1

Timely Detection and Mitigation of Stealthy DDoSAttacks via IoT Networks

Keval Doshi, Yasin Yilmaz, and Suleyman Uludag

Abstract—Internet of Things (IoT) networks consist of sensors,actuators, mobile and wearable devices that can connect to theInternet. With billions of such devices already in the marketwhich have significant vulnerabilities, there is a dangerous threatto the Internet services and also some cyber-physical systemsthat are also connected to the Internet. Specifically, due totheir existing vulnerabilities IoT devices are susceptible to beingcompromised and being part of a new type of stealthy DistributedDenial of Service (DDoS) attack, called Mongolian DDoS, which ischaracterized by its widely distributed nature and small attacksize from each source. This study proposes a novel anomaly-based Intrusion Detection System (IDS) that is capable of timelydetecting and mitigating this emerging type of DDoS attacks. Theproposed IDS’s capability of detecting and mitigating stealthyDDoS attacks with even very low attack size per source isdemonstrated through numerical and testbed experiments.

Index Terms—IoT networks, DDoS attacks, anomaly detection,sequential detection, nonparametric methods

I. INTRODUCTION

The emergence of Internet of Things (IoT) has been one ofthe most significant technological advances of the last decade[1]. With the development of various miniaturized embeddedsystems and many web services along with cloud comput-ing, it is virtually possible to make any isolated system tocommunicate with another machine. Moreover, the increasedcapabilities of new System on Chip (SoC) devices, and adrastic reduction in their sizes have led to an exponentialincrease in the number of devices that communicate throughthe Internet. With the number of IoT devices in use todayalready in a few billions, and with an exponential growth, theamount of data generated and transmitted is also witnessinga proportional increase. This has made the IoT paradigm aprime target for a legion of attackers, hackers, cybercriminalsand occasionally governments [1].

Unfortunately, the security of IoT devices is not able tokeep up with the hardware development and now more andmore vulnerabilities are detected on a regular basis leading tosecurity threats and privacy concerns [1]. For example, suchcompromised devices can be utilized to perform DistributedDenial of Service (DDoS) attacks. DDoS is a type of cyber-attack in which the perpetuator attacks an online servicetypically by flooding traffic using a large number of sources.Volumetric attacks as the name suggests are characterized by

This work was supported in part by the U.S. National Science Foundationunder the Grant CNS-1737598 and in part by the SCEEE-17-03 Grant.

K. Doshi and Y.Yilmaz are with the Electrical Engineering Depart-ment, University of South Florida, Tampa, FL USA (e-mail: keval-doshi@mail.usf.edu, yasiny@usf.edu).

S. Uludag, is with the Department of Computer Science, University ofMichigan - Flint, MI USA (e-mail: uludag@umich.edu).

enormous amount of traffic, and they normally do not requirea large amount of traffic to be generated by the hackers them-selves causing it to be the simplest and most common type ofDDoS attack [2]. In this paper, we consider this type of DDoSattacks, especially the stealthy ones, which are challengingto detect and mitigate due to their widely-distributed natureand low-rate anomalous traffic from each source which caneasily bypass traditional filters (i.e., stealth attacks). In stealthyDDoS attacks, such as the recent Mongolian DDoS attacks[3], although the increase in traffic from each source is small,collectively they are still capable of achieving their goal ofdisrupting the targeted service due to being widely distributed.Although a number of practical solutions have been deployedagainst DDoS, many problems still exist [4], especially due tothe new genre of DDoS attacks through IoT devices.

A. DDoS via IoT

There has been a sharp increase in the number of IoTdevices with an estimated number of 8.4B devices in 2017which is expected to reach 20B by 2020 [5]. According to astudy by Gartner, a high percentage of new businesses andsystems will include an IoT component by 2020 [6]. Theconvenience provided by IoT technologies has led to a wide-scale deployment of a variety of Internet-connected sensorssuch as thermostats, security cameras, smart lights amongmany others. Unfortunately, the rapid spread of IoT also bringsabout a proliferation of security risks. Even though IoT isevolving at an expeditious pace, it is still very much in itsinception stage. Hence, at this stage there is a significant riskthat hacked IoT devices can be used for nefarious purposessuch as being used as a part of a botnet to launch DDoSattacks [4].

Currently, IoT network security faces four major challenges:(C1) Minimally invasive mitigation: Because of the distributed

nature of recent DDoS attacks, it is very difficult todetect the attacking devices. However, the attack shouldbe mitigated with minimal interruption of services tobenign users who want to legitimately use the servicesunder attack.

(C2) High dimensionality: Considering the large number ofdevices in a typical IoT network, and the abundantdata generated by those devices, computationally efficientsolutions that can achieve effective network monitoring,i.e., joint monitoring of devices, are required.

(C3) Unknown attack patterns: Since there is a wide range ofvulnerabilities that attackers can exploit, and new attacktechniques are continuously developed by attackers, thepredictability of attack patterns is quite low compared

arX

iv:2

006.

0806

4v1

[cs

.CR

] 1

5 Ju

n 20

20

2

to the traditional Internet security. Hence, conventionalsignature-based detection techniques, as well as paramet-ric probabilistic models are not feasible.

(C4) Timely detection and mitigation: Due to the highly inter-connected IoT ecosystem including the Internet and crit-ical infrastructure such as Smart Grid, and the potentialdisastrous effects of cyberattacks, timely detection andmitigation of attacks is crucial.

We state some of the real-world examples to scrutinize thedamage that can be caused by cyberattacks via IoT.

1) The Mirai botnet, that was launched in 2016, causedone of the most prolific series of attacks in the DDoShistory [7], [8]. This particular botnet infected numerousIoT devices (primarily older routers and IP cameras), andreached data rates higher than 600Gbps. Through floodingthe DNS provider Dyn, the Mirai botnet took downmany popular websites such as Etsy, GitHub, Netflix,Shopify, SoundCloud, Spotify, and Twitter. Mirai tookadvantage of devices running out-of-date firmware, andrelied on the fact that most users do not change the defaultusernames/passwords on their devices. The fact that itssource code has been released on a hacker forum (andnow it is available online [9]) facilitated its derivations.

2) In November 2016, hackers shut down the heating of twobuildings in the city of Lappeenranta, Finland. This wasanother DDoS attack, and in this case, the attack wasspecifically targeted towards an attribute of smart home.The attackers managed to cause the heating controllersto continually reboot the system in a loop so that theheaters never worked. The attack was significant becausethe temperatures are well below freezing at that time ofthe year, and such a scenario can be life threatening.

3) In early 2017, Verizon Wireless released a report thatincluded an unnamed university that experienced an at-tack from more than 5,000 IoT devices, such as vendingmachines and smart light bulbs.

These examples portray the severity of the situation if suchbotnets are acquired by sophisticated hackers and employedagainst critical infrastructures such as Nuclear Plants, SmartGrids, etc.

