This website lists information for the 2018/2019 course Security Services for the IoT (SSI) at the University of Twente. Last updated at 8th July 2019. # Overview  |  ----|----- Course code | 201700083 Coordinator | Cristian Hesselman (SIDN Labs and University of Twente) ( Credits | 5EC (140 hours) Lecturers| - dr. Cristian Hesselman (SIDN Labs and University of Twente)
- dr. Elmer Lastdrager (SIDN Labs)
- Caspar Schutijser MSc (SIDN Labs)
- prof.dr. Aiko Pras (University of Twente)
Room|RA 2237 ([except 15/5 and 5/6](#room-exceptions)) Mailing list| Quartile | 2B: 22 April to 5 July 2019 # Assessment SSI uses papers and (draft) IETF [RFCs]( in combination with a lab assignment to assess to what extend you attained the course’s learning outcomes (see Background). Your individual assessment will be based on your deliverables for SSI, which are: - A **presentation** based on an in-depth study of one of the papers/RFCs - A **completed review form** for two other SSI papers/RFCs - A four-page report on your **lab assignment** To pass SSI, your score will need to be 5.5 or higher, which we calculate as follows: (score presentation) $\times$ 25% + (score two reviews) $\times$ 25% + (score lab assignment) $\times$ 50% Where each of the scores (a) is between 1 (worst) and 10 (best) and (b) must be larger than or equal to 5.5. We will not evaluate the third learning goal (operational business of DNS operators), which serves as a bonus to help you understand how the Internet works operationally. ## Presentation SSI involves 9 interactive technical lectures (see Schedule), in one of which you'll need to present a scientific paper or an IETF (draft) RFC on IoT security. Your lecturers will assign a paper to you based on a random number generator (see [Python code]( In total, SSI involves 26 presentations distributed over 9 lectures. You'll need to study the paper/RFC in depth and present it in 30 minutes, including 10 minutes of questions and discussion. Please use slides to explain what the paper is about and include your observations and critique. RFCs are typically longer than papers, but also contain a lot of detail you can skip, while the information density in academic papers is typically much higher than in RFCs. RFCs cover technical standards (e.g., protocols and best practices) and give you a broader view on the IoT beyond academic papers. RFCs are peer-reviewed in IETF working groups, which typically consist of engineers of equipment manufacturers, service providers, and network operators. Your fellow students score the clarity of your presentation through a simple **presentation review form**, which your lecturers may use to round off the score for your presentation. We'll hand out the evaluation forms at the beginning of each lecture and you must return them before leaving the room. We will put your presentations on the SSI site so they’re available to everyone taking SSI. ## Paper Reviews In addition to your presentation on a paper/RFC, you will need to study two other papers/RFCs and complete the SSI paper review form ([docx](reviewform.docx) or [pdf](reviewform.pdf), see also an [example](reviewform-example.pdf)) for each. Your lecturers will score both review forms and their average score is the score that will account for 25% of your overall score (see [Assessment](#assessment)). The SSI paper review form enables us to evaluate to what degree you understood a paper. It will also help you developing your academic skills because the review form is similar to the review forms typically used in academic paper reviewing. We'll explain the academic reviewing process in the introduction lecture and will provide an example of a completed review form (for a paper not covered in SSI). The SSI paper review form is a separate document that your lecturers will send you and that you must hand in before the lecture in which one of your fellow students presents the paper. Please email it to and Please prefix the subject line with "[ssi]" (without the quotes). Your lecturers will assign the two papers/RFCs to you, as shown in