Anomaly Detection in IoT networks

In the past few years there has been ad hoc growth in IoT networks, unlike the regulated incorporation of enterprise ethernet or Wi-Fi infrastructure. The old infrastructure took a long time to grow and multiple generations to stabilize to the technology that we have today. Then, we had the luxury of time to implement the necessary checks and balances. This is very unlike the mushroom growth of the IoT networks. These networks are being included in enterprise networks on a need and convenience basis but are slowly becoming indispensable. Hence, the security aspect of intrusion detection and prevention is generally an afterthought.
The problem compounds the heterogeneity of these IoT networks. There are a multitude of available solutions, numerous protocols, and new devices of different makes and models being added daily. Keeping track of these in a systematic fashion by design is simply not possible. Such networks are loosely coupled with enterprise networks, or in many cases, have an overlay architecture, so a single overarching control and monitoring mechanism is not practical.

Anomaly detection in IoT networks

These IoT networks are new, so the industry has not had the time to study every vulnerability of these systems in detail. Due to the time to market pressures and digital transformation wave, the systems are being deployed without extensive validation. Attack surfaces have not been hashed properly and, in many cases, the mitigation infrastructure not defined.

The problem of how to keep the enterprise networks, which employ such IoT devices and infrastructure safe from adversarial entities, is therefore extremely pertinent. Engineers need to build systems that mitigate such attacks, without hindering the deployment speed or mandating network restrictions in protocols or devices. Such a system is an ideal target for analytics and machine learning (ML) concepts.

The biggest challenge is a lack of time

These IoT networks are evolving daily. New products, methods, and use-cases are being developed and deployed regularly. There simply is not enough time to study the behavior of these networks in totality, discover every corner case and create system mitigations. Checks and balances should be designed on the fly, and need to be adjusted and pivoted regularly.

What is more, the challenges presented by IoT networks do not stop at time. The solution space is fragmented, and one size does not fit all. The network topology is varied and differs greatly from user to user. Deployment conditions cannot be anticipated for every usage, making the development of security solutions that fit most of the scenarios difficult.

The scale of IoT devices is significantly larger than enterprise Wi-Fi or ethernet devices. It is hard to keep up with this growth using traditional models of prepping the network, and defining rules and access controls to create the correct boundaries.

Fingerprinting and anomaly detection approaches

Making a ‘uniqueness’ decision using metadata from over-the-air traffic capture for a device is a difficult problem. Features need to be extracted from the physical layer (for example, drifts in timing characteristics, inter-packet time deltas, frequency offsets), all the way to application behavior (actuation or working pattern). This helps identify the device and log the distinctive fingerprint of the device.

Once the behavior has been documented, departures of normal behavior can be marked and flagged as anomalous. Anomalies can happen at different layers in an IoT device. At a more physical level, with aging, devices can start misbehaving. This can be put in a predictive maintenance bucket, or the behavior might show a different pattern after a faulty firmware update. The device may become compromised, and the behavior pattern can change with a more malicious intent. It might start sending packets of kinds to explore attack surfaces or access ports which have not been historically accessed. At an application level, things might change both intentionally or in error – devices could have a very different pattern when there is an application upgrade or in error. 

What is the solution?

The solution we evaluated uses both ML fundamentals and novel deep learning (DL) approaches. It encompasses fingerprinting devices and their behavior in a live network with an asynchronous learning mechanism.

Our proposal is to ‘sniff’ the IoT network to infer characteristics related to device uniqueness and behavior, protocol, and application. The system constantly sniffs the wireless traffic and records the packet sequence. Packet features such as size, direction, interval, and layer are used to create fingerprints, which can identify the device. The identity finds device anomalies with respect to its own past actions, or its divergence from the ensemble characteristics. It then flags such anomalies, trying to distinguish between benign and malicious anomalies.

Why ML? The problem, by definition, is conducive to the application of ML concepts. The problem space is not bounded, and simple analytics cannot identify and fingerprint. When there are no historical datasets, synchronous learning and data-modeling are ruled out. New devices, generations of devices, and software revisions of devices can all cause behavior changes, so learning cannot be static.

