research-article

Clust-IT: clustering-based intrusion detection in IoT environments

Authors:

Robert P. Markiewicz,

Daniele SgandurraAuthors Info & Claims

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Article No.: 81, Pages 1 - 9

https://doi.org/10.1145/3407023.3409201

Published: 25 August 2020 Publication History

Abstract

Low-powered and resource-constrained devices are forming a greater part of our smart networks. For this reason, they have recently been the target of various cyber-attacks. However, these devices often cannot implement traditional intrusion detection systems (IDS), or they can not produce or store the audit trails needed for inspection. Therefore, it is often necessary to adapt existing IDS systems and malware detection approaches to cope with these constraints.

We explore the application of unsupervised learning techniques, specifically clustering, to develop a novel IDS for networks composed of low-powered devices. We describe our solution, called Clust-IT (Clustering of IoT), to manage heterogeneous data collected from cooperative and distributed networks of connected devices and searching these data for indicators of compromise while remaining protocol agnostic. We outline a novel application of OPTICS to various available IoT datasets, composed of both packet and flow captures, to demonstrate the capabilities of the proposed techniques and evaluate their feasibility in developing an IoT IDS.

References

[1]

Abiodun, O. I., Jantan, A., Omolara, A. E., Dada, K. V., Mohamed, N. A., and Arshad, H. State-of-the-art in artificial neural network applications: A survey. Heliyon 4, 11 (2018), e00938.

[2]

Airehrour, D., Gutierrez, J., and Ray, S. K. A lightweight trust design for iot routing. In 2016 IEEE 14th Intl Conf on Dependable, Autonomic and Secure Computing, 14th Intl Conf on Pervasive Intelligence and Computing, 2nd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech) (2016), IEEE, pp. 552--557.

[3]

Al-Garadi, M. A., Mohamed, A., Al-Ali, A., Du, X., Ali, I., and Guizani, M. A survey of machine and deep learning methods for internet of things (iot) security. IEEE Communications Surveys Tutorials (2020), 1--1.

[4]

Angrishi, K. Turning internet of things (iot) into internet of vulnerabilities (iov):Iot botnets. arXiv preprint arXiv:1702.03681 (2017).

[5]

Ankerst, M., Breunig, M. M., Kriegel, H.-P., and Sander, J. Optics: Ordering points to identify the clustering structure. In Proceedings of the 1999 ACM SIGMOD International Conference on Management of Data (New York, NY, USA, 1999), SIGMOD '99, ACM, pp. 49--60.

[6]

Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J. A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., and Zhou, Y. Understanding the mirai botnet. In USENIX Security Symposium (2017).

Digital Library

[7]

Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., and Kirda, E. Scalable, behavior-based malware clustering. In NDSS (2009), vol. 9, Citeseer, pp. 8--11.

[8]

Bertino, E., and Islam, N. Botnets and internet of things security. Computer, 2 (2017), 76--79.

Digital Library

[9]

Breitenbacher, D., Homoliak, I., Aung, Y. L., Tippenhauer, N. O., and Elovici, Y. Hades-iot: A practical host-based anomaly detection system for iot devices (extended version). arXiv preprint arXiv:1905.01027 (2019).

[10]

Breunig, M. M., Kriegel, H.-P., Ng, R. T., and Sander, J. Lof: Identifying density-based local outliers. In Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data (New York, NY, USA, 2000), SIGMOD '00, ACM, pp. 93--104.

Digital Library

[11]

Britz, D., Goldie, A., Luong, M.-T., and Le, Q. Massive exploration of neural machine translation architectures. arXiv preprint arXiv:1703.03906 (2017).

[12]

Buitinck, L., Louppe, G., Blondel, M., Pedregosa, F., Mueller, A., Grisel, O., Niculae, V., Prettenhofer, P., Gramfort, A., Grobler, J., Layton, R., VanderPlas, J., Joly, A., Holt, B., and Varoqaux, G. API design for machine learning software: experiences from the scikit-learn project. In ECML PKDD Workshop: Languages for Data Mining and Machine Learning (2013), pp. 108--122.