Table [reviews]. Paper | Reviewed by (individually) -----|-------------- [#1] | Dion & Dylan [#2] | Ahmed & Mathay [#3] | Danique & Thomas [#4] | Samarjeet & Shubham [#5] | Harry & Wouter [#6] | Noël & FangFang [#7] | Sam & Mathay [#8] | Sander & Ahmed [#9] | Julik & Shubham [#10] | Tariq & Tom [#11] | Jeroen & Thanasis [#12] | Samarjeet & Tariq [#13] | Dennis & Samiksha [#14] | Niek & Sander [#15] | Joël & Danique [#16] | Harry & Thomas [#17] | Zewei & Jeroen [#18] | Niek & FangFang [#19] | Thanasis & Ruben [#20] | Wouter & Zewei [#21] | Dion & Ander [#22] | Dennis & Noël [#23] | Tom & Dylan [#24] | Julik & Sam [#25] | Samiksha & Joël [#26] | Ruben & Ander [Table [reviews]: The paper assignment for the reviews.] ## Lab Assignment The goal of the lab assignment is for you to gain hands-on experience with measuring and analyzing the network behavior of IoT devices and capturing this behavior in a device profile. In SSI, we'll be using the emerging Manufacturer Usage Description (MUD) standard [#28] [#29] for this purpose. We ask you to measure the network traffic of an IoT device because it gives you insight into how an IoT device works, for instance how it responds to external triggers and what services on the Internet it uses. MUD is an easy to understand language that the IETF standardized in March of 2019. We will provide a GLiNet mini-router for you to carry out the traffic measurements. It runs OpenWRT and [SIDN Labs' software module for IoT security in homenets]( We'll be handing out the mini-routers at the beginning of the course and it’s yours to keep. If you're measuring an IoT device of your own, then please use one with a limited number of tasks such as a light bulb, an audio speaker, or a light switch. The reason is that these types of devices interact with people’s physical world rather, while multi-purpose devices (like web browsers and smart speakers) focus on enabling human users to interact with content and services. We also have a few IoT devices at our disposal that you can use in case you do not have one at home. Your output for the lab assignment consists of: 1. A **four-page report** in the [standard two-column IEEE format]( that discusses the results of your measurements and your proposal on how to use or extend the MUD specification to describe the behavior you measured (an actual MUD spec). You may use text, graphs, tables, or a combination thereof. 2. A **capture** of the IoT device’s network traffic, for instance using TCPdump. You will need to carry out the lab assignment in teams of two (see Table [labs]). Please send your report and traffic captures to and The deadline for both is Sunday June 23, 2019, 23:59 CET. In addition to checking SSI’s learning goals, we’ll also be evaluating your report on parameters such as clarity and soundness of the methodology you used. Team | Members -----|-------- 1 | Ahmed & Dion 2 | Wouter & Julik 3 | Mathay & Niek 4 | Dennis & Thomas 5 | Ruben & Sander 6 | Sam & Joël 7 | Noël & Tom 8 | Shubham & Ander 9 | Jeroen & Tariq 10 | Samarjeet & Thanasis 11 | Danique & Samiksha 12 | FangFang & Dylan 13 | Zewei & Harry [Table [labs]: Lab teams.] # Schedule Table [schedule] shows SSI’s schedule for 2018-2019, which consists of a total of 11 lectures: an introduction, 1 guest lecture, and 9 interactive technical sessions with presentations on papers and RFCs. Upon request, we can also provide a Q&A slot to help you with the SSI lab assignment following one of the lectures. You **must** attend all lectures because of their interactive nature and because you’ll need to provide feedback on the presentations of your fellow students (see We will not evaluate the third learning goal (operational business of DNS operators), which serves as a bonus to help you understand how the Internet works operationally. Lecture | Date | Contents | Presentation #1 | Presentation #2 | Presentation #3 --------|------|----------|-----------------|-----------------|---------------- 1 | April 24 | **Course Introduction**
Lecturer: Elmer Lastdrager
- SSI assessment, schedule, and background.
