Capability Based Access Control Strategies to Deter DDoS Attacks Exploting IoT Devices

摘要

The prevalence of the Internet of Things (IoTs) allows heterogeneous embedded smart devices to collaboratively provide intelligent services with or without human intervention. While leveraging the large-scale IoT-based applications like Smart Gird and Smart Cities, the IoTs also incur more concerns on privacy and security. The large number of insecure smart things with high communication and computation capacity become attractive targets for attackers to build large-scale botnets, which are used for various malicious activities such as distributed denial-of-service (DDoS) attacks. Among the top security challenges that IoTs face, the access authorization is critical in resource and information protection. The extraordinary large number of nodes, heterogeneity as well as dynamicity, necessitate more fine-grained, lightweight mechanisms for IoT devices.;This thesis aims at improving the security of IoT devices by enhancing the access control (AC) mechanisms. A federated capability based access control (FedCAC) framework and a blockchain-enabled decentralized capability-based access control (BlendCAC) framework are proposed. Through federating the capability delegation mechanism, the FedCAC allows local domain owners to delegate centralized authorization decision-making policy from server to enforce access control. However, the FedCAC scheme still suffers the weaknesses inherited from the centralized schemes, such as the single point of failure and performance bottleneck problems. In order to address these shortcomings, the BlendCAC takes advantage of smart contract on the blockchain network to enable a completely decentralized access control solution in the trustless network environment. Implemented and tested on resource-constrained devices under a physical IoT network environment, the experimental results demonstrate the feasibility of the proposals to offer the scalable, lightweight and fine-grained access control strategies to deter DDoS attacks exploiting IoT devices.