
CyberSecurity in the Age of IoT

A Comprehensive Analysis of the CIC 2023 Dataset

Reza Maliki Akbar


Data Analyst Associate, RevoU - 2023

Individual Exploration Project (RevoU NEXT)


IoT devices experience an average of 5.200 attacks per month. (Source: Cyber Magazine)

The Rising Importance of IoT and Cybersecurity

- Rapid integration of IoT in daily life: from smart homes to industrial systems
- Enhancing convenience, efficiency, and productivity
- The flip side: increased vulnerability to cyber attacks
Challenges in IoT Security

- Inadequate security protocols and the diverse nature of IoT devices
- Complexity of IoT networks leading to vulnerabilities
- Consequences: impact on privacy, security, and operational integrity

Source: CheckPoint Blog: The Tipping Point: Exploring the Surge in IoT Cyberattacks Globally
The Critical Role of IoT Cybersecurity Research

- Understanding threats faced by IoT devices
- Importance of real-world data and IoT cybersecurity datasets
- Role of datasets in enhancing IoT security

Sources:
Internet of Things Applications, Security Challenges, Attacks, Intrusion Detection, and Future Visions: A Systematic Review | IEEE Journals & Magazine
https://www.sectigo.com/uploads/resources/Evolution-of-IoT-Attacks-Interactive-IG_May2020.pdf
https://www.psacertified.org/blog/a-history-of-iot-security/
https://www.globalsign.com/en/blog/industrial-internet-of-things-cyber-attacks-infographic
https://securelist.com/honeypots-and-the-internet-of-things/78751/
Objectives of Analyzing the CIC 2023 Dataset

- Identifying Common Attack Types in IoT
  This analysis categorizes and scrutinizes the various cyber attacks targeting IoT devices, focusing on their frequency and impact. The objective includes detailing attack characteristics, methods, and typical targets. Such detailed categorization is crucial for developing targeted cybersecurity strategies, enabling IoT manufacturers and network administrators to anticipate and mitigate these threats effectively.
- Detecting Patterns and Anomalies in IoT Traffic
  The study thoroughly examines IoT network traffic to detect unusual patterns or anomalies that indicate security threats. Emphasis is on analyzing traffic flow, duration, and protocol anomalies to spot early signs of cyber attacks. This proactive approach is key to preventing attacks from escalating and to differentiating between benign and malicious activities.
- Uncovering Vulnerabilities in IoT Networks
  The analysis looks more deeply into the network architecture and communication protocols within IoT systems to expose potential vulnerabilities. The focus is on identifying weaknesses such as unsecured endpoints, flawed authentication, or unencrypted transmissions. Highlighting these vulnerabilities provides critical insights for IoT developers and security teams, paving the way for enhanced defense mechanisms against cyber threats.

Dataset: https://www.unb.ca/cic/datasets/iotdataset-2023.html
[Slides: Topology Diagram; Topology Chart]

Common Attack Types in IoT

[Charts: Frequency of IoT Attack Types; Impact Attack Analysis]
Insights and Recommendations

Insights:
1. Certain types of attacks, such as Dictionary Brute Force and Backdoor_Malware, have significantly higher average flow durations, which might indicate that these attacks involve sustained engagement with the target system, possibly to exfiltrate data or maintain persistence.
2. Conversely, attacks like DoS variants, Mirai, and DDoS attacks have shorter average flow durations, which could suggest that these attacks are designed to quickly overwhelm systems with high volumes of traffic.
3. The most frequently occurring attack types are related to DoS and DDoS activities. This prevalence indicates that the IoT environment is often targeted by attackers attempting to disrupt services through these methods.
4. More sophisticated attacks like Mirai variants are less frequent but present a significant threat due to their ability to leverage compromised IoT devices for large-scale network disruption.

Recommendations:
1. Prioritize Defense Strategies: Given the high frequency of DoS and DDoS attacks, prioritize defense strategies against these types of threats, such as rate limiting, traffic analysis, and advanced filtering techniques.
2. Focus on Sustained Attack Mitigation: For attack types with higher average flow durations, develop mitigation strategies that can detect and disrupt ongoing unauthorized access or data exfiltration attempts, such as advanced intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions.
3. Investigate Infrequent but High-Impact Attacks: Even though Mirai and similar attacks occur less frequently, their impact can be severe. Implement specific measures to detect and prevent botnet activities, including network segmentation and IoT device hardening.
4. Enhance Anomaly Detection: Refine anomaly detection models to better distinguish between high-impact attacks and benign traffic, especially for attacks that do not conform to high-rate or high-duration patterns.
5. Network Traffic Analysis: Continuously analyze network traffic to detect emerging patterns that may indicate new types of attacks or shifts in attacker tactics, techniques, and procedures (TTPs).
Detecting Patterns and Anomalies in IoT Traffic

[Charts: Anomalies Detection; Clustering Analysis; Correlation Analysis; Feature Importances; Multivariate Analysis; Protocol Behaviour Analysis]

Insights and Recommendations

Insights:
1. Anomalous Behavior Patterns: Clusters at lower flow durations and rates suggest potential scanning or reconnaissance activities, while high-rate anomalies could signal DoS attacks.
2. Distinct Network Behaviors: The distinct clusters identified point to varied traffic patterns, with some clusters potentially representing normal traffic and others indicating aggressive network activities or potential threats.
3. Feature Significance: flow_duration is the most critical feature for anomaly detection, highlighting the importance of monitoring session lengths, while the high rate of certain protocols like IPv and LLC suggests a need to scrutinize their traffic closely.
4. Protocol-Specific Risks: The anomaly rates across different protocols indicate that IPv and LLC are more frequently associated with anomalies, which may require targeted security measures.

Recommendations:