dÏot: a self-learning system for detecting compromised iot ... · secure systems group, aalto...
TRANSCRIPT
Secure Systems Group, Aalto University
DÏoT system overview Self-learning device-type identification
• Passive fingerprinting of periodic traffic
• Abstract device types: type#12Self-learning anomaly detection system
• Gated recurrent unit (GRU) to model
communications as a language
• Device-type-specific anomaly detection model
• Federated learning of AD models
Distributed and collaborative system
• One IoT security service provider
• Several security gateways
ICRI-CARS
DÏoT: A Self-learning Systemfor Detecting Compromised IoT devices
Thien Duc Nguyen, Samuel Marchal, Markus Miettinen, N. Asokan and Ahmad Sadeghi
Periodicity of communications• Binarization of communication flows
• Fourier transform + signal autocorrelation
Device
FingerprintingAnomaly
Detection
Local SOHO network
Security Gateway
Device
Identification
Device detection Profiling
IoT Security Sevice Provider
Problem setting Increase in IoT malware and botnets
• Mirai, Persirai, Reaper, Hajime, etc.
Existing intrusion detection methods are inefficient
• Heterogeneity of IoT devices
• Scarcity of communications
• Resource limitations / etc.
Require a self-learning system for security
monitoring of IoT
ARP 1 0
HTTPS 1
443 0 mDNS 1
5353 0
TCP 1 62976 0
0 50 100 150 200
time (seconds) Evaluation (> 30 IoT devices)Device-type identification• 98% accuracy
• 30 minutes to identify a device’s type
Anomaly detection• Detects 94% of attacks from Mirai botnet
• Average detection time of 2 seconds
• No false positives (real-world deployment)
Attack Packets/s. Detection time (s.) Detection ratescan 292.2 0.4 100.0%
udp 84.4 1.7 100.0%
syn 752.6 0.2 100.0%
ack 123.8 1.1 94.6%
udpplain 1755.8 0.1 82.2%
vse 331.1 0.5 63.3%
dns 1292.6 0.1 100.0%
greip 167.8 0.7 100.0%
greeth 53.4 2.3 100.0%
http 10.9 15.4 100.0%
Average 442.3 2.3 94.0%
TP ra
te
1
0.95
0.9
0.85
0.8
0.75
0.7
ɣ = 0.4 ɣ = 0.5 ɣ = 0.6
0 0.02 0.04 0.06 0.08 0.1
FP rate