ABSTRACT
The latest generation of IoT systems incorporate machine learning (ML) technologies on edge devices. This introduces new engineering challenges to bring ML onto resource-constrained hardware, and complications for ensuring system security and privacy. Existing research prescribes iterative processes for machine learning enabled IoT products to ease development and increase product success. However, these processes mostly focus on existing practices used in other generic software development areas and are not specialized for the purpose of machine learning or IoT devices.
This research seeks to characterize engineering processes and security practices for ML-enabled IoT systems through the lens of the engineering lifecycle. We collected data from practitioners through a survey (N=25) and interviews (N=4). We found that security processes and engineering methods vary by company. Respondents emphasized the engineering cost of security analysis and threat modeling, and trade-offs with business needs. Engineers reduce their security investment if it is not an explicit requirement. The threats of IP theft and reverse engineering were a consistent concern among practitioners when deploying ML for IoT devices. Based on our findings, we recommend further research into understanding engineering cost, compliance, and security trade-offs.
- 2016. Hackers Used New Weapons to Disrupt Major Websites Across U.S. https://www.nytimes.com/2016/10/22/business/internet-problems-attack.html. Accessed June 08, 2021.Google Scholar
- 2016. A Primer on Continuous Delivery. https://feeney.mba/a-primer-on-continuous-delivery.htmlGoogle Scholar
- 2017. Baseline Security Recommendations for IoT. https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot. Accessed June 09, 2021.Google Scholar
- 2017. Your Roomba May Be Mapping Your Home, Collecting Data That Could Be Shared. https://www.nytimes.com/2017/07/25/technology/roomba-irobot-data-privacy.html. Accessed June 08, 2021.Google Scholar
- 2019. IoT Device Cybersecurity Capability Core Baseline. https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259A.pdf. Accessed June 09, 2021.Google Scholar
- 2020. Foundational Cybersecurity Activitiesfor IoT Device Manufacturers. https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf. Accessed June 09, 2021.Google Scholar
- 2020. IoT Non-Technical Supporting Capability Core Baseline. https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259b-draft.pdf. Accessed June 09, 2021.Google Scholar
- 2020. System brings deep learning to "internet of things" devices. https://news.mit.edu/2020/iot-deep-learning-1113.Google Scholar
- Yasemin Acar, Christian Stransky, Dominik Wermke, Charles Weir, Michelle L. Mazurek, and Sascha Fahl. 2017. Developers Need Support, Too: A Survey of Security Advice for Software Developers. Proceedings - IEEE Cybersecurity Development Conference, SecDev (2017). Google ScholarCross Ref
- Deniz Akdur, Vahid Garousi, and Onur Demirörs. 2018. A survey on modeling and model-driven engineering practices in the embedded software industry. Journal of Systems Architecture 91 (2018), 62--82. Google ScholarCross Ref
- Sultan Alharby, Nick Harris, Alex Weddell, and Jeff Reeve. 2018. The Security Trade-offs in Resource Constrained Nodes for IoT Application. International Journal of Electrical, Electronic and Communication Sciences: 11.0. 12, 1 (2018), 56--63. https://www.researchgate.net/publication/322747058%0Ahttp://www.waset.org/downloads/15/papers/18ae010177.pdfGoogle Scholar
- Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In 2019 IEEE Symposium on Security and Privacy, SP.Google Scholar
- Saleema Amershi, Andrew Begel, Christian Bird, Robert DeLine, Harald Gall, Ece Kamar, Nachiappan Nagappan, Besmira Nushi, and Thomas Zimmermann. 2019. Software Engineering for Machine Learning: A Case Study. In International Conference on Software Engineering: Software Engineering in Practice. Google ScholarDigital Library
- Hala Assal and Sonia Chiasson. 2019. "Think secure from the beginning": A survey with software developers. Conference on Human Factors in Computing Systems - Proceedings (2019). Google ScholarDigital Library
- Luigi Atzori, Antonio Iera, and Giacomo Morabito. 2010. The Internet of Things: A survey. Computer Networks (2010). Google ScholarDigital Library
- Saurabh Bagchi, Tarek F. Abdelzaher, Ramesh Govindan, Prashant Shenoy, Akanksha Atrey, Pradipta Ghosh, and Ran Xu. 2020. New Frontiers in IoT: Networking, Systems, Reliability, and Security Challenges. IEEE Internet of Things Journal 7, 12 (2020), 11330--11346. Google ScholarCross Ref
