A Survey of Anomaly Detection Approaches in Internet of Things€¦ · A Survey of Anomaly...

ISeCureThe ISC Int'l Journal ofInformation Security

July 2018, Volume 10, Number 2 (pp. 79–92)

http://www.isecure-journal.org

Review Paper

A Survey of Anomaly Detection Approaches in Internet of Things

Morteza Behniafar 1,∗, Alireza Nowroozi 2, and Hamid Reza Shahriari 31Faculty of Electronic and Computer Engineering, Malek Ashtar University of Technology, Tehran, Iran2Computer Engineering Department, Sharif University of Technology, Tehran, Iran3Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran

A R T I C L E I N F O.

Article history:

Received: 23 February 2018

First Revised: 3 April 2018

Last Revised: 21 July 2018

Accepted: 30 July 2018

Published Online: 31 July 2018

Keywords:Anomaly, Intrusion Detection,

Internet of Things, IT Security.

A B S T R A C T

Internet of Things is an ever-growing network of heterogeneous and constraint

nodes which are connected to each other and Internet. Security plays an

important role in such networks. Experience has proved that encryption and

authentication are not enough for the security of networks and an Intrusion

Detection System is required to detect and to prevent attacks from malicious

nodes. In this regard, Anomaly based Intrusion Detection Systems identify

anomalous behavior of the network and consequently detect possible intrusion,

unknown and stealth attacks. To this end, this paper analyses, evaluates

and classifies anomaly detection approaches and systems specific to Internet

of Things. For this purpose, anomaly detection systems and approaches are

analyzed in terms of engine architecture, application position and detection

method and in each point of view, approaches are investigated considering the

associated classification.

c© 2018 ISC. All rights reserved.

1 Introduction

Analyzing security of Internet of Things (IoT) andits problems can be investigated from two view-

points: 1) things and 2) network. At things level, IoTsecurity faces different challenges compared to gen-eral computer networks due to its natural constraintsof resources and computational power of things. Inse-cure communication channel, unsupervised operationin many applications and heterogeneity of the com-prising things at network level makes the networksvulnerable against intruders and this makes security

∗ Corresponding author.

Email addresses: [email protected] (M. Behniafar),

[email protected] (A. Nowroozi),[email protected] (HR. Shahriari)

ISSN: 2008-2045 c© 2018 ISC. All rights reserved.

of such networks complicated. Thus, providing secu-rity for IoT and the implemented protocols is criticaland requires lots of works to design and develop se-curity mechanisms.

One of the security challenges in these networks iswireless communication which facilitates malicious op-erations of the adversary. Even when it is protected bycryptographic and authentication mechanisms, thingsare exposed to wireless attacks either from within thenetwork (due to the physical intrusion in the networkand nodes and things capturing as well as copyingthem) or from the Internet [1]. Another challengeis dynamic topology which provides the ground forthe adoption of intruder nodes. In addition, routingprotocols, flow control and access control layer proto-cols try to operate with less computational cost andoverhead, therefore security challenges arise. Another

ISeCure

80 A Survey of Anomaly Detection Approaches in IoT — Behniafar et. al

challenge of IoT is energy constraint, for example, ad-versary can make nodes to wake up from sleep modewithout any reason using an intruder node whichbroadcasts wake up beacons which makes nodes tolose their energy and their lifetime is shortened; there-fore, IoT has special features which can be describedas security challenges for these networks and thismakes security attainment, a challenge towards de-veloping such networks. Therefore, applying existingmethods for detecting anomalies in the IoT are notdirectly possible and is faced with challenges [2, 3].Anomaly detection from a large amount of heteroge-neous data generated by various distributed sourceswith different data patterns and considering resourceconstraints are some of the main challenges [4].

Security and privacy are an afterthought on manythings today, because manufacturers try to get prod-ucts to market as quickly as possible. Also aboutdevice’s firmware and different platforms and frame-works, the security evaluations have not been fullyimplemented. These and other issues cause vulnera-bilities in different layers of IoT. OWASP cited topIoT vulnerabilities as follows [5]:

(1) Insecure Web Interface,(2) Insufficient Authentication/Authorization,(3) Insecure Network Services,(4) Lack of Transport Encryption/Integrity Verifi-

cation,(5) Privacy Concerns,(6) Insecure Cloud Interface,(7) Insecure Mobile Interface,(8) Insufficient Security Configurability,(9) Insecure Software/Firmware,

(10) Poor Physical Security.

In this regard, with the exploitation of those vulnera-bilities, there have been specific attacks on IoT-basednetwork, among them, “2016 Dyn cyberattack” and“Persirai botnet attack” and Aidra can be mentioned.These botnets are also called the thingbots and com-prise of all sort of devices ranging from smart phonesto laptops and the new smart devices like TV and re-frigerator. When infected by a botnet the IoT devicesbecome part of an enormous DDoS 1 ecosystem andsend requests to the target server to crash it. Suchan attack makes it hard to trace the actual sourceas millions of connected devices are bombarding thenetwork together. In 2016 Dyn cyberattack [6], Dyncame under attack by multiple large and complexDDoS attacks against their Managed DNS infrastruc-ture originated from Mirai-based botnets by gener-ated compounding recursive DNS retry traffic whichcaused major disruption of Internet services. The at-tack was a botnet coordinated through a large number

1 Distributed Denial of Service

of compromised IoT devices (more than 100,000 ma-licious endpoints), including Digital Video Recorders(DVRs), IP-cameras, printers, residential gatewaysand so on, that had been infected with Mirai malware.In 2017, a new IoT botnet called Persirai has been dis-covered targeting over 1000 IP camera models basedon various Original Equipment Manufacturer (OEM)products by taking advantage of UPnP 2 . Persiraican perform UDP DDoS attack with SSDP packetswithout spoofing IP address. Trendmicro detected ap-proximately 120,000 IP cameras that are vulnerableto Persirai [7].

In the context of IoT IDS survey, a few researcheshave been done [8] and in the context of anomalybased IDS in IoT, no significant work has been doneuntil the preparation of this paper. Therefore, thispaper reviews and surveys anomaly detection systemsand approaches in the context of IoT and proposes aclassification of works done from different points ofview.

In the following, Section 2 describes anomaly de-tection and general classification of anomaly detec-tion approaches in general computer networks. Sec-tion 3 investigates, analyzes and evaluates researcheson anomaly detection in the context of IoT. Finally,the paper is concluded in Section 4.

2 Anomaly Detection

Cryptographic techniques are used as a deterrent se-curity layer and defense frontline which can be brokendue to weak security mechanisms in things and wire-less environment. On the other hand, intruder nodescan make insider attacks without considering cryp-tography (due to authentication and having the en-cryption keys). For example, they can target systemcommunications and interactions and disturb systemcommunications or eavesdrop message contents orchange them and change aggregated information ofthe network. Thus, a second defense layer is requiredto provide security of the network in which systeminteractions are monitored and relevant alarm areissued upon detecting anomalous behavior in the net-work. Indeed, this defense system not only monitorsnetwork behavior for detecting anomalous behaviorof the insider attackers but also it is applied to detectmalicious behaviors of unknown external network at-tackers. In fact, this system is able to analyze andidentify normal behavior of the IoT network to de-tect attacks and threats of the insider things, exter-nal threats from Internet and hybrid attacks of thesetwo in interactions of internal things and gateways sothat whenever an anomaly is detected, the system iswarned so that more damages are prevented. In this

2 Universal Plug and Play

ISeCure

July 2018, Volume 10, Number 2 (pp. 79–92) 81

regard, system behavior and network status analysisis one of the main problems in managing IoT. Thisis why detecting anomalous behavior and anomalyfrom network flow is one of the main keys in iden-tifying status and condition of the network. This isbecause detecting anomalous and malicious behaviorresults in anomaly level in two forms of labeling andscoring for blocking or eliminating adversary nodes[9]. Anomaly labeling leads to false positive or falsenegative errors, but the fuzzy consequence and theuse of scoring and probabilistic methods in providingthe result of anomaly detection is more appropriate.

