Forensic Analysis on False Data Injection Attack on IoT Environment

False Data Injection Attack (FDIA) is an attack that could compromise Advanced Metering Infrastructure (AMI) devices where an attacker may mislead real power consumption by falsifying meter usage from end-users smart meters. Due to the rapid development of the Internet, cyber attackers are keen on exploiting domains such as finance, metering system, defense, healthcare, governance, etc. Securing IoT networks such as the electric power grid or water supply systems has emerged as a national and global priority because of many vulnerabilities found in this area and the impact of the attack through the internet of things (IoT) components. In this modern era, it is a compulsion for better awareness and improved methods to counter such attacks in these domains. This paper aims to study the impact of FDIA in AMI by performing data analysis from network traffic logs to identify digital forensic traces. An AMI testbed was designed and developed to produce the FDIA logs. Experimental results show that forensic traces can be found from the evidence logs collected through forensic analysis are sufficient to confirm the attack. Moreover, this study has produced a table of attributes for evidence collection when performing forensic investigation on FDIA in the AMI environment. Keywords—Advanced Metering Infrastructure (AMI); False Data Injection Attack (FDIA); man in the middle (MITM); internet of things (IoT); forensic analysis


I. INTRODUCTION
Internet of Things (IoT) offers many benefits and advantages to people in the current modern era [1]. Besides, even in our daily life, IoT has proven to be beneficial. IoT is a system of interrelated intelligent devices that are provided with unique identifiers and given the ability to connect with other devices by exchanging information over a communication network. The IoT is seen as one of the foremost important zones in future development and is expanding tremendous consideration from a wide scope of businesses [2]. IoT will play a major role in improving many sectors such as manufacturing, public security, health care, accommodation, entertainment, environment protection, agriculture, industrial monitoring, intelligent transportation, and traditional metering system.
However, little consideration has been paid to IoT adoption that may affect the IoT device"s security measure, such as lack of authentication and insecure communication are among the main problems in most IoT devices [3]. These vulnerabilities will lead to many forms of attacks taking place, such as malware injection, SQL injection [4], false data injection (FDI), man-in-the-middle (MITM) [5], zero-day exploit, distributed denial-of-service (DDoS), DNS tunnelling [6], and many more cyber-attacks. Since the case of the Mirai botnet in 2016, over 600,000 IoT devices were targeted to launch cyberattacks that reached 620 Gigabits at the peak. The number of malware in the cyber world has been growing, giving threats to cybersecurity to face other types of aggravated attacks.
There is also concern about one of the IoT environments, the Advanced Metering Infrastructure (AMI). AMI is a system consisting of modern electronic-digital hardware and software, which enables data measurement intermittently and remote communication continuously. The system gives a few important capacities that were not already possible or had to be performed manually. For instance, the ability to remotely and automatically measure power usage, connect and disconnect service, and voltage monitoring. FDIA is one of the popular attacks that can impact AMI as countries around the globe are implementing an AMI in their infrastructure. Like the MITM attack, FDIA is more toward creating falsified data, which the attacker injected from compromised smart meters to change the actual value sent by another smart meter in AMI. This threat can negatively affect both utilities and customers as it is difficult to investigate from the available log in the AMI [7]. This paper aims to simulate the impact of FDIA on the IoT environment and perform forensic analysis on digital traces from data obtained.
In the next section of this paper, related literature on cyber attacks in the smart grid was reviewed. Subsequently, Section III presents the development of a testbed that is used to simulate the cyber attack in components of the smart grid. Section IV presents the result from the simulation and how forensic investigations are done to investigate FDI attacks in the smart grid environment. Section V provides a conclusion to the paper.

