Behavior Anomaly Detection in IoT Networks

Conference paper
Part of the Lecture Notes on Data Engineering and Communications Technologies book series (LNDECT, volume 49)


Data encryption makes deep packet inspection less suitable nowadays, and the need to analyze encrypted traffic is growing. Machine learning brings new options for recognizing the type of communication despite the heterogeneity of encrypted IoT traffic, right at the network edge. We propose the design of a scalable architecture and a method for behavior anomaly detection in IoT networks. The combination of two existing semi-supervised techniques that we use makes anomaly detection more reliable and improves on the results achieved by either method alone. We describe classification and anomaly detection experiments conducted on existing datasets and on our own training datasets. The satisfactory results presented here provide a basis for further work and allow us to elaborate on this idea.


Keywords: IoT behavioral analysis, Encrypted traffic, Anomaly detection



This work was supported by the Grant Agency of the Czech Technical University in Prague, grant No. SGS17/212/OHK3/3T/18 funded by the Ministry of Education, Youth and Sports of the Czech Republic and Secure Gateway for Internet of Things (SIoT) project No. VI20172020079 funded by the Ministry of the Interior of the Czech Republic.



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. CESNET, a.l.e., Prague, Czech Republic
  2. CTU in Prague, Prague, Czech Republic
