Deep learning model for the detection of universal plug and play (UPNP) based attacks in UPNP devices

Ntambi, John

View/Open

Master's dissertation (2.595Mb)

Date

2021-02

Author

Ntambi, John

Metadata

Show full item record

Abstract

The Universal Plug and Play (UPnP) protocol is used by several devices to discover and advertise services to other devices in order to establish connections for data sharing transparently. Its simplicity and zero-configuration requirement have made it popular with many manufacturers who expose it to the WAN to achieve rapid scalability and interconnectivity among devices, this has led to its wide adaption in several applications on the internet over the years. The problem is that UPnP was designed with no security, such as authentication, authorization, or verification. This design flaw raises serious security concerns among users over the confidentiality of data and integrity of communications over UPnP networks. Existing studies have shown that when UPnP is exposed to the WAN, this can result in attacks that are not easily detected by the victim, such as an SSDP reflection DDoS, which may be undetected by the reflecting victim, and NAT injection attacks, which can enable an attacker to remotely expose valuable resources on the LAN to the WAN. Current mitigation and detection studies have mostly focused on UPnP attacks within LAN environments, with suggested solutions that are impractical in WAN environments. Therefore, this study proposes deep learning models based on LSTM and RNN to achieve multi-class classification using a dataset containing current UPnP traffic characteristics captured during an experiment. Although both proposed models achieve an accuracy of more than 98%, the LSTM model outperforms the RNN in multiclass classification and is therefore the ideal model. The study has three key contributions: a labeled network traffic dataset containing current UPnP traffic trends that can be used to solve future classification problems, as well as two deep learning models, LSTM and RNN, used for classification of UPnP attacks and a detailed performance evaluation of both models. Furthermore, the study proposes future research directions.

URI

http://hdl.handle.net/10570/9423

Collections

School of Computing and Informatics Technology (CIT) Collection