Data driven intrusion detection for 6LoWPAN based IoT systems

Örs, Faik Kerem (2021) Data driven intrusion detection for 6LoWPAN based IoT systems. [Thesis]

Abstract

The wide adoption of Internet of Things (IoT) devices, combined with their hardware limitations, makes them easy targets for attackers. Therefore, it is important to monitor these systems, where security mechanisms are less applicable, by using intrusion detection systems, and to take the necessary actions against insider and outsider attackers promptly. Intrusion detection systems monitor computer networks continuously and ensure that relevant reports are forwarded to the system administrators in case of a security incident. Recent studies have shown that machine learning based intrusion detection systems are quite successful in detecting different types of attacks. However, most of the models proposed in the literature were developed using simulation based or previously published testbed data that contain samples of outdated IoT attacks and vulnerabilities. Furthermore, the variety of attacks these models aim to detect is relatively low, and the proposed models are binary classifiers, which are not scalable for multi-attack scenarios. Binary classifiers can distinguish an attack type from benign traffic, in contrast to multi-class classifiers, which can classify different types of attacks together with benign traffic. In this thesis, we propose a machine learning based multi-class classifier that can classify 6 attack types together with the benign traffic. Our node based feature extraction and detection methodology makes it possible to pinpoint the exact locations of the attackers by modelling their traffic characteristics over a sliding time window. For training and testing our models, we also propose an intrusion detection dataset generated using traffic data collected from real IoT devices working over the 6LoWPAN and RPL protocols. Besides including RPL routing attacks in the dataset, we leverage the Mirai botnet, which is frequently used to target IoT devices.
The results show that the proposed intrusion detection system can detect 6 attack types with high recall scores ranging from 79% to 100%.
Item Type: Thesis
Uncontrolled Keywords: internet of things -- intrusion detection -- attack classification -- 6lowpan -- machine learning -- deep learning -- botnet
Subjects: T Technology > TK Electrical engineering. Electronics Nuclear engineering > TK7800-8360 Electronics > TK7885-7895 Computer engineering. Computer hardware
Divisions: Faculty of Engineering and Natural Sciences > Academic programs > Computer Science & Eng.
Faculty of Engineering and Natural Sciences
Depositing User: Dila Günay
Date Deposited: 21 Jun 2022 09:49
Last Modified: 21 Jun 2022 09:49
URI: https://research.sabanciuniv.edu/id/eprint/42951
