本文为瑞典梅拉达伦大学（作者：Shahid Raza）的博士论文，共256页。

未来的互联网将是一个IPv6网络，它将传统的计算机和大量的智能对象或网络互连为无线传感器网络（WSNs）。物联网（IoT）将是许多服务的基础，我们的日常生活将取决于它的可用性和可靠运行。因此，在许多其他问题中，必须解决在物联网中实现安全通信的挑战。传统的互联网已经建立并测试了网络安全的方法。物联网是互联网和资源受限网络的混合网络，因此在物联网中探索互联网标准化机制的选择是合理的。

物联网需要多方面的安全解决方案，其中通信通过保密性、完整性和身份验证服务得到保护；网络受到保护以避免入侵和干扰；节点内数据以加密形式存储。使用标准化机制，物联网中的通信可以在不同的层上得到保护：在具有IEEE 802.15.4安全的链路层上，在具有IP安全（IPsec）的网络层上，以及在具有数据报传输安全（DTLS）的传输层上。即使物联网通过加密和身份验证得到保护，传感器节点也会受到来自无线传感器网络和互联网的无线攻击。因此，需要一个入侵检测系统（IDS）和防火墙。由于无线传感器网络中的节点可以被捕获和克隆，因此对存储数据的保护也很重要。

本文有三个主要贡献。它通过使用轻量压缩但符合标准的IPsec、DTLS和IEEE 802.15.4链路层实现物联网中的安全通信；讨论了每种解决方案的优缺点。所提出的安全解决方案已在实际硬件上的IoT中实现和评估。本文还介绍了物联网入侵检测系统IDS的设计、实现和评估。最后还提供了保护节点内数据的机制。

对不同解决方案的实验评估表明，IPsec、DTLS和802.15.4安全可以有效地保护物联网中资源受限的设备，防止敌对入侵；提出的安全与通信相结合的机制可以显著降低与安全相关的操作和能耗。

The future Internet will be an IPv6 network interconnectingtraditional computers and a large number of smart objects or networks such asWireless Sensor Networks (WSNs). This Internet of Things (IoT) will be thefoundation of many services and our daily life will depend on its availabilityand reliable operations. Therefore, among many other issues, the challenge ofimplementing secure communication in the IoT must be addressed. The traditionalInternet has established and tested ways of securing networks. The IoT is ahybrid network of the Internet and resource-constrained networks, and it istherefore reasonable to explore the options of using security mechanismsstandardized for the Internet in the IoT.
The IoT requires multi-faceted security solutions where the communication issecured with confidentiality, integrity, and authentication services; the networkis protected against intrusions and disruptions; and the data inside a sensornode is stored in an encrypted form. Using standardized mechanisms, communicationin the IoT can be secured at different layers: at the link layer with IEEE802.15.4 security, at the network layer with IP security (IPsec), and at thetransport layer with Datagram Transport Layer Security (DTLS). Even when theIoT is secured with encryption and authentication, sensor nodes are exposed towireless attacks both from inside the WSN and from the Internet. Hence anIntrusion Detection System (IDS) and firewalls are needed. Since the nodesinside WSNs can be captured and cloned, protection of stored data is alsoimportant.
This thesis has three main contributions. (i) It enables secure communicationin the IoT using lightweight compressed yet standard compliant IPsec, DTLS, andIEEE 802.15.4 link layer security; and it discusses the pros and cons of eachof these solutions. The proposed security solutions are implemented andevaluated in an IoT setup on real hardware. (ii) This thesis also presents the design,implementation, and evaluation of a novel IDS for the IoT. (iii) Last but notleast, it also provides mechanisms to protect data inside constrained nodes.
The experimental evaluation of the different solutions shows that the resource constraineddevices in the IoT can be secured with IPsec, DTLS, and 802.15.4 security; canbe efficiently protected against intrusions; and the proposed combined securestorage and communication mechanisms can significantly reduce thesecurity-related operations and energy consumption.

1. 引言

2. 挑战与贡献

3. 相关论文总述

4. 相关工作

5. 结论与未来工作展望

6. WirelessHART协议的安全考虑

7. 6LoWPAN中基于压缩IPsec的安全通信

8. 物联网安全通信——用于6LoWPAN的链路层安全与IPsec比较

9. Lithe：用于物联网的轻量级安全COAP

10. SVELTE：物联网的实时入侵检测

11. 物联网的安全存储与通信合并机制

更多精彩文章请关注公众号：