Graph Based Machine Learning for Anomaly Detection in IoT Security

Authors

  • Amany Gouda, Tabuk University, Saudi Arabia
  • Kh. Ariunaaa, Mongolian University of Science and Technology, Ulaanbaatar, Mongolia

Keywords:

Internet of Things (IoT), Anomaly Detection, Graph Neural Networks (GNNs), Cybersecurity, Machine Learning, Dynamic Graphs, Intrusion Detection Systems (IDS), Edge Computing, Temporal Graph Learning

Abstract

The rapid growth in the number of Internet of Things (IoT) devices in critical infrastructure, smart homes and industrial systems has created complex security challenges, since the devices are heterogeneous, resource-constrained and highly interconnected. Conventional anomaly detection methods, such as rule-based and signature-based systems, do not adapt easily to highly dynamic and advanced attack vectors, particularly in large-scale, distributed environments. In this paper, we present a graph-based machine learning model that uses the relational nature of communications among devices in an IoT ecosystem to identify unusual activity. Specifically, IoT networks are modeled as dynamic graphs in which individual devices are nodes and communication events are edges carrying temporal and contextual metadata. To learn both the spatial interactions and the time-varying dynamics of network behavior, the proposed framework combines Graph Neural Networks (GNNs) with a recurrent temporal block, which can be an LSTM or a GRU. This allows the model to find not only static or point anomalies but also more complex patterns associated with stealthy, evolving threats. To prioritize critical interactions and make the model more interpretable, an edge-level attention mechanism is also introduced. The framework is validated on publicly available datasets, including BoT-IoT and TON_IoT, showing high detection accuracy and low false-positive rates, as well as computational performance efficient enough for real-time use. The findings indicate that the framework generalizes across different IoT topologies and protocols and performs better than a variety of baseline and state-of-the-art machine learning models.
Moreover, the system can also operate in edge and fog computing settings because of its lightweight nature and its ability to make decisions locally. Overall, the proposed study advances the state of the art in IoT security by providing a scalable, dynamic and explainable graph-based machine learning technique for anomaly detection as a robust protection mechanism against cybersecurity threats in next-generation smart environments.
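The dynamic-graph representation described in the abstract (devices as nodes, communication events as timestamped edges) can be sketched as follows. This is an added example, not the authors' code: it replaces the GNN and recurrent block with a simple per-device fan-out z-score, and the device names, flow events, window size and threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow events: (timestamp_s, src_device, dst_device, bytes)
EVENTS = [
    (5, "cam1", "hub", 400), (12, "thermo", "hub", 120), (31, "cam1", "hub", 380),
    (65, "cam1", "hub", 410), (70, "thermo", "hub", 118), (95, "lock", "hub", 90),
    (125, "cam1", "hub", 395), (140, "thermo", "hub", 121), (170, "lock", "hub", 88),
    # Last window: cam1 suddenly contacts many peers (constructed anomaly)
    (185, "cam1", "hub", 400), (190, "cam1", "thermo", 60), (195, "cam1", "lock", 60),
    (200, "cam1", "tv", 60), (205, "cam1", "plug", 60), (210, "thermo", "hub", 119),
]

def build_snapshots(events, window_s):
    """Return {window_index: {src: {dst: [event_count, total_bytes]}}}."""
    snaps = defaultdict(lambda: defaultdict(lambda: defaultdict(lambda: [0, 0])))
    for ts, src, dst, nbytes in events:
        edge = snaps[ts // window_s][src][dst]  # edge attributes for this window
        edge[0] += 1
        edge[1] += nbytes
    return snaps

def fanout_series(snaps, device):
    """Out-degree (distinct peers) of one device per window, 0 where silent."""
    # .get() avoids creating empty entries in the nested defaultdicts
    return [len(snaps.get(w, {}).get(device, {})) for w in range(max(snaps) + 1)]

def flag_anomalies(snaps, threshold=3.0, min_history=2):
    """Flag devices whose latest fan-out deviates from their own history."""
    devices = {src for graph in snaps.values() for src in graph}
    flagged = {}
    for dev in sorted(devices):
        series = fanout_series(snaps, dev)
        history, current = series[:-1], series[-1]
        if len(history) < min_history:
            continue  # not enough baseline windows to judge
        # Floor sigma at 1 so a perfectly flat baseline does not divide by zero
        score = (current - mean(history)) / max(pstdev(history), 1.0)
        if score >= threshold:
            flagged[dev] = round(score, 2)
    return flagged

if __name__ == "__main__":
    print(flag_anomalies(build_snapshots(EVENTS, window_s=60)))
```

The per-window edge attributes (event count and bytes) are the kind of contextual metadata a learned model would consume as edge features; here only the structural fan-out is scored.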

Published

2025-06-19

How to Cite

[1]
Amany Gouda and Kh. Ariunaaa, “Graph Based Machine Learning for Anomaly Detection in IoT Security”, Electronics Communications, and Computing Summit, vol. 3, no. 2, pp. 40–48, Jun. 2025.