Detecting Compromised IoT Devices Using Autoencoders with Sequential Hypothesis Testing
Md Mainuddin, Zhenhai Duan, Yingfei Dong
TL;DR
IoT devices often lack strong security, making reliable detection of compromises challenging due to noisy anomaly alerts. The authors propose CUMAD, which couples an autoencoder-based anomaly detector with a sequential probability ratio test (SPRT) to accumulate evidence over time and make fast, low-FPR decisions. Evaluations on the N-BaIoT dataset show that CUMAD reduces the false positive rate from about 3.57% (autoencoder alone) to around 0.5% and detects compromises with fewer than five observations on average. This cumulative, online approach enables scalable, per-device IoT security with practical, rapid detection.
Abstract
IoT devices fundamentally lack built-in security mechanisms to protect themselves from security attacks. Existing works on improving IoT security mostly focus on detecting anomalous behaviors of IoT devices. However, these existing anomaly detection schemes may trigger an overwhelmingly large number of false alerts, rendering them unusable in detecting compromised IoT devices. In this paper we develop an effective and efficient framework, named CUMAD, to detect compromised IoT devices. Instead of directly relying on individual anomalous events, CUMAD aims to accumulate sufficient evidence in detecting compromised IoT devices, by integrating an autoencoder-based anomaly detection subsystem with a sequential probability ratio test (SPRT)-based sequential hypothesis testing subsystem. CUMAD can effectively reduce the number of false alerts in detecting compromised IoT devices, and moreover, it can detect compromised IoT devices quickly. Our evaluation studies based on the public-domain N-BaIoT dataset show that CUMAD can on average reduce the false positive rate from about 3.57% using only the autoencoder-based anomaly detection scheme to about 0.5%; in addition, CUMAD can detect compromised IoT devices quickly, with less than 5 observations on average.