Machine Learning DDoS Detection for Consumer Internet of Things Devices
Rohan Doshi, Noah Apthorpe, Nick Feamster

TL;DR
This paper presents a machine learning approach to detect DDoS attacks originating from consumer IoT devices by leveraging IoT-specific network behaviors, enabling high-accuracy detection with low-cost algorithms.
Contribution
It introduces IoT-specific features for DDoS detection and demonstrates effective machine learning models, including neural networks, for real-time attack identification.
Findings
High-accuracy detection using IoT-specific features
Effective use of neural networks for DDoS detection
Flow-based, protocol-agnostic traffic analysis
Abstract
An increasing number of Internet of Things (IoT) devices are connecting to the Internet, yet many of these devices are fundamentally insecure, exposing the Internet to a variety of attacks. Botnets such as Mirai have used insecure consumer IoT devices to conduct distributed denial of service (DDoS) attacks on critical Internet infrastructure. This motivates the development of new techniques to automatically detect consumer IoT attack traffic. In this paper, we demonstrate that using IoT-specific network behaviors (e.g. limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks. These results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of…
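As an added illustration (not code from the paper or its authors), the Python below computes per-device, per-window values for the two behaviors the abstract names, endpoint count and inter-packet timing, over constructed packet records. The function names, the 10-second window, the extra packet-count and size features, and the threshold check standing in for a trained classifier are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def window_features(packets, window_s=10.0):
    """Features per (device, window) from (ts, device, dst_ip, size) tuples."""
    buckets = defaultdict(list)
    for ts, dev, dst, size in sorted(packets):
        buckets[(dev, int(ts // window_s))].append((ts, dst, size))
    feats = {}
    for key, rows in buckets.items():
        times = [r[0] for r in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        feats[key] = {
            "n_packets": len(rows),
            # IoT devices usually talk to a small, stable set of endpoints.
            "n_endpoints": len({r[1] for r in rows}),
            # Regular heartbeats give a steady mean gap and low jitter.
            "mean_gap_s": mean(gaps) if gaps else window_s,
            "gap_jitter_s": pstdev(gaps) if len(gaps) > 1 else 0.0,
            "mean_size": mean(r[2] for r in rows),
        }
    return feats


def deviates(baseline, current, factor=5.0):
    """Assumed stand-in for a trained classifier: compare a window with the
    device's own baseline window on endpoint count and packet spacing."""
    return (current["n_endpoints"] > baseline["n_endpoints"]
            or current["mean_gap_s"] * factor < baseline["mean_gap_s"])


def constructed_capture():
    """Constructed sample traffic (documentation IP ranges, not real data)."""
    # Camera: 1 s heartbeat to one cloud endpoint across two windows.
    pkts = [(float(i), "camera", "198.51.100.10", 120) for i in range(20)]
    # Thermostat, window 0: 2 s heartbeat to its usual endpoint.
    pkts += [(i * 2.0, "thermostat", "198.51.100.20", 90) for i in range(5)]
    # Thermostat, window 1: 500 small packets spaced 10 ms apart.
    pkts += [(10.0 + i * 0.01, "thermostat", "203.0.113.5", 60)
             for i in range(500)]
    return pkts


if __name__ == "__main__":
    f = window_features(constructed_capture())
    for dev in ("camera", "thermostat"):
        print(dev, f[(dev, 1)], "deviates:", deviates(f[(dev, 0)], f[(dev, 1)]))
```

In a deployment like the one the abstract describes, these per-window values would be the input rows to a classifier running on the gateway rather than to a fixed threshold.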
