IoT devices present a series of liabilities to administrators that aim for fully secure networks. Owing to their heterogeneity and limited processing power, administrators often implement monitoring mechanisms to prevent unauthorized use of resources and data exfiltration. However, most approaches allow for easy discrimination of private behavioral patterns of its users or nodes by their MAC or IP addresses. Inferring data exchange patterns at the physical layer is a more complex task, as a single signal power indicator may correspond to a mixture of simultaneous data transmissions. This article proposes privacy-focused mechanisms by resorting to physical layer data analysis and one-class classification models to perform anomaly detection in IoT networks. We present a full processing pipeline that considers the signal that identifies and models patterns on the channel activity and silence periods. We train our models with data captured from interactions with an Amazon Echo with devices generating background noise and test them against a similar scenario with a tampered network node periodically uploading data. Our data show that the best performing model, kernel density estimation, is able to detect anomalies with a 99% precision rate, even surpassing the tested neural networks approaches. We also propose a framework that aims to deploy validated models into production IoT environments. We designed an end-to-end data flow that autonomously extracts data and classifies them at the anomaly detection server. The envisioned components were designed to be horizontally scaled for a myriad of data streams and machine learning algorithms working in parallel.
| INTRODUCTIONWith the advent of Internet of Things (IoT) and wireless mesh networks, security risks inherent to these types of networks, namely, unauthorized use of resources and data exfiltration, have grown in number and severity. Currently, embedded sensors have become the trend, being used in both home automation and in critical and sensible infrastructures. IoT devices are always a security liability due to their heterogeneity, lack of constant monitoring, their placement in open wireless mediums, their limited resources, and, more recently, the access to locally stored sensitive data. 1,2 Manufacturers do not implement strong authentication and encryption algorithms to be used in the communications between devices, forcing administrators to use monitoring strategies to keep the network secure.