Conference Paper (PDF available)

IoT Network Attack Detection: Leveraging Graph Learning for Enhanced Security

Authors:
  • Université Lumiere Lyon 2 - Laboratoire ERIC
IoT Network Attack Detection: Leveraging Graph Learning for Enhanced Security
Mohamed-Lamine MESSAI
Associate Professor
ERIC Laboratory, Lyon, France
GRASEC @ ARES Conference 2023 - August 29 - September 01, 2023
Benevento, Italy
Mohamed-Lamine MESSAI Associate Professor ERIC Laboratory, Lyon, France
IoT Network Attack Detection: Leveraging Graph Learning for Enhanced Security
Contents
1. Introduction
2. Related work
3. Proposed solution
4. Evaluation
5. Conclusion
Introduction: IoT networks
  • Distributed networks of small, lightweight wireless nodes
  • Monitor the environment by measuring physical parameters such as temperature, pressure, humidity, etc.
  • An IoT / sensor device: sensing + processing + communicating wirelessly + battery
  • Networks with resource-constrained devices | diverse applications
Network model: IoT networks (figure; only its labels survive extraction)
Figure labels: Remote server; Gateway; Data storage, processing and analysis; Bi-directed link; Sensor node; Data aggregation, processing; Data sensing and collecting; IoT Platform; ML algorithms; Poisoning attacks.
Why IoT networks?
  • IoT applications identified as the most vulnerable applications [Butun et al., 2019]
  • 67 Zettabytes of data are generated by IoT and sensor devices in 2020 [CISCO estimation, Ferreboeuf et al. 2021]
  • From the top 10 IoT Vulnerabilities [OWASP Internet of Things Project]:
      • Lack of device security management
      • Lack of physical hardening
=> Detecting intrusion is an important issue.
Types of Anti-intrusion systems
Intrusion Detection Systems (IDS)
Our solution is a network-based IDS
Why graphs?
  • Relational data => a graph representation is well adapted
  • An attack can be a combination of steps: on the same host or across a set of connected hosts
  • Represent multi-host attacks in a network
Graphs
  • An attributed graph can be constructed to contain information from a computer network.
  • Detecting attacks by collecting various information from the network.
Existing works
  • Resource-consuming and consequently not scalable
Our solution framework
Dataset: TON_IoT
  • A recent binary-class labeled dataset specially designed for detecting attacks in a real-world IoT environment
  • It includes various types of data, such as sensor readings, network traffic, and IoT device interactions
  • Represents different kinds of attacks: DoS, DDoS, scanning attack, backdoor, etc.
Preliminary results
GraphSage for node embedding. Activity window = 30 seconds.

Algorithm          Accuracy  Precision  Recall  F1-score
Decision tree         97%       96%       96%      96%
Random forest         98%       98%       98%      98%
KNN                   98%       97%       98%      96%
SVM                   93%       92%       93%      91%
Gradient Boosting     97%       96%       96%      96%
MLP                   99%       99%       99%      99%
Table: Performance of different AI algorithms in our framework
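The attributed-graph construction from the Graphs slide and the windowed GraphSage node embedding from the results slide, as an added example in Python that is not code from the talk or the GLADIS project: the flow records are constructed samples, the 30-second activity window is taken from the slide, and the node attributes (flow counts, distinct peers, distinct destination ports, share of rejected or unanswered connections) and the unweighted two-hop mean aggregator are this example's own choices (GraphSAGE proper learns weight matrices on top of this aggregation step).

```python
"""Windowed attributed graph from flow records + GraphSAGE-style mean embedding.
Added illustration, not code from the talk or the GLADIS project: the flows are
constructed samples, the 30-second window follows the slide, and the node
attributes and unweighted two-hop mean aggregator are this example's choices."""
from collections import defaultdict
import math

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes, conn_state)
FLOWS = [
    (0.0,  "10.0.0.5", "10.0.0.1", 1883, 512, "SF"),   # MQTT telemetry, completed
    (3.2,  "10.0.0.6", "10.0.0.1", 1883, 498, "SF"),
    (10.5, "10.0.0.9", "10.0.0.5",   22,  60, "REJ"),  # one host probing many ports
    (10.6, "10.0.0.9", "10.0.0.5",   23,  60, "REJ"),
    (10.7, "10.0.0.9", "10.0.0.6",   80,  60, "REJ"),
    (12.0, "10.0.0.9", "10.0.0.1",  443,  60, "S0"),
    (31.0, "10.0.0.5", "10.0.0.1", 1883, 530, "SF"),   # lands in the next window
]
WINDOW_S = 30.0  # activity window length used on the results slide

def window_graphs(flows, window=WINDOW_S):
    """One undirected graph per window: nodes are hosts carrying counters (flows
    out/in, distinct peers, distinct dst ports, rejected or unanswered flows),
    edges join host pairs that exchanged at least one flow."""
    new_node = lambda: {"out": 0, "in": 0, "peers": set(), "ports": set(), "bad": 0}
    graphs = defaultdict(lambda: {"nodes": defaultdict(new_node), "edges": set()})
    for ts, src, dst, port, _size, state in flows:
        g = graphs[int(ts // window)]
        s, d = g["nodes"][src], g["nodes"][dst]
        s["out"] += 1; d["in"] += 1
        s["peers"].add(dst); d["peers"].add(src); s["ports"].add(port)
        if state in ("REJ", "S0"):  # Zeek-style states: rejected / never answered
            s["bad"] += 1
        if src != dst:
            g["edges"].add(frozenset((src, dst)))
    return graphs

def features(g):
    """Fixed-length vector per host: [out, in, peers, ports, share of bad flows]."""
    return {h: [float(a["out"]), float(a["in"]), float(len(a["peers"])),
                float(len(a["ports"])), a["bad"] / a["out"] if a["out"] else 0.0]
            for h, a in g["nodes"].items()}

def sage_embed(g, hops=2):
    """GraphSAGE mean aggregator with no learned weights: per hop a node's vector
    becomes [own || mean of neighbours], L2-normalised; dim 5 -> 10 -> 20."""
    nbrs = defaultdict(set)
    for e in g["edges"]:
        a, b = tuple(e)
        nbrs[a].add(b); nbrs[b].add(a)
    h = features(g)
    for _ in range(hops):
        nxt = {}
        for v, x in h.items():
            n, dim = nbrs[v], len(x)
            mean = [sum(h[u][i] for u in n) / len(n) for i in range(dim)] if n else [0.0] * dim
            vec = x + mean
            norm = math.sqrt(sum(c * c for c in vec)) or 1.0
            nxt[v] = [c / norm for c in vec]
        h = nxt
    return h
```

The per-window embeddings are what a downstream classifier such as the MLP in the table would consume; the probing host 10.0.0.9 stands out already in its raw features (four ports, all flows rejected or unanswered), and the aggregation step additionally pushes that signal into the vectors of the hosts it touched.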
Comparison: Preliminary results
Table: Comparison Results

Approaches     ML algorithm    Precision  Recall  F1-score
GODIT [1]      decision tree      92%      92%      92%
Our approach   MLP                99%      99%      99%

[1] Ramesh Paudel, Timothy Muncy, and William Eberle. 2019. Detecting DoS Attack in Smart Home IoT Devices Using a Graph-Based Approach. In 2019 IEEE International Conference on Big Data (Big Data).
Conclusion
  • IoT networks: a rich source of applications and problems
  • Attack detection is critical in IoT networks, as they suffer from security vulnerabilities
  • Graph-based security solutions: detect attacks and also linked attacks
  • Perspective: compare our approach with other existing graph-based attack detection methods for IoT networks whose code is available.
This work is funded by the Agence Nationale de la Recherche (ANR) under grant ANR-20-CE39-0008.
https://gladis.projet.liris.cnrs.fr/
Thank you for your attention!
Article
The IoT’s quick development has brought up several security problems and issues that cannot be solved using traditional intelligent systems. Deep learning (DL) in the field of artificial intelligence (AI) has proven to be efficient, with many advantages that can be used to address IoT cybersecurity concerns. This study trained two models of intelligent networks—namely, DenseNet and Inception Time—to detect cyber-attacks based on a multi-class classification method. We began our investigation by measuring the performance of these two networks using three datasets: the ToN-IoT dataset, which consists of heterogeneous data; the Edge-IIoT dataset; and the UNSW2015 dataset. Then, the results were compared by identifying several cyber-attacks. Extensive experiments were conducted on standard ToN-IoT datasets using the DenseNet multicategory classification model. The best result we obtained was an accuracy of 99.9% for Windows 10 with DenseNet, but by using the Inception Time approach we obtained the highest result for Windows 10 with the network, with 100% accuracy. As for using the Edge-IIoT dataset with the Inception Time approach, the best result was an accuracy of 94.94%. The attacks were also assessed in the UNSW-NB15 database using the Inception Time approach, which had an accuracy rate of 98.4%. Using window sequences for the sliding window approach and a six-window size to start training the Inception Time model yielded a slight improvement, with an accuracy rate of 98.6% in the multicategory classification.
Conference Paper
Enterprise networks evolve constantly over time. In addition to the network topology, the order of information flow is crucial to detect cyber-threats in a constantly evolving network. The majority of existing techniques use static snapshots to learn from a dynamic network. However, using static snapshots is not sufficient as it largely ignores highly granular temporal information and leads to information loss due to approximation of aggregation granularity. In this work, we propose PIKACHU, a sophisticated, unsupervised, temporal walk-based dynamic network embedding technique that can capture both network topology as well as highly granular temporal information. PIKACHU learns the appropriate and meaningful representation by preserving the temporal order of nodes. This is important information to detect Advanced Persistent Threat (APT) as temporal order helps to understand the lateral movement of the attacker. Experiments on two open-source datasets, LANL and OpTC, demonstrated the effectiveness in detecting network anomalies. PIKACHU achieves a True Positive Rate (TPR) of 95.1% on LANL and 98.7% on the OpTC dataset. Furthermore, in the LANL dataset, it achieves a 4.65% reduction in False Positive Rate (FPR) despite a similar area under the ROC curve (AUC). In the OpTC dataset, a 16% improvement in AUC was obtained in comparison to the other state-of-the-art approaches.
Article
Although the Internet of Things (IoT) can increase efficiency and productivity through intelligent and remote management, it also increases the risk of cyber-attacks. The potential threats to IoT applications and the need to reduce risk have recently become an interesting research topic. It is crucial that effective Intrusion Detection Systems (IDSs) tailored to IoT applications be developed. Such IDSs require an updated and representative IoT dataset for training and evaluation. However, there is a lack of benchmark IoT and IIoT datasets for assessing IDSs-enabled IoT systems. This paper addresses this issue and proposes a new data-driven IoT/IIoT dataset with the ground truth that incorporates a label feature indicating normal and attack classes, as well as a type feature indicating the sub-classes of attacks targeting IoT/IIoT applications for multi-classification problems. The proposed dataset, which is named TON_IoT, includes Telemetry data of IoT/IIoT services, as well as Operating Systems logs and Network traffic of IoT network, collected from a realistic representation of a medium-scale network at the Cyber Range and IoT Labs at the UNSW Canberra (Australia). This paper also describes the proposed dataset of the Telemetry data of IoT/IIoT services and their characteristics. TON_IoT has various advantages that are currently lacking in the state-of-the-art datasets: i) it has various normal and attack events for different IoT/IIoT services, and ii) it includes heterogeneous data sources. We evaluated the performance of several popular Machine Learning (ML) methods and a Deep Learning model in both binary and multi-class classification problems for intrusion detection purposes using the proposed Telemetry dataset. INDEX TERMS Internet of Things (IoT), Industrial Internet of Things (IIoT), cybersecurity, intrusion detection systems (IDSs), dataset.
Article
Deep learning (DL) greatly enhances binary anomaly detection capabilities through effective statistical network characterization; nevertheless, the intrusion class differentiation performance is still insufficient. Two related challenges have not been fully explored. 1) Statistical attack characteristics are overemphasized while ignoring inherent attack topologies; sequence features are extracted from whole traffic flows, but the interaction evolution of each IP pair over time is rarely considered, such as in long short-term memory (LSTM) and gated recurrent units (GRUs). 2) Meeting the need for many high-quality labeled data samples is an expensive and labor-intensive task in large-scale, complex, and heterogeneous networks. To address these issues, we propose a dynamic line graph neural network (DLGNN)-based intrusion detection method with semisupervised learning. Our model converts network traffic into a series of spatiotemporal graphs. A dynamic GNN (DGNN) is employed to extract spatial information from each discrete snapshot and capture the contextual evolution of communication between IP pairs through consecutive snapshots. Moreover, a line graph realizes edge embedding expressions corresponding to network communications and strengthens the message aggregation ability of graph convolution. Experiments on 6 novel datasets demonstrate that our approach achieves 98.15–99.8% accuracy in abnormality detection with fewer labeled samples. Meanwhile, state-of-the-art multiclass performance is achieved, e.g., the average detection accuracy for DDoS across the 6 datasets reaches 95.32%.
Article
Given a stream of graph edges from a dynamic graph, how can we assign anomaly scores to edges in an online manner, for the purpose of detecting unusual behavior, using constant time and memory? Existing approaches aim to detect individually surprising edges. In this work, we propose Midas, which focuses on detecting microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, such as lockstep behavior, including denial of service attacks in network traffic data. We further propose Midas-F, to solve the problem by which anomalies are incorporated into the algorithm's internal states, creating a "poisoning" effect that can allow future anomalies to slip through undetected. Midas-F introduces two modifications: (1) we modify the anomaly scoring function, aiming to reduce the "poisoning" effect of newly arriving edges; (2) we introduce a conditional merge step, which updates the algorithm's data structures after each time tick, but only if the anomaly score is below a threshold value, also to reduce the "poisoning" effect. Experiments show that Midas-F has significantly higher accuracy than Midas. In general, the algorithms proposed in this work have the following properties: (a) they detect microcluster anomalies while providing theoretical guarantees about the false positive probability; (b) they are online, thus processing each edge in constant time and constant memory, and also process the data orders of magnitude faster than state-of-the-art approaches; and (c) they provide up to 62% higher area under the receiver operating characteristic curve than state-of-the-art approaches.
Article
Detecting anomalies for dynamic graphs has drawn increasing attention due to their wide applications in social networks, e-commerce, and cybersecurity. Recent deep learning-based approaches have shown promising results over shallow methods. However, they fail to address two core challenges of anomaly detection in dynamic graphs: the lack of informative encoding for unattributed nodes and the difficulty of learning discriminative knowledge from coupled spatial-temporal dynamic graphs. To overcome these challenges, in this paper, we present a novel transformer-based Anomaly Detection framework for dynamic graphs (TADDY). Our framework constructs a comprehensive node encoding strategy to better represent each node's structural and temporal roles in an evolving graph stream. Meanwhile, TADDY captures informative representation from dynamic graphs with coupled spatial-temporal patterns via a dynamic graph transformer model. The extensive experimental results demonstrate that our proposed TADDY framework outperforms the state-of-the-art methods by a large margin on six real-world datasets.
Article
Over the last forty years, research on anomalies has received intensified interest, and the burst of information has attracted more attention to anomalies because of their significance in a wide range of disciplines. Anomaly detection, which aims to identify these rare observations, is among the most vital tasks and has shown its power in preventing detrimental events, such as financial fraud, network intrusion, and social spam, from happening. The detection task is typically solved by detecting outlying data in the feature space and inherently overlooks the structural information. Graphs have been prevalently used to preserve structural information, and this raises the graph anomaly detection problem - identifying anomalous graph objects (nodes, edges, sub-graphs, and graphs). However, conventional anomaly detection techniques cannot well solve this problem because of the complexity of graph data. For the aptitudes of deep learning in breaking these limitations, graph anomaly detection with deep learning has received intensified study recently. In this survey, we aim to provide a systematic and comprehensive review of the contemporary deep learning techniques for graph anomaly detection. We also highlight twelve extensive future research directions according to our survey results, covering emerging problems introduced by graph data, anomaly detection and real applications.
Chapter
The recent development in mobile computing has resulted in the widespread application of the Internet of Things (IoT). IoT promises a world where smart and intelligent communication from most devices is possible through the Internet anywhere, anytime, with the least possible human assistance. However, security and privacy are major concerns of IoT which could affect its sustainable development. In this work, we have dealt with IoT security from two main perspectives, namely IoT architecture and protocols. We discuss the different layers in the IoT architecture and investigate the security concerns associated with each IoT layer along with their possible solutions. We have reviewed various protocols in the IoT layered architecture and the security mechanisms developed for each protocol. Also, we provide certain future directions of possible research for IoT security.