Anomalous Communications Detection in IoT Networks Using Sparse Autoencoders

TL;DR

This paper introduces a novel method using sparse autoencoders to detect anomalous and malicious communications in IoT networks, effectively distinguishing between legitimate and malicious traffic to enhance security.

Contribution

The paper proposes a new autoencoder-based approach for IoT anomaly detection that accurately identifies malicious communications with low false positive rates.

Findings

Detection rates between 86.9% and 91.2%.

False positive rates between 0.1% and 0.5%.

Effective differentiation of malicious from legitimate traffic.

Abstract

Nowadays, IoT devices have been widely deployed for enabling various smart services, such as, smart home or e-healthcare. However, security remains as one of the paramount concern as many IoT devices are vulnerable. Moreover, IoT malware are constantly evolving and getting more sophisticated. IoT devices are intended to perform very specific tasks, so their networking behavior is expected to be reasonably stable and predictable. Any significant behavioral deviation from the normal patterns would indicate anomalous events. In this paper, we present a method to detect anomalous network communications in IoT networks using a set of sparse autoencoders. The proposed approach allows us to differentiate malicious communications from legitimate ones. So that, if a device is compromised only malicious communications can be dropped while the service provided by the device is not totally interrupted. To characterize network behavior, bidirectional TCP flows are extracted and described using statistics on the size of the first N packets sent and received, along with statistics on the corresponding inter-arrival times between packets. A set of sparse autoencoders is then trained to learn the profile of the legitimate communications generated by an experimental smart home network. Depending on the value of N, the developed model achieves attack detection rates ranging from 86.9% to 91.2%, and false positive rates ranging from 0.1% to 0.5%.