A group of researchers have devised a self-learning system for detecting compromised IoT devices that does not require prior knowledge about device types or labeled training data to operate.
“We propose a novel approach that combines automated device-type identification and subsequent device-type-specific anomaly detection by making use of machine learning techniques. Using this approach, we demonstrate that we can effectively and quickly detect compromised IoT devices with little false alarms, which is an important consideration for deployability and usability of any anomaly detection approach,” the researchers noted.
About the DÏOT system
DÏOT, as they’ve dubbed the system, consists of a Security Gatewa and an IoT Security Service.
The former stands in as the local access gateway to the Internet to which IoT devices connect, but it also monitors the communication patterns of connected IoT devices and extracts device fingerprints for identifying the device type, as well as detects devices displaying abnormal communication behavior (potentially caused by malware).
The latter uses the device fingerprints created by the Security Gateway to identify the type of IoT devices in use and then sends the anomaly detection models for those specific types of devices to the Security Gateway, to use to detect deviations from normal behavior encoded by the detection model.
Once a compromised IoT device is detected, the Service can let users know so they can proceed with remediation.
A viable solution
The researchers wanted to create a solution for detecting compromised IoT devices that would work for novel attacks (i.e., would not rely solely on signatures) and would scale and work for the extremely fragmented IoT device market.
“To be effective, an anomaly detection model requires capturing all benign patterns of behavior in order to differentiate benign from malicious behavior. Given the ever-increasing number of literally thousands of types of IoT devices (ranging from temperature sensors and smart light bulbs to big appliances like washing machines) an all-encompassing behavior model would be 1) tedious to learn and update, and 2) too broad to be effective at detecting subtle anomalies,” they explained.
“Our approach is based on building models of normal (benign) communication behavior for classes of IoT devices grouped according to device types. Unlike previous approaches, device types and their normal communication profiles are learned automatically, requiring no human intervention or labeling of any training data. Both device-type identification and anomaly detection models are trained in a distributed manner using unlabeled crowdsourced data [cap-tured in client IoT networks].”
According to the results of the experiments done by the researchers by using over 30 IoT devices and the Mirai malware, DÏOT is both effective (has 96% detection rate with 1% false alarms) and fast at detecting compromised devices (does so in less than 0.03 seconds).