Detecting Intrusions in Cyber-Physical Systems of Smart Cities: Challenges and Directions


Ismail Butun, Patrik Österberg
Copyright: © 2019 |Pages: 29
DOI: 10.4018/978-1-5225-7189-6.ch004

Abstract

Interfacing the smart cities with cyber-physical systems (CPSs) improves cyber infrastructures while introducing security vulnerabilities that may lead to severe problems such as system failure, privacy violation, and/or issues related to data integrity if security and privacy are not addressed properly. In order for the CPSs of smart cities to be designed with proactive intelligence against such vulnerabilities, anomaly detection approaches need to be employed. This chapter will provide a brief overview of the security vulnerabilities in CPSs of smart cities. Following a thorough discussion on the applicability of conventional anomaly detection schemes in CPSs of smart cities, possible adoption of distributed anomaly detection systems by CPSs of smart cities will be discussed along with a comprehensive survey of the state of the art. The chapter will discuss challenges in tailoring appropriate anomaly detection schemes for CPSs of smart cities and provide insights into future directions for the researchers working in this field.

Introduction

Today, the pace of technology is incredibly high and brings new terms and notions every so often. For instance, cyber-cities, cyber-infrastructures, cyber-facilities, Internet of Things (IoT), Industrial IoT (IIoT), Web of Things (WoT), and Internet of Everything (IoE) are just a few that relate to the current topic of smart cities.

Cyber is the critical term signalling that the thing it refers to is related to computing technology, and it emphasizes some artificial smartness. Therefore, cyber-cities, cyber-infrastructures, and cyber-facilities are the counterparts of the terms they build on (i.e. cities, infrastructures, and facilities, respectively) and denote the smarter, automated, and technologically improved versions of them (Kim, 2012). The Cyber-Physical System (CPS) is one of the main pillars of all cyber-related notions such as cyber-cities, cyber-infrastructures, and cyber-facilities (Poovendran, 2010).

According to UN reports, current cities in developed and under-developed countries are at the edge of livable limits in terms of scalability, environment, and security, owing to fast population growth across the world (Khatoun and Zeadally, 2017). Although the main objective of a smart city is to improve the quality of life of its inhabitants, it may also help relieve the world from over-population stress by providing efficiently managed cities along with sustainable resources (energy, water, etc.). That being said, the security and privacy of the people constitute one of the biggest concerns and challenges to be faced in the rapid development of smart cities.

IoE brings together people, processes, data (raw or processed), and things (cameras, sensors, actuators, etc.) to make network connections more relevant and valuable than ever before, turning information into actions that create new capabilities, richer experiences, and unprecedented economic opportunity for businesses, individuals, and countries. The IoT, in contrast, is the network of physical objects accessed through the Internet. These objects contain embedded technology to interact with internal states or the external environment. In other words, when objects can sense and communicate, it changes how and where decisions are made, and who makes them. For example, the Learning Thermostat by Nest Inc. (2018) learns what temperature you like and builds a regulating schedule (to heat up or cool down the house) around your routine, acting like a personal assistant. In this way, not only is the comfort level in the house improved, but overall energy consumption is also drastically decreased, since heating and cooling are reduced while you are away.

Similarly to what the application-layer web is to the network-layer Internet, the WoT provides an application layer that simplifies the creation of IoT applications and therefore is a term that needs to be considered under the IoT umbrella. When IoT enters the industrial domain with higher communication and security standards, it is called Industrial IoT (IIoT). In addition, IoE further advances the power of the Internet to improve business and industry outcomes, and ultimately to make people's lives better by building on the progress of IoT. Nevertheless, as devices become more connected and collect more data, privacy and security concerns will increase too. How companies and entities decide to balance customer privacy with this wealth of IoE data will be critical (Banafa, 2016).

Key Terms in this Chapter

Intrusion: An event in which unauthorized users, generally referred to as hackers, gather information or obtain access rights that they are normally not allowed to have.

SNORT: A lightweight and dedicated host-based IDS composed of four components: the packet decoder, the detection engine, the logger, and the alert generator. Snort employs an easy and flexible rule definition language that creates the rules used by the intrusion detection engine.

Anomaly: Abnormal behavior of a system or user that deviates from the normal pattern of usage. An anomaly can be an indication of a malfunction, an error, or, more importantly, an intrusion.

Denial of Service (DoS): A class of attack in which the targeted network or system is disconnected or forced out of its intended mode of operation. It is one of the most dangerous attacks, capable of taking down any type of network of any size.

Agent: A program installed at the host to perform the following tasks: event filtering, event aggregation, normalization of the aggregated events, and sending the aggregated results to the data analyzer of a centralized intrusion detection program for further inspection and decision making.

Sensors: These are responsible for collecting evidence regarding events and are among the most critical components of an IDS. The input for a sensor may be any component of a network that can generate useful information regarding intrusions, for example log files, network packets, traces of system calls, etc. Sensors also send the intrusion-related data to the data analyzer of the IDS.
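The Agent and Sensors entries above describe a host-side pipeline: raw evidence is filtered, normalized into a common event schema, aggregated, and shipped to a central analyzer. The following is an added illustration of that pipeline in Python, not code from the chapter; the log lines, host name, addresses and event kinds are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample auth/cron lines, as a sensor would hand them to the agent.
SAMPLE_LOG = """\
Jun 01 10:00:01 plc-gw sshd[311]: Failed password for root from 10.0.5.7 port 4122 ssh2
Jun 01 10:00:02 plc-gw sshd[311]: Failed password for root from 10.0.5.7 port 4123 ssh2
Jun 01 10:00:05 plc-gw CRON[412]: (root) CMD (run-parts /etc/cron.hourly)
Jun 01 10:00:09 plc-gw sshd[315]: Accepted password for operator from 10.0.1.20 port 5000 ssh2
Jun 01 10:00:11 plc-gw sudo: operator : TTY=pts/0 ; USER=root ; COMMAND=/bin/systemctl restart modbusd
Jun 01 10:00:14 plc-gw sshd[318]: Failed password for root from 10.0.5.7 port 4125 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Event filtering: only these patterns are forwarded; everything else is dropped at the host.
PATTERNS = {
    "auth_failure": re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "auth_success": re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)"),
    "priv_escalation": re.compile(r"sudo: (?P<user>\S+) : .*USER=(?P<target>\S+)"),
}

def normalize(line):
    """Normalization: map one raw line to the common event schema, or None if filtered out."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, pat in PATTERNS.items():
        hit = pat.search(m["msg"])
        if hit:
            return {"host": m["host"], "kind": kind, "user": hit["user"],
                    "src": hit.groupdict().get("src", "local")}
    return None

def aggregate(lines):
    """Aggregation: collapse repeated identical events into counts for the analyzer."""
    counts = Counter()
    for line in lines:
        ev = normalize(line)
        if ev:
            counts[(ev["host"], ev["kind"], ev["user"], ev["src"])] += 1
    return [{"host": h, "kind": k, "user": u, "src": s, "count": n}
            for (h, k, u, s), n in counts.items()]

def agent_report(raw_log=SAMPLE_LOG):
    """The summary the agent would send to the central data analyzer."""
    return aggregate(raw_log.splitlines())

def report_index(raw_log=SAMPLE_LOG):
    """Same report keyed by (kind, user, src) for easy lookup."""
    return {(e["kind"], e["user"], e["src"]): e["count"] for e in agent_report(raw_log)}
```

Three repeated failed root logins from one source are reduced to a single counted event, while the routine cron entry never leaves the host.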

Security Risk Assessment: Identifying the vulnerabilities of a system along with the possible worst-case scenarios, their probabilities, and the evaluation of total property losses in case such events occur. This activity is generally performed during the establishment of security services for a network or computer system, as part of the provisioning of information security services.

Log File: A file that keeps records of events that happen in an operating system or in other software. Logging is the function of keeping such a log in a specific place. Following an intrusion event, log files help information security officers reveal what went wrong and what damage occurred during the intrusion.

Event: An expected or unexpected happening related to the systems in operation. Examples of events are the arrival of connection commands, a request for permission on certain files, a request for escalation of permissions, etc.

Firewall: Software or hardware designed to block unwanted or unauthorized network traffic between computer networks or hosts. Firewalls are mostly considered part of the IPS that constitutes the first line of defense in the provisioning of information security services.
