The increased use of IoT devices for data collection and monitoring has provided an easy entry path for launching terabit-scale Distributed Denial of Service (DDoS) attacks that cannot be stopped once under way. While security experts agree that such mega traffic should be stopped upstream before it gains momentum, no practical solution has been developed to address this problem.
This PoC forms the first step towards a practical method of preventing DDoS attacks that originate from IoT devices, by hampering and stopping potential attack traffic at the gateways of ISPs and end-users. It addresses the question: ‘How can an ISP detect botnets within its network, and process the large volumes of traffic so that these rogue devices are detected and mitigated in a matter of seconds, not minutes?’
The PoC enabled the delivery of the following:
- Improved accuracy of botnet detection by exploiting the regularity of IoT communication patterns;
- Improved operational efficiency and reduced detection delay by combining evidence of abnormal activity from multiple homes; and
- Improved ability to respond to emerging threats through better explanations of abnormal activity.
Identified Challenge in the Cybersecurity Industry
Since the high velocity and volume of DDoS attacks cannot be stopped by the victim’s network, this prototype proposes a paradigm-shifting approach: change the focus from securing a specific victim to preventing DDoS traffic from IoT devices from entering the network in the first place.
Because what makes DDoS unstoppable is the number of sources involved in an attack, this model distributes a large number of protective software filters and leverages the increasing computational power of edge devices to prevent attack traffic from aggregating. This lets the prototype explore an efficient way of identifying traffic from IoT devices and blocking anomalous traffic close to its source.
Current network monitoring tools are limited to looking up the vendor from a device’s MAC address in order to flag IoT devices, which is inconclusive in many cases. In contrast, a machine learning technique that incorporates information from multiple network layers can identify IoT traffic more accurately and pave the way for profiling it.
This PoC also enabled the research team to make some noteworthy observations:
- IoT devices generally tend to have one or two core functions, communicate with a small number of servers outside their home network, and have traffic patterns that tend to be repetitive; and
- This lack of variation should make it easier to detect malicious traffic by looking for anomalies in network traffic.
This prototype demonstrates three key machine learning capabilities:
- Anomaly detection from IoT network traffic: Detecting unusual changes;
- Explanation of anomalous traffic patterns: What the main features of the change are; and
- Visualisation of patterns: What the impact of change actually is.
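The detection, explanation and cross-home corroboration steps described above, as an added illustration that is not the project's own code: it learns each device model's regular destinations and packet rates from constructed baseline minutes, flags an unseen destination or a rate spike with an explanation of which feature changed, and raises confidence when the same anomaly recurs in several homes. All records, host names and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed one-minute outbound flow summaries (not real captures):
# (home, device_model, destination_host, packets_in_that_minute)
BASELINE = [  # benign minutes used to learn the model's regular behaviour
    ("home1", "cam", "cloud.cam-vendor.example", 120), ("home1", "cam", "ntp.example", 2),
    ("home2", "cam", "cloud.cam-vendor.example", 130), ("home2", "cam", "ntp.example", 2),
    ("home3", "cam", "cloud.cam-vendor.example", 125), ("home3", "cam", "ntp.example", 3),
]
WINDOW = [  # a later minute to score; 203.0.113.9 is a documentation address
    ("home1", "cam", "cloud.cam-vendor.example", 124),  # normal
    ("home1", "cam", "203.0.113.9", 9000),              # destination never seen
    ("home2", "cam", "203.0.113.9", 8800),              # same destination, another home
    ("home3", "cam", "cloud.cam-vendor.example", 600),  # known destination, rate spike
    ("home3", "cam", "ntp.example", 3),                 # normal
]

def build_profile(records):
    """Per (model, destination): mean and stddev of packets/minute across all homes.
    Destinations absent from the profile were never contacted in the baseline."""
    rates = defaultdict(list)
    for _, model, dst, pkts in records:
        rates[(model, dst)].append(pkts)
    return {key: (mean(v), pstdev(v)) for key, v in rates.items()}

def score_window(profile, records, z_limit=3.0):
    """Return (home, model, kind, dst, detail) for each anomaly, with kind
    explaining the change: an unseen destination or a packet-rate spike."""
    findings = []
    for home, model, dst, pkts in records:
        if (model, dst) not in profile:
            findings.append((home, model, "new_dst", dst, "never seen in baseline"))
            continue
        mu, sd = profile[(model, dst)]
        z = (pkts - mu) / sd if sd else (float("inf") if pkts > mu else 0.0)
        if z > z_limit:
            findings.append((home, model, "rate_spike", dst, f"{pkts} pkt/min, z={z:.1f}"))
    return findings

def corroborate(findings, min_homes=2):
    """Combine evidence across homes: the same kind of anomaly for the same model
    and destination in several homes points to a campaign, not one noisy device."""
    homes = defaultdict(set)
    for home, model, kind, dst, _ in findings:
        homes[(model, kind, dst)].add(home)
    return {key: sorted(h) for key, h in homes.items() if len(h) >= min_homes}
```

With the constructed data, the rate spike in home3 is reported on its own, while the unseen destination seen in two homes is the one that gets corroborated.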
Our team members have extensive experience in research and development using Artificial Intelligence, Machine Learning, and Game Theory in cyber security.
- Our experience encompasses the development of cutting-edge solutions for organisations such as Defence Science & Technology (DST) Group, Northrop Grumman (US), Telstra, and Australia’s Academic and Research Network (AARNet).