- Admin matters, such as signing up for the lab assignment
- Collect your GLiNET mini-router
[Lecture slides (pdf)](slides/lecture1a.pdf)

**Guest lecture**: IoT: DDoS victims and device cleanup
Lecturer: Arman Noroozian (TU Delft)
[Lecture slides (pdf)](slides/lecture1b.pdf) 2 | May 1 | **Guest lecture on how the core of the internet is organized**
Lecturer: Marco Davids (SIDN Labs)
Host: Cristian Hesselman
[Lecture slides (pdf)](slides/lecture2.pdf) 3 | May 8 | **Interactive lecture**: IoT Concepts and Applications
Papers/RFCs: [#1] [#2] [#3]
Lecturer: Cristian Hesselman, Elmer Lastdrager, Caspar Schutijser | Jeroen [#1]
[Slides](slides/lecture3a.pdf) | Sander [#2]
[Slides](slides/lecture3b.pdf) | Tom [#3]
[Slides](slides/lecture3c.pdf) 4 | May 15 | **Interactive lecture**: Iot Architectural Considerations
Papers/RFCs: [#4] [#5] [#6]
Lecturer: Cristian Hesselman, Elmer Lastdrager
**Room: CR 3B (!)** | Niek [#4]
[Slides](slides/lecture4a.pdf) | Zewei [#5]
[Slides](slides/lecture4b.pdf) | Joël [#6]
[Slides](slides/lecture4c.pdf) 5 | May 22 | **Interactive lecture**: IoT Standards and Requirements
Papers/RFCs: [#7] [#8] [#9]
Lecturer: Cristian Hesselman, Elmer Lastdrager
[Slides](slides/lecture5intro.pdf) | n/a | Harry [#8]
[Slides](slides/lecture5b.pdf) | Danique [#9]
[Slides](slides/lecture5c.pdf) 6 | May 29 | **Interactive lecture**: IoT Botnet Measurements
Papers/RFCs: [#10] [#11] [#12]
Lecturer: Cristian Hesselman | Noël [#10]
[Slides](slides/lecture6a.pdf) | Dylan [#11]
[Slides](slides/lecture6b.pdf) | Wouter [#12]
[Slides](slides/lecture6c.pdf) 7 | Jun 5 | **Interactive lecture**: Threat & Compromise Detection
Papers/RFCs: [#13] [#14] [#15]
Lecturer: Elmer Lastdrager
**Room: CR 3B (!)** | Ahmed [#13]
[Slides](slides/lecture7a.pdf) | Ruben [#14]
[Slides](slides/lecture7b.pdf) | FangFang [#15]
[Slides](slides/lecture7c.pdf) 8 | Jun 12 | **Interactive lecture**: IoT Device Abuse
Papers/RFCs: [#16] [#17] [#18]
Lecturer: Cristian Hesselman, Elmer Lastdrager | Ander [#16]
[Slides](slides/lecture8a.pdf) | Dion [#17]
[Slides](slides/lecture8b.pdf) | Mathay [#18]
[Slides](slides/lecture8c.pdf) 9 | Jun 19 | **Interactive lecture**: Edge IoT Security Sytems 1
Papers/RFCs: [#19] [#20] [#21]
Lecturer: Elmer Lastdrager, Caspar Schutijser | Sam [#19]
[Slides](slides/lecture9a.pdf) | Samiksha [#20]
[Slides](slides/lecture9b.pdf) | Julik [#21]
[Slides](slides/lecture9c.pdf) 10 | June 26 | **Interactive lecture**: Edge IoT Security Sytems 2
Papers/RFCs: [#22] [#23] [#24]
Lecturer: Elmer Lastdrager, Caspar Schutijser | Samarjeet [#22]
[Slides](slides/lecture10a.pdf) | Thomas [#23]
[Slides](slides/lecture10b.pdf) | Shubham [#24]
[Slides](slides/lecture10c.pdf) 11 | Jul 3 | **Interactive lecture**: IoT Device Profiling
Papers/RFCs: [#25] [#26]
Lecturer: Cristian Hesselman, Elmer Lastdrager | Thanasis [#25]
[Slides](slides/lecture11a.pdf) | Tariq [#26]
[Slides](slides/lecture11b.pdf) | Dennis [#7]
[Slides](slides/lecture11c.pdf) [Table [schedule]: Schedule for SSI 2018/2019.] All lectures take place on **Wednesdays from 10:45 until 12:30** (third and fourth hour) in **RA 2237**, except for May 15th and June 5, when the lectures are in CR 3B. There is a coffee break between 11:45 and 12:00. # Staying up to date Please check the SSI homepage at for the latest schedule and other information. We'll also keep you posted of any changes through the SSI mailing list, which is at You can also use the mailing list for discussing technical and administrative matters with your fellow students and with SSI lecturers. **Note**: sending a message to the list means that you send it to everyone on the list, both students and lecturers. We subscribed everyone on the list on April 9, 2019. Send an email to if you’re not getting messages from the list. # Papers and RFCs We'll be using 26 papers and IETF RFCs on IoT security for the interactive sessions of lectures 3 through 11, with a particular focus on homenets. Papers 28 and 29 are about the Manufacturer Usage Description (MUD), which you'll need for the lab assignment. ## IoT Concepts and Applications [#1]: M. Weiser, "The Computer for the 21st Century", Scientific American Special Issue on Communications, Computers, and Networks, September 1991, [#2]: K. Rose, S. Eldridge, L. Chapin, "The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World", ISOC Whitepaper, October 2015, [#3]: O. Garcia-Morchon, S. Kumar, and M. Sethi, "State-of-the-Art and Challenges for the Internet of Things