Secure Systems Group, Aalto University

DÏoT system overview Self-learning device-type identification

• Passive fingerprinting of periodic traffic

• Abstract device types: type#12Self-learning anomaly detection system

• Gated recurrent unit (GRU) to model

communications as a language

• Device-type-specific anomaly detection model

• Federated learning of AD models

Distributed and collaborative system

• One IoT security service provider

• Several security gateways

ICRI-CARS

DÏoT: A Self-learning Systemfor Detecting Compromised IoT devices

Thien Duc Nguyen, Samuel Marchal, Markus Miettinen, N. Asokan and Ahmad Sadeghi

Periodicity of communications• Binarization of communication flows

• Fourier transform + signal autocorrelation

Device

FingerprintingAnomaly

Detection

Local SOHO network

Security Gateway

Device

Identification

Device detection Profiling

IoT Security Sevice Provider

Problem setting Increase in IoT malware and botnets

• Mirai, Persirai, Reaper, Hajime, etc.

Existing intrusion detection methods are inefficient

• Heterogeneity of IoT devices

• Scarcity of communications

• Resource limitations / etc.

Require a self-learning system for security

monitoring of IoT

ARP 1 0

HTTPS 1

443 0 mDNS 1

5353 0

TCP 1 62976 0

0 50 100 150 200

time (seconds) Evaluation (> 30 IoT devices)Device-type identification• 98% accuracy

• 30 minutes to identify a device’s type

Anomaly detection• Detects 94% of attacks from Mirai botnet

• Average detection time of 2 seconds

• No false positives (real-world deployment)

Attack Packets/s. Detection time (s.) Detection ratescan 292.2 0.4 100.0%

udp 84.4 1.7 100.0%

syn 752.6 0.2 100.0%

ack 123.8 1.1 94.6%

udpplain 1755.8 0.1 82.2%

vse 331.1 0.5 63.3%

dns 1292.6 0.1 100.0%

greip 167.8 0.7 100.0%

greeth 53.4 2.3 100.0%

http 10.9 15.4 100.0%

Average 442.3 2.3 94.0%

TP ra

te

1

0.95

0.9

0.85

0.8

0.75

0.7

ɣ = 0.4 ɣ = 0.5 ɣ = 0.6

0 0.02 0.04 0.06 0.08 0.1

FP rate