An Adaptive IDS Scheduling Framework for Host Based Mimicry Attack Detection in IoT Networks

Abstract

With the expanding applicability of the Internet of Things (IoT), novel IoT network security challenges also appear more frequently. Host-based Mimicry Attacks (HMA) are one of them that is difficult to detect by traditional Intrusion Detection Systems (IDS) since they mimic legitimate network and host behaviors to evade detection. Additionally, IDSs consume host device resources when their implementations, partially or fully, are executed in the device, and thus it is needed to be scheduled properly so as to save device resources when possible. Current IDS solutions capable of detecting HMAs mostly use randombased scheduling or do not use scheduling at all and so are always executed. Random-based scheduling solutions have low HMA detection accuracy, while solutions without scheduling do not save device resources. This work proposes an adaptive IDS scheduling framework that suspends IDS execution based on device trust and resumes IDS execution when the device is under attack. Extensive experimentation using the Cooja simulator and Python script shows that the proposed framework achieves a device behavior classification accuracy of at least 97.15% when under attack while saving at least 81.98% of CPU energy when not under attack for a network of 40 devices, as compared to those when executing the IDS without any scheduling scheme. © 2024 IEEE.