Could we detect compromised consumer IoT devices participating in a DDoS attack in real-time and do someting about it? A group of researchers Princeton University have presented some encouraging results showing that the first part of that equation can be relatively easily solved.

As IoT traffic is often distinct from that of other Internet connected devices and as machine learning has proved promising for identifying malicious Internet traffic, they decided to use these facts to their advantage.

So, they created a machine learning pipeline that performs data collection, feature extraction, and binary classification of IoT traffic and designed it so that it can be operated on network middleboxes (e.g., routers, switches, firewalls).

Real-time IoT DDoS detection

The system captures the traffic passing through the middlebox, records the source IP address, source port, destination IP address, destination port, packet size, and timestamp of all IP packets sent from smart home devices. Then, it separates the packets by source IP address and non-overlapping time windows.

For each packet, the system generates two types of features:

Stateless (packet size, inter-packet interval, and protocol)

Stateful (bandwidth, IP destination address cardinality and novelty).

Finally, they tested five machine learning algorithms to distinguish normal IoT packets from DoS attack packets.

The researchers deployed the system on an experimental consumer IoT device network and the results they obtained were good. “Our classifiers successfully identify attack traffic with an accuracy higher than 0.999. We found that random forest, K-nearest neighbors, and neural net classifiers were particularly effective,” they noted.

They also pointed out that the stateless features greatly outperformed the stateful features and that, therefore, “real-time anomaly detection of IoT attack traffic may be practical because the stateless features are lightweight and derived from network-flow attributes.”

But the capture and use of stateful features is also helpful, as it improved the accuracy of the results.

Future testing

They plan to try and see whether they can get similar results with normal traffic from additional IoT devices and with attack traffic recorded from a real DDoS attack, and want to experiment with additional features and more complex machine learning techniques.

The question of what to do when once an IoT device is discovered to be part of a DDoS attack remains open.

“Simply cutting the device off from the network might not be feasible, especially if the device is essential (e.g. a blood sugar monitor or a home water pump), because many smart devices do not retain basic functionality without network connectivity. Notifying the user is an option, but many users of home IoT devices will be unequipped to perform device maintenance beyond powering off or disconnecting the device,” they noted.