[13]

Cho, K., Van Merriënboer, B., Gulcehre, C., Bahdanau, D., Bougares, F., Schwenk, H., and Bengio, Y. Learning phrase representations using rnn encoder-decoder for statistical machine translation. arXiv preprint arXiv:1406.1078 (2014).

[14]

Emerson, S., Choi, Y.-K., Hwang, D.-Y., Kim, K.-S., and Kim, K.-H. An oauth based authentication mechanism for iot networks. In 2015 International Conference on Information and Communication Technology Convergence (ICTC) (2015), IEEE, pp. 1072--1074.

[15]

Esfahani, A., Mantas, G., Matischek, R., Saghezchi, F. B., Rodriguez, J., Bicaku, A., Maksuti, S., Tauber, M. G., Schmittner, C., and Bastos, J. A lightweight authentication mechanism for m2m communications in industrial iot environment. IEEE Internet of Things Journal 6, 1 (2017), 288--296.

[16]

Gers, F. A., Schmidhuber, J., and Cummins, F. Learning to forget: continual prediction with lstm. In 1999 Ninth International Conference on Artificial Neural Networks ICANN 99. (Conf. Publ. No. 470) (1999), vol. 2, pp. 850--855 vol. 2.

[17]

Gu, G., Perdisci, R., Zhang, J., and Lee, W. Botminer: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the 17th Conference on Security Symposium (USA, 2008), SS'08, USENIX Association, p. 139--154.

[18]

Hafeez, I., Antikainen, M., Ding, A. Y., and Tarkoma, S. Iot-keeper: Detecting malicious iot network activity using online traffic analysis at the edge. IEEE Transactions on Network and Service Management 17, 1 (2020), 45--59.

Digital Library

[19]

Hamza, A., Gharakheili, H. H., Benson, T. A., and Sivaraman, V. Detecting volumetric attacks on lot devices via sdn-based monitoring of mud activity. In Proceedings of the 2019 ACM Symposium on SDN Research (2019), ACM, pp. 36--48.

Digital Library

[20]

Jordaney, R., Sharad, K., Dash, S. K., Wang, Z., Papini, D., Nouretdinov, I., and Cavallaro, L. Transcend: Detecting concept drift in malware classification models. In 26th USENIX Security Symposium '17 (Vancouver, BC, Aug. 2017), USENIX Association, pp. 625--642.

[21]

Kasinathan, P., Pastrone, C., Spirito, M. A., and Vinkovits, M. Denial-of-service detection in 6lowpan based internet of things. In 2013 IEEE 9th international conference on wireless and mobile computing, networking and communications (WiMob) (2013), IEEE, pp. 600--607.

[22]

Kolias, C., Kambourakis, G., Stavrou, A., and Voas, J. Ddos in the iot: Mirai and other botnets. Computer 50, 7 (2017), 80--84.

Digital Library

[23]

Koroniotis, N., Moustafa, N., Sitnikova, E., and Turnbull, B. Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-iot dataset, 2018.

[24]

Krebs, B. KrebsOnSecurity Hit With Record DDos, 2016.

[25]

Kumar, D., Shen, K., Case, B., Garg, D., Alperovich, G., Kuznetsov, D., Gupta, R., and Durumeric, Z. All things considered: an analysis of IoT devices on home networks. In 28th USENIX Security Symposium '19 (2019), pp. 1169--1185.

[26]

Lab, K. New iot-malware grew three-fold in h1 2018. https://www.kaspersky.com/about/press-releases/2018_new-iot-malware-grew-three-fold-in-h1--2018, 2017. Accessed: 2019-10-18.

[27]

Lab, K. Iot under fire: Kaspersky detects more than 100 million attacks on smart devices in h1 2019. https://www.kaspersky.com/about/press-releases/2019_iot-under-fire-kaspersky-detects-more-than-100-million-attacks-on-smart-devices-in-h1--2019, 2019. Accessed: 2019-10-18.

