Classifying attack traffic in IoT environments via few-shot learning

Di Monda Davide;
2024

Abstract

The Internet of Things (IoT) is a key enabler for critical systems, but IoT devices are increasingly targeted by cyberattacks due to their diffusion and hardware and software limitations. This calls for designing and evaluating new effective approaches for protecting IoT systems at the network level. While recent proposals based on machine- and deep-learning provide effective solutions to the problem of attack-traffic classification, their adoption is severely challenged by the amount of labeled traffic they require to train the classification models. In fact, this results in the need for collecting and labeling large amounts of malicious traffic, which may be hindered by the nature of the malware possibly generating little and hard-to-capture network activity. To tackle this challenge, we adopt few-shot learning approaches for attack-traffic classification, with the objective to improve detection performance for attack classes with few labeled samples. We leverage advanced deep-learning architectures to perform feature extraction and provide an extensive empirical study—using recent and publicly available datasets—comparing the performance of an ample variety of solutions based on different learning paradigms, and exploring a number of design choices in depth (impact of embedding function, number of classes of attacks, or number of attack samples). In comparison to non-few-shot baselines, we achieve a relative improvement in the F1-score ranging from 8% to 27%.
Attack-traffic classification
Deep Learning
Few-shot learning
Internet of Things
Network security
Files in this item:
File: 1-s2.0-S2214212624000656-main.pdf (open access)
Description: Classifying attack traffic in IoT environments via few-shot learning
Type: Publisher's version (PDF)
License: Creative Commons
Size: 2.9 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.11771/36324
Citations
  • Scopus 9