
Chen-Yu Lee

Academic Survey of
Internet Of Things
2011-12-29
Research on the Architecture of Trusted Security System
Based on the Internet of Things.
2011 Fourth International Conference on Intelligent
Computation Technology and Automation.
Interoperability of Security-Enabled Internet of Things
Wireless Pers Commun, Vol. 61, pp. 567-586, 2011.
Table of Contents
2
Research on the Architecture of Trusted
Security System Based on the
Internet of Things
2011 Fourth International Conference on Intelligent
Computation Technology and Automation
Xiong Li, Zhou Xuan, Liu Wen
Propose a general architecture of trusted security system
based on IoT.
trusted safety management system
security gateway
unified service platforms of IoT
security infrastructure
unified information exchange platform,
Architecture of trusted security system
based on IoT
4

Architecture of trusted security system
based on IoT
5
The key of the trusted user module is legitimate identity
authentication of users by multiple technical means, so as to
achieve multiple certification and integrated authentication.

Trusted User Module
6
Many security challenges:
copying and counterfeiting of labels, DoS attacks on electronic tags,
unauthorized access by users, or theft and modification of
label information by attackers using a counterfeit of a legitimate
reader.
Ensure users' trustworthiness through an authentication
mechanism.
Control users' access through an access control mechanism.
Protect the confidentiality and integrity of information
through an encryption mechanism.
An audit mechanism should be introduced to supervise,
track and audit any operation on the tags and readers.
Trusted Perception Module
7

Trusted Perception Module
8
A trusted terminal can not only ensure the legality of users
and the consistency of resources, but also make users
operate only according to the authority and access
control rules.
Trusted Terminal Module
9

Trusted Terminal Module
(Trusted Platform Module)
10
The IoT should securely and reliably transmit the
information gathered during the process of trusted
perception to the information processing layer.
The trusted network module and the trusted agent module are
designed to analyze, evaluate and manage the network
security situation from a global perspective.
The Trusted Network Security Management System (TSM)
accredits network users and handles the collection and
distribution of security management information.
Trusted Network Module
11

Trusted Network Module
12
TSM:
Ensures security during the storage, use and transmission of
the data, and in particular guards against the leakage of sensitive
information from inside.
It involves a security information protection model, a trusted
information transmission mechanism, user authentication and
authorization mechanisms, an information flow control mechanism,
and a content filtering mechanism.
Trusted Network Security Management
System
13

Trusted Agent Module
14
According to different locations and different functions
of trusted agent module, it can be divided into four types:
trusted agent of perception layer
terminal trusted agent
gateway trusted agent
network trusted agent
Trusted agent of perception layer
Works in the perception layer of the IoT.
Collects safety status information of the various sensing devices and
authentication information of readers and operating users.
Establishes a secure communication channel with the sensor
gateway trusted agent or the sensor network trusted agent.
Trusted Agent Module
15
Terminal trusted agent
Works on desktop systems.
Collects safety status information of terminals that will access the
trusted network and authentication information of readers and
operating users.
Establishes a trusted communication channel with the network
trusted agent or the gateway trusted agent of the Internet.
Gateway trusted agent
Collects positioning information of associated devices, establishes
a trusted communication channel with TSM for information
interaction, and monitors and distributes strategies to endpoints.
Network trusted agent
Works on the network access devices.
Trusted Agent Module
16
Interoperability of Security-Enabled
Internet of Things
Wireless Pers Commun, Vol. 61, pp. 567-586, 2011.
Josef Noll
A layered architecture of an Internet of Things framework
in which a semantically enhanced overlay interlinks the
other layers and facilitates secure access provision to
Internet of Things-enabled services.
The main element of the semantic overlay is security
reasoning through ontologies and semantic rules.
The interoperability of the security aspect is addressed
through ontology and a machine-to-machine platform.
Focuses only on secure access provision to IoT-enabled
services.
Addresses how different security attributes and constraints
lying in different administrative domains will work
together to secure an integrated operation.
Interoperability of Security-Enabled
Internet of Things
18
The paper:
Focuses only on secure access provision to IoT-enabled services.
Addresses how different security attributes and constraints lying in
different administrative domains will work together to secure an
integrated operation.
The results presented are the outcome of research conducted in
an ongoing European project, pSHIELD.
Scenario: Interoperable Rail Information System (IRIS).
Interoperability of Security-Enabled
Internet of Things
19
Key contributions:
A functional architecture of the IoT framework is introduced.
A semantic overlay (on top of the Things) is proposed to facilitate
intelligence in the IoT.
Ontologies are designed to partly contrive the semantic overlay.
A rule-based service access mechanism is proposed.
Interoperability of security is addressed through
ontology and machine-to-machine (M2M) technology.
Interoperability of Security-Enabled
Internet of Things
20
Decisions need to be derived from the retrieved
information and predefined logic.
Instead of hardcoded decisions, dynamic updating of
decisions is needed.
Automated reasoning is defined as the process of
deriving new facts based on predefined knowledge.
Reasoning requires structured knowledge about the
devices and sensors, sensor networks, and sensor data.
An overlay contains a model to describe this
structured knowledge and a reasoning process.
Overlay
21
Semantics means the explicit interpretation of domain
knowledge to make machine processing more intelligent,
adaptive and efficient.
Semantic technologies provide these capabilities:
machine-understandable knowledge description
machine-understandable logic description
automated reasoning
Semantic Enhancement
22
Two aspects:
access to sensors and sensor data
interoperable security between different administrative domains
Standardized machine-to-machine (M2M) technology as
suggested by ETSI.
The Interoperable Rail Information
System (IRIS)
23
TS 102 690
The European Telecommunications Standards Institute (ETSI)
An architectural standard applicable to any infrastructure based on
the M2M concept.
Describes authentication and authorization of applications
through the Network Security Capability (NSEC).

Cell-Based M2M Standardisation
24
Conventional Security Requirements for IoT:
Confidentiality, integrity, availability, trustworthiness, auditing.
Authentication, authorization, access control.
Security Proxy Model:
Policy Enforcement Point (PEP), connected to a Policy Decision
Point (PDP) and an Identity Manager (IdM).
Audit is responsible for managing the logs of service call-outs
and maintains the history of service interactions.
The proxy plays the role of an edge-oriented policy enforcement point,
which uses the PDP to obtain access decisions.
Handling Security in IoT
25
Security Proxy Model
Handling Security in IoT
26
The Conceptual View of the IoT Framework
The core idea is to provide a semantic description of node
types and capabilities of an IoT cloud, and to expose the nodes'
capabilities in the form of web services.
This will not only integrate the IoT with the service world but will
also allow third-party applications to query the data
residing in the IoT cloud.
Functional Architecture
Communication and Real-world Access Layer
Semantic Overlay Layer
Service Virtualization Layer
Application Layer
From Concepts to Architecture
27
Functional Architecture
From Concepts to Architecture
28
Functional Architecture
Communication and Real-world Access Layer
Provides an interface to the underlying IoT cloud:
discovering nodes, receiving events from nodes,
dispatching them to the upper layers both for making sense of the events and
for sending them to their subscribers,
and invoking services hosted on the nodes.
Semantic Overlay Layer
Provides the semantic model of the underlying IoT cloud by maintaining the IoT
ontology, sensor ontology, event ontology and service access policies.
Facilitates create, read, update and delete (CRUD) operations on the
semantic model, and translates SensorML [7] descriptions into OWL
descriptions.
From Concepts to Architecture
29
Functional Architecture
Service Virtualization Layer
Provides a web service interface for the functional aspects of the nodes.
Translates virtual services into web service definitions.
Generates micro-formats of the available web services, publishes services both
in service registries and on social network sites, and notifies subscribers about
IoT cloud events.
Application Layer
Real applications created using the data, the semantics of the data and application
logic.
Resolving the interoperability issues between different service providers'
platforms is
From Concepts to Architecture
30

Implementation
31
Formal Knowledge Base
Web Ontology Language (OWL)
The knowledge base is divided into:
Sensor Ontology: describes the sensors and the data retrieved by
the sensors
Event Ontology: describes faults and their characteristics. Most
of the instances of these classes are derived from the Sensor
Ontology using certain policies.
Access Control Ontology: describes the actors involved in secure
access provisioning
The Protégé ontology editor platform was used to design these
ontologies.
Implementation
--Security Reasoning
32

Implementation
--Security Reasoning
33
Implemented the policies using the Semantic Web Rule
Language (SWRL) and the Semantic Query-Enhanced Web
Rule Language (SQWRL).
The logical explanation of the rule used to generate decisions on
access authorization provision is:


The same semantic rule using the SWRL syntax:

Implementation
--Semantic Rules
34
Different Role Groups
Different organizations maintain their roles/responsibilities in
different ways.
The mapping (inside the mapping ontology) was done using
owl:equivalentClass constructs.
Different Security Levels
Different organizations maintain their security levels in
different ways.
The mapping was done using owl:sameAs constructs between
the two Security Level instances.
Implementation
--Interoperability Through Ontology
35
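To make the rule-based access mechanism concrete, the following is an added example (not code from the paper, pSHIELD or Shepherd) that evaluates an access rule in the style of the Security Proxy Model above: a policy decision point reasons over a small triple store in which role classes of two administrative domains are linked by owl:equivalentClass and security-level instances by owl:sameAs, and an enforcement point records every service call-out in an audit history. The triples, the "rail" and "ops" vocabularies and the actor names are constructed for this example.

```python
# Constructed triple store; the "rail"/"ops" vocabularies and actor names are assumptions.
TRIPLES = [
    ("rail:Maintainer", "owl:equivalentClass", "ops:FieldEngineer"),
    ("rail:Confidential", "owl:sameAs", "ops:Level2"),
    ("ops:Level2", "owl:sameAs", "ops:Restricted"),  # chained: closure must be transitive
    ("alice", "hasRole", "ops:FieldEngineer"),
    ("alice", "hasClearance", "ops:Restricted"),
    ("bob", "hasRole", "ops:Visitor"),
    ("bob", "hasClearance", "ops:Level2"),
    # access policy, written in the "rail" domain's own vocabulary
    ("svc:Temperature", "requiresRole", "rail:Maintainer"),
    ("svc:Temperature", "requiresLevel", "rail:Confidential"),
]

def closure(kb, pred):
    # symmetric, transitive closure of one mapping predicate: term -> equivalent terms
    adj = {}
    for s, p, o in kb:
        if p == pred:
            adj.setdefault(s, set()).add(o)
            adj.setdefault(o, set()).add(s)
    eq = {}
    for start in adj:
        seen, stack = {start}, [start]
        while stack:
            for n in adj[stack.pop()]:
                if n not in seen:
                    seen.add(n)
                    stack.append(n)
        eq[start] = seen
    return eq

def decide(kb, actor, service):
    """PDP: permit only if role and clearance map, via the ontology, onto the requirements."""
    objects = lambda subj, pred: {o for s, p, o in kb if s == subj and p == pred}
    same = lambda eq, a, b: a == b or b in eq.get(a, set())
    roles, levels = closure(kb, "owl:equivalentClass"), closure(kb, "owl:sameAs")
    ok_role = any(same(roles, r, q) for r in objects(actor, "hasRole")
                  for q in objects(service, "requiresRole"))
    ok_level = any(same(levels, c, q) for c in objects(actor, "hasClearance")
                   for q in objects(service, "requiresLevel"))
    return ok_role and ok_level

AUDIT = []  # history of service call-outs, kept by the enforcement point
def enforce(actor, service, kb=TRIPLES):
    """PEP: asks the PDP for a decision and records every call, permit or deny."""
    permitted = decide(kb, actor, service)
    AUDIT.append((actor, service, "permit" if permitted else "deny"))
    return permitted
```

Without the two mapping closures, alice's "ops" role and clearance would never match a policy written in "rail" terms, which is exactly the cross-domain gap the mapping ontology closes.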
Rule Execution Environment
The SWRLJess bridge (a Java class) allows the rule engine to interact
with the knowledge base and the SWRL/SQWRL rules.
Sensor Integration into the M2M Platform
SunSPOT sensors are integrated into the Telenor
Objects M2M platform.
M2M Platform
Used Shepherd, an M2M platform from Telenor Objects,
Norway, which is an instance of ETSI TS 102 690.
Implementation
36
Shepherd M2M platform:
Service Management for monitoring, device configuration, SLAs and support.
Service Enabler has a specific API that allows further access to other modules.
Message Engine handles and secures the message flow, including
capturing, processing, routing and storage of data in an environment.
Notification services inform about the status of devices and applications.
Device library consists of interfaces for tool and service recognition.
Shepherd offers two methods for establishing a
connection:
HTTP Connection API
The Connected Objects Operating System (COOS), a Java-based open
source tool.
Implementation
37
Thanks for listening!
Fortune favors the bold
~by Sheryl Sandberg
