Autoencoder-based feature construction for IoT attacks clustering
Future Generation Computer Systems (IF 7.5), Pub Date: 2021-09-22, DOI: 10.1016/j.future.2021.09.025
Junaid Haseeb, Masood Mansoori, Yuichi Hirose, Harith Al-Sahaf, Ian Welch

Variations in commands executed as part of the attack process can be used to determine the behavioural patterns of IoT attacks. Existing approaches rely on the domain knowledge of security experts to identify the behavioural patterns, categorise and classify cyber attacks. We proposed an Autoencoder (AE)-based feature construction approach to remove the dependency on manually correlating commands and generate an efficient representation by automatically learning the semantic similarity between input features extracted from command data. We applied three clustering algorithms, i.e., K-means, Gaussian Mixture Models and Density-based spatial clustering of applications with noise, on our data set of AE features. We discussed the clustering arrangements for understanding the impact of changes in commands on behavioural patterns of attacks and how attacks are grouped in the same or different clusters. Evaluation of our feature construction approach shows that the clustering algorithm grouped attacks with more common feature values compared to clustering with original features. Moreover, we performed a comparative analysis of two existing feature extraction approaches on our data set considering the type of analysis in the process, generalisability of applying features, coverage of the data set and clustering arrangements. We found that challenges identified in applying existing approaches can be addressed with our proposed approach and improving features with AE resulted in providing meaningful clustering interpretations.


Updated: 2021-09-23