A. False Data Injection Attack (FDIA)
The operation of the smart grid faces extreme consequences when the smart meters have been compromised and reporting false power consumption. Most current cases include the crime of electricity stealing. However, a few other sorts of data falsification attacks are conceivable such as FDIA. AMI would (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 10, 2021 266 | P a g e www.ijacsa.thesai.org be affected by this kind of attack badly as data falsification is difficult to detect.
Based on [8], they work on detecting falsification of data injection attacks focusing on smart grid systems. They made a successful and real-time scheme to distinguish FDIA in smart grids where they evaluate the reliabilities of state estimations by misusing spatial-temporal correlations and trust-based voting. The study"s objective is to minimize the harm from the threat of FDIA in smart grids by using these solutions to conduct detection of an attack. This case study was done by simulation of the smart grid and the proposed solutions to detect malicious FDIA. It is suggested that powerful countermeasures are necessary as these kinds of attacks can become highly potential threats as those FDIA are evolving by implementing anti-forensic techniques to prevent detection of the attack.
In [9], the study proposed a system to detect cyber-attacks that aim to sabotage the Instrumentation and Control (I&C) environment. The study intends to provide a last line of defense to sabotage attacks. A system called Goosewolf was produced which has the capability to detect when an adversary has manipulated the process control of the Programmable Logic Controller (PLC). The result obtained in that study shows that the proposed system is effective in checking the capabilities of the PLC and the ability to detect FDIA.
Another study by [10] has focused their work on statistical anomaly detection techniques to solve the difficulties in detecting data falsification in AMI. To identify compromised smart meters for deductive and additive attacks, they have proposed a trust model based on Kullback-Leibler divergence. Moreover, techniques such as the generalized linear and Weibull function-based kernels were proposed for camouflage and conflict attacks. After investigation on comparison under various attacks, which is additive, deductive, camouflage, and conflict, they found out that their models have good high true positive detection and the average false positive is just 8 per cent for most attacks conducted.

B. IoT Testbeds
For the purpose of better understanding on vulnerabilities of IoT devices, researchers utilized a security testbed designed to simulate the attack in a particular environment. The author in [11] illustrated a testbed for securing IoT devices by producing a testbed that can be used as a penetration testing platform to evaluate risks and vulnerabilities of IoT devices. The penetration testing included were port scanning, vulnerability scanning, downgrading attack, search exploits, brute force directories, passwords, port services, and SSL configuration. The software used to perform the testing were Snitch, ZAP, Wascan, Skipfish, Nmap, TLS proper, SSLScan, Nikto, Wireshark, Ettercap, Dirb, SQLmap, WAFWooF, Metasploit, Dex2jar, Binwalk, and UART. The network protocols used was WIFI and BLE. Penetration testing for this analysis was conducted on a smart bulb and IP camera. Vulnerabilities found were very common problems in IoTbased products such as no firewall, authentication in plain text, open ports, lack of certificate, etc. Moreover, paper [12] displayed a testbed designed to analyze security issues in IoT devices. This testbed indicated design and architecture prerequisites to support the development of penetration testing for the purpose of cybersecurity forensic investigation. They conducted the tests based on the security vulnerabilities in the IoT products such as Amazon Echo, Nest Cam, Phillips hue, SENSE Mother, Samsung SmartThings, Witching HOME, WeMo Smart Crock-Pot, and Netatmo Security Camera. The study was conducted using WIFI and Bluetooth. For control and administration, they handle the process and events using NI TestStand software. A closed source software runs only on Windows OS, which is intensely prohibitive and proprietary. Following a huge downside from limitation in network penetration testing capabilities, the software used to avoid testing from handling passive capture of packets, wireless cards, and other network or low-level functionalities.
In [13], researchers used SecuWear to recognize the weaknesses of commercial hardware. The testbed collects the data needed for distinguishing different attacks, thereby assessing the security of wearables devices. Besides, it gives a method for mitigating information and performing attacks in a network that used WIFI and BLE. The software used to perform the vulnerability assessments, and penetration testing was Wireshark. In that study, the eavesdropping and the Denial of Service (DOS) attack were executed. The results of the study found that SecuWear vulnerabilities may be similar to certain open sources such as false positives when recognizing security issues. Fig. 1 shows the topology of our testbed that is used to perform FDIA. The testbed consists of 4 main hardware components, two units Raspberry Pi 4 Model B, a computer and a switch. The smart meter (192.168.1.13) generates random data to mimic a real smart meter then sends the generated data to the data collector containing one virtual machine running Ubuntu Version 21.04 operating system to act as a data collector using the MYSQL version 10.14.9-MariaDB database which receives incoming data from the smart meter. Attacker smart meter (192.168.1.11) will act as an attacker to perform FDIA that will attempt to tamper the smart meter data to the data collector. 267 | P a g e www.ijacsa.thesai.org A comparative analysis between normal traffic logs and logs during the attack was made to verify the FDIA investigations in the IoT environment. Forensic evidence was analyzed based on the packet captured using Wireshark in the form of PCAP files.

