RADAR: A Robust Behavioral Anomaly Detection for IoT Devices in Enterprise Networks (CMU-CyLab-19-003)

IoT devices deployed inside enterprise networks (e.g., routers, storage appliances, cameras) are emerging security threats for enterprises. It is impractical for security administrators to address IoT threats with existing enterprise or smart home security techniques, e.g., host-based or mobile-based detection are not applicable, network firewall rules are too coarse-grained, signature-based detection fails with zero-day attacks, and existing anomaly detection mechanisms are ineffective for IoT devices (e.g., cannot detect IoT backdoor access) as they are proposed for computer activities (e.g., email spear phishing). Fortunately, we observe that unlike generalpurpose computing devices, the normal behavior of an IoT device is limited (e.g., a camera has zooming-in, video streaming and audio recording behaviors). Based on this insight, we revisit behavioral anomaly detection at the network layer. Designing such a system is challenging on two fronts. First, we need a behavior model to abstract the key characteristics of IoT-specific behaviors (e.g., commands or arguments used) from network traffic. Second, in practical enterprise environment, the network traces for learning normal behavior models are unlabeled and potentially polluted.We address these challenges in designing RADAR, a practical and robust behavioral anomaly detection system for enterprise IoT devices. We design a novel learning mechanism that can build benign behavior models (finite-state-machines) for IoT devices, from unlabeled and potentially polluted network traces. We show that our approach achieves high detection accuracy (F-Score improved by 5X comparing with other approaches) and is robust to polluted behavior samples (F-Score>0.9 when 15% of the network traffic of IoT devices is polluted).