ProvNet-IoT: Provenance based network layer forensics in Internet of Things

Internet of Things is rapidly changing the human lives to bring convenience in domestic, public and industrial environments spanning across multiple application domains. At the same time, increasing security attacks on these networks raised alarms for timely response by forensic investigators to avoid severe consequences of the attacks. Major network forensic approaches proposed so far for IoT are based on recording and analyzing the network traffic to produce suitable evidences. One of the greatest challenges in this process is the identification and correlation of suitable artifacts among volumes of network packets to reconstruct the attack scenarios during forensic investigation. To address this challenge, we propose ProvNet-IoT, a novel provenance based forensic model for investigating network level attacks in IoT environment. The interactions between different nodes at network layer are depicted using information, functional, and event modeling techniques. We use progressive network provenance to explain different events pertaining to various attack scenarios and to provide forensically sound evidences. ProvNet-IoT is validated using two publicly available labeled IoT datasets with a corpus of different attacks. Experimental results showed the benchmark performance of ProvNet-IoT in identifying selective artifacts to produce reliable evidences during forensic investigation.