There is a growing trend of cyberattacks against Internet of Things (IoT) devices; moreover, the sophistication and motivation of those attacks is increasing. The vast scale of IoT, diverse hardware and software, and being typically placed in uncontrolled environments make traditional IT security mechanisms such as signature-based intrusion detection and prevention systems challenging to integrate. They also struggle to cope with the rapidly evolving IoT threat landscape due to long delays between the analysis and publication of the detection rules. Machine learning methods have shown faster response to emerging threats; however, model training architectures like cloud or edge computing face multiple drawbacks in IoT settings, including network overhead and data isolation arising from the large scale and heterogeneity that characterizes these networks. This work presents an architecture for training unsupervised models for network intrusion detection in large, distributed IoT and Industrial IoT (IIoT) deployments. We leverage Federated Learning (FL) to collaboratively train between peers and reduce isolation and network overhead problems. We build upon it to include an unsupervised device clustering algorithm fully integrated into the FL pipeline to address the heterogeneity issues that arise in FL settings. The architecture is implemented and evaluated using a testbed that includes various emulated IoT/IIoT devices and attackers interacting in a complex network topology comprising 100 emulated devices, 30 switches and 10 routers. The anomaly detection models are evaluated on real attacks performed by the testbed's threat actors, including the entire Mirai malware lifecycle, an additional botnet based on the Merlin command and control server and other red-teaming tools performing scanning activities and multiple attacks targeting the emulated devices.

翻译：针对物联网（IoT）设备的网络攻击呈上升趋势；此外，这些攻击的复杂性和动机也在不断增加。物联网规模庞大、硬件和软件多样，且通常部署在不受控的环境中，这使得传统的基于签名的入侵检测与防御系统等IT安全机制难以集成。由于检测规则的分析和发布之间存在较长的延迟，它们也难以应对快速演变的物联网威胁态势。机器学习方法对新出现的威胁表现出更快的响应速度；然而，像云或边缘计算这样的模型训练架构在物联网环境中面临多重缺陷，包括由这些网络的大规模性和异构性所导致的网络开销和数据隔离问题。本文提出了一种用于在大规模分布式物联网和工业物联网（IIoT）部署中训练无监督网络入侵检测模型的架构。我们利用联邦学习（FL）在节点间进行协作训练，以减少隔离和网络开销问题。在此基础上，我们在FL流程中集成了一个完全集成的无监督设备聚类算法，以解决FL设置中出现的异构性问题。该架构在一个包含各种模拟IoT/IIoT设备和攻击者的测试平台上实现和评估，这些设备和攻击者在一个包含100个模拟设备、30个交换机和10个路由器的复杂网络拓扑中交互。异常检测模型基于测试平台威胁行为者执行的真实攻击进行评估，包括整个Mirai恶意软件生命周期、一个基于Merlin命令和控制服务器的其他僵尸网络，以及执行扫描活动和针对模拟设备的多次攻击的其他红队工具。