Observability in Machine Learning based Intrusion Detection Systems for RPL-based IoT

University essay from Uppsala universitet/Institutionen för informationsteknologi

Author: Malin Strand; [2023]

Abstract: As IoT devices become more and more present in our daily lives, security in IoT networks has become a major concern. A promising approach for detecting attacks is the use of machine learning based Intrusion Detection Systems (IDSs). The attack studied in this thesis is the blackhole attack, an attack causing parts of the network to disconnect. The IDS identifies malicious activities in the network by analyzing the network traffic. However, in the case of a blackhole attack, not all activity can necessarily be seen by the IDS. We study the impact of limited observability for an IDS and simulate attacks on RPL-based IoT networks using the Cooja simulator together with the Multi-Trace extension. The data obtained from the simulations are processed to match the observability of the sink node, and then used to train and test a Deep Neural Network (DNN) machine learning model for an IDS. The DNN is trained on a conventional blackhole attack and then tested on variations of that attack in order to evaluate the IDS's ability to detect previously unseen but similar attack types. We use a data preparation method that allows the IDS to detect attacks online, as opposed to retrospectively. Additionally, we modify the network simulations to be more realistic and assess how the IDS is affected by the more realistic network simulations. Our study found that the IDS was not significantly affected by the more realistic simulations; however, observability proved to be a critical factor for detecting attacks. We show that an IDS with access to full observability of network activities achieved greater performance, with a detection rate of approximately 92%, compared to an IDS with limited observability, which achieved a detection rate ranging from 45% to 78%. Our findings highlight the importance of considering and developing new techniques for enhanced observability, in order to further improve and develop IDSs.
