IoT devices fundamentally lack built-in security mechanisms to protect themselves from attacks. Existing work on improving IoT security mostly focuses on detecting anomalous behaviors of IoT devices. However, these anomaly detection schemes may trigger an overwhelmingly large number of false alerts, rendering them unusable for detecting compromised IoT devices. In this paper, we develop an effective and efficient framework, named CUMAD, to detect compromised IoT devices. Instead of relying directly on individual anomalous events, CUMAD accumulates sufficient evidence before declaring an IoT device compromised, by integrating an autoencoder-based anomaly detection subsystem with a sequential hypothesis testing subsystem based on the sequential probability ratio test (SPRT). CUMAD can effectively reduce the number of false alerts in detecting compromised IoT devices, and moreover, it can detect compromised IoT devices quickly. Our evaluation studies based on the public-domain N-BaIoT dataset show that CUMAD can on average reduce the false positive rate from about 3.57% using only the autoencoder-based anomaly detection scheme to about 0.5%; in addition, CUMAD can detect compromised IoT devices quickly, with fewer than 5 observations on average.
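As an added illustration of the evidence-accumulation idea (example code written for this page, not the paper's CUMAD implementation), the block below runs Wald's SPRT over the stream of per-observation anomaly flags an autoencoder-based detector would emit for one device. It assumes each flag is Bernoulli with rate THETA0 for a benign device (set to the abstract's ~3.57% autoencoder false positive rate) and an assumed rate THETA1 = 0.9 for a compromised one, with target error rates alpha = beta = 0.01; the sample flag streams are constructed.

```python
import math

# Assumption: per-observation anomaly flags are Bernoulli with rate THETA0 under
# H0 (benign) and THETA1 under H1 (compromised). THETA1 is an assumed value.
THETA0 = 0.0357   # from the abstract's ~3.57% autoencoder false positive rate
THETA1 = 0.90     # assumed flag rate for a compromised device

def sprt_bounds(alpha, beta):
    """Log-likelihood-ratio bounds for target error rates alpha (FP) and beta (FN)."""
    upper = math.log((1 - beta) / alpha)   # reaching it accepts H1: compromised
    lower = math.log(beta / (1 - alpha))   # reaching it accepts H0: benign
    return lower, upper

def sprt_decide(flags, theta0=THETA0, theta1=THETA1, alpha=0.01, beta=0.01):
    """Consume flags one at a time; return (verdict, observations used).

    verdict is 'compromised', 'benign', or None if the stream ended undecided.
    """
    lower, upper = sprt_bounds(alpha, beta)
    llr = 0.0
    for n, flag in enumerate(flags, start=1):
        # Each observation adds log P(x|H1)/P(x|H0) to the running evidence.
        if flag:
            llr += math.log(theta1 / theta0)
        else:
            llr += math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "compromised", n
        if llr <= lower:
            return "benign", n
    return None, len(flags)

def per_event_alerts(flags):
    """Baseline: the autoencoder alone raises one alert per flagged observation."""
    return sum(flags)

# Constructed sample streams (1 = autoencoder flagged the observation anomalous).
BENIGN_DEVICE = [0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]
COMPROMISED_DEVICE = [1, 1, 1, 1, 1, 0, 1, 1, 1, 1]
LONE_FALSE_ALERT = [1, 0, 0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    for name, flags in [("benign", BENIGN_DEVICE), ("compromised", COMPROMISED_DEVICE),
                        ("lone false alert", LONE_FALSE_ALERT)]:
        verdict, n = sprt_decide(flags)
        print(f"{name:17s} autoencoder alerts={per_event_alerts(flags)} "
              f"SPRT verdict={verdict} after {n} observations")
```

A single stray flag moves the log-likelihood ratio up but not past the upper bound, so it is absorbed by the following normal observations instead of becoming an alert, while a steadily flagged device is declared compromised after two observations.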