B. Related Works

DDoS attacks via IoT networks are relatively less addressedcompared to other security issues in the IoT enviornment.However, it is recently attracting considerable interest, e.g.,[4], [7], [8]. In [10]–[13], a wide range of vulnerabilitiesbecause of which conventional signature-based detection tech-niques fail, are discussed. In [14], authors propose a solutionto UDP flood attack in an IoT environment using 6LoWPANand IEEE 802.15.4. However, it has high overheads and com-plex architectures and components which do not suit an IoTenvironment [15]. An agent-based DDoS mitigation approachis proposed in [16]. The authors propose a two-part algorithmin which the attack detection part has been performed in theborder router. A similar entropy-based solution is proposedin [17], but with the requirement that the packet contentsshould be detectable. They also do not consider scenariosin which the entropy does not change but the number of

packets do. Xiang et al. [18] proposes an information metricapproach to quantify the differences between legitimate andattack network traffic by assuming that the legitimate trafficfollows a Gaussian distribution, whereas the attack trafficfollows a Poisson distribution. Machine learning algorithmsare also gaining attention as recent anomaly detection researchshows promise [19]. Doshi et al. [20] presents the performanceof popular machine learning algorithms such as SVM, k-nearest-neighbors, neural networks etc. in detecting malicioustraffic. However, they require training data for malicioustraffic (supervised anomaly detection), and extract featureswhich are specific to certain IoT devices without consideringother devices that might be present in the network such aslaptops or smartphones. In [21], Nomm et al. proposes usingfeature selection with popular anomaly detection techniquessuch as one-class SVM to detect IoT botnet attacks. Theyuse three different approaches for extracting useful featuresand provides their results over the N-BaIoT dataset. Kurtet al. [22] proposes an online anomaly detection algorithmbased on dimensionality reduction, that is capable of detectinganomalies in high dimensional settings. They also presenttheir results using the N-BaIoT dataset. Meidan et al. [23]proposes using deep autoencoders for detecting DDoS attacksat the network level. They achieve small false positive rates bytraining a deep autoencoder for each individual device in thenetwork, which might not scale well to large networks withmany devices. They also use a window-based majority votingscheme to detect attacks, which is not well suited for quickdetection.

C. ContributionsIn this paper, we propose a practical anomaly-based de-

tection and mitigation technique for IoT-based DDoS attacks,especially the challenging stealthy DDoS attacks with datarate increase per device as low as 10%, which is significantlylower than the considered rates in the literature, and caneasily bypass most of the existing approaches. Specifically, theproposed technique is based on a statistical anomaly detectionalgorithm called Online Discrepancy Test (ODIT) that miti-gates the attack with minimal interruption of regular service;scales well to large systems; does not rely on presumedbaseline and attack patterns; and achieves quick and accuratedetection and mitigation thanks to its sequential nature. Themajor contributions of this paper are as follows:• A novel detection and mitigation technique for stealthy

DDoS attacks is proposed, and its time and space com-plexity is analyzed;

• Asymptotic optimality of the proposed detector is provenin the minimax sense as the training data size grows;

• Solution to a dynamic scenario in which the number ofdevices in the network changes is provided;

• A comprehensive performance evaluation is providedusing a testbed implementation, the N-BaIoT dataset, andsimulations.

We first present the problem formulation in Sec. II, thenprovide the proposed IDS in Sec. III, experimental and testbedresults in Sec. IV, discuss the limitations in Sec. V, and finallyconclude the paper in Sec. VI.

3

II. PROBLEM FORMULATION AND BACKGROUND

A. System Model

In the considered architecture (Fig. 1), each IoT devicesends its data to the node connected to it. Nodes direct thedata traffic to a center, such as a web server, data center orutility center. The architecture is scalable in such a way that anode may represent a smart home consisting of tens of devicesor a smart building/neighborhood access point consisting ofthousands of devices.

Each device typically has different data communicationcharacteristics. In particular, the data content is typicallydifferent (for example, a thermostat would have considerablysmaller packet size as compared to a CCTV camera), and thecommunication protocol used might be different (such as TCP,UDP or HTTP). Also, for the same device the data rates mightdiffer significantly based on the location or type of connection,e.g., a laptop connected via a fiber optic cable might send1000 packets per second whereas the same device would besending 10 packets per second on a slower connection. Eventhe active communication frequency varies considerably, e.g.,devices like printers update its status once a minute, whereasCCTV cameras send data every second. In this work, ouronly assumption is that they perform a packet-based datacommunication.

Center

Node 1 Node n Node N

IoT Devices

Fig. 1. System model consisting of IoT devices such as thermostat, CCTV,light bulb, smartphone, etc. In the threat model, the bold arrows imply anincreased packet rate.

B. Threat Model

We consider a volumetric DDoS attack scenario in whichdata rates (packet/sec.) from a number of devices increase atsome point in time (see Fig. 1). Particularly, we consider athreat model in which some IoT devices are compromised andstart to send more than usual number of data packets. We donot assume further attack specifications such as knowledge onhow devices are compromised (e.g., through a vulnerability inthe firmware, spoofing attack, man-in-the-middle attack, useof default password), the attack magnitude (i.e., percentage ofincrease) and duration, and whether the data content changes

or not. It is not tractable to mitigate such attacks at the centersince accurate identification of all attacking devices is nottractable due to the highly distributed nature of the attacks.Moreover, due to the low-rate nature of the attacks, it is verydifficult to detect them locally at the nodes. We propose ageneral Intrusion Detection System (IDS) that can run locallyand is capable of detecting and mitigating an attack evenwhen it is not possible to inspect the data content, which is aprerequisite for many IDS algorithms, e.g., [17], [24].

Although the standard volumetric attacks that are studiedin the literature include high increase in the data rate ofa device, with the increasing number of compromised IoTdevices low-rate stealthy DDoS attacks (e.g., with a 20%increase per device) started to become threatening [3]. Dueto the proliferation of IoT, cyber-criminals can launch widely-distributed and highly-effective stealthy DDoS attacks, that canbypass conventional filters and IDSs. Hence, in this paper westudy DDoS attacks with data increase rates as low as 20%per device. There are existing works which consider low-rateDDoS attacks (e.g., [18]), nevertheless the considered increaserates are still significantly higher than what we consider in thispaper.

As a result of such widely-distributed DDoS attacks (e.g.,the almost uniform distribution of attack traffic in Mirai [25]),it is not tractable to have a single global solution running atthe server end, and thus we propose in the next section a localIDS that runs at each node. Such local solutions also facilitateaccurate mitigation.

III. PROPOSED ANOMALY-BASED IDS

In this section, we present our detection and mitigationstrategy for the proposed IDS. As shown in Fig. 2, we detect anattack based on the cooperative test statistic, and once an attackis detected, we monitor each device individually to identifythe attacking devices (see Sections III-B and III-C). We alsoanalyze the computational complexity and a practical scenarioin which the number of devices in the network are dynamicin nature.

