Detecting Compromised IoT Devices Using Autoencoders with Sequential Hypothesis Testing
Md Mainuddin, Zhenhai Duan, Yingfei Dong

TL;DR
This paper introduces CUMAD, a framework combining autoencoders and sequential hypothesis testing to detect compromised IoT devices efficiently, significantly reducing false alarms and detection time compared to existing methods.
Contribution
The paper presents a novel framework, CUMAD, that effectively integrates autoencoder anomaly detection with sequential hypothesis testing for improved IoT device security.
Findings
Reduces false positive rate from 3.57% to 0.5%.
Detects compromised devices in less than 5 observations on average.
Demonstrates effectiveness on the N-BaIoT dataset.
Abstract
IoT devices fundamentally lack built-in security mechanisms to protect themselves from security attacks. Existing works on improving IoT security mostly focus on detecting anomalous behaviors of IoT devices. However, these existing anomaly detection schemes may trigger an overwhelmingly large number of false alerts, rendering them unusable in detecting compromised IoT devices. In this paper we develop an effective and efficient framework, named CUMAD, to detect compromised IoT devices. Instead of directly relying on individual anomalous events, CUMAD aims to accumulate sufficient evidence in detecting compromised IoT devices, by integrating an autoencoder-based anomaly detection subsystem with a sequential probability ratio test (SPRT)-based sequential hypothesis testing subsystem. CUMAD can effectively reduce the number of false alerts in detecting compromised IoT devices, and…
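The evidence-accumulation step the abstract describes can be sketched as Wald's SPRT over per-window anomaly flags; this is an added example, not code from the paper. The names `flags_from_errors` and `sprt`, the error threshold, and the values of theta0, theta1, alpha and beta are assumptions chosen for illustration, and the sample reconstruction errors are constructed.

```python
import math

def flags_from_errors(errors, threshold):
    """Turn autoencoder reconstruction errors into binary anomaly flags."""
    return [1 if e > threshold else 0 for e in errors]

def sprt_thresholds(alpha, beta):
    """Wald's approximate boundaries on the log-likelihood ratio.
    alpha: target false positive rate, beta: target false negative rate."""
    upper = math.log((1 - beta) / alpha)   # cross it: accept H1 (compromised)
    lower = math.log(beta / (1 - alpha))   # cross it: accept H0 (normal)
    return lower, upper

def sprt(flags, theta0, theta1, alpha, beta):
    """Sequentially test H0 (flag probability theta0, normal device) against
    H1 (flag probability theta1, compromised device).
    Returns (decision, number_of_observations_used)."""
    lower, upper = sprt_thresholds(alpha, beta)
    step_flagged = math.log(theta1 / theta0)            # evidence toward H1
    step_clean = math.log((1 - theta1) / (1 - theta0))  # evidence toward H0
    llr, n = 0.0, 0
    for n, flag in enumerate(flags, start=1):
        llr += step_flagged if flag else step_clean
        if llr >= upper:
            return "compromised", n
        if llr <= lower:
            return "normal", n
    return "undecided", n  # not enough evidence yet: keep observing

if __name__ == "__main__":
    # Assumed parameters (not from the paper).
    params = dict(theta0=0.05, theta1=0.9, alpha=0.01, beta=0.01)
    # Constructed reconstruction errors: one isolated spike, then a sustained run.
    isolated = [0.02, 0.31, 0.03, 0.02, 0.04, 0.02]
    sustained = [0.29, 0.03, 0.33, 0.41]
    for name, errors in (("isolated", isolated), ("sustained", sustained)):
        flags = flags_from_errors(errors, threshold=0.1)
        print(name, flags, sprt(flags, **params))
```

With these assumed parameters a single flagged window is not enough to raise an alert; the decision depends on the accumulated log-likelihood ratio crossing a boundary.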