- Vishnu Banna, Akhil Chinnakotla, and et al. 2021. An Experience Report on Machine Learning Reproducibility: Guidance for Practitioners and TensorFlow Model Garden Contributors. arXiv (2021).Google Scholar
- Iulia Bastys, Musard Balliu, and Andrei Sabelfeld. 2018. If This Then What?: Controlling Flows in IoT Apps. In Conference on Computer and Communications Security, CCS.Google ScholarDigital Library
- Chiara Bodei, Stefano Chessa, and Letterio Galletta. 2019. Measuring Security in IoT Communications. Theoretical Computer Science 764 (April 2019), 100--124. Google ScholarDigital Library
- Will Brackenbury, Abhimanyu Deora, Jillian Ritchey, Jason Vallee, Weijia He, Guan Wang, Michael L. Littman, and Blase Ur. 2019. How Users Interpret Bugs in Trigger-Action Programming. In Conference on Human Factors in Computing Systems CHI.Google Scholar
- Z. Berkay Celik, Earlence Fernandes, Eric Pauley, Gang Tan, and Patrick D. McDaniel. 2019. Program Analysis of Commodity IoT Applications for Security and Privacy: Challenges and Opportunities. ACM Comput. Surv. 52, 4 (2019).Google Scholar
- Z. Berkay Celik, Patrick D. McDaniel, Gang Tan, Leonardo Babun, and A. Selcuk Uluagac. 2019. Verifying Internet of Things Safety and Security in Physical Spaces. IEEE Secur. Priv. 17, 5 (2019).Google ScholarCross Ref
- Z. Berkay Celik, Gang Tan, and Patrick D. McDaniel. 2019. IoTGuard: Dynamic Enforcement of Security and Safety Policy in Commodity IoT. In 26th Annual Network and Distributed System Security Symposium, NDSS.Google Scholar
- Mengsu Chen, Felix Fischer, Na Meng, Xiaoyin Wang, and Jens Grossklags. 2019. How reliable is the crowdsourced knowledge of security implementation?. In International Conference on Software Engineering (ICSE).Google ScholarDigital Library
- Long Cheng, Christin Wilson, Song Liao, Jeffrey Young, Daniel Dong, and Hongxin Hu. 2020. Dangerous Skills Got Certified: Measuring the Trustworthiness of Skill Certification in Voice Personal Assistant Platforms. In CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security. ACM.Google Scholar
- François Chollet. 2017. Xception: Deep learning with depthwise separable convolutions. Proceedings - 30th IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2017 (2017), 1800--1807. arXiv:1610.02357 Google ScholarCross Ref
- Rafael Maiani de Mello and Guilherme Horta Travassos. 2016. Surveys in Software Engineering: Identifying Representative Samples. In Proceedings of the 10th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM '16). Association for Computing Machinery, Article 55, 6 pages. Google ScholarDigital Library
- Joa Pedro Dias and Hugo Sereno Ferreira. 2018. State of the software development life-cycle for the internet-of-things. arXiv (2018). arXiv:1811.04159Google Scholar
- Paul Dodemaide, Prof. Lynette Joubert, Dr Nicole Hill, and Dr Mark Merolli. 2020. Online Survey Design and Social Media. In Proceedings of the Australasian Computer Science Week Multiconference (ACSW '20). Association for Computing Machinery, Article 36, 8 pages. Google ScholarDigital Library
- B. Dorsemaine, J. Gaulier, J. Wary, N. Kheir, and P. Urien. 2015. Internet of Things: A Definition Taxonomy. In 2016 9th International Conference on Next Generation Mobile Applications, Services and Technologies. 72--77. Google ScholarCross Ref
- El Mahdi El Mhamdi and Rachid Guerraoui. 2017. When Neurons Fail. Proceedings - 2017 IEEE 31st International Parallel and Distributed Processing Symposium, IPDPS 2017 (2017), 1028--1037. arXiv:1706.08884 Google ScholarCross Ref
- Pardis Emami-Naeini. 2020. Informing Privacy and Security Decision Making in an IoT World. Ph. D. Dissertation. Carnegie Mellon University.Google Scholar
- Michael Fagan, Katerina N Megas, Karen Scarfone, and Matthew Smith. 2020. Foundational Cybersecurity Activities for IoT Device Manufacturers. NIST Interagency/Internal Report 8259 (2020). https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdfGoogle Scholar
- Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. 2016. Security Analysis of Emerging Smart Home Applications. In IEEE Symposium on Security and Privacy, SP.Google Scholar
- Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, and Atul Prakash. 2018. Decentralized Action Integrity for Trigger-Action IoT Platforms. In 25th Annual Network and Distributed System Security Symposium, NDSS.Google Scholar
