{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T06:26:51Z","timestamp":1780986411001,"version":"3.54.1"},"reference-count":46,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2024,1,17]],"date-time":"2024-01-17T00:00:00Z","timestamp":1705449600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Fondazione CRT (Cassa di Risparmio di Torino)","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]},{"name":"project SERICS","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The Internet of Things (IoT) is rapidly growing, with an estimated 14.4 billion active endpoints in 2022 and a forecast of approximately 30 billion connected devices by 2027. This proliferation of IoT devices has come with significant security challenges, including intrinsic security vulnerabilities, limited computing power, and the absence of timely security updates. Attacks leveraging such shortcomings could lead to severe consequences, including data breaches and potential disruptions to critical infrastructures. In response to these challenges, this research paper presents the IoT Proxy, a modular component designed to create a more resilient and secure IoT environment, especially in resource-limited scenarios. The core idea behind the IoT Proxy is to externalize security-related aspects of IoT devices by channeling their traffic through a secure network gateway equipped with different Virtual Network Security Functions (VNSFs). Our solution includes a Virtual Private Network (VPN) terminator and an Intrusion Prevention System (IPS) that uses a machine learning-based technique called oblivious authentication to identify connected devices. The IoT Proxy\u2019s modular, scalable, and externalized security approach creates a more resilient and secure IoT environment, especially for resource-limited IoT devices. The promising experimental results from laboratory testing demonstrate the suitability of IoT Proxy to secure real-world IoT ecosystems.<\/jats:p>","DOI":"10.3390\/s24020590","type":"journal-article","created":{"date-parts":[[2024,1,17]],"date-time":"2024-01-17T07:41:28Z","timestamp":1705477288000},"page":"590","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":56,"title":["Security at the Edge for Resource-Limited IoT Devices"],"prefix":"10.3390","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4265-7743","authenticated-orcid":false,"given":"Daniele","family":"Canavese","sequence":"first","affiliation":[{"name":"IRIT, CNRS, 118 Route de Narbonne, CEDEX 9, F-31062 Toulouse, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5738-9094","authenticated-orcid":false,"given":"Luca","family":"Mannella","sequence":"additional","affiliation":[{"name":"Dipartimento di Automatica e Informatica, Politecnico di Torino, Corso Duca degli Abruzzi 24, 10129 Turin, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9259-5157","authenticated-orcid":false,"given":"Leonardo","family":"Regano","sequence":"additional","affiliation":[{"name":"Dipartimento di Ingegneria Elettrica ed Elettronica, Universit\u00e0 degli Studi di Cagliari, Piazza d\u2019Armi, 09123 Cagliari, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8016-1490","authenticated-orcid":false,"given":"Cataldo","family":"Basile","sequence":"additional","affiliation":[{"name":"Dipartimento di Automatica e Informatica, Politecnico di Torino, Corso Duca degli Abruzzi 24, 10129 Turin, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2024,1,17]]},"reference":[{"key":"ref_1","unstructured":"Bruegge, F., Hasan, M., Kulezak, M., Lasse Lueth, K., Pasqua, E., Sinha, S., Wegner, P., Baviskar, K., and Taparia, A. (2023). State of IoT\u2014Spring 2023, IoT Analytics GmbH. Technical Report."},{"key":"ref_2","unstructured":"Kumar, D., Shen, K., Case, B., Garg, D., Alperovich, G., Kuznetsov, D., Gupta, R., and Durumeric, Z. (2019, January 14\u201316). All things considered: An analysis of IoT devices on home networks. Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Langiu, A., Boano, C.A., Schu\u00df, M., and R\u00f6mer, K. (2019, January 7\u201310). UpKit: An Open-Source, Portable, and Lightweight Update Framework for Constrained IoT Devices. Proceedings of the 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS), Dallas, TX, USA.","DOI":"10.1109\/ICDCS.2019.00207"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1007\/s40860-022-00175-4","article-title":"Helping novice developers harness security issues in cloud-IoT systems","volume":"8","author":"Corno","year":"2022","journal-title":"J. Reliab. Intell. Environ."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Corno, F., and Mannella, L. (2023). Security Evaluation of Arduino Projects Developed by Hobbyist IoT Programmers. Sensors, 23.","DOI":"10.3390\/s23052740"},{"key":"ref_6","unstructured":"Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., and Kallitsis, M. (2017, January 16\u201318). Understanding the Mirai Botnet. Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, USA."},{"key":"ref_7","unstructured":"(2023, October 04). ETSI, 650, Route des Lucioles, Valbonne\u2014Sophia Antipolis, France. Available online: https:\/\/www.etsi.org\/deliver\/etsi_gs\/nfv\/001_099\/003\/01.02.01_60\/gs_nf."