By connecting a local network of things to Internetand migrating from M2M 3 inter-network communica-tions to Internet-based communications, characteris-tics of the local wireless network of things and Internetare integrated and have created new characteristics.Thus, integrating Internet and local network of thingschanges challenges and existing solutions; which isdue to considering characteristics of the closed localnetwork of constrained nodes and Internet simulta-neously and integrating them together. To mentionsome examples of these features for this network,open access to local network of things from Inter-net, physical access to network nodes to compromisethe legitimated nodes, limited resources available foranomaly detection approaches (considering their over-head), unstable communication links in the networkof things, wireless-specific attacks through insiderintruder and outside of the network-Internet, con-sidering IoT specific protocols (for instance, 6LoW-PAN 4 is a lightweight protocol for using IPv6 in lowpower networks) and specific architecture of thingsand comprising a heterogeneous network of nodescan be named [9–11]. Aforementioned problems makeconventional anomaly detection approaches not to beresponsive for IoT and proposing new solutions, meth-ods and designing new architectures based on spe-cific architectures of IoT necessary so that lightweightanomaly detection approaches considering resourceconstraints proportionate to security challenges canbe presented. Considering the discussion above foranomaly detection in IoT, there are strategic issueswhich should be analyzed specifically for IoT. To thisend, the following issues can be mentioned:

- Analysis, design and extracting appropriate andefficient features: these features should be de-signed such that accuracy of detecting anomalyand attacks is efficiently high by reducing over-head of monitoring data due to constrained re-sources.

3 Machine to Machine4 IPv6 over Low-Power Wireless Personal Area Networks

- Architecture of anomaly detection engine: de-signing, deployment structure, engine compo-nents structure and interactions, informationcollector agents, decision making agents andlocating them in the network for maximum effi-ciency and minimum network overhead.

- Analysis mechanisms and anomaly detectiontechniques: analysis and design of processingprocedures such that detection accuracy foranomaly detection specific for IoT is increasedand computational cost is decreased.

Thus, the aforementioned issues are problems whichshould be analyzed specifically for these networksso that approaches proposed for anomaly detectionin the context of IoT are identified well and theseelements can be used to identify approaches whichcan be proposed to detect anomalies in IoT with highaccuracy and low overhead.

After identifying principles of anomaly detectionand its components, anomaly detection systemsshould be investigated in general computer networksso that studies in the context of anomaly detection inIoT can be analyzed with a good perspective of workdone in this field; thus, in the following, principles ofanomaly detection in general computer networks arepresented.

Anomaly Detection in General ComputerNetworks

Researches in the context of anomaly detection in gen-eral computer networks are conducted to IntrusionDetection. In order to obtain a better understandingin the context of anomaly detection in IoT and ana-lyze the researches in this field, principles of anomalydetection methods in general computer networks aregiven first and then studies in this field are analyzedand investigated. Understanding anomaly detectionapproaches in computer networks and recognizingtheir advantages and shortcomings provides the possi-bility for the researchers to analyze and compare theexisting methods to propose an optimal mechanismfor detecting anomalies in IoT.

Researches and studies in the context of anomalydetection in general computer networks have resultedin systems with different anomaly detection proce-dures. Most of these methods have employed proce-dures which require high computational and opera-tional overhead to increase detection accuracy. Thisis because, in the conventional Internet, constrainedenergy and resources is not an acute problem; thus, fo-cus is on increasing detection accuracy. Methods em-ployed for anomaly detection can be classified into twogroups of model-based and similarity-based methods[12]. In model-based methods, first a normal model

ISeCure


of the behavior of the network’s elements is definedand then violations from the model are considered asan anomaly. In similarity-based models, each data iscompared with other data of the network and collec-tive data and non-similarity with other data of thenetwork is identified as an anomaly.

In previous studies, some features are mentionedfor monitoring and supervising for intrusion detectionamong which, the following can be mentioned [13–17]:

- Time interval between consequent messages fordetecting speed of packet transmission.

- Content of the packet and number of modi-fied packets for monitoring message integrityattacks.

- Transmission latency for detecting latency at-tacks in sending packets including black holeattack or selective forwarding attacks.

- Repeated packet transmission to detect denialof service.

- Transmitter node identity to detect attacks likeWormhole, Helloflood, and neighbor discoveryattacks in IPv6 and Sybil.

- Number of collisions for detecting attacks likejamming.

- Number of packet loss for detecting attacks andsymptoms of dropping, modifying or jamming.

- Amount of energy consumed by network com-ponents to prevent distribution of energy con-sumption in the whole network.

Each of the aforementioned parameters has higherefficiency in one or several threats or attacks and isnot able to detect all attacks. In addition, it should bepointed out that a network with limited resources likelimited energy and computational capacity like IoTis not able to monitor all of these parameters; thus,attacks and threats should be prioritized accordingto application and goal, thus on that basis, extractand monitor some of features. To this end, researchesconducted in this field have extracted and monitoreddifferent parameters of the network according to theirdetection goal.

3 Literature Review

Principles of the methods employed for anomaly de-tection in general computer networks were studiedin the above. In this section, previous work donein the context of anomaly detection in IoT are ana-lyzed and classified. These studies are analyzed andinvestigated from three different viewpoints and ineach section, investigations are presented consideringthe associated classification. First, in terms of en-gine architecture, hybrid intrusion detection systems(anomaly-based detection along with signature-baseddetection) and pure anomaly-based intrusion detec-

tion are identified. Second, anomaly detection in IoThas been investigated from another point of view;Functionality Position; in which two general groupsare identified. One group is for detecting anomalyin transport and network layer which generally stud-ies behavior of nodes and network in communicationlinks, and transport layers and associated attacksincluding routing attacks. In another class, studiesare conducted on anomaly detection at service andapplication level and interactions and data flow pa-rameters are studied. Third, studies are classified interms of the employed method to detect anomaly indetection engine. In this aspect, different mechanismsare used to detect anomaly where the most signifi-cant ones are anomaly detection methods based onstatistical mechanisms. Indeed, methods based onSVM, neural network and artificial immune systemare also proposed which are more limited. Figure 1shows anomaly detection approaches classificationpresented in this paper and Table 1 show a brief re-view of researches done in anomaly detection in IoTnetworks.

