Authors:
Vishwajeet Bhosale ¹; Lorenzo de Carli ² and Indrakshi Ray ¹
Affiliations:
¹ Colorado State University, Fort Collins, CO 80523, U.S.A.; ² Worcester Polytechnic Institute, Worcester, MA 01609, U.S.A.
Keyword(s):
IoT Security, IoT Traffic Classification, IoT Privacy.
Abstract:
Home IoT devices suffer from poor security and are easy for unskilled attackers to commandeer. Since most IoT devices cannot run host-based detection, detecting compromise via analysis of network traffic is in many cases the only viable option. Unfortunately, traditional Deep Packet Inspection techniques are not applicable: many IoT devices encrypt their traffic, and common attacks (e.g., credential stuffing) cannot be described via signatures. Anomaly detection on traffic features, while effective at identifying egregious misbehavior (e.g., a DDoS), cannot identify privacy violations, where an attacker triggers legitimate functions (e.g., streaming video, unlocking a door) without the user's consent. In this paper, we propose a novel anomaly detection technique based on the analysis of user activities. Our approach builds a model to identify user-performed activities on the device from packet sequences, and uses unsupervised learning to identify deviations from normal user behavior in activity sequences. Thus, it can flag situations where an attacker misuses an IoT device, even when such attacks do not involve protocol-level exploits and do not result in significant anomalies in traffic-level features. Preliminary results show that our approach can effectively map device traffic to activities, and suggest that such activities can be used to distinguish malicious and benign users.