1. This project has received funding from
the European Union’s Horizon 2020
Research and Innovation programme
under grant agreement No. 780139
Secure and Safe Internet of Things (SerIoT)
1 Horizon 2020, Project No. 780139
Traffic Generator and
Detector of malicious traffic
S. Evmorfos, G. Vlachodimitropoulos, N. Bakalos (ICCS) and E. Gelenbe (IITIS)

Relevant References
S. Evmorfos, G. Vlachodimitropoulos, N. Bakalos and E. Gelenbe,
“Neural network architectures for the detection of SYN flood attacks in IoT systems,”
PETRA 2020: The 13th International Conference on PErvasive Technologies Related to Assistive Technologies, pp. 69:1-69:4 (2020), ACM
https://dl.acm.org/doi/10.1145/3389189.3398000
Prior Related Work:
O. Brun, Y. Yin and E. Gelenbe,
“Deep Learning with dense random neural network for detecting attacks against IoT-connected home environments,”
Procedia Computer Science 134: 458-463 (2018)

Attack Traffic Generator
Use of VirtualBox:
Creation of a number of VMs (18.04 compatibility)
NAT network configuration enables the created VMs to connect to the Internet
VM-1: client, IP 192.168.56.100, script b9generator.py
VM-2: server, IP 192.168.56.101, script server.py

Attack Traffic Generator
FIRST COMMUNICATION CAPTURED
Two scripts, one running on each VM (server.py on the server VM, b9generator.py on the client VM)
400 full TCP connections established
Communication captured using Wireshark -> b9traffic.pcap

Attack Traffic Generator
All the traffic generated by the bot network was captured by Wireshark: Realtimesenario.pcap
Observation: the server was running short on resources and its capability to handle requests was massively inhibited
Realtimesenario.pcap is annotated in 5-second windows; every window is assigned a metric (half-open TCP connections)

Attack Traffic Generator
After a while the attack is in full effect. Therefore the ability of the server to handle requests is massively inhibited. So, Wireshark shows a number of retransmissions.

Neural Network Architectures for the Detection
of SYN flood attacks in IoT systems
Presentation Overview:
• IoT – new Era
• New security challenges
• Our approach
• Results - Comparison

IoT new era
IoT: More devices connected to the Internet than people

IoT new era
IoT is the interconnection of WAN and proximity networks
Scope: Providing complex services

New security challenges
Nothing new comes without cost:
Cybersecurity methodologies cannot solve the existing security risks
New reality: Need to reassess our notion of network security

New security challenges
Where the problem is located:
Securing the sensor and actuator networks from Denial of Service
Security challenges at the border of WAN and proximity networks
IoT gateways
Hubs
Fog

New security challenges
SYN flood attack (DDoS):
The attacker initializes many TCP connections with the
target, but never establishes them
Result: The target node cannot handle new requests

Our approach (by steps)
1. Set up neural networks as regressors
2. Train them with normal traffic (non-malicious in the sense that no SYN attack is being launched)
3. The model predicts the next part of the communication sequence
4. If the predicted and the upcoming sequence diverge “significantly”: node under attack

Our approach
Comparison of two different Neural Network architectures:
LSTM (Recurrent)
Gelenbe Network (feedforward)

Our Approach
HOW TO DETECT
• Deep learning model for handling time series
• The model is trained on time series produced by non-malicious pcap extracts (as a regressor)
• The trained model predicts the next data point (the number of incomplete TCP connections for the next window)
• If the actual value diverges significantly from the predicted one (predefined threshold), the IP is considered to be under attack
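
The 5-second window annotation and the predict-then-compare steps above, as an added Python example that is not code from the SerIoT project. Assumptions: a window's metric counts handshakes whose SYN arrives in that window and whose final ACK has not arrived by its end; a mean of the last three windows stands in for the trained LSTM / Random Neural Network regressor; the threshold of 5, the address 192.168.56.102, the ports and the packet timings are constructed.

```python
WINDOW = 5.0  # seconds per window, as on the slides

def half_open_per_window(packets, n_windows):
    """Per window: handshakes started in it and not completed by its end."""
    syn_ts, ack_ts = {}, {}
    for ts, src, sport, dst, dport, flags in packets:
        flow = (src, sport, dst, dport)
        if flags == "S":                        # client SYN opens a handshake
            syn_ts.setdefault(flow, ts)
        elif flags == "A" and flow in syn_ts:   # client's final ACK completes it
            ack_ts.setdefault(flow, ts)
    counts = [0] * n_windows
    for flow, t0 in syn_ts.items():
        w = int(t0 // WINDOW)
        done = ack_ts.get(flow)
        if w < n_windows and (done is None or done >= (w + 1) * WINDOW):
            counts[w] += 1
    return counts

def mean_predictor(prev):
    # Stand-in regressor; the slides use a trained LSTM or Random Neural Network.
    return sum(prev) / len(prev)

def detect(series, predict, threshold, history=3):
    """Return window indices where |actual - predicted| exceeds the threshold."""
    return [i for i in range(history, len(series))
            if abs(series[i] - predict(series[i - history:i])) > threshold]

def build_sample():
    # Constructed capture: 4 quiet windows, then 2 windows of unanswered SYNs.
    # 192.168.56.102 is a made-up extra sender; ports and timings are invented.
    client, server, extra = "192.168.56.100", "192.168.56.101", "192.168.56.102"
    pkts, port = [], 40000
    for w in range(6):
        base = w * WINDOW
        for k in range(4):                      # completed three-way handshakes
            port += 1
            t = base + 0.1 * k
            pkts += [(t, client, port, server, 80, "S"),
                     (t + 0.01, server, 80, client, port, "SA"),
                     (t + 0.02, client, port, server, 80, "A")]
        for k in range(1 if w < 4 else 30):     # SYNs never followed by an ACK
            port += 1
            pkts.append((base + 1 + 0.01 * k, extra, port, server, 80, "S"))
    return pkts

if __name__ == "__main__":
    series = half_open_per_window(build_sample(), 6)
    print(series, detect(series, mean_predictor, threshold=5))
```

Because the stand-in predictor averages recent windows, the second flagged window is compared against a prediction already pulled upward by the first; a regressor trained only on normal traffic, as the slides describe, does not adapt to the attack in this way.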

Results - Comparison
No need for much storage and computing resources
Real time response

Results - Comparison
Model     Accuracy   False positives   False negatives
LSTM      62.7%      37.3%             0%
Gelenbe   80.7%      19.3%             0%
The Random Neural Network (Gelenbe Network) seems to be more adept at capturing the nuances of normal traffic