Fig. 2. Proposed Intrusion Detection and Mitigation System

A. Proposed Detection Strategy

The heterogeneous nature of an IoT network makes para-metric anomaly detection approaches for DDoS detection lesseffective since they assume probabilistic models for nomi-nal and anomalous conditions. In practice, it is difficult to

4

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8

xn;1t

0.3

0.35

0.4

0.45

0.5

0.55

0.6

0.65

0.7

0.75

0.8x

n;2

t

~Ln(,)

Ln1

Ln2

Training set 1Training set 2Test set

Fig. 3. ODIT procedure with M1 = 5, M2 = 10, α = 0.2, k = 2.Dn1 = d[logLn1 − log Ln

(α)] and Dn2 = d[logLn2 − log Ln

(α)] are used as

in (1) for online anomaly detection (see also Fig. 4). Test points are fromthe same nominal distribution as training points, which is a two-dimensionalGaussian with independent components, 0.5 mean, and 0.1 standard deviation.

know/estimate the anomalous and even the nominal probabilitydistributions. Hence, parametric anomaly-based IDSs, as wellas many conventional signature-based IDSs are not feasiblein addressing stealthy DDoS attacks through IoT. Recently,an online and non-parametric detector called the Online Dis-crepancy Test (ODIT) was proposed for detecting persistentand abrupt anomalies [26]. Thanks to its nonparametric op-eration, ODIT does not need to know baseline or anomalousdistributions beforehand, hence can address the challenge (C3)stated in Section I-A. ODIT is a sequential method whichaccumulates evidence in time, and makes a decision at eachtime based on the accumulated evidence so far, instead ofmaking a hard decision based on a single data point. Thissequential nature of ODIT is tailored for timely detection,thus it is able to address the challenge (C4). Moreover, ODITcan handle monitoring large number of devices together (seeSections III-D and IV), which addresses the challenge (C2).

In this work, we propose a novel modification for ODIT,and prove that this modified version, as the training datasize grows, asymptotically becomes the Cumulative Sum(CUSUM) test, which is the optimum sequential change detec-tion algorithm in the minimax sense. CUSUM is a parametrictest which assumes both the nominal and the anomalousdistributions are completely known [27].

We next show the procedure for the proposed ODIT-basedIDS for a node n, which observes a d-dimensional normalizeddata vector xnt ∈ [0, 1]d, where d is the number of devices,at each time t. Here, in the context of DDoS attack detection,xnt denotes the number of packets received from the d devicesin the network at time t and normalized by the correspondingmaximum number of packets for each device. Normalizationof each dimension of xnt into [0, 1] is performed to dealwith the typical heterogeneity in the data communicationcharacteristics of IoT devices.Then, in Section III-B, we showhow to achieve cooperation among nodes.

Training: Given an attack-free training dataset XnM ={xn1 , . . . , xnM} which represents the baseline (i.e., nominal)operation, we begin our training procedure.

1) Randomly split XnM into two subsets XnM1and XnM2

withM1 and M2 points, where M1 + M2 = M , for com-putational efficiency, as in the bipartite GEM algorithm[28].

2) For each point xni in XnM1find the kth-nearest-neighbor

(kNN) distance Lni with respect to the points in XnM2.

3) For a significance level α, e.g., 0.05, store the (1− α)thpercentile Ln(α) of kNN distances {Ln1 , . . . , LnM1

} to useas a baseline statistic for computing the anomaly evidenceof test instances.

The training procedure is illustrated in Fig. 3, where thetraining set consists of M = 15 points, which is then randomlysplit into two sets of M1 = 5 points (denoted by green) andM2 = 10 points (denoted by blue). In this example, for eachpoint in the first set, we find the second-nearest-neighbor (k =2) distance with respect to the second set. The largest kNNdistance (α = 0.2) among the points in the first set is used asthe baseline statistic Ln(α).

Testing: When a new data xnt is observed at time t,1) Compute

Dnt = d[logLnt − log Ln(α)] (1)

where Lnt is the kNN distance of the new data point xntwith respect to the points in XnM2

, and Ln(α) is obtainedin the training.

2) Treating the statistic Dnt as a positive/negative evidence

for anomaly accumulate it over time as in CUSUM:

snt = max{snt−1 +Dnt , 0}, sn0 = 0, (2)

where Dnt is given in (1).

3) Decide to continue taking a new data point xnt+1 if theaccumulated evidence snt is not sufficient for raising anattack alarm, and stop and raise an alarm at the first timesnt ≥ h, i.e., at time

Tn = min{t : snt ≥ hn}, (3)

where hn > 0 is a predetermined threshold.As compared to anomaly evidence Dt = Lt − L(α)

presented in the original ODIT algorithm [26], we use theform given in Eq. 2. This modification enables an asymptoticoptimality proof, which is presented in Theorem 1. Theintuition behind this modification is to explicitly show theanalogy between the attack evidence Dt and log-likelihoodratio.

Theorem 1. When the nominal distribution f0(xnt ) is finiteand continuous, and the attack distribution f1(xnt ) is a uni-form distribution whose support includes xnt , as the trainingset grows, the anomaly evidence Dn

t converges in probabilityto the log-likelihood ratio,

Dnt

p→ logf1(xnt )

f0(xnt )as M2 →∞, (4)

i.e., the proposed ODIT detector converges to CUSUM, whichis minimax optimum in minimizing expected detection delaywhile satisfying a false alarm constraint.

5

1 2 3 4 5 6 7 8 9 10

t

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

ODIT statistic, snt

Detection threshold, hn

Fig. 4. ODIT statistic and decision procedure using the setup in Fig. 3 andanomalous test points from uniform distribution over [0, 1]. Anomaly startsat t = 6, and detected at t = 7 with the shown threshold.

Proof: See the Appendix.

Since the proposed detector does not train on anomalousdata or assume any model for anomaly, the uniform distribu-tion condition on f1 for asymptotic optimality is expected.

Parameter Selection: The detection threshold hn mani-fests a trade-off between minimizing the detection delay andminimizing the false alarm rate, as can be seen in Fig. 4.Particularly, smaller threshold facilitates early detection, butalso increases the probability of false alarm. In practice, hn canbe chosen to satisfy a given false alarm rate. The number ofneighbors k also affects the trade-off between early detectionand small false alarm rate. Smaller k would result in beingmore sensitive to anomaly, hence supports earlier detection,but at the same time it causes to be more prone to the falsealarms due to nominal outliers. Larger k would result invice versa. The choice for M1 and M2 is typically skewedtowards M2, i.e., M2 > M1, since M2 determines the degreeof resemblance between kNN distance likelihood under thenominal case, as explained in Theorem 1. The significancelevel α is an intermediate parameter whose effect can becompensated by the threshold h. As a rule of thumb, a smallα value, such as 0.05, should be first selected, and then hnshould be set to satisfy a desired false alarm rate.

Remark 1. A training set that is free of anomaly can beobtained through either human supervision or through anisolated secure system. We should emphasize here the dif-ference between anomaly and outlier. The training set maycontain outliers that are generated under no-attack conditions.Outliers correspond to “tail events” that can occur undernominal settings with low probability. Although outliers arerare under normal operations, they can still exist in thetraining set, and their natural existence does not harm theregular operation of the proposed detector. On the otherhand, anomaly is a change in the system behavior, i.e., inthe probability distribution of the generated data. In otherwords, anomaly can be defined as the existence of “persistentoutliers”, as opposed to the sporadic nominal outliers.