Security", IRTF Internet Draft, April 2018, ## IoT Architectural Considerations [#4]: H. Tschofenig, J. Arkko, and D. McPherson, "Architectural Considerations in Smart Object Networking", RFC7452, March 2015, [#5]: Eireann Leverett, Richard Clayton & Ross Anderson, "Standardisation and Certification of the `Internet of Things'", 16th Annual Workshop on the Economics of Information Security (WEIS2017), USA, June 2017, [#6]: M. Chiang and T. Zhang, "Fog and IoT: An Overview of Research Opportunities," in IEEE Internet of Things Journal, vol. 3, no. 6, pp. 854-864, December 2016, ## IoT Standards and Requirements [#7]: Tara Salman, Raj Jain, "A Survey of Protocols and Standards for Internet of Things," Advanced Computing and Communications, Vol. 1, No. 1, March 2017, [#8]: ENISA, Baseline Security Requirements for the IoT, [#9]: IETF, "A Firmware Update Architecture for Internet of Things Devices", version 5, April 2019, ## IoT Botnet Measurements [#10]: C. Kolias, G. Kambourakis, A. Stavrou, J. Voas, “DDoS in the IoT: Mirai and Other Botnets”, IEEE Computer, July 2017, [#11]: M. Antonakakis, et al., Understanding the Mirai Botnet, in: 26th USENIX Security Symposium, 2017, [#12]: S. Herwig, K. Harvey, G. Hughey, R. Roberts, and D. Levin, "Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet", Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, USA, February 2019, ## Threat & Compromise Detection [#13]: J. Spaulding and A. Mohaisen, "Defending Internet of Things Against Malicious Domain Names using D-FENS," 2018 IEEE/ACM Symposium on Edge Computing (SEC), Seattle, WA, 2018, pp. 387-392, [#14]: Y. Meidan et al., "N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders," in IEEE Pervasive Computing, vol. 17, no. 3, pp. 12-22, Jul.-Sep. 2018. doi: [10.1109/MPRV.2018.03367731]( [#15]: Thien Duc Nguyen, Samuel Marchal, Markus Miettinen, Minh Hoang Dang, N. Asokan, Ahmad-Reza Sadeghi, "DIoT: A Crowdsourced Self-learning Approach for Detecting Compromised IoT Devices", The 39th IEEE International Conference on Distributed Computing Systems (accepted for publication), January 2019, ## IoT Device Abuse [#16]: Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow. "IoTPOT: Analysing the Rise of IoT Compromises". 9th USENIX Workshop on Offensive Technologies (co-located with USENIX Sec '15), WOOT '15, Washington, DC, [#17]: Šimon M., Huraj L., Horák T. (2019) DDoS Reflection Attack Based on IoT: A Case Study. In: Silhavy R. (eds) Cybernetics and Algorithms in Intelligent Systems. CSOC2018 2018. Advances in Intelligent Systems and Computing, vol 765, [#18]: Rouven Scholz and Christian Wressnegger, "Security Analysis of Devolo HomePlug Devices", In Proceedings of the 12th European Workshop on Systems Security (EuroSec '19), 2019, ## Edge IoT Security Systems 1 [#19]: Martin Serror, Martin Henze, Sacha Hack, Marko Schuba, and Klaus Wehrle. 2018. "Towards In-Network Security for Smart Homes." In Proceedings of the 13th International Conference on Availability, Reliability and Security (ARES 2018), [#20]: Javid Habibi, Daniele Midi, Anand Mudgerikar, and Elisa Bertino, "Heimdall: Mitigating the Internet of Insecure Things", IEEE Internet of Things Journal, Vol. 4, No. 4, Aug 2017 [#21]: Chase E. Steward, Anne Maria Vasu, Eric Keller, "CommunityGuard: A Crowdsourced Home Cyber-Security System", ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization (SDN-NFV Security), March 2017, ## Edge IoT Security Systems 2 [#22]: C. Dietz et al., "IoT-Botnet Detection and Isolation by Access Routers," 2018 9th International Conference on the Network of the Future (NOF), Poznan, 2018, pp. 88-95, [#23]: Vijay Sivaraman, Hassan Habibi Gharakheili, Arun Vishwanath, Roksana Boreli, Olivier Mehani, "Network-level security and privacy control for smart-home IoT devices", IEEE 11th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Abu Dhabi, United Arab Emirates, Oct 2015, [#24]: A. K. Simpson, F. Roesner, and T. Kohno, "Securing vulnerable home iot devices with an in-hub security manager," First International Workshop on Pervasive Smart Living Spaces (PerLS 2017) — in conjunction with IEEE PerCom 2017, March 2017, ## IoT Device Profiling [#25]: Noah Apthorpe, Dillon Reisman, Nick Feamster, "A Smart Home is No Castle: Privacy Vulnerabilities of Encrypted IoT Traffic", Workshop on Data and Algorithmic Transparency (DAT '16), New York University Law School, November 2016, [#26]: Marchal, S., Miettinen, M., Nguyen, T. D., Sadeghi, A-R., & Asokan, N. (Accepted/In