2025 Theses Doctoral

Towards Large-Scale IoT Management: A Metadata-Oriented Approach

Hao, Luoyao

Internet of Things (IoT) has significantly altered how we operate and interact with physical devices. With billions of connected devices generating vast amounts of data, enormous opportunities have emerged for IoT systems to leverage this data and optimize functionalities. However, this massive influx of devices introduces challenges in interpreting, managing, and utilizing IoT data, devices, and systems. Although the generated data dominates the volume of IoT data, the metadata, i.e., data about the data, is equally critical but, unfortunately, often neglected.

Metadata describes devices and data, playing a crucial role in building reliable IoT management systems, improving data analysis and decision-making, and facilitating interoperability between heterogeneous systems. Metadata provides the necessary contexts and instructions to make sense of devices and enables IoT systems to unlock their full potential.

This dissertation demonstrates how metadata can address the management complexities of large-scale IoT systems, where numerous independently developed devices interoperate and integrate. This is particularly significant as these systems expand beyond a single home or enterprise to span multiple domains. The proposed metadata-oriented IoT management system constructs an overlay on top of today's operational IoT devices. It prioritizes flexible descriptors over fixed identifiers and implements a suite of solutions that includes an IoT metadata name resolver, providing the backbone infrastructure across geographically distributed systems; an attribute-based distributed access control solution for fine-grained and distributed authorization; a policy server with identity-independent policy specifications to enhance system dependability by separating the management workflows from the operation; and a stringent firewall solution that responds to IoT network behavior to secure the systems. Together, these components empower IoT environments that are discoverable and accessible with granularity, safely operable, and robustly programmable on a large scale, thereby extending the functional scope beyond individual smart systems to integrate into broader, more complex networked environments.

This dissertation is organized as follows.

First, we delve into the exploration and categorization of metadata in general, highlighting their significance for managing large-scale computer systems, including file systems and the Web infrastructure. Centered on IoT metadata, we illustrate the challenges and opportunities associated with various facets of existing IoT solutions. We discuss the design principles and system implementation challenges for a reliable, efficient, and federated IoT management system, leading to the fundamentals of Metadata-Oriented IoT Systems (MOIS).

Second, we present the Name Resolver (MOIS-NR), the core infrastructure component of the MOIS system. MOIS-NR resolves IoT names as flexible queries, translating them into specific device metadata via an array of APIs. MOIS-NR organizes a federated set of hierarchically distributed directories. Computational nodes, such as IoT gateways, run discovery agents and mechanisms that collect device metadata to update these directories. Essential device metadata, which includes attributes, descriptive profiles, and recognized network behaviors, empowers the functionalities of MOIS-AC, MOIS-PS, and MOIS-FW, as described below.

Third, we introduce the Access Control (MOIS-AC), which retrieves metadata from MOIS-NR, primarily device attributes, to facilitate informed authorization decisions. MOIS-AC is a systematic, attribute-based access control solution that allows for distributed attribute provisioning with fine granularity. It utilizes metadata to enhance the access control solution, which in turn governs and authorizes access to the metadata itself. The system is bifurcated into two phases: initially granting access to metadata, including the exposure of device APIs, and subsequently utilizing a capability-based approach to obtain a token for extended services or device access.

Fourth, we detail the Policy Server (MOIS-PS). MOIS-PS stores and assesses policies derived from authorities, regulatory agencies, developer communities, and manufacturers, integrating them into IoT management stages. Policies delineate desired and prohibitive behaviors of IoT applications and devices, ensuring operations remain within a normative range, thereby promoting security, safety, and energy conservation. For example, a policy might restrict room temperature settings from dipping below 60 degrees Fahrenheit. MOIS-PS employs a relationship-based design, as opposed to identity-based policies, which allows for device replacement, system upgrades, or software updates without needing the specific devices to be known to the system beforehand. This approach enhances the compatibility, scalability, and reusability of the policies. Serving as the guardian of the system, MOIS-PS ensures that all connected devices operate within predefined and accepted boundaries, thereby offering a unified platform for policy enforcement.

Finally, we outline the Firewall (MOIS-FW). MOIS-FW is a real-time firewall solution incorporating dynamic DNS observation and packet filtration based on DNS responses or static projected traffic behaviors. Here, metadata, predominantly network behavioral profiles, is extracted from MOIS-NR and embedded into firewall strategies. Unlike traditional firewalls, MOIS-FW employs a more aggressive and proactive way, defaulting to a whitelist approach and discarding suspicious packets. It also provides an interactive endpoint to involve administrators in the packet control, i.e., whitelist an endpoint or forward a packet. This dynamic and real-time solution is bolstered by the P4 technology through its runtime control.

To summarize, this dissertation develops a metadata-oriented approach to streamline the design and building blocks of IoT management systems. It introduces a comprehensive set of mechanisms designed to address challenges in device management, name resolution, cross-domain data access, fine-grained authorization, interoperability, and safe operation. By establishing a management plane that overlays the operational workflows, the MOIS solution stack includes, but is not limited to, cleanly decoupled subsystems for metadata-based name resolution and device discovery, distributed access control, policy enforcement, and a dynamic firewall. These components are capable of functioning independently or can be integrated seamlessly to provide a holistic solution for large-scale IoT management. This approach provides IoT system developers and administrators with a foundational and systematic strategy for managing IoT devices as a reliably interconnected and automated ecosystem.