Detecting malicious IoT network communication through Graph Neural Networks in real-world conditions
Carletti, Vincenzo;Foggia, Pasquale;Rosa, Francesco;Vento, Mario
2025
Abstract
Internet of Things (IoT) devices are increasingly permeating homes, industries, and many other environments. The need for robust security measures in IoT networks has never been more critical, since they are becoming the preferred target for cyberattacks. In this paper, we address the challenge of detecting abnormal communication patterns in IoT networks using Graph Neural Networks (GNNs). To this end, we have conducted a comprehensive and fair comparison of machine learning approaches and GNNs, for both static and dynamic graphs, across three recent datasets (IoT23, IoTID20, and IoT Traces) that contain recordings of network communications among IoT devices in real environments. Unlike the state of the art, we frame the problem as a node anomaly detection task under the realistic assumption that only normal traffic samples are available for training the GNNs. Furthermore, we have restricted the false positive rate to below 1% to make the system practical for human operators who want to use it as an Anomaly-based IDS (A-IDS). Finally, the experimental results highlight the relevance of structural information for effectively addressing the task in real-world conditions.


