IoT application domains, device diversity and connectivity are rapidly growing. IoT devices control various functions in smart homes and buildings, smart cities, and smart factories, making these devices an attractive target for attackers. On the other hand, the large variability of different application scenarios and the inherent heterogeneity of devices make it very challenging to reliably detect abnormal IoT device behaviors and distinguish them from benign behaviors. Existing approaches for detecting attacks are mostly limited to attacks that directly compromise individual IoT devices, or require predefined detection policies. They cannot detect attacks that utilize the control plane of the IoT system to trigger actions in an unintended/malicious context, e.g., opening a smart lock while the smart home residents are absent. In this paper, we tackle this problem and propose ARGUS, the first self-learning intrusion detection system for detecting contextual attacks on IoT environments, in which the attacker maliciously invokes IoT device actions to reach its goals. ARGUS monitors the contextual setting based on the state and actions of IoT devices in the environment. An unsupervised Deep Neural Network (DNN) is used for modeling the typical contextual device behavior and detecting actions taking place in abnormal contextual settings. This unsupervised approach ensures that ARGUS is not restricted to detecting previously known attacks but is also able to detect new attacks. We evaluated ARGUS on heterogeneous real-world smart-home settings and achieved an F1-Score of at least 99.64% for each setup, with a false positive rate (FPR) of at most 0.03%.
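The idea of judging an action by the state of the surrounding devices, shown as an added example that is not ARGUS's code: a simple frequency table stands in for the paper's unsupervised DNN. The device names, event log and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed smart-home day (not data from the paper): (device, new_state).
BENIGN_DAY = [
    ("presence", "home"), ("lock", "unlocked"), ("light", "on"),
    ("lock", "locked"), ("light", "off"), ("lock", "unlocked"),
    ("lock", "locked"), ("presence", "away"),
]
INITIAL = {"presence": "away", "lock": "locked", "light": "off"}

def contextual_samples(events, initial):
    """Replay events and pair each action with the state of all *other*
    devices at the moment it fires (its context)."""
    state = dict(initial)
    samples = []
    for device, value in events:
        context = frozenset((d, v) for d, v in state.items() if d != device)
        samples.append(((device, value), context))
        state[device] = value
    return samples

class ContextModel:
    """Frequency stand-in for the learned model: how often was each context
    feature present when a given action occurred in benign operation?"""
    def __init__(self):
        self.actions = Counter()
        self.pairs = Counter()
    def fit(self, samples):
        for action, context in samples:
            self.actions[action] += 1
            for feature in context:
                self.pairs[action, feature] += 1
        return self
    def score(self, action, context):
        """Anomaly score in [0, 1]; 1.0 means never seen in this context."""
        seen = self.actions[action]
        if seen == 0:
            return 1.0
        return 1.0 - min((self.pairs[action, f] / seen for f in context), default=1.0)

def detect(model, events, initial, threshold=0.9):
    """Return (index, action, score) for every action at or above threshold."""
    return [(i, a, s) for i, (a, c) in enumerate(contextual_samples(events, initial))
            if (s := model.score(a, c)) >= threshold]

MODEL = ContextModel().fit(contextual_samples(BENIGN_DAY * 30, INITIAL))
# Same benign day, followed by an unlock command while nobody is home.
print(detect(MODEL, BENIGN_DAY + [("lock", "unlocked")], INITIAL))
```

The unlock command is an ordinary action for the lock on its own, so a per-device check would pass it; only the `presence=away` context makes it stand out.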