DOI: 10.1145/3407023.3409201

Clust-IT: clustering-based intrusion detection in IoT environments

Published: 25 August 2020

Abstract

Low-powered and resource-constrained devices are forming a greater part of our smart networks. For this reason, they have recently been the target of various cyber-attacks. However, these devices often cannot implement traditional intrusion detection systems (IDS), or they cannot produce or store the audit trails needed for inspection. Therefore, it is often necessary to adapt existing IDS and malware detection approaches to cope with these constraints.
We explore the application of unsupervised learning techniques, specifically clustering, to develop a novel IDS for networks composed of low-powered devices. We describe our solution, called Clust-IT (Clustering of IoT), which manages heterogeneous data collected from cooperative and distributed networks of connected devices and searches these data for indicators of compromise while remaining protocol agnostic. We outline a novel application of OPTICS to various available IoT datasets, composed of both packet and flow captures, to demonstrate the capabilities of the proposed techniques and evaluate their feasibility for developing an IoT IDS.


Cited By

  • CADeSH: Collaborative Anomaly Detection for Smart Homes. IEEE Internet of Things Journal 10(10), 8514-8532 (2023). DOI: 10.1109/JIOT.2022.3194813. Online publication date: 15 May 2023.
  • An optimized ensemble prediction model using AutoML based on soft voting classifier for network intrusion detection. Journal of Network and Computer Applications 212, 103560 (2023). DOI: 10.1016/j.jnca.2022.103560. Online publication date: March 2023.
  • Oppositional chaos game optimization based clustering with trust based data transmission protocol for intelligent IoT edge systems. Journal of Parallel and Distributed Computing (2022). DOI: 10.1016/j.jpdc.2022.03.008. Online publication date: March 2022.

Published In

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
August 2020
1073 pages
ISBN:9781450388337
DOI:10.1145/3407023
Program Chairs: Melanie Volkamer, Christian Wressnegger

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

ARES 2020

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (last 12 months): 13
  • Downloads (last 6 weeks): 1
Reflects downloads up to 25 Feb 2025

Citations

  • An Ensemble of Prediction and Learning Mechanism for Improving Accuracy of Anomaly Detection in Network Intrusion Environments. Sustainability 13(18), 10057 (2021). DOI: 10.3390/su131810057. Online publication date: 8 September 2021.
