Intruders' Behavior Unveiled: A Dual-Tier Behavior-driven Model for Malicious Activity Detection in IoT Network Using Graph Learning

Date

2025-04-10

Authors

Shafi, MohammadMoein

Abstract

In recent years, IoT technology has transformed smart homes, with most households now including several IoT devices that provide convenience and automation. However, the security of these smart homes is paramount, as vulnerabilities can expose residents to risks like unauthorized access, data breaches, and operational disruption. Network-based threats pose a particularly critical risk due to the numerous vulnerabilities in wireless communication between devices, making it possible for attackers to intercept data or carry out malicious activities. While traditional intrusion detection systems exist, they are often ineffective in detecting zero-day attacks and lack the ability to identify malicious patterns across diverse threat scenarios due to limited diversity in their detection models. Moreover, these systems are not designed to fully detect all types of intrusions, especially those involving both external network activities and internal IoT communications among smart home devices. This gap is made worse by the challenges in creating specialized IoT datasets that cover a diverse set of malicious activities and data types, which require extensive technical knowledge, a diverse range of devices, and expertise in capturing, executing, and labeling attack scenarios. Such datasets are crucial for data-driven intrusion detection systems. To address these challenges, this thesis introduces a dual-tier detection system that can effectively detect zero-day attacks and is designed to scale to learning the behavior of diverse malicious activities. The proposed solution leverages data from both the smart home hub’s internet connection and the internal network communication of IoT devices to detect and profile malicious activities using a novel graph learning approach.
Furthermore, to support this research, we have created the largest IoT smart home dataset, incorporating real-world data from over 50 devices and more than 100 carefully designed attack scenarios, captured over a five-month period. The analysis of this dataset and the performance of our detection model demonstrate promising results, providing a valuable resource and foundation for advancing smart home IoT security.
