (SDx/SDE) with its components Networking, Storage, Security, Data Centre, Real Time Services, AI, Cloud Services, Automation and Virtualization.]

Fig. 6: Classification of Software Defined Everything

Fig. 5: Security features offered by IoT communication protocols.

SENTINEL), a security gateway that is efficient enough in identifying the different types of devices connected to a network. Furthermore, the system eliminates potential vulnerabilities by applying mitigation measures. A vulnerability database module is also placed in the IoT SENTINEL controller. Machine learning techniques are adopted for flagging a device as benign or malign. Device type identification along with the vulnerability database's input are fed to the machine learning module, which can infer which devices in a network are vulnerable. Due to the global visibility of the network, such solutions are viable for a smart ecosystem which can take decisions at the network level.

B. Necessity of SDN based IoT Environment
The increased use of mobile/smart devices, server virtualization and the introduction of cloud services have provoked the networking industry to reconsider traditional network architectures.
Due to certain traditional networking limitations like closed equipment, protocol standardization, few people who could innovate, expensive operation of networks and buggy software in the equipment, it is impossible to meet current market requirements with such limited traditional network architectures [130], where the network cannot change dynamically according to the network conditions.
These shortcomings led to the idea of having an OS for the network which should have a standardized control interface that speaks directly to the hardware [131], [132]. To tackle the control and management challenges in conventional networks/platforms, Software Defined Systems (SDSys) are proposed, which conceal the complexities of traditional networking from the end users, i.e. separating the data plane from the control plane [133]. SDN is considered a revolutionary network technology in supporting heterogeneous networking with rapid evolution and dynamism using programmable planes (control and data plane). The SDN and IoT integration can meet the expectations of control and management issues in diverse scenarios [16], [17].

V. SOFTWARE DEFINED SECURITY SOLUTIONS
A number of domains like Networking (SDN), Security (SDSec), Data Centers (SDD), Storage (SDStor) etc. have merged in the rapidly growing SDSys technology, as shown in Fig. 6. These are all components of a wide trending technology that is called Software Defined Everything, aka SDx/SDE.
Manageability, dynamism, cost-effectiveness and adaptability are a few major properties of SDN that make it highly suitable for the high-bandwidth and dynamic nature of today's applications [130], [134]. This architecture enables abstraction of the underlying infrastructure for network services/applications, and the network control to be directly programmable, by decoupling the network control and forwarding functions.
A logical view of the SDN architecture is depicted in Fig. 7 & 8, where it is highlighted that the control is shifted from the physical devices to programmable controllers. In software based controllers the network intelligence is (logically) centralized, which upholds a global view of the network. This results in presenting the network as a single, logical switch to the applications and policy engines [135], [136].
Network design and operations are made simpler with the SDN single logical point, which enables enterprises and carriers to acquire vendor-independent control over the entire network. Networking devices are also simplified with SDN, as they do not need to be familiar with and process thousands of protocol standards but simply accept instructions from the SDN controllers. The following section briefly highlights the SDN architecture.

A. SDN Architecture
We present a generalized SDN architecture and a consolidated layered SDN protocol stack as shown in Fig. 9. There are three layers in the SDN controller, i.e., the infrastructure layer, the control layer and the application layer. These layers are interconnected by two communication channels, i.e. the southbound interface and the northbound interface, whereas east and south bound interfaces are used for connecting different controllers.
The infrastructure layer manages the devices like routers, switches, vswitches and access points connected to it. Through open interfaces like OpenFlow [58], these devices are managed as they have no built-in control/software and act just as forwarding elements. The controller computes and allocates flow rules that are stored in the flow table inside these devices. Packets are forwarded to the concerned destinations


based on the flow rules in the flow table [136].

The application layer accommodates all third-party applications written for a specific purpose and operates at a higher level than the controller. Underlying devices in the infrastructure layer are connected to applications via the controller. The northbound interface bridges the communication between controllers and applications and vice versa [134]. Some of the most frequently adopted third-party applications are routing, access control, network virtualization, application security, network monitoring, IDS/IPS, traffic engineering etc.

As depicted in Fig. 9, the control layer makes up the core modules, which are Network Manager, Network APIs, Network Operating System (NOS), drivers and internal services. These major functionalities should be present in any simple/basic controller [137]. Installation of flow rules onto the underlying devices is the responsibility of the controller.

Fig. 7: Closed Network: Devices with millions of lines of source code for different networking features/OS and billions of gates for specialized packet forwarding hardware. It is difficult to modify proprietary code or add innovations.

Fig. 8: The intelligence is abstracted from networking devices and placed in a remote programmable controller that has control of the devices' forwarding decisions. The SDN architecture is depicted with three layers and two communication interfaces.

Through the OpenFlow protocol [58], [136] the forwarding devices communicate with the controller, whereas the REST API is most widely used for communication between the controller and the third-party applications. Many controllers are available, but the most famous controllers are RYU [138], ONOS [139], OpenDaylight [140], Floodlight [141], NOX [142] and POX [143]. M. Karakus et al. in [144] highlighted multiple-topology approaches to deploy controller(s) in SDN, i.e. Centralized Controller Designs, Distributed Controller Designs, Hierarchical Controller Designs and Hybrid Designs. The SDN controller in the control plane interacts through four different interfaces, which are explained below:

Southbound Interface (SBI): It assists in controlling the network behavior through flow entries on the devices. Many SBI APIs exist like OpenFlow, IRS, ForCES, POF [145] and Open vSwitch Database (OVSDB) [146]. However, the OpenFlow protocol is the most widely used interface due to its open architecture. The Open Networking Foundation (ONF) considers it the de facto standard for SDN architecture [136].

Northbound Interface (NBI): The communication channel between the application layer and the controller is the NBI. Applications communicate with the controller to access network control for managing services and gathering information like state and services from the network [144]. The REST API is adopted by the majority of controllers [147]. Java API, Frenetic [148], NetKAT [149], NetCore [150] and Pyretic [151] are a few other protocols that are used as NBIs.

B. SDN Based Secure IoT Frameworks

This section presents a detailed description of various security mechanisms/frameworks for SDN based IoT deployment. However, before moving further, it is essential to highlight various IoT deployments leveraging SDN architecture in order to acquaint the readers with different deployment models and the future scope of IoT by adopting this new technological paradigm. The following paragraphs discuss the SDN-IoT deployment models, followed by software defined security (SDSec) based solutions for IoT:

1) SDN-IoT Deployment Models: To the best of our knowledge, we have presented a consolidated overview of the models put forth by academicians till now. Tables V & VI present the summary of deployment models of SDN based IoT. In SDN, IoT systems can be implemented in one of two ways, i.e., centralized and decentralized controller architecture, as depicted in Fig. 10. The following paragraphs discuss the IoT deployments in both architectures:

Centralized Controller Architecture: SDN is an evolving paradigm and is not yet utilized to the fullest; therefore many proofs of concept are presented to augment the need for SDN based IoT deployment. In [152], J. Li et al. presented an overview of the IoT, SDN and Network Function Virtualization (NFV) architectures and proposed a generalized model of SDN-IoT leveraging NFV. To make the IoT management process simple and to cater for the data challenges generated in the traditional IoT architecture like


forward, store, and security, a software based integration of the SD network, SD storage, and SD security is proposed by Y. Jararweh et al. in [153]. Similarly, M. Ojo et al. in [154] proposed a basic and all-purpose SDN-IoT architecture together with NFV application with explicit options on how and where to embrace SDN and NFV technologies to overcome the challenges of the IoT.

[Fig. 9 diagram: Application Layer (Registration, Access Control, Authentication, Monitoring, Balancing, IDS/IPS, Firewall, Routing); NorthBound API: REST, Java, Nettle, Netcore, Procera, Frenetic, FML etc.; Control Layer (Network Manager, Network OS, Network APIs, drivers, controller internal services e.g. path, security, SAN; West/East bound API e.g. HyperFlow; controllers such as Beacon, DISCO, ElastiCon, Fleet, Floodlight, HP VAN SDN, HyperFlow, Kandoo, Onix, Maestro, Meridian, MobileFlow, MuL, NOX, NOX-MT, NVP Controller, OpenContrail, OpenDaylight, ONOS, PANE, POX, Rosemary, RYU, Trema, Yanc etc.); Southbound API: OpenFlow, IRS, ForCES, POF, OVSDB etc.; Infrastructure/Data Layer (access point, switch, router, vSwitch, physical device).]
Fig. 9: SDN Protocol Stack: At different levels, SDN provides a different set of protocols. Security services like IDS, IPS, and DPI can be performed on the go without dedicated appliances, as was the case in traditional networking.

Fig. 10: SDN-IoT implementation techniques. (A) depicts a centralized controller whereas (B) presents a decentralized controller. A centralized controller provides easy maintenance but encounters a single point of failure. The decentralized approach addresses the single point of failure; however, it faces the problem of consistency.

Z. Qin et al. in [155] designed a software defined methodology for the IoT ecosystem to vigorously attain distinguished quality levels of different tasks in heterogeneous scenarios. Furthermore, I. Bedhief et al. in [156] presented an SDN-Docker based architecture catering for the heterogeneity at network and device level. It provides an easy and fast mode to deploy IoT applications because it virtualizes the OS without overhead and also extends portability features. Further, M. Tortonesi et al. in [157] introduced the SPF (Sieve, Process, Forward) model that expands the reference architecture of ONF by swapping the Information Processing and Dissemination Plane with the SDN Data Plane. Programmable information processors are positioned at the IoT edge and, through the proposed SPF model, IoT applications and services are defined and managed. Likewise, D. Sinh et al. in [158] proposed a combination of SDN/NFV technologies for IoT deployment and proposed a mechanism to meet the obligations of deploying IoT services from different providers via slicing end-to-end network fragments. Furthermore, their mechanism can recover an IoT service when it is down. W. Cerroni et al. in [159] projected a reference architecture that is basically motivated by the ETSI MANO framework. An intent-based northbound interface for end-to-end service orchestration across multiple technical domains is presented. IoT systems are connected by SDN to the relevant cloud-based services. Y. Li et al. in [160] offer an SDN based IoT architecture in which gateways, devices, and generated data can be programmed


TABLE V: Summary of SDN based IoT deployment models depicting centralized architectures, their implementation and purpose.

Centralized Models

| Ref | Year | Proposed Model | Implementation | IoT Application Area |
|---|---|---|---|---|
| Z. Qin et al. | 2014 | Flow scheduling algorithm is designed for heterogeneous networks to vigorously attain distinguished quality | Qualnet simulation platform | Heterogeneous wireless networking environment |
| J. Li et al. | 2015 | A general model of SDN/NFV based IoT architectures is presented with emphasis on highlighting the characteristics of these technologies | Proof of concept | General purpose |
| Y. Jararweh et al. | 2015 | Introduced SDN and SDStor modules to cater for data management related traditional IoT system challenges | Proof of concept | General purpose |
| M. Ojo et al. | 2016 | Introduced NFV coupled with SDN to overcome scalability, elasticity and dynamism properties of heterogeneous IoT networks | Proof of concept | General purpose |
| I. Bedhief et al. | 2016 | Dockers are used to manage different smart devices in a heterogeneous environment | Mininet simulation of a small network with 4 devices | Generic |
| M. Tortonesi et al. | 2016 | SPF, an SDN middleware model, is presented for processing the raw data collected from IoT devices on the edge node | Prototype/simulation in Mininet only | Urban area small network |
| Y. Li et al. | 2016 | Authors proposed that new services can be offered promptly with their architecture. Multi-service support in different domains with different scenarios is presented where smart devices and data can be reprocessed | Campus network deployment | Heterogeneous wireless environment |
| W. Cerroni et al. | 2017 | A reference architecture motivated by the ETSI MANO framework is proposed. An intent-based northbound interface for end-to-end service orchestration across multiple technical domains is presented | Mininet simulation only | Smart homes, office |
| D. Sinh et al. | 2018 | An architecture is proposed for IoT wherein SDN/NFV orchestrates the complete network via the SDN controller | Simulation in Mininet only | Small WSN like home, office etc. |
| Y. Wang et al. | 2018 | IoT communication application is proposed that merges SDN with the publish/subscribe paradigm, with an aim to ease smart applications/services | Deployed in a Heating Control and Information Service System. Simulated in Mininet | Smart homes, office |

TABLE VI: Summary of SDN based IoT deployment models depicting decentralized architectures, their implementation and working environment.

Decentralized Models

| Ref | Year | Proposed Model | Implementation | IoT Application Area |
|---|---|---|---|---|
| O. Flauzac et al. | 2015 | Multiple controllers are used to connect different IoT domains using SDN architecture in equal interaction mode | Proof of concept | Smart home / campus network |
| F. Olivier et al. | 2015 | An SDN-based new network architecture with multiple controllers is presented for Ad-hoc networks and IoT | Proof of concept | Ad hoc network |
| D. Wu et al. | 2017 | Leveraging SDN/NFV to deploy urban scale heterogeneous IoT by dividing it into different geographic divisions | OMNeT++ simulation | Urban area |

by service operators and application developers. Furthermore, interoperability and data provisioning features are also supported at different levels. An amalgamated communication middleware solution, SDNPS (SDN-based publish/subscribe system), for IoT services is proposed by Y. Wang et al. in [161]. They have merged SDN with publish/subscribe (topic-oriented) middleware, which can assist customers of varied smart services to access the network along with relieving the hassle for service providers and application developers to administer and enhance IoT applications.

Decentralized Controller Architecture: O. Flauzac et al. in [162] proposed distributed controller based SDN network architectures that can be adopted in Ad-hoc and IoT networks. The new architecture works in equal interaction with multiple SDN controllers. It is also scalable with several SDN domains, which can be with or without network infrastructure, where a controller is accountable for that domain. A border controller is introduced to bridge the communications between domains. F. Olivier et al. in [163] deliberated an SDN based architectural design for access control and global traffic observation for Ad-hoc networks and discussed their performance consequences. D. Wu et al. in [164] introduced UbiFlow, a ubiquitous flow control and mobility management software-defined IoT system for multi-networks. UbiFlow works on multiple controllers to distribute urban-scale SDN into geographic divisions. To maintain network consistency and scalability, a distributed hashing overlay structure is put forward. A new IoT architecture is presented by S. Tomovic et al. in [165] which merges the advantages of two evolving technologies: SDN and Fog computing. SDN augments resource management and traffic control implementation of complex mechanisms, whereas Fog computing supports network edge level data management and analysis, therefore delivering provision for applications with low and foreseeable latency.

2) SDSec Mechanisms/Frameworks for SDN-IoT: In this section, we present the Software Defined Security (SDSec) solutions for enabling secure IoT systems. Although this domain is still in its infancy, there are a few research efforts, which are elaborated in the following paragraphs:

DoS/DDoS Solutions: To counter DoS attacks, one of the very first efforts is proposed by [166], which incorporates (Trust, Zone-ID, Permissions and Scope) parameters in the host, and all security techniques are delegated to the SDSec controller


TABLE VII: Summary of DoS/DDoS security solutions for IoT: mechanism, implementation technique, and limitations.

DoS/DDoS Security Solutions

| Ref | Year | SDSec Solution | Mechanism | Implementation | Limitations |
|---|---|---|---|---|---|
| M. Al-Ayyoub et al. | 2015 | SDSecurity | Security policies are embedded in the controller to check incoming packets against defined parameters to detect anomalies | Mininet simulation only, no real world implementation | Suitable for small networks. Bottleneck for large networks |
| P. Bull et al. | 2016 | Flow Based Security | A secure flexible method for IoT devices is proposed through an SDN gateway to counter flooding attacks using flow rules | No real IoT scenario defined. Mininet simulation only | Static rules are used, not suitable for adaptive environments |
| Y. Jararweh et al. | 2017 | SoftThings | Machine learning approach is used at the SDN gateway to detect and mitigate abnormal traffic behavior at the gateway/network level | Mininet simulation only using a basic ML technique | Limited to TCP and ICMP packets only. Limited number of packets are addressed for simulation |
| R. Mohammadi et al. | 2017 | SLICOTS | SLICOTS: a lightweight module for defense against SYN flooding attacks, residing at the network edge | No real world scenario is considered, only Mininet simulation | Limited to TCP SYN attack only; large numbers of packets can cause controller overload |
| N. Z. Bawany et al. | 2019 | SEAL | SEAL framework is designed with three different modules to meet application-wise precise security criteria for detection of DDoS attacks using EWMA filters | Mininet simulation only | Traffic generated for result analysis is in a controlled environment |
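The flow-table forwarding described in the SDN architecture subsection and the SLICOTS- and SEAL-style DoS defences summarised in Table VII, combined in one added example (constructed here, not code from any of the cited papers): a toy switch with a prioritised flow table, a controller that installs rules over a packet-in/flow-mod style southbound interface, and an SDSec module that blocks a source after too many half-open TCP handshakes and raises an EWMA-based flood alarm. All class names, thresholds, addresses and traffic are assumptions for the demonstration.

```python
"""Toy SDN data/control plane with an SDSec DoS module (constructed
example, not code from the surveyed papers). The Switch matches packets
against prioritised flow rules and sends misses to the Controller as
packet-ins; the Controller learns MAC-to-port mappings, installs flow
rules, counts half-open TCP handshakes per source (SLICOTS-like) and
smooths the packet-in rate with an EWMA (SEAL-like)."""
from collections import Counter, defaultdict, namedtuple

DROP, FLOOD = "drop", "flood"
# match: packet fields that must all be equal; action: DROP, FLOOD or a port
FlowRule = namedtuple("FlowRule", "priority match action")


class Switch:
    def __init__(self, dpid, controller):
        self.dpid, self.controller = dpid, controller
        self.table, self.actions = [], Counter()   # rules; data-plane actions

    def install(self, rule):          # southbound flow-mod from the controller
        self.table.append(rule)
        self.table.sort(key=lambda r: r.priority, reverse=True)

    def process(self, pkt, in_port):
        for rule in self.table:       # highest priority first
            if all(pkt.get(k) == v for k, v in rule.match.items()):
                self.actions[rule.action] += 1
                return rule.action    # handled entirely in the data plane
        return self.controller.packet_in(self, pkt, in_port)  # table miss


class Controller:
    SYN_LIMIT = 5       # half-open handshakes per source before blocking
    ALPHA = 0.3         # EWMA smoothing factor
    RATE_LIMIT = 10.0   # smoothed packet-ins per tick treated as a flood

    def __init__(self):
        self.mac_to_port = defaultdict(dict)   # dpid -> {mac: port}
        self.half_open = Counter()             # src_ip -> SYNs minus ACKs
        self.syn_targets = Counter()           # dst_ip -> SYNs this tick
        self.blocked, self.ewma, self.packet_ins = set(), 0.0, 0

    def packet_in(self, sw, pkt, in_port):
        self.packet_ins += 1
        ports = self.mac_to_port[sw.dpid]
        ports[pkt["src_mac"]] = in_port        # learn where the source is
        if self._syn_check(sw, pkt):
            return DROP
        out = ports.get(pkt["dst_mac"], FLOOD)
        # Handshake packets stay visible to the controller (no offload);
        # SLICOTS achieves the same with temporary rules.
        if out != FLOOD and pkt.get("tcp_flags") not in ("SYN", "ACK"):
            sw.install(FlowRule(10, {"src_mac": pkt["src_mac"],
                                     "dst_mac": pkt["dst_mac"]}, out))
        return out

    def _syn_check(self, sw, pkt):
        src, flags = pkt.get("src_ip"), pkt.get("tcp_flags")
        if flags == "SYN":
            self.half_open[src] += 1
            self.syn_targets[pkt.get("dst_ip")] += 1
        elif flags == "ACK" and self.half_open[src] > 0:
            self.half_open[src] -= 1           # handshake completed
        if self.half_open[src] > self.SYN_LIMIT:
            self.blocked.add(src)
            sw.install(FlowRule(100, {"src_ip": src}, DROP))
            return True
        return False

    def tick(self, sw):
        # Periodic check of the smoothed packet-in rate; on a flood, drop new
        # SYNs to the most targeted host (its new connections are collateral).
        self.ewma = self.ALPHA * self.packet_ins + (1 - self.ALPHA) * self.ewma
        self.packet_ins = 0
        flood = self.ewma > self.RATE_LIMIT and bool(self.syn_targets)
        if flood:
            victim = self.syn_targets.most_common(1)[0][0]
            sw.install(FlowRule(50, {"dst_ip": victim, "tcp_flags": "SYN"}, DROP))
        self.syn_targets.clear()
        return flood


def pkt(src_mac, dst_mac, src_ip, dst_ip, flags=None):
    return {"src_mac": src_mac, "dst_mac": dst_mac,
            "src_ip": src_ip, "dst_ip": dst_ip, "tcp_flags": flags}


def run_scenario():
    """Constructed traffic: handshake, single-source flood, spoofed flood."""
    ctrl = Controller()
    sw = Switch("s1", ctrl)
    A2B = ("aa", "bb", "10.0.0.1", "10.0.0.2")   # host A (port 1) -> B (port 2)
    r = {}
    sw.process(pkt(*A2B, "SYN"), 1)
    sw.process(pkt("bb", "aa", "10.0.0.2", "10.0.0.1", "SYN-ACK"), 2)
    sw.process(pkt(*A2B, "ACK"), 1)
    sw.process(pkt(*A2B, "PSH"), 1)             # installs the a->b flow rule
    r["data_offloaded"] = sw.process(pkt(*A2B, "PSH"), 1)
    r["tick1_flood"] = ctrl.tick(sw)
    for _ in range(8):                         # one source, never completes
        sw.process(pkt("mm", "bb", "10.0.0.9", "10.0.0.2", "SYN"), 3)
    r["blocked"] = sorted(ctrl.blocked)
    r["dropped_in_data_plane"] = sw.actions[DROP]
    for i in range(30):                        # spoofed sources, one SYN each
        sw.process(pkt("mm", "bb", f"10.0.1.{i}", "10.0.0.2", "SYN"), 3)
    r["tick2_flood"] = ctrl.tick(sw)
    r["ewma"] = round(ctrl.ewma, 2)
    r["syn_to_victim"] = sw.process(pkt("cc", "bb", "10.0.2.1", "10.0.0.2", "SYN"), 4)
    return r
```

The per-source counter catches the single-source flood after six SYNs and the two remaining SYNs are dropped in the data plane without reaching the controller; the spoofed flood, which never exceeds the per-source limit, is caught only by the EWMA rate check, which is the trade-off Table VII notes for SLICOTS.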

in order to take action against an incoming packet against the defined parameters. Such a solution is viable for small scale networks; however, it can be a bottleneck for large scale networks as all intelligence is abstracted from the underlying layer and summed up in one controller. P. Bull et al. in [167] introduced the idea of a flexible flow based security mechanism using an SDN gateway for monitoring the traffic which is initiated from and directed to IoT devices. This gateway can detect anomalous behavior and perform an appropriate response like blocking, forwarding, or applying QoS.

S. S. Bhunia et al. in [168] proposed an IoT security framework leveraging SDN as a gateway, called SoftThings. The main objective is to monitor IoT traffic at the edge of the network rather than in the core network for detection and mitigation of anomalous behavior. Machine learning techniques are used to detect abnormality in the traffic. SLICOTS is a mechanism proposed by R. Mohammadi et al. in [169] for countering TCP SYN flooding attacks in SDN. The SLICOTS module resides in the controller and leverages the dynamic programmable feature of SDN to monitor TCP connection requests and detect and prevent TCP SYN attacks.

N. Z. Bawany et al. in [170] introduced the SEAL framework that adopts SDN key features to improve the security and resilience of an IoT system. The SEAL framework has three modules that can effectively detect and mitigate DDoS attacks on application servers and network resources. It promises reliability, scalability and fault tolerance in smart city applications. In addition, an estimated-weighted moving average scheme is used to achieve adaptability. A summary of DoS/DDoS security solutions is depicted in Table VII.

Data and Communication Security Solutions: S. Chakrabarty et al. in [171] introduced Black SDN to secure SDN based IoT network communication from traffic analysis and inference attacks. The authors have suggested using the SDN controller as a middle box for encrypting the header, metadata and payload at the network layer of the IEEE 802.15.4 LR-WPAN. Black SDN aims at protecting IEEE 802.15.4 traffic by introducing symmetric encryption along with a complicated routing algorithm, thus trading off the efficiency of the network.

O. Flauzac et al. in [162] presented a secure networking architecture for Ad-hoc and IoT networks, utilizing SDN with multiple controllers in equal interaction mode. It is scalable with manifold SDN domains, where every domain controller is accountable for its domain. Furthermore, border controllers are introduced to regulate the communications between domains. The border controller works in distributed interaction to assure domain independence in case of failure. The whole network security is augmented with the concept of a grid of security implanted in individual controllers to counter attacks.

Similarly, to simplify the IoT data management process, Y. Jararweh et al. in [153] proposed to integrate SDN, SDStor and SDSec in one control model to achieve security. C. Gonzalez et al. in [172] presented a cluster network of 500 devices using SDN augmenting network virtualization and OpenFlow technologies. The proposed system handles the communication between clusters through a cluster head with predefined rules, based on IP headers managed by an SDN controller. C. Gonzalez et al. in [173] present a new mechanism based on SDN architectures utilizing ARP


TABLE VIII: Summary of data and communication security solutions for IoT: mechanism, implementation technique, and limitations.

Data and Communication Security Solutions

| Ref | Year | SDSec Solution | Mechanism | Implementation | Limitations |
|---|---|---|---|---|---|
| Chakrabarty et al. | 2015 | Black SDN | Introduction of symmetric encryption to secure 802.15.4 IoT device communication, metadata and payload at the link and network layers | Simulated on Black Network | Degraded network performance with the introduction of encryption; suitable for small networks |
| Flauzac et al. | 2015 | Border Controller | Border controllers are presented to secure Ad-hoc and IoT networks, using SDN with multiple controllers in equal interaction mode | No implementation or simulation, just proof of concept | Computational overhead is introduced, may cause performance bottleneck |
| D. Sinh et al. | 2015 | SDIoT | Combining SDN, SDStor, and SDSec into one controller to yield better results | No implementation or simulation, just proof of concept | Complex scheme is presented for large networks. Performance bottleneck for a single controller |
| C. Gonzalez et al. | 2016 | SDN-IoT Cluster | Controlling clusters by leveraging SDN cluster head communication with predefined rules based on IP headers | Simulation is being carried out on Mininet | Fixed cluster communication mechanism with static rules defined via IP headers only |
| C. Gonzalez et al. | 2016 | SDNCH | A routing protocol that can manage routing in Ad-hoc networks using ARP requests in an SDN clustered network with pre-installed flows | Simulation is being carried out on Mininet | Fixed communication based on ARP request pre-installed rules |
| Y. Li et al. | 2018 | Middle Box Guard (M-G) | SDN-IoT based middle box (M-G) is introduced to manage data flows by inspecting packet status for security and stability | Mininet simulator is used only, no real world implementation | Complex algorithms are used for packet inspection causing performance bottleneck |
| M. Conti et al. | 2019 | CENSOR | SDN assisted cloud-enabled secure IoT network architecture is proposed for software attestation and communication security | Mininet simulator is used only, no real world implementation | Cloud/Fog/SDN enabled complex security solution is proposed without catering for real world smart system traffic |

requests to regulate and secure Ad-hoc network information exchanges. Pre-installed flows are used for routing the communication between controllers and devices. Middle Box Guard (M-G) is presented by Y. Liu et al. in [18], which is an SDN-based data transfer security model that trims down network latency and manages data flows to ensure the network runs securely. The proposed data flow management protocol determines the correct route by checking the status of a packet. Furthermore, to safeguard the middlebox from turning into a hotspot, M-G proposes an offline integer linear program (ILP) algorithm to handle switch capacity limitations. Moreover, a lightweight scheme for remote attestation of software is put forward by M. Conti et al. in [19], named CENSOR. It ensures the integrity of the software that is being run by IoT devices to attain secure application services for achieving specific goals in the network. A summary of data and communication security solutions is depicted in Table VIII.

Privacy Solutions: Smart IoT devices are exposed to confidentiality and data privacy issues, due to insecure web


TABLE IX: Summary of privacy solutions for IoT: mechanism, implementation technique, and limitations.

Privacy Solutions

| Ref | Year | SDSec Solution | Mechanism | Implementation | Limitations |
|---|---|---|---|---|---|
| Sivaraman et al. | 2015 | SMP | Designing a security solution (SMP) that develops, customizes, and delivers extra security to IoT smart home users at the network level | Implementation on a campus network and a home network using a real world testbed | Limited to Hue Bulb and Nest smoke alarm; more smart devices may be introduced to check the efficacy of the solution |
| Gheisari et al. | 2018 | IoT-SDNPP | The authors presented IoT-SDNPP, where privacy is conserved in the smart city IoT device by varying the privacy behavior dynamically | Visual Studio .Net CSharp version 2018 is used | No real world simulation or implementation is carried out; furthermore, the mechanism is not explained |
| M. Gheisari et al. | 2019 | Context-aware privacy | Context-aware privacy preserving smart cities mechanism is presented by the authors to differentiate sensitive and non-sensitive data based on the smart devices | Simulations are carried out using Mininet-WiFi with six devices | This mechanism may work for a small network but is not suitable for large networks |

applications and APIs, like in the case of the Philips Hue Smart Bulb [62]. The data exchange is via HTTP in plain text and an attacker can eavesdrop on the insecurely transmitted data between the user and the bulb. Furthermore, the attacker can mark himself as a legitimate user in the list extracted from the Ethernet Bridge, as shown in Fig. 11. To counter such attacks, [62] proposed an external third party module known as Security Management Provider (SMP) that enables a network level security solution utilizing SDN architecture, unlike the traditional solution which focuses on enhancing device embedded security. SMP can recognize and quarantine device level threats at the network level. SMP offers security-as-a-service to smart-home devices.

[Fig. 11 diagram: ZigBee Light; Ethernet-Bridge with whitelist of users; Internet; HTTP plain text; 1. Eavesdrop; 2. Masquerade as legitimate user.]
Fig. 11: Smart Philips Bulb Attack Pattern. This scenario explains how an attacker can eavesdrop on an insecure small IoT home network.

M. Gheisari et al. in [174] proposed a mechanism, IoT-SDNPP, for preserving privacy in smart cities. It divides the smart devices into two distinct classes via clustering techniques. If the device has its privacy tag up, the controller sends a message to the smart device to encrypt all messages through a specified encryption algorithm; otherwise, if the smart device is not privacy enabled, it does not use any encryption. No real world implementation or simulation is performed by the authors. Likewise, to augment privacy in smart cities, another approach is put forward by M. Gheisari et al. [175]. Here, the SDN controller takes the decision based on the IoT devices, data sensitivity level and attributes of the routes for categorization of devices as normal or privacy preserving. Further, the privacy aware devices split their sensitive data and route it through a VPN mechanism. A summary of privacy solutions is depicted in Table IX.

Anomaly Detection Solutions: R. Vilalta et al. in [176] proposed an SDN enabled secure architecture for IoT devices. The mechanism encompasses an algorithm for anomaly detection based on statistical analysis. For this purpose the ADRENALINE and IoTWorld testbeds are used for simulating the IoT network, running on an SDN/NFV edge node. The proposed mechanism targets to defuse identified attack patterns by pre-installed flow entries in the flow table. Similarly, IoT SENTINEL is proposed by M. Miettinen et al. in [177] to efficiently identify different types of IoT devices automatically by device model and software version. It also neutralizes the communication of vulnerable devices to prevent further propagation in the network. Vulnerable devices are identified by device type identification and information from the vulnerability databases.

P. K. Sharma et al. in [178] presented SHSec, an SDN based architecture which can effectively and concisely manage and secure the smart home IoT. SHSec acts as a middleware to provide interoperability to varied resource-constrained devices.


TABLE X: Summary of Anomaly detection solutions for IoT: mechanism, implementation technique, and limitations.

Anomaly Detection Solutions

| Ref | Year | SDSec Solution | Mechanism | Implementation | Limitations |
|---|---|---|---|---|---|
| R. Vilalta et al. | 2016 | Secure SDN-IoT | SDN/NFV edge node, SDN controller and E2E security application modules are orchestrated to detect and mitigate anomalies by pre-installed flow entries in the flow table | IoTWorld testbed and the ADRENALINE testbed are used to carry out experiments | Proposed solution is suitable for small scale SDN-IoT; may cause performance bottleneck in large networks |
| Miettinen et al. | 2017 | IoT SENTINEL | IoT SENTINEL is proposed to identify vulnerable devices by device type identification and information from vulnerability databases | Simulations are carried out using Mininet along with real world tests | Software updates are not considered in the identification of vulnerable devices; only vulnerability databases are considered |
| Sharma et al. | 2019 | SHSec | An SDN based middleware architecture is presented to assess network performance and viability using link failures. The proposed model is evaluated on various metric parameters. It protects against threats and mitigates network security attacks | No real world experimental testbed; simulations are performed on the Mininet simulator | Results are generated using a controlled environment which resulted in high accuracy and sensitivity. Real traffic needs to be included for validation of results |

It protects against threats and mitigates network security attacks. A summary of anomaly detection solutions is depicted in Table-X.

General Security Solutions: An identification and authentication scheme is proposed by [179] for heterogeneous IoT networks based on SDN architecture. Device identities that depend on different technologies are brought into a shared identity based on virtual IPv6 addresses, for authenticating devices and gateways. F. I. Khan et al. in [180] have highlighted security management challenges in IoT and, to deliver security services, proposed an SDN based management framework. The proposed mechanism consists of a centralized controller with trust, key management, privacy, authentication and security attack mitigation modules.

I. Farris et al. in [181] presented a new framework that can effectively combine security features supported by NFV and SDN to augment IoT implementation scenarios. An orchestration module is designed to assist different communication technologies in achieving the desired objectives by applying predefined policies and providing a reactive response to unexpected behavior. Furthermore, two case studies have been examined to evaluate and adopt the proposed framework. J. Budakoti et al. in [182] presented a lightweight IoT middleware solution which can augment interoperability between varied devices like sensors, nodes, and mobile phones that transfer data on different networks using various protocols. The middleware solution is deployed on the IoT gateway, i.e., on the edge node, which can foster well organized data analysis for real time, critical applications. A summary of general security solutions is depicted in Table-XI.

Furthermore, adding on to the efforts of researchers and academicians working on enhancing security via SDN, it is worth mentioning the SDSec inputs from the industry as well. Although the pace of vendor specific commercially available tools is not up to the mark as expected, there are still a few commercially developed security applications that are designed to integrate with SDN controllers. Catbird [183] is one of the first commercially available tools that provide dynamic security based on policies. Furthermore, security and compliance policies are configured to achieve secure network controls. vARMOUR DSS Deception [184] is yet another commercially available product that is a simple, scalable, and secure cyber deception solution. It allows organizations to integrate a proactive approach into their defense-in-depth strategies by luring attackers to step outside the realm of legitimate traffic so that they can be easily recognized and properly tackled. VMware vShield data security [185] is another effort by the commercial realm that defends important data in the virtual and cloud infrastructure. Furthermore, it can track any attack generation. OneControl [186] by NetCitadel is a security solution that generates security alerts with context and provides organizations with a single integrated view of security events in order to enable analysis, ranking and threat response. DefenseFlow [167] is created by the Radware-OpenDaylight project and is an SDN based DDoS mitigation package. It joins all network gadgets to become part of the DDoS mitigation process. Mainly it performs two tasks, i.e., protected traffic is monitored and then the attack generated traffic is forwarded to mitigation centers. A summary of the vendor specific SDSec solutions is depicted in Table-XII.


TABLE XI: Summary of General security solutions for IoT: mechanism, implementation technique, and limitations.

General Security Solutions

| Ref | Year | SDSec Solution | Mechanism | Implementation | Limitations |
|---|---|---|---|---|---|
| Salman et al. | 2016 | Identity Management | An identity-based authentication scheme for heterogeneous IoT networks using SDN is designed, validated by the AVISPA and SPAN tools | Simulation is performed in Mininet whereas the SPAN and AVISPA tools are used for validation | Complex solution for low processing nodes, causing processing overhead |
| Khan et al. | 2017 | SDN-IoT | Designed a framework for provisioning of trust, key management, privacy, authentication and security attack mitigation services to IoT systems | No implementation or simulation, just proof of concept | Overall overhead and resource consumption are not considered |
| Farris et al. | 2017 | SDN-NFV based IoT | SDN-NFV based security service orchestration has been proposed to provide security to IoT | No implementation or simulation, just proof of concept | Scalability is not kept as a consideration of the smart systems |
| Budakoti et al. | 2018 | Middleware IoT for SDN | A lightweight IoT middleware solution is presented which augments interoperability between varied devices like sensors, nodes, and mobile phones that transfer data on different networks using various protocols | Real world testbed is created using a laptop and different sensors | Suitable for small scale SDN-IoT systems; scalability is not considered |

TABLE XII: List of commercially available SDSec solutions. These solutions can be incorporated in cloud and data-center networks.

| Ref | Vendor | Application Area | Solution | Remarks |
|---|---|---|---|---|
| [183] | Catbird (formerly called vSecurity) | Hybrid and Private Cloud using SDN | Multi firewalls and hypervisors integration solution | Supports Microsoft, VMware vCloud and Cisco Virtual Security Gateway (VSG) |
| [184] | vArmour | SDN based Data Centers | vArmour DSS Deception | Protects distributed data located across several servers in an efficient manner to allow the enterprise to adapt to new business changes in the world |
| [185] | vShield Data Security | SDN | Virtual Security Framework | Allows customers to build policy based groups and establish logical boundaries between them |
| [186] | NetCitadel | SDN | OneControl | Eliminates manual configuration and response actions when an event or change occurs |
| [167] | Radware-OpenDaylight Controller | SDN | DefenseFlow | DefenseFlow is an SDN based DDoS abating software and hardware package that permits all gadgets of the network to become part of the DDoS mitigation process |

VI. DISCUSSION, FINDINGS AND ISSUES IDENTIFIED

• This section discusses some of the findings and issues identified to depict the overall summary of the IoT security situation and the way forward. To accomplish a specific malign objective, diverse vulnerabilities and different attack vectors are exploited at various layers of IoT like the physical, MAC/network and application layer, as shown in Table-II. For example, in IoT device hardware, some interfaces are left open by manufacturers for a specific use. However, the attacker exploits this vulnerability and gains unauthorized access into these devices for manipulating the normal operation of the devices [35]. Likewise, the availability of the network services and the network itself is targeted from a jamming perspective. Apropos, different mechanisms are required for anti-jamming protection, which are completely different from mechanisms providing security against eavesdropping. Hence, unique security mechanisms are required depending on the various IoT application areas and their corresponding threat vectors.
• Due to compromised IoT devices, DDoS is the most widely carried out attack [33]. Therefore, keeping in mind the resource constraints of the IoT devices, a proper network mechanism needs to be placed at the entry and exit point of the IoT network.
• The security requirements of different IoT applications are not fulfilled by the security protocols of the numerous IoT technologies available. However, specific security requirements are provided by all technologies. Extra security mechanisms can be provided to a specific application area,


if the provided security is not enough. Nevertheless, it demands an extra cost for additional hardware, computation and bandwidth etc.
• A single parameter cannot relate the security features of two different technologies.
• It is important to examine different IoT applications and their related threats in order to provide complete and effective privacy and security solutions. Smart building and smart home are though similar but have different environments. For a specific threat, there must be a tailor made solution, specifically one comprising physical layer security and traditional cryptography. The objective is to deliver a cost-effective solution, while additionally considering the low energy constraints of the different solutions as they may be operated by battery [129].
• While designing IoT products, security is usually not the key concern. Product producers are keen to deliver devices with minimal price, low power greediness, wide coverage, high bit rate and easy configurations.
• Due to the resource constraints, installation of standard IT security protocols is not possible in smart devices. However, if the different features offered as optional are removed, certain standard security protocols can be customized.
• Because of the promising features of centralized access and information collected from the network due to the global view, SDN can configure the devices and regulate the network with dynamism. Therefore, for IoT networks it is considered to be an appropriate choice of network deployment. In addition, services like data gathering, security, analysis, decision making and configuration of remedial mechanisms turn out to be quicker and simpler by the amalgamation of SDN and IoT.
• An expandable distributed system with millions of IoT devices can easily be managed by SDN technology. Multiple SDN controllers, which may be distributed physically, are responsible for controlling a number of sub networks with IoT devices. As all the controllers are logically connected in a centralized manner, application developers (controller) have the leverage of controlling all smart devices via a single controller.
• The hardware and data format is abstracted from the underlying IoT application hardware through the data plane of SDN. This provides enhanced resource utilization for different IoT applications and numerous operators who can utilize the reusability of the current IoT networks for the development of future IoT services. Furthermore, it has magnified the desperately desirable horizontal market which delivers IoT services that are autonomous of a particular application area. Apropos, SDN is a much envisioned concept for the future-generation IoT architectures.
• The SDN controller is exploited to efficiently apply security policies on some or all of the networking devices simultaneously. Modifying security policies in SDN needs either adding security services at the control plane or only updating the security applications, instead of physically modifying the underlying network firmware or hardware.
• As discussed in Section III (Threats to IoT) and Section VI.B (SDSec Mechanisms/Frameworks for SDN-IoT) respectively, it can be inferred that significant research and development is being done both by academia and the commercial sectors to diminish IoT threats. All of these threats are related to the security triad, i.e., threats to the secrecy, integrity and accessibility of data. Consequently, Tables VII, VIII, IX, X and XI show the various security solutions proposed by the academic and research community to provide defensive, detective, reactive and remedial measures. For example, device security related issues such as device identity [177], [179], tamper proofing [19], registration and management [162] have been addressed by various researchers. Likewise, data management [18], [153], [172], anomaly detection [176], [180], privacy preserving techniques [62], [177], DoS/DDoS mitigation techniques [166]–[168], [170] and secure gateways [171], [187], [19] have also been diligently undertaken. Similarly, Table-XII highlights some commercial off-the-shelf (COTS) products for SDN based secure IoT.

VII. OPEN RESEARCH CHALLENGES

• Fundamental Security Standard: There are security, conformity and interoperability issues in IoT currently due to no device standardization, heterogeneous IoT applications and varied IoT products [188]. The majority of IoT devices are being produced without any fundamental security standard [25]. However, there is a dire need for cohesive security steps, keeping in view the present threats to IoT devices. These steps include but are not limited to mandatory user authentication and authorization, encrypting data during transmission and at rest, device security for preventing tampering, and application security. Nevertheless, given the resource constraints of several IoT devices such as sensors, micro-controller devices, CCTV, childcare products like baby cams and lighting systems for homes, along with the computation and memory rich obligations of conventional cryptographic encryption and authentication mechanisms, there is a need for fostering lightweight cryptographic protocols for IoT devices. Minimal manufacturing cost and low energy consumption in terms of application specific functionalities are also believed to be the restraining factors in fostering a generic solution for all IoT devices. Respectively, to compel bare minimum security standards in IoT devices there is a desperate need for an international standards body for IoT.

• Authentication and Access Control: One of the main security requirements of IoT is authentication. In order to access the IoT application and/or services the user must be authenticated beforehand. Although substantial work has been done to provide authentication and access control mechanisms in IoT [180], [181], the adaptive nature of IoT networks demands further attention to it. Characteristically, several platforms


use data exchange for accessing IoT services and applications. The data is obtained from the IoT devices in raw form and forwarded to a decision making process for meaningful information. Depending on the fundamental IoT architecture, these processes may differ but the data flow remains the same in IoT systems. Therefore, when an IoT device is accessed by any user or application, it must be validated/authenticated to the IoT network and it must be assured that it has the essential access rights for retrieving the data, else access must be denied. Similar to traditional networks, access control holds ample significance in IoT networks. Moreover, subject to the data sensitivity of some IoT services and applications, it is imperative to revoke and grant access to certain users. Hence an adaptive authentication and access control mechanism is needed for IoT systems.

• Software Code Integrity: Various IoT end device integrity ensuring solutions exist. Hardware-based techniques are the most reliable solutions that require a safe/secure environment for the execution of the whole attestation process. Producing hardware based secure IoT products is not a practical approach because of the low cost and alternatively high scale deployment. Therefore, as an alternative, it is a must to discover secure software-based techniques that can easily be configured in low power IoT devices with the elasticity of timely upgradation. The next generation of networks will probably be equipped with a mammoth number of heterogeneous devices. Consequently, in order to correctly detect and then adjust any malign software alteration with efficacy, a swarm attestation technique is a challenging task for a huge heterogeneous network [189].

• Machine Learning for IoT Security: Machine Learning (ML) algorithms build behavioral models using mathematical expression techniques on enormous data sets. Without explicit programming, ML can empower smart devices to learn. Based on new input data, these models serve as a source for future predictions. ML is used in scenarios when either human skills do not exist or are unable to leverage their expertise, e.g., speech recognition etc. In addition, it is also utilized in adaptive nature scenarios like routing algorithms in networks or observing the software code integrity of an application. Though in several areas ML techniques are known for performing well, these are machines and there is always a chance of true negatives and false positives [190]. Hence, management and alteration of the model is required when ML techniques predict inaccurately. On the other hand, Deep Learning (DL) is a new type of ML in which the model itself can govern the accuracy of prediction. For IoT systems with contextual and adapted assistance, DL models are the best fit for classification and prediction due to their self-service nature. ML and DL can provide promising results for IoT networks in several ways, e.g., the huge amount of data produced by IoT systems can be utilized by ML and DL techniques to enable IoT systems to make better and smart decisions. A few ML based security oriented real world applications are a) identification of malicious code in software and applications, and b) behavior analysis based detection of DDoS attacks. In traditional networks ML and DL have been greatly utilized in security solutions like IDS, IPS, privacy etc. Hence DL techniques can also be utilized for IoT security solutions along with a network based technology like SDN [191].

• Problems in Practical Deployment of SDN-IoT: The IoT network is growing at an exponential speed as compared with traditional networks [162]. Therefore an agile and flexible network based technology like SDN is required for the next-generation IoT. But there are the following few problems in the deployment of SDN based IoT that need to be addressed from the initial planning and design phase:
1. OpenFlow is constantly evolving, resulting in multiple flow tables and the addition of new matching fields like MPLS and IPv6, thus creating more flexibility vis-a-vis complicating the forwarding plane.
2. SDN based IoT usually has a centralized controller architecture and the data from the forwarding devices are constantly being forwarded to the controller, thus resulting in delays in pushing flow tables and possibly even packet loss.
3. The IoT devices and traditional network nodes are increasing mammoth in number, hence shifting the single controller regime to multiple distributed controllers is needed. Interaction and coordination between these distributed controllers is a serious issue in practice.

VIII. CONCLUSION

The paper focuses on highlighting the generic and well-known attacks and threats pertinent to different layers of the IoT architecture. These threats span from eavesdropping of the transmitted messages, identity theft, unauthorized access to malicious software code injection etc. We illustrated a real world successful attack carried out on smart homes. This paper also presented security requirements and challenges of different IoT application areas. Furthermore, based on the gap analysis to counter heterogeneity and security issues of IoT, it is highlighted that a network based deployment and security solution like SDN is needed for the IoT paradigm. Moreover, IoT deployments using SDN and SDN-IoT based security models are also discussed in detail to better understand the work done by academicians and researchers. To acquaint the readers, we then presented the discussion, findings and issues which are actually causing a standstill in the vast deployment of IoT and SDN-based IoT architectures. Finally, open research challenges centric to IoT security and SDN-IoT deployment models are discussed.


With respect to today's threat landscape, the innate security given by the conventional communication protocols doesn't ensure against code modification, node/device compromise attacks and overwhelming malware attacks. It is also evident from the modern cyber-attacks carried out on IoT devices that current security standards and protocols for IoT have failed in providing security to IoT devices. Hence an adaptive, novel and worthy IoT security system is required to tackle the current security landscape, which should be proactive in nature, providing baseline security to end users, network, applications, data and devices.

Therefore, machine learning technology with its inherent adaptive nature and promising results is suggested as a tool bundled with SDN to address the privacy and security concerns of IoT, as ML can solve various security issues in traditional networks due to its trained behavioral model based on strong mathematical expressions and SDN can provide network level security services to IoT as a third party application. Apropos, we intend to foster a security solution for IoT systems in future, based on SDN and machine learning approaches with the goal to defend the IoT systems against most of the security attacks.

ACKNOWLEDGEMENT

This research is supported by the Higher Education Commission (HEC), Pakistan through its initiative of National Center for Cyber Security for the affiliated lab National Cyber Security Auditing and Evaluation Lab (NCSAEL), Grant No: 2(1078)/HEC/M&E/2018/707.

REFERENCES

[1] S. Kraijak and P. Tuwanut, “A survey on IoT architectures, protocols, applications, security, privacy, real-world implementation and future trends,” 2015.
[2] K. Rose, S. Eldridge, and L. Chapin, “The internet of things: An overview,” The Internet Society (ISOC), vol. 80, 2015.
[3] K. Ashton et al., “That internet of things thing,” RFID Journal, vol. 22, no. 7, pp. 97–114, 2009.
[4] J. Voas, B. Agresti, and P. A. Laplante, “A closer look at IoT’s things,” IT Professional, vol. 20, no. 3, pp. 11–14, May 2018.
[5] G. Inc. (1999) World's well known trusted advisor in IT. [Online]. Available: https://www.gartner.com/en
[6] J. Mocnej, A. Pekar, W. K. Seah, and I. Zolotova, “Network traffic characteristics of the IoT application use cases,” Retrieved June, vol. 20, p. 2018, 2017.
[7] J. Voas, “Primitives and elements of internet of things (IoT) trustworthiness,” National Institute of Standards and Technology, Tech. Rep., 2016.
[8] A. Meola, “How the internet of things will affect security & privacy,” Business Insider, vol. 8, 2016.
[9] J. Steinberg, “These devices may be spying on you (even in your own home),” Forbes. Retrieved 27 May 2014, 2014.
[10] H. Fortify, “Internet of things security study: Smartwatches,” 2015.
[11] T. Hahn, S. Matthews, L. Wood, J. Cohn, S. Regev, J. Fletcher, E. Libow, C. Poulin, and K. Ohnishi, “IBM point of view: Internet of things security,” White paper, April, 2015.
[12] A. R. Sfar, E. Natalizio, Y. Challal, and Z. Chtourou, “A roadmap for security challenges in the internet of things,” Digital Communications and Networks, vol. 4, no. 2, pp. 118–137, 2018.
[13] D. Storm, “Hackers exploit SCADA holes to take full control of critical infrastructure,” Computerworld, vol. 15, 2014.
[14] AT&T Cybersecurity Insights. (2016) The CEO's guide to data security: protect your data through innovation. [Online]. Available: https://www.business.att.com/cybersecurity/docs/vol5-datasecurity.pdf
[15] C. V. N. Index, “Cisco visual networking index: Global mobile data traffic forecast update, 2015-2020 white paper,” Accessed date, 2016.
[16] S. K. Tayyaba, M. A. Shah, O. A. Khan, and A. W. Ahmed, “Software defined network (SDN) based internet of things (IoT): A road ahead,” in Proceedings of the International Conference on Future Networks and Distributed Systems. ACM, 2017, p. 15.
[17] A. Mosenia and N. K. Jha, “A comprehensive study of security of internet-of-things,” IEEE Transactions on Emerging Topics in Computing, vol. 5, no. 4, pp. 586–602, 2016.
[18] Y. Liu, Y. Kuang, Y. Xiao, and G. Xu, “SDN-based data transfer security for internet of things,” IEEE Internet of Things Journal, vol. 5, no. 1, pp. 257–268, 2017.
[19] M. Conti, P. Kaliyar, and C. Lal, “CENSOR: Cloud-enabled secure IoT architecture over SDN paradigm,” Concurrency and Computation: Practice and Experience, vol. 31, no. 8, p. e4978, 2019.
[20] F. I. Khan and S. Hameed, “Understanding security requirements and challenges in internet of things (IoTs): A review,” arXiv preprint arXiv:1808.10529, 2018.
[21] N. Bizanis and F. A. Kuipers, “SDN and virtualization solutions for the internet of things: A survey,” IEEE Access, vol. 4, pp. 5591–5606, 2016.
[22] T. N. Nguyen, “The challenges in SDN/ML based network security: A survey,” arXiv preprint arXiv:1804.03539, 2018.
[23] O. Salman, I. Elhajj, A. Chehab, and A. Kayssi, “IoT survey: An SDN and fog computing perspective,” Computer Networks, vol. 143, pp. 221–246, 2018.
[24] I. Makhdoom, M. Abolhasan, J. Lipman, R. P. Liu, and W. Ni, “Anatomy of threats to the internet of things,” IEEE Communications Surveys & Tutorials, vol. 21, no. 2, pp. 1636–1675, 2018.
[25] A. Banafa, “IoT standardization and implementation challenges,” IEEE Internet of Things Newsletter, 2016.
[26] S. A. Kumar, T. Vealey, and H. Srivastava, “Security in internet of things: challenges, solutions and future directions,” in 2016 49th Hawaii International Conference on System Sciences (HICSS). IEEE, 2016, pp. 5772–5781.
[27] J. Granjal, E. Monteiro, and J. S. Silva, “Security for the internet of things: a survey of existing protocols and open research issues,” IEEE Communications Surveys & Tutorials, vol. 17, no. 3, pp. 1294–1312, 2015.
[28] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, and M. Ayyash, “Internet of things: A survey on enabling technologies, protocols, and applications,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2347–2376, 2015.
[29] M. Khari, M. Kumar, S. Vij, P. Pandey et al., “Internet of things: Proposed security aspects for digitizing the world,” in 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom). IEEE, 2016, pp. 2165–2170.
[30] A. Reziouk, E. Laurent, and J.-C. Demay, “Practical security overview of IEEE 802.15.4,” in 2016 International Conference on Engineering & MIS (ICEMIS). IEEE, 2016, pp. 1–9.
[31] D. Uckelmann, M. Harrison, and F. Michahelles, “An architectural approach towards the future internet of things,” in Architecting the Internet of Things. Springer, 2011, pp. 1–24.
[32] A. Banafa, “IoT standardization and implementation challenges,” IEEE Internet of Things Newsletter, 2016.
[33] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu, “Security of the internet of things: perspectives and challenges,” Wireless Networks, vol. 20, no. 8, pp. 2481–2501, 2014.
[34] T. Yu, V. Sekar, S. Seshan, Y. Agarwal, and C. Xu, “Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the internet-of-things,” in Proceedings of the 14th ACM Workshop on Hot Topics in Networks. ACM, 2015, p. 5.
[35] G. Hernandez, O. Arias, D. Buentello, and Y. Jin, “Smart Nest thermostat: A smart spy in your home,” Black Hat USA, pp. 1–8, 2014.
[36] S. Zonouz, J. Rrushi, and S. McLaughlin, “Detecting industrial control malware using automated PLC code analytics,” IEEE Security & Privacy, vol. 12, no. 6, pp. 40–47, 2014.
[37] J. Deogirikar and A. Vidhate, “Security attacks in IoT: A survey,” in 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC). IEEE, 2017, pp. 32–37.
[38] B. Javed, M. W. Iqbal, and H. Abbas, “Internet of things (IoT) design considerations for developers and manufacturers,” in 2017 IEEE International Conference on Communications Workshops (ICC Workshops), May 2017, pp. 834–839.
[39] S. Katz and B. L. Marshall, “Tracked and fit: Fitbits, brain games, and the quantified aging body,” Journal of Aging Studies, vol. 45, pp. 63–68, 2018.


[40] M. L. Hale, K. Lotfy, R. F. Gamble, C. Walter, and J. Lin, “Developing and mobile computing, networking and communications (WiMob).
a platform to evaluate and assess the security of wearable devices,” IEEE, 2015, pp. 163–167.
Digital Communications and Networks, vol. 5, no. 3, pp. 147–159, [63] acunetix. (2018) Cross-site scripting (xss) attack. [Online]. Available:
2019. https://www.acunetix.com/websitesecurity/cross-site-scripting/
[41] P. Voigt and A. Von dem Bussche, “The eu general data protection [64] B. J. Mohd, T. Hayajneh, and A. V. Vasilakos, “A survey on lightweight
regulation (gdpr),” A Practical Guide, 1st Ed., Cham: Springer Inter- block ciphers for low-resource devices: Comparative study and open
national Publishing, 2017. issues,” Journal of Network and Computer Applications, vol. 58, pp.
[42] P. F. Edemekong and M. J. Haydel, “Health insurance portability 73–93, 2015.
and accountability act (hipaa),” in StatPearls [Internet]. StatPearls [65] H. Ning, H. Liu, and L. T. Yang, “Cyberentity security in the internet
Publishing, 2019. of things,” Computer, vol. 46, no. 4, pp. 46–53, 2013.
[43] I. Makhdoom, M. Abolhasan, J. Lipman, R. P. Liu, and W. Ni, [66] S. R. Moosavi, T. N. Gia, A.-M. Rahmani, E. Nigussie, S. Virtanen,
“Anatomy of threats to the internet of things,” IEEE Communications J. Isoaho, and H. Tenhunen, “Sea: a secure and efficient authentication
Surveys & Tutorials, vol. 21, no. 2, pp. 1636–1675, 2018. and authorization architecture for iot-based healthcare using smart
[44] K. Hamlen, M. Kantarcioglu, L. Khan, and B. Thuraisingham, “Secu- gateways,” Procedia Computer Science, vol. 52, pp. 452–459, 2015.
rity issues for cloud computing,” International Journal of Information [67] W. Wu and L. Zhang, “Lblock: a lightweight block cipher,” in Inter-
Security and Privacy (IJISP), vol. 4, no. 2, pp. 36–48, 2010. national Conference on Applied Cryptography and Network Security.
[45] J. Wurm, K. Hoang, O. Arias, A.-R. Sadeghi, and Y. Jin, “Security Springer, 2011, pp. 327–344.
analysis on consumer and industrial iot devices,” in 2016 21st Asia [68] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J.
and South Pacific Design Automation Conference (ASP-DAC). IEEE, Robshaw, Y. Seurin, and C. Vikkelsoe, “Present: An ultra-lightweight
2016, pp. 519–524. block cipher,” in International Workshop on Cryptographic Hardware
[46] T. Brewster. (2015) Its depressingly easy to spy on and Embedded Systems. Springer, 2007, pp. 450–466.
vulnerable baby monitors using just a browser. [Online]. Avail- [69] C. H. Lim and T. Korkishko, “mcrypton–a lightweight block cipher for
able: https://www.forbes.com/sites/thomasbrewster/2015/09/02/baby- security of low-cost rfid tags and sensors,” in International Workshop
surveillance-with-a-browser/n2508d85b1aa0 on Information Security Applications. Springer, 2005, pp. 243–258.
[47] D. Puthal, S. Nepal, R. Ranjan, and J. Chen, “Threats to networking [70] C. DeCanniere, O. Dunkelman, and M. Kne, “Katan and ktantan a
cloud and edge datacenters in the internet of things,” IEEE Cloud family of small and efficient hardware-oriented block ciphers,” in Cryp-
Computing, vol. 3, no. 3, pp. 64–71, 2016. tographic Hardware and Embedded Systems-CHES 2009. Springer,
[48] B. Balamurugan and D. Biswas, “Security in network layer of iot: 2009, pp. 272–288.
Possible measures to preclude,” in Security Breaches and Threat [71] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang, “Pushing
Prevention in the Internet of Things. IGI Global, 2017, pp. 46–75. the limits: a very compact and a threshold implementation of aes,” in
[49] P. Paganini. (2014) MS Windows NT Annual International Conference on the Theory and Applications of
kernel description. [Online]. Available: Cryptographic Techniques. Springer, 2011, pp. 69–88.
https://securityaffairs.co/wordpress/30320/security/microsoft-patch-
[72] M. A. Orumiehchiha, J. Pieprzyk, and R. Steinfeld, “Cryptanalysis of
kerberos-bug.html
wg-7: a lightweight stream cipher,” Cryptography and Communica-
[50] O. Arias, J. Wurm, K. Hoang, and Y. Jin, “Privacy and security in
tions, vol. 4, no. 3-4, pp. 277–285, 2012.
internet of things and wearable devices,” IEEE Transactions on Multi-
[73] G. Hatzivasilis, K. Fysarakis, I. Papaefstathiou, and C. Manifavas,
Scale Computing Systems, vol. 1, no. 2, pp. 99–109, 2015.
“A review of lightweight block ciphers,” Journal of Cryptographic
[51] B.Fowler, “Some top baby monitors lack basic security features report
Engineering, vol. 8, no. 2, pp. 141–184, 2018.
finds,” 2015.
[52] T. Borgohain, U. Kumar, and S. Sanyal, “Survey of security and [74] A. T. Lo’ai and T. F. Somani, “More secure internet of things using
privacy issues of internet of things,” CoRR, vol. abs/1501.02211, robust encryption algorithms against side channel attacks,” in 2016
2015. [Online]. Available: http://arxiv.org/abs/1501.02211 IEEE/ACS 13th International Conference of Computer Systems and
[53] V. B. Misic, J. Fang, and J. Misic, “Mac layer security of 802.15. Applications (AICCSA). IEEE, 2016, pp. 1–6.
4-compliant networks,” in IEEE International Conference on Mobile [75] F. Zhang, S. Guo, X. Zhao, T. Wang, J. Yang, F.-X. Standaert, and
Adhoc and Sensor Systems Conference, 2005. IEEE, 2005, pp. 8–pp. D. Gu, “A framework for the analysis and evaluation of algebraic
[54] N. Sastry and D. Wagner, “Security considerations for ieee 802.15. fault attacks on lightweight block ciphers,” IEEE Transactions on
4 networks,” in Proceedings of the 3rd ACM workshop on Wireless Information Forensics and Security, vol. 11, no. 5, pp. 1039–1054,
security. ACM, 2004, pp. 32–42. 2016.
[55] D. Puthal, S. Nepal, R. Ranjan, and J. Chen, “A dynamic prime number [76] M. Majzoobi, M. Rostami, F. Koushanfar, D. S. Wallach, and S. De-
based efficient security mechanism for big sensing data streams,” vadas, “Slender puf protocol: A lightweight, robust, and secure authen-
Journal of Computer and System Sciences, vol. 83, no. 1, pp. 22–42, tication by substring matching,” in 2012 IEEE Symposium on Security
2017. and Privacy Workshops. IEEE, 2012, pp. 33–44.
[56] J. Murphy. (2016) Ms windows nt kernel description. [Online]. [77] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical
Available: https://developer.ibm.com/iotplatform/2016/09/23/enhanced- unclonable functions and applications: A tutorial,” Proceedings of the
security-controls-for-ibm-watson-iot-platform IEEE, vol. 102, no. 8, pp. 1126–1141, 2014.
[57] R. M. Savola, H. Abie, and M. Sihvonen, “Towards metrics driven [78] A. Seshadri, A. Perrig, L. Van Doorn, and P. Khosla, “Swatt: Software-
adaptive security management in ehealth iot applications,” in proceed- based attestation for embedded devices,” in IEEE Symposium on
ings of the 7th International Conference on Body Area Networks. ICST Security and Privacy, 2004. Proceedings. 2004. IEEE, 2004, pp. 272–
(Institute for Computer Sciences, Social-Informatics and , 2012, pp. 282.
276–281. [79] A. Seshadri, M. Luk, E. Shi, A. Perrig, L. Van Doorn, and P. Khosla,
[58] A. Kanuparthi, R. Karri, and S. Addepalli, “Hardware and embedded “Pioneer: verifying code integrity and enforcing untampered code
security in the context of internet of things,” in Proceedings of the execution on legacy systems,” in ACM SIGOPS Operating Systems
2013 ACM workshop on Security, privacy & dependability for cyber Review, vol. 39, no. 5. ACM, 2005, pp. 1–16.
vehicles. ACM, 2013, pp. 61–64. [80] A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla, “Scuba:
[59] A.-R. Sadeghi, C. Wachsmann, and M. Waidner, “Security and Secure code update by attestation in sensor networks,” in Proceedings
privacy challenges in industrial internet of things,” in 2015 52nd of the 5th ACM workshop on Wireless security. ACM, 2006, pp.
ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 2015, 85–94.
pp. 1–6. [81] Y. Yang, X. Wang, S. Zhu, and G. Cao, “Distributed software-based
[60] Dave. (2017) Ten most critical web application security risks. [Online]. attestation for node compromise detection in sensor networks,” in 2007
Available: https://www.owasp.org 26th IEEE International Symposium on Reliable Distributed Systems
[61] C. Staff. (2016) Sqli xss zero days expose (SRDS 2007). IEEE, 2007, pp. 219–230.
belkin iot devices android smartphones. [Online]. Avail- [82] T. AbuHmed, N. Nyamaa, and D. Nyang, “Software-based remote code
able: https://www.csoonline.com/article/3138935/sqli-xss-zero-days- attestation in wireless sensor network,” in GLOBECOM 2009-2009
expose-belkin-iot-devices-android-smartphones.html IEEE Global Telecommunications Conference. IEEE, 2009, pp. 1–
[62] V. Sivaraman, H. H. Gharakheili, A. Vishwanath, R. Boreli, and 8.
O. Mehani, “Network level security and privacy control for smart home [83] T. Abera, N. Asokan, L. Davi, F. Koushanfar, A. Paverd, A.-R. Sadeghi,
iot devices,” in 2015 IEEE 11th International conference on wireless and G. Tsudik, “Things, trouble, trust: on building trust in iot systems,”

2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: NUST School of Electrical Engineering and Computer Science (SEECS). Downloaded on June 03,2020 at 08:40:29 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.2997651, IEEE Internet of
Things Journal
25

in Proceedings of the 53rd Annual Design Automation Conference. [105] N. Apthorpe, D. Reisman, S. Sundaresan, A. Narayanan, and N. Feam-
ACM, 2016, p. 121. ster, “Spying on the smart home: Privacy attacks and defenses on
[84] K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito, “Smart: Secure encrypted iot traffic,” arXiv preprint arXiv:1708.05044, 2017.
and minimal architecture for (establishing dynamic) root of trust.” in [106] J. Liu, C. Zhang, and Y. Fang, “Epic: A differential privacy framework
NDSS, vol. 12, 2012, pp. 1–15. to defend smart homes against internet traffic analysis,” IEEE Internet
[85] R. Strackx, F. Piessens, and B. Preneel, “Efficient isolation of trusted of Things Journal, vol. 5, no. 2, pp. 1206–1217, 2018.
subsystems in embedded systems,” in International Conference on [107] T. Song, R. Li, B. Mei, J. Yu, X. Xing, and X. Cheng, “A privacy pre-
Security and Privacy in Communication Systems. Springer, 2010, serving communication protocol for iot applications in smart homes,”
pp. 344–361. IEEE Internet of Things Journal, vol. 4, no. 6, pp. 1844–1852, 2017.
[86] J. Noorman, J. V. Bulck, J. T. Mühlberg, F. Piessens, P. Maene, [108] Y. Tian, N. Zhang, Y.-H. Lin, X. Wang, B. Ur, X. Guo, and P. Tague,
B. Preneel, I. Verbauwhede, J. Götzfried, T. Müller, and F. Freiling, “Smartauth: User-centered authorization for the internet of things,” in
“Sancus 2.0: A low-cost security architecture for iot devices,” ACM 26th {USENIX} Security Symposium ({USENIX} Security 17), 2017,
Transactions on Privacy and Security (TOPS), vol. 20, no. 3, p. 7, pp. 361–378.
2017. [109] E. Fernandes, A. Rahmati, J. Jung, and A. Prakash, “Security impli-
[87] P. Koeberl, S. Schulz, A.-R. Sadeghi, and V. Varadharajan, “Trustlite: cations of permission models in smart-home application frameworks,”
A security architecture for tiny embedded devices,” in Proceedings of IEEE Security & Privacy, vol. 15, no. 2, pp. 24–30, 2017.
the Ninth European Conference on Computer Systems. ACM, 2014, [110] M. A. Sahi, H. Abbas, K. Saleem, X. Yang, A. Derhab, M. A.
p. 10. Orgun, W. Iqbal, I. Rashid, and A. Yaseen, “Privacy preservation in
e-healthcare environments: State of the art and future directions,” Ieee
[88] F. Brasser, B. El Mahjoub, A.-R. Sadeghi, C. Wachsmann, and
Access, vol. 6, pp. 464–478, 2017.
P. Koeberl, “Tytan: tiny trust anchor for tiny devices,” in 2015 52nd
[111] B. Riedl, V. Grascher, and T. Neubauer, “A secure e-health architecture
ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 2015,
based on the appliance of pseudonymization.” JSW, vol. 3, no. 2, pp.
pp. 1–6.
23–32, 2008.
[89] T. Abera, N. Asokan, L. Davi, F. Koushanfar, A. Paverd, A.-R. Sadeghi, [112] X. Liu, Y. Li, J. Qu, and Y. Ding, “A lightweight pseudonym authenti-
and G. Tsudik, “Things, trouble, trust: on building trust in iot systems,” cation and key agreement protocol for multi-medical server architecture
in Proceedings of the 53rd Annual Design Automation Conference. in tmis.” TIIS, vol. 11, no. 2, pp. 924–944, 2017.
ACM, 2016, p. 121. [113] X. Li, M. H. Ibrahim, S. Kumari, A. K. Sangaiah, V. Gupta, and K.-
[90] A.-R. Sadeghi, S. Schulz, and C. Wachsmann, “Short paper: K. R. Choo, “Anonymous mutual authentication and key agreement
Lightweight remote attestation using physical functions,” WiSec’11, scheme for wearable sensors in wireless body area networks,” Com-
2011. puter Networks, vol. 129, pp. 429–443, 2017.
[91] J. Kong, F. Koushanfar, P. K. Pendyala, A.-R. Sadeghi, and [114] A. M. Koya and P. Deepthi, “Anonymous hybrid mutual authentication
C. Wachsmann, “Pufatt: Embedded platform attestation based on and key agreement scheme for wireless body area network,” Computer
novel processor-based pufs,” in 2014 51st ACM/EDAC/IEEE Design Networks, vol. 140, pp. 138–151, 2018.
Automation Conference (DAC). IEEE, 2014, pp. 1–6. [115] K. Seol, Y.-G. Kim, E. Lee, Y.-D. Seo, and D.-K. Baik, “Privacy-
[92] N. Asokan, F. Brasser, A. Ibrahim, A.-R. Sadeghi, M. Schunter, preserving attribute-based access control model for xml-based elec-
G. Tsudik, and C. Wachsmann, “Seda: Scalable embedded device tronic health record system,” IEEE Access, vol. 6, pp. 9114–9128, 2018.
attestation,” in Proceedings of the 22nd ACM SIGSAC Conference on [116] C. Rottondi, G. Verticale, and A. Capone, “Privacy-preserving smart
Computer and Communications Security. ACM, 2015, pp. 964–975. metering with multiple data consumers,” Computer Networks, vol. 57,
[93] M. Ambrosin, M. Conti, A. Ibrahim, G. Neven, A.-R. Sadeghi, and no. 7, pp. 1699–1713, 2013.
M. Schunter, “Sana: Secure and scalable aggregate network attestation,” [117] S. Ge, P. Zeng, R. Lu, and K.-K. R. Choo, “Fgda: Fine-grained data
in Proceedings of the 2016 ACM SIGSAC Conference on Computer and analysis in privacy-preserving smart grid communications,” Peer-to-
Communications Security. ACM, 2016, pp. 731–742. Peer Networking and Applications, vol. 11, no. 5, pp. 966–978, 2018.
[94] T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman, A. Paverd, [118] C.-I. Fan, S.-Y. Huang, and Y.-L. Lai, “Privacy-enhanced data aggrega-
A.-R. Sadeghi, and G. Tsudik, “C-flat: control-flow attestation for tion scheme against internal attackers in smart grid,” IEEE Transactions
embedded systems software,” in Proceedings of the 2016 ACM SIGSAC on Industrial informatics, vol. 10, no. 1, pp. 666–675, 2013.
Conference on Computer and Communications Security. ACM, 2016, [119] H. Shen, M. Zhang, and J. Shen, “Efficient privacy-preserving cube-
pp. 743–754. data aggregation scheme for smart grids,” IEEE Transactions on
[95] G. Dessouky, S. Zeitouni, T. Nyman, A. Paverd, L. Davi, P. Koeberl, Information Forensics and Security, vol. 12, no. 6, pp. 1369–1381,
N. Asokan, and A.-R. Sadeghi, “Lo-fat: Low-overhead control flow 2017.
attestation in hardware,” in Proceedings of the 54th Annual Design [120] M. A. Rahman, M. H. Manshaei, E. Al-Shaer, and M. Shehab, “Secure
Automation Conference 2017. ACM, 2017, p. 24. and private data aggregation for energy consumption scheduling in
[96] D. Dragomir, L. Gheorghe, S. Costea, and A. Radovici, “A survey on smart grids,” IEEE Transactions on Dependable and Secure Comput-
secure communication protocols for iot systems,” in 2016 International ing, vol. 14, no. 2, pp. 221–234, 2015.
Workshop on Secure Internet of Things (SIoT). IEEE, 2016, pp. 47–62. [121] D. Engel and G. Eibl, “Wavelet-based multiresolution smart meter
[97] H. Kim and E. A. Lee, “Authentication and authorization for the privacy,” IEEE Transactions on Smart Grid, vol. 8, no. 4, pp. 1710–
internet of things,” IT Professional, vol. 19, no. 5, pp. 27–33, 2017. 1721, 2015.
[98] A. Alcaide, E. Palomar, J. Montero-Castillo, and A. Ribagorda, [122] S. Zawoad and R. Hasan, “Faiot: Towards building a forensics aware
“Anonymous authentication for privacy-preserving iot target-driven eco system for the internet of things,” in 2015 IEEE International
applications,” computers & security, vol. 37, pp. 111–123, 2013. Conference on Services Computing. IEEE, 2015, pp. 279–284.
[123] L. Caviglione, S. Wendzel, and W. Mazurczyk, “The future of digital
[99] A. Farahzadi, P. Shams, J. Rezazadeh, and R. Farahbakhsh, “Middle-
forensics: Challenges and the road ahead,” IEEE Security & Privacy,
ware technologies for cloud of things: a survey,” Digital Communica-
vol. 15, no. 6, pp. 12–17, 2017.
tions and Networks, vol. 4, no. 3, pp. 176–188, 2018.
[124] M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of
[100] C. Su, B. Santoso, Y. Li, R. H. Deng, and X. Huang, “Universally com- things security and forensics: Challenges and opportunities,” 2018.
posable rfid mutual authentication,” IEEE Transactions on Dependable [125] V. R. Kebande and I. Ray, “A generic digital forensic investigation
and Secure Computing, vol. 14, no. 1, pp. 83–94, 2017. framework for internet of things (iot),” in 2016 IEEE 4th International
[101] R. H. Weber, “Internet of things: Privacy issues revisited,” Computer Conference on Future Internet of Things and Cloud (FiCloud). IEEE,
Law & Security Review, vol. 31, no. 5, pp. 618–627, 2015. 2016, pp. 356–362.
[102] J. H. Ziegeldorf, O. G. Morchon, and K. Wehrle, “Privacy in the [126] E. Oriwoh, D. Jazani, G. Epiphaniou, and P. Sant, “Internet of things
internet of things: threats and challenges,” Security and Communication forensics: Challenges and approaches,” in 9th IEEE International
Networks, vol. 7, no. 12, pp. 2728–2742, 2014. Conference on Collaborative computing: networking, Applications and
[103] J. Lopez, R. Rios, F. Bao, and G. Wang, “Evolving privacy: From Worksharing. IEEE, 2013, pp. 608–615.
sensors to the internet of things,” Future Generation Computer Systems, [127] A. Nieto, R. Rios, and J. Lopez, “Iot-forensics meets privacy: towards
vol. 75, pp. 46–57, 2017. cooperative digital investigations,” Sensors, vol. 18, no. 2, p. 492, 2018.
[104] R. Mendes and J. P. Vilela, “Privacy-preserving data mining: methods, [128] N. T. Commission, N. T. Commission et al., “Changing driving laws
metrics, and applications,” IEEE Access, vol. 5, pp. 10 562–10 582, to support automated vehicles,” Discussion Paper, October 2017, NTC,
2017. Melbourne, Tech. Rep., 2017.

2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: NUST School of Electrical Engineering and Computer Science (SEECS). Downloaded on June 03,2020 at 08:40:29 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.2997651, IEEE Internet of
Things Journal
26

[129] I. Makhdoom, M. Abolhasan, J. Lipman, R. P. Liu, and W. Ni, [156] I. Bedhief, M. Kassar, and T. Aguili, “Sdn-based architecture chal-
“Anatomy of threats to the internet of things,” IEEE Communications lenging the iot heterogeneity,” in 2016 3rd Smart Cloud Networks &
Surveys & Tutorials, vol. 21, no. 2, pp. 1636–1675, 2018. Systems (SCNS). IEEE, 2016, pp. 1–3.
[130] O. N. Fundation, “Software-defined networking: The new norm for [157] M. Tortonesi, J. Michaelis, A. Morelli, N. Suri, and M. A. Baker, “Spf:
networks,” ONF White Paper, vol. 2, pp. 2–6, 2012. An sdn-based middleware solution to mitigate the iot information ex-
[131] M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and plosion,” in 2016 IEEE Symposium on Computers and Communication
S. Shenker, “Ethane: Taking control of the enterprise,” in ACM SIG- (ISCC). IEEE, 2016, pp. 435–442.
COMM Computer Communication Review, vol. 37, no. 4. ACM, 2007, [158] D. Sinh, L.-V. Le, B.-S. P. Lin, and L.-P. Tung, “Sdn nfv a new
pp. 1–12. approach of deploying network infrastructure for iot,” in 2018 27th
[132] M. Casado, T. Garfinkel, A. Akella, M. J. Freedman, D. Boneh, Wireless and Optical Communication Conference (WOCC). IEEE,
N. McKeown, and S. Shenker, “Sane: A protection architecture for 2018, pp. 1–5.
enterprise networks.” in USENIX Security Symposium, vol. 49, 2006, [159] W. Cerroni, C. Buratti, S. Cerboni, G. Davoli, C. Contoli, F. Foresta,
p. 50. F. Callegati, and R. Verdone, “Intent-based management and orches-
[133] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “Sdn security: tration of heterogeneous openflow/iot sdn domains,” in 2017 IEEE
A survey,” in 2013 IEEE SDN For Future Networks and Services Conference on Network Softwarization (NetSoft). IEEE, 2017, pp.
(SDN4FNS). IEEE, 2013, pp. 1–7. 1–9.
[134] K. Benzekki, A. El Fergougui, and A. Elbelrhiti Elalaoui, “Software- [160] Y. Li, X. Su, J. Riekki, T. Kanter, and R. Rahmani, “A sdn-based
defined networking (sdn): a survey,” Security and communication architecture for horizontal internet of things services,” in 2016 IEEE
networks, vol. 9, no. 18, pp. 5803–5833, 2016. International Conference on Communications (ICC). IEEE, 2016, pp.
[135] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, 1–7.
J. Rexford, S. Shenker, and J. Turner, “Openflow enabling innovation [161] Y. Wang, Y. Zhang, and J. Chen, “An sdn-based publish/subscribe-
in campus networks,” ACM SIGCOMM Computer Communication enabled communication platform for iot services,” China communica-
Review, vol. 38, no. 2, pp. 69–74, 2008. tions, vol. 15, no. 1, pp. 95–106, 2018.
[136] ONF. (2013) Open networking foundation. [Online]. Available: [162] O. Flauzac, C. Gonzalez, A. Hachani, and F. Nolot, “Sdn based
https://www.opennetworking.org architecture for iot and improvement of the security,” in 2015 IEEE
[137] I. Alsmadi and D. Xu, “Security of software defined networks: A 29th International Conference on Advanced Information Networking
survey,” computers & security, vol. 53, pp. 79–108, 2015. and Applications Workshops. IEEE, 2015, pp. 688–693.
[138] RYU. (2015) osrg.githubioryu. [Online]. Available: [163] F. Olivier, G. Carlos, and N. Florent, “New security architecture for
https://osrg.github.io/ryu/ iot network,? procedia comput,” 2015.
[139] ONOS. (2015) Open networking operating system project. [Online]. [164] D. Wu, D. I. Arkhipov, E. Asmare, Z. Qin, and J. A. McCann,
Available: https://onosproject.org “Ubiflow: Mobility management in urban-scale software defined iot,”
[140] ODL. (2018) Openday light project. [Online]. Available: in 2015 IEEE conference on computer communications (INFOCOM).
https://www.opendaylight.org IEEE, 2015, pp. 208–216.
[141] FDL. (2019) Flood light project. [Online]. Available: [165] S. Tomovic, K. Yoshigoe, I. Maljevic, and I. Radusinovic, “Software-
http://www.projectfloodlight.org/floodlight/ defined fog network architecture for iot,” Wireless Personal Communi-
[142] N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, and cations, vol. 92, no. 1, pp. 181–196, 2017.
S. Shenker, “Nox: towards an operating system for networks,” ACM [166] M. Al-Ayyoub, Y. Jararweh, E. Benkhelifa, M. Vouk, A. Rindos et al.,
SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105– “Sdsecurity: A software defined security experimental framework,”
110, 2008. in 2015 IEEE International Conference on Communication Workshop
[143] M. McCauley. (2018) Pox controller. [Online]. Available: (ICCW). IEEE, 2015, pp. 1871–1876.
https://github.com/noxrepo/ [167] P. Bull, R. Austin, E. Popov, M. Sharma, and R. Watson, “Flow
[144] M. Karakus and A. Durresi, “A survey: Control plane scalability based security for iot devices using an sdn gateway,” in 2016 IEEE
issues and approaches in software-defined networking (sdn),” Computer 4th International Conference on Future Internet of Things and Cloud
Networks, vol. 112, pp. 279–293, 2017. (FiCloud). IEEE, 2016, pp. 157–163.
[145] H. Song, “Protocol-oblivious forwarding: Unleash the power of sdn [168] S. S. Bhunia and M. Gurusamy, “Dynamic attack detection and mitiga-
through a future-proof forwarding plane,” in Proceedings of the second tion in iot using sdn,” in 2017 27th International Telecommunication
ACM SIGCOMM workshop on Hot topics in software defined network- Networks and Applications Conference (ITNAC). IEEE, 2017, pp.
ing. ACM, 2013, pp. 127–132. 1–6.
[146] B. Pfaff and B. Davie, “The open vswitch database management [169] R. Mohammadi, R. Javidan, and M. Conti, “Slicots: An sdn based
protocol,” 2013. lightweight countermeasure for tcp syn flooding attacks,” IEEE Trans-
[147] D. Kreutz, F. Ramos, P. Verissimo, C. E. Rothenberg, S. Azodolmolky, actions on Network and Service Management, vol. 14, no. 2, pp. 487–
and S. Uhlig, “Software-defined networking: A comprehensive survey,” 497, 2017.
arXiv preprint arXiv:1406.0440, 2014. [170] N. Z. Bawany and J. A. Shamsi, “Seal sdn based secure and agile
[148] N. Foster, R. Harrison, M. J. Freedman, C. Monsanto, J. Rexford, framework for protecting smart city applications from ddos attacks,”
A. Story, and D. Walker, “Frenetic: A network programming language,” Journal of Network and Computer Applications, vol. 145, p. 102381,
ACM Sigplan Notices, vol. 46, no. 9, pp. 279–291, 2011. 2019.
[149] C. J. Anderson, N. Foster, A. Guha, J.-B. Jeannin, D. Kozen, [171] S. Chakrabarty, D. W. Engels, and S. Thathapudi, “Black sdn for the
C. Schlesinger, and D. Walker, “Netkat: Semantic foundations for internet of things,” in 2015 IEEE 12th International Conference on
networks,” Acm sigplan notices, vol. 49, no. 1, pp. 113–126, 2014. Mobile Ad Hoc and Sensor Systems. IEEE, 2015, pp. 190–198.
[150] C. Monsanto, N. Foster, R. Harrison, and D. Walker, “A compiler and [172] C. Gonzalez, S. M. Charfadine, O. Flauzac, and F. Nolot, “Sdn-
run-time system for network programming languages,” ACM SIGPLAN based security framework for the iot in distributed grid,” in 2016
Notices, vol. 47, no. 1, pp. 217–230, 2012. International Multidisciplinary Conference on Computer and Energy
[151] J. Reich, C. Monsanto, N. Foster, J. Rexford, and D. Walker, “Modular Science (SpliTech). IEEE, 2016, pp. 1–5.
sdn programming with pyretic,” Technical Reprot of USENIX, 2013. [173] C. Gonzalez, O. Flauzac, F. Nolot, and A. Jara, “A novel distributed
[152] J. Li, E. Altman, and C. Touati, “A general sdn-based iot framework sdn-secured architecture for the iot,” in 2016 International Conference
with nvf implementation,” 2015. on Distributed Computing in Sensor Systems (DCOSS). IEEE, 2016,
[153] Y. Jararweh, M. Al-Ayyoub, E. Benkhelifa, M. Vouk, A. Rindos et al., pp. 244–249.
“Sdiot: a software defined based internet of things framework,” Journal [174] M. Gheisari, G. Wang, S. Chen, and H. Ghorbani, “Iot-sdnpp a method
of Ambient Intelligence and Humanized Computing, vol. 6, no. 4, pp. for privacy-preserving in smart city with software defined networking,”
453–461, 2015. in International Conference on Algorithms and Architectures for Par-
[154] M. Ojo, D. Adami, and S. Giordano, “A sdn-iot architecture with nfv allel Processing. Springer, 2018, pp. 303–312.
implementation,” in 2016 IEEE Globecom Workshops (GC Wkshps). [175] M. Gheisari, G. Wang, W. Z. Khan, and C. Fernandez-Campusano,
IEEE, 2016, pp. 1–6. “A context-aware privacy-preserving method for iot-based smart city
[155] Z. Qin, G. Denker, C. Giannelli, P. Bellavista, and N. Venkatasubrama- using software defined networking,” Computers & Security, vol. 87, p.
nian, “A software defined networking architecture for the internet-of- 101470, 2019.
things,” in 2014 IEEE network operations and management symposium [176] R. Vilalta, R. Ciungu, A. Mayoral, R. Casellas, R. Martinez, D. Pubill,
(NOMS). IEEE, 2014, pp. 1–9. J. Serra, R. Munoz, and C. Verikoukis, “Improving security in internet

2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: NUST School of Electrical Engineering and Computer Science (SEECS). Downloaded on June 03,2020 at 08:40:29 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.2997651, IEEE Internet of
Things Journal
27

of things with software defined networking,” in 2016 IEEE Global


Communications Conference (GLOBECOM). IEEE, 2016, pp. 1–6.
[177] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A.-R. Sadeghi,
and S. Tarkoma, “Iot sentinel: Automated device-type identification
for security enforcement in iot,” in 2017 IEEE 37th International
Conference on Distributed Computing Systems (ICDCS). IEEE, 2017,
pp. 2177–2184.
[178] P. K. Sharma, J. H. Park, Y.-S. Jeong, and J. H. Park, “Shsec: sdn
based secure smart home network architecture for internet of things,”
Mobile Networks and Applications, vol. 24, no. 3, pp. 913–924, 2019.
[179] O. Salman, S. Abdallah, I. H. Elhajj, A. Chehab, and A. Kayssi,
“Identity-based authentication scheme for the internet of things,” in
2016 IEEE Symposium on Computers and Communication (ISCC).
IEEE, 2016, pp. 1109–1111.
[180] F. I. Khan and S. Hameed, “Software defined security service provision-
ing framework for internet of things,” arXiv preprint arXiv:1711.11133,
2017.
[181] I. Farris, J. B. Bernabé, N. Toumi, D. Garcia-Carrillo, T. Taleb,
A. Skarmeta, and B. Sahlin, “Towards provisioning of sdn/nfv-based
security enablers for integrated protection of iot systems,” in 2017
IEEE Conference on Standards for Communications and Networking
(CSCN). IEEE, 2017, pp. 169–174.
[182] J. Budakoti, A. S. Gaur, and C.-H. Lung, “Iot gateway middleware for
sdn managed iot,” in 2018 IEEE International Conference on Internet
of Things (iThings) and IEEE Green Computing and Communications
(GreenCom) and IEEE Cyber, Physical and Social Computing (CP-
SCom) and IEEE Smart Data (SmartData). IEEE, 2018, pp. 154–161.
[183] CatBird. (2014) Private cloud security. [Online]. Available:
https://docplayer.net/2298462-Catbird-6-0-private-cloud-security.html
[184] vArmour. (2015) varmour dss deception data sheet. [Online]. Available:
https://www.varmour.com
[185] vmware. (2010) The technology foundations of vmware vshield. [On-
line]. Available: https://www.vmware.com/files/pdf/techpaper/vShield-
Tech-Foundations-WP.pdf
[186] N. Team, “Netcitadels one control platform the key to intelligent,
adaptive network security, white paper, netcitadel,” ed: Inc, 2012.
[187] O. Flauzac, C. González, A. Hachani, and F. Nolot, “Sdn based
architecture for iot and improvement of the security,” in 2015 IEEE
29th International Conference on Advanced Information Networking
and Applications Workshops. IEEE, 2015, pp. 688–693.
[188] H. Aftab, K. Gilani, J. Lee, L. Nkenyereye, S. Jeong, and J. Song,
“Analysis of identifiers in iot platforms,” Digital Communications and
Networks, 2019.
[189] N. Asokan, F. Brasser, A. Ibrahim, A. R. Sadeghi, M. Schunter,
G. Tsudik, and C. Wachsmann, “Seda scalable embedded device
attestation,” in Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security. ACM, 2015, pp. 964–975.
[190] J. Qiu, Q. Wu, G. Ding, Y. Xu, and S. Feng, “A survey of machine
learning for big data processing,” EURASIP Journal on Advances in
Signal Processing, vol. 2016, no. 1, p. 67, 2016.
[191] K. Sha, T. A. Yang, W. Wei, and S. Davari, “A survey of edge
computing based designs for iot security,” Digital Communications and
Networks, 2019.

2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use stats
View publication limited to: NUST School of Electrical Engineering and Computer Science (SEECS). Downloaded on June 03,2020 at 08:40:29 UTC from IEEE Xplore. Restrictions apply.

You might also like