IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended). Guo, H. & Heidemann, J. Technical Report ISI-TR-738, USC/Information Sciences Institute, June, 2020.
We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches traffic that leaves and enters the home network, detecting IoT devices at home, learning the benign servers they talk to, and filtering their traffic to other servers as a potential DDoS attack. We validate IoTSTEED's accuracy and false positives (FPs) at detecting devices, learning servers and filtering traffic with replay of 10 days of benign traffic captured from an IoT access network. We show IoTSTEED correctly detects all 14 IoT and 6 non-IoT devices in this network (100% accuracy) and maintains low false-positive rates when learning the servers IoT devices talk to (flagging 2% of benign servers as suspicious) and filtering IoT traffic (dropping only 0.45% of benign packets). We validate IoTSTEED's true positives (TPs) and false negatives (FNs) in filtering attack traffic with replay of real-world DDoS traffic. Our experiments show IoTSTEED mitigates all typical attacks, regardless of the attacks' traffic types, attacking devices and victims; an intelligent adversary can design to avoid detection in a few cases, but at the cost of a weaker attack. Lastly, we deploy IoTSTEED in the NAT router of an IoT access network for 10 days, showing reasonable resource usage and verifying our testbed experiments for accuracy and learning in practice.
@TechReport{Guo20b,
  author =      "Hang Guo and John Heidemann",
  title =       "IoTSTEED: Bot-side Defense to {IoT}-based {DDoS} Attacks (Extended)",
  institution = "USC/Information Sciences Institute",
  year =        2020,
  sortdate =    "2020-06-24",
  project =     "ant, lacanic",
  jsubject =    "topology_modeling",
  number =      "ISI-TR-738",
  month =       jun,
  jlocation =   "johnh: pafile",
  keywords =    "ddos, iot, defense",
  url =         "https://ant.isi.edu/%7ejohnh/PAPERS/Guo20b.html",
  otherurl =    "https://ant.isi.edu/%7ehangguo/papers/Guo20b.pdf",
  pdfurl =      "https://ant.isi.edu/%7ejohnh/PAPERS/Guo20b.pdf",
  blogurl =     "https://ant.isi.edu/blog/?p=1483",
  abstract =    "We propose IoTSTEED, a system running in edge routers to defend
against Distributed Denial-of-Service (DDoS) attacks launched from
compromised Internet-of-Things (IoT) devices.  IoTSTEED watches
traffic that leaves and enters the home network, \emph{detecting} IoT
devices at home, \emph{learning} the benign servers they talk to,
and \emph{filtering} their traffic to other servers as a potential DDoS
attack.  We validate IoTSTEED's accuracy and false positives (FPs) at
detecting devices, learning servers and filtering traffic with replay
of 10 days of benign traffic captured from an IoT access network.  We
show IoTSTEED correctly detects all 14 IoT and 6 non-IoT devices in
this network (100\% accuracy) and maintains low false-positive rates
when learning the servers IoT devices talk to (flagging 2\% benign
servers as suspicious) and filtering IoT traffic (dropping only 0.45\%
benign packets).  We validate IoTSTEED's true positives (TPs) and
false negatives (FNs) in filtering attack traffic with replay of
real-world DDoS traffic.  Our experiments show IoTSTEED mitigates all
typical attacks, regardless of the attacks' traffic types, attacking
devices and victims; an intelligent adversary can design to avoid
detection in a few cases, but at the cost of a weaker attack.  Lastly,
we deploy IoTSTEED in NAT router of an IoT access network for 10 days,
showing reasonable resource usage and verifying our testbed
experiments for accuracy and learning in practice.",
}