B. Cooperative Operation

Multiple nodes running the proposed IDS given in Eq.(1)–(3) can cooperate for earlier detection and mitigationof attacks by leveraging the hierarchical structure shown inFig. 1. Following the cooperative CUSUM with independenceassumption in [29] we propose a cooperative detector whichsums the local statistics computed at the nodes to obtain aglobal statistic st =

∑Nn=1 s

nt . That is, at each time t, each

node n updates its local statistic snt using (2) and transmits itto the center, which sums them to obtain the global detectionstatistic st. Then, the center decides whether or not thereis an attack similarly to (3), i.e., raises an alarm at timeT = min{t : st ≥ h}. This cooperative detector can detectattacks earlier than the single-node ODIT detector thanks tothe spatial diversity, i.e., accumulated attack evidences frommultiple nodes. Note that the statistics from nodes without anyattacked device typically take small values close to zero, butnever become negative according to (2). Thus, they do not neg-atively contribute to the global statistic st, and consequentlydo not cause extra delay in detection.

The cooperative scheme through summing local statisticsin a hierarchical architecture enables the proposed detectorto easily scale to arbitrarily large networks. The optimalstatistical detection would normally require multivariate anal-ysis for all the devices in the entire network. However, dueto the abundance of IoT devices this is not feasible; andmore importantly due to the natural hierarchical structurein IoT networks such a large-scale multivariate analysis isunnecessary. Specifically, IoT devices are grouped under nodessuch as smart home routers, and devices under differentnodes can be typically modeled independently under no-attack conditions. Although an attack will normally correlatethem, it is reasonable to relax that constraint since a practicalattack strikes devices asynchronously, i.e., each of the attackeddevices has different attack onset times. This relaxation iscritical for CUSUM to be applicable to any multi-dimensionalsetting since it is not tractable to estimate the set of attackeddevices to perform multivariate analysis [29]. After detection,the mitigation procedure given in the next subsection can beapplied at each node.

C. Mitigation Strategy

Timely detection of a DDoS attack is a necessary, but nota sufficient condition for ensuring the security of a system.We need a mitigation strategy that is capable of stopping theDDoS attack by identifying the attacking IoT devices, and thenblocking the traffic originating from those devices.

We perform an in-depth analysis to determine which IoTdevices are causing the increase. We begin by examiningthe cooperative statistic st calculated in Sec. III-B and de-termining which nodes are causing the increase. Once theattacking nodes are identified, we examine every dimension,which represent an IoT device connected to the node, of thedistance Lnt , calculated in Sec. III-A. (Lnt )2 corresponds to thesquared Euclidean norm of the d-dimensional distance vectorynt = xnt − xn(k) whose jth entry yn,jt is the distance of thedata from device j at time t to the jth dimension of kth nearest

6

neighbors, i.e., (Lnt )2 = ‖ynt ‖22. If yn,jt comes out large, thenit contributes to a large Lnt towards an alarm, which providesan evidence that the device is under attack. Hence, after analarm is raised at time T , we

1) first determine the time instance τ when the test statisticst started to increase since the last time it was zero (τ = 6in Fig. 4), which can be seen as an estimate for the attackonset time,

2) then, compute the average statistic

sn =1

T − τ + 1

T∑t=τ

snt (5)

for each node n, and compare it with a threshold θ1 todetermine the attacking nodes, i.e., node n has attackeddevices if sn ≥ θ1.

3) then, for each node identified as attacking, compute theaverage distance

yn,j =1

T − τ + 1

T∑t=τ

yn,jt (6)

for each device j under it, and compare it with a thresholdθ2 to decide as attacking or not, i.e., device j is identifiedas attacking if yn,j ≥ θ2.

As usual the selection of threshold θ1 and θ2 controlsa balance between the False Positive Rate (FPR) and TruePositive Rate (TPR). As shown in Fig. 15, the proposedmitigation technique achieves high TPR for almost all FPReven in the challenging attack scenario investigated in SectionIV. We should note that the procedure in Eq. (6) requiressome memory to store the most recent distance values for alldimensions local to the node performing the procedure.

Combining the detection and mitigation strategies, the pro-posed IDS technique is summarized in Algorithm 1.

D. Computational Complexity

The following theorem shows that the proposed algorithmcan scale well to large systems.

Theorem 2. The online time complexity and space (i.e.,memory or storage) complexity of Algorithm 1 linearly scaleswith M2, the number of points in the second training set, andd, the number of devices, i.e., O(M2d). The offline trainingtime complexity is O(M1M2d).

Proof: See the Appendix.

Remark 2. There are efficient ways of finding (approximate)k nearest neighbors that scale even better to high-dimensionalsystems. For instance the method proposed in [30] has a timecomplexity of O(λd) in online testing where λ is the maximumnumber of points to examine for finding k nearest neighbors.λ can be chosen much smaller than M2 at the expense ofdecreasing the accuracy of kNN approximation. Hence, abalance between approximation quality and computationalcomplexity should be sought while choosing λ. Consequently,using a fast kNN method instead of straightforward computa-tion the real-time operation capability and/or the scalabilityof the proposed method can be significantly enhanced.

Algorithm 1: Proposed detection & mitigation algorithm1: Initialize: s0 = 0, t = 02: for n = 1, . . . , N do3: Partition training set into XnM1

and XnM2

4: Determine Ln(α)5: end for6: while st < h do7: t← t+ 18: Get new data {xnt } and compute {Dn

t } as in (1)9: snt = max{snt +Dn

t , 0}10: st =

∑Nn=1 s

nt .

11: end while12: Declare attack at T = t13: for n = 1, . . . , N do14: Compute sn as in (5)15: if sn ≥ θ1 then16: for j = 1, . . . , d do17: Compute yn,j as in (6)18: if yn,j ≥ θ2 then19: Block traffic from device j20: end if21: end for22: end if23: end for

E. Dynamic Environments

A major challenge for any anomaly-based intrusion detec-tion system is adaptability to dynamic environments. Thismeans that the system should be adaptable to changes in theenvironment, while still recognizing abnormal activities. In adynamic IoT network such as a university or a shopping mall,the number of devices may frequently change based on thenumber of people, time of the day, day of the year etc. Withvarying number of devices over time the challenge for theproposed IDS is computing the kNN distance under varyingnumber of data dimensions.

A key observation here is that data rates are specific to appli-cations rather than devices. For instance, video streaming hascertain data rates regardless of the streaming device. Hence,considering a list of applications that are used in the network,such as web browsing, music and video streaming, we can dealwith the changing number of dimensions. Specifically, we firstcollect training data for the extreme scenario with maximumnumber of devices running each application simultaneously.During online testing, at each time we modify the training setby ignoring the unused dimensions for each application, andcompute Lnt .

Since there is a huge number of possible combinations forthe number of devices running each application, performingthe expensive training procedure (see Theorem 2) for eachsuch combination to compute the baseline statistic Ln(α) is notfeasible. Hence, we propose to build a function approximatorfor Ln(α). We collect data for several different combinations,and compute Ln(α) for each such combination. Using thenumber of devices running each application as input we traina regression model to estimate the Ln(α) value for a given

7

550

600

650

700

750

800

850

900

~ Ln (,

)Sta

tist

ic

200 250 300 350 400 450 500

Number of devices

Exact ODIT

Estimated ODIT

Fig. 5. Comparison of the estimated Ln(α)

statistic to the computed one fordifferent combinations with increasing number of devices.

combination. The results for Gaussian process regression isshown in Fig. 5. A simpler method (e.g., linear regression) ora more sophisticated method (e.g., deep neural network) canbe used for the regression model. In Fig. 5, we compare theestimated Ln(α) statistic to the computed one for different com-binations with increasing number of devices. We see that theestimated statistic closely matches that of exact ODIT, whichis infeasible to compute for all combinations. Furthermore,the baseline statistic Ln(α) depends on the selected significancelevel α, which is a design parameter. Our simulations showthat a small mismatch between the estimated and computedLn(α) values is not critical for the algorithm’s performance.

