The mature protection mechanisms for traditional desktops (e.g., antivirus or EDR) cannot be applied directly to IoT endpoint devices, whose constrained resources, unfriendly interfaces, and heterogeneous architectures make protecting them extremely difficult. Recently, several research works have applied firmware emulation techniques to re-host the firmware of IoT endpoint devices in emulated IoT systems, enabling high-fidelity, system-level monitoring and testing of virtual IoT endpoint devices so that dynamic analysis and fuzzing can be realized. In this speech, we go one step further and use the emulated, virtual IoT endpoint device as a "substitute" for the physical device we want to protect. By integrating a system-level monitoring component, malicious behavior in the virtual device can be captured, and the corresponding suspicious network payload carrying the malicious command or binary can be identified. Via an IDS, we can then block the anomalous packets and realize EDR. Finally, we demonstrate how the developed experimental EDR platform protects several commercial IoT devices.
Shin-Ming Cheng received his B.S. and Ph.D. degrees in computer science and information engineering from National Taiwan University, Taipei, Taiwan, in 2000 and 2007, respectively. Since 2012, he has been on the faculty of the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taipei, where he is currently an associate professor. Since 2017, he has also been with the Research Center for Information Technology Innovation, Academia Sinica, Taipei, as a joint assistant research fellow. Since 2014, he has been cultivating cybersecurity talent with the support of the Ministry of Education and holds the Advanced Information Security summer school (AIS) each year. His current interests are telecommunications and mobile network security. He also investigates IoT system security and the development of cybersecurity platforms.