Towards identifying IoT traffic anomalies on the home gateway: poster abstract

The number of IoT devices continues to grow despite the alarming rate of identification of security and privacy issues. There is widespread concern that development of IoT devices is performed without sufficient attention paid to security and privacy issues. Consequently, networks have a higher probability of incorporating vulnerable IoT devices that may be easy to compromise to launch cyber attacks. Inclusion of IoT devices paves the way for a new category of anomalies to be introduced to networks. Traditional anomaly detection techniques (e.g., semi-supervised and signature-based methods), however, are likely inefficient in detecting IoT-based anomalies. This is because these techniques require static signatures of known attacks, specialized hardware, or full packet inspection. They are also expensive, and may be inaccurate or unscalable. Vulnerable IoT devices can be used to perform destructive attacks or invade privacy. The ability to find anomalies in IoT traffic has the potential to assist with early detection and deployment of countermeasures to thwart such attacks. Thus, new techniques for detecting infected IoT devices are needed to mitigate the associated security and privacy risks. In this research, we investigate the possibility to identify IoT traffic using a combination of behavioural profile, predefined blocklist and device fingerprint. Such a system may be able to detect anomalous and/or malicious devices and/or traffic reliably and quickly. Initial results show that for our implementation of such a system, IoT traffic can be identified using device behaviour profile, fingerprint, and contacted destinations. This work takes the first step towards designing and evaluating iDetector, a framework that can detect anomalous behaviour within IoT networks. In our experiments, iDetector was able to correctly identify 80--90% of all captured traffic traversing a home gateway.