Abstract: IoT devices are increasingly deployed in daily life. Many of these devices
are, however, vulnerable due to insecure design, implementation, and
configuration. As a result, many networks already have vulnerable IoT
devices that are easy to compromise. This has led to a new category of
malware specifically targeting IoT devices. However, existing intrusion
detection techniques are not effective in detecting compromised IoT devices
given the massive scale of the problem in terms of the number of different
types of devices and manufacturers involved. In this paper, we present DÏoT,
an autonomous self-learning distributed system for detecting compromised IoT
devices. DÏoT builds effectively on device-type-specific communication
profiles that are subsequently used to detect anomalous deviations in
devices' communication behavior, potentially caused by malicious
adversaries. DÏoT utilizes a federated learning approach for aggregating
behavior profiles efficiently. To the best of our knowledge, it is the first
system to employ a federated learning approach to anomaly-detection-based
intrusion detection. Consequently, DÏoT can cope with emerging new and
unknown attacks. We systematically and extensively evaluated more than 30
off-the-shelf IoT devices over a long term and show that DÏoT is highly
effective (95.6% detection rate) and fast (~257 ms) at detecting devices
compromised by, for instance, the infamous Mirai malware. DÏoT reported no
false alarms when evaluated in a real-world smart home deployment setting.