3.1 Anomaly Detection in terms ofDetection Engine’s Architecture

In research done in this field, three approaches wereproposed for Intrusion detection in IoT. In the firstapproach, intrusion detection based on signature isproposed. In this method, detection phase and at-tack classification are performed through predeter-mined patterns. In another class, approaches for in-trusion detection in IoT are implemented by combin-ing signature-based methods and anomaly detectionmethods which detect intrusion using these two meth-ods simultaneously or sequentially. In the third class,only anomaly detection methods are used for intru-sion detection and predefined signature attacks arenot applicable. In this paper, studies performed inthe two latter cases are investigated. Between thesetwo methods, focus is on intrusion detection based onpure anomaly detection methods; thus, most studiesand proposed systems are related to this part. For thisreason and because all of them cannot be describedin this section, therefore Researches conducted on thecase of the hybrid method in this section will be pre-sented by case and pure anomaly detection methodsare described in the following sections related to thespecific proposed method.

3.1.1 Anomaly-based Intrusion DetectionSystem

In this class of systems, merely anomaly detectionmethods are used to detect attacks and identify intru-sion in the network. First, the normal behavior of the

ISeCure


Figure 1. Anomaly Detection approaches in IoT

network is identified and then an intrusion is detectedthrough identifying violations from normal behavior.In this method, the signature of attacks is not acces-sible and only approximation methods are used to de-tect intrusion. Thus, false negative is one of the chal-lenges of this method but on the contrary, it is ableto detect new attacks and changing behavior of thenetwork in previously known attacks. Due to advan-tages of detecting new attacks and changing behaviorof the network, studies have focused on this context.Thus, due to large number of research done in thisfield, studies considering the focus of the proposedmethod is presented in more details in the following.In this regard, authors of [62] have investigated intru-sion detection approaches and have compared themtogether to apply them to cloud applications basedon IoT and have concluded that intrusion detectionsystems based on statistical measures, anomaly-baseddetection methods and clustered architecture can beapplied to IoT. It has been mentioned that IoT isa network of different components and things withdifferent applications which are connected to eachother. Thus, heterogeneous structure in the topologyof IoT is very common. So, clustering network to dif-ferent application classes is a suitable approach inmechanisms based on IoT.

3.1.2 Hybrid Intrusion Detection System

In these methods, intrusion detection engine com-bines anomaly and signature-based detection meth-ods. This combination is implemented in two ways.In the first approach, signature-based intrusion de-tection is at the first layer and then anomaly-basedintrusion detection operates as being suspected to thenetwork or detecting an anomalous signature. Ouranalysis show that, in this approach, detecting suspi-cious states in the network is a challenge, because theadvantage of anomaly detection in comparison to hy-

brid approach is in detecting states which signature-based systems are not able to detect. In another ap-proach, signature-based and anomaly-based intrusiondetection systems operate in parallel and their detec-tion objective is different. In this regard, this sectioninvestigates intrusion detection systems which haveemployed anomaly detection and signature-based sys-tems as a hybrid Intrusion detection approach.

Analysis of [8] indicates that for intrusion detectionin IoT, a hybrid intrusion detection system is requiredin which 6LoWPAN is considered and multilateraldetection mechanism based on anomaly detection andprotocol analysis is offered.

Studies in [34, 35] are also of hybrid intrusion de-tection type and are proposed in details in section3.2.2. In addition, authors of [44, 45] have proposedan intrusion detection system for IoT (Internet-basedheterogeneous sensor networks) which is based on sig-nature and anomaly. This paper has also investigatedin section 3.3.1.

Authors of [36, 37] have proposed a hybrid intru-sion detection system in another way. In the proposedapproach, normal profile at activity intervals is de-tected first and then it is used to detect anomalies inthe behavior of nodes. After this stage, this anomalyis compared with defined anomalies to extract itstype, then by considering anomaly types that aredetected; intrusion type is detected by predefined ex-pert knowledge rules. These papers have defined andclassified anomalies and attacks imposed on the net-work very well. In [36], results of intrusion detectionand normal profile of each node are sent to the upperlayer, based on which, network detects intrusion. In[37], employing rules resulting from expert knowledgein anomaly detection is described and generalizationof the work remained for future works.

In [42, 43], A Hybrid Intrusion Detection System

ISeCure


Engine Architecture Functionality Position Detection Method Description

[18] Liu et. al

Pure Anomaly Detection Network and Application Layer Statistical network data analysis

Jacquard coefficient

[19] Kasinathan et. al 6LoWPAN DoS attacks detection

[20] Ding et. al Latent correlation

[21] Yang et. alData aggregation anomaly

detection

[22] Lyu et. al Hyper-ellipsoidal clustering

[23] Ageev et al

******

[24] Chen et al

[25] Eliseev et. al

[26] Gunupudi et. al

[27] Pacheco et. al

[28] Onal et. al

[13] Le at al

Pure Anomaly Detection Routing and Transport Layer Statistical network data analysis

RPL[29] Thanigaivelan et al

[30] Mayzaud et. al

[31] Summerville et. al Deep Packet Inspection

[32] Wang et al*****

[33] Wang et al

[34] RazaHybrid Routing and Transport Layer Statistical network data analysis *****

[35] Raza et. al

[36] Fu et alHybrid Network and Application Layer Statistical network data analysis *****

[37] Desnitsky et al

[38] Pongle et al

Pure Anomaly Detection Routing and Transport Layer **** Blackhole and wormhole detection[39] Tsitsiroudi et al

[40] Surendar et al

[41] Sarigiannidis et al

[42] Bostani et alHybrid Routing and Transport Layer **** Optimum-path forest algorithm

[43] Sheikhan et al

[44] Amin et al Hybrid

Network and Application Layer Statistical network data analysis Based on CUSUM algorithm[45] Trilles et al

Pure Anomaly Detection[46] Machaka et al

[47] Moshtaghi et al

[48] Yu et al

Pure Anomaly Detection Network and Application Layer PCA *****[49] Hoang et al

[50] Zhao et al

[51] Zheng et al

Pure Anomaly Detection Network and Application Layer SVM *****

[52] Shilton at al

[53] Zissis et al

[54] McDermott et al

[55] Jain et al

[56] Sedjelmaci et al HybridNetwork and Application Layer Neural Network

Neuro-fuzzy

[57] Thing et al Pure Anomaly Detection ****

[58] Granjal et al HybridNetwork and Application LayerRouting and Transport Layer

Statistical network data analysis Threshold based method

[59] Domb et al HybridNetwork and Application Layer ****** Random-Forest algorithm

[60] Tama et al Pure Anomaly Detection

[61] Sedjelmaci et. al Hybrid Network and Application Layer ******* Game theory

Table 1. IoT Anomaly detection literature

for Internet of Things based on MapReduce approachwith the aim of distributed detection is proposed.The proposed model use supervised and unsupervisedoptimum-path forest model for intrusion detection.

Granjal and Pedroso [58] proposed a hybrid intru-sion detection system for CoAP based network. Thiswork design and implement various predefined rulesand threshold for transport, network and application

layers to detect malicious nodes and remove themfrom network interactions. Also intrusion preventionis done through node blacklists. The point is detec-tion of new types of attacks and Internet side attacksby predefined scenario in the presented approach andit seems that defining new detection scenarios is re-quired. Finally, they implemented and evaluated ex-perimentally the proposed approach and impact oncritical resources of sensing devices and of its effi-

ISeCure


ciency in dealing with the considered attacks. Imple-mentation and evaluation of resource usage is doneby Contiki Simulator.

3.2 Anomaly Detection in terms ofApplication

As mentioned, a class of researches has studiedanomaly detection and attacks at lower layers of thenetwork and another class of researches has investi-gated anomaly detection at application and networklayer. In this regard, first class detects routing relatedattacks including blackhole, wormhole. The secondclass detects attacks including application attacks,network attacks and attacks from Internet.

