ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks
IEEE Internet of Things Journal (IF 8.2), Pub Date: 2-2-2021, DOI: 10.1109/jiot.2021.3055937
Kalupahana Liyanage Kushan Sudheera, Dinil Mon Divakaran, Rhishi Pratap Singh, Mohan Gurusamy

The fast-growing Internet-of-Things (IoT) market has opened up a large threat landscape, given the wide deployment of IoT devices in both consumer and commercial spaces. Attacks on IoT devices generally consist of multiple stages and are dispersed spatially and temporally. These characteristics make it challenging to detect and identify the attack stages using solutions that tend to be localized in space and time. In this work, we present Adept, a distributed framework to detect and identify the individual attack stages in a coordinated attack. Adept works in three phases. First, network traffic of IoT devices is processed locally for detecting anomalies with respect to their benign profiles. Any alert corresponding to a potential anomaly is sent to a security manager, where aggregated alerts are mined, using frequent itemset mining (FIM), for detecting patterns correlated across both time and space. Finally, using both alert-level and pattern-level information as features, we employ a machine learning approach to identify individual attack stages in the generated alerts. We carry out extensive experiments, with emulated and realistic network traffic; the results demonstrate the effectiveness of the proposed framework in attack-stage detection and identification.
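To make the second and third phases concrete, here is an added illustration (not code from the paper or its authors) of the security-manager step: per-device alerts are aggregated, Apriori-style FIM finds closed itemsets that recur across devices (space) and the time windows they span, and the resulting pattern-level information is combined with the alert type into a feature vector for a downstream classifier. The alert tuple format, the device names, the alert types and the minimum-support threshold are all assumptions constructed for this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed alert stream (time_window, device, alert_type); not data from the paper.
# Two cameras raise three stages in order, a plug raises the first two, a TV an unrelated alert.
ALERTS = [
    (0, "cam1", "port_scan"), (1, "cam1", "login_burst"), (2, "cam1", "outbound_spike"),
    (0, "cam2", "port_scan"), (1, "cam2", "login_burst"), (2, "cam2", "outbound_spike"),
    (0, "plug1", "port_scan"), (1, "plug1", "login_burst"),
    (3, "tv1", "dns_anomaly"),
]

def apriori(transactions, min_support):
    """Apriori FIM: {frozenset(items): support} for every itemset with support >= min_support."""
    frequent, k = {}, 1
    current = {frozenset([i]) for t in transactions for i in t}
    while current:
        counts = {c: sum(1 for t in transactions if c <= t) for c in current}
        level = {c: s for c, s in counts.items() if s >= min_support}
        frequent.update(level)
        # candidates of size k+1: unions of two frequent k-itemsets whose k-subsets are all frequent
        current = {a | b for a, b in combinations(level, 2) if len(a | b) == k + 1
                   and all(frozenset(s) in level for s in combinations(a | b, k))}
        k += 1
    return frequent

def correlated_patterns(alerts, min_devices=2):
    """Security-manager step: one transaction per device (its alert types). A pattern is a
    closed frequent itemset, reported with the devices (space) and windows (time) it spans."""
    per_device, windows = defaultdict(set), defaultdict(set)
    for w, dev, typ in alerts:
        per_device[dev].add(typ)
        windows[typ].add(w)
    freq = apriori(list(per_device.values()), min_devices)
    closed = [s for s, sup in freq.items()
              if len(s) > 1 and not any(s < o and freq[o] == sup for o in freq)]
    pats = [{"pattern": sorted(s), "support": freq[s],
             "devices": sorted(d for d, t in per_device.items() if s <= t),
             "windows": sorted(set().union(*(windows[i] for i in s)))} for s in closed]
    return sorted(pats, key=lambda p: (-p["support"], p["pattern"]))

def alert_features(alert, patterns):
    """Identification-stage features: alert-level (type) plus pattern-level (size and support
    of the largest correlated pattern that this alert's device takes part in)."""
    _, dev, typ = alert
    hits = [p for p in patterns if typ in p["pattern"] and dev in p["devices"]]
    best = max(hits, key=lambda p: len(p["pattern"]), default=None)
    return {"type": typ, "pattern_size": len(best["pattern"]) if best else 0,
            "pattern_support": best["support"] if best else 0}

if __name__ == "__main__":
    pats = correlated_patterns(ALERTS)
    print(pats, alert_features((2, "cam1", "outbound_spike"), pats))
```

The isolated dns_anomaly alert gets zero pattern-level features, while the outbound_spike on cam1 is tagged as the third item of a pattern shared by two devices, which is the kind of spatio-temporal context a per-device detector alone cannot provide.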

Updated: 2024-08-22