Researchers at Princeton just published a set of encouraging results showing that real-time detection of IoT DDoS attacks is possible using machine learning techniques. The Princeton team decided to focus on detecting IoT DDoS attacks because of their recent surge in popularity, and the potential for machine learning to identify this kind of malicious Internet traffic.
The team built a machine learning pipeline, which performs multiple functions, including data collection, feature extraction and binary classification of IoT traffic. They designed the pipeline so that it can be operated on network middleboxes, such as servers, firewalls and routers.
The ML system captures the traffic moving through the middlebox by noting its source IP address, source port, destination IP address, destination port, packet size, and the timestamp of all IP packets sent from smart home devices. Following the feature capture, the system separates the packets by source IP address and non-overlapping time windows.
The system generates two kinds of features for each packet:
- Stateless (packet size, inter-packet interval, and protocol)
- Stateful (bandwidth, IP destination address cardinality and novelty).
The Princeton team tested five different machine learning algorithms to separate normal IoT packets from DoS attack packets.
The system was deployed on an experimental consumer IoT device network, and the team was delighted with its results. “Our classifiers successfully identify attack traffic with an accuracy higher than 0.999. We found that random forest, K-nearest neighbors, and neural net classifiers were particularly effective,” they noted.
They found that the stateless features significantly outperformed the stateful features, allowing them to determine that “real-time anomaly detection of IoT attack traffic may be practical because the stateless features are lightweight and derived from network-flow attributes.” However, stateful features did help improve the accuracy of the overall results.
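The feature-extraction stage described above (per-source grouping into non-overlapping time windows, stateless per-packet features, stateful per-window features), as an added illustration that is not code from the Princeton team. The packet records are constructed, and the exact definitions of bandwidth (bits per second over the window) and novelty (destinations this source has not contacted in any earlier window) are assumptions.

```python
from collections import defaultdict

# Constructed packet metadata records, as a middlebox might log them:
# (timestamp_seconds, src_ip, dst_ip, dst_port, packet_size_bytes, protocol)
PACKETS = [
    (0.00, "10.0.0.5", "203.0.113.10", 443, 900, "TCP"),   # ordinary device traffic
    (0.40, "10.0.0.5", "203.0.113.10", 443, 1200, "TCP"),
    (1.10, "10.0.0.5", "203.0.113.11", 123, 76, "UDP"),
    (1.80, "10.0.0.5", "203.0.113.10", 443, 880, "TCP"),
    (2.00, "10.0.0.7", "198.51.100.1", 80, 60, "TCP"),     # burst: tiny, rapid, many destinations
    (2.01, "10.0.0.7", "198.51.100.2", 80, 60, "TCP"),
    (2.02, "10.0.0.7", "198.51.100.3", 80, 60, "TCP"),
    (2.03, "10.0.0.7", "198.51.100.4", 80, 60, "TCP"),
    (3.00, "10.0.0.7", "198.51.100.5", 80, 60, "TCP"),
    (3.01, "10.0.0.7", "198.51.100.1", 80, 60, "TCP"),
]

def stateless_features(packets):
    """Per-packet features: only the previous packet of the same source is needed."""
    last_seen = {}
    rows = []
    for ts, src, dst, dport, size, proto in sorted(packets):
        interval = ts - last_seen.get(src, ts)   # 0.0 for a source's first packet
        last_seen[src] = ts
        rows.append({"src": src, "ts": ts, "size": size,
                     "interval": round(interval, 3), "proto": proto})
    return rows

def stateful_features(packets, window=1.0):
    """Per (source, window) features over non-overlapping windows of `window` seconds."""
    windows = defaultdict(list)
    for pkt in sorted(packets):
        ts, src = pkt[0], pkt[1]
        windows[(src, int(ts // window))].append(pkt)
    seen = defaultdict(set)   # destinations contacted by each source in earlier windows
    out = {}
    for key in sorted(windows):            # sorted by source, then window index
        src, _ = key
        pkts = windows[key]
        dsts = {p[2] for p in pkts}
        novel = dsts - seen[src]
        seen[src] |= dsts
        out[key] = {
            "bandwidth_bps": sum(p[4] for p in pkts) * 8 / window,
            "dst_cardinality": len(dsts),
            "dst_novelty": len(novel),
        }
    return out
```

The stateless rows carry no cross-window state, which is why they are cheap enough for an in-line middlebox; the stateful dictionary must remember every destination a source has contacted.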
The team next want to experiment to see if they get similar results with normal traffic from additional IoT devices and with attack traffic recorded from an actual DDoS attack. They also want to try out additional features and more sophisticated ML techniques.
The Princeton researchers were not yet able to come up with a solution for what to do once an owner realizes their IoT device is part of a DDoS attack.
“Simply cutting the device off from the network might not be feasible, especially if the device is essential (e.g. a blood sugar monitor or a home water pump), because many smart devices do not retain basic functionality without network connectivity. Notifying the user is an option, but many users of home IoT devices will be unequipped to perform device maintenance beyond powering off or disconnecting the device,” they said.