A Reliable Real-Time Slow DoS Detection Framework for Resource-Constrained IoT Networks

Abstract

Slow DoS attacks have proven to pose a significant security threat to low-resource IoT devices and networks, because they can be launched by nodes which consume nominal bandwidth and have limited resource capability. This makes such malicious attacks easy to initiate, but difficult to mitigate. There is also a recurrent likelihood of misclassifying legitimate nodes, which are experiencing slow or poor network connectivity, as malicious. Existing intrusion detection systems (IDS) for detecting Slow DoS attacks often require the creation of large datasets for post-event analysis. A functional disadvantage of this dataset-driven approach is the sheer volume of data required, due to the high number of network attributes and events collated, which precludes an in-line, real-time IDS detection solution for live IoT networks. This paper presents an innovative IDS detection framework for resource-constrained IoT networks. Using a set of only four attributes, a two-step analysis of live IoT network events enables Slow DoS attacks, in the form of Slowloris, to be both efficiently and reliably detected in real-time. In addition, this lightweight IDS framework can accurately distinguish between malicious and genuine nodes encountering slow or intermittent network connections.
