How to detect anomalies in system metrics and improve your security posture using AWS IoT Device Defender custom metrics


IoT applications and devices can be diverse and are used across industries such as utilities, agriculture, manufacturing, mining, and consumer electronics. With the exponential growth of IoT devices and the growing threat landscape, IoT security must be accounted for and designed into the solution from the ground up.

AWS IoT Device Defender is a service that helps secure your IoT device fleet and can be used to audit and monitor your IoT devices at scale. By default, the service lets you monitor 17 network-related metrics, such as changes in connection patterns, devices that communicate with unauthorized or unrecognized endpoints, and changes in inbound and outbound device traffic patterns. You can learn how to leverage these metrics to monitor your fleet of IoT devices.

But what happens if you need to monitor metrics that are unique to your device fleet or use case? For example, the number of devices connected to wireless gateways, charge levels of batteries, or security-related metrics such as domains being contacted by devices, changes to the applications or processes running on your devices, changes in the configuration of your devices, remote logins, or any other application-specific behavior.

In this blog post, you'll learn the steps involved in monitoring security metrics specific to your IoT application. As an IoT administrator, you'll be able to set up security profiles to define the expected behavior of your devices based on custom metrics, monitor behavior patterns, and receive alerts when devices violate the expected behavior. AWS IoT Device Defender custom metrics give you the flexibility to monitor operational health and security metrics that are unique to your device fleet or use case and let you respond to issues in a timely manner. They are easy to configure and use on devices that connect to AWS IoT Core and help you improve the security posture of your IoT devices and system. Understanding the state of your devices is important for ensuring the reliability, security, health and performance of your IoT system. Device monitoring can provide the information your development and operations teams need to react to issues, and it can help you understand your IoT system's state using a predefined set of metrics together with custom metrics. We'll now show you how to create a sample custom metric to monitor for changes in the processes running on an IoT device.

Solution overview and use case

For the purposes of this post, let's assume:

  1. You're building a Linux-based device. Let's call this device mything1.
  2. You have authored an application myapp that performs all of the business operations on the device.

You have identified that since myapp is communicating over the network, monitoring myapp's behavior is important. From a process behavior perspective, you know that myapp should never launch a child process. For example, launching a child process such as a shell that is controlled by an unauthorized user to execute arbitrary commands, or a crypto-miner that mines cryptocurrency using the device's compute resources, are common indicators of compromise. With this context in mind, we'll build a solution for monitoring the number of child processes launched by myapp and receive alerts from AWS IoT Device Defender when myapp launches any new process.

Solution prerequisites

  1. AWS account
  2. You can use the AWS IoT quick connect guide to register a thing, attach policies, attach certificates and download the sample device agent. Select Python SDK for the AWS IoT Device SDK under step 2 of the above guide.
  3. AWS IoT Device Defender Agent SDK (Python)
  4. A computer with a current browser, such as Firefox or Chrome
  5. Basic understanding of Linux (e.g. creating directories, setting file permissions) and programming (compiling code)

Note: You will find code screenshots indicating where code additions need to be made in the existing AWS IoT Device Defender Agent SDK.

Solution architecture

Solution walkthrough

Cloud-side changes

1. Create a custom metric representing the number of child processes of myapp:

a. Go to the Device Defender Detect Metrics section: under AWS IoT in the left panel, under Detect, click Metrics.

b. Click Create beside custom metrics.

c. In the definition section, specify the name, a description and number as the metric type:

d. Successful custom metric creation:

2. Create a security profile

a. Go to the Security profiles section: under the Detect drop down, select Security Profiles.

b. Under Create Security Profile, click on "Create Rule-based anomaly Detect profile".

c. Since we know that myapp should never launch a child process, define the expected behavior by selecting the Metric as Number of Child Processes of myapp and setting the expected value to be less than or equal to 0:

d. Also, add your custom metric by clicking the drop down "Additional Metrics to retain":

e. Click Next. Keep the default settings for the Alert target section.

f. Click Next. Attach the Security profile to All things if this rule is a fleet-wide expectation. Note that you also have the option to select specific thing groups to apply this profile to.

g. Click Next. Click Save, re-check all settings, then click continue.

h. The Security profiles page should list your newly created security profile:

3. First check that you are in the right region. Then update the IoT policy in the AWS IoT Policies page to allow Device Defender metrics, scoping the privileges to things prefixed by mything1 only.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ ... ],
        "Resource": [ ... ]
      },
      {
        "Effect": "Allow",
        "Action": [ ... ],
        "Resource": [ ... ]
      },
      {
        "Effect": "Allow",
        "Action": [ ... ],
        "Resource": [ ... ]
      }
    ]
  }
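A complete policy of the kind described in step 3, written here as an added example rather than the post's own policy: it grants only what the agent needs (connect, publish the report, subscribe to and receive the accepted/rejected responses), uses the JSON report topics because step 8 runs the agent with -f json, and scopes every resource to client IDs and thing names starting with mything1. <region> and <account-id> are placeholders for your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<region>:<account-id>:client/mything1*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:<region>:<account-id>:topic/$aws/things/mything1*/defender/metrics/json"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:<region>:<account-id>:topicfilter/$aws/things/mything1*/defender/metrics/json/accepted",
        "arn:aws:iot:<region>:<account-id>:topicfilter/$aws/things/mything1*/defender/metrics/json/rejected"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": [
        "arn:aws:iot:<region>:<account-id>:topic/$aws/things/mything1*/defender/metrics/json/accepted",
        "arn:aws:iot:<region>:<account-id>:topic/$aws/things/mything1*/defender/metrics/json/rejected"
      ]
    }
  ]
}
```

If you later switch the agent to CBOR reports, the topic suffix changes from json to cbor and the policy must follow.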

Device-side changes

1. Download the sample agent from GitHub:

git clone https://github.com/aws-samples/aws-iot-device-defender-agent-sdk-python.git

2. Structure of the sample agent:

a. collector.py is the Python module responsible for

i. Collecting the metrics that you're interested in, in this case the number of child processes of myapp. Note that the collection of metrics occurs at intervals defined by the command line argument -i.

ii. Formatting the collected metrics in the format required by AWS IoT Device Defender Detect, using the metrics.py module. metrics.py uses the tags.py module to specify the metric name to be sent to AWS IoT Device Defender Detect.

b. agent.py is the high-level module that combines the collector and the awsiot SDK used for communicating with AWS IoT.

3. Modify tags.py to include the new metric as a property of the class Tags:

@property
def num_child_processes(self):
    # Must match the name of the custom metric created in the console
    return "num_child_procs_myap"

4. Modify metrics.py to include num_child_processes:

a. Update the constructor (__init__) to set a default value: self.num_child_processes = []

b. Create a member function of class Metrics to prepare your metric for sending over the network:

def add_num_child_processes(self, num_child_processes):
    # Number-type custom metrics are sent as {"number": <value>}
    self.num_child_processes = {"number": num_child_processes}

c. Finally, convert the metric to the previously specified Tag property in the member function _v1_metrics:

if self.num_child_processes:
    # Custom metrics are reported as a list of values keyed by metric name
    report[t.custom_metrics] = {t.num_child_processes: [self.num_child_processes]}

5. Update collector.py to include the functions required for finding the number of child processes of myapp:

a. We'll use two functions here:

i. one for finding the process object representing myapp. This function should be defined outside the Collector class:

import psutil as ps

def find_process(process_name):
    # Return the first process object whose name matches `process_name`
    # exactly, or None if no such process is running
    for proc in ps.process_iter():
        try:
            if process_name == proc.name():
                return proc
        except (ps.NoSuchProcess, ps.AccessDenied):
            continue  # process exited or is not readable; skip it
    return None

ii. one as a staticmethod of class Collector for counting myapp's child processes:

@staticmethod
def get_num_child_processes(metrics):
    process_name = "myapp"
    my_process = find_process(process_name)
    num_child_processes = 0
    if my_process:
        # Count all descendants, not only direct children
        num_child_processes = len(my_process.children(recursive=True))
    metrics.add_num_child_processes(num_child_processes)

b. In the member function collect_metrics, add a line to call get_num_child_processes if custom metrics are enabled:

if self._use_custom_metrics:
    self.get_num_child_processes(metrics)
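To see steps 3 to 5 working end to end without the SDK installed, here is an added example (not the agent SDK's own code) that counts myapp's descendants from a process table, builds the Device Defender v1 JSON report with the custom_metrics entry, and checks it against the profile rule from step 2. The metric name num_child_procs_myapp is assumed, and the constructed table mirrors the test in step 7, where myapp launches sh and sh launches cat.

```python
"""Added example (not the agent SDK's code): myapp child-process metric for Device Defender."""
import os
import time

METRIC_NAME = "num_child_procs_myapp"  # assumed to match the custom metric created in the console

def read_proc_table(proc_root="/proc"):
    """Return [(pid, ppid, name), ...] by scanning /proc (Linux only; no psutil needed)."""
    table = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "stat")) as f:
                stat = f.read()
        except OSError:
            continue  # process exited between listdir() and open()
        # comm sits in parentheses and may itself contain spaces or ')': split on the last ')'
        lpar, rpar = stat.find("("), stat.rfind(")")
        fields = stat[rpar + 2:].split()  # state, ppid, pgrp, ...
        table.append((int(entry), int(fields[1]), stat[lpar + 1:rpar]))
    return table

def count_child_processes(process_name, proc_table):
    """Recursive descendant count of the lowest-pid process named process_name."""
    by_parent, roots = {}, []
    for pid, ppid, name in proc_table:
        by_parent.setdefault(ppid, []).append(pid)
        if name == process_name:
            roots.append(pid)
    if not roots:
        return 0  # myapp not running: report 0, as the collector does
    count, stack = 0, [min(roots)]
    while stack:  # walk the subtree under myapp (pids form a tree, so no cycle check needed)
        children = by_parent.get(stack.pop(), [])
        count += len(children)
        stack.extend(children)
    return count

def build_report(num_children, report_id=None):
    """Device Defender v1 JSON report carrying one number-type custom metric."""
    return {"header": {"report_id": report_id or int(time.time()), "version": "1.0"},
            "metrics": {},
            "custom_metrics": {METRIC_NAME: [{"number": num_children}]}}

def violates_profile(report, max_allowed=0):
    """Local mirror of the security profile rule: child processes must be <= 0."""
    return report["custom_metrics"][METRIC_NAME][0]["number"] > max_allowed

# Constructed process table: myapp (pid 200) spawned sh (300), which spawned cat (400).
SAMPLE_TABLE = [(1, 0, "init"), (200, 1, "myapp"), (300, 200, "sh"), (400, 300, "cat"), (500, 1, "sshd")]
```

On a real device, replace SAMPLE_TABLE with read_proc_table(); the recursive count is what makes the shell-plus-cat case in step 7 show up as 2 rather than 1.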

6. Install the package: pip install ./aws-iot-device-defender-agent-sdk-python --upgrade

7. Test by running the collector.py module on its own, just to ensure that there are no errors:

a. Note that I've passed the command line argument -cm here to enable custom metrics collection.

b. Create a fake myapp by copying your current shell and renaming it to myapp:

i. cp `which sh` ./myapp

ii. Launch myapp: ./myapp

iii. Launch a long-running process like cat that will wait for user input: cat

8. Run agent.py to continuously monitor the number of processes spawned by myapp, with the required parameters plus -cm (to enable custom metrics):

python aws-iot-device-defender-agent-sdk-python/AWSIoTDeviceDefenderAgentSDK/agent.py -f json -e <your-endpoint> -r <root_cert_path> -c <cert_path> -k <private_key_path> -cm -id mything1

9. You should shortly be able to view the number of child processes of myapp by navigating to the Defender Metrics tab on the Things page (recheck that you are in the right AWS region):

10. You should also be able to see any alarms generated in case there are any violations:


In this blog post, we demonstrated how to define a custom metric in AWS IoT Device Defender by creating a rule-based security profile, and the changes required in the sample agent in order to send this information from the device to AWS IoT Device Defender. You can now get started with creating your own custom metrics unique to your device fleet or use case, receive alerts, investigate issues and take mitigation actions. AWS IoT Device Defender's built-in mitigation actions can be used to perform mitigation steps on alerts, such as adding things to a thing group, replacing the default policy version, and updating device certificates.

Learn more

About the authors

Eknath Venkataramani is a security engineer on the AWS IoT team. He currently focuses on helping to secure multiple AWS IoT service releases by identifying and designing new IoT features that make security easier for IoT customers.
Ryan Dsouza is a Principal Solutions Architect for IoT at AWS. Based in New York City, Ryan helps customers design, develop, and operate more secure, scalable, and innovative solutions using the breadth and depth of AWS capabilities to deliver measurable business outcomes. Ryan has over 25 years of experience in digital platforms, smart manufacturing, energy management, building and industrial automation, and OT/IIoT security across a diverse range of industries. Before AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving customers on their digital transformation initiatives.
