Progressive Monitoring of IoT Networks Using SDN and Cost-Effective Traffic Signatures
Authors: Arman Pashamokhtari, H. Gharakheili, V. Sivaraman
Venue: 2020 Workshop on Emerging Technologies for Security in IoT (ETSecIoT)
Published: 2020-04-01
DOI: 10.1109/ETSecIoT50046.2020.00005 (https://doi.org/10.1109/ETSecIoT50046.2020.00005)
Citation count: 8 (platform: Semanticscholar)
IoT networks continue to expand in various domains, from smart homes and campuses to smart cities and critical infrastructures. It has been shown that IoT devices typically lack appropriate embedded security measures, and hence are increasingly becoming the target of sophisticated cyber-attacks. Also, these devices are heterogeneous in their network communications, which makes it difficult for operators of smart environments to manage them at scale. Existing monitoring solutions may perform well in certain environments; however, they do not scale cost-effectively and are inflexible to changes due to their static use of models. In this paper, we use SDN to dynamically monitor a selected portion of IoT packets or flows, and develop specialized models to learn corresponding traffic signatures. Our first contribution develops a progressive inference pipeline, comprising a number of machine-learning models, each specialized in certain features of IoT traffic. Our inference engine dynamically obtains selected telemetry, including a subset of traffic or flow counters, using SDN techniques. Our second contribution develops three supervised multi-class classifiers: two are protocol specialists trained on packet-based features, and one is a flow-based model trained on behavioral characteristics of ten unidirectional flows. Our third contribution evaluates the performance of our scheme by replaying real traffic traces of 26 IoT devices onto an SDN switching simulator in conjunction with three trained Random Forest models. Our system yields an overall accuracy of 99.4%. We also integrate our system with an off-the-shelf IDS (Zeek) to flag TCP flood and reflection attacks by inspecting only the suspicious device network traffic.