Unsupervised machine learning for network-centric anomaly detection in IoT

Industry 4.0 holds the promise of greater automation and productivity but also introduces new security risks to critical industrial control systems from unsecured devices and machines. Networks need to play a larger role in stopping attacks before they disrupt essential infrastructure as host-centric IT security solutions, such as anti-virus and software patching, have been ineffective in preventing IoT devices from getting compromised. We propose a network-centric, behavior-learning based, anomaly detection approach for securing such vulnerable environments. We demonstrate that the predictability of TCP traffic from IoT devices can be exploited to detect different types of DDoS attacks in real-time, using unsupervised machine learning (ML). From a small set of features, our ML classifier can separate normal and anomalous traffic. Our approach can be incorporated in a larger system for identifying compromised end-points despite IP spoofing, thus allowing the use of SDN-based mechanisms for blocking attack traffic close to the source. Compared to supervised ML methods, our unsupervised ML approaches are easier to instrument and are more effective in detecting new and unseen attacks.