IV. EXPERIMENTAL RESULTS

In this section we evaluate the performance of the proposedIDS using real data, an IoT testbed, and simulations.

A. N-BaIoT Dataset

We firstly consider the N-BaIoT dataset [23] 1, whichcontains data from various IoT devices under both nominaland attack conditions. The network consists of of nine devices,namely a thermostat, a baby monitor, a webcam, two doorbells,and four security cameras connected via WiFi. The datasetdescription, as well as attacks considered in our experimentsare presented in Table I. We do not consider UDP and TCPattacks in our experiments since the provided data does notcorrelate with typical UDP and TCP attacks.

Our results show that the proposed ODIT-based IDS signif-icantly outperforms the deep autoencoder-based IDS proposedin the N-BaIoT paper [23], and by extension Isolation Forest[31], SVM [32] and LOF [33], which are shown to beoutperformed by the autoencoder method. In Fig. 6, we presentthe false positive rate and the average detection delay wheneach device is under attack. Here, the average detection delayis analogous to the false negative rate as all the misclassifiedanomalous instances would contribute to the average detectiondelay. The proposed ODIT-baed method achieves much moreaccurate and quicker detection than the autoencoder-based

1This dataset is available at the UCI Machine Learning Repository.

1 2 3 4 5 6 7 8 9Device

0

0.005

0.01

0.015

0.02

0.025

False

Pos

itiv

eR

ate

AutoencoderODIT

1 2 3 4

0.5

1

1.5

2

#10-3

1 2 3 4 5 6 7 8 9

Device

0

5

10

15

20

25

30

35

40

45

Aver

age

Det

ection

Delay

(sam

ples)

ODITAutoencoder

6 8 100

0.1

0.2

Fig. 6. Comparison between deep autoencoder-based IDS and the proposedODIT-based IDS in terms of false positive rate (top) and average detectiondelay (bottom). The x-axis corresponds to the index of the attacked device.

Fig. 7. IoT testbed consisting of NodeMCUs, smart switches, security camera,Amazon Echo Show, laptop, tablet, and Raspberry Pi.

method except for device 8. On further analyzing the data,we see that there are a few outliers in the data for device 8,which causes some false alarms. Note that by increasing thedecision threshold h, we are able to reduce the false positiverate at the cost of a slightly higher detection delay. Conversely,a smaller detection delay can be achieved by setting a lowerthreshold at the cost of a few more false alarms. Thanks to itssequential nature, the ODIT-based IDS detects the attacks rightafter it occurs while satisfying very small false alarm rates.Whereas, the autoencoder-based IDS applies a majority votingin a moving window for attack detection, thus its detectiondelay is at least half the window size. The optimum windowsizes reported in [23] for each device are used for comparisons.

B. Testbed Results

We next present a hardware implementation of our pro-posed attack detection and mitigation algorithm. Even though

8

TABLE IOVERVIEW OF THE N-BAIOT DATASET PROPERTIES, BOTNET INFECTIONS, AND CONSIDERED ATTACK TYPES

Dataset Properties Botnet Infections Considered Bashlite Attacks Considered Mirai AttacksDevice

IDDevice Make and Model Device Type Mirai BASHLITE Combo Junk Scan TCP UDP ACK Scan SYN UDP UDP Plain

1 Danmini Doorbell ! ! ! ! ! - - ! ! ! - !

2 Ennio Doorbell x ! ! ! ! - - - - - - -3 Ecobee Thermostat ! ! ! ! ! - - ! ! ! - !

4 Philips B120N/10 Baby Monitor ! ! ! ! ! - - ! ! ! - !

5 Provision PT-737E Security Camera ! ! ! ! ! - - ! ! ! - !

6 Provision PT-838 Security Camera ! ! ! ! ! - - ! ! ! - !

7 SimpleHome XCS7-1002-WHT Security Camera ! ! ! ! ! - - ! ! ! - !

8 SimpleHome XCS7-1003-WHT Security Camera ! ! ! ! ! - - ! ! ! - !

9 Samsung SNH 1011 N Webcam x ! ! ! ! - - - - - - -

Fig. 8. Setup for hardware implementation.

0 500 1000 1500 2000 2500 30000

500

1000

0 500 1000 1500 2000 2500 30000

10

20

0 500 1000 1500 2000 2500 30000

500

1000

Fig. 9. Time series for number of packets sent by a computer (top), aNodeMCU (middle), and an Amazon Echo Show (bottom).

there are several dataset already available, none of themaddresses stealthy DDoS attacks. In existing works, even a300% increase from the nominal data rate of a device isconsidered low-rate DDoS, e.g., [18]. However, due to theexponential increase in the number of IoT devices, muchlower data rates, e.g., a 30% increase, might be sufficientfor performing effective DDoS attacks, as exemplified by therecent Mongolian DDoS attacks [3]. Also, most of the datasets

TABLE IITESTBED ATTACK CHARACTERISTICS

Attack Name Attack Type Magnitude CompromisedDeviceHttp Flooding Application Low-Rate Node MCU

ICMP Flooding Volumetric Low-Rate Node MCUPing of Death Protocol Low-Rate LaptopUDP Flooding Volumetric High-Rate Laptop

seem to concentrate only on vulnerable devices, but in a typicalnetwork, there are also devices that cannot be compromisedeasily, and account for a significant amount of backgrounddata. We first present the testbed setup, and then provide theexperimental results using the testbed data.

Testbed Setup: To demonstrate a typical IoT network, wecollected the network traffic data from devices that were con-nected via Wi-Fi to an access point, which is wire connectedto a router. For sniffing the network traffic, we performedport mirroring on the router, and recorded the data usingWireshark. The goal here is to design a setup that is as closeto a real life scenario as possible for studying stealthy DDoSattacks. We consider a network consisting of 15 popular IoTdevices, namely a laptop computer, a tablet, 7 NodeMCUs, 4smart switches, an Amazon Echo Show device, and a securitycamera as shown in Fig. 7. The purpose of using a computerand a tablet is to consider devices which cannot be easilycompromised yet they account for a significant amount oftraffic passing through the router. The NodeMCUs, which mayrepresent various IoT devices on the market, are configured toupdate their status on a local server. A Raspberry Pi acts as acommand and control (C&C) server which is used to start andstop attacks. In Fig. 8, we show the setup for our hardwareimplementation. A comparison between the number of packetstransmitted from a computer, a NodeMCU, and an AmazonEcho Show over a period of time is shown in Fig. 9. It is seenthat each device has two major operating states: an active stateand an idle state. However, there is a stark difference betweenthe transmission patterns for each device.

