BSIEM-IoT: A blockchain-based and distributed SIEM for the Internet of Things
A. Pardo, F. Ardila, D. Díaz López, and F. Gómez Mármol.
17th International Conference on Applied Cryptography and Network Security (ACNS).1st International Workshop on Application Intelligence and Blockchain Security (AIBlock). Bogota, Colombia. 2019
1. Department of Information and Communication Engineering, University of Murcia, Spain
2. Faculty of Computer Science, Escuela Colombiana de Ingeniería Julio Garavito, Bogotá, Colombia
*The articles published in this section are academic publications whose property belongs to their authors and do not imply the cession of the author’s economic rights in favor of the CAP4CITY Project, its members or third parties.
Abstract– The paper at hand proposes BSIEM-IoT, a Security Information and Event Management solution (SIEM) for the Internet of Things (IoT) relying on blockchain to store and access security events. The security events included in the blockchain are contributed by a number of IoT sentinels in charge of protecting a group of IoT devices. A key feature here is that the blockchain guarantees a secure registry of security events. Additionally, the proposal allows SIEM functional components to be assigned to the ff erent miners servers composing to resilient and distributed SIEM. Our proposal is implemented using Ethereum and validated through different use cases and experiments.
The Internet of Things (IoT) has brought uncountable benefits in a number of diverse and relevant environments. Yet, one of its current major drawbacks lies in the lack of security solutions to protect these systems against cyber attacks. One approach in this regard is to process the security events coming from such ecosystem and use them to prevent, detect and mitigate security incidents. Security events, stemming either from IoT devices or from intermediate security components, are collected and sent to centralized Security Information and Event Management (SIEM) server to detect such incidents using one of its available modules (correlation rules, policies, statistic models). In this regard, the integrity of the security events is critical, since an alteration of this data could lead to false alarms. Likewise, availability is another security requirement for those security events: all the security events should be available to the SIEM modules in a timely manner, as well as resilient against denial attacks. Furthermore, traceability is also a key requirement here. A comprehensive registry of all events operations should be kept and maintained to support the effective audit in case of a potential security violation.
Finally, a centralized architecture to detect intrusions in IoT ecosystems constitutes a single-point of attack and a bottle-neck that in case of failure would impact adversely all related security functions, mainly containment and recovery. Thus, resiliency becomes another requirement for the security infrastructure, so the security functions can not be interrupted.
In this paper, we present BSIEM-IoT, a blockchain-based and distributed SIEM to detect attacks against IoT devices. This proposal is built over a blockchain architecture, allowing interoperability between components of the IoT ecosystem that contribute information related to security events. Every security event is eﬀectively protected in terms of integrity and non-repudiation due to the intrinsic features of the blockchain. Further, smart contracts (SC) in the blockchain guarantee a consistent behavior of the system, including the authorization of actions over the security events. BSIEM-IoT is able to consume local threat intelligence, enabling the detection of distributed attacks which can only be discovered by correlating security events coming from diﬀerent sources. Moreover, our proposal connects to diﬀerent external sources to get updated threat intelligence and improve the analysis of the security events within the blockchain.
The main contributions of this paper are:
– A distributed SIEM proposal for IoT scenarios leveraging the beneﬁts of a blockchain (server-less operations, integrity, non-repudiation and resiliency).
– Development of methods in a smart contract to handle blocks of security events and detect attacks from the security events available in the blockchain.
– Integration of the External and the Internal Threat Intelligence of theBSIEMIoT to make local validations originated in smart contracts.
– The evaluation of the proposal and its features through exhaustive experiments, which in turn proved the feasibility of the solution for organizations.