Security for connected devices
Cyber-attacks are on the rise: the number of attacks keeps increasing, and sophisticated hacker tools enable more complex attacks. The Internet of Things (IoT) is emerging rapidly, bringing new security challenges, and a successful attack on connected devices can have serious consequences. The sheer quantity of connected devices, numbering in the billions, gives an adversary a large potential attack surface.
SECONDS is a research project run by Lund University with Ericsson as one of the industry partners. The project aims to develop techniques and practices that make relevant, cost-efficient vulnerability analysis possible for specific products in specific environments. As part of this work, Ericsson has developed a machine-learning-based threat intelligence service, connected to a client tool, that provides customized ranking of reported vulnerabilities and recommendations on how to handle them.
Last year, it was estimated that more than 100 billion lines of new code were written worldwide. Although efforts are made to write more secure code, the ever-growing volume of code being produced will likely allow the number of new security vulnerabilities to keep growing every year. As an indication of this trend, the number of vulnerabilities reported to Common Vulnerabilities and Exposures (CVE) last year more than doubled compared with the year before.
Most organizations today do not build all their software from scratch; open-source and third-party components are incorporated into the code. This makes it important to keep track of the reported vulnerabilities that are relevant in each case, together with their workarounds and updates. The security consequence of leaving a vulnerable component unpatched can be hard to foresee, while updating to a newer version of the component may require further adaptation of the surrounding software. For many industrial companies this is a major, complex effort, often with unclear practices and processes, and making the correct decisions requires broad expertise.
These challenges are addressed in SECONDS, a Vinnova-financed research project with both academic and industry partners. The project aims to change the way industry identifies and evaluates security vulnerabilities. This is accomplished partly by developing technical solutions that make vulnerability analysis cost-efficient, and partly by developing best practices for evaluating vulnerabilities. Identifying a new vulnerability in device software is just the first step. Assessing the criticality of that vulnerability in a specific product, with a specific configuration, operating in a specific environment, requires domain and product expertise as well as an understanding of the relevant weaknesses, threats and attack techniques.
Ericsson’s part in the project was to develop a service which, based on data about a product, automatically sorts and ranks the vulnerabilities reported to CVE according to their relevance for that product. The vulnerability that is potentially most severe for the product can then be analyzed and acted on first. Many organizations today use the Common Vulnerability Scoring System (CVSS) score to determine the severity of a vulnerability. This is a generic score assigned by the National Vulnerability Database (NVD) to each reported vulnerability after an analysis that usually takes weeks; being generic, the base score also says nothing about how the component is configured or exposed in a particular product. When a vulnerability is first made public in CVE, only a short description is available. Discussion in mailing lists, forums and social media then begins, and only later is more detailed information on the vulnerability published in NVD.
We propose a method in which a customized score, used to rank the vulnerability, is generated automatically at the time the vulnerability is made public. The score is based partly on analysis of the public data sources available at that time, and partly on private data about the product and on how the user (and other users) have responded to similar vulnerabilities before. The proposed system is not intended to decide the proper action for countering a vulnerability, but rather to give the user customized priorities for analyzing multiple vulnerabilities.
Ericsson contributed proof-of-concept implementations of several features for early sorting and ranking of vulnerabilities. Using Natural Language Processing (NLP) on the CVE description, we automatically determine the name and version of the affected software. This information is matched against the product’s build files to filter out vulnerabilities that are not relevant to the product. We also use NLP on the description to extract keywords that feed a machine learning model predicting the likelihood that a given vulnerability will be used in an exploit. Only about one vulnerability in six in our data set has been used in an exploit, so prioritizing those likely to be exploited is a reasonable strategy. By also including vulnerability data from external sources in the model, we show that the accuracy of the exploit likelihood prediction can be increased over time. In our experiments we use data on Twitter activity about vulnerabilities, but data from other sources could also be included.
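The pipeline described above, sketched as an added example in Python; this is not Ericsson’s code and the project’s actual NLP and machine learning models are not public. The regex stands in for the NLP step (it only covers the common “in NAME before V”, “in NAME V through W” and “in NAME V” phrasings), a small naive Bayes classifier stands in for the exploit-likelihood model, and the build manifest, training descriptions and CVE feed are all constructed here with fictitious identifiers.

```python
import re
from collections import Counter
from math import exp, log

# Added example, not Ericsson's code. The regex is a stand-in for the NLP step and
# only covers "in NAME before V", "in NAME V through W" and "in NAME V" phrasings.
AFFECTED_RE = re.compile(
    r"\bin (?P<name>[A-Za-z][\w.-]*) (?P<before>before )?(?P<v1>\d+(?:\.\d+)*)"
    r"(?: through (?P<v2>\d+(?:\.\d+)*))?"
)

def extract_affected(description):
    """Return (name, v1, v2, is_before) or None if no software/version phrase is found."""
    m = AFFECTED_RE.search(description)
    if not m:
        return None
    return m.group("name"), m.group("v1"), m.group("v2"), bool(m.group("before"))

def vparse(version):
    """'1.4.2' -> (1, 4, 2); tuples compare component-wise, which is what we need."""
    return tuple(int(x) for x in version.split("."))

def affects_version(installed, spec):
    """True if the shipped version lies inside the affected range extracted from the text."""
    _name, v1, v2, is_before = spec
    shipped = vparse(installed)
    if is_before:
        return shipped < vparse(v1)
    if v2:
        return vparse(v1) <= shipped <= vparse(v2)
    return shipped == vparse(v1)

def tokens(text):
    """Keyword extraction stand-in: lower-cased alphabetic tokens of three or more letters."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if len(t) >= 3]

class ExploitModel:
    """Naive Bayes over description keywords, estimating P(exploited | description)."""
    def __init__(self, labelled):
        self.word_counts = {True: Counter(), False: Counter()}
        self.doc_counts = Counter()
        for text, exploited in labelled:
            self.word_counts[exploited].update(tokens(text))
            self.doc_counts[exploited] += 1
        self.vocab = set(self.word_counts[True]) | set(self.word_counts[False])

    def _log_likelihood(self, tok, cls):
        total = sum(self.word_counts[cls].values())
        # Laplace smoothing so a keyword unseen in one class does not zero the score.
        return log((self.word_counts[cls][tok] + 1) / (total + len(self.vocab)))

    def exploit_probability(self, description):
        log_odds = log(self.doc_counts[True] / self.doc_counts[False])  # class prior
        for tok in tokens(description):
            if tok in self.vocab:  # keywords never seen in training carry no evidence
                log_odds += self._log_likelihood(tok, True) - self._log_likelihood(tok, False)
        log_odds = max(-700.0, min(700.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + exp(-log_odds))

def rank_for_product(feed, manifest, model):
    """Drop CVEs that do not touch a shipped component/version, then order the rest
    by predicted exploit probability, highest first."""
    ranked = []
    for cve_id, description in feed:
        spec = extract_affected(description)
        if spec is None or spec[0] not in manifest:
            continue  # cannot be attributed to a component in the build
        if not affects_version(manifest[spec[0]], spec):
            continue  # the build ships a version outside the affected range
        ranked.append((cve_id, round(model.exploit_probability(description), 3)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed training data: synthetic descriptions with a made-up "used in an exploit" label.
TRAINING = [
    ("buffer overflow allows remote attackers to execute arbitrary code via crafted packet", True),
    ("use-after-free allows remote attackers to execute arbitrary code via crafted file", True),
    ("sql injection allows remote attackers to execute arbitrary sql commands", True),
    ("improper input validation allows local users to cause a denial of service crash", False),
    ("information disclosure allows local users to obtain sensitive information via log file", False),
    ("null pointer dereference allows remote attackers to cause a denial of service", False),
]
# Constructed build manifest (component -> shipped version) for a hypothetical device.
MANIFEST = {"libfoo": "1.3.9", "webadmin": "2.1.0", "netcomp": "0.9.4"}
# Constructed CVE feed: fictitious IDs and text, not real CVE entries.
FEED = [
    ("CVE-0000-0001", "Buffer overflow in libfoo before 1.4.2 allows remote attackers to execute arbitrary code via a crafted packet."),
    ("CVE-0000-0002", "Cross-site scripting (XSS) vulnerability in webadmin 2.0.1 allows remote attackers to inject arbitrary web script via the name parameter."),
    ("CVE-0000-0003", "Integer overflow in imagelib 3.1 through 3.3 allows local users to cause a denial of service (crash)."),
    ("CVE-0000-0004", "Memory leak in netcomp before 1.0.0 allows local users to cause a denial of service (memory consumption)."),
]

if __name__ == "__main__":
    model = ExploitModel(TRAINING)
    for cve_id, probability in rank_for_product(FEED, MANIFEST, model):
        print(cve_id, probability)
```

Running it keeps CVE-0000-0001 (libfoo 1.3.9 is below the 1.4.2 fix) and CVE-0000-0004 (netcomp 0.9.4 is below 1.0.0), drops CVE-0000-0002 because the build ships webadmin 2.1.0 rather than the affected 2.0.1, and drops CVE-0000-0003 because imagelib is not in the manifest at all; of the two survivors, the remote code execution one is ranked first. External signals such as Twitter activity about a CVE can be folded in as additional pseudo-keywords fed to the same model, which is how the post’s “increase accuracy over time” step would attach here. Note that the version match is only as good as the extracted range: a description without a parseable version phrase is silently dropped, so in practice such cases should be routed to a human rather than discarded.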
We also propose a system architecture based on a recommender system that uses content-based filtering and collaborative filtering. The general idea is that the decision taken by the expert user is fed back to the system and used to improve the quality of future recommendations. Recommender systems have grown in popularity in recent years and are used in a wide variety of applications. In this context we also studied privacy-preserving recommender systems, in which different users can collaborate and benefit from each other’s decisions without disclosing private data to each other or to the service provider. Several recent proposals in the recommender system literature operate on encrypted data using homomorphic encryption. Another approach to the privacy problem that we studied is to process the data in an isolated execution environment, for example one based on Intel SGX; see for example the paper by Ohrimenko et al. An enclave protects the data from the host, but such a design still has to be assessed for side-channel leakage, which the enclave boundary alone does not prevent.
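The feedback loop of the content-based part, as an added example in Python that is not Ericsson’s code and not the architecture described in the post. Each expert decision is stored as a labelled item, a new vulnerability is scored by the similarity-weighted votes of the most similar past decisions, and recording the expert’s decision changes what the system recommends next. The action labels, the decision history and the two new cases are all constructed here.

```python
import re
from collections import Counter, defaultdict
from math import sqrt

# Added example, not Ericsson's code: a minimal content-based recommender whose
# training data is the expert's own past decisions.
ACTIONS = ("patch_now", "schedule", "accept")  # hypothetical decision labels

def features(description):
    """Bag-of-words content profile of a vulnerability description."""
    return Counter(t for t in re.findall(r"[a-z]+", description.lower()) if len(t) >= 3)

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

class Recommender:
    def __init__(self):
        self.history = []  # (content profile, action) pairs, one per expert decision

    def record_decision(self, description, action):
        """Feedback loop: the expert's final decision becomes a labelled item."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.history.append((features(description), action))

    def recommend(self, description, k=3):
        """Return (action, confidence); confidence is the winner's share of the
        similarity-weighted votes among the k most similar past decisions."""
        profile = features(description)
        nearest = sorted(((cosine(profile, h), a) for h, a in self.history), reverse=True)[:k]
        votes = defaultdict(float)
        for similarity, action in nearest:
            votes[action] += similarity
        total = sum(votes.values())
        if total == 0.0:
            return None, 0.0  # nothing similar has ever been decided on
        best = max(votes, key=votes.get)
        return best, round(votes[best] / total, 2)

# Constructed decision history (synthetic descriptions, hypothetical decisions).
PAST_DECISIONS = [
    ("buffer overflow allows remote attackers to execute arbitrary code via crafted packet", "patch_now"),
    ("heap overflow allows remote attackers to execute arbitrary code via crafted file", "patch_now"),
    ("information disclosure allows local users to obtain sensitive information via log file", "schedule"),
    ("null pointer dereference allows local users to cause a denial of service", "accept"),
]
NEW_CASE = "improper certificate validation allows man-in-the-middle attackers to spoof servers"
SIMILAR_CASE = ("improper hostname validation allows man-in-the-middle attackers to spoof "
                "servers via crafted certificate")

def demo():
    """Recommendation for SIMILAR_CASE before and after the expert decides NEW_CASE."""
    rec = Recommender()
    for description, action in PAST_DECISIONS:
        rec.record_decision(description, action)
    before = rec.recommend(SIMILAR_CASE)       # only RCE-style items look vaguely similar
    rec.record_decision(NEW_CASE, "schedule")  # expert's decision is fed back
    after = rec.recommend(SIMILAR_CASE)        # now dominated by the close, newer decision
    return before, after

if __name__ == "__main__":
    print(demo())
```

Before the feedback, the only items that share any keywords with the certificate-validation case are the two remote-code-execution decisions, so the system weakly suggests “patch_now”; once the expert has recorded “schedule” for the first such case, the near-identical second case is recommended as “schedule” with a confidence above one half. The collaborative-filtering step in the post amounts to pooling such histories across users or organizations, and that pooled history is exactly the private data the homomorphic-encryption and SGX approaches are meant to protect; this example keeps everything local to one user.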
Following our studies in this area, our conclusion is that a threat intelligence service based on machine learning and connected to a client tool would be highly valuable for vulnerability management, in a future where open source solutions are widely adopted and the opportunities for software attacks grow with more complex systems and more devices in the field. The techniques investigated by Ericsson in this project will have a role in such a service. The service and tool developed will be evaluated by the development organizations at the project partners. At the time of writing, this evaluation had not been finalized, but the initial response is very promising.
The SECONDS project is a cooperation between Lund University, Advenica, Axis, Ericsson, Prevas, Sensative, SICS and T2 data.
More reading about security work at Ericsson:
• Ericsson white paper – 5G security – enabling a trustworthy 5G system
• Previous blog post – Smart Contracts for Identities
• Previous blog post – Secure brokering of digital identities
• Ericsson Technology Review article – End-to-end Security Management for the IoT
• Ericsson Technology Review article – Securing the cloud with compliance auditing