IoT devices are known to be vulnerable to a range of cyber-attacks, such as data exfiltration and participation in flooding attacks as part of a DDoS campaign. When such attacks are detected through network traffic analysis, it has been shown that a given attack scenario is not equally easy to detect across different IoT models: when it targets some models, the attack can be detected rather accurately, whereas on others the same attack produces too many false alarms. In this research we attempt to explain this variability in IoT attack detectability and devise a risk assessment method that addresses a key question: how easily can an anomaly-based network intrusion detection system detect a given cyber-attack involving a specific IoT model? In addressing this question we (a) investigate the predictability of IoT network traffic, (b) present a novel taxonomy for IoT attack detection that also captures traffic-predictability aspects, (c) propose an expert-based attack detectability estimation method that uses this taxonomy to derive a detectability score (termed 'D-Score') for a given combination of IoT model and attack scenario, and (d) empirically evaluate our method and compare it with a data-driven method.
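The claim above, that the same attack can be detected accurately on one IoT model and drown in false alarms on another, is easiest to see with a toy anomaly detector. The following Python block is an added illustration and is not the paper's D-Score method, dataset or code: it constructs per-second packet counts for two hypothetical devices (a schedule-driven sensor and a motion-triggered camera), learns a mean-plus-k-sigma threshold from a baseline window, and measures detection and false-alarm rates for an identical flood of 30 packets/s on each. The device patterns, window lengths, flood rate and the coefficient of variation used as a predictability measure are all assumptions chosen for this example.

```python
"""Toy baseline-profile anomaly detector showing why one flood is easy to
flag on a predictable IoT device and noisy on a bursty one.

All traffic patterns and parameters are constructed for this example
(hypothetical devices); this is not the paper's D-Score method.
"""
from statistics import fmean, pstdev

# Constructed per-second packet counts for two hypothetical devices.
# Device A: a sensor that reports on a fixed schedule -> predictable.
PATTERN_A = [5, 5, 6, 5]
# Device B: a camera whose uploads are motion-triggered -> bursty.
PATTERN_B = [2, 3, 40, 2, 55, 3]

FLOOD_PPS = 30  # extra packets/s the attacker pushes through the device


def windows(pattern, baseline_s=60, normal_s=20, attack_s=10):
    """Return (baseline, held-out normal, attack) windows for a pattern.

    The attack window is the device's normal traffic plus a constant
    flood, i.e. the same attack replayed on top of each device.
    """
    def rep(n):
        return (pattern * (n // len(pattern) + 1))[:n]

    baseline = rep(baseline_s)
    normal = rep(normal_s)
    attack = [c + FLOOD_PPS for c in rep(attack_s)]
    return baseline, normal, attack


def predictability(baseline):
    """Coefficient of variation of the baseline: lower = more predictable."""
    return pstdev(baseline) / fmean(baseline)


def evaluate(baseline, normal, attack, k=3.0):
    """Learn mean + k*std on the baseline; alert when a second's count exceeds it.

    Returns detection rate over attack seconds and false-alarm rate over
    held-out normal seconds.
    """
    mu, sigma = fmean(baseline), pstdev(baseline)
    thr = mu + k * sigma
    detection = sum(c > thr for c in attack) / len(attack)
    false_alarm = sum(c > thr for c in normal) / len(normal)
    return {"threshold": thr,
            "detection_rate": detection,
            "false_alarm_rate": false_alarm}


def cost_of_full_detection(normal, attack):
    """Lowest integer threshold that still flags every attack second, and
    the false-alarm rate a defender pays for it on normal traffic."""
    thr = min(attack) - 1
    return thr, sum(c > thr for c in normal) / len(normal)


def report(name, pattern):
    baseline, normal, attack = windows(pattern)
    r = evaluate(baseline, normal, attack)
    thr, fa = cost_of_full_detection(normal, attack)
    print(f"{name}: CV={predictability(baseline):.3f} "
          f"thr(k=3)={r['threshold']:.2f} "
          f"detect={r['detection_rate']:.0%} fa={r['false_alarm_rate']:.0%} | "
          f"full detection needs thr={thr} -> fa={fa:.0%}")


if __name__ == "__main__":
    report("Device A (sensor)", PATTERN_A)
    report("Device B (camera)", PATTERN_B)
```

Running it shows the flood caught on every attack second of the predictable device with no false alarms, while on the bursty device the same k=3 threshold catches one attack second in ten; lowering the threshold until every attack second is flagged makes 30% of normal seconds alarm. The baseline's coefficient of variation is a crude stand-in for the traffic-predictability aspect the abstract says the taxonomy captures.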