Inferring Connected IoT Devices from IPFIX Records in Residential ISP Networks

Pashamokhtari, Arman; Okui, Norihiro; Miyake, Yutaka; Nakahara, Masaru; Gharakheili, Hassan Habibi

doi:10.1109/lcn52139.2021.9524954

Cited by 14 publications

(15 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another important aspect of our dataset is that unlike most datasets used thus far (some of which were published), it is not comprised of packet-level raw traffic data but rather is comprised mainly of IPFIX-level aggregated metadata, which results in lower communication/storage overhead while preserving privacy. We note that in [65], a large and diverse IPFIX-based dataset was collected from an IoT testbed, however it (1) only contains benign data, limiting attack detection evaluation, (2) emanates from a single network only, such that collaborative learning can not be properly evaluated, and (3) reflects a limited frequency of human interaction, which is performed by just the lab staff, as opposed to the ongoing and natural real-world interaction with a diverse range of people in multiple disparate home networks reflected in our dataset.…”

Section: Existing Public Datasets For Iot Attack Detectionmentioning

confidence: 80%

“…This hardware enabled both the service of continuous smart home monitoring for malicious activities, and the standardized collection of data which can be shared and used for model training; however, it is possible that in the future ISPs would offer such a service themselves and preinstall the necessary software on the home routers they supply, instead of an additional hardware. Second, our method requires correct IoT model identification prior to anomaly detection, in order to enable the training and deployment of an anomaly detector for each IoT model separately; to this end, there are already promising research results regarding IoT identification based on IPFIX records, even behind a NAT [65], [66] (which is a typical setting in home networks). Third, as noted by [65], behavioral changes are not rare in the IoT, which could have an effect on the profile of normal network patterns.…”

Section: Discussionmentioning

confidence: 99%

“…Second, our method requires correct IoT model identification prior to anomaly detection, in order to enable the training and deployment of an anomaly detector for each IoT model separately; to this end, there are already promising research results regarding IoT identification based on IPFIX records, even behind a NAT [65], [66] (which is a typical setting in home networks). Third, as noted by [65], behavioral changes are not rare in the IoT, which could have an effect on the profile of normal network patterns. This might necessitate relatively frequent model retraining, depending on the degree to which the traffic patterns of each monitored IoT model m are sensitive to behavioral changes.…”

Section: Discussionmentioning

confidence: 99%

“…This data selection strategy enabled us to evaluate the generalizability of our collaborative method and answer the question: Can an anomaly detector, which was trained and optimized using shared traffic data from multiple identical IoT devices deployed in various other networks, effectively detect IoT-related cyber-attacks that involve an identical IoT device that was not represented in F m training or F m validation ? Additional data cleansing operations included (3) keeping only external communications (i.e., communication sent outside each device's network) [65]; (4) keeping only assumed-benign flows in F m training and F m validation , as opposed to F m test which contains both malicious and assumed-benign flows; and (5) sanitizing F m training [77], [78] in order to avoid model poisoning [64] by removing extreme outliers, i.e., excluding training flows whose destination ports are too scarce, collaboratively considering all of the IoT devices in F m trn . The entire process of data partitioning and analytical flow is illustrated in Fig.…”

Section: Data Merging Enrichment Preprocessing and Partitioningmentioning

confidence: 99%

See 3 more Smart Citations

CADeSH: Collaborative Anomaly Detection for Smart Homes

Avraham

Libhaber

Shabtai

2023

IEEE Internet Things J.

