Behavioral complexity analysis of networked systems to identify malware attacks
Date
2020
Authors
Haefner, Kyle, author
Ray, Indrakshi, advisor
Ben-Hur, Asa, committee member
Gersch, Joe, committee member
Hayne, Stephen, committee member
Ray, Indrajit, committee member
Abstract
Internet of Things (IoT) environments are often composed of a diverse set of devices that span a broad range of functionality, making them a challenge to secure. This diversity of function leads to a commensurate diversity in network traffic: some devices have simple network footprints, while others have complex ones. This network complexity in a device's traffic provides a differentiator that the network can use to distinguish which devices are most effectively managed autonomously and which are not. This study proposes an informed autonomous learning method that quantifies the complexity of a device based on its historic traffic and applies this complexity metric to build a probabilistic model of the device's normal behavior using a Gaussian Mixture Model (GMM). This method yields an anomaly detection classifier with inlier probability thresholds customized to the complexity of each device, without requiring labeled data. The model's efficacy is then evaluated using seven common types of real malware traffic and across four device datasets of network traffic: one residential-based, two from labs, and one consisting of commercial automation devices. The results of the analysis of over 100 devices and 800 experiments show that the model leads to highly accurate representations of the devices and a strong correlation between the measured complexity of a device and the accuracy with which its network behavior can be modeled.
Description
Zip file contains supplementary images.
Subject
cyber-security
anomaly-detection
IoT