Attack Models & Results: We implemented 4 differentattacks, as shown in Table II. The data was captured in pcapformat by using Wireshark and is publicly available 2. In Httpflooding, at t = 80 sec., we slightly increase the mean ratesof updating the server for two of the NodeMCUs. Particularly,there is small increase in the number of Get requests from two

2https://github.com/kevaldoshi17/DDoSAttackDetection

9

0 500 1000 1500 2000 2500 3000

0

200

400

600

800

1000

0 500 1000 1500 2000 2500 3000

0

200

400

600

800

1000

Fig. 10. Time series for total number of packets sent over the entire networkwithout (top) and with the stealthy Http flooding attack (bottom).

NodeMCUs. To depict that the attack magnitude does not haveto be consistent across all devices, we increase the mean packetrate of NodeMCU 1 by 10% and of NodeMCU 2 by 30%.In Fig. 10, we show a comparison between the total numberof packets sent over the entire network with and without thestealthy Http attack. It is seen that due to the low-rate natureof the attack, there is no visible increase in the total number ofpackets. Hence, filter-based methods which monitor the totalnumber of packets transmitted in the network, would fail todetect such a stealthy attack. In all cases, the input to theproposed IDS is the number of each packet type from eachindividual device.

In Fig. 11, we see that from t = 0 to t = 80, the ODITstatistic under the Http attack does not increase considerably,but after t = 80, it steadily increases. This figure is takenfrom a real-time demonstration which is available online 3.By adjusting the threshold we can have a trade-off betweenthe detection delay and number of false alarms. In Fig. 12, wecompare the proposed ODIT-based IDS with the informationmetric-based algorithm proposed in [18] in terms of averagedetection delay under all attack cases. The method in [18]uses an information distance metric based on the generalized(Renyi) entropy. It uses a window to compute the informationmetric on the aggregate traffic at each node, which causes lossin time resolution, and also in early detection ability. SinceODIT monitors each packet type from every individual device,it is able to detect the attack with a much smaller detectiondelay for the same false alarm rates.

Similarly in the other three attack cases, ODIT quickly andaccurately detects the attacks by closely monitoring the datatraffic in each type from each device thanks to its multivariatenature. It takes much longer for the information metric IDSto detect the attacks at the same false alarm rate as thereis no significant increase in the number of total number ofpackets. Although in ICMP flooding, the data rates of the twoNodeMCUs are again increased 10% and 30%, this time it

3https://youtu.be/zQexZgB5AMs

TABLE IIINOMINAL DATA MODEL FOR DIFFERENT IOT DEVICES.

Data Model

IoT DevicesActiveStateProbability

MeanPacketRate

IdleStateProbability

MeanPacketRate

Thermostat 0.25 25 0.75 5Smart Light 0.05 10 0.95 5Security Camera 1 80 0 0Smart Printer 0.05 75 0.95 5Smart TV 0.3 120 0.7 10

is easier for the information metric method to detect sincethe number of ICMP packets in the network is much smallerthan the number of Http packets. In the case of ping of deathattack, which results in an increase in the number of ICMPpackets, the proposed IDS achieves zero detection delay in alltrials. Finally, in the UDP flood attack, we considered a higherattack rate by increasing the nominal data rate of the laptopby 100%. In this case, the performance of information metricmethod improves, but ODIT still outperforms it by detectingthe attack under 0.2 second on average for a false alarm rateof 0.01.

C. Simulation Results

We finally present simulation results to evaluate the per-formance of the proposed IDS in a large network with manynodes, where a stealthy DDoS attack from many compromisedIoT devices can actually take down a server.

Simulation Setup: The simulation setup consists of 10nodes each of which monitors 100 devices (Fig. 1). The IoTdevices considered here are those that are most likely to becompromised or devices that are present in every smart home.The devices are assumed to have two states of operation, idlestate and active state. The assumed probabilities of the devicesbeing in idle or active state are given by Table III. We injectthe attack traffic of different rates into the simulated dataset,and apply the proposed detection and mitigation scheme todiagnose these attacks. We perform this repeatedly for differentkinds of scenarios in which various combinations of devicesget attacked to compute the Average Detection Delay vs. FalseAlarm Rate (i.e., false alarm probability) performance.

In each node, we assume data from each IoT device isindependent and identically distributed (iid) following thepattern given in Table III. The probabilities listed are basedon heuristics and standard day-to-day usage of the mentioneddevices. For example, a smart TV is considered to be usedapproximately 7 to 8 hours in a day, so its active stateprobability is given as 0.3. With the shown probabilities,devices may or may not switch state after a session. Weconsider the following session durations: 5 sec. for thermostat,10 sec. for smart light, 40 sec. for smart printer, 900 sec. forsmart TV, and “always on” for security camera. The meanpacket rates are determined by considering the amount ofdata that is transmitted per second and the average packetsize. For each device, the number of packets are generatedusing the mixture of two Gaussian distributions defined bythe active state probability, mean packet rates and a commonstandard deviation, chosen as 5. To obtain the number of

10

Fig. 11. Live implementation of the proposed IDS in the stealthy Http flooding attack case. At t = 80 attack starts by increasing the data rate of device 1by 10% (third from top) and device 2 by 30% (bottom). In such a stealthy attack, there is no visible change in the total number of packets in the network(second from top). The detection statistic of the proposed IDS steadily increases right after the attack, and alarms when it crosses the threshold (top).

packets, the generated real-valued numbers are rounded to thenearest nonnegative integer. For the purpose of simulations,the training data consists of 40 hours of attack-free data from100 different devices in each node.

Attack Model: Here we consider a practical scenario inwhich the IoT devices could be under attack, but the nodeis assumed to be secure. To parameterize the attack size,we consider 10% of the devices to be compromised. Theattacked devices are randomly selected to assume a generalmodel. During the attack phase, the data rates of the selecteddevices are increased slightly by 10%. To demonstrate theeffectiveness of such a stealthy attack, we plotted in Fig. 13 thetotal number of packets received by the server when attackedfrom 100,000 devices with 10% increase in their data rates.

Comparisons: We compare our proposed model with anIDS based on cooperative CUSUM [29], which knows theexact parameters of the nominal model and the anomalousmodel. CUSUM knows exactly the mean and standard devi-ation of the Gaussian distribution, as well as the probabilityof being active for each device. Note that due to roundingto the nearest nonnegative integer value, the real probabilitydistribution of number of packets deviates from the generativebimodal Gaussian. Hence, the proposed ODIT detector evensometimes outperforms CUSUM, which exactly knows thegenerative Gaussian model. The results for Average DetectionDelay vs False Positive Rate are shown in Fig. 14. We seethat the cooperative ODIT-based IDS, proposed in SectionIII-B, performs better than the clairvoyant CUSUM detector,which exactly knows the generative probabilistic model, forfalse alarm rates less than 0.1. It significantly outperforms theinformation metric method proposed in [18], which monitorsthe aggregate traffic at each node. In Fig. 14, it is seenthat the cooperation among nodes facilitates earlier detection

by our algorithm (ODIT vs. Cooperative ODIT). Throughthe proposed computationally efficient cooperation scheme,given in Section III-B, the ODIT-based IDS is able to handlelarge networks with thousands of devices. This result canbe easily extended to even larger networks with millionsof devices. Finally, in Fig. 15, we evaluate the mitigationperformance of the proposed method (see Section III-C). Sincethe method in [18] monitors the aggregate traffic at nodes, itis not straightforward for it to detect the attacking devices.Thus, to evaluate our mitigation performance, we considerthe data filtering method, which simply applies a thresholdto the observed raw data. The reported Area Under the Curve(AUC) values in Fig. 15 illustrate the successful mitigationperformance of the proposed method under a challengingstealthy attack scenario.

