Score-VAE: Root Cause Analysis for Federated-Learning-Based IoT Anomaly Detection

Root cause analysis is the process of identifying the underlying factors responsible for triggering anomaly detection alarms. In the context of anomaly detection for Internet of Things (IoT) traffic, these alarms can be triggered by various factors, not all of which are malicious attacks. It is crucial to determine whether a malicious attack or benign operations cause an alarm. To address this challenge, we propose an innovative root cause analysis system called score-variational autoencoder (VAE), designed to complement existing IoT anomaly detection systems based on the federated learning (FL) framework. Score-VAE harnesses the full potential of the VAE network by integrating its training and testing schemes strategically. This integration enables Score-VAE to effectively utilize the generation and reconstruction capabilities of the VAE network. As a result, it exhibits excellent generalization, lifelong learning, collaboration, and privacy protection capabilities, all of which are essential for performing root cause analysis on IoT systems. We evaluate Score-VAE using real-world IoT trace data collected from various scenarios. The evaluation results demonstrate that Score-VAE accurately identifies the root causes behind alarms triggered by IoT anomaly detection systems. Furthermore, Score-VAE outperforms the baseline methods, providing superior performance in discovering root causes and delivering more accurate results.