Improving Centralized Intrusion Detection with Hardware Operational Metrics in Internet of Things

In recent years, there has been an increase in research concerning Intrusion Detection Systems (IDS) for Internet of Things (IoT). Detecting network attacks is important to ensure network integrity and availability. Existing methods in the literature typically rely on monitoring network metrics and behavior for intrusion detection. On the other hand, the attack footprint affects not only the network metrics but also the operational metrics of individual devices. Operational metrics could be used to enable informed anomaly detection and enhance network-based intrusion detection systems approaches in the literature. Thus, this work evaluates the use of operational metrics from individual sensors for intrusion detection in the IoT paradigm. For that, we implemented and analyzed a centralized IDS that utilizes both network and operational metrics. Blackhole, Greyhole, and Flooding attacks were simulated on a network with emulated IoT devices. The IDS is implemented with an XGBoost classifier model that is validated by classifying a network with out-of-distribution attack cases. Despite the overhead caused in terms of processing and metrics transmission to the IDS, the operational metrics presented higher information gain and SHAP values in the collected metrics and increased IDS detection rate to 97% in the implemented attacks. (AU)