Detecting Anomalous Microflows in IoT Volumetric Attacks via Dynamic Monitoring of MUD Activity

by Ayyoob Hamza, et al.

IoT networks are increasingly becoming targets of sophisticated new cyber-attacks. Anomaly-based detection methods are promising for finding new attacks, but they face practical challenges: false-positive alarms, detections that are hard to explain, and difficulty scaling cost-effectively. The recent IETF standard called Manufacturer Usage Description (MUD) seems promising for limiting the attack surface of IoT devices by formally specifying their intended network behavior. In this paper, we use SDN to enforce and monitor the expected behaviors of each IoT device, and train one-class classifier models to detect volumetric attacks. Our specific contributions are fourfold. (1) We develop a multi-level inferencing model to dynamically detect anomalous patterns in the network activity of MUD-compliant traffic flows via SDN telemetry, followed by packet inspection of anomalous flows. This provides enhanced fine-grained visibility into distributed and direct attacks, allowing us to precisely isolate volumetric attacks at microflow (5-tuple) resolution. (2) We collect traffic traces (benign and a variety of volumetric attacks) from the network behavior of IoT devices in our lab, generate labeled datasets, and make them available to the public. (3) We prototype a full working system (modules are released as open-source), demonstrate its efficacy in detecting volumetric attacks on several consumer IoT devices with high accuracy while maintaining low false positives, and provide insights into the cost and performance of our system. (4) We demonstrate how our models scale in environments with a large number of connected IoTs (with datasets collected from a network of IP cameras on our university campus) by considering various training strategies (per device unit versus per device type), and balancing the accuracy of prediction against the cost of models in terms of size and training time.
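The two-level idea in contribution (1), as an added illustration that is not the paper's code: coarse per-MUD-rule counters from SDN telemetry are checked against a benign-only (one-class) profile, and only rules that trip the profile are drilled down to the 5-tuple microflows that carry the excess. The MUD rules, the robust median/MAD profile standing in for the paper's classifier, and the traffic window are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed MUD-style ACL entries for a hypothetical IP camera (assumed, not from the paper).
MUD_RULES = {"dns": (17, 53), "ntp": (17, 123), "https": (6, 443)}

def match_rule(flow):
    """Map a 5-tuple (src, dst, proto, sport, dport) to the MUD rule it satisfies, else None."""
    for name, (proto, dport) in MUD_RULES.items():
        if flow[2] == proto and flow[4] == dport:
            return name
    return None

class RuleProfile:
    """One-class model of packets-per-window for one MUD rule, trained on benign windows only.
    Stand-in for the paper's classifier: anomalous if count > median + k * MAD."""
    def __init__(self, benign_counts, k=6.0):
        m = median(benign_counts)
        mad = median(abs(c - m) for c in benign_counts) or 1.0  # guard against zero spread
        self.threshold = m + k * mad

    def is_anomalous(self, count):
        return count > self.threshold

def detect(profiles, window):
    """Level 1: per-rule aggregate counters. Level 2: isolate microflows inside anomalous rules.
    window maps 5-tuple -> packets in this window. Returns {rule: sorted offending 5-tuples}."""
    per_rule = defaultdict(dict)
    for flow, pkts in window.items():
        per_rule[match_rule(flow) or "non_mud"][flow] = pkts
    alerts = {}
    for rule, flows in per_rule.items():
        if rule == "non_mud":                       # MUD-violating flows are reported outright
            alerts[rule] = sorted(flows)
        elif profiles[rule].is_anomalous(sum(flows.values())):
            thr = profiles[rule].threshold
            direct = [f for f in flows if flows[f] > thr]       # one microflow carries the excess
            alerts[rule] = sorted(direct) if direct else sorted(flows)  # else: distributed set
    return alerts

def run_demo():
    """Constructed benign training windows and one attack window (documentation IP ranges)."""
    profiles = {"dns": RuleProfile([10, 12, 11, 9, 13, 10, 11, 12, 10, 11]),
                "ntp": RuleProfile([2, 3, 2, 2, 3, 2, 2, 3, 2, 3]),
                "https": RuleProfile([100, 120, 110, 90, 130, 100, 110, 120, 100, 110])}
    cam = "192.0.2.10"
    window = {(cam, "192.0.2.1", 17, 5353, 53): 500,       # DNS flood from one source port
              (cam, "192.0.2.1", 17, 5354, 53): 10,        # normal DNS microflow
              (cam, "198.51.100.7", 6, 44123, 443): 120,   # normal HTTPS
              (cam, "203.0.113.9", 6, 40000, 23): 40}      # telnet: not in MUD profile
    return detect(profiles, window)
```

Scaling this to many cameras is a choice between one profile per device unit and one per device type, which is exactly the trade-off the paper's contribution (4) measures.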