- Fereshteh Ghaljaie, Mahin Naderifar, and Hamideh Goli. 2017. Snowball Sampling: A Purposeful Method of Sampling in Qualitative Research. Strides in Development of Medical Education 14, 3 (2017). arXiv:http://sdme.kmu.ac.ir/article_90598_-3632edfb2e97c38d73c0bdea8753195c.pdf Google Scholar
- Kim Hazelwood, Sarah Bird, David Brooks, Soumith Chintala, Utku Diril, Dmytro Dzhulgakov, Mohamed Fawzy, Bill Jia, Yangqing Jia, Aditya Kalro, James Law, Kevin Lee, Jason Lu, Pieter Noordhuis, Misha Smelyanskiy, Liang Xiong, and Xiaodong Wang. 2018. Applied Machine Learning at Facebook: A Datacenter Infrastructure Perspective. In HPCA. Google ScholarCross Ref
- Robert M. Hierons. 1999. Machine Learning, by Tom M. Mitchell, McGraw-Hill, 1997 (Book Review). Softw. Test. Verification Reliab. 9, 3 (1999), 191--193.Google ScholarCross Ref
- Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. 2015. Distilling the Knowledge in a Neural Network. NIPS Deep Learning and Representation Learning Workshop (2015), 1--9. arXiv:1503.02531 http://arxiv.org/abs/1503.02531Google Scholar
- Andrew G. Howard, Menglong Zhu, Bo Chen, Dmitry Kalenichenko, Weijun Wang, Tobias Weyand, Marco Andreetto, and Hartwig Adam. 2017. MobileNets: Efficient convolutional neural networks for mobile vision applications. arXiv (2017). arXiv:1704.04861Google Scholar
- Jez Humble and Gene Kim. 2018. Accelerate: The science of lean software and devops: Building and scaling high performing technology organizations. IT Revolution.Google Scholar
- Heiner Lasi, Peter Fettke, Hans-Georg Kemper, Thomas Feld, and Michael Hoffmann. 2014. Industry 4.0. Business & information systems engineering (2014).Google Scholar
- Dirk Van Der Linden, Pauline Anthonysamy, Bashar Nuseibeh, Thein Than Tun, Marian Petre, Mark Levine, John Towse, and Awais Rashid. 2020. Schrodinger's security: Opening the box on app developers' security rationale. Proceedings - International Conference on Software Engineering (2020). Google ScholarDigital Library
- MH Lloyd and PJ Reeve. 2009. IEC 61508 and IEC 61511 assessments-some lessons learned. (2009).Google Scholar
- Tamara Lopez, Helen Sharp, Thein Tun, Arosha Bandara, Mark Levine, and Bashar Nuseibeh. 2019. Hopefully we are mostly secure': Views on secure code in professional practice. Proceedings - 2019 IEEE/ACM 12th International Workshop on Cooperative and Human Aspects of Software Engineering, CHASE 2019 (2019). Google ScholarDigital Library
- Amir Makhshari and Ali Mesbah. 2021. IoT Bugs and Development Challenges. ICSE 2021 (2021), 460--472. Google ScholarDigital Library
- Xianghang Mi, Feng Qian, Ying Zhang, and XiaoFeng Wang. 2017. An empirical characterization of IFTTT: ecosystem, usage, and performance. In Proceedings of the 2017 Internet Measurement Conference, IMC.Google ScholarDigital Library
- Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal, and Arvind Narayanan. 2019. Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS. ACM.Google ScholarDigital Library
- Blaine Nelson, Benjamin I.P. Rubinstein, Ling Huang, Anthony D. Joseph, Steven J. Lee, Satish Rao, and J. D. Tygar. 2012. Query strategies for evading convex-inducing classifiers. Journal of Machine Learning Research 13 (2012), 1293--1332. arXiv:1007.0484Google ScholarDigital Library
- Taehyeun Park, Nof Abuzainab, and Walid Saad. 2016. Learning How to Communicate in the Internet of Things: Finite Resources and Heterogeneity. IEEE Access 4 (2016). Google ScholarCross Ref
- Roger S Pressman. 2005. Software engineering: a practitioner's approach. Palgrave macmillan.Google Scholar
- Pytorch. 2017. TORCHVISION - https://pytorch.org/vision/stable/index.html. https://pytorch.org/vision/stable/index.html?highlight=torchvision#module-torchvisionGoogle Scholar
- Bin Qian, Jie Su, Zhenyu Wen, Devki Nandan Jha, Yinhao Li, Yu Guan, Deepak Puthal, Philip James, Renyu Yang, Albert Y. Zomaya, Omer Rana, Lizhe Wang, MacIej Koutny, and Rajiv Ranjan. 2020. Orchestrating the Development Lifecycle of Machine Learning-based IoT Applications: A Taxonomy and Survey. Comput. Surveys 53 (2020). Issue 4. Google ScholarDigital Library
- Paul Ralph, Sebastian Baltes, Domenico Bianculli, et al. 2020. ACM SIGSOFT Empirical Standards. CoRR abs/2010.03525 (2020). arXiv:2010.03525Google Scholar
- Frances Robles and Nicole Perlroth. 2021. 'Dangerous Stuff': Hackers Tried to Poison Water Supply of Florida Town. The New York Times (Feb. 2021).Google Scholar