[28]

Leondes, C. T. Expert systems: the technology of knowledge management and decision making for the 21st century. Elsevier, 2001.

[29]

Lloyd, S. Least squares quantization in pcm. IEEE transactions on information theory 28, 2 (1982), 129--137.

Digital Library

[30]

Mehta, R., and Parmar, M. Trust based mechanism for securing iot routing protocol rpl against wormhole & grayhole attacks. In 2018 3rd International Conference for Convergence in Technology (I2CT) (2018), IEEE, pp. 1--6.

[31]

Midi, D., Rullo, A., Mudgerikar, A., and Bertino, E. Kalis---a system for knowledge-driven adaptable intrusion detection for the internet of things. In 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS) (2017), IEEE, pp. 656--666.

[32]

Mirsky, Y., Doitshman, T., Elovici, Y., and Shabtai, A. Kitsune: an ensemble of autoencoders for online network intrusion detection. arXiv preprint arXiv:1802.09089 (2018).

[33]

Nguyen, T. D., Marchal, S., Miettinen, M., Fereidooni, H., Asokan, N., and Sadeghi, A.-R. Dïot: A federated self-learning anomaly detection system for iot. In 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS) (2019), IEEE, pp. 756--767.

[34]

Pearson, K. Liii. on lines and planes of closest fit to systems of points in space. The London, Edinburgh, and Dublin Philosophical Magazine and Journal of Science 2, 11 (1901), 559--572.

[35]

Pei, J., Hu, Y., and Xie, W. Pca-based visualization of terahertz time-domain spectroscopy image. In MIPPR 2007: Multispectral Image Processing (2007), vol. 6787, International Society for Optics and Photonics, p. 67871M.

[36]

Pelleg, D., Moore, A. W., et al. X-means: Extending k-means with efficient estimation of the number of clusters. In Icml (2000), vol. 1, pp. 727--734.

Digital Library

[37]

Perdisci, R., Lee, W., and Feamster, N. Behavioral clustering of http-based malware and signature generation using malicious network traces. In NSDI (2010), vol. 10, p. 14.

[38]

Raza, S., Wallgren, L., and Voigt, T. Svelte: Real-time intrusion detection in the internet of things. Ad hoc networks 11, 8 (2013), 2661--2674.

[39]

Sivanathan, A., Gharakheili, H. H., Loi, F., Radford, A., Wijenayake, C., Vishwanath, A., and Sivaraman, V. Classifying iot devices in smart environments using network traffic characteristics. IEEE Transactions on Mobile Computing 18, 8 (2019), 1745--1759.

[40]

Sivanathan, A., Gharakheili, H. H., and Sivaraman, V. Inferring iot device types from network behavior using unsupervised clustering. In 2019 IEEE 44th Conference on Local Computer Networks (LCN) (2019), pp. 230--233.

[41]

Soltan, S., Mittal, P., and Poor, H. V. Blackiot: Iot botnet of high wattage devices can disrupt the power grid. In 27th USENIX Security Symposium '18 (2018), pp. 15--32.

[42]

Tschandl, P., Codella, N., Akay, B. N., Argenziano, G., Braun, R. P., Cabo, H., Gutman, D., Halpern, A., Helba, B., Hofmann-Wellenhof, R., Lallas, A., Lapins, J., Longo, C., Malvehy, J., Marchetti, M. A., Marghoob, A., Menzies, S., Oakley, A., Paoli, J., Puig, S., Rinner, C., Rosendahl, C., Scope, A., Sinz, C., Soyer, H. P., Thomas, L., Zalaudek, I., and Kittler, H. Comparison of the accuracy of human readers versus machine-learning algorithms for pigmented skin lesion classification: an open, web-based, international, diagnostic study. The Lancet Oncology 20, 7 (2019), 938--947.

[43]

Weiss, G., Goldberg, Y., and Yahav, E. On the practical computational power of finite precision rnns for language recognition. arXiv preprint arXiv:1805.04908 (2018).