IV. DISCUSSION OF FINDINGS
The experiments conducted on the testbed were carried out in two phases. The first phase of the experiment was the "Normal operation", and the second phase was the "Under Attack". The details of the experiments will be explained later on in this chapter. Fig. 2 shows the flow of the experiment during normal traffic and under attack.

A. Normal Operations
During the normal traffic phase, the smart meter as shown in Fig. 1 with an IP address of 192.168.1.13 with MAC address of Raspberry bc : 06: f9 will send data to the data collector where the IP address of the database is 192.168.1.20 with MAC address of VMware_98:1f:74. The smart meter will send power consumption data with an interval of 10 seconds between each data to imitate data for 1 week with an interval of 30 minutes between each data interval. In this experiment, 137 data will be collected using the Wireshark version 3.4.5 packet capturing tool. The consumption transmission script will run in 25 minutes to collect data in a total range of 135 to 140 data. Fig. 3 shows the data sent by the smart meter to the data collector, the value of power consumption with the timestamp. Fig. 4 shows the sample data sent by the smart meter to the data collector in the MySQL database. The first column shows the numbers of data in the database. The second column shows the ID of the smart meter, the third and fourth rows display the timestamp of when the data was accepted, and the last row shows the data value of the power consumption.     Fig. 5, it is shown that the destination or the data smart meter answer the ARP request of the smart meter by giving its MAC address Raspberry_bc:06:f9. The smart meter also give ARP, a reply to its MAC address as shown in Fig. 5. Sample of ARP tables for smart meter and data collector are shown in Fig. 6 and Fig. 7.    Based on the data gathered during the normal operations experiment, no anomalies were detected in Wireshark, ARP cache on the smart meter and ARP cache on the data collector. The data sent from the smart meter has the same value as the data stored in the database.

B. Under Attack
The smart meter with an IP address of 192.168.1.13 will send data as usual for the attack simulation. However, another Raspberry Pi will be included that will imitate the attacker for this phase. The attacker with IP address 192.168.1.11 and the corresponding MAC address of Raspberry_bc:06:27 will perform ARP spoofing on the respective smart meter and data collector in the topology. Once the attacker managed to intercept and change the power consumption value, the tampered packet will be forward back to the data collector using IPV4.
By performing ARP spoofing on a legitimate smart meter and data collector, the attacker machine will be the gateway for both of these devices. The attacker can now sniff and perform further attacks as the attacker already has access to data transferred. All communication between the smart meter and data collector now needs to go through the attacker"s machine first before reaching the destination.
Packet manipulation script is used to change the value of power consumption. In this experiment, the power consumption is increased by 12 on every reading. The difference is shown in Fig. 8, where the data generated and sent to the data collector is not tally with Fig. 9 which displays that the data accepted by the data collector was not the legitimate data sent by the smart meter. The data in the database has been modified because the data has been intercepted and sent to the data collector by the attacker. Fig. 10 shows the view of the attacker machine. The data from the smart meter will be intercepted, modified, and then forwarded to the destination. Fig. 10 shows that every data intercepted will be applied increment by 12. For the MITM part, this study successfully perform packet manipulation by using pattern searching tools and some modifications on the iptables to filter only the packet that needs to be modified to come through.    The evidence captured using Wireshark is explained based on Fig. 11. Note on the highlighted line, the attacker sending a broadcast reply telling the data collector that the smart meter"s MAC address is now at his MAC address which is Raspberry_bc:06:27. Also, there are presents of duplicate use in the collected evidence. www.ijacsa.thesai.org  Fig. 12 and Fig. 13   Based on the data gathered during the under attack experiment, anomalies were detected in Wireshark, ARP cache on the smart meter, and ARP cache on the data collector. The data sent from the smart meter has a different value from the data stored in the database as it was changed by the attacker.

