Real-Time IoT Device Activity Detection in Edge Networks

  • Ibbad HafeezEmail author
  • Aaron Yi Ding
  • Markku Antikainen
  • Sasu Tarkoma
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11058)


The growing popularity of Internet-of-Things (IoT) has created the need for network-based traffic anomaly detection systems that could identify misbehaving devices. In this work, we propose a lightweight technique, IoTguard, for identifying malicious traffic flows. IoTguard uses semi-supervised learning to distinguish between malicious and benign device behaviours using the network traffic generated by devices. In order to achieve this, we extracted 39 features from network logs and discard any features containing redundant information. After feature selection, fuzzy C-Mean (FCM) algorithm was trained to obtain clusters discriminating benign traffic from malicious traffic. We studied the feature scores in these clusters and use this information to predict the type of new traffic flows. IoTguard was evaluated using a real-world testbed with more than 30 devices. The results show that IoTguard achieves high accuracy (\({\ge }98\%\)), in differentiating various types of malicious and benign traffic, with low false positive rates. Furthermore, it has low resource footprint and can operate on OpenWRT enabled access points and COTS computing boards.


Network Security Traffic monitoring Classification Anomaly detection Semi-supervised learning 



The work was supported in part by the Business Finland PraNA research project.


  1. 1.
    Kdd cup 1999 data. Accessed 18 July 2016
  2. 2.
    Senrio. 400,000 publicly available IoT devices vulnerable to single flaw. Accessed 5 May 2016
  3. 3.
    Agrawal, R., Srikant, R.: Fast algorithms for mining association rules in large databases. In: Proceedings of the 20th International Conference on Very Large Data Bases, VLDB 1994, pp. 487–499 (1994)Google Scholar
  4. 4.
    Akbar, S., et al.: Improving network security using machine learning techniques. In: 2012 IEEE International Conference on Computational Intelligence and Computing Research, pp. 1–5 (2012)Google Scholar
  5. 5.
    Aranganayagi, S., Thangavel, K.: Clustering categorical data using silhouette coefficient as a relocating measure. In: International Conference on Computational Intelligence and Multimedia Applications (ICCIMA 2007), vol. 2, pp. 13–17 (2007)Google Scholar
  6. 6.
    Barrera, D., Molloy, I., Huang, H.: IDIoT: securing the Internet of Things like it’s 1994. CoRR abs/1712.03623 (2017)Google Scholar
  7. 7.
    Bekerman, D., et al.: Unknown malware detection using network traffic classification. In: 2015 IEEE Conference on Communications and Network Security (CNS), pp. 134–142 (2015)Google Scholar
  8. 8.
    Bohara, A., Thakore, U., Sanders, W.H.: Intrusion detection in enterprise systems by combining and clustering diverse monitor data. In: Proceedings of the Symposium and Bootcamp on the Science of Security, HotSos 2016, pp. 7–16 (2016)Google Scholar
  9. 9.
    Chawla, N.V., Bowyer, K.W., Hall, L.O., Kegelmeyer, W.P.: Smote: synthetic minority over-sampling technique. J. Artif. Int. Res. 16(1), 321–357 (2002)zbMATHGoogle Scholar
  10. 10.
    Cheng, S.M., et al.: Traffic-aware patching for cyber security in mobile IoT. IEEE Commun. Mag. 55(7), 29–35 (2017)CrossRefGoogle Scholar
  11. 11.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, pp. 139–154 (2008)Google Scholar
  12. 12.
    Jeyakumar, V., Madani, O., ParandehGheibi, A., Yadav, N.: Data driven data center network security. In: Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics, IWSPA 2016, p. 48 (2016)Google Scholar
  13. 13.
    Roux, J., et al.: Toward an intrusion detection approach for IoT based on radio communications profiling. In: 13th European Dependable Computing Conference, Geneva, Switzerland, p. 4p. (2017)Google Scholar
  14. 14.
