RU2796800C1 - Method for detecting anomalies in the operation of a smart home device at the hardware level - Google Patents

Abstract

FIELD: smart home.

SUBSTANCE: method for analyzing the device at the hardware level, that is, monitoring not the state of the network and the transmitted data, but the device itself and its performance. The method for detecting anomalies in the operation of smart home devices. In the method, a local network is formed operating in parallel with a network of smart home devices, consisting of security controllers, wherein each smart home device is connected to the security controller of the formed local network, and each of the security controllers is connected to the server, the parameters of each security controller are measured, including temperature measurement of the safety controller processor, current measurement by accessing the common ground contact of the safety controller, voltage measurement by accessing the common earth contact and power contact of the safety controller, form a dataset for training, which is a data packet consisting of a time stamp and measured parameters of the security controller, send the generated dataset to the server, perform real-time training of the anomaly prediction model on the server based on the received datasets, while each security controller and smart home device on the server corresponds to a separate prediction model module, launch the predictive model on the server in real time for detecting anomalies in the operation of smart home devices.

EFFECT: increasing the reliability of detecting anomalies in the operation of smart home devices.

1 cl, 1 dwg

Description

The invention relates to the field of computer systems, namely to the detection of anomalies in the operation of a smart home device at the hardware level.

There is a known method of using a model of an IoT device to detect anomalies in the operation of the device (patent No. RU2772072 pub. 05/16/2022). The method covers a wide range of vulnerabilities in smart home and IoT systems. The invention offers a solution to security problems for IoT devices at different levels: at the level of the device itself, at the network level, at the infrastructure level.

The method relies on using an IoT device model to detect anomalies in the operation of a device in which a new device is defined; receive data about the device for forming a profile; create a device rollup based on the profile; choose from the database of convolutions a convolution similar to the created convolution; if there is a known model, then the already known device behavior model associated with the selected convolution is used, otherwise, data is collected in the device profile to create and train the device model and then use the trained model, while using the model involves identifying anomalies in the device operation.

This invention has the following disadvantages:

The system is too heavy for low-power devices, that is, those devices that do not have enough resources to support the specified configurations and protocols. In this regard, the proposed method cannot be implemented in systems operating at a lower level. Devices related to data collection or communication, sensors, brokers.

1. The protection system is located inside the working system, that is, when the target system is attacked, the protective system will also be attacked, which reduces the fault tolerance of smart home and IoT systems.

2. There is no hardware protection, that is, if the device is subject to, for example, a “pulse power attack” to skip password verification or other needs of an attacker, such an attack cannot be determined using this method, since the device will not change the algorithm of actions nested in it.

There is a known method for detecting unauthorized use of network devices with limited functionality from a local network and preventing distributed network attacks emanating from them (patent No. RU2703329 published on May 19, 2022).

The main idea of the proposed method is that anomalous activity can be detected by the limited functionality network device itself in real time using a classifying module built into its software that is capable of highlighting anomalies in network traffic signs that go beyond the area of signs of allowed network interaction of the device, predefined in the classifier. This invention has the following disadvantages:

1. A large number of cheap devices do not have their own operating system, which makes it impossible to use this method of protection against network attacks.

2. Additional load on low power devices is not a good solution, as this will increase the wear of the device.

A method for assessing the degree of wear of an IoT device on the part of a network infrastructure element is known (No. RU2703329 pub. 10/16/2019).

The method for assessing the wear rate of an IoT device on the part of a network infrastructure element comprises the steps of: collecting data on device operation; generate a report on the operation of the device based on the collected data; calculating the degree of wear of the device using the wear model based on the generated report. Next, it is calculated whether the degree of wear is above the threshold value of this device and further actions are determined.

This invention has the following disadvantage - if the device does not fail and the indicators are normal, then such a system will not be able to determine the trend of device wear and tear, since it is working with the device API and network traffic, and not with the actual device indicators.

The technical problem of the claimed invention is the development of a method for detecting anomalies in the operation of a smart home device at the hardware level.

