Data driven intrusion detection for 6LoWPAN based IoT systems

Wide adoption of Internet of Things (IoT) devices and their limitations in terms of hardware cause them to be easy targets for attackers. This, in turn, requires monitoring such systems using intrusion detection systems and take mitigative actions against insider and outsider attackers. Recent studies have explored that machine learning based intrusion detection systems are quite successful in detecting different types of cyber threats targeting IoT systems. However, the proposed systems in these studies incurred limitations in terms of the characteristics of their datasets and detection models. Specifically, a big proportion of the proposed models were developed using simulation-based data generated through specific simulators. Some of these studies also used previously published testbed data that contain the samples of outdated IoT attacks and vulnerabilities. Furthermore, they focused on a lower attack variety and proposed binary classifiers which do not scale in multi-attack scenarios. In this study, we propose a machine learning based multi-class classifier that can classify 6 attack types together with the benign traffic. Our node based feature extraction and detection methodology allows locating the network addresses of the attackers, rather than a rough network level attack existence information, by modeling their traffic characteristics over a sliding time window. For training and testing our models, we also propose an intrusion detection dataset generated using the traffic data collected from real IoT devices running with 6LoWPAN and RPL protocols. Besides having RPL routing attacks in the dataset, we leverage Mirai botnet, employed frequently to target IoT devices. The results show that the proposed intrusion detection system can detect 6 attack types with high recall scores ranging from 79% to 100%. We also illustrate the practicality of the developed model via deployment in a proof of concept implementation over a testbed.