Detecting Compromised IoT Devices Using Autoencoders with Sequential Hypothesis Testing
This work addresses the issue of false alerts in IoT security for device monitoring, presenting an incremental improvement over existing anomaly detection methods.
The paper tackles the problem of high false positive rates in detecting compromised IoT devices by proposing CUMAD, a framework that integrates autoencoder-based anomaly detection with sequential hypothesis testing, reducing the false positive rate from about 3.57% to about 0.5% and enabling detection with fewer than 5 observations on average.
IoT devices fundamentally lack built-in security mechanisms to protect themselves from attacks. Existing work on improving IoT security mostly focuses on detecting anomalous behaviors of IoT devices. However, these existing anomaly detection schemes may trigger an overwhelmingly large number of false alerts, rendering them unusable for detecting compromised IoT devices. In this paper, we develop an effective and efficient framework, named CUMAD, to detect compromised IoT devices. Instead of acting directly on individual anomalous events, CUMAD accumulates sufficient evidence before declaring an IoT device compromised, by integrating an autoencoder-based anomaly detection subsystem with a sequential probability ratio test (SPRT)-based sequential hypothesis testing subsystem. CUMAD can effectively reduce the number of false alerts in detecting compromised IoT devices, and moreover, it can detect compromised IoT devices quickly. Our evaluation studies based on the public-domain N-BaIoT dataset show that CUMAD can on average reduce the false positive rate from about 3.57%, using only the autoencoder-based anomaly detection scheme, to about 0.5%; in addition, CUMAD can detect compromised IoT devices quickly, with fewer than 5 observations on average.
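The evidence-accumulation step described above, as an added example that is not the paper's code: Wald's SPRT is run over the stream of per-observation anomaly flags that an upstream detector (here a stand-in reconstruction-error threshold in place of the autoencoder) emits for one device, so that a single false alert cannot by itself flag the device. The hypothesised flag rates (`theta0` set to the abstract's 3.57% autoencoder false-positive rate, `theta1` for a compromised device), the error thresholds and the sample reconstruction errors are assumptions constructed for the illustration, not values from the paper.

```python
"""Added example (not from the paper): Wald's SPRT applied to a stream of
per-observation anomaly flags, accumulating evidence before declaring a
device compromised. All parameter values are assumptions chosen to match
the numbers quoted in the abstract, not the paper's own settings."""
import math
import random
from typing import List, Tuple


class BernoulliSPRT:
    """Sequential probability ratio test over binary anomaly flags.

    H0 (benign):      P(flag) = theta0, the per-observation false-positive
                      rate of the upstream anomaly detector
    H1 (compromised): P(flag) = theta1 (assumed)
    alpha / beta:     target false-positive / false-negative rates of the
                      accumulated decision (Wald's approximate thresholds)
    """

    def __init__(self, theta0=0.0357, theta1=0.80, alpha=0.005, beta=0.01):
        self.theta0, self.theta1 = theta0, theta1
        # Decision boundaries on the cumulative log-likelihood ratio (LLR).
        self.upper = math.log((1 - beta) / alpha)  # reaching it accepts H1
        self.lower = math.log(beta / (1 - alpha))  # reaching it accepts H0
        # Per-observation LLR increments, precomputed once.
        self.inc_flag = math.log(theta1 / theta0)
        self.inc_clean = math.log((1 - theta1) / (1 - theta0))
        self.reset()

    def reset(self) -> None:
        self.llr = 0.0
        self.n = 0

    def update(self, flag: bool) -> str:
        """Feed one anomaly flag; return 'compromised', 'benign' or 'undecided'."""
        self.n += 1
        self.llr += self.inc_flag if flag else self.inc_clean
        if self.llr >= self.upper:
            return "compromised"
        if self.llr <= self.lower:
            return "benign"
        return "undecided"


def flag_from_error(recon_error: float, threshold: float) -> bool:
    """Stand-in for the autoencoder stage: an observation is anomalous when
    its reconstruction error exceeds a threshold learned on benign traffic."""
    return recon_error > threshold


def decide_stream(flags: List[bool], **kw) -> List[Tuple[int, str]]:
    """Run the SPRT over a device's flag stream. Each terminal decision is
    recorded with the number of observations it consumed. After a 'benign'
    verdict the test restarts so monitoring continues; a 'compromised'
    verdict ends the stream, since the device is now handed to response."""
    sprt = BernoulliSPRT(**kw)
    decisions = []
    for f in flags:
        verdict = sprt.update(f)
        if verdict == "undecided":
            continue
        decisions.append((sprt.n, verdict))
        if verdict == "compromised":
            break
        sprt.reset()
    return decisions


def simulate_fpr(n_devices=2000, p_flag=0.0357, seed=7) -> Tuple[float, float]:
    """Monte-Carlo check of the accumulated false-positive rate: benign
    devices whose detector raises a flag independently with probability
    p_flag per observation. Returns (fraction wrongly declared compromised,
    mean number of observations until a decision)."""
    rng = random.Random(seed)
    wrong, total_obs = 0, 0
    for _ in range(n_devices):
        sprt = BernoulliSPRT(theta0=p_flag)
        verdict = "undecided"
        while verdict == "undecided":
            verdict = sprt.update(rng.random() < p_flag)
        wrong += verdict == "compromised"
        total_obs += sprt.n
    return wrong / n_devices, total_obs / n_devices


if __name__ == "__main__":
    # Constructed reconstruction errors: a benign device with one stray
    # high-error observation, then a compromised device.
    benign_errors = [0.02, 0.03, 0.09, 0.02, 0.01, 0.02]
    attack_errors = [0.31, 0.28, 0.35, 0.30]
    thr = 0.08
    print(decide_stream([flag_from_error(e, thr) for e in benign_errors]))
    print(decide_stream([flag_from_error(e, thr) for e in attack_errors]))
    print(simulate_fpr())
```

With these settings a single stray flag is absorbed (the benign stream above is cleared after six observations), three consecutive clean observations clear a device, and two consecutive flags are enough to declare it compromised, which is the kind of short decision length the abstract reports. The simulation shows why the accumulated false-positive rate lands near `alpha` rather than at the detector's own 3.57%: Wald's thresholds bound the error of the whole sequential decision, not of any single observation.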