Encyclopedia of Wireless Networks

Living Edition
| Editors: Xuemin (Sherman) Shen, Xiaodong Lin, Kuan Zhang

Anomaly Detection for IoT Systems

  • Xin-Xue LinEmail author
  • En-Hau Yeh
  • Phone Lin
Living reference work entry
DOI: https://doi.org/10.1007/978-3-319-32903-1_183-1



Anomaly detection for Internet of Things (IoT) system is to automatically detect whether the IoT devices, components, or systems operate normally or not. Usually there are multiple sensors or external monitors that observe the signals sent from the operating IoT systems. The detection module analyzes the signals to determine whether the system’s behavior is normal or abnormal.

Historical Background

The IoT systems link the heterogeneous sensors and IoT servers to provide the IoT applications such as healthcare, industrial automation, environment monitoring, and so on. Because the decade aged IoT systems and new IoT systems may coexist, it is not easy to implement the monitors into the integrated IoT systems. It is usually to treat the integrated IoT system as a black box. Furthermore, because the signals come from one or more types of sensors (i.e., heterogeneous sensors), it is complicated for the monitors to analyze the signals from the IoT systems. One of the solutions to resolve the issue is to use the rules defined by the expert, but it usually takes time and cost. The data-driven technologies can be applied for anomaly detection in IoT systems. Some of the previous works using these data-driven technologies are summarized as follows:

The works (Xie et al. 2017; Juvonen et al. 2015) built the statistical model based on the normal data. If a data sample does not follow the statistical model, it is judged as an abnormal data point. The work (Zhang et al. 2016) used supervised machine learning algorithms to build a classification model to check whether a data sample is normal or abnormal. It is required to label each data sample as “normal” or “abnormal” in supervised learning algorithms. The works (Valenzuela et al. 2013; Shin et al. 2011) used unsupervised machine learning algorithms to build clustering models. Because it does not rely on the labeled data, it can save lots of labeling effort.


Anomaly detection techniques can be applied in many domains such as intrusion detection, system health monitoring, anomalous event detection in sensor networks, and so on. The anomalies could be caused by external factors (e.g., network attacking and human mistake) or internal factors (e.g., hardware failure and resource exhaustion). The anomaly detection techniques can be grouped into the following categories: density-based (Breunig et al. 2000), statistical-based (Xie et al. 2017; Juvonen et al. 2015), clustering-based (Zong et al. 2018), and the machine learning-based (Zhang et al. 2016) techniques. These techniques use historical data to build up models to determine whether the data sample is normal or abnormal. In most cases, the anomalies are rare events (i.e., less data points for the anomalies). It is very hard to directly learn the anomalous patterns from less data samples. To resolve the issue, we may only use the data samples of normal events to build up the model for anomaly detection. If a sample data does not follow the model (e.g., does not fall into the distribution of the data points of normal event), it is determined as an abnormal event.

Key Applications

In the following, we elaborate on some IoT applications (Porkodi and Bhuvaneswari 2014) for which anomaly detection can be applied:

Industrial Environment/System

In Industry 4.0 (Stojanovic et al. 2016) for automation and data exchange in the manufacturing industry, wireless sensor networks are deployed to monitor the physical environment to ensure that the manufacturing systems operate continuously and safely. With the help of the monitoring sensors, the status of the monitored object is represented by several metrics, with which the anomaly detection can determine whether the status of the monitored object is normal or abnormal.

Smart Home

In the smart home application (Fahad and Rajarajan 2015), the electrical devices, such as air-condition, television, and so on, are connected with the IoT network, through which users can interact with the devices. The anomaly detection for smart home can be applied for home security, where it can detect whether someone without authority breaks into, or check whether the door is locked or not.

Health Monitoring

With the wearable devices connected to the IoT network, the human’s physiological status can be monitored remotely in real time, which makes elderly care (Shin et al. 2011) or healthcare more functional. The anomaly detection can be applied for checking whether the status deviates from distribution of the historical data, and determines whether the owner of the devices is in trouble (i.e., an emergency event occurs). It can also reduce the response time for an emergency event. Applying anomaly detection helps health monitoring system be able to react more quickly.