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1109\/MCOMSTD.201.2100023","article-title":"Security Function Virtualization for IoT Applications in 6G Networks","volume":"5","author":"Aman","year":"2021","journal-title":"IEEE Commun. Stand. Mag."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1007\/s10207-011-0124-7","article-title":"Principles of remote attestation","volume":"10","author":"Coker","year":"2011","journal-title":"Int. J. Inf. Secur."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Zolotukhin, M., and H\u00e4m\u00e4l\u00e4inen, T. (2018, January 27\u201329). On Artificial Intelligent Malware Tolerant Networking for IoT. Proceedings of the 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Verona, Italy.","DOI":"10.1109\/NFV-SDN.2018.8725767"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1109\/MC.2013.249","article-title":"Software-defined networking: On the verge of a breakthrough?","volume":"46","author":"Ortiz","year":"2013","journal-title":"Computer"},{"key":"ref_12","unstructured":"(2023, October 04). ETSI, 650, Route des Lucioles, Valbonne\u2014Sophia Antipolis, France. Available online: https:\/\/portal.etsi.org\/nfv\/nfv_white_paper.pdf."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"1218","DOI":"10.1109\/JSAC.2020.2986618","article-title":"A Network Function Virtualization System for Detecting Malware in Large IoT Based Networks","volume":"38","author":"Guizani","year":"2020","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Graves, A. (2012). Supervised Sequence Labelling with Recurrent Neural Networks, Springer.","DOI":"10.1007\/978-3-642-24797-2"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"113199","DOI":"10.1109\/ACCESS.2021.3104113","article-title":"An Advanced Intrusion Detection System for IIoT Based on GA and Tree Based Algorithms","volume":"9","author":"Kasongo","year":"2021","journal-title":"IEEE Access"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"4724","DOI":"10.1109\/TII.2018.2852491","article-title":"Industrial Internet of Things: Challenges, Opportunities, and Directions","volume":"14","author":"Sisinni","year":"2018","journal-title":"IEEE Trans. Ind. Informatics"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1109\/2.294849","article-title":"Genetic algorithms: A survey","volume":"27","author":"Srinivas","year":"1994","journal-title":"Computer"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"540","DOI":"10.1016\/j.dcan.2022.05.027","article-title":"Intrusion detection and prevention system for an IoT environment","volume":"8","author":"Kumar","year":"2022","journal-title":"Digit. Commun. Networks"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1109\/MIC.2017.39","article-title":"Fog Computing","volume":"21","author":"Chen","year":"2017","journal-title":"IEEE Internet Comput."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1145\/997150.997156","article-title":"A Taxonomy of DDoS Attack and DDoS Defense Mechanisms","volume":"34","author":"Mirkovic","year":"2004","journal-title":"Acm Sigcomm Comput. Commun. Rev."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Sunyaev, A. (2020). Internet Computing: Principles of Distributed Systems and Emerging Internet-Based Technologies, Springer International Publishing.","DOI":"10.1007\/978-3-030-34957-8"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1016\/j.ins.2022.03.065","article-title":"PDAE: Efficient network intrusion detection in IoT using parallel deep auto-encoders","volume":"598","author":"Basati","year":"2022","journal-title":"Inf. Sci."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"219","DOI":"10.1016\/j.future.2019.02.050","article-title":"Edge computing: A survey","volume":"97","author":"Khan","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Sharma, R.K., and Pippal, R.S. (2020, January 25\u201326). Malicious Attack and Intrusion Prevention in IoT Network using Blockchain based Security Analysis. Proceedings of the 2020 12th International Conference on Computational Intelligence and Communication Networks (CICN), Bhimtal, India.","DOI":"10.1109\/CICN49253.2020.9242610"},{"key":"ref_25","unstructured":"Dang, Q. (2015). Federal Information Processing Standards Publication (NIST FIPS), National Institute of Standards and Technology."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Jiang, C., Kuang, J., and Wang, S. (2019, January 9\u201311). Home IoT Intrusion Prevention Strategy Based on Edge Computing. Proceedings of the 2019 IEEE 2nd International Conference on Electronics and Communication Engineering (ICECE), Xi\u2019an, China.","DOI":"10.1109\/ICECE48499.2019.9058536"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Raj, J.R., and Srinivasulu, S. (2022, January 16\u201318). Design of IoT Based VPN Gateway for Home Network. Proceedings of the 2022 International Conference on Electronics and Renewable Systems (ICEARS), Tuticorin, India.","DOI":"10.1109\/ICEARS53579.2022.9751838"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Upton, E., and Halfacree, G. (2016). Raspberry Pi User Guide, John Wiley & Sons.","DOI":"10.1002\/9781119415572"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Fan, J., Wang, Z., and Li, C. (2019, January 16\u201318). Design and Implementation of IoT Gateway Security