Skip to content

misssion/probe

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.github/workflows
.github/workflows
 
 
docker
docker
 
 
modules
modules
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
collector.py
collector.py
 
 
probe.py
probe.py
 
 
readme.md
readme.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Probe & Collector

MISSION - Process Aware Intrusion Detection in IoT Networks

Intrusion Detection Systems (IDS) allow for detecting malicious activities in organizational networks and hosts. As the Industrial Internet of Things (Industrial IoT) has gained momentum and attackers become process-aware, it elevates the focus on anomaly-based Network Intrusion Detection Systems (NIDS) in IoT. While previous research has primarily concentrated on fortifying SCADA systems with NIDS, keeping track of the latest advancements in resource-efficient messaging (e.g., MQTT, CoAP, and OPC-UA) is paramount. In our work, we straightforwardly derive IoT processes for NIDS using distributed tracing and process mining. We introduce a pioneering framework called MISSION which effectively captures, consolidates, and models MQTT flows, leading to a heightened process awareness in NIDS. Through our prototypical implementation, we demonstrate exceptional performance and high-quality models. Moreover, our experiments provide empirical evidence for rediscovering pre-defined processes and successfully detecting two distinct MQTT attacks in a simulated IoT network.

Installation

pip install -r requirements.txt

DockerHub

The docker files are available at https://hub.docker.com/u/misssion.

Probe

The probe captures network traffic from a given interface. It transforms the packets to IPFIX and sends it to a collector. In future it should support more protocols.

Command line

python probe.py --interface "LAN-Verbindung 2" --collector "localhost" --port 2055 --protocol mqtt --log-level "DEBUG"

Docker

The Dockerfile is located under /docker/probe.

Docker compose

services:
  probe:
    container_name: mqtt-probe
    image: misssion/probe:latest
    environment:
      - INTERFACE=utun7
      - COLLECTOR=127.0.0.1
      - PORT=2055
      - PROTOCOL=mqtt
      - BENCHMARK=false
      - FILE_NAME=qos
      - LOG_LEVEL=DEBUG
    network_mode: "host"
    restart: "always"
    privileged: true

Collector

The collector aggregates IPFIX flows from different probes and stores them in a MongoDB.

Command line

python collector.py --host "localhost" --port 2055 --mongo_url "mongodb://localhost:27017" --mongo_collection "flows"

Docker

The Dockerfile is located under /docker/collector.

Docker compose

services:
  collector:
    container_name: collector
    image: misssion/collector:latest
    depends_on:
      - mongodb
    environment:
      - COLLECTOR=collector
      - COLLECTOR_PORT=2055
      - MONGO_URL=mongodb://mongodb:27017/
      - MONGO_COLLECTION=flows
    ports:
      - "2055:2055"
    restart: always
  mongodb:
    container_name: mongodb
    image: mongo:latest
    ports:
      - "27017:27017"
    restart: always

About

MISSION probe and collector

Topics

mqtt coap probe internet-of-things cybersecurity opcua digital-twin

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

0.1 Latest
Sep 30, 2022

Languages