The number of devices connected to the Internet has grown rapidly in recent years, and the heterogeneity and security of these devices pose serious challenges to asset management and maintenance. The heterogeneity and security of IoT devices need to be addressed through device type identification and anomaly detection methods. Mainstream IoT device type identification works mostly exploit supervised machine learning or deep learning, which require a large number of samples for training. In practice, among the large number of IoT devices there are novel devices that have never appeared before, which cannot be effectively identified by a supervised mechanism. At the same time, some IoT devices such as smart desk lamps and smoke alarms generate too little traffic to be used for training deep learning models. In addition, mainstream IoT device anomaly detection works often extract a large number of features to train models; these approaches are costly, and most of the features are useless.

To meet these practical needs, we study type identification and anomaly detection methods for IoT devices and design a complete monitoring solution for IoT device assets, which can still achieve high-accuracy identification of device types in the case of few samples and can identify novel devices. At the same time, it can extract appropriate features from many aspects to distinguish normal traffic from abnormal traffic. The specific research work and contributions include:

(1) We collect normal historical traffic datasets of IoT devices from different sources. The first is traffic of IoT terminals from an electric power company, collected in the actual working environment and used to establish a labeled dataset. The second is traffic of consumer IoT devices collected in an experimental environment. The third comes from public research datasets.

(2) We propose IoT-Siamese, an IoT device type identification method based on a siamese network, for the problems of few-shot learning and novel device identification. Following the basic process of device type identification, we first extract the original character features of the flow, then design and improve the siamese network model to be suitable for multi-classification tasks and propose a new dataset generation strategy, and finally conduct experiments on normal traffic datasets from different sources. The results show that IoT-Siamese has better classification performance than other identification works in the case of few samples, especially for devices that generate less traffic, and can solve the problem of novel device identification well.

(3) We propose IoT-MFF, an IoT device anomaly detection method based on multi-feature fusion, to address the problem that existing works extract a large number of features, which leads to high cost while most of the features are useless. First, we design an experiment to explore the impact of IoT malicious attacks on IoT device type identification performance, then mine the unique patterns in the normal historical traffic of IoT devices, including traffic volume, period, and distribution of header field values. We then use a time window to cut the traffic into samples and extract multiple features from each window in three aspects: statistical features, information entropy features, and wavelet decomposition coefficient features. The results show that IoT-MFF has higher detection accuracy and better real-time performance.
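The windowed feature extraction described in contribution (3), sketched as an added example; it is not the authors' IoT-MFF implementation. The packet tuple layout, the 16-second window, the use of destination port as the header field, and the Haar wavelet are all assumptions made for illustration, and the sample packets are constructed.

```python
import math
from collections import Counter

# Constructed sample packets: (timestamp_s, size_bytes, dst_port).
# A periodic device sends one packet per second, then a constructed burst
# to many different ports appears in the second window.
PACKETS = [(float(t), 100, 8883) for t in range(16)]
PACKETS += [(20.0 + i * 0.125, 60, 1000 + i) for i in range(32)]

def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of header field values."""
    n = len(values)
    return sum(c / n * math.log2(n / c) for c in Counter(values).values())

def haar_energies(series):
    """Energy of the Haar detail coefficients per level (length: power of 2)."""
    energies, approx = [], list(series)
    while len(approx) > 1:
        pairs = list(zip(approx[0::2], approx[1::2]))
        energies.append(sum(((a - b) / math.sqrt(2)) ** 2 for a, b in pairs))
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return energies

def window_features(packets, start, width=16.0, bins=16):
    """Statistical, entropy and wavelet features for one time window."""
    win = [p for p in packets if start <= p[0] < start + width]
    sizes = [p[1] for p in win]
    mean = sum(sizes) / max(len(sizes), 1)
    var = sum((s - mean) ** 2 for s in sizes) / max(len(sizes), 1)
    # Bytes per sub-interval: the traffic-volume signal fed to the wavelet.
    volume = [0.0] * bins
    for ts, size, _ in win:
        volume[min(int((ts - start) / width * bins), bins - 1)] += size
    return {
        "pkt_count": len(win),
        "mean_size": mean,
        "std_size": math.sqrt(var),
        "port_entropy": shannon_entropy([p[2] for p in win]),
        "haar_energy": haar_energies(volume),
    }

def extract(packets, width=16.0):
    """Cut the capture into consecutive windows and featurize each one."""
    if not packets:
        return []
    t0, t1 = min(p[0] for p in packets), max(p[0] for p in packets)
    n = int((t1 - t0) // width) + 1
    return [window_features(packets, t0 + i * width, width) for i in range(n)]
```

On the constructed data, the periodic window has zero port entropy and zero wavelet detail energy, while the burst window shows 5 bits of port entropy and energy concentrated in the coarse wavelet levels.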