Scientific and Technical Journal of Information Technologies, Mechanics and Optics

Leveraging machine learning for profiling IoT devices to identify malicious activities

https://doi.org/10.17586/2226-1494-2025-25-4-663-675

Abstract

Protecting IoT devices is a relevant and important task in the context of a constantly increasing number of devices connected to the network and a growing threat of cyberattacks. One of the key solutions to this problem is profiling such devices to increase the security level of the systems in which they operate. The application of machine learning methods represents a promising approach to solving this problem. This study presents a method for profiling Internet of Things (IoT) devices aimed at detecting malicious activity. The proposed solution enables the identification of network events that may indicate the presence of cyberattacks. The essence of the method lies in the creation of individualized behavioral profiles for each IoT device using machine learning algorithms. Profiles are constructed based on the analysis of network traffic. Machine learning models are employed to perform classification and anomaly detection tasks. The study provides a detailed description of the main stages of the proposed approach, including data collection and preprocessing, model selection and training, testing, and evaluation of the effectiveness of the developed solution. In the course of the study, 26 device profiles were constructed using the CIC IoT 2022 dataset. An additional 21 new features were incorporated into the original dataset. The augmented dataset was balanced using oversampling and undersampling techniques. For each device, comparative performance evaluations were conducted for the Random Forest, XGBoost, and CatBoost models in the context of attack detection, and for Isolation Forest, Elliptic Envelope, and One-Class Support Vector Machine in the context of anomaly detection. It was demonstrated that the newly proposed features are among the most informative. A comparison of the obtained results with relevant studies confirmed the applicability of the proposed approach for ensuring the security of IoT devices and reducing the risks associated with their operation.

About the Authors

D. M. Legkodymov
The Bonch-Bruevich Saint Petersburg State University of Telecommunications (SPbSUT)
Russian Federation

Daniil M. Legkodymov, Student

193232; Saint Petersburg

Scopus Author ID: 59721499100



D. S. Levshun
St. Petersburg Federal Research Center of the Russian Academy of Sciences (SPC RAS)
Russian Federation

Dmitry S. Levshun, PhD (Russia), PhD (France), Senior Researcher

199178; Saint Petersburg

Scopus Author ID: 57189306576



I. V. Kotenko
St. Petersburg Federal Research Center of the Russian Academy of Sciences (SPC RAS)
Russian Federation

Igor V. Kotenko, D.Sc., Professor, Honored Scientist of the Russian Federation, Chief Researcher

199178; Saint Petersburg

Scopus Author ID: 15925268000




For citations:


Legkodymov D.M., Levshun D.S., Kotenko I.V. Leveraging machine learning for profiling IoT devices to identify malicious activities. Scientific and Technical Journal of Information Technologies, Mechanics and Optics. 2025;25(4):663-675. (In Russ.) https://doi.org/10.17586/2226-1494-2025-25-4-663-675


This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2226-1494 (Print)
ISSN 2500-0373 (Online)