3.2.1 Anomaly Detection at ApplicationLayer

In this class of studies, the focus is on detecting at-tacks on interactions data or network service. In thefirst class, attacks aim to destruct, forge, modify ordeviate the interactive data at application layer. Inthe second class, attacks aim to disrupt the serviceand network function. Most researchers focus on de-tecting anomalies at application layer, so there aresome works in this context, thus this section cannotinvestigate them all by case. Considering what thepaper has focused on, details are described providedin the following sections. Some of the researches inthis context are associated with detecting anomaliesin industrial data [63–65] and Industrial-IoT [66]. Inthis class, a real application service of IoT like smarthomes [67, 68] or application of IoT in industry [69]isconsidered and According to context and application,different techniques are employed for data anomalydetection.

3.2.2 Anomaly Detection in Routing andTransport Layer

In this class of researches, routing attacks in6LoWPAN-based networks and attacks in transportand network layers are investigated. In this regard,[13, 35] have investigated detecting routing attacks in6LoWPAN-based IoT networks. In this context, au-thors of [34, 35] have proposed SVELETE intrusiondetection system for IoT aiming to detect routingattacks including wormhole, selective forwarding andso on. Authors of [13] have also investigated provid-ing security of IoT using intrusion detection systems.In this study, the purpose is to make IoT resistantagainst vulnerabilities and security threats of qualityof service on 6LoWPAN platform and focus is on at-tacks imposed on routing protocols considering QoS.

In [29, 30], a framework is proposed for anomaly

detection in IoT in which nodes in distributed man-ner evaluate their neighbors by using RPL (RoutingProtocol for Low-power and Lossy network) in theirown way. In [29] nodes transmit evaluation results totheir parent nodes through a control message on RPLplatform and higher layer nodes transmit the mes-sage to edge router nodes or gateways. Finally, edgenodes are responsible to verify anomalies of nodes andnotify nodes periodically. Evaluating and reportinganomalous behavior in network layer and isolatinganomalous node is performed at link layer. This isdue to prevent anomalous node’s data does not enterthe higher layers of the network for processing. Struc-ture of detection modules and isolation of anomalousnodes in network layer might be beneficial for optimal-ity of packets’ data processing in network layer andpreventing extra processing of anomalous nodes pack-ets in link layer. This paper has not discussed imple-mentation and evaluation of the mentioned method.In [30], a structure is proposed for distributed pas-sive monitoring which multi-instance feature of RPLprotocol is used to propose several network routingtopologies. In this method, network nodes are dividedinto two groups. One group is constrained nodes andthe other group is watchdog nodes which eavesdropinteractions of a homogenous network of things andmonitor nodes passively and evaluate them and offertheir results to the sink nodes for a comprehensiveevaluation of the network status. These two networksare formed by two different topologies and two sepa-rate RPL samples forming the network and are linkedto higher nodes.

EyeSim [39] and VisIoT [41] are intrusion detec-tion systems with visual assistance for representingthe status of nodes’ links. Mentioned systems detectwormhole links to detect black hole attacks. Sink nodeis responsible for nodes monitoring in order to detectlinks of black-hole and monitor neighbors, routing ta-bles of each node and next step in packet routing andtransmission and detect intruder nodes through in-vestigating this information. The main focus of thesepapers is based on graphical representation of nodes’links to each other for analyzing and monitoring nodesand network and representing results obtained fromsecurity evaluations like detecting black-hole links.Also in black-hole attack detection, InDReS [40] is asystem which detects and prevents intrusion throughemphasizing on detection of black-hole attacks andisolation of malicious node. In the proposed method,network nodes are divided into categories with a headas watching node which monitors packet drop countof its surrounding nodes and finally uses the informa-tion obtained from monitoring neighbors and scoreseach node using Dempster Shafer theory and detectsthe malicious nodes through comparing the score

ISeCure


with a threshold and informs the network to isolateit. NS2 simulator is used to evaluate the proposedwork. In the simulations, assumptions are: networknodes are homogeneous, the network is connected tothe Internet and head is not captured.

3.3 Anomaly Detection in terms ofDetection Method

Detection engine and the approach used for detect-ing anomaly apart from system architecture and itsapplication and based on detection method plays themain role in anomaly detection approaches survey.Researches are divided into two groups in terms of de-tection mechanism. In one group which includes themost work done, detection approach is based on net-work data analysis. The other limited group studiesdeep packet inspection for anomaly detection.

3.3.1 Anomaly Detection based on NetworkData Analysis

This method is based on applying different algorithmsfor supervising and monitoring network and appli-cation level data as anomaly detection feature. Allnetwork data including content of interaction data be-tween nodes at application layer and the parametersof network traffic flow are monitored and analyzedso that if their values are changed whether in termsof values exchanged at application layer or values oftraffic flow, deviation from normal behavior is de-tected. Different algorithms are proposed for detect-ing anomalies based on these data but most methodsemploy statistical mechanisms in detecting normalbehavior of data at application and network layerand deviation from it. Some recent studies are alsoproposed, in which artificial immune system, SVMclassifiers, neural network and PCA based approachesare applied to network data for detecting anomalies.

Anomaly Detection based on Artificial Im-mune System

Authors of [70–72] have investigated the overallreview of the applying artificial immune algorithmsfor anomaly detection based on using network leveldata on IoT and their system architecture. In [70], ageneral architecture is proposed in which a centralservice provider and some agents are predicted fordetecting anomalies at gateways. They proposed gen-eral architecture and application of artificial immunealgorithms for anomaly detection and work on detailsof detection method and practical evaluation mightbe for future.

Anomaly Detection based on SVM

For detecting anomalies based on SVM classifiers,

[52] has proposed DP1SVM which is a one class SVMwith update feature for learning data model. Thispaper has focused on extracting the associated SVMand update method. A set of environmental featuresin a sensor network comprising 9 sensors is used forevaluation and data samples of a sensor during two-weeks are used for testing the proposed SVM and timecurve required for learning and updating the model isalso presented for data of that network. Also, authorsof [51] have investigated applying a one-class SVMas a general structure. Applying the aforementionedmethods for implementation in constrained nodes ofIoT should be considered in terms of overhead andcost.

Anomaly Detection Based On Neural Net-work

Artificial Neural Network is another method usedfor anomaly detection for Internet of Things. In thismethod, an artificial neural network used to modelnetwork data and do clustering on aggregated dataform end nodes. Advantage of this method is its us-ability in different and diverse area in supervisedand unsupervised manner, so in different contexts,it can identify and learn network data model anddetect anomaly data. This excellence requires provid-ing more data to tune its neurons organization andweighted connections for identifying data pattern andoverall data model. Some works used neural networkalong with and in comparison to other machine learn-ing methods.

In this context [54, 55] investigated Neural Net-work and SVM method and compared their result inanomaly detection and demonstrated the promise ofboth computational intelligence techniques in effec-tively detecting intrusions; although SVM performsbetter results with smaller sample size than neuralnetwork. Authors of [57] study deep learning approachfor anomaly detection in IEEE 802.11 Network. Thiswork examined the utilization of different techniquesas the activation functions for the hidden neurons inthe proposed neural network for attack detection andclassification.