V. LIMITATIONS AND FUTURE WORK

In this work, we proposed a novel intrusion detection systemwhich is capable of quickly and accurately detecting andmitigating a broad set of IoT-empowered attacks, in particularstealthy low-rate DDoS attacks. However, there are still somelimitations which need to be addressed to make the systemmore robust to attacks in the future. First, it is assumed thatthe nominal behavior of the devices does not change overtime, so the IDS needs to be trained only once. However,in a real system implementation the IDS needs to be updatedperiodically. Secondly, feature extraction plays an importantrole as number of packets or packet size might not alwaysexactly represent the characteristics of a real network. Forfuture work, we plan to investigate other aspects of dynamicnetworks such as continual learning under changing nominalnetwork traffic.

11

0 0.5 1 1.5 2 2.5 3

− log10(False Alarm Rate)

0

2

4

6

8

10

12

14

16

Averag

eDetectionDelay

ODITInfo. Metric

0 0.5 1 1.5 2 2.5 3

− log10(False Alarm Rate)

0

0.5

1

1.5

2

2.5

3

3.5

AverageDetectionDelay

ODITInfo. Metric

0.5 1 1.5 2 2.5 3

− log10(False Alarm Rate)

0

1

2

3

4

5

AverageDetectionDelay ODIT

Info. Metric

0 0.5 1 1.5 2 2.5 3

− log10(False Alarm Rate)

0

0.5

1

1.5

AverageDetection

Delay ODIT

Info. Metric

ICMP Flood AttackHTTP Flood Attack

Ping of Death Attack UDP Flood Attack

Fig. 12. Comparison of the proposed ODIT-based IDS and the information metric-based IDS in [18] for attacks presented in Table II.

0 200 400 600 800 1000 1200 1400 1600 1800 2000

Time (sec)

1.5

2

2.5

3

3.5

4

4.5

Number

ofpacketsrecieved

byserver

×105

Nominal Attack

Fig. 13. Impact of stealthy DDoS attack on the server. The attack consistsof 100,000 devices with 10% increase in their data rates.

VI. CONCLUSION

With the proliferation of IoT devices, and the ease oftriggering DoS attacks even by unsophisticated maliciousparties, there is an increasing need for developing solutionsto DDoS via IoT, especially the recent stealthy DDoS attacks.In this context, we presented a general and emerging threatmodel for hierarchical IoT networks. We then introduced anovel intrusion detection and mitigation framework that em-ploys an online, scalable and nonparametric anomaly detectionalgorithm. Through real and simulated data, as well as an IoTtestbed we evaluated the performance of proposed detectionand mitigation scheme under challenging stealthy DDoS attackscenarios. Applications of the proposed scheme to large anddynamic networks with varying number of devices were alsoconsidered.

0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2

− log10(False Alarm Rate)

0

5

10

15

20

25

30

AverageDetection

Delay

Cooperative ODITCooperative CUSUMODITInfo. Metric

0 0.5 1 1.5 20

0.2

0.4

0.6

0.8

Fig. 14. Average detection delay vs. False positive rate for the proposedcooperative ODIT-based IDS, the IDS based on cooperative CUSUM [29],and information metric-based IDS [18]. The network consists of 10 nodeseach of which has 100 devices connected to it. 10% of the devices attackwith 10% increase in data rate with respect to their nominal rates.

REFERENCES

[1] Arsalan Mosenia and Niraj K Jha. A comprehensive study of security ofinternet-of-things. IEEE Transactions on Emerging Topics in Computing,5(4):586–602, 2017.

[2] Imperva. Types of ddos attacks. https://www.imperva.com/learn/application-security/ddos-attacks/.

[3] Nexusguard. Q3 2018 threat report: Distributed denial of service(ddos). https://www.nexusguard.com/hubfs/2019%20PTC/NexusguardQ3%202018%20Threat%20Report.pdf, 2019.

[4] Elisa Bertino and Nayeem Islam. Botnets and internet of things security.Computer, (2):76–79, 2017.

[5] Yasin Yilmaz and Suleyman Uludag. Mitigating iot-based cyberattackson the smart grid. In Machine Learning and Applications (ICMLA),2017 16th IEEE International Conference on, pages 517–522. IEEE,2017.

12

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

False Positive Rate

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

Tru

ePos

itiv

eR

ate

ODIT: AUC = 0.9825Filter: AUC = 0.6021

Fig. 15. Mitigation performance of ODIT vs. Data filtering method whichapplies a threshold on the data rates. After detecting an attack, the proposedIDS successfully identifies attacked devices, and blocks their traffic.

[6] Laurence Goasduff. Gartner says 5.8 billion enter-prise and automotive iot endpoints will be in use in2020. https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8-billion-enterprise-and-automotive-io,2019.

[7] Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, andJeffrey Voas. Ddos in the iot: Mirai and other botnets. Computer,50(7):80–84, 2017.

[8] Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, ElieBursztein, Jaime Cochran, Zakir Durumeric, J Alex Halderman, LucaInvernizzi, Michalis Kallitsis, et al. Understanding the mirai botnet. InUSENIX Security Symposium, pages 1092–1110, 2017.

[9] Mirai source code. https://github.com/jgamblin/Mirai-Source-Code.[10] Alma D Lopez, Asha P Mohan, and Sukumaran Nair. Network traffic

behavioral analytics for detection of ddos attacks. SMU Data ScienceReview, 2(1):14, 2019.

[11] Ahmad Riza’ain Yusof, Nur Izura Udzir, and Ali Selamat. Systematicliterature review and taxonomy for ddos attack detection and prediction.International Journal of Digital Enterprise Technology, 1(3):292–315,2019.

[12] Mark Shtern, Roni Sandel, Marin Litoiu, Chris Bachalo, and VasileiosTheodorou. Towards mitigation of low and slow application ddosattacks. In 2014 IEEE International Conference on Cloud Engineering,pages 604–609. IEEE, 2014.

[13] Enrico Cambiaso, Gianluca Papaleo, and Maurizio Aiello. Taxonomyof slow dos attacks to web applications. In International Conferenceon Security in Computer Networks and Distributed Systems, pages 195–204. Springer, 2012.

[14] Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A Spirito, andMark Vinkovits. Denial-of-service detection in 6lowpan based internetof things. In 2013 IEEE 9th international conference on wirelessand mobile computing, networking and communications (WiMob), pages600–607. IEEE, 2013.

[15] Vipindev Adat and BB Gupta. A ddos attack mitigation framework forinternet of things. In Communication and Signal Processing (ICCSP),2017 International Conference on, pages 2036–2041. IEEE, 2017.

[16] Krushang Sonar and Hardik Upadhyay. An approach to secure internetof things against ddos. In Proceedings of International Conference onICT for Sustainable Development, pages 367–376. Springer, 2016.

[17] Ping Du and Shunji Abe. Ip packet size entropy-based scheme fordetection of dos/ddos attacks. IEICE transactions on information andsystems, 91(5):1274–1281, 2008.

