Sotirios Brotsis, Nicholas Kolokotronis, 5 July 2020
The technological evolution, which is derived from the development of the Internet of things (IoT) is accompanied by new forms of cyber-attacks that exploit the heterogeneity of IoT ecosystems and the existence of vulnerabilities in IoT devices. Thus, the detection of attacked IoT devices, as well as, the accumulation and maintenance of forensic evidences emerge as areas of immense priority [1, 4].
Most of the IoT devices are highly resource-constrained, while their computational power and storage capacity is used to deliver nothing else but only their core functionality. The strong cyber-security, which is found in today’s personal computers and laptops cannot be easily adopted by lightweight devices, since it is more resource-demanding and leads to the utilization of insecure protection mechanisms; tools, such as Shodan and IoT Seeker, can be easily used by an attacker to discover possible vulnerabilities in an IoT ecosystem. The combination of the low security controls with the complexity and the heterogeneity that the IoT networks possess, enables the cyber-attackers to compromise and then use these IoT devices to execute other attacks, such as the distributed denial of service (DDoS) attack at Dyn that was attributed to the Mirai malware.
Intrusion detection systems (IDSs) constitute the basic line of defence against cyber-attacks, as they can detect suspicious behaviour by collecting, analysing and delivering informative security alerts. IDSs typically utilize signature-based and anomaly-based techniques for identifying possible threats in a network, where the latter relies on the monitoring of a network’s devices for any abnormal behavioural patterns. IDSs can also be classified into host-based (HIDS), where only one device is monitored, and network-based (NIDS), where all the network traffic is monitored and analysed.
Blockchain solutions have recently been proposed for both intrusion detection and forensic evidence applications, since in both cases blockchain can solve issues pertaining to trust, integrity, transparency, accountability, and secure data sharing . To address the issue of trust management and the preservation of forensic evidences, the architecture of a blockchain-based solution to secure the devices in an IoT ecosystem is not straightforward . In several cases, the resources that the IoT devices possess are highly constrained, while the transaction processing needs to be at high rate.
In addition, in a forensic investigation, it is crucial that the evidences that derive from IoT devices are not modified while transmitted from one LEA to another. A blockchain-based solution can be used to verify the authenticity and legitimacy of the actions and procedures used to gather, store and transmit digital evidences, as well as, to deliver a wide-ranging view of all the interactions in the Chain-of-Custody (CoC). In a blockchain-based CoC, it is vital to assure that the entities, having read/write access to the DLT, are authenticated and accountable for their actions, as well as, that the evidence do not violate any privacy law and can be validated via a consensus algorithm.
The Cyber-Trust’s Blockchain (CTB) combats cyber-attacks and assist the evidence collection. The critical information from IoT devices is recorded so that it can be later queried from LEAs, or when a verification of proper functioning is needed and parts of the system’s software have to be patched or updated reliably. This means that properties, like the firmware of a device, the configuration files, etc., are registered into the CTB, at the beginning of the system’s operation, and verified if needed against a history of previously valid states, in order to ensure that they have not been tampered with.
The Cyber-Trust platform deploys a number of advanced tools, ranging from intrusion detection systems (IDSs), graph mining, machine learning to blockchain technology in order to define a privacy-preserving structure for achieving decentralization, accountability and trust between IoT devices. The Cyber-Trust Blockchain is built on top of Hyberledger Fabric [2, 6] that can
- implement smart contracts, which are based on a programmable application logic that is being called each time a transaction is being proposed
- create an independent Root-of-Trust (RoT) between LEAs by enforcing accountability and properly incentivizing the network to adhere to the protocol
- enable the IoT devices to defend themselves against sophisticated cyber-attacks, (such as Zero-day attacks)
- maintain the identities of all the participants nodes and
- be complied with all the new privacy laws and rules (e.g. GDPR) of the European Union.