C. Forensic Analysis
In this section, the PCAP file that stored all the digital evidence was extracted and analyzed. The analysis and comparison of the collected evidence in this study are used for in-depth analysis. Fig. 14 shows the steps taken during the forensic analysis.
The analysis process begins by collecting packets captured using Wireshark from the client during normal traffic and during under attack. The packets are also collected from the data collector during normal traffic and during the network under attack. The records from the normal traffic phase will be used as a benchmark for comparative analysis to investigate the FDIA in AMI. Fig. 15 shows that Wireshark captured another MAC address (bc:06:27). In addition, Fig. 16 shows the use of duplicate IP addresses was reported. This strengthens the evidence collected, as shown in Fig. 12 and Fig. 13. It could be observed that the IP address 192.168.137.13, which was earlier known to be the IP address of the smart meter, now has two MAC bindings: Raspberry_bc:06:f9 (initial MAC address), and Raspberry_bc:06:27 (owned by the attacker machine in the network), which was the outcome of ARP poisoning/spoofing. Fig. 16 shows that the time to live (TTL) of the packet from the client was 64 (left), and it was still 64 when it reached the data collector (right). This is normal as there is no router involved in this topology. However, Fig. 17 shows that TTL is different when the data was sent from the smart meter (left) and when it was accepted at the data collector (right) during the network was under attack.
As shown in Fig. 17, when the data was sent out from the smart meter (left), the TTL was 64 but when it reached the database, the TTL of the packet was 63, indicate that the packet had travel somewhere else before reached the data collector. The normal topology is assumed that the smart meter should directly deliver data to the data collector with a switch and not include a router, so it should not modify the TTL of the packet. This happens because the attacker intercepted the packet and modified the packet"s data before forwarding it to the real destination.    As displayed in Fig. 18, the time taken for the data collector to respond to the smart meter when the smart meter wants to send data is much lower than when under attack. Fig. 19 shows the average time taken by the data collector to respond when the smart meter wants to send data. This shows a huge gap of time taken for the data collector to reply during normal traffic, and the network was under attack. It can be concluded that the delay that occurred during the network was under attack is caused by the path and process that happened on the data to reach the destination. The data went through a longer path and was processed by the attacker first before the data was forwarded back to the destination.    Based on the forensic analysis conducted, changes were detected in Wireshark such as a single IP address having two different MAC addresses, one MAC address belongs to the normal smart meter and the other MAC address belonging to the attacker. Other changes that were detected are in the TTL of the packet and the time taken for the data collector to respond to the request query.

V. CONCLUSION
This study"s primary motivation was to study FDIA impact in the IoT environment and perform forensics analysis on digital traces from data obtained. Based on the data obtained from the experiments, the proposed list of attributes for forensic analysis could be useful to trace FDIA. In future works, there is a need to explore different types of attacks, such as buffer overflow payloads that may results in a system crash, creating a path for the hackers to initiate their malicious actions. Future studies may also focus on the integration of forensic-by-design principles in the design of any critical system because it will be quite difficult to know what has happened if there is no log or no proof. If the system is able to produce a series of events, it would be very helpful for the www.ijacsa.thesai.org forensic investigator to reconstruct the events in order to identify available sources and different types of potential evidence in such cases. Therefore, another potential study could explore how to integrate forensic-by-design principles in the design of such systems.