Connected Cars

A connected car is a vehicle with capability to connect to other vehicles, devices, and networks through wireless local area networks which assists users to drive (Kwak et al. 2016). One of the applications of the anomaly detection on the connected car is to check the user’s driving behavior (e.g., it can determine whether the user has dangerous driving behavior), or check if the functionality of the car is in good status.

Smart City

In the smart city (Difallah et al. 2013), the sensors and activators (e.g., traffic light) are connected to IoT network. Examples of the smart city applications include traffic flow management and environmental monitoring. The anomaly detection in smart city can be applied to detect the car accident (i.e., abnormal traffic flow).

IoT Network Security

In the IoT network security (Hodo et al. 2016), the traditional firewall determines whether a packet can go into the Intranet by referencing the predefined security rules. However, it is hard to identify new types of attacks by using the predefined rules. The unsupervised anomaly detection mechanism can train a behavior model by using the normal Internet traffic. The model can be used to determine abnormal network traffics, e.g., attack patterns, and it can reduce the effort for human expert to find out the attack patterns.



  1. Breunig MM, Kriegel H-P, Ng RT, Sander J (2000) LOF: identifying density-based local outliers. ACM SIGMOD Rec 29(2):93–104CrossRefGoogle Scholar
  2. Difallah DE, Cudre-Mauroux P, McKenna SA (2013) Scalable anomaly detection for smart city infrastructure networks. IEEE Internet Comput 17(6):39–47CrossRefGoogle Scholar
  3. Fahad LG, Rajarajan M (2015) Anomalies detection in smart-home activities. In: Proceedings of IEEE international conference on machine learning and applicationsGoogle Scholar
  4. Hodo E, Bellekens X, Hamilton A, Dubouilh PL, Iorkyase E, Tachtatzis C, Atkinson R (2016) Threat analysis of IoT networks using artificial neural network intrusion detection system. In: Proceedings of IEEE international symposium on networks, computers and communicationsGoogle Scholar
  5. Juvonen A, Sipola T, Hämäläinen T (2015) Online anomaly detection using dimensionality reduction techniques for http log analysis. Comput Netw Int J Comput Telecommun Netw 91:46–56Google Scholar
  6. Kwak BI, Woo J, Kim HK (2016) Know your master: driver profiling-based anti-theft method. In: Proceedings of IEEE annual conference on privacy, security and trustGoogle Scholar
  7. Porkodi R, Bhuvaneswari V (2014) The internet of things applications and communication enabling technology standards: an overview. In: Proceedings of the international conference on intelligent computing applicationsGoogle Scholar
  8. Shin JK, Lee B, Park KS (2011) Detection of abnormal living patterns for elderly living alone using support vector data description. IEEE Trans Inf Technol Biomed 15(3):438–448CrossRefGoogle Scholar
  9. Stojanovic L, Dinic M, Stojanovic N, Stojadinovic A (2016) Big-data-driven anomaly detection in industry (4.0): an approach and a case study. In: Proceedings of IEEE international conference on big dataGoogle Scholar
  10. Valenzuela J, Wang J, Bissinger N (2013) Real-time intrusion detection in power system operations. IEEE Trans Power Syst 28(2):1052–1062CrossRefGoogle Scholar
  11. Xie M, Hu J, Guo S, Zomaya AY (2017) Distributed segment-based anomaly detection with Kullback–Leibler divergence in wireless sensor networks. IEEE Trans Inf Forensics Secur 12(1):101–110CrossRefGoogle Scholar
  12. Zhang Z, Wang X, Lin S (2016) Mobile payment anomaly detection mechanism based on information entropy. IET Netw 5(1):1–7CrossRefGoogle Scholar
  13. Zong B, Song Q, Min MR, Cheng W, Lumezanu C, Cho D, Chen H (2018) Deep autoencoding gaussian mixture model for unsupervised anomaly detection. In: Proceedings of international conference on learning representationsGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer Science and Information EngineeringNational Taiwan UniversityTaipeiTaiwan

Section editors and affiliations

  • Phone Lin
    • 1
  1. 1.TaipeiTaiwan