Authors:
(1) Md Mainuddin, Department of Computer Science, Florida State University, Tallahassee, FL 32306;
(2) Zhenhai Duan, Department of Computer Science, Florida State University, Tallahassee, FL 32306;
(3) Yingfei Dong, Department of Electrical Engineering, University of Hawaii, Honolulu, HI 96822, USA.
4. Design of CUMAD
In this section, we first discuss the network model in which CUMAD will be deployed, and then present the design of the CUMAD framework.
4.1. Network Model
Figure 2 illustrates the conceptual network model in which CUMAD is deployed. As shown in the figure, to detect compromised IoT devices in a network, CUMAD needs access to the network traffic associated with those devices. Depending on the deployment scenario and the corresponding network architecture, there can be a few different ways for CUMAD to obtain this traffic. In essence, CUMAD, as a network-based solution, can be deployed in much the same way as a network-based intrusion detection system.
In the current design of CUMAD, (statistical) features from raw network traffic will be extracted and fed to CUMAD for detecting compromised IoT devices. Each input data point fed to CUMAD comprises these extracted features, and can be summarized at different levels of granularity of network traffic, such as packets, flows, and time windows. These features will capture the network behavioral characteristics of the corresponding IoT devices. In Section 5 we will discuss the network traffic features contained in the public-domain N-BaIoT dataset when we perform evaluation studies on CUMAD [8].
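As an added illustration of the time-window granularity described above (this is not code from the paper and does not reproduce the N-BaIoT feature set), the sketch below turns raw packet records into one statistical feature vector per device per window. The record layout, the one-second window, and the feature names are assumptions chosen for the example; the packets are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed sample packets: (timestamp_s, source_device_ip, packet_size_bytes).
# Addresses come from the documentation range 192.0.2.0/24.
PACKETS = [
    (0.10, "192.0.2.10", 60),
    (0.40, "192.0.2.10", 60),
    (0.90, "192.0.2.10", 1500),
    (0.20, "192.0.2.20", 100),
    (1.30, "192.0.2.10", 60),
    (1.60, "192.0.2.20", 300),
    (1.80, "192.0.2.20", 500),
]


def window_features(packets, window_s=1.0):
    """Summarize packets into one data point per (device, time window).

    Each returned dict is the kind of per-window feature vector that would be
    fed to a detector; the feature choice here is hypothetical.
    """
    buckets = defaultdict(list)
    for ts, device, size in packets:
        # Window index = which window_s-long interval the packet falls into.
        buckets[(device, int(ts // window_s))].append((ts, size))

    rows = {}
    for (device, win), items in sorted(buckets.items()):
        items.sort()  # order by timestamp so inter-arrival gaps are meaningful
        sizes = [size for _, size in items]
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        rows[(device, win)] = {
            "pkt_count": len(sizes),
            "bytes": sum(sizes),
            "size_mean": mean(sizes),
            "size_var": pvariance(sizes),
            # A window holding a single packet has no inter-arrival gap.
            "gap_mean": mean(gaps) if gaps else 0.0,
        }
    return rows


if __name__ == "__main__":
    for key, feats in window_features(PACKETS).items():
        print(key, feats)
```

Changing `window_s` changes the granularity of each data point; grouping by a flow key instead of `(device, window)` would give the flow-level summary the text mentions.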
This paper is available on arXiv under the CC BY 4.0 Deed (Attribution 4.0 International) license.