Anomaly Detection based on PrincipalComponent Analysis

Authors of [48–50] proposed a model for intrusiondetection in IoT which is based on dimension reduc-tion algorithm and a classifier. The proposed modeluses Principal Component Analysis (PCA) to reducedimensions and complexity of various data from alarge number of features to a small number. After datacomplexity reduction, a classifier with less overheadand complexity can better detect the data anomalies.By applying this method, they hope to execute sim-

ISeCure


pler detection method in IoT constraint nodes withless complexity and resource usage.

Anomaly Detection Based on StatisticalMechanisms

In this class of approaches, a statistical model ofnetwork’s behavior parameters resulted from dataflow processing of the network interactions is com-prised implicitly or explicitly [16]. It is necessary thatthis statistical model or behavior profile is generatedin a normal condition without anomaly. After thisstage, in time intervals, the profile is updated basedon network behavior. In order to detect anomaly, ob-tained data from network behavior is compared withreference profile and a degree of anomaly or a label isassigned to it according to the amount of deviation.Considering policy of the method in presenting theoutput, a degree of anomaly or a label is presentedas anomaly result. Presenting anomaly label is donethrough comparison with a threshold where determin-ing a threshold according to conditions is challenging.

Authors of [19] have presented an architecture fordetecting denial of service attacks at network sidewhich is proposed centrally in managerial componentof Low Power networks based on 6LoWPAN. For de-tecting attacks, packets’ size threshold rule is used.In order to evaluate the proposed approach, penetra-tion test and flooding attacks traffic flow are used.Authors of [24] have proposed a general architecturefor anomaly detection in IoT in which network nodesare divided into three groups. Local detection at nodelevel is associated to working nodes and data collec-tors; after anomaly signs, associated node which de-tects anomalies and finally the decision maker nodedecides about its being anomalous considering priorscores of the node. For detection procedures, thiswork has mentioned comparing average of data witha threshold. Authors of [23] have investigated cumula-tive parameters of the statistical distribution of dataflow and anomaly is analyzed and detected throughfuzzy inference from cumulative statistical parameterslike mean, variance and etc. this paper has focusedon flow analysis technique and practical evaluationis performed through generating synthetic statisticaldata.

Liu et.al [18] have examined using of Jacquardcoefficient as a measure for detecting data similarityand detecting distance between data instead of usingsimilarity measures like Euclidean distance. In thispaper, general data generated by MATLAB are usedas statistical features for implementing and evaluatingthe proposed algorithm and anomaly detection.

[22] Proposed a Fog-Empowered anomaly detec-tion scheme based on hyper-ellipsoidal clustering al-

gorithm. In the fog computing model, the Fog layerand the Cloud layer nodes perform the clustering andanomaly detection process and end nodes do not runclustering process on the data. This anomaly detec-tion scheme improves timely detection of anomaliesand saves energy consumption in the network by re-ducing process end node process overhead.

Cumulative SUM algorithm is employed in severalpapers [44–46, 73] as a scoring classifier based onSPC for analyzing data series aiming for anomaly de-tection. In anomaly detection section of [44] whichwas presented in section3.1.2, this method is used todetect anomaly in data collected from the network.In order to evaluate the proposed method, a networkwith mesh topology is created randomly using NS2which communicates data randomly and applies theproposed method to detect anomaly in data flow andattacks like denial of service. Authors of [45, 73] haveproposed a framework for anomaly detection systemin Internet of Things. An anomaly detection systembased on this framework is proposed for environmen-tal monitoring systems based on the above algorithm.In the proposed framework, a brokering approachis used to receive and process data from differenttypes and protocols from different nodes with differ-ent standards in different processing layers. In fact,the proposed approach is to consider a broker for eachclass of nodes so data of that class is received andconverted to the standard format and is offered tothe detection module (CUSUM) for anomaly detec-tion. Indeed, discussions in this paper point out thatCUSUM has constraints and disadvantages in apply-ing and implementing procedures for detecting someanomalies including trend change in the above sys-tem. As mentioned, this paper has proposed a frame-work for a data series analysis in a network of nodesand anomaly detection in IoT is an example of realiz-ing this system. Detection algorithm parameters anddeployment structure of detection modules and fea-tures being analyzed and details of anomaly detectionmethod are issues which should be presented by au-thors of that paper. [46] Has also employed CUSUMto detect DDoS attacks emphasizing on detection ofTCP SYN flooding attacks in IoT. In the proposedpaper, the above method is applied for anomaly de-tection and investigate adjustment of algorithm pa-rameters and their impact on the efficiency of themethod and analyze balance between detection rateand false positive rate and balance between detectionrate and latency in detection. In order to evaluatethe proposed method, DARPA data are used and forsimulating IoT, attack data are added to the data.

Papers [32, 33], evaluate efficiency and quality ofservice of the network to detect anomalies in quali-tative parameters of the network and parameters as-

ISeCure


sociated to quality of service and efficiency are mod-eled in order to maximize utility. That is, parametersof QoS in all nodes of the network are measured innormal condition and if measured parameters are dif-ferent from normal values, anomaly is detected. Forinstance, latency and hop count are mentioned asexamples of the quality of service parameters.

LCAD [20] is an approach for anomaly detectionin different data series based on Latent correlationmethod. In the proposed method, correlation vectorsare computed first using correlation matrix which rep-resents link between different sections of data. Usinglatent correlation vector (LCV), associated latent cor-relation probabilistic model among data is computed.Finally, applying the probability distribution model todata and estimating matching between data and theassociated model, data anomaly is detected. It shouldbe mentioned that using central limit theorem, it isassumed that there are a few numbers of anomalousvectors, accordingly, probabilistic distribution modelwhich is used to detect anomaly, is constituted. Inorder to evaluate the proposed method, three outlierdetection methods are compared to detect anomalyon industrial data. Analysis show that what shouldbe considered about the proposed method is thatits overhead and computational complexity on con-strained nodes and online anomaly detection shouldbe considered.

Eliseeve [25] has proposed a method for detectinganomaly from data flow in the central server withoutinspecting flow content. This method employs cross-correlation of request-response features in the serverflow to analyze network behavior and evaluate itthrough correlation of requests and responses to thecurrent flow of the network with its normal state. Inorder to evaluate this correlation, Pearson correlationcoefficient and neural network one-class classifier areemployed. Considering discussions in the proposedpaper, the first method is not efficient if requestcontent is not considered due to the dependency ofresponse to request content, because different requestsgenerate different responses even if they are of thesame size, thus this method cannot be employed inheterogeneous networks. Thus, this method can beused in servers with simple and similar interactionsand the paper has suggested using the second method.But it should be said that the second method is notsuitable to be implemented in constrained nodes andit should be employed in high power nodes like edgerouter nodes.

3.3.2 Anomaly Detection through DeepPacket Inspection

Authors of [31] have detected anomalies through deeppacket inspection of data being interchanged in thenetwork and they have claimed that anomaly canbe detected by comparing packets bit by bit and bypattern matching. In this method, first, the normalpattern is learned by data packets being transmittedamong nodes of the same type and adjusts parametersof detection pattern through bit distribution of eachclass of nodes and finally, after learning phase, detectsanomaly in packets data through pattern matchingand using logical operation applied to bits. Finally, inorder to evaluate the proposed method, assumed thatcommunication protocols of nodes are simple, thusdata packets are very similar to each other and canbe compared at bit level to detect anomalies throughpattern matching.

