IoT devices are known to be vulnerable to various cyber-attacks, such as data exfiltration and the execution of flooding attacks as part of a DDoS attack. When it comes to detecting such attacks using network traffic analysis, it has been shown that some attack scenarios are not always equally easy to detect if they involve different IoT models. That is, when targeted at some IoT models, a given attack can be detected rather accurately, while when targeted at others the same attack may result in too many false alarms. In this research, we attempt to explain this variability of IoT attack detectability and devise a risk assessment method capable of addressing a key question: how easy is it for an anomaly-based network intrusion detection system to detect a given cyber-attack involving a specific IoT model? In the process of addressing this question we (a) investigate the predictability of IoT network traffic, (b) present a novel taxonomy for IoT attack detection which also encapsulates traffic predictability aspects, (c) propose an expert-based attack detectability estimation method which uses this taxonomy to derive a detectability score (termed "D-Score") for a given combination of IoT model and attack scenario, and (d) empirically evaluate our method while comparing it with a data-driven method.
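The abstract's central observation is that the same flooding attack can be easy to detect against one IoT model and produce many false alarms against another. The following added example (not the paper's method, taxonomy or data) illustrates why traffic predictability drives this: a minimal anomaly-based detector learns a packets-per-second threshold from benign traffic of two constructed device profiles, a steady sensor and a bursty camera, and the identical constructed flood is then injected into each. All profile parameters, the K = 3 sigma threshold and the device names are assumptions chosen for the illustration.

```python
import random
import statistics

# Added illustration, not the paper's method or data: a minimal anomaly-based
# NIDS that learns a packets-per-second (pps) threshold from benign traffic and
# flags any second above mean + K * stddev. The same constructed flood is then
# applied to two constructed device profiles to show how benign-traffic
# predictability changes the detector's recall and false-alarm rate.

K = 3.0                              # sigma multiplier for the threshold (assumption)
TRAIN_SECS = 600                     # benign seconds used to fit the threshold
TEST_SECS = 600                      # seconds in the evaluation window
ATTACK_START, ATTACK_LEN = 300, 60   # flood window inside the evaluation window

def benign_traffic(secs, mean_pps, jitter, burst_prob, burst_pps, rng):
    """Constructed benign pps series: mean plus uniform jitter, with an
    occasional burst (probability burst_prob per second) of burst_pps extra packets."""
    series = []
    for _ in range(secs):
        pps = mean_pps + rng.uniform(-jitter, jitter)
        if rng.random() < burst_prob:
            pps += burst_pps
        series.append(max(0.0, pps))
    return series

def inject_flood(series, start, length, extra_pps):
    """Overlay a constant-rate flood (constructed attack) on part of a series."""
    out = list(series)
    for t in range(start, min(len(out), start + length)):
        out[t] += extra_pps
    return out

def fit_threshold(train, k=K):
    """Threshold learned from benign training traffic only."""
    mu = statistics.mean(train)
    sigma = statistics.pstdev(train) or 1e-9
    return mu + k * sigma

def evaluate_profile(name, mean_pps, jitter, burst_prob, burst_pps, flood_pps, seed=7):
    """Fit on benign traffic, then evaluate on benign traffic with a flood inserted.
    Returns recall on attack seconds and the false-positive rate on benign seconds."""
    rng = random.Random(seed)
    train = benign_traffic(TRAIN_SECS, mean_pps, jitter, burst_prob, burst_pps, rng)
    test = benign_traffic(TEST_SECS, mean_pps, jitter, burst_prob, burst_pps, rng)
    threshold = fit_threshold(train)
    observed = inject_flood(test, ATTACK_START, ATTACK_LEN, flood_pps)
    tp = fp = fn = tn = 0
    for t, pps in enumerate(observed):
        is_attack = ATTACK_START <= t < ATTACK_START + ATTACK_LEN
        alarm = pps > threshold
        if alarm and is_attack:
            tp += 1
        elif alarm:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return {"device": name, "threshold": round(threshold, 2),
            "recall": tp / (tp + fn), "fpr": fp / (fp + tn)}

def compare_profiles(flood_pps=5.0):
    """Same flood against two constructed device profiles.
    steady-sensor: 10 pps +/- 1, no bursts.  bursty-camera: same base rate, but
    5% of seconds carry a +30 pps burst, which inflates the learned threshold."""
    steady = evaluate_profile("steady-sensor", 10.0, 1.0, 0.0, 0.0, flood_pps)
    bursty = evaluate_profile("bursty-camera", 10.0, 1.0, 0.05, 30.0, flood_pps)
    return steady, bursty

if __name__ == "__main__":
    for result in compare_profiles():
        print(result)
```

Against the steady profile the flood lands well above the learned threshold and every attack second is caught with no benign second flagged; against the bursty profile the benign bursts both raise the threshold (so most flood seconds are missed) and themselves trip it (so benign seconds raise alarms). The detector and the attack are identical in both runs; only the device's baseline predictability differs, which is the variability the abstract sets out to explain and score.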