Lightweight Intrusion Detection Using Multiple Entropies of Traffic Behavior in IoT Networks

2022 IEEE Global Conference on Artificial Intelligence and Internet of Things (GCAIoT) (2022)

Abstract
Since Mirai malware first appeared in 2016, different variants have been created. The variants infect Internet of Things (IoT) devices such as home routers and webcams. The scale of DDoS attacks using Mirai-infected IoT devices has exceeded 600 Gbps. There has been a lot of research on intrusion detection methods using machine learning for IoT networks. However, the existing method needs a lot of computational resources. Therefore, it is difficult to run such intrusion detection systems on resource-limited IoT gateways. In this research, we focus on the communication behavior of IoT devices, such as periodic communication with a specific server during benign operations. We propose a new intrusion detection method that represents the communication behavior of each host using multiple entropy features such as destination port number, source port number, and transmission time interval. The proposed method can achieve performance comparable to the existing intrusion detection method even when using a lightweight machine learning algorithm with fewer features. The evaluation results show that the proposed method can reduce the detection processing time by 28.7 ms and memory usage by up to 331 MiB compared to the existing method, and that it can achieve a detection accuracy of 99.8%, which is almost the same as the existing method.
Keywords
Machine Learning, Network Security, Malware
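
The per-host entropy features named in the abstract (destination port, source port, transmission time interval) can be sketched as follows. This is an added example, not code from the paper: the packet tuple layout, the 0.1 s interval bin, the function names and the sample packets are assumptions constructed here, and the classifier that would consume the features is not shown.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total * math.log2(total / c) for c in counts.values()), 0.0)

def host_entropy_features(packets, interval_bin=0.1):
    """Return {src_ip: {feature: entropy}} for one observation window.

    packets: iterable of (timestamp_s, src_ip, src_port, dst_port).
    interval_bin: assumed bin width in seconds for discretising packet gaps.
    """
    by_host = defaultdict(list)
    for ts, src, sport, dport in packets:
        by_host[src].append((ts, sport, dport))
    features = {}
    for host, rows in by_host.items():
        rows.sort()  # timestamp order, so gaps are between consecutive packets
        times = [ts for ts, _, _ in rows]
        gaps = [round((b - a) / interval_bin) for a, b in zip(times, times[1:])]
        features[host] = {
            "dst_port": shannon_entropy(dport for _, _, dport in rows),
            "src_port": shannon_entropy(sport for _, sport, _ in rows),
            "interval": shannon_entropy(gaps),
        }
    return features

# Constructed sample window (documentation addresses, not captured traffic).
# 192.0.2.10: one long-lived connection, a packet every 60 s to port 8883.
BENIGN = [(60.0 * i, "192.0.2.10", 49152, 8883) for i in range(5)]
# 192.0.2.20: irregular gaps, a new source port per packet, two target ports.
TIMES = [0.0, 0.1, 0.3, 0.6, 1.0, 1.5, 2.1, 2.8]
SPREADING = [(t, "192.0.2.20", 40000 + i, (23, 2323)[i % 2])
             for i, t in enumerate(TIMES)]
SAMPLE_PACKETS = BENIGN + SPREADING

if __name__ == "__main__":
    for host, feats in sorted(host_entropy_features(SAMPLE_PACKETS).items()):
        print(host, {k: round(v, 3) for k, v in feats.items()})
```

The periodic host collapses to zero entropy on all three features, while the second host separates on every one of them, which is the kind of contrast a lightweight classifier can learn from three numbers per host.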