Behaviour Modelling and Anomaly Detection in Smart-Home IoT Devices

Abstract

The usage of Internet of Things (IoT) devices has been increasing exponentially, and their security is often overlooked. Hackers exploit the vulnerabilities present to perform large-scale attacks as well as to obtain privacy-sensitive information. Resource constraints, combined with a lack of incentives for manufacturers, make it harder to implement security solutions as part of these devices. This thesis aims at developing a system that monitors the behaviour of these IoT devices. Network traffic is captured and analysed as part of a network middle-box to model the behaviour of an IoT device. This traffic shows the interactions of the IoT device with other devices and hosts. By modelling the normal behaviour of a device, we can detect the anomalies it exhibits. A Denial of Service attack was performed to evaluate the effectiveness of state machines in detecting anomalies. To verify the validity of state machines built from network traffic in a laboratory setup, a test environment with a different setting was used. Traffic was captured from a smart home setting and used to validate the state machines. We show that state machines can be effectively used to model the behaviour of IoT devices at the packet level and can also be used to uniquely identify commands issued from a smartphone to an IoT device. They can also effectively distinguish attack traffic from normal traffic.
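
The idea of modelling packet-level behaviour as a state machine and flagging traffic that leaves it can be sketched as follows. This is an added example, not code from the thesis: the packet abstraction (direction, protocol, size bucket), the one-symbol state definition, and all traces are assumptions constructed for illustration.

```python
from collections import defaultdict

START = "<start>"

# Constructed training traces; each packet is abstracted to "direction:protocol:size".
NORMAL_TRACES = [
    ["out:DNS:S", "in:DNS:S", "out:TCP:S", "in:TCP:S",
     "out:TLS:M", "in:TLS:L", "out:TCP:S"],
    ["out:DNS:S", "in:DNS:S", "out:TCP:S", "in:TCP:S",
     "out:TLS:M", "in:TLS:M", "out:TLS:M", "in:TLS:L", "out:TCP:S"],
]
# Constructed validation trace from a "different setting": a longer session
# that repeats the request/response loop more often than any training trace.
HELD_OUT_NORMAL = ["out:DNS:S", "in:DNS:S", "out:TCP:S", "in:TCP:S",
                   "out:TLS:M", "in:TLS:M", "out:TLS:M", "in:TLS:M",
                   "out:TLS:M", "in:TLS:L", "out:TCP:S"]
# Constructed flood-like trace: repeated inbound packets the device never answers.
FLOOD_TRACE = ["out:DNS:S", "in:DNS:S"] + ["in:TCP:S"] * 6


def learn(traces):
    """Learn a state machine: state = last symbol seen, edges = observed successors."""
    transitions = defaultdict(set)
    for trace in traces:
        state = START
        for symbol in trace:
            transitions[state].add(symbol)
            state = symbol
    return dict(transitions)


def check(model, trace):
    """Replay a trace and return (index, state, symbol) for every unseen transition."""
    anomalies = []
    state = START
    for index, symbol in enumerate(trace):
        if symbol not in model.get(state, set()):
            anomalies.append((index, state, symbol))
        state = symbol  # resynchronise on the observed symbol and keep checking
    return anomalies


if __name__ == "__main__":
    model = learn(NORMAL_TRACES)
    print("held-out normal:", check(model, HELD_OUT_NORMAL))
    print("flood:", check(model, FLOOD_TRACE))
```

Because the learned machine contains a loop, the longer held-out session is accepted even though it was never seen in training, while the flood trace is rejected at the first inbound packet that has no learned transition.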