Detecting Internet of Things attacks using distributed deep learning

摘要

The reliability of Internet of Things (IoT) connected devices is heavily dependent on the security model employed to protect user data and prevent devices from engaging in malicious activity. Existing approaches for detecting phishing, distributed denial of service (DDoS), and Botnet attacks often focus on either the device or the backend. In this paper, we propose a cloud-based distributed deep learning framework for phishing and Botnet attack detection and mitigation. The model comprises two key security mechanisms working cooperatively, namely: (1) a Distributed Convolutional Neural Network (DCNN) model embedded as an IoT device micro-security addon for detecting phishing and application layer DDoS attacks; and (2) a cloud-based temporal Long-Short Term Memory (LSTM) network model hosted on the back-end for detecting Botnet attacks, and ingest CNN embeddings to detect distributed phishing attacks across multiple IoT devices. The distributed CNN model, embedded into a ML engine in the client's IoT device, allows us to detect and defend the IoT device from phishing attacks at the point of origin. We create a dataset consisting of both phishing and non-phishing URIs to train the proposed CNN add-on security model, and select the N_BaIoT dataset for training the back-end LSTM model. The joint training method minimizes communication and resource requirements for attack detection, and maximizes the usefulness of extracted features. In addition, an aggregation of schemes allows the automatic fusion of multiple requests to improve the overall performance of the system. Our experiments show that the IoT micro-security add-on running the proposed CNN model is capable of detecting phishing attacks with an accuracy of 94.3% and a F-1 score of 93.58%. Using the back-end LSTM model, the model detects Botnet attacks with an accuracy of 94.80% using all malicious data points in the used dataset Thus, the findings demonstrate that the proposed approach is capable of detecting attacks, both at device and at the back-end level, in a distributed fashion.