
DÏoT: A Federated Self-learning Anomaly Detection System for IoT (1804.07474v5)

Published 20 Apr 2018 in cs.CR

Abstract: IoT devices are increasingly deployed in daily life. Many of these devices are, however, vulnerable due to insecure design, implementation, and configuration. As a result, many networks already have vulnerable IoT devices that are easy to compromise. This has led to a new category of malware specifically targeting IoT devices. However, existing intrusion detection techniques are not effective in detecting compromised IoT devices given the massive scale of the problem in terms of the number of different types of devices and manufacturers involved. In this paper, we present DÏoT, an autonomous self-learning distributed system for detecting compromised IoT devices effectively. In contrast to prior work, DÏoT uses a novel self-learning approach to classify devices into device types and build normal communication profiles for each of these that can subsequently be used to detect anomalous deviations in communication patterns. DÏoT utilizes a federated learning approach for aggregating behavior profiles efficiently. To the best of our knowledge, it is the first system to employ a federated learning approach to anomaly-detection-based intrusion detection. Consequently, DÏoT can cope with emerging new and unknown attacks. We systematically and extensively evaluated more than 30 off-the-shelf IoT devices over a long term and show that DÏoT is highly effective (95.6% detection rate) and fast (~257 ms) at detecting devices compromised by, for instance, the infamous Mirai malware. DÏoT reported no false alarms when evaluated in a real-world smart home deployment setting.

Authors (6)
  1. Thien Duc Nguyen (7 papers)
  2. Samuel Marchal (12 papers)
  3. Markus Miettinen (14 papers)
  4. Hossein Fereidooni (14 papers)
  5. N. Asokan (78 papers)
  6. Ahmad-Reza Sadeghi (66 papers)
Citations (456)

Summary

  • The paper introduces a federated self-learning method using device-type-specific models to autonomously detect anomalies in IoT devices.
  • It demonstrates a detection rate of 95.6% with zero false alarms and an average latency of 257 milliseconds.
  • The system aggregates sparse local data via federated learning, offering a scalable and robust solution for real-world IoT security challenges.

Federated Self-learning Anomaly Detection for IoT

The paper "DÏoT: A Federated Self-learning Anomaly Detection System for IoT" addresses a critical issue in IoT security by introducing a novel system called "DÏoT". This system is designed to detect compromised IoT devices using a federated learning approach, thus providing a mechanism to manage the dynamic threats posed by IoT-targeting malware such as Mirai.

Key Contributions

  1. Device-Type-Specific Anomaly Detection: The proposed system, DÏoT, leverages device-type-specific anomaly detection models. These models autonomously learn communication profiles of IoT devices without human intervention or the need for labeled data. By modeling device-specific behavior, the system can effectively detect deviations that may signal a compromise.
  2. Federated Learning Approach: DÏoT utilizes federated learning to aggregate behavior profiles from multiple client networks. This ensures that local data from IoT devices, typically sparse and limited, is effectively utilized to train comprehensive anomaly detection models. The approach is novel in the context of anomaly detection for IoT security.
  3. Comprehensive Evaluation: The paper includes a thorough evaluation using data from over 30 IoT devices and demonstrates a detection rate of 95.6% with zero false alarms. This significant result is achieved with an average detection latency of 257 milliseconds, showcasing the system's efficiency.

System Model

The architecture of DÏoT consists of two main components: the Security Gateway and the IoT Security Service. The Security Gateway acts as a local monitor and performs initial anomaly detection, while the IoT Security Service aggregates and updates global models. These components work together to identify abnormal communication patterns indicative of malware like Mirai.
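The following is an added example, not code from the paper or from the DÏoT project, illustrating the division of labour described under Key Contributions and System Model: each Security Gateway learns a device-type-specific profile from its own (sparse) traffic and ships only model statistics, never packets, to the IoT Security Service, which aggregates them into a global profile that the gateways then use for detection. The page does not describe DÏoT's actual model, so a first-order Markov chain over coarse packet symbols stands in for it; the symbol alphabet, the traffic, the per-transition probability floor `P_MIN`, the window alarm rate `ALARM_RATE` and the count-merging aggregation rule are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed traffic for one device type (say, a camera). Each packet is reduced to a
# coarse symbol ("dns", "tls_out", "tls_in", "ntp"). Gateway A's network only ever shows
# the TLS cycle; gateway B's network also shows periodic NTP. Neither alone sees everything.
GATEWAY_A_TRAFFIC = ["dns", "tls_out", "tls_in", "tls_out", "tls_in"] * 4
GATEWAY_B_TRAFFIC = ["ntp", "dns", "tls_out", "tls_in"] * 5

P_MIN = 0.05       # assumed: a transition less likely than this counts as an anomalous packet
ALARM_RATE = 0.25  # assumed: alarm when more than 25% of a window's packets are anomalous


def local_update(packets):
    """Run on a Security Gateway: count symbol transitions for one device type.
    Only these counts (the model update) leave the local network."""
    counts = defaultdict(Counter)
    for prev, cur in zip(packets, packets[1:]):
        counts[prev][cur] += 1
    return counts


def aggregate(updates):
    """Run by the IoT Security Service: merge the gateways' counts into one global
    profile. Merging counts weights each gateway by how often it observed each state,
    so a state seen by only one gateway keeps that gateway's distribution."""
    merged = defaultdict(Counter)
    for counts in updates:
        for prev, nxt in counts.items():
            merged[prev].update(nxt)
    return merged


def transition_prob(model, prev, cur):
    """Probability of prev -> cur under a profile; 0.0 for never-seen states or transitions."""
    row = model.get(prev)
    if not row:
        return 0.0
    return row[cur] / sum(row.values())


def anomaly_fraction(model, window):
    """Fraction of packets in a window whose transition falls below P_MIN."""
    transitions = list(zip(window, window[1:]))
    if not transitions:
        return 0.0
    flagged = sum(1 for prev, cur in transitions if transition_prob(model, prev, cur) < P_MIN)
    return flagged / len(transitions)


def is_anomalous(model, window):
    """Gateway-side decision for one window of traffic."""
    return anomaly_fraction(model, window) > ALARM_RATE


# Local profile of gateway A alone, and the global profile after federated aggregation.
LOCAL_MODEL_A = local_update(GATEWAY_A_TRAFFIC)
GLOBAL_MODEL = aggregate([LOCAL_MODEL_A, local_update(GATEWAY_B_TRAFFIC)])

# Constructed test windows: ordinary traffic, traffic in gateway B's style arriving at
# gateway A, and a Mirai-style burst of outbound telnet probes ("scan_23", "scan_2323").
BENIGN_WINDOW = ["tls_in", "dns", "tls_out", "tls_in", "tls_out", "tls_in", "ntp", "dns"]
CROSS_SITE_WINDOW = ["tls_in", "ntp", "dns", "tls_out", "tls_in", "ntp", "dns", "tls_out"]
SCAN_WINDOW = ["dns", "tls_out", "scan_23", "scan_23", "scan_2323", "scan_23", "tls_in"]

if __name__ == "__main__":
    for name, window in [("benign", BENIGN_WINDOW), ("cross-site", CROSS_SITE_WINDOW),
                         ("scan", SCAN_WINDOW)]:
        print(f"{name:10s} local-A alarm={is_anomalous(LOCAL_MODEL_A, window)!s:5} "
              f"global alarm={is_anomalous(GLOBAL_MODEL, window)!s:5} "
              f"global anomalous fraction={anomaly_fraction(GLOBAL_MODEL, window):.2f}")
```

The cross-site window is the point of the example: gateway A's local profile never saw NTP, so on its own it would raise a false alarm on perfectly normal behaviour, whereas the aggregated profile accepts it while still flagging the scan burst (five of six transitions unseen). Sharing counts rather than packets is what lets the service build a profile from data that is sparse at any single site.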

Adversary Model

The adversary is presumed to be IoT malware capable of scanning for, exploiting, and launching attacks from vulnerable devices. The system assumes non-malicious manufacturers, uncompromised Security Gateways, and the availability of an automated device-identification mechanism; these assumptions bound the threats the defense is designed to handle.

Challenges and Solutions

The paper identifies several challenges inherent to IoT anomaly detection, such as device heterogeneity, resource limitations, and scarce communication. DÏoT addresses these challenges with its autonomous self-learning capability and its federated learning approach, which together yield minimal false alarms and accurate detection even with limited local data.

Implications and Future Work

The introduction of a federated learning approach to IoT security bears significant implications. It provides a scalable solution that can adapt to the growing and diverse landscape of IoT devices. The results imply practical applicability in real-world scenarios without overwhelming users with false alarms.

Future work may focus on extending DÏoT's capabilities to address more sophisticated adversarial attacks and incorporate evolving IoT device functionalities. Additionally, exploring the integration of more advanced federated learning techniques could further enhance the system's robustness and efficiency.

Conclusion

The paper provides a well-founded approach to IoT security, effectively combining self-learning anomaly detection and federated learning. The proposed system, DÏoT, is shown to be effective against known malware like Mirai and adaptable to emerging threats, making it a promising solution in the field of IoT security.