    Lu, W., et al.: Automatic discovery of botnet communities on large-scale communication networks. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS 2009, pp. 1–10 (2009)Google Scholar
  15. 15.
    Martindale, J.: Nearly 30 percent of all web traffic is sent by malicious bots. Accessed 6 Apr 2018
  16. 16.
    McMillan, R.: Up to three percent of internet traffic is malicious, researcher says. Accessed 6 Apr 2018
  17. 17.
    Meidan, Y., et al.: Detection of unauthorized IoT devices using machine learning techniques. CoRR abs/1709.04647 (2017).
  18. 18.
    Meidan, Y., et al.: Profiliot: a machine learning approach for IoT device identification based on network traffic analysis. In: Proceedings of the Symposium on Applied Computing, SAC 2017, pp. 506–509 (2017)Google Scholar
  19. 19.
    Miettinen, M., et al.: IoT sentinel: automated device-type identification for security enforcement in IoT. In: 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), pp. 2177–2184 (2017)Google Scholar
  20. 20.
    Narvekar, M., Syed, S.F.: An optimized algorithm for association rule miningusing FP tree. Procedia Comput. Sci. 45(Supplement C), 101–110 (2015). International Conference on Advanced Computing Technologies and Applications
  21. 21.
    Nguyen, T.T.T., Armitage, G.: A survey of techniques for internet traffic classification using machine learning. IEEE Commun. Surv. Tutor. 10(4), 56–76 (2008)CrossRefGoogle Scholar
  22. 22.
    Nordum, A.: Popular internet of things forecast of 50 billion devices by 2020 is outdated. Accessed 7 May 2017
  23. 23.
    Patton, M., et al.: Uninvited connections: a study of vulnerable devices on the Internet of Things (IoT). In: 2014 IEEE Joint Intelligence and Security Informatics Conference, pp. 232–235 (2014)Google Scholar
  24. 24.
    Pauli, D.: 414,949 d-link cameras, IoT devices can be hijacked over the net. Accessed 7 May 2017
  25. 25.
    Ran, J., Kong, X., Lin, G., Yuan, D., Hu, H.: A self-adaptive network traffic classification system with unknown flow detection. In: 2017 3rd IEEE International Conference on Computer and Communications (ICCC), pp. 1215–1220 (2017)Google Scholar
  26. 26.
    ur Rehman, Z., Idris, A., Khan, A., : Multi-dimensional scaling based grouping of known complexes and intelligent protein complex detection. Comput. Biol. Chem. 74, 149–156 (2018). Scholar
  27. 27.
    Shanmugam, B., Idris, N.B.: Improved intrusion detection system using fuzzy logic for detecting anamoly and misuse type of attacks. In: 2009 International Conference of Soft Computing and Pattern Recognition, pp. 212–217 (2009)Google Scholar
  28. 28.
    Shanmugavadivu, R., Nagarajan, N.: Network intrusion detection system using fuzzy logic. Indian J. Comput. Sci. Eng. (IJCSE) 2(1), 101–111 (2001)Google Scholar
  29. 29.
    Strayer, W.T., Lapsely, D., Walsh, R., Livadas, C.: Botnet detection based on network behavior. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection. Advances in Information Security, vol. 36, pp. 1–24. Springer, Boston (2008). Scholar
  30. 30.
    Trauwaert, E.: On the meaning of dunn’s partition coefficient for fuzzy clusters. Fuzzy Sets Syst. 25(2), 217–242 (1988)CrossRefGoogle Scholar
  31. 31.
    Yi, L., Shi, Y.: Research on abnormal traffic classification of web camera based on supervised learning and semi-supervised learning. In: 2017 3rd IEEE International Conference on Computer and Communications (ICCC), pp. 547–551 (2017)Google Scholar
  32. 32.
    Zhou, K., et al.: Fuzziness parameter selection in fuzzy c-means: the perspective of cluster validation. Sci. China Inf. Sci. 57(11), 1–8 (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Ibbad Hafeez
    • 1
    Email author
  • Aaron Yi Ding
    • 2
    • 3
  • Markku Antikainen
    • 1
    • 4
  • Sasu Tarkoma
    • 1
    • 4
  1. 1.University of HelsinkiHelsinkiFinland
  2. 2.Technical University of MunichMunichGermany
  3. 3.Delft University of TechnologyDelftNetherlands
  4. 4.Helsinki Institute of Information TechnologyHelsinkiFinland

Personalised recommendations