This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2021.3111477, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000. Digital Object Identifier 10.1109/ACCESS.2017.DOI

Defining the behavior of IoT devices through the MUD standard: review, challenges and research directions

JOSÉ L. HERNÁNDEZ RAMOS 1, SARA N. MATHEU 2, ANGELO FERAUDO 3, GIANMARCO BALDINI 1 (Senior Member, IEEE), JORGE BERNAL BERNABE 2, POONAM YADAV 4, ANTONIO SKARMETA 2 (Member, IEEE), PAOLO BELLAVISTA 3 (Senior Member, IEEE)

1 European Commission, Joint Research Centre, Ispra 21027, Italy (e-mail: {jose-luis.hernandez-ramos, gianmarco.baldini}@ec.europa.eu)
2 University of Murcia, Department of Information and Communication Engineering, Spain (e-mail: {saranieves.matheu, jorgebernal, skarmeta}@um.es)
3 DISI, University of Bologna, Italy (e-mail: angelo.feraudo@studio.unibo.it, paolo.bellavista@unibo.it)
4 Computer Science Department at the University of York, UK (e-mail: poonam.yadav@york.ac.uk)

Corresponding author: José L. Hernández-Ramos (e-mail: jose-luis.hernandez-ramos@ec.europa.eu).

This work has been partially funded by the European Commission through the projects H2020-830929 CyberSec4Europe, H2020-780139 SerIoT and H2020-952702 BIECO.

ABSTRACT With the strong development of the Internet of Things (IoT), the definition of IoT devices’ intended behavior is key for an effective detection of potential cybersecurity attacks and threats in an increasingly connected environment.
In 2019, the Manufacturer Usage Description (MUD) was standardized within the IETF as a data model and architecture for defining, obtaining and deploying MUD files, which describe the network behavioral profiles of IoT devices. While it has attracted a strong interest from academia, industry, and Standards Developing Organizations (SDOs), MUD is not yet widely deployed in real-world scenarios. In this work, we analyze the current research landscape around this standard, and describe some of the main challenges to be considered in the coming years to foster its adoption and deployment. Based on the literature analysis and our own experience in this area, we further describe potential research directions exploiting the MUD standard to encourage the development of secure IoT-enabled scenarios.

INDEX TERMS MUD, Internet of Things, Security, IETF standards

I. INTRODUCTION

With the increasing deployment of the Internet of Things (IoT), cybersecurity issues may have a broader scope and impact [1]. Indeed, the interconnection of physical devices to the Internet (which is one of the underlying aspects of IoT) may lead to an increase of the attack surface, as well as a more significant impact derived from potential threats and attacks. This aspect has been exploited by well-known attacks (e.g., Mirai or Hajime botnets [2]) that leverage vulnerable IoT devices to launch cyberattacks on other Internet devices and services. In spite of the prominent advances enhancing IoT security in recent years [3], these attacks highlight the need to improve existing attack detection and mitigation mechanisms in IoT-enabled environments.

The realization of an effective detection of security attacks in a specific IoT system or network requires identifying the expected behavior of each device composing such environment [4], [5].
Indeed, most existing approaches based on machine learning techniques to improve IoT security [6] require the proper definition of devices’ intended operation and behaviour to train the corresponding model. The concept is that events or communications that are not part of the IoT device’s normal behavior can be considered as a potential threat or attack. From another point of view, a legitimate behaviour may be imposed on IoT devices. For example, rules can be defined and applied to determine how a device is deployed or connected to a network. For that purpose, specific network components may require adapting their operation to enforce restrictions associated with the intended operation of a new device. However, the application of these concepts is challenging due to the current heterogeneity of IoT devices, which are based on various technologies and communication protocols. Furthermore, the restrictions inherent to certain IoT devices (e.g., the lack of user in-

VOLUME 4, 2016 1