Hitting Moving Targets: Intelligent Prevention of IoT Intrusions on the Fly

Massive Internet of Things (IoT) devices have been playing a critical role in both the cyber and physical worlds. Various cyber attacks pose significant risks to IoT. Machine learning-based intrusion detection system (IDS) has earned much research attention. However, the intrusion prevention system (IPS) is rarely explored. Realtime intrusion prevention is quite challenging because the decision has to be made during a flow rather than after it finishes. Restricted by aligning with the shortest flows, existing IPSs generally inspect only the very first packets, leading to information loss for accurate detection. In this article, we first measure the information loss quantitatively. Then we devise Sniper, an IoT IPS scheme consisting of a flow length predictor, a novel feature space, and an enhanced ensemble learning algorithm. The flow length predictor guides a proper prevention time point to preserve as much information as possible. The proposed Markov matrix-based feature encoding method further saves more information than existing ones. The enhanced learning algorithm ensures a low-false positive rate (FPR), which is critical for IPSs. We benchmark Sniper with one closed-world and three open-world data sets. The results show that Sniper achieves a 99.89% prevention rate and 0.03% FPR, which is superior to the five state-of-the-art baseline models.