[44]

Wicherski, G. pehash: A novel approach to fast malware clustering. LEET 9 (2009), 8.

[45]

Zhang, C., and Green, R. Communication security in internet of thing: preventive measure and avoid ddos attack over iot network. In Proceedings of the 18th Symposium on Communications & Networking (2015), Society for Computer Simulation International, pp. 8--15.

Cited By

Meidan YAvraham DLibhaber HShabtai A(2023)CADeSH: Collaborative Anomaly Detection for Smart HomesIEEE Internet of Things Journal10.1109/JIOT.2022.319481310:10(8514-8532)Online publication date: 15-May-2023
https://doi.org/10.1109/JIOT.2022.3194813
Khan MIqbal NImran Jamil HKim D(2023)An optimized ensemble prediction model using AutoML based on soft voting classifier for network intrusion detectionJournal of Network and Computer Applications10.1016/j.jnca.2022.103560212(103560)Online publication date: Mar-2023
https://doi.org/10.1016/j.jnca.2022.103560
Padmaa MJayasankar TVenkatraman SDutta AGupta DShamshirband SRodrigues J(2022)Oppositional chaos game optimization based clustering with trust based data transmission protocol for intelligent IoT edge systemsJournal of Parallel and Distributed Computing10.1016/j.jpdc.2022.03.008Online publication date: Mar-2022
https://doi.org/10.1016/j.jpdc.2022.03.008
Show More Cited By

Recommendations

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
Detecting, validating and characterizing computer infections in the wild
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference

Although network intrusion detection systems (IDSs) have been studied for several years, their operators are still overwhelmed by a large number of false-positive alerts. In this work we study the following problem: from a large archive of intrusion ...
A Survey on Intrusion Detection and Prevention Systems
Abstract
In the digital world, malicious activities that violate the confidentiality, integrity, or availability of data and devices are known as intrusions. An intrusion detection system (IDS) analyses the activities of a single system or a network to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

August 2020

1073 pages

ISBN:9781450388337

DOI:10.1145/3407023

Program Chairs:
Melanie Volkamer
Karlsruhe Institute of Technologie (KIT), Competence Center for Applied Security Technology (KASTEL)
,
Christian Wressnegger
Karlsruhe Institute of Technologie (KIT), Competence Center for Applied Security Technology (KASTEL)

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 August 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Engineering and Physical Sciences Research Council

Conference

ARES 2020

ARES 2020: The 15th International Conference on Availability, Reliability and Security

August 25 - 28, 2020

Virtual Event, Ireland

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
186
Total Downloads

Downloads (Last 12 months)13
Downloads (Last 6 weeks)1

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Meidan YAvraham DLibhaber HShabtai A(2023)CADeSH: Collaborative Anomaly Detection for Smart HomesIEEE Internet of Things Journal10.1109/JIOT.2022.319481310:10(8514-8532)Online publication date: 15-May-2023
https://doi.org/10.1109/JIOT.2022.3194813
Khan MIqbal NImran Jamil HKim D(2023)An optimized ensemble prediction model using AutoML based on soft voting classifier for network intrusion detectionJournal of Network and Computer Applications10.1016/j.jnca.2022.103560212(103560)Online publication date: Mar-2023
https://doi.org/10.1016/j.jnca.2022.103560
Padmaa MJayasankar TVenkatraman SDutta AGupta DShamshirband SRodrigues J(2022)Oppositional chaos game optimization based clustering with trust based data transmission protocol for intelligent IoT edge systemsJournal of Parallel and Distributed Computing10.1016/j.jpdc.2022.03.008Online publication date: Mar-2022
https://doi.org/10.1016/j.jpdc.2022.03.008
Imran Jamil FKim D(2021)An Ensemble of Prediction and Learning Mechanism for Improving Accuracy of Anomaly Detection in Network Intrusion EnvironmentsSustainability10.3390/su13181005713:18(10057)Online publication date: 8-Sep-2021
https://doi.org/10.3390/su131810057

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten