Learning autoencoder ensembles for detecting malware hidden communications in IoT ecosystems

In this work, we investigate the problem of revealing malware communications targeting the network traffic of IoT ecosystems also in the presence of different offensive behaviors. Without loss of generality, we assume that the attacker has already taken control of the IoT node, e.g., by using a well-documented CVE or by dropping a payload via phishing/spear-phishing (Gupta et al., 2017; Blinowski and Piotrowski, 2020). The reference scenario is depicted in Fig. 1. In more detail, Fig. 1a depicts the general attack model where a threat actor can abuse an IoT node to create a network covert channel. The hidden communication path can be used to exfiltrate information towards a remote server or to exchange commands without being spotted by an intrusion detection system or blocked by a firewall. Despite almost any protocol or traffic feature can be manipulated for hiding data, the resource-limited nature of IoT nodes poses constraints on the complexity of the covert channel (Zander et al., 2007). Hence, the hiding mechanism should be simple to not disclose the presence of the malware due to additional delays, anomalous energy consumption, or intermittent connectivity when an IoT node is remotely operated. To cope with such requirements, we consider a malware cloaking data within the TTL field of the IPv4 header (Skowron et al., 2020; Zander et al., 2007). Specifically, the malicious software manipulates the TTL of IPv4 traffic generated by the compromised IoT node to transport arbitrary information. To not appear suspicious, the malware should not directly write the secret data in the field (Zander et al., 2006). Rather, it should encode the bits 1 and 0 by increasing or decreasing the observed TTL of a suitable threshold or by exploiting the most popular values as “high” and “low” signals. The attacker should then design a proper information hiding mechanism by taking into account the “clean” traffic conditions and select accordingly how bits are encoded. To this aim, the threat actor is expected to perform a reconnaissance campaign to gather traffic information (e.g., by fingerprinting IoT devices) or deploy a packet sniffing routine for monitoring local network conversations (Mazurczyk and Caviglione, 2021; Zorawski et al., 2023). To have a general setting, we consider the two use cases depicted in Fig. 1b. In more detail:

Despite the specific reconnaissance and encoding mechanism, the final result could be organized into a heatmap. Figure 1b. depicts the “distribution” of TTL values obtained in a real IoT setup¹ during an observation window of 12 hours. As shown, the values for the TTL aggregate in two main ranges \(32-64\) and \(208 - 224\). Other values have an intermittent behavior, e.g., datagrams with a TTL equal to 128 are present only for 3 hours, thus limiting the duration of a possible covert communication. To avoid that it could be easily detected, the data hidden in the TTL should not represent an anomaly, i.e., disrupt the clean traffic conditions. Therefore, when the malware deploys a naive mechanism (see Case 1 in Fig. 1b), the bit 0 is encoded by using a TTL value equal to 64, whereas the bit 1 is encoded by using 100. Differently, a more advanced scheme tries to reduce the footprint left in the traffic, e.g., in terms of anomalous distributions or possible signatures. Hence, at each bit sent, the malware can slightly adapt its encoding scheme by selecting a different TTL value (see, Case 2 in Fig. 1b). As a result, the bit 0 is encoded by using a TTL value among 44, 56, and 57, whereas the bit 1 is encoded by using a TTL value among 210, 223, and 224.

To model the malware hidden communications and to quantify the performance of our approach, we built a benchmark dataset starting from real traffic traces described in (Sivanathan et al. (2018)). To avoid burdening the data, we removed IPv6, ICMP, DNS, and NTP conversations, as well as multicast/broadcast traffic. This is not a limitation: for instance, broadcast traffic is mainly link-local and thus not suitable for creating Internet-wide covert channels. Moreover, many vendors are slowly migrating to more secure protocols, such as the DNS Security Extensions. To prevent unwanted signatures, we also removed traffic generated by non-IoT devices, e.g., smartphones and laptops. The final dataset contains the traffic flows exchanged by 28 different IoT nodes (e.g., smart speakers and home hubs) over an entire week.

A realistic attack template has been obtained by modeling the presence of a malware compromising a specific IoT device. Typically, this requires exploiting a CVE for granting access to the device or by leveraging a configuration error (e.g., weak/default credentials) (Neshenko et al., 2019). In this work, we considered a threat abusing a smart camera to smuggle sensitive data towards a remote host controlled by the attacker. Specifically, the dataset borrowed from (Sivanathan et al. (2018)) allowed to take into account a local network populated with a mixed set of devices, controllers, and appliances communicating both directly or through the Internet. To model the threat depicted in Fig. 1b, we assumed that the Dropcam IoT device present in the original dataset has been under the control of the malware for 3 days. To create the covert communication, we rewrote the flows generated by the Dropcam directly in the original traffic captures by using the pcapStego tool (Zuppelli and Caviglione, 2021), and we implemented the two encoding schemes discussed in Section 3.1. Since we want to investigate Internet-wide covert communications hidden in the TTL field of IPv4 packets, we do not consider the presence of additional middleboxes or NAT devices, which can be considered “transparent” for our threat model.

To not make the detection trivial, we always used the most frequent/observed values present in the traffic traces. Specifically, for the Naive Encoding Scheme of Case 1 and for the Advanced Threat Scheme of Case 2, we used the values depicted in the heatmaps of Fig. 1b discussed in Section 3.2.

To prevent that bursts of manipulated datagrams would reveal the presence of the channel, we randomly interleaved packets containing hidden data with legitimate/unaltered ones (Zander et al., 2006). The secret information transmitted by the malware via the covert channel has been modeled with randomly-generated strings: this represents an attacker using some obfuscation technique, such as encryption or scrambling (McLaren et al., 2017). To bear with the exfiltration of several contents (e.g., username+password pairs or configuration files), each day of attack contains a different volume of hidden information, i.e., we considered the exfiltration of 69, 80, and 64 kbit of data. As a result, for both the encoding cases, the compromised IoT node manipulates the \(18\%\), \(1\%\), and \(12\%\) of the overall daily traffic, respectively. We point out that, since the resulting traffic traces are a modified subset of the data provided in (Sivanathan et al. (2018)), they have not been publicly released. Yet, they are available upon request, e.g., to advance the research in the field of covert communications targeting IoT ecosystems.

The idea behind our solution is to adopt a neural encoder-decoder architecture trained against traffic data. Basically, an autoencoder is an unsupervised (i.e., trained without any information concerning the nature of the attack/normal behavior) neural network model performing two main operations. First, it compresses the input data (i.e., a number of statistics computed over the traffic generated by the IoT network and described in Section 5.1) within a latent space. Then, it reconstructs the original information provided as input. In our setting, the model is only trained against the normal behavior. The underlying intuition is that the legitimate input data should be (almost) correctly reconstructed by the autoencoder. In other words, the encoding/decoding phases should not introduce a heavy distortion in the output. By contrast, outliers and anomalous values in the input will yield a deviant output.

The usage of the reconstruction error as a measure of outlierness to discover abnormal behaviors has already been proposed in the literature, but the adoption of unsupervised techniques (and in particular of encoder-decoder architectures) for revealing covert channels is substantially unexplored (Ahmad et al., 2021; Darwish et al., 2019; Elsadig and Gafar, 2022). As discussed in (Hinton and Salakhutdinov (2006); Bengio et al. (2006)), autoencoders are considered a valid solution to the problem of effectively summarizing the information of a given input into a low-dimensionality representation. In essence, these neural network models aim at yielding a duplicate of the input as output.

In this work, we employ the Sparse U-Net neural model shown in Fig. 2. Basically, it includes two main components, named Encoder and Decoder, respectively. Let \(\textbf{x} = \{x_1, \dots , x_N\}\) be a set of numeric features (in our case, a number of traffic flow statistics computed for a time slot). The former sub-network is devoted to mapping the input data with a latent space (encoding), i.e., learning a function \(\textbf{z} = \textit{enc}(\textbf{x})\), whereas the second one yields the overall network output by reconstructing the input from the features extracted by the encoder \(\textbf{y} = \textit{dec}(\textbf{z})\) (decoding). Gradient descent is employed to learn the model weights by minimizing a suitable loss function. In our approach, the Mean Square Error, i.e., \(Loss_{MSE}(\textbf{x}) = \frac{1}{N} \sum _i \Vert x_i - y_i\Vert _2\), is used as loss.

Notably, the architecture of Fig. 2 exhibits two main differences w.r.t. a standard encoder-decoder model: (i) Skip Connections are used to boost the predictive performances of the model and to reduce the number of iterations required for the learning algorithm convergence, and (ii) a hybrid approach including the usage of Sparse Dense Layers is adopted to make the autoencoder more robust to noise, especially since flows cloaking secret data often exhibit slight differences compared with normal behaviors. Both the encoder and decoder are composed of M hidden layers, therefore we adopted a symmetric architecture. The choice of skip connections simplifies the learning process of the network by providing as input to each layer of the decoder (D-\(DL_i\)), except for the shared latent space, both the previous (D-\(DL_{i-1}\)) and the correspondent encoder layer (E-\(DL_{M-i+1}\)). As regards the Sparse Layers, they are used to generate a wider number of discriminative features, which allow to extract a more representative latent space.

Figure 3 illustrates the detection process for covert channels targeting the TTL field of IPv4 datagrams. This mechanism can be co-located within the firewall depicted in Fig. 1a or implemented through a dedicated appliance. Without loss of generality, we assume to monitor an “infinite datastream”, i.e., the traffic of the various IoT nodes feeds our detection mechanism in a continuous manner. At pre-fixed time intervals (i.e., a time slot in Fig. 3), we compute several statistics to describe the behavior of the TTL fields composing the aggregate traffic flow. Specifically, we compute metrics such as the minimum, average, maximum, or different percentiles, starting from TTL values gathered in a time slot. Preliminary, an autoencoder, pre-trained only against legitimate data flows, is used to reproduce the statistics, then the reconstruction error is calculated for the current example as the MSE between \({\textbf {x}}\) and \({\textbf {y}}\). If the error is smaller than a given outlierness threshold, the current data are labeled as “normal” and update the model, otherwise a warning is raised.

In the context of AE-based anomaly detectors, different techniques are commonly employed to compute anomaly scores. As mentioned above, these models primarily operate by learning to reconstruct input data and then quantifying the dissimilarity between the original input and the reconstructed output. Common methods for computing anomaly scores include Reconstruction Error, Probability Density Estimation, Clustering-based Approaches, and Ensemble Techniques. Additionally, an essential aspect of anomaly detection is determining the threshold for anomaly scores, which significantly impacts model performance. Several thresholding strategies are available, including Fixed Thresholding, Statistical Methods, Quantile-Based Thresholding, Density Estimation, Precision-Recall Curve Analysis, Domain-Specific Knowledge Incorporation, and Dynamic Thresholding. Although more sophisticated techniques may be used, we mainly focused on demonstrating the robustness of our approach by evaluating its performance across different threshold values, highlighting its effectiveness under various scenarios.

As it will be detailed in Section 5.3, the collection of TTL values can be done by using limited computing resources to prevent a decay in the overall traffic performance. A viable approach may require to instrument gateways with a lightweight and non-invasive software layer (Repetto et al., 2021).

A main limitation of the described approach relies on the necessity to learn the neural network model against the whole training set (that could be unfeasible in IoT networks with tight computational resources). Moreover, in real scenarios, the limited resources of the device where the detector is deployed and the presence of concept drifts in the observed behaviors (Folino et al., 2019) can affect the predictive performances of the autoencoder. To mitigate such issues, we devised an incremental learning scheme based on an ensemble of encoder-decoder architectures shown in Fig. 4. Basically, we consider the case where only a limited number of training examples \(\mathcal {D}\) can be gathered and stored in a data chunk (denoted as \(D_i\) in the figure). Our ensemble solution relies on building up a series of k base Deep Neural Network detectors (denoted as \(M_i, M_{i-1}, \ldots , M_{i-k}\)) sharing the same neural architecture described above. These autoencoders are trained from disjoint data chunks (denoted as \(D_i, D_{i-1}, \ldots , D_{i-k}\), respectively), which are fed with data instances gathered in different temporal intervals. Specifically, the incremental learning process adopted in our solution is loosely inspired by the work (Folino et al., 2021) proposing an ensemble-based deep learning approach trained on disjoint data chunks. Differently from this work where each model is trained independently, in our solution the model \(M_i\) is trained (i.e., fine-tuned) from the weights of the model \(M_{i-1}\) and the sample \(D_i\). The same procedure is also applied to all the models composing the ensemble. In this way the detection model will be able to gradually adapt to normal concept drifts that can occur, for instance, due to the deployment of new devices in the network that can modify the network statistics. This approach can also reduce the risk of catastrophic forgetting (Parisi et al., 2019) that affects DL models (and also different types of shallow architectures) when learned incrementally. Specifically, catastrophic forgetting refers to the phenomenon where a neural network trained on a new task or dataset tends to forget or overwrite knowledge it acquired during previous training on different tasks or datasets. In the literature, different solutions have been proposed to address this issue effectively, e.g., in (Faber et al. (2023)), the authors blend a lifelong change point detection with a suitable model update strategy to learn robust anomaly detectors, whereas (Li et al., 2022) use an experience replay mechanism based on self-imitation learning. While not the primary focus of our work, we attempted to address the issue of catastrophic forgetting by combining multiple models trained on data collected from distinct time windows. This approach allows us to mitigate the risk by preserving information about various normal behaviors. Then, the final anomaly score is computed by adopting a non-trainable combination strategy. By denoting the reconstruction error as Deviance Score (DS) (see, Fig. 4), we then consider the median, max, and average value of the k reconstruction errors \(\{DS_i, \ldots , DS_{i-k}\}\) yielded by the base models.

To showcase the effectiveness of our approach, we examine the micro-averaging of the previously-defined metrics. Specifically, we will provide a comparison among performances for different schemes and sizes, the impact of the various different base models, and a sensitivity analysis accounting for the scarcity of training data.

We now analyze the model behavior at learning time to investigate whether our architecture allows a fast training by reducing the number of epochs required to learn an effective detection model. Figure 7 depicts the loss behavior over the number of epochs. In particular, for each epoch we computed the loss value by averaging the losses obtained by each model for each chunk in the same epoch. The shading area indicates the standard deviation. As shown, the model requires a limited number of training epochs to converge. This is mainly due to the adoption of the skip connections, which enables a fast convergence of the training algorithm, as expected.

Lastly, an important aspect concerns the feasibility of deploying our AI-based framework in realistic IoT deployments. Even if performing the detection within simple sensors/devices is seldom feasible, a possible solution is to locate the needed layers within the gateways often used to connect and orchestrate the IoT nodes. However, many cost-effective middleboxes are endowed with limited hardware-storage capabilities, thus requiring a lightweight and optimized approach. As regards operations needed to gather information, techniques based on code layering or kernel augmentation are prime candidates (Vieira et al., 2021). In fact, collecting the TTL values with a per-packet granularity usually accounts for an additional transmission delay of \(\sim 100\) ns when using the extended Berkeley Packet Filter and 1 ms with a C implementation exploiting libpcap over commodity hardware (Caviglione et al., 2021). The use of TTL is a good example of a real covert communication mechanism, which directly stores data within a field/feature of network packets (Caviglione and Mazurczyk, 2022). Extending the gathering/detection phase is straightforward as it only requires to collect data from a different portion of the header and compute statistics of a similar complexity. Yet, if hidden communications exploit more advanced schemes, e.g., manipulation of textual entries in DNS queries, the proposed idea needs some additional tweaks, i.e., a suitable inspection mechanism and an effective set of metrics should be searched for. Luckily, real attacks targeting simple IoT nodes rarely employ sophisticated data hiding mechanisms (Mazurczyk and Caviglione, 2015; Neshenko et al., 2019; Noor and Hassan, 2019; Caviglione and Mazurczyk, 2022). The availability of efficient traffic inspection tools and statistics computed by security appliances can further ease the design of the required metrics. A relevant network security advancement concerns the definition of “independent” metrics, i.e., indicators not bounded to a specific field or data hiding mechanism. For instance, the presence of a flow containing a covert communication could be spotted through anomalous jitters or general behaviors of IoT nodes, such as aggressive battery drains. This is still an open problem, which is also part of our future research.

As regards the ML phases of training and inference, the former can be performed offline, while the prediction time is 0.5 ms for a single data batch and 2 seconds for the whole test set. Such footprints open to many design choices. First, the approach can be used for real-time processing of traffic flows within the edge entity in charge of managing the IoT ecosystem. Other optimizations are possible, for instance by taking advantage of the “stateless” nature of our approach. In fact, covert communications are spotted by using information on the overall traffic (grouped in time slots), which prevents the need of storing information on a per-flow basis. Second, part of the detection could be offloaded: the local middlebox could send “local” information to as-a-Service platform, which could perform computing-intensive detection strategies. Evaluating the use of softwarized and cloud-native blueprints to prevent malware hiding data within future IoT deployments is part of our ongoing research.

For the sake of completeness, we also compared the execution times of both the training and the inferences phases of the models. Figure 8 depicts the results. As shown, our model performs slightly worse compared to the other solutions. This is mainly because it relies on data windows, worsening the overall performances. However, since our approach is able to process a single window in 16 seconds, it is possible to deploy the model in a real-time fashion, as well as on resource-constrained devices, especially in terms of storage capabilities.