Graph-Based DDoS Attack Detection in IoT Systems with Lossy Network
This study introduces a robust solution for the detection of Distributed
Denial of Service (DDoS) attacks in Internet of Things (IoT) systems,
leveraging the capabilities of Graph Convolutional Networks (GCN). By
conceptualizing IoT devices as nodes within a graph structure, we present a
detection mechanism capable of operating efficiently even in lossy network
environments. We introduce various graph topologies for modeling IoT networks
and evaluate them for detecting tunable futuristic DDoS attacks. By studying
different levels of network connection loss and various attack situations, we
demonstrate that the correlation-based hybrid graph structure is effective in
spotting DDoS attacks, substantiating its good performance even in lossy
network scenarios. The results indicate a remarkable performance of the
GCN-based DDoS detection model, with an F1 score of up to 91%. Furthermore, we
observe at most a 2% drop in F1 score in environments with up to 50% connection
loss. The findings from this study highlight the advantages of utilizing GCN
for the security of IoT systems, which benefit from high detection accuracy
while being resilient to connection disruption.
Comment: 11 pages, 13 figure
Correlation-Aware Neural Networks for DDoS Attack Detection In IoT Systems
We present a comprehensive study on applying machine learning to detect
Distributed Denial of Service (DDoS) attacks in large-scale Internet of
Things (IoT) systems. While prior works and existing DDoS attacks have largely
focused on individual nodes transmitting packets at a high volume, we
investigate more sophisticated futuristic attacks that use large numbers of IoT
devices and camouflage their attack by having each node transmit at a volume
typical of benign traffic. We introduce new correlation-aware architectures
that take into account the correlation of traffic across IoT nodes, and we also
compare the effectiveness of centralized and distributed detection models. We
extensively analyze the proposed architectures by evaluating five different
neural network models trained on a dataset derived from a 4060-node real-world
IoT system. We observe that long short-term memory (LSTM) and a
transformer-based model, in conjunction with the architectures that use
correlation information of the IoT nodes, provide higher performance (in terms
of F1 score and binary accuracy) than the other models and architectures,
especially when the attacker camouflages itself by following benign traffic
distribution on each transmitting node. For instance, by using the LSTM model,
the distributed correlation-aware architecture gives an 81% F1 score against an
attacker that camouflages the attack with benign traffic, as compared to 35%
for the architecture that does not use correlation information. We also
investigate the performance of heuristics for selecting a subset of nodes to
share their data in correlation-aware architectures, in order to meet resource
constraints.
Comment: 16 pages, 17 figures, journa