
Real-Time IoT Device Activity Detection in Edge Networks

  • Conference paper
  • Network and System Security (NSS 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11058)

Abstract

The growing popularity of the Internet of Things (IoT) has created the need for network-based traffic anomaly detection systems that can identify misbehaving devices. In this work, we propose a lightweight technique, IoTguard, for identifying malicious traffic flows. IoTguard uses semi-supervised learning to distinguish between malicious and benign device behaviours using the network traffic generated by the devices. To achieve this, we extract 39 features from network logs and discard any features containing redundant information. After feature selection, the fuzzy C-Means (FCM) algorithm is trained to obtain clusters that discriminate benign traffic from malicious traffic. We study the feature scores in these clusters and use this information to predict the type of new traffic flows. IoTguard was evaluated using a real-world testbed with more than 30 devices. The results show that IoTguard achieves high accuracy (\({\ge }98\%\)) in differentiating various types of malicious and benign traffic, with low false positive rates. Furthermore, it has a low resource footprint and can operate on OpenWRT-enabled access points and COTS computing boards.
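As an added illustration that is not part of the paper or its IoTguard code, the following builds a handful of constructed flow-feature vectors, clusters them with a from-scratch fuzzy C-Means, names each cluster from a few analyst-labelled flows (the semi-supervised step), and classifies a new flow by its strongest cluster membership. The three features, the min-max scaling, the farthest-first initialisation and the majority-vote cluster labelling are this example's assumptions, not the paper's 39 features or its feature-score method.

```python
import math
# Constructed sample flows (not the paper's data) with three log-derived features:
# packets/sec, mean packet bytes, distinct destination ports.
FLOWS = [(2, 600, 1), (3, 800, 2), (1, 500, 1), (4, 700, 2), (2, 900, 1),  # benign-looking
         (150, 60, 40), (200, 64, 55), (180, 58, 48), (220, 70, 60)]       # scan-like
LABELS = {0: "benign", 5: "malicious"}  # the few analyst-labelled flows (assumed, constructed)

def scale_row(row, lo, hi):
    # Min-max scale to [0, 1] so no single feature dominates the distance.
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def memberships(x, centers, m):
    # FCM membership u_j = 1 / sum_i (d_j / d_i)^(2/(m-1)); epsilon avoids 0/0 on a center.
    d = [dist(x, c) + 1e-9 for c in centers]
    return [1.0 / sum((dj / di) ** (2 / (m - 1)) for di in d) for dj in d]

def fcm(data, k, m=2.0, iters=100):
    # Farthest-first initialisation keeps the run deterministic; then alternate membership
    # updates with membership-weighted (u^m) center updates, the standard FCM iteration.
    centers = [list(data[0])]
    while len(centers) < k:
        centers.append(list(max(data, key=lambda x: min(dist(x, c) for c in centers))))
    for _ in range(iters):
        u = [memberships(x, centers, m) for x in data]
        centers = [[sum(row[j] ** m * x[f] for row, x in zip(u, data)) / sum(row[j] ** m for row in u)
                    for f in range(len(data[0]))] for j in range(k)]
    return centers

def label_clusters(data, labels, centers, m=2.0):
    # Name each cluster by majority vote of the labelled flows whose top membership lands in it.
    votes = [{} for _ in centers]
    for i, lab in labels.items():
        u = memberships(data[i], centers, m)
        j = max(range(len(u)), key=u.__getitem__)
        votes[j][lab] = votes[j].get(lab, 0) + 1
    return [max(v, key=v.get) if v else "unknown" for v in votes]

def build_model(flows, labels, k=2):
    cols = list(zip(*flows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    data = [scale_row(r, lo, hi) for r in flows]
    centers = fcm(data, k)
    return centers, label_clusters(data, labels, centers), lo, hi

def classify(flow, centers, names, lo, hi, m=2.0):
    u = memberships(scale_row(flow, lo, hi), centers, m)
    j = max(range(len(u)), key=u.__getitem__)
    return names[j], u[j]
```

The returned membership doubles as a confidence score: a flow that sits between clusters gets a weak top membership, which is the case a deployment would want to flag for review rather than trust.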

Notes

  1. \(d: D \mid d(A_{ki})=(1/4) (a_{ki} + 2\times b_{ki} + c_{ki})\) for triangular set \(A_{ki}\).


Acknowledgements

The work was supported in part by the Business Finland PraNA research project.

Author information

Corresponding author

Correspondence to Ibbad Hafeez.

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Hafeez, I., Ding, A.Y., Antikainen, M., Tarkoma, S. (2018). Real-Time IoT Device Activity Detection in Edge Networks. In: Au, M., et al. (eds.) Network and System Security. NSS 2018. Lecture Notes in Computer Science, vol 11058. Springer, Cham. https://doi.org/10.1007/978-3-030-02744-5_17

  • DOI: https://doi.org/10.1007/978-3-030-02744-5_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02743-8

  • Online ISBN: 978-3-030-02744-5

  • eBook Packages: Computer Science, Computer Science (R0)