Heterogeneity in context, application and data be-ing transmitted in IoT are the problems which shouldbe considered in the above analysis. This is because,exchanged data at bit-level can be completely differ-ent by their contextual values to compare with others.Another issue that makes this method, challenging isInternet-side attacks that which are not necessarilyrecognizable by bit matching and bit level analysis.

4 Conclusion

As mentioned, works done investigated from threepoints of view. In engine architecture, most studieshave focused on pure anomaly detection in contrastto hybrid IDS. In functionality position point of view,researches done both in the transport layer and de-tection of routing related attacks as well as applica-tion layer and data anomaly detection. In detectionmethods point of view, most works are done on sta-tistical data anomaly detection. As a summary twofield more taken into consideration: first, anomalyintrusion detection at transport layer and routing re-lated attacks. The other one is statistical anomalydetection on the network and application layer data.Most studies in this context are general and have notconsidered specific features of heterogeneous and con-strained networks of IoT and mostly a general modeland framework without practical evaluations on IoTspecific data and platform has been proposed.

The main issue with the proposed approaches inthe literature is the detection approach overhead interms of computation, communication and time com-plexity for execute in IoT-based limited nodes forreal time anomaly detection. Another important issueof works done on IoT anomaly detection is the het-erogeneity of things and context and applications. Ageneral anomaly detection approach cannot provide

ISeCure


a separate diagnostic model for any type of applica-tion and data and for different infrastructures and allthe protocols and data exchanged can be completelydifferent. Based on analysis of works done in the lit-erature, simultaneously address these two issues andachieve high accuracy in detecting anomalies in IoTis an open problem. Thus, in order to propose a com-prehensive anomaly detection system in IoT apartfrom infrastructure protocols for context independentand different applications to detect data and networkanomaly, heavy work is required. In this regard, het-erogeneity and constraint resources of IoT nodes anddiversity of applications and contextual data typesare significant issues that needs to be considered inorder to achieve an all-purpose global anomaly de-tection approach for entire IoT network with hetero-gonous cluster of nodes.

References

[1] Prabhakaran Kasinathan, Gianfranco Costam-agna, Hussein Khaleel, Claudio Pastrone, andMaurizio A Spirito. An ids framework for inter-net of things empowered by 6lowpan. In Pro-ceedings of the 2013 ACM SIGSAC conferenceon Computer & communications security, pages1337–1340. ACM, 2013.

[2] Miao Xie, Song Han, Biming Tian, and SaziaParvin. Anomaly detection in wireless sensornetworks: A survey. Journal of Network andComputer Applications, 34(4):1302–1325, 2011.

[3] Sutharshan Rajasegarar, Christopher Leckie,and Marimuthu Palaniswami. Anomaly detec-tion in wireless sensor networks. IEEE WirelessCommunications, 15(4), 2008.

[4] Charu C Aggarwal, Naveen Ashish, and AmitSheth. The internet of things: A survey fromthe data-centric perspective. In Managing andmining sensor data, pages 383–428. Springer,2013.

[5] Top iot vulnerabilities. https://www.owasp.

org/index.php/Top_IoT_Vulnerabilities.Accessed: 2018-07-10.

[6] Dyn analysis summary of friday october 21 at-tack. https://dyn.com/blog/dyn-analysis-

summary-of-friday-october-21-attack. Ac-cessed: 2018-07-10.

[7] Persirai: New internet of things (iot)botnet targets ip cameras. https://

blog.trendmicro.com/trendlabs-security-

intelligence/persirai-new-internet-

things-iot-botnet-targets-ip-cameras/.Accessed: 2018-07-10.

[8] Audrey A Gendreau and Michael Moorman. Sur-vey of intrusion detection systems towards anend to end secure internet of things. In FutureInternet of Things and Cloud (FiCloud), 2016

IEEE 4th International Conference on, pages 84–90. IEEE, 2016.

[9] Varun Chandola, Arindam Banerjee, and VipinKumar. Anomaly detection: A survey. ACMcomputing surveys (CSUR), 41(3):15, 2009.

[10] ShiWei Chao Jiang Du. A study of informationsecurity for m2m of iot. In Advanced ComputerTheory and Engineering(ICACTE), 2010 3rd In-ternational Conference on, pages 576–579. IEEE,2010.

[11] Debasis Bandyopadhyay and Jaydip Sen. In-ternet of things: Applications and challenges intechnology and standardization. Wireless Per-sonal Communications, 58(1):49–69, 2011.

[12] Ismail Butun, Salvatore D Morgera, and RaviSankar. A survey of intrusion detection systemsin wireless sensor networks. IEEE communica-tions surveys & tutorials, 16(1):266–282, 2014.

[13] Anhtuan Le, Jonathan Loo, Aboubaker Lasebae,Mahdi Aiash, and Yuan Luo. 6lowpan: a studyon qos security threats and countermeasures us-ing intrusion detection system approach. In-ternational Journal of Communication Systems,25(9):1189–1212, 2012.

[14] Ana Paula R da Silva, Marcelo HT Martins,Bruno PS Rocha, Antonio AF Loureiro, Lin-nyer B Ruiz, and Hao Chi Wong. Decentral-ized intrusion detection in wireless sensor net-works. In Proceedings of the 1st ACM interna-tional workshop on Quality of service & securityin wireless and mobile networks, pages 16–23.ACM, 2005.

[15] Andreas A Strikos. A full approach for intrusiondetection in wireless sensor networks. Schoolof Information and Communication Technology,2007.

[16] Pedro Garcia-Teodoro, J Diaz-Verdejo, GabrielMacia-Fernandez, and Enrique Vazquez.Anomaly-based network intrusion detection:Techniques, systems and challenges. computers& security, 28(1-2):18–28, 2009.

[17] Md Safiqul Islam and Syed Ashiqur Rahman.Anomaly intrusion detection system in wirelesssensor networks: security threats and existingapproaches. International Journal of AdvancedScience and Technology, 36(1):1–8, 2011.

[18] Yanbing Liu and Qin Wu. A lightweight anomalymining algorithm in the internet of things. InSoftware Engineering and Service Science (IC-SESS), 2014 5th IEEE International Conferenceon, pages 1142–1145. IEEE, 2014.

[19] Prabhakaran Kasinathan, Claudio Pastrone,Maurizio A Spirito, and Mark Vinkovits. Denial-of-service detection in 6lowpan based internetof things. In 2013 IEEE 9th international con-ference on wireless and mobile computing, net-

ISeCure

https://www.owasp.org/index.php/Top_IoT_Vulnerabilities

https://www.owasp.org/index.php/Top_IoT_Vulnerabilities

https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack

https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack

https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/





working and communications (WiMob), pages600–607. IEEE, 2013.

[20] Jianwei Ding, Yingbo Liu, Li Zhang, and Jian-min Wang. Lcad: A correlation based abnormalpattern detection approach for large amount ofmonitor data. In Asia-Pacific Web Conference,pages 550–558. Springer, 2014.

[21] Lijun Yang, Chao Ding, Meng Wu, and KunWang. Robust detection of false data injectionattacks for data aggregation in an internet ofthings-based environmental surveillance. Com-puter Networks, 129:410–428, 2017.

[22] Lingjuan Lyu, Jiong Jin, Sutharshan Ra-jasegarar, Xuanli He, and MarimuthuPalaniswami. Fog-empowered anomaly detectionin iot using hyperellipsoidal clustering. IEEE In-ternet of Things Journal, 4(5):1174–1184, 2017.