The adoption of Fabric as a permissioned blockchain solution for Cyber-Trust’s case was not random at all. Other permissioned blockchain solutions follow the order-execute architecture, in which the transactions are ordered first, via the consensus protocol and then are executed in sequence on each peer. This model has several limitations, from which several threats and risks may arise. Fabric follows the execute-order-validate architecture to execute untrusted code in adversarial environments and provide a more reliable network to meet the needs of privacy between different organizations.
As mentioned, the CTB addresses the most prominent privacy challenges in the area of IoT by supporting two important privacy mechanisms. The first one rests to the channels, which allow to separate the information that is stored on the blockchain; and the second one is the concept of the privatedata, which allows to isolate data between different peers (LEAs and ISPs) within the same channel. The channels are associated with the network level, whereas the private data are associated with the chaincode (application) level. Such privacy mechanisms are very important in cases of providing blockchain network and applications into a consortium environment; which in our case is actually the case of the Cyber-Trust’s system.
In addition, the critical information that derives from the IoT environment regarding the suspicious network traffic or any potential malicious activity (which will be used in the subsequent evidence analysis) is being safely stored only to an off-chain database, and not to the blockchain mechanism itself. Only the logging information of any such activity, so as to provide a proof-of-existence service, will be stored to the CTB. Therefore, having access only to the metadata and not to the – securely stored – off-chain database (in which the actual evidence exists), does not allow identification of network/device communication data (which are being considered as personal.
Concluding the Cyber-Trust platform relies on advanced intrusion detection tools to identify malicious activities and enhance the security of IoT environments by inspecting compromised devices and collecting forensic evidence so as to determine the source of cyber-attacks. The evidentiary information is safely stored as raw data in an off-chain database, while the hashes and metadata of the evidence are stored on the blockchain. The CTB is a permissioned distributed platform, which is built on top of Hyperledger Fabric in order to provide a proper digital CoC by recording and preserving a chronological history of each digital evidence.
 N. Kolokotronis, S. Shiaeles, E. Bellini, L. Charalambous, D. Kavallieros, O. Gkotsopoulou, C. Pavué, A Bellini, G. Sargsyan, ” Cyber-Trust: The Shield for IoT Cyber-Attacks,” in NATO Science for Peace and Security Series – D: Information and Communication Security, Vol. 55: Resilience and Hybrid Threats, I. Linkov et al. (Eds.) IOS Press, 2019.
 E. Androulaki, A. Barger, V. Bortnikov, C. Cachin, K. Christidis, A. De Caro, D. Enyeart, C. Ferris, G. Laventman, Y. Manevich, et al. “Hyperledger fabric: a distributed operating system for permissioned blockchains.” Proceedings of the 13th EuroSys conference. 2018.
 K. Bendiab, N. Kolokotronis, S. Shiaeles and S. Boucherkha, ” A Novel Blockchain-Based Trust Model for Cloud Identity Management,” 2018 IEEE 16th Intl Conf on Dependable, Autonomic and Secure Computing, Congress (DASC), Athens, 2018, pp. 724-729.
 N. Kolokotronis, K. Limniotis, S. Shiaeles and R. Griffiths, “Secured by Blockchain: Safeguarding Internet of Things Devices,” in IEEE Consumer Electronics Magazine, vol. 8, no. 3, pp. 28-34, May 2019.
 N. Kolokotronis, S. Brotsis, G. Germanos, C. Vassilakis and S. Shiaeles, “On Blockchain Architectures for Trust-Based Collaborative Intrusion Detection,” 2019 IEEE World Congress on Services (SERVICES), Milan, Italy, 2019, pp. 21-28.
 S. Brotsis, N. Kolokotronis, K. Limniotis, S. Shiaeles, D. Kavallieros, E. Bellini, and C. Pavué, “Blockchain Solutions for Forensic Evidence Preservation in IoT Environments,” 2019 IEEE Conference on Network Softwarization (NetSoft), Paris, France, 2019, pp. 110-114..