- Ruben M. Sandoval, Sebastian Canovas-Carrasco, Antonio Javier Garcia-Sanchez, and Joan Garcia-Haro. 2019. A reinforcement learning-based framework for the exploitation of multiple rats in the iot. IEEE Access 7 (2019). Google ScholarCross Ref
- F. Schwandt. 2016. Internet of things (IoT) connected devices installed base worldwide from 2015 to 2025 in billions - Statista. (2016). https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwideGoogle Scholar
- Eugene Siow, Thanassis Tiropanis, and Wendy Hall. 2018. Analytics for the Internet of Things: A Survey. ACM Comput. Surv. 51, 4, Article 74 (July 2018), 36 pages. Google ScholarDigital Library
- Jacob Steinhardt, Pang Wei Koh, and Percy Liang. 2017. Certified defenses for data poisoning attacks. Advances in Neural Information Processing Systems 2017-December, i (2017), 3518--3530. arXiv:1706.03691Google Scholar
- Manuel Suarez-Albela, Tiago M. Fernandez-Carames, Paula Fraga-Lamas, and Luis Castedo. 2018. A practical performance comparison of ECC and RSA for resource-constrained IoT devices. 2018 Global Internet of Things Summit, GIoTS 2018 (2018). Google ScholarCross Ref
- Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, and Limin Jia. 2017. Some Recipes Can Do More Than Spoil Your Appetite: Analyzing the Security and Privacy Risks of IFTTT Recipes. In Proceedings of the 26th International Conference on World Wide Web, WWW.Google ScholarDigital Library
- TensorFLow. 2021. Models datasets - https://github.com/tensorflow/models. https://github.com/tensorflow/modelsGoogle Scholar
- Tyler W. Thomas, Madiha Tabassum, Bill Chu, and Heather Lipford. 2018. Security during application development: An application security expert perspective. Conference on Human Factors in Computing Systems - Proceedings (2018). Google ScholarDigital Library
- Santiago Torres-Arias. 2020. In-toto: Practical Software Supply Chain Security. Ph. D. Dissertation. New York University Tandon School of Engineering.Google ScholarDigital Library
- Wiebke Toussaint and Aaron Yi Ding. 2020. Machine Learning Systems in the IoT: Trustworthiness Trade-offs for Edge Intelligence. In 2020 IEEE Second International Conference on Cognitive Machine Intelligence (CogMI). 177--184. Google ScholarCross Ref
- Jeffrey Voas. 2016. Demystifying the Internet of Things. Computer 49, 6 (2016), 80--83. Google ScholarDigital Library
- Fangxin Wang, Miao Zhang, Xiangxiang Wang, Xiaoqiang Ma, and Jiangchuan Liu. 2020. Deep Learning for Edge Computing Applications: A State-of-the-Art Survey. IEEE Access 8 (2020). Google ScholarCross Ref
- Elecia White. 2011. Making Embedded Systems: Design Patterns for Great Software. O'Reilly Media.Google Scholar
- Han Xiao, Huang Xiao, and Claudia Eckert. 2012. Adversarial label flips attack on support vector machines. Frontiers in Artificial Intelligence and Applications 242 (2012), 870--875. Google ScholarCross Ref
- Shuochao Yao, Yiran Zhao, Huajie Shao, Sheng Zhong Liu, Dongxin Liu, Lu Su, and Tarek Abdelzaher. 2018. FastDeepIoT: Towards understanding and optimizing neural network execution time on mobile and embedded devices - SenSys 2018 - Proceedings of the 16th Conference on Embedded Networked Sensor Systems. SenSys2018. Google ScholarDigital Library
Index Terms
- "If security is required": engineering and security practices for machine learning-based IoT devices
Recommendations
Security and Privacy in IoT Using Machine Learning and Blockchain: Threats and Countermeasures
Invited Tutorial and Regular PapersSecurity and privacy of users have become significant concerns due to the involvement of the Internet of Things (IoT) devices in numerous applications. Cyber threats are growing at an explosive pace making the existing security and privacy measures ...
Protecting IoT devices from security attacks using effective decision-making strategy of appropriate features
AbstractThe term "Internet of things (IoT)” refers to a network in which data from all connected devices may be gathered, analyzed, and modified as per requirements to offer new services. IoT devices require a constant Internet connection to exchange ...
Machine learning and the Internet of Things security: Solutions and open challenges
Highlights- Emphasizing security challenges and requirements of IoT-based systems.
- ...
AbstractInternet of Things (IoT) is a pervasively-used technology for the last few years. IoT technologies are also responsible for intensifying various everyday smart applications improving the standard of living. However, the inter-crossing ...
Comments