[23] Sergey Ageev, Yan Kopchak, Igor Kotenko, andIgor Saenko. Abnormal traffic detection in net-works of the internet of things based on fuzzy log-ical inference. In Soft Computing and Measure-ments (SCM), 2015 XVIII International Confer-ence on, pages 5–8. IEEE, 2015.

[24] Zhenguo Chen, Liqin Tian, and Chuang Lin. Amethod for detection of anomaly node in iot.In International Conference on Algorithms andArchitectures for Parallel Processing, pages 777–784. Springer, 2015.

[25] Vladimir Eliseev and Anastasiya Gurina. Al-gorithms for network server anomaly behaviordetection without traffic content inspection. InProceedings of the 9th International Conferenceon Security of Information and Networks, pages67–71. ACM, 2016.

[26] Rajesh Kumar Gunupudi, Mangathayaru Nim-mala, Narsimha Gugulothu, and Suresh ReddyGali. Clapp: A self constructing feature cluster-ing approach for anomaly detection. Future Gen-eration Computer Systems, 74:417–429, 2017.

[27] Jesus Pacheco and Salim Hariri. Anomaly be-havior analysis for iot sensors. Transactionson Emerging Telecommunications Technologies,29(4):e3188, 2018.

[28] Aras Can Onal, Omer Berat Sezer, MuratOzbayoglu, and Erdogan Dogdu. Weather dataanalysis and sensor fault detection using an ex-tended iot framework with semantics, big data,and machine learning. In Big Data (Big Data),2017 IEEE International Conference on, pages2037–2046. IEEE, 2017.

[29] Nanda Kumar Thanigaivelan, Ethiopia Nigussie,Rajeev Kumar Kanth, Seppo Virtanen, andJouni Isoaho. Distributed internal anomaly de-tection system for internet-of-things. In Con-sumer Communications & Networking Confer-ence (CCNC), 2016 13th IEEE Annual, pages

319–320. IEEE, 2016.[30] Anthea Mayzaud, Anuj Sehgal, Remi Badonnel,

Isabelle Chrisment, and Jurgen Schonwalder. Us-ing the rpl protocol for supporting passive moni-toring in the internet of things. In Network Op-erations and Management Symposium (NOMS),2016 IEEE/IFIP, pages 366–374. IEEE, 2016.

[31] Douglas H Summerville, Kenneth M Zach, andYu Chen. Ultra-lightweight deep packet anomalydetection for internet of things devices. InComputing and Communications Conference(IPCCC), 2015 IEEE 34th International Perfor-mance, pages 1–8. IEEE, 2015.

[32] Junping Wang, Qiuming Kuang, and ShihuiDuan. A new online anomaly learning and de-tection for large-scale service of internet of thing.Personal and Ubiquitous Computing, 19(7):1021–1031, 2015.

[33] Junping Wang and Shihui Duan. An onlineanomaly learning and forecasting model for large-scale service of internet of things. In Identifica-tion, Information and Knowledge in the Internetof Things (IIKI), 2014 International Conferenceon, pages 152–157. IEEE, 2014.

[34] Shahid Raza. Lightweight security solutions forthe internet of things. PhD thesis, MalardalenUniversity, Vasteras, Sweden, 2013.

[35] Shahid Raza, Linus Wallgren, and Thiemo Voigt.Svelte: Real-time intrusion detection in the inter-net of things. Ad hoc networks, 11(8):2661–2674,2013.

[36] Rongrong Fu, Kangfeng Zheng, Dongmei Zhang,and Yixian Yang. An intrusion detection schemebased on anomaly mining in internet of things.2011.

[37] VA Desnitsky, IV Kotenko, and SB Nogin. De-tection of anomalies in data for monitoring ofsecurity components in the internet of things.In Soft Computing and Measurements (SCM),2015 XVIII International Conference on, pages189–192. IEEE, 2015.

[38] Pavan Pongle and Gurunath Chavan. Real timeintrusion and wormhole attack detection in inter-net of things. International Journal of ComputerApplications, 121(9), 2015.

[39] Niki Tsitsiroudi, Panagiotis Sarigiannidis, EiriniKarapistoli, and Anastasios A Economides. Eye-sim: A mobile application for visual-assistedwormhole attack detection in iot-enabled wsns.In Wireless and Mobile Networking Conference(WMNC), 2016 9th IFIP, pages 103–109. IEEE,2016.

[40] M Surendar and A Umamakeswari. Indres: Anintrusion detection and response system for in-ternet of things with 6lowpan. In Wireless Com-munications, Signal Processing and Networking

ISeCure


(WiSPNET), International Conference on, pages1903–1908. IEEE, 2016.

[41] Panagiotis Sarigiannidis, Eirini Karapistoli, andAnastasios A Economides. Visiot: A threat visu-alisation tool for iot systems security. In Commu-nication Workshop (ICCW), 2015 IEEE Inter-national Conference on, pages 2633–2638. IEEE,2015.

[42] Hamid Bostani and Mansour Sheikhan. Hybridof anomaly-based and specification-based ids forinternet of things using unsupervised opf basedon mapreduce approach. Computer Communi-cations, 98:52–71, 2017.

[43] Mansour Sheikhan and Hamid Bostani. A hy-brid intrusion detection architecture for internetof things. In Telecommunications (IST), 20168th International Symposium on, pages 601–606.IEEE, 2016.

[44] Syed Obaid Amin, Muhammad Shoaib Siddiqui,Choong Seon Hong, and Sungwon Lee. Rides:Robust intrusion detection system for ip-basedubiquitous sensor networks. Sensors, 9(5):3447–3468, 2009.

[45] Sergi Trilles Oliver, Oscar Belmonte Fernandez,Sven Schade, and Joaquın Huerta Guijarro. Adomain-independent methodology to analyze iotdata streams in real-time. a proof of concept im-plementation for anomaly detection from envi-ronmental data. 2016.

[46] Pheeha Machaka, Andre McDonald, FulufheloNelwamondo, and Antoine Bagula. Using thecumulative sum algorithm against distributeddenial of service attacks in internet of things.In International Conference on Context-AwareSystems and Applications, pages 62–72. Springer,2015.

[47] Masud Moshtaghi, Sarah M Erfani, ChristopherLeckie, and James C Bezdek. Exponentiallyweighted ellipsoidal model for anomaly detec-tion. International Journal of Intelligent Sys-tems, 32(9):881–899, 2017.

[48] Tianqi Yu, Xianbin Wang, and Abdallah Shami.Recursive principal component analysis-baseddata outlier detection and sensor data aggrega-tion in iot systems. IEEE Internet of ThingsJournal, 4(6):2207–2216, 2017.

[49] Dang Hai Hoang and Ha Duong Nguyen. A pca-based method for iot network traffic anomaly de-tection. In Advanced Communication Technology(ICACT), 2018 20th International Conferenceon, pages 381–386. IEEE, 2018.

[50] Shengchu Zhao, Wei Li, Tanveer Zia, and Al-bert Y Zomaya. A dimension reduction modeland classifier for anomaly-based intrusion de-tection in internet of things. In Dependable,Autonomic and Secure Computing, 15th Intl

Conf on Pervasive Intelligence & Computing, 3rdIntl Conf on Big Data Intelligence and Comput-ing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech), 2017IEEE 15th Intl, pages 836–843. IEEE, 2017.