Our proposal uses a variety ML concepts to identify events and distinguish between expected and anomalous behavior. A fingerprints dataset is collected for each event and used to train a supervised ‘Random Forest’ model, which is used to identify IoT app events. Also, the proposal extracts expected behavior from app descriptions using natural language processing (NLP), and can compare actual versus expected behavior. To combat the ever-changing nature of IoT attacks, we deploy a reinforcement learning-based attack detection framework. This automatically adjusts the attack detection threshold and quickly detects new IoT attacks as these evolve.


Typical IoT network topology is either in a hub-spoke format or a mesh structure. In both cases, there is always an aggregator, gateway and border router. These gateways are spread over the network to provide coverage to the full-service area, and are an ideal location for data sniffing.

IoT gateway

We have based our experimentation on non-IP protocols – specifically Zigbee and Bluetooth Low Energy (BLE). The front-end of the system is a data-capture/sniffer unit, and we use Ubertooth and Raspberry Pi as the capture unit. The capture unit initially listens to the BLE broadcast channel and subsequently follows individual devices to capture device-specific information.

The captured data is parsed and curated to extract the relevant features, which range from physical layer characteristics, protocol traffic pattern, timing and application packets.

IoT Anomaly Detection System
Figure 1: Simplified view of IoT Anomaly Detection System

Data store

The curated data is shipped to a data base for further processing, and is normalized by flattening the multiple views (for example, captures of same device from different gateways). The cleaned-up data is then used for ML DL processing.

ML DL engine

The ML DL engine then runs the relevant algorithms to identify, detect and flag anomalies. The feedback loop can intimate the network elements to react to the found issues and mitigate accordingly.

Our approaches

We took two different approaches to attack the problem, which both use the same basic infrastructure.

IOTGAZE: IoT security enforcement with wireless context analysis
We define wireless context as the device events which can be gleamed through wireless sniffing. The key components of the context generations are IoT fingerprinting, Sequential Event Generation, and Temporal Event Generation. We have used features such as packet size, direction, traffic class and packet interval for classification. The Random Forest ML classifier is employed to classify the packets into the device and event classes. The events are then flattened to generate the sequence of events related to a IoT device, which is further processed to generate event stream and event dependence.

During IoT application context generation we try to automagically gleam the application behavior by reading and processing the application description. This, in some ways can be thought of as priming the network with what to expect from the IoT device and what the normal working model is. We have employed Stanford parser for application description analysis, mapping the capability and creating an event transition graph for the application.

The final step is to correlate the IoT application context with the observed wireless context for anomalies. 

IoTGAZE System

Towards Learning-automation IoT Attack Detection through Reinforcement Learning

In this approach, we propose a reinforcement learning-based attack detection model that can automatically learn and recognize the attack pattern transformation. Therefore, we can continuously detect IoT attacks with less human intervention. We explore the crucial features of IoT traffic and utilize entropy-based metrics to detect both high- and low-rate IoT attacks. We then leverage reinforcement learning techniques to continuously adjust the attack detection threshold based on the detection feedback, which optimizes the detection and the false alarm rate. We conducted extensive experiments over a real IoT attack dataset to demonstrate the effectiveness of our IoT attack detection framework.

The first step is to extract the entropy of the information variables, which allows us to gauge the randomness of the variable and use that for analysis. The more random the feature the less effective it is for detections and the derivation of anomalies. The feature is extracted and used as an input for a reinforcement learning module, which continuously optimizes and updates the threshold vector for attack detection.

IoT Anomaly and Attack detection with Reinforcement Learning
Figure 3: IoT Anomaly and Attack detection with Reinforcement Learning


Anomaly detection is slowly transitioning from trial and error arts into an exact science. ML DL is becoming the tool of choice for engineers to map system behavior and isolate discrepancies. The complexity lies in incorporating the tool without disrupting the normal functionality of the system. In our study, we focused not only on the ML DL aspects of research, but also on how to make the system less intrusive and low touch to avoid service disruptions. We aimed to optimize the windows in which we collect and analyze data for anomalies, while leaving the rest for normal traffic. What makes the research even more interesting is how to differentiate between benign and malicious attacks.

This work was spearheaded by Tianbo Gu from UC Davis in consultation with Prof. Prasant Mohapatra (UC Davis), Mark Nutter, Mohit Aggarwal and Allaukik Abhishek (Arm Research).