The technical result consists in using a parallel protection system to detect anomalies in the operation of smart home devices. Since the system is locally separated from the main smart home system, there is no way to influence it and the smart home at the same time, which increases the fault tolerance of the system.

The solution to this problem is to create a local network that will be parallel to the smart home network, that is, each device will be connected to a security controller. Each of the security controllers will be connected to the server, thereby organizing a local network for device analysis. Next, the controller sends the device readings to the server. On the server, the module is trained according to the received data, then the forecast errors of this module are calculated, and it is launched to work on this device in real time.

The invention is illustrated in FIG. 1 showing the operation of the method.

The importance of working with the hardware of the controller is justified by the fact that information about the performance of the device itself will make it possible to detect an attack on the controller earlier, by analyzing the load of the device.

The importance of solving this problem is also related to the fact that smart sensor systems are increasingly being added to industrial areas, the failure of one area can lead to incorrect operation of the entire sector.

The main feature of the proposed method is the hardware shell around the system of a smart home or enterprise. There is no need to have a specific device with a specific amount of memory or internal capabilities, devices will not be loaded in parallel with their payload. Since there is now a huge market of companies producing cheap, low-quality equipment with constant updates, it is difficult to keep track and take the necessary measures within the system, since attackers have complete information about such devices. But in combination with this method, it is possible to limit both the physical impact on devices and many network attacks, as this will be noticeable on the recorded indicators.

A few obvious cyber threats to controllers that can be easily detected in this way:

- DDoS attacks, when the load on the processor increases, the temperature of the processor will begin to rise.

- Firmware change, if the controller was reflashed via OTA, its signature will change.

- Power surge attacks, fuzzing, password bypass, etc.

- An attacker's physical access to the controller.

The main disadvantage of this method is the need for certain modules as part of the controller for analysis: a WiFi module, an ADC of at least 10 bits.

The main optimization is the use of a controller that already has such modules, thereby reducing the size of the device, its consumption and determining the exact order of data transfer.

The following indicators are used for the analysis:

1. Temperature. To read the temperature, you must have access to the processor, to install a thermal sensor, or access to an internal processor thermal sensor.

2. Current. To read the current, you must have access to the common ground contact of the controller, a low-resistance resistor (hereinafter referred to as the shunt) will be connected in series there, which will read everything that goes to the ground from the board. By measuring the voltage at the point between the board and the shunt, you can get the voltage and calculate the current drawn by the microcontroller.

3. Tension. To read the voltage, you need to have access to two pins, common ground and controller power.

Each of the devices implies a TCP client that sends data in encrypted packets for authentication. The package is a generated string for the csv table: "time stamp, parameter1, parameter2, parameter3". A table of such rows is formed on the server, after which the model is trained. Each module works separately from the others, which means that each device has its own and learns separately from others, which allows you to expand the system for a larger number of devices.

The following method for detecting anomalies in the operation of smart home devices is proposed:

1. Waiting and connecting a new device

2. Receiving data from the controller

3. Verification and transformation of data into a data set for training

4. Train the state prediction model and check the error

5. Running the Model for Device Analysis

Thus, the developed method ensures the safety of any low-power devices without burdening the device itself.

As a result, the developed system in the future will help to unify all low-power, cheap devices and make it possible to use them in large industrial areas without the risk of industrial accidents or possible negative events during their operation.

Claims (7)

A method for detecting anomalies in the operation of smart home devices, comprising the steps of: form a local network operating in parallel with a network of smart home devices, consisting of security controllers, wherein each smart home device is connected to the security controller of the formed local network, and each of the security controllers is connected to the server, measuring the parameters of each safety controller, including measuring the temperature of the processor of the safety controller, measuring current by accessing the common ground contact of the safety controller, measuring voltage by accessing the common earth contact and the power supply contact of the safety controller, form a dataset for training, which is a data packet consisting of a time stamp and measured parameters of the safety controller, send the generated dataset to the server, perform real-time training of the anomaly prediction model on the server based on the received datasets, with each security controller and smart home device on the server corresponding to a separate prediction model module, running a trained prediction model on the server in real time to detect anomalies in the operation of smart home devices.

Images