SGANFuzz: A Deep Learning-Based MQTT Fuzzing Method Using Generative Adversarial Networks
As the Internet of Things (IoT) industry grows, the risk of network protocol security threats has also increased. One protocol that has come under scrutiny for its security vulnerabilities is MQTT (Message Queuing Telemetry Transport), which is widely used. To address this issue, an automated execut...
Main Authors: | Zhiqiang Wei, Xijia Wei, Xinghua Zhao, Zongtang Hu, Chu Xu |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2024-01-01 |
Series: | IEEE Access |
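Subjects: | MQTT; fuzz test; generative adversarial networks; time-series models; transformer; vulnerability detection |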
Online Access: | https://ieeexplore.ieee.org/document/10433531/ |
_version_ | 1797296315876507648 |
---|---|
author | Zhiqiang Wei; Xijia Wei; Xinghua Zhao; Zongtang Hu; Chu Xu |
author_sort | Zhiqiang Wei |
collection | DOAJ |
description | As the Internet of Things (IoT) industry grows, the risk of network protocol security threats has also increased. One protocol that has come under scrutiny for its security vulnerabilities is MQTT (Message Queuing Telemetry Transport), which is widely used. To address this issue, an automated execution program called fuzz has been developed to verify the security of MQTT brokers. This program is provided with various random and unexpected input data and monitored for different responses, such as acknowledgments, crashes, failures, or memory leaks. To generate a significant number of realistic MQTT protocols, we have proposed a Generative Adversarial Networks (GAN)-based protocol fuzzer called SGANFuzz. Our experimental results show that SGANFuzz has successfully detected 6 vulnerabilities among 7 MQTT implementations, including 3 CVE bugs. Compared to the state-of-the-art fuzzing tools, SGANFuzz has proven to be the most efficient fuzzing tool in terms of vulnerability detection and has expanded the feedback coverage by receiving more unique network responses from MQTT brokers. |
first_indexed | 2024-03-07T22:02:51Z |
format | Article |
id | doaj.art-0a417db44e0f4b02bc5c7c5debe2e495 |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-03-07T22:02:51Z |
publishDate | 2024-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-0a417db44e0f4b02bc5c7c5debe2e495; 2024-02-24T00:01:19Z; eng; IEEE; IEEE Access; ISSN 2169-3536; 2024-01-01; vol. 12, pp. 27210-27224; DOI 10.1109/ACCESS.2024.3365712; document 10433531; SGANFuzz: A Deep Learning-Based MQTT Fuzzing Method Using Generative Adversarial Networks; Zhiqiang Wei (https://orcid.org/0000-0002-6820-6019; China Mobile (Suzhou) Software Technology Company Ltd., Suzhou, China); Xijia Wei (https://orcid.org/0000-0003-4745-6569; Department of Computer Science, University College London, London, U.K.); Xinghua Zhao (China Mobile (Suzhou) Software Technology Company Ltd., Suzhou, China); Zongtang Hu (China Mobile (Suzhou) Software Technology Company Ltd., Suzhou, China); Chu Xu (China Mobile (Suzhou) Software Technology Company Ltd., Suzhou, China); https://ieeexplore.ieee.org/document/10433531/; MQTT; fuzz test; generative adversarial networks; time-series models; transformer; vulnerability detection |
title | SGANFuzz: A Deep Learning-Based MQTT Fuzzing Method Using Generative Adversarial Networks |
topic | MQTT; fuzz test; generative adversarial networks; time-series models; transformer; vulnerability detection |
url | https://ieeexplore.ieee.org/document/10433531/ |