[51] Zibin Zheng, J Wang, and Ziyu Zhu. A gen-eral anomaly detection framework for internetof things. In Proc. 41st IEEE/IFIP Interna-tional Conference on Dependable Systems andNetworks, Hong Kong, 2011.

[52] Alistair Shilton, Sutharshan Rajasegarar,Christopher Leckie, and MarimuthuPalaniswami. Dp1svm: A dynamic planarone-class support vector machine for internetof things environment. In Recent Advances inInternet of Things (RIoT), 2015 InternationalConference on, pages 1–6. IEEE, 2015.

[53] Dimitrios Zissis. Intelligent security on the edgeof the cloud. In Engineering, Technology and In-novation (ICE/ITMC), 2017 International Con-ference on, pages 1066–1070. IEEE, 2017.

[54] Christopher D McDermott and Andrei Petrovski.Investigation of computational intelligence tech-niques for intrusion detection in wireless sensornetworks. 2017.

[55] Raj Jain and Hitesh Shah. An anomaly detec-tion in smart cities modeled as wireless sensornetwork. In Signal and Information Processing(IConSIP), International Conference on, pages1–5. IEEE, 2016.

[56] Hichem Sedjelmaci, Sidi Mohammed Senouci,and Mohamad Al-Bahri. A lightweight anomalydetection technique for low-resource iot devices:A game-theoretic methodology. In Communica-tions (ICC), 2016 IEEE International Confer-ence on, pages 1–6. IEEE, 2016.

[57] Vrizlynn LL Thing. Ieee 802.11 network anomalydetection and attack classification: A deep learn-ing approach. In Wireless Communications andNetworking Conference (WCNC), 2017 IEEE,pages 1–6. IEEE, 2017.

[58] Jorge Granjal and Artur Pedroso. An intrusiondetection and prevention framework for internet-integrated coap wsn. Security and Communica-tion Networks, 2018, 2018.

[59] Menachem Domb, Elisheva Bonchek-Dokow, andGuy Leshem. Lightweight adaptive random-forest for iot rule generation and execution. Jour-nal of Information Security and Applications,34:218–224, 2017.

[60] Bayu Adhi Tama and Kyung-Hyune Rhee. Anintegration of pso-based feature selection andrandom forest for anomaly detection in iot net-work. In MATEC Web of Conferences, volume159, page 02021. EDP Sciences, 2018.

[61] Hichem Sedjelmaci, Sidi Mohamed Senouci, and

ISeCure


Tarik Taleb. An accurate security game for low-resource iot devices. IEEE Transactions on Ve-hicular Technology, 66(10):9381–9393, 2017.

[62] Ismail Butun, Burak Kantarci, and Melike Erol-Kantarci. Anomaly detection and privacy preser-vation in cloud-centric internet of things. InCommunication Workshop (ICCW), 2015 IEEEInternational Conference on, pages 2610–2615.IEEE, 2015.

[63] Mee Lan Han, Jin Lee, Ah Reum Kang, Sung-wook Kang, Jung Kyu Park, and Huy Kang Kim.A statistical-based anomaly detection methodfor connected cars in internet of things environ-ment. In International Conference on Internetof Vehicles, pages 89–97. Springer, 2015.

[64] Sokratis Kartakis, Weiren Yu, Reza Akhavan,and Julie A McCann. Adaptive edge analyticsfor distributed networked control of water sys-tems. In Internet-of-Things Design and Imple-mentation (IoTDI), 2016 IEEE First Interna-tional Conference on, pages 72–82. IEEE, 2016.

[65] Douglas L Goodman, James Hofmeister, andRobert Wagoner. Advanced diagnostics andanomaly detection for railroad safety applica-tions: using a wireless, iot-enabled measurementsystem. In IEEE AUTOTESTCON, 2015, pages273–279. IEEE, 2015.

[66] Li Da Xu, Wu He, and Shancang Li. Internet ofthings in industries: A survey. IEEE Transac-tions on industrial informatics, 10(4):2233–2243,2014.

[67] Praveen Vijai and P Bagavathi Sivakumar. De-sign of iot systems and analytics in the contextof smart city initiatives in india. Procedia Com-puter Science, 92:583–588, 2016.

[68] Chih-Wei Ho, Chun-Ting Chou, Yu-Chun Chien,and Chia-Fu Lee. Unsupervised anomaly de-tection using light switches for smart nursinghomes. In Dependable, Autonomic and SecureComputing, 14th Intl Conf on Pervasive Intelli-gence and Computing, 2nd Intl Conf on Big DataIntelligence and Computing and Cyber Scienceand Technology Congress (DASC/PiCom/Dat-aCom/CyberSciTech), 2016 IEEE 14th Intl C,pages 803–810. IEEE, 2016.

[69] Arijit Ukil, Soma Bandyoapdhyay, ChetanyaPuri, and Arpan Pal. Iot healthcare analytics:The importance of anomaly detection. In Ad-vanced Information Networking and Applications(AINA), 2016 IEEE 30th International Confer-ence on, pages 994–997. IEEE, 2016.

[70] Cai Ming Liu, Si Yu Chen, Yan Zhang, Run Chen,and Kui Liang Guo. An iot anomaly detectionmodel based on artificial immunity. In AdvancedMaterials Research, volume 424, pages 625–628.Trans Tech Publ, 2012.

[71] Julie Greensmith. Securing the internet of thingswith responsive artificial immune systems. InProceedings of the 2015 Annual Conference onGenetic and Evolutionary Computation, pages113–120. ACM, 2015.

[72] Briana Arrington, LiEsa Barnett, Rahmira Ru-fus, and Albert Esterline. Behavioral modelingintrusion detection system (bmids) using inter-net of things (iot) behavior-based anomaly detec-tion via immunity-inspired algorithms. In Com-puter Communication and Networks (ICCCN),2016 25th International Conference on, pages1–6. IEEE, 2016.

[73] Sergio Trilles, Oscar Belmonte, Sven Schade, andJoaquın Huerta. A domain-independent method-ology to analyze iot data streams in real-time. aproof of concept implementation for anomaly de-tection from environmental data. InternationalJournal of Digital Earth, 10(1):103–120, 2017.

Morteza Behniafar is a Ph.D. can-didate at Malek Ashtar Universityof Technology, Tehran, Iran. He re-ceived his B.S. and M.S. degreesin computer engineering from Isfa-han University, Isfahan, Iran. His re-search interests include information

security, intrusion detection systems, anomaly detec-tion, trust and reputation models.

Alireza Norouzi is a freelance con-sultant advising government and pri-vate sector-related industries on in-formation technology. He had fouryears experience as an academic staffand an IT post doctoral position inSharif University of Technology. He

is a specialist in artificial intelligence, cognitive sci-ence, software engineering, and IT security, and isco-founder of four IT startups.

Hamid Reza Shahriari is cur-rently an assistant professor in theDepartment of Computer Engineer-ing and Information Technology atAmirkabir University of Technology.He received his Ph.D. in computerengineering from Sharif University of

Technology in 2007. His research interests include in-formation security, especially data privacy, softwarevulnerability analysis, security in E-commerce, trustand reputation models, and database security.

ISeCure

A Survey of Anomaly Detection Approaches in Internet of Things€¦ · A Survey of Anomaly...

Documents

Transcript of A Survey of Anomaly Detection Approaches in Internet of Things€¦ · A Survey of Anomaly...