
Design and implementation of intelligent packet filtering in IoT microcontroller-based devices

Gustavo de Carvalho Bertoli, Gabriel Victor C. Fernandes, Pedro H. Borges Monici, César H. de Araujo Guibo, Lourenço Alves Pereira, Aldri Santos

TL;DR

This paper introduces T800, a low-resource packet filter that uses machine learning (ML) algorithms to classify packets in IoT devices, and shows that it is an efficient solution that increases device computational capacity by excluding unsolicited malicious traffic from the processing pipeline.

Abstract

Internet of Things (IoT) devices are increasingly pervasive and essential components in enabling new applications and services. However, their widespread use also exposes them to exploitable vulnerabilities and flaws that can lead to significant losses. In this context, ensuring robust cybersecurity measures is essential to protect IoT devices from malicious attacks. However, the current solutions that provide flexible policy specifications and higher security levels for IoT devices are scarce. To address this gap, we introduce T800, a low-resource packet filter that utilizes machine learning (ML) algorithms to classify packets in IoT devices. We present a detailed performance benchmarking framework and demonstrate T800's effectiveness on the ESP32 system-on-chip microcontroller and ESP-IDF framework. Our evaluation shows that T800 is an efficient solution that increases device computational capacity by excluding unsolicited malicious traffic from the processing pipeline. Additionally, T800 is adaptable to different systems and provides a well-documented performance evaluation strategy for security ML-based mechanisms on ESP32-based IoT systems. Our research contributes to improving the cybersecurity of resource-constrained IoT devices and provides a scalable, efficient solution that can be used to enhance the security of IoT systems.

Paper Structure (12 sections, 5 equations, 10 figures, 7 tables)

Figures (10)

  • Figure 1: T800 packet filtering architecture. T800's mechanism consists of intercepting the network packets after they are available in RAM. The interception point corresponds to the first function inside the TCP/IP stack to ensure filtering before processing by the adjacent layers. The decision to accept or drop packets is pluggable, leaving the security policy specification flexible and dynamic.
  • Figure 2: Implementation structure of T800. The current packet workflow is dynamically activated or deactivated depending on the execution context. In addition, the pluggable classification function implements the heuristics to identify malicious or normal packets.
  • Figure 3: Sequence diagram for capturing the ESP32's evaluation metrics. It describes the protocol for executing an experiment replica: the corresponding classification function is loaded dynamically, and the workload exercises the system for a period after the system signals that it is ready.
  • Figure 4: Interaction of T800 with lwIP, the ESP-IDF TCP/IP stack. T800's design assumes coupling to lwIP while interfering minimally with the original system. However, it is flexible enough to be adapted to other stacks.
  • Figure 5: Setup for measuring the T800 energy consumption in an ESP32-based system. The monitor is implemented in hardware and attached to the physical system. All data gathered is stored separately on the monitor.
  • ...and 5 more figures