IoTShield: Defending IoT Systems Against Prevalent Attacks Using Programmable Networks

The growing proliferation of Internet of Things (IoT) devices in smart homes, smart agriculture, and smart energy grids has greatly improved their functionality, efficiency, and responsiveness — but it has also widened the attack surface of these networks. The inherent security vulnerabilities of IoT devices, have rendered them susceptible to a variety of flow-based attacks such as Distributed Denial of Service (DDoS), scanning, spoofing, data exfiltration and web-based attacks, thereby diminishing their potential benefits. This paper presents IoTShield, a Software Defined Network (SDN) based dual-stage defensive framework, designed to mitigate different flow-based attacks targeting IoT systems. Leveraging recent advancements in programmable networks, our defensive framework enables each programmable switch within the connectivity layer of the network to be responsible of identifying a single attack category among prevalent attacks. Furthermore, to effectively mitigate the spread of these attacks, detected attacks are classified at the network controller, facilitating timely updates to the data plane defensive rules. As a proof of concept, using CICIoT2023 dataset, we first illustrate that deploying separate detectors for DDoS and Web-based attack categories on programmable data planes reduces false alarms by 58% and 97%, respectively. Furthermore, a single DDoS attacks detector based on lightweight Decision Tree (DT) model in the data plane, achieves 80-99% of accuracy in detecting different types of attack flows, with fine-grained classification offloaded to the control plane where a Convolutional Neural Network (CNN) classifier achieves 99% accuracy. Besides, IoTShield significantly reduces the latency and load on controller to perform the attack detection; with only 0.14 milliseconds of additional median queuing delay.