press). AuDI: Towards Autonomous IoT Device-Type Identification using Periodic Communication. IEEE Journal on Selected Areas in Communications, ## Lab Assignment [#28]: E. Lear, R. Droms, and D. Romascanu, "Manufacturer Usage Description Specification", RFC 8520, March 2019, [#29]: Ayyoob Hamza, Dinesha Ranathunga, H. Habibi Gharakheili, Matthew Roughan, Vijay Sivaraman, "Clear as MUD: Generating, Validating and Applying IoT Behaviorial Profiles" (Technical Report), April 2018, # Background ## Motivation The "Internet of Things" (IoT) is an emerging Internet application that analysist expect will connect 20-30 billion everyday objects to the Internet, such as cars, droned, robots, traffic lights, door locks, and light bulbs. The key added value of the IoT is that it a passive and pervasive application that operates “in the background” as an integral and invisible part of people’s lives [#1][#2], thus enabling us to save time and effort. Conceptually, the IoT accomplishes this by continually interpreting and updating a distributed online representation of people’s physical environments based on data from a wide range of sensors and then uses this model to act upon the real world through actuators, all typically without human involvement or awareness However, the IoT also poses a large-scale security threat because many IoT devices are insecure. Adversaries for instance exploit these vulnerabilities to launch massive DDoS attacks on the Internet infrastructure, such as the DDoS attacks on DNS provider Dyn of late 2016 [#11], which led to large-scale outages of popular services such as Spotify and Twitter. Insecure devices also jeopardize the privacy and safety of users, for instance because they enable adversaries to capture the video feed of online baby monitors or remotely open doors or change room temperatures. ## Synopsis SSI provides you with an overview of current IoT security challenges and technical solutions to address them, for instance using profiles that describe the behavior of IoT devices, measurement systems, and "reverse firewalls" that automatically block outgoing DDoS traffic. SSI will test your ability to understand, apply, and modify a few of these solutions. The study material for SSI consists of (1) scientific papers and (draft) IETF RFCs and (2) a hands-on lab assignment to measure the behavior of IoT devices and describe it through a device profile. SIDN Labs will provide a mini-router with experimental software for the lab assignment, which is yours to keep. ## Learning Outcomes After successful completion of SSI you will: - Understand IoT concepts and applications, security threats, technical solutions, and a few relevant standardization efforts in the IETF - Be able to analyze network traffic of IoT devices and create device profiles that describe this behavior - Understand the operational business of DNS operators and the impact the IoT may have on them (industry perspective) SSI also contributes to your skills to independently carry out research projects and to develop services and systems. ## Contents - Overview of IoT concepts and applications IoT security threats - Device description languages - IoT and threat measurement systems - Mitigation functions - IoT standardization in the IETF ## Interaction SSI is a highly interactive course in which students for instance report on papers they have studied and engage in technical discussions with their peers. The number of students is therefore limited to 27 and they will need to attend all lectures in person at the University of Twente (remote participation will not be available). ## Organization SSI is a collaboration between the University of Twente and [SIDN Labs](, the research department of the domain name registry for the Netherlands' top-level domain, .nl. SIDN Labs' goal is to increase the operational security and resilience of the Internet, for instance through SPIN, an open source security system that protects the Internet and end-users from compromised IoT devices. ## Study Material The study material of SSI consists of academic papers and (draft) IETF standards (RFCs), the MUD RFC, and a GLiNet mini-router. ## Prerequisites Network Security (ET4397IN) or Internet Security (192654000) ## Related Courses 4TU Cyber Security: - Cyber Data Analytics, - Internet Security, - Software Security, - Language-based Software Security, - Applied Security Analysis "Hacking Lab", - Privacy-Enhancing Technologies,