DIoT: A Self-learning System for Detecting Compromised IoT Devices

IoT devices are being widely deployed. Many of them are vulnerable due to insecure implementations and configuration. As a result, many networks already have vulnerable devices that are easy to compromise. This has led to a new category of malware specifically targeting IoT devices. Existing intrusion detection techniques are not effective in detecting compromised IoT devices given the massive scale of the problem in terms of the number of different types of devices and manufacturers involved. In this paper, we present DIoT, a system for detecting compromised IoT devices effectively. In contrast to prior work, DIoT uses a novel self-learning approach to classify devices into device types and build normal communication profiles for each of these that can subsequently be used to detect anomalous deviations in communication patterns. DIoT is completely autonomous and can be trained in a distributed crowdsourced manner without requiring human intervention or labeled training data. Consequently, DIoT can cope with the emergence of new device types as well as new attacks. By systematic experiments using more than 30 off-the-shelf IoT devices, we show that DIoT is effective (94% detection rate) and fast (2 s.) at detecting devices compromised by the infamous Mirai malware. DIoT reported no false alarms when evaluated in a real-world deployment setting.