Correlation-Aware Neural Networks for DDoS Attack Detection In IoT Systems
Arvin Hekmati, Nishant Jethwa, Eugenio Grippo, Bhaskar Krishnamachari

TL;DR
This paper introduces correlation-aware neural network architectures for detecting sophisticated DDoS attacks in IoT systems, especially those camouflaged by benign traffic, demonstrating improved detection performance over traditional models.
Contribution
It proposes new correlation-aware neural network architectures and compares centralized and distributed detection models using real-world IoT data, highlighting the effectiveness of LSTM and transformer models.
Findings
Correlation-aware architectures outperform non-correlation models in detection accuracy.
LSTM and transformer models achieve higher F1 scores, especially against camouflaged attacks.
The distributed correlation-aware architecture with LSTM achieves an 81% F1 score.
Abstract
We present a comprehensive study on applying machine learning to detect distributed denial of service (DDoS) attacks using large-scale Internet of Things (IoT) systems. While prior works and existing DDoS attacks have largely focused on individual nodes transmitting packets at a high volume, we investigate more sophisticated futuristic attacks that use large numbers of IoT devices and camouflage their attack by having each node transmit at a volume typical of benign traffic. We introduce new correlation-aware architectures that take into account the correlation of traffic across IoT nodes, and we also compare the effectiveness of centralized and distributed detection models. We extensively analyze the proposed architectures by evaluating five different neural network models trained on a dataset derived from a 4060-node real-world IoT system. We observe that long short-term memory (LSTM)…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Internet Traffic Analysis and Secure E-voting