View full text Add to dashboard Cite

Although home IoT (Internet of Things) devices are typically plain and task oriented, the context of their daily use may affect their traffic patterns. That is, a given IoT device will probably not generate the exact same traffic data when operated by different people in different environments and when connected to different networks with different topologies and communication components. For this reason, anomaly-based intrusion detection systems tend to suffer from a high false positive rate (FPR). To overcome this, we propose a two-step collaborative anomaly detection method which first uses an autoencoder to differentiate frequent ('benign') and infrequent (possibly 'malicious') traffic flows. Clustering is then used to analyze only the infrequent flows and classify them as either known ('rare yet benign') or unknown ('malicious'). Our method is collaborative, in that (1) normal behaviors are characterized more robustly, as they take into account a variety of user interactions and network topologies, and (2) several features are computed based on a pool of identical devices rather than just the inspected device.We evaluated our method empirically, using 21 days of real-world traffic data that emanated from eight identical IoT devices deployed on various networks, one of which was located in our controlled lab where we implemented two popular IoT-related cyber-attacks. Our collaborative anomaly detection method achieved a macro-average area under the precision-recall curve of 0.841, an F1 score of 0.929, and an FPR of only 0.014. These promising results were obtained by using labeled traffic data from our lab as the test set, while training the models on the traffic of devices deployed outside the lab, and thus demonstrate a high level of generalizability. In addition to its high generalizability and promising performance, our proposed method also offers benefits such as privacy preservation, resource savings, and model poisoning mitigation. On top of that, as a contribution to the scientific community, our novel dataset is available online.

show abstract

Section: Existing Public Datasets For Iot Attack Detectionmentioning

confidence: 80%

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Data Merging Enrichment Preprocessing and Partitioningmentioning

confidence: 99%

See 2 more Smart Citations

CADeSH: Collaborative Anomaly Detection for Smart Homes

Avraham

Libhaber

Shabtai

2023

IEEE Internet Things J.

View full text Add to dashboard Cite

show abstract

“…A "whitelist" of IoT behaviors, specified in the form of MUD (Manufacturer Usage Description) profiles, has been employed to detect anomalies [19]. Researchers have employed various ML techniques to learn from the benign behavior of IoT devices to monitor their health and detect malicious incidents [33], [42], [18], [38]. The use of pure benign instances from IoT network traffic in training inference models, without the inclusion of known attack (malicious) instances, enables them to become more robust against unseen and morphing cyber-attacks.…”

Section: Related Workmentioning

confidence: 99%

AdIoTack: Quantifying and Refining Resilience of Decision Tree Ensemble Inference Models against Adversarial Volumetric Attacks on IoT Networks

Pashamokhtari¹,

Batista²,

Gharakheili³

2022

Preprint

Self Cite

View full text Add to dashboard Cite

Machine Learning-based techniques have shown success in cyber intelligence. However, they are increasingly becoming targets of sophisticated data-driven adversarial attacks resulting in misprediction, eroding their ability to detect threats on network devices. In this paper, we present AdIoTack 1 , a system that highlights vulnerabilities of decision trees against adversarial attacks, helping cybersecurity teams quantify and refine the resilience of their trained models for monitoring and protecting Internet-of-Things (IoT) networks. In order to assess the model for the worst-case scenario, AdIoTack performs whitebox adversarial learning to launch successful volumetric attacks that decision tree ensemble network behavioral models cannot flag. Our first contribution is to develop a white-box algorithm that takes a trained decision tree ensemble model and the profile of an intended network-based attack (e.g., TCP/UDP reflection) on a victim class as inputs. It then automatically generates recipes that specify certain packets on top of the indented attack packets (less than 15% overhead) that together can bypass the inference model unnoticed. We ensure that the generated attack instances are feasible for launching on Internet Protocol (IP) networks and effective in their volumetric impact. Our second contribution develops a method to monitor the network behavior of connected devices actively, inject adversarial traffic (when feasible) on behalf of a victim IoT device, and successfully launch the intended attack. Our third contribution prototypes AdIoTack and validates its efficacy on a testbed consisting of a handful of real IoT devices monitored by a trained inference model. We demonstrate how the model detects all non-adversarial volumetric attacks on IoT devices while missing many adversarial ones. The fourth contribution develops systematic methods for applying patches to trained decision tree ensemble models, improving their resilience against adversarial volumetric attacks. We demonstrate how our refined model detects 92% of adversarial volumetric attacks.

show abstract