
Anomaly detection in IoT networks

Reference number 2018-03946
Coordinator SENTOR MANAGED SECURITY SERVICES AB
Funding from Vinnova SEK 798 000
Project duration November 2018 - December 2019
Status Completed
Venture Collaboration projects in cybersecurity and digital infrastructure

Purpose and goal

The purpose of the project was to produce a proof-of-concept of a service that detects compromise of IoT devices by analyzing traffic metadata. The system needs to produce alerts detailed enough for a human to determine the severity of an anomaly, which is why traditional black-box machine learning models were deemed unsuitable. A PoC has been produced with the capacity to perform this analysis in real time with limited resources.

Expected results and effects

Studies of probability distributions in typical client network traffic demonstrated that statistical modelling of these will often give very vague results. This, however, is primarily caused by end-user computers, phones and tablets. For single-purpose devices (such as IoT devices), the distributions are more favorable, which enables fairly confident detection of anomalies.
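The page does not describe the project's actual model, so the following is an added illustration of the general point and not the project's code. It assumes a per-device frequency baseline over destination endpoints, scored by surprisal relative to the baseline's entropy; the smoothing weight, threshold, function names and sample flows are all constructed for the example.

```python
import math
from collections import Counter

ALPHA = 1.0        # additive smoothing weight (assumed value)
MARGIN_BITS = 4.0  # alert when a flow is this much more surprising than usual (assumed)

def build_baseline(flows):
    """Per-device counts of (dst_host, dst_port) pairs from training flows."""
    baseline = {}
    for device, dst, port in flows:
        baseline.setdefault(device, Counter())[(dst, port)] += 1
    return baseline

def entropy_bits(counts):
    """Shannon entropy of a device's endpoint distribution; low = predictable."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def surprisal_bits(counts, endpoint):
    """-log2 of the smoothed probability; one extra bucket stands for 'unseen'."""
    total = sum(counts.values())
    p = (counts.get(endpoint, 0) + ALPHA) / (total + ALPHA * (len(counts) + 1))
    return -math.log2(p)

def score_flow(baseline, device, dst, port):
    """Return an explainable alert dict, or None if the flow fits the baseline."""
    counts = baseline.get(device)
    if not counts:
        return None  # no baseline yet: nothing to compare against
    s, h = surprisal_bits(counts, (dst, port)), entropy_bits(counts)
    if s - h < MARGIN_BITS:
        return None
    return {
        "device": device,
        "endpoint": f"{dst}:{port}",
        "surprisal_bits": round(s, 2),
        "baseline_entropy_bits": round(h, 2),
        "times_seen_in_baseline": counts.get((dst, port), 0),
        "baseline_flows": sum(counts.values()),
        "usual_endpoints": [f"{d}:{p}" for (d, p), _ in counts.most_common(3)],
    }

# Constructed sample metadata (not real traffic): a camera with two endpoints,
# and a laptop that contacts a different host on every flow.
TRAINING = ([("camera", "cloud.example", 443)] * 90 + [("camera", "ntp.example", 123)] * 10
            + [("laptop", f"site{i}.example", 443) for i in range(40)])
BASELINE = build_baseline(TRAINING)

if __name__ == "__main__":
    for dev in ("camera", "laptop"):
        print(dev, score_flow(BASELINE, dev, "198.51.100.7", 23))
```

The same unseen endpoint raises an alert for the camera, with the fields an analyst needs to judge it, but not for the laptop, whose baseline is too spread out for one new destination to stand out.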

Planned approach and implementation

The project was executed in 3 phases. Phase 1 consisted of establishing functional requirements based on market needs, hardware requirements and interaction with other systems and personnel. In phase 2, various models for traffic analysis were evaluated in order to identify a model robust enough to provide credible results, but flexible enough to be easily adaptable when new traffic metrics are discovered. In phase 3, a number of different metrics were tested in the model to identify which gave the most precise indication of anomalies based on actual network traffic.

The project description has been provided by the project members themselves and the text has not been looked at by our editors.

Last updated 30 January 2020

Reference number 2018-03946
