SA-IDS: A single attribute intrusion detection system for Slow DoS attacks in IoT networks

IF 6 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Internet of Things Pub Date : 2025-02-07 DOI:10.1016/j.iot.2025.101512

Andy Reed, Laurence Dooley, Soraya Kouadri Mostefaoui

{"title":"SA-IDS: A single attribute intrusion detection system for Slow DoS attacks in IoT networks","authors":"Andy Reed, Laurence Dooley, Soraya Kouadri Mostefaoui","doi":"10.1016/j.iot.2025.101512","DOIUrl":null,"url":null,"abstract":"<div><div>Internet of Things (IoT) technologies are expanding and pervade evermore application domains bringing a raft of positive user benefits. However, the matter of application layer security and the omnipresent danger of Denial of Service (DoS) attacks remains a significant risk to effective IoT performance. DoS is especially serious in IoT networks given the propensity for malicious nodes to mimic legitimate nodes encountering slow connectivity, a problem intensified in very stochastic traffic environments where higher node latencies create even stealthier Slow DoS conditions.</div><div>The contribution this paper presents is a flexible <em>single attribute intrusion detection system</em> (SA-IDS) for IoT networks, which employs a novel variable threshold range for just the delta time network attribute, to accurately detect Slow DoS attacks in highly stochastic traffic, while crucially still being able to reliably discriminate malicious from legitimate slow node activity. Experimental results in a live IoT network compellingly demonstrate the superior detection performance of SA-IDS under the stealthiest Slow DoS attack conditions, where genuine nodes with high latency are almost indistinguishable from malicious nodes, thus rendering existing Slow DoS detection methods ineffective that rely solely on static thresholds based on network traffic attribute analysis.</div></div>","PeriodicalId":29968,"journal":{"name":"Internet of Things","volume":"30 ","pages":"Article 101512"},"PeriodicalIF":6.0000,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Internet of Things","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2542660525000253","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Internet of Things (IoT) technologies are expanding and pervade evermore application domains bringing a raft of positive user benefits. However, the matter of application layer security and the omnipresent danger of Denial of Service (DoS) attacks remains a significant risk to effective IoT performance. DoS is especially serious in IoT networks given the propensity for malicious nodes to mimic legitimate nodes encountering slow connectivity, a problem intensified in very stochastic traffic environments where higher node latencies create even stealthier Slow DoS conditions.

The contribution this paper presents is a flexible single attribute intrusion detection system (SA-IDS) for IoT networks, which employs a novel variable threshold range for just the delta time network attribute, to accurately detect Slow DoS attacks in highly stochastic traffic, while crucially still being able to reliably discriminate malicious from legitimate slow node activity. Experimental results in a live IoT network compellingly demonstrate the superior detection performance of SA-IDS under the stealthiest Slow DoS attack conditions, where genuine nodes with high latency are almost indistinguishable from malicious nodes, thus rendering existing Slow DoS detection methods ineffective that rely solely on static thresholds based on network traffic attribute analysis.

查看原文本刊更多论文

SA-IDS：物联网网络中针对慢速DoS攻击的单属性入侵检测系统

物联网（IoT）技术正在扩展并渗透到越来越多的应用领域，为用户带来了大量积极的利益。然而，应用层安全和无处不在的拒绝服务（DoS）攻击的危险仍然是物联网有效性能的重大风险。在物联网网络中，DoS尤其严重，因为恶意节点倾向于模仿遇到缓慢连接的合法节点，这个问题在非常随机的流量环境中加剧，在这种环境中，更高的节点延迟会产生更隐蔽的缓慢DoS条件。本文提出的贡献是针对物联网网络的灵活的单属性入侵检测系统（SA-IDS），该系统仅采用增量时间网络属性的新颖可变阈值范围，以准确检测高度随机流量中的慢速DoS攻击，同时至关重要的是仍然能够可靠地区分恶意和合法的慢速节点活动。在物联网实时网络中的实验结果令人信服地证明了SA-IDS在最隐蔽的慢速DoS攻击条件下的卓越检测性能，在这种情况下，具有高延迟的真实节点与恶意节点几乎无法区分，从而使得现有的仅依赖基于网络流量属性分析的静态阈值的慢速DoS检测方法无效。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Internet of Things Multiple-

CiteScore

3.60

自引率

5.10%

发文量

115

审稿时长

37 days

期刊介绍： Internet of Things; Engineering Cyber Physical Human Systems is a comprehensive journal encouraging cross collaboration between researchers, engineers and practitioners in the field of IoT & Cyber Physical Human Systems. The journal offers a unique platform to exchange scientific information on the entire breadth of technology, science, and societal applications of the IoT. The journal will place a high priority on timely publication, and provide a home for high quality. Furthermore, IOT is interested in publishing topical Special Issues on any aspect of IOT.