ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks

The fast-growing Internet-of-Things (IoT) market has opened up a large threat landscape, given the wide deployment of IoT devices in both consumer and commercial spaces. Attacks on IoT devices generally consist of multiple stages and are dispersed spatially and temporally. These characteristics make it challenging to detect and identify the attack stages using solutions that tend to be localized in space and time. In this work, we present Adept, a distributed framework to detect and identify the individual attack stages in a coordinated attack. Adept works in three phases. First, network traffic of IoT devices is processed locally for detecting anomalies with respect to their benign profiles. Any alert corresponding to a potential anomaly is sent to a security manager, where aggregated alerts are mined, using frequent itemset mining (FIM), for detecting patterns correlated across both time and space. Finally, using both alert-level and pattern-level information as features, we employ a machine learning approach to identify individual attack stages in the generated alerts. We carry out extensive experiments, with emulated and realistic network traffic; the results demonstrate the effectiveness of the proposed framework in terms of its ability in attack-stage detection and identification.