A flow-based intrusion detection framework for internet of things networks
Cluster Computing (IF 3.6), Pub Date: 2021-02-10, DOI: 10.1007/s10586-021-03238-y
Leonel Santos, Ramiro Gonçalves, Carlos Rabadão, José Martins

The application of the Internet of Things (IoT) concept in domains such as industrial control, building automation, human health, and environmental monitoring introduces new privacy and security challenges. Consequently, traditional implementations of monitoring and security mechanisms are not always feasible or adequate, given the number of IoT devices, their heterogeneity, and the typical limitations of their technical specifications. In this paper, we propose an IP flow-based Intrusion Detection System (IDS) framework to monitor and protect IoT networks from external and internal threats in real time. The proposed framework collects IP flows from an IoT network and analyses them to monitor and detect attacks, intrusions, and other types of anomalies at different IoT architecture layers, based on a set of flow features rather than on packet header fields and payloads. The framework was designed to take into account both the IoT network architecture and other IoT contextual characteristics, such as scalability, heterogeneity, interoperability, and minimal use of IoT network resources. The IDS framework is network-based and relies on a hybrid architecture, combining centralized analysis with distributed data collection components. As its detection method, the framework uses a specification-based approach built on specifications of normal traffic. The experimental results show that the framework achieves ≈100% detection success and 0% false positives for intrusions and anomalies. In terms of the performance and scalability of the IDS components, we compare it with three conventional IDS (Snort, Suricata, and Zeek); the results show that the proposed solution consumes fewer computational resources (CPU, RAM, and persistent memory) than those conventional IDS.
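As an added illustration (not the authors' code, and not the paper's actual feature set), the following Python sketch shows the kind of specification-based, payload-free detection the abstract describes: each IoT device has a profile of its normal flows (allowed protocol/port pairs and a per-flow volume bound), and flow records from distributed collectors that deviate from the profile are flagged by the central analysis step. Device addresses, ports and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed IP-flow records in the style collectors export (NetFlow/IPFIX-like);
# the field set is an illustration, not the paper's feature list.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    octets: int  # bytes carried by the flow

# Specification-based detection: each device has a profile of its normal traffic
# (allowed protocol/port pairs and a per-flow volume bound). Flows outside the
# profile are anomalies; no attack signatures and no payload inspection are needed.
@dataclass(frozen=True)
class DeviceSpec:
    allowed: frozenset  # of (proto, dport) tuples
    max_octets_per_flow: int

SPECS: Dict[str, DeviceSpec] = {  # constructed device profiles
    "10.0.0.11": DeviceSpec(frozenset({("tcp", 8883), ("udp", 53)}), 20_000),  # MQTT sensor
    "10.0.0.12": DeviceSpec(frozenset({("udp", 5683), ("udp", 53)}), 4_000),   # CoAP thermostat
}
def check_flow(flow: Flow) -> List[str]:
    """Return the specification violations for one flow (empty list if it conforms)."""
    spec = SPECS.get(flow.src)
    if spec is None:
        return ["unknown-source"]  # device has no specification at all
    findings = []
    if (flow.proto, flow.dport) not in spec.allowed:
        findings.append(f"unexpected-service:{flow.proto}/{flow.dport}")
    if flow.octets > spec.max_octets_per_flow:
        findings.append(f"volume-exceeds-spec:{flow.octets}>{spec.max_octets_per_flow}")
    return findings

def analyse(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Centralised analysis over flows gathered by distributed collectors."""
    return [(f, v) for f in flows if (v := check_flow(f))]
SAMPLE_FLOWS = [  # constructed sample input
    Flow("10.0.0.11", "10.0.0.2", "tcp", 8883, 6_100),          # normal MQTT publish
    Flow("10.0.0.12", "10.0.0.2", "udp", 5683, 300),            # normal CoAP update
    Flow("10.0.0.11", "203.0.113.7", "tcp", 23, 900),           # sensor reaching out on telnet
    Flow("10.0.0.12", "10.0.0.2", "udp", 5683, 1_300_000),      # thermostat flooding the server
    Flow("10.0.0.99", "10.0.0.2", "udp", 53, 150),              # device with no specification
]
for flow, findings in analyse(SAMPLE_FLOWS):
    print(f"{flow.src} -> {flow.dst}: {findings}")
```

The three flagged flows are exactly the ones that leave the normal-traffic specification; the two conforming flows produce no alert, which is the zero-false-positive behaviour the abstract reports for well-specified traffic.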




Updated: 2021-02-11