There are two classes of features relevant to differentiating between normal and attack IoT traffic: stateless features, which are derived from flow-independent characteristics of individual packets, and stateful features, which capture how network traffic changes over time. Applying domain knowledge about IoT device behavior to feature engineering can improve DoS detection performance. Real-time anomaly detection of IoT attack traffic is practical in particular because stateless features are lightweight and come directly from per-packet network attributes.
Stateless Features:
Packet Size: The distribution of packet size differs dramatically between attack and normal traffic. Normal packets range from 100 to 1,200 bytes, while the great majority of attack packets are under 100 bytes. When an attacker conducts a denial-of-service attack, s/he is attempting to open as many connection requests as possible in order to exhaust the targeted server's resources. Therefore, the attacker keeps packets as small as possible in order to maximize the number of connection requests per second.
Inter-packet Interval: Most normal packets are sent at regular intervals with some time between packets. Most DoS attack traffic, however, has close to zero inter-packet intervals and high first and second derivatives of the inter-packet interval.
Protocol: Normal and DoS attack traffic also differ in protocol distribution. UDP packets outnumber TCP packets in normal traffic by an average factor of three because of UDP video streaming. In attack traffic, TCP packets outnumber UDP packets by almost the same ratio. Furthermore, attack traffic includes fewer protocols overall.
Stateless features are generated without splitting the incoming traffic stream by IP source, making them the most lightweight.
Stateful Features:
Bandwidth: Bandwidth usage can be employed to characterize the network traffic patterns of IoT devices. There are typically minor distributional differences in bandwidth usage between the normal and attack traffic.
IP Destination Address Cardinality and Novelty: IoT devices are characterized by the small number of endpoints with which they communicate; for example, a WeMo smart switch only communicates with four endpoints for four specific reasons: for activation or deactivation from the cloud, to retrieve firmware updates, or to log its status. IoT device traffic is also characterized by the fact that the set of destination IP addresses changes infrequently over time. Attack traffic, in contrast, generally contacts a much larger number of endpoints. This distributional difference can help differentiate normal from attack IoT traffic.
There is inherent overhead in generating stateful features, as the network traffic needs to be divided into streams by device and the per-device streams need to be divided into time windows. The time windows serve as a simple time-series representation of the devices’ evolving network behavior.
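The following is an added example, not code from the original text, showing how both feature classes described above could be computed from a constructed packet trace: stateless features are derived per packet over the undivided stream, while stateful features first split the stream by device and then by fixed time window. The Packet record, the field names, the IP addresses and the traffic sizes are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):
    """One captured packet (hypothetical record; constructed, not a real capture)."""
    ts: float    # capture time in seconds
    src: str     # source IP (the IoT device)
    dst: str     # destination IP
    proto: str   # "TCP" or "UDP"
    size: int    # bytes on the wire

def stateless_features(pkts):
    """Per-packet features over the undivided stream: size, protocol,
    inter-packet interval (IAT) and its first and second differences."""
    rows, prev_ts, prev_iat, prev_d1 = [], None, None, None
    for p in pkts:
        iat = 0.0 if prev_ts is None else p.ts - prev_ts
        d1 = 0.0 if prev_iat is None else iat - prev_iat
        d2 = 0.0 if prev_d1 is None else d1 - prev_d1
        rows.append({"size": p.size, "is_tcp": int(p.proto == "TCP"),
                     "iat": iat, "iat_d1": d1, "iat_d2": d2})
        prev_ts, prev_iat, prev_d1 = p.ts, iat, d1
    return rows

def stateful_features(pkts, window=10.0):
    """Per-device, per-window features: bandwidth (bytes/s), destination
    cardinality, and novelty (destinations the device never contacted before)."""
    by_dev = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        by_dev[p.src].append(p)
    out = {}
    for dev, stream in by_dev.items():
        windows, seen, feats = defaultdict(list), set(), []
        for p in stream:
            windows[int(p.ts // window)].append(p)
        for w in sorted(windows):
            dsts = {p.dst for p in windows[w]}
            feats.append({"window": w,
                          "bandwidth": sum(p.size for p in windows[w]) / window,
                          "dst_cardinality": len(dsts),
                          "dst_novelty": len(dsts - seen)})
            seen |= dsts
        out[dev] = feats
    return out

# Constructed sample: 10 s of streaming-like UDP traffic to two endpoints,
# then a burst of small TCP packets at ~1 ms spacing toward 20 distinct endpoints.
NORMAL = [Packet(i * 1.0, "10.0.0.5", "203.0.113.1%d" % (i % 2), "UDP", 600 + 50 * (i % 3)) for i in range(10)]
FLOOD = [Packet(10.0 + i * 0.001, "10.0.0.5", "198.51.100.%d" % (i % 20), "TCP", 60) for i in range(50)]
```

Running stateless_features over NORMAL + FLOOD shows the size, protocol and IAT shift described above, while stateful_features for device 10.0.0.5 shows destination cardinality and novelty jumping from 2 to 20 between the two windows.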