Summary:

With the advent of wireless mesh networks and the Internet of Things (IoT), the security risks inherent to these types of networks, whether unauthorized use of the network or data exfiltration, have grown in number. Most of the approaches currently available for anomaly detection in IoT networks perform frame and packet inspection, which may inadvertently reveal the private behavioral patterns of their users. Additionally, those that focus on physical-layer data often use the Received Signal Strength Indicator (RSSI) as a distance metric and perform anomaly detection according to the nodes' relative distance, or feed spectrum values directly into classification models without any data exploration. This dissertation proposes privacy-focused mechanisms for anomaly detection that analyse radio activity at the physical layer, measuring silence and activity periods. We then extract features from the duration of these periods, perform data exploration and feature engineering, and use them to train both classical and neural-network One-Class Classification (OCC) models. We train our models with data captured from interactions with an Amazon Echo, first in a noise-free environment simulating a home-automation scenario, and second with multiple devices generating background data exchanges in a lab full of devices and interference. We then test them against similar scenarios with a tampered network node that periodically uploads data to a local machine. Our data show that, in both situations, the best-performing model is able to detect anomalies with a 99% precision rate. This work also proposes a framework for deploying the validated models into a production environment. This proposal defines the entire data pipeline: data are recorded and processed at the sniffers, sent to a message broker, and consumed by the corresponding probe's classifier instance at a central server.

This “server” is responsible for managing the consumer/classifier instances, storing the windows of features and their respective labels, and periodically re-training the models so that they can adapt to behavioral changes on the network. We performed a series of tests to assess whether this architecture is able to scale to a higher number of probes; these tests showed that, due to memory constraints, it is advisable to split the data consumers and classifiers across different physical hosts.
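The summary above describes the core idea (segment the channel into silence and activity periods, derive features from their durations, and train a one-class model on normal traffic only) without showing how those pieces fit together. The following Python script is an added illustration written for this page; it is not code from the dissertation. It assumes a single channel-energy reading per tick, a hypothetical seven-feature window descriptor (burst count plus mean/std/max of activity and silence durations), constructed synthetic traces in place of real captures, and a per-feature z-score envelope as a stand-in for the classical and neural OCC models the dissertation evaluates. The "tampered node" is modelled only as an extra long, periodic burst of activity, which is the only detail the summary gives.

```python
"""Silence/activity duration features with a normal-only (one-class) detector.

Added example, not the dissertation's own code. All data below are
constructed with a seeded PRNG; the feature set and the z-score envelope
model are assumptions made for illustration.
"""
import random
from statistics import mean, pstdev

ACTIVE, SILENT = "active", "silent"
FEATURE_NAMES = ("n_active", "act_mean", "act_std", "act_max",
                 "sil_mean", "sil_std", "sil_max")


def segment_periods(energy, threshold):
    """Collapse per-tick channel-energy readings into alternating runs of
    (state, duration_in_ticks). Only durations are kept: nothing on the air is
    decoded, which is what makes the approach privacy-preserving."""
    runs = []
    for e in energy:
        state = ACTIVE if e > threshold else SILENT
        if runs and runs[-1][0] == state:
            runs[-1] = (state, runs[-1][1] + 1)
        else:
            runs.append((state, 1))
    return runs


def window_features(runs):
    """Hypothetical feature vector for one capture window (see FEATURE_NAMES)."""
    act = [d for s, d in runs if s == ACTIVE]
    sil = [d for s, d in runs if s == SILENT]

    def stats(xs):
        return (mean(xs), pstdev(xs), max(xs)) if xs else (0.0, 0.0, 0.0)

    return (float(len(act)), *stats(act), *stats(sil))


class ZScoreOCC:
    """Minimal one-class model: fit per-feature mean/std on normal windows only,
    score a window by its largest absolute z-score, flag if above a threshold.
    std_floor (in ticks) stops near-constant features from exploding the score."""

    def __init__(self, threshold=5.0, std_floor=1.0):
        self.threshold, self.std_floor = threshold, std_floor
        self.mu, self.sigma = [], []

    def fit(self, windows):
        cols = list(zip(*windows))
        self.mu = [mean(c) for c in cols]
        self.sigma = [max(pstdev(c), self.std_floor) for c in cols]
        return self

    def score(self, x):
        return max(abs(v - m) / s for v, m, s in zip(x, self.mu, self.sigma))

    def is_anomalous(self, x):
        return self.score(x) > self.threshold


def synth_window(rng, ticks=300, upload_burst=0, upload_every=50):
    """Constructed channel-energy trace (not a real capture): short
    command/response bursts separated by random silences; optionally a long
    periodic 'upload' burst standing in for a tampered node sending data."""
    energy = [rng.uniform(0.0, 0.2) for _ in range(ticks)]  # noise floor
    t = rng.randint(5, 15)
    while t < ticks:
        burst = rng.randint(1, 3)
        for k in range(burst):
            if t + k < ticks:
                energy[t + k] = rng.uniform(0.7, 1.0)
        t += burst + rng.randint(10, 30)  # silences of at least 10 ticks
    if upload_burst:
        for start in range(upload_every, ticks, upload_every):
            for k in range(upload_burst):
                if start + k < ticks:
                    energy[start + k] = rng.uniform(0.7, 1.0)
    return energy


def demo(n_train=60, n_test=10, seed=7, energy_threshold=0.5):
    """Train on normal windows only, then score unseen normal windows and one
    window containing the periodic upload. Returns the outcome as a dict."""
    rng = random.Random(seed)

    def featurize(trace):
        return window_features(segment_periods(trace, energy_threshold))

    train = [featurize(synth_window(rng)) for _ in range(n_train)]
    model = ZScoreOCC().fit(train)
    normals = [featurize(synth_window(rng)) for _ in range(n_test)]
    anomaly = featurize(synth_window(rng, upload_burst=15))
    return {
        "false_positives": sum(model.is_anomalous(x) for x in normals),
        "anomaly_score": model.score(anomaly),
        "anomaly_flagged": model.is_anomalous(anomaly),
    }


if __name__ == "__main__":
    print(demo())
```

The detector never needs a labelled anomaly: the only training input is normal traffic, and the upload window is caught because its longest activity run (15 ticks) is far outside the envelope of 1-to-3-tick bursts learned during training. In a real deployment the same feature windows would be what the sniffer publishes to the message broker and what the central server stores for periodic re-training.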