ABSTRACT

The Internet of Things (IoT) is an emerging technology field in which large numbers of physical objects communicate with each other using Internet technology. IoT solutions are very diverse, ranging from simple toys to industrial applications. There are currently billions of IoT devices connected to the Internet, and this number has been growing exponentially in recent years. The large amount of data generated by the many devices in an IoT network makes it difficult to collect and analyze all of it. This growth also brings a growing security concern: with IoT devices deployed in the industrial and healthcare sectors, for example, a security incident can have far-reaching consequences in the real world. It is imperative to detect attacks as fast as possible, in time to prevent significant damage. The continuous flow of data can be handled with a stream processing approach, a data processing paradigm in which high-rate data sources are processed and results are generated on the fly. Based on this approach, we propose SPATIO (end-uSer Protection Against ioT IntrusiOns), an anomaly detection system designed for the IoT that uses machine learning to discover and alert on anomalies happening in an IoT network. SPATIO takes a fog computing approach, using devices already on the IoT network, such as routers, to collect network traffic and transform it into flow metrics. Performing this transformation closer to the edge reduces the bandwidth cost on the network and allows the data to be anonymized before it is sent outside the network, to the cloud or to a server running an outlier detection algorithm that generates timely alerts of network anomalies. We evaluate SPATIO by developing a prototype and testing it on an existing public dataset of IoT attacks. We measured the accuracy of the machine learning approach, reaching a detection rate close to 80% in the best scenario, and compared the performance of offloading work to gateway devices in the IoT network against a centralized approach; the fog approach shows advantages in both network load and attack detection latency.
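To make the gateway-side pipeline described above concrete, the following added example (not SPATIO's own code) aggregates constructed packet records into windowed flow metrics, pseudonymises addresses with a keyed hash before they leave the local network, and flags outlier flows with a robust median/MAD rule; the record fields, key, window size and cutoff are assumptions.

```python
"""Added example (not SPATIO's own code): a minimal fog-gateway pipeline that
turns constructed packet records into flow metrics, pseudonymises addresses
with a keyed hash before they leave the network, and flags outlier flows with
a median/MAD rule. Field names, key, window and cutoff are assumptions."""
import hashlib
import statistics
from collections import defaultdict

# Constructed sample of packet records: (timestamp s, src, dst, dport, bytes).
# Four sensors publish a few MQTT packets; one device emits a 400-packet burst.
PACKETS = [
    (0.0, "192.168.1.10", "10.0.0.5", 1883, 120),
    (0.5, "192.168.1.10", "10.0.0.5", 1883, 118),
    (1.2, "192.168.1.11", "10.0.0.5", 1883, 122),
    (1.9, "192.168.1.12", "10.0.0.5", 1883, 119),
    (2.4, "192.168.1.13", "10.0.0.5", 1883, 121),
] + [(3.0 + i * 0.001, "192.168.1.20", "10.0.0.5", 23, 60) for i in range(400)]

GATEWAY_KEY = b"constructed-demo-key"  # per-gateway secret; rotate in practice


def pseudonymise(addr: str) -> str:
    """Keyed hash: the cloud can correlate a device without learning its IP."""
    return hashlib.blake2b(addr.encode(), key=GATEWAY_KEY, digest_size=8).hexdigest()


def flow_metrics(packets, window=5.0):
    """Aggregate packets into per-window flow records: count, bytes, duration."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dst, dport, size in packets:
        key = (int(ts // window), pseudonymise(src), pseudonymise(dst), dport)
        f = flows[key]
        f["pkts"] += 1
        f["bytes"] += size
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return {k: dict(v, duration=v["last"] - v["first"]) for k, v in flows.items()}


def outliers(flows, metric="pkts", cutoff=3.5):
    """Robust z-score (median/MAD); returns flow keys whose metric is anomalous.
    A zero MAD (most flows identical) falls back to 1.0 to avoid division by zero."""
    values = [f[metric] for f in flows.values()]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return [k for k, f in flows.items() if 0.6745 * abs(f[metric] - med) / mad > cutoff]
```

Only the compact flow records, not the raw packets or real addresses, would cross the network boundary, which is the bandwidth and anonymisation benefit the fog placement is meant to provide.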