System. Proceedings of the 2019 International Conference on Artificial Intelligence and Advanced Manufacturing (AIAM), Dublin, Ireland.","DOI":"10.1109\/AIAM48774.2019.00039"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Frankel, S., and Krishnan, S. IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap. RFC Editor, 2011, number 6071 in Request for Comments.","DOI":"10.17487\/rfc6071"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.3. RFC Editor, 2018, number 8446 in Request for Comments.","DOI":"10.17487\/RFC8446"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Alharbi, S., Rodriguez, P., Maharaja, R., Iyer, P., Subaschandrabose, N., and Ye, Z. (2017, January 10\u201312). Secure the Internet of Things with challenge response authentication in fog computing. Proceedings of the 2017 IEEE 36th International Performance Computing and Communications Conference (IPCCC), San Diego, CA, USA.","DOI":"10.1109\/PCCC.2017.8280489"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Zedak, C., Lekbich, A., Belfqih, A., Boukherouaa, J., Haidi, T., and El Mariami, F. (2018, January 10\u201312). A proposed secure remote data acquisition architecture of photovoltaic systems based on the Internet of Things. Proceedings of the 2018 6th International Conference on Multimedia Computing and Systems (ICMCS), Rabat, Morocco.","DOI":"10.1109\/ICMCS.2018.8525902"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1109\/MCC.2016.100","article-title":"To Docker or Not to Docker: A Security Perspective","volume":"3","author":"Combe","year":"2016","journal-title":"IEEE Cloud Comput."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Corno, F., and Mannella, L. (2023, January 20\u201323). A Gateway-based MUD Architecture to Enhance Smart Home Security. Proceedings of the 2023 8th International Conference on Smart and Sustainable Technologies (SpliTech), Split\/Bol, Croatia.","DOI":"10.23919\/SpliTech58164.2023.10193747"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Lear, E., Droms, R., and Romascanu, D. Manufacturer Usage Description Specification. RFC Editor, 2019, number 8520 in Request for Comments.","DOI":"10.17487\/RFC8520"},{"key":"ref_37","unstructured":"Boeyen, S., Santesson, S., Polk, T., Housley, R., Farrell, S., and Cooper, D. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC Editor, 2008, number 5280 in Request for Comments."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Kaufman, C., Hoffman, P.E., Nir, Y., Eronen, P., and Kivinen, T. Internet Key Exchange Protocol Version 2 (IKEv2). RFC Editor, 2014, number 7296 in Request for Comments.","DOI":"10.17487\/rfc7296"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Neto, E.C.P., Dadkhah, S., Ferreira, R., Zohourian, A., Lu, R., and Ghorbani, A.A. (2023). CICIoT2023: A Real-Time Dataset and Benchmark for Large-Scale Attacks in IoT Environment. Sensors, 23.","DOI":"10.20944\/preprints202305.0443.v1"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Eddy, W. Transmission Control Protocol (TCP). RFC Editor, 2022, number 9293 in Request for Comments.","DOI":"10.17487\/RFC9293"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Iyengar, J., and Thomson, M. QUIC: A UDP-Based Multiplexed and Secure Transport. RFC 9000, 2021.","DOI":"10.17487\/RFC9000"},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Postel, J.B. Internet Control Message Protocol. RFC Editor, 1981, number 792 in Request for Comments.","DOI":"10.17487\/rfc0777"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Berbecaru, D.G., Giannuzzi, S., and Canavese, D. (2023, January 9\u201312). Autoencoder-SAD: An Autoencoder-based Model for Security Attacks Detection. Proceedings of the 2023 IEEE Symposium on Computers and Communications (ISCC), Gammarth, Tunisia.","DOI":"10.1109\/ISCC58397.2023.10217930"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"107621","DOI":"10.1016\/j.compeleceng.2021.107621","article-title":"Encryption-agnostic classifiers of traffic originators and their application to anomaly detection","volume":"97","author":"Canavese","year":"2022","journal-title":"Comput. Electr. Eng."},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"107968","DOI":"10.1016\/j.dib.2022.107968","article-title":"Data set and machine learning models for the classification of network traffic originators","volume":"41","author":"Canavese","year":"2022","journal-title":"Data Brief"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Basile, C., Canavese, D., Regano, L., Pedone, I., and Lioy, A. (July, January 27). A model of capabilities of Network Security Functions. Proceedings of the 2022 IEEE 8th International Conference on Network Softwarization (NetSoft), Milan, Italy.","DOI":"10.1109\/NetSoft54395.2022.9844057"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/24\/2\/590\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T13:48:49Z","timestamp":1760104129000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/24\/2\/590"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,1,17]]},"references-count":46,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2024,1]]}},"alternative-id":["s24020590"],"URL":"https:\/\/doi.org\/10.3390\/s24020590","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,1,17]]}}}