Internet of Things device monitoring using rule-based device identification and device-centric intrusion detection
Publisher
University of New Brunswick
Abstract
The Internet of Things (IoT) has become an integral part of human life as IoT devices promote smarter living by automating everyday tasks and seamlessly integrating technology into daily life. In recent years, we have witnessed huge adoption and integration of IoT devices in various applications such as healthcare, industry and transportation.
However, this widespread adoption raises significant concerns. IoT devices are often resource-constrained devices that lack proper security mechanisms. Moreover, the proliferation of these low-power devices and sensors as well as the heterogeneity of IoT protocols and technologies have contributed to a complex network of insecure devices. This turns IoT devices into entry points to IoT-enabled networks, making them susceptible to breaches and cyber attacks.
Therefore, there is a need to find solutions to address the security issues. In this dissertation, we address this gap by proposing an IoT device monitoring framework that identifies IoT devices, creates behavioural profiles for them and detects their anomalies and intrusions. It is a centralized device-centric approach in which each device is identified and constantly monitored for possible anomalies and intrusions.
We propose the Data-driven Rule-based Modelling (DRM) framework, which extracts patterns from data to formulate hypotheses, evaluates them to generate rules, and aggregates the rules into a rule-based model. This framework is used to develop a rule-based IoT device identification framework that identifies the devices in a network with high performance and efficiency. Combined, the identification framework and the proposed device-centric anomaly-based intrusion detection system identify and profile IoT devices and detect intrusions against them.
We analyze these models and extensively evaluate their performance and efficiency by designing various experiments. Based on the experimental results, the device identification model identifies the majority of IoT devices as soon as they join the network and produces minimal false positives. The intrusion detection model profiles the normal behaviour of IoT devices and detects intrusions without requiring extensive computation and resource allocation, making it a lightweight model with high performance. Both models are lightweight enough to be scalable to large-scale IoT networks and deployed in real-world use cases in a near-real-time setting.