[18] Yang Xiang, Ke Li, and Wanlei Zhou. Low-rate ddos attacks detectionand traceback by using new information metrics. IEEE transactions oninformation forensics and security, 6(2):426–437, 2011.

[19] Varun Chandola, Arindam Banerjee, and Vipin Kumar. Anomalydetection: A survey. ACM computing surveys (CSUR), 41(3):15, 2009.

[20] Rohan Doshi, Noah Apthorpe, and Nick Feamster. Machine learningddos detection for consumer internet of things devices. arXiv preprintarXiv:1804.04159, 2018.

[21] Sven Nomm and Hayretdin Bahsi. Unsupervised anomaly based botnetdetection in iot networks. In 2018 17th IEEE International Conferenceon Machine Learning and Applications (ICMLA), pages 1048–1053.IEEE, 2018.

[22] Mehmet Necip Kurt, Yasin Yilmaz, and Xiaodong Wang. Real-timenonparametric anomaly detection in high-dimensional settings. arXivpreprint arXiv:1809.05250, 2018.

[23] Yair Meidan, Michael Bohadana, Yael Mathov, Yisroel Mirsky, AsafShabtai, Dominik Breitenbacher, and Yuval Elovici. N-baiotnetwork-based detection of iot botnet attacks using deep autoencoders. IEEEPervasive Computing, 17(3):12–22, 2018.

[24] Lersak Limwiwatkul and Arnon Rungsawang. Distributed denial ofservice detection using tcp/ip header and traffic measurement analysis. InCommunications and Information Technology, 2004. ISCIT 2004. IEEEInternational Symposium on, volume 1, pages 605–610. IEEE, 2004.

[25] Imperva. Breaking down mirai: An iot ddos botnet analysis. https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/.

[26] Yasin Yilmaz. Online nonparametric anomaly detection based ongeometric entropy minimization. In Information Theory (ISIT), 2017IEEE International Symposium on, pages 3010–3014. IEEE, 2017.

[27] Michele Basseville, Igor V Nikiforov, et al. Detection of abrupt changes:theory and application, volume 104. Prentice Hall Englewood Cliffs,1993.

[28] Kumar Sricharan and Alfred O Hero. Efficient anomaly detection usingbipartite k-nn graphs. In Advances in Neural Information ProcessingSystems, pages 478–486, 2011.

[29] Yajun Mei. Efficient scalable schemes for monitoring a large numberof data streams. Biometrika, 97(2):419–433, 2010.

[30] Marius Muja and David G Lowe. Scalable nearest neighbor algorithmsfor high dimensional data. IEEE Transactions on Pattern Analysis &Machine Intelligence, (11):2227–2240, 2014.

[31] Fei Tony Liu, Kai Ming Ting, and Zhi-Hua Zhou. Isolation forest.In 2008 Eighth IEEE International Conference on Data Mining, pages413–422. IEEE, 2008.

[32] Bernhard Scholkopf and Alexander J Smola. Learning with kernels:support vector machines, regularization, optimization, and beyond. MITpress, 2001.

[33] Markus M Breunig, Hans-Peter Kriegel, Raymond T Ng, and JorgSander. Lof: identifying density-based local outliers. In ACM sigmodrecord, volume 29, pages 93–104. ACM, 2000.

[34] Alan Agresti. An introduction to categorical data analysis. Wiley, 2018.

Keval Doshi received the B.Sc. degree in Electron-ics and Communications Engineering from GujaratTechnological University, India, in 2017. He is cur-rently a Ph.D. student at the Electrical Engineer-ing Department at the University of South Florida,Tampa. His research interests include machine learn-ing, computer vision, and cybersecurity.

Yasin Yilmaz (S’11-M’14) received the Ph.D. de-gree in Electrical Engineering from Columbia Uni-versity, New York, NY, in 2014. He is currentlyan Assistant Professor of Electrical Engineering atthe University of South Florida, Tampa. He receivedthe Collaborative Research Award from ColumbiaUniversity in 2015. His research interests includestatistical signal processing, machine learning, andtheir applications to computer vision, cybersecurity,IoT networks, energy systems, transportation sys-tems, and communication systems.

Suleyman Uludag received the Ph.D. degree inComputer Science from DePaul University, Chicago,IL, in 2007. He is currently an Associate Professorof Computer Science at the University of Michigan- Flint. He received the Fulbright U.S. ScholarProgram Core Award in 2012 and 2018. His researchinterests include security, privacy, and optimizationof data collection particularly as applied to the SmartGrid and Intelligent Transportation Systems.

13

Appendix – Timely Detection and Mitigation ofStealthy DDoS Attacks via IoT Networks

Keval Doshi, Yasin Yilmaz, and Suleyman Uludag

PROOF OF THEOREM 1

Consider a hypersphere St ∈ Rd centered at xnt with radiusLnt , the kNN distance of xnt with respect to the training setXnM2

. The maximum likelihood estimate for the probabilityof a point being inside St under f0 is given by k/M2. It isknown that, as the total number of points grow, this binomialprobability estimate converges to the true probability mass inSt in the mean square sense [34], i.e.,

k/M2L2

→∫Stf0(x) dx

as M2 →∞. Hence, the probability density estimate

f0(xnt ) =k/M2

Vd(Lnt )d,

where Vd(Lnt )d is the volume of St, converges to the actualprobability density function, f0(xnt )

p→ f0(xnt ) as M2 → ∞,since St shrinks and Lnt → 0. Similarly, considering ahypersphere S(α) ∈ Rd around xn(α) which includes k pointswithin its radius Ln(α), we see that as M2 → ∞, Ln(α) → 0and

f0(xn(α)) =k/M2

Vd(Ln(α))d

p→ f0(xn(α)).

Assuming a uniform distribution

f1(x) = f0(xn(α)), ∀x,

we conclude with

log

k/M2

Vd(Ln(α))d

k/M2

Vd(Lnt )d

= d[logLnt − log Ln(α)

]p→ log

f1(xnt )

f0(xnt )

as M2 →∞.

PROOF OF THEOREM 2

In online testing (see lines 6-11), the most expensive part isto compute Dn

t , in particular Lnt . And within Lnt the expensivepart is to find the kth nearest neighbor, which is O(M2d)if computed straightforwardly by computing the distance oftest point to all M2 training points. The space complexity ofthe algorithm is due to storing M2 training points, each ofwhich is d-dimensional, i.e., O(M2d). Note that the both time

This work was supported in part by the U.S. National Science Foundationunder the Grant CNS-1737598 and in part by the SCEEE-17-03 Grant.

K. Doshi and Y.Yilmaz are with the Electrical Engineering Depart-ment, University of South Florida, Tampa, FL USA (e-mail: keval-doshi@mail.usf.edu, yasiny@usf.edu).

S. Uludag, is with the Department of Computer Science, University ofMichigan - Flint, MI USA (e-mail: uludag@umich.edu).

and space complexity of the mitigation part shown in lines13-23 is O((T − τ + 1)d) where T − τ + 1 is a boundednumber close to the detection delay, typically much smallerthan M2. In training, to compute Ln(α) shown in line 4, kthnearest neighbor among M2 points are computed for eachof M1 points, requiring O(M1M2d) computations. However,training is performed once offline, so the complexity of onlinetesting is usually critical for scalability.