Identifying Security and Privacy Violation Rules in Trigger-Action IoT Platforms With NLP Models

Abstract

Trigger-action platforms are systems that enable users to easily define, in terms of conditional rules, custom behaviors concerning Internet of Things (IoT) devices and Web services. Unfortunately, although these tools stimulate the creativity of users in building automation, they may also introduce serious risks for the users. Indeed, trigger-action rules can lead to the possibility of users harming themselves, for example, by unintentionally disclosing nonpublic information, or unwillingly exposing their smart environment to cyber-threats. In this article, we propose to use natural language processing (NLP) techniques to detect automation rules, defined within trigger-action IoT platforms, that potentially violate the security or privacy of the users. The proposed NLP-based models capture the semantic and contextual information of the trigger-action rules by applying classification techniques to different combinations of rule's features. We evaluate the proposed solution with the mainstream trigger-action platform, namely, If-This-Then-That, by training the NLP models with a data set of 76 741 rules labeled by using an ensemble of three semi-supervised learning techniques. The experimental results demonstrate that the model based on bidirectional encoder representations from transformers (BERTs) obtains the highest performances when trained on all features, achieving average Precision and Recall values between 88% and 93%. We also compare the achieved performances with those of a baseline system implementing information flow analysis.