Trigger-action Internet of Things (IoT) platforms allow IoT devices to create a chain of interactions to automate network tasks by leveraging functional dependencies between IoT event conditions and actions. When network devices notify their cyber states to the IoT hub by reporting event conditions, the hub utilizes this chain to invoke actions in corresponding IoT devices dictated by user-defined rules. Adversaries exploit this scenario to implement remote injection attacks by maliciously reporting fake event conditions to the hub to force it to command target IoT devices to perform invalid actions violating rule integrity. Security mechanisms in the existing literature either require complete visibility over network events to provide an effective defense against dynamic injection attacks or do not offer real-time security.
In this dissertation, we present three security systems to fill this gap in the literature: 1) IoTMonitor, a Hidden Markov Model (HMM) based security analysis system that extracts optimized attack paths and discovers frequently exploited nodes in the network; 2) IoTWarden, a Deep Reinforcement Learning (DRL) based real-time defense system that allows a defense agent to learn attack behavior by observing the network environment and design an optimal defense policy to counter attacker's actions at runtime, maximizing overall security rewards; 3) IoTHaven, A POMDP-based online defense system to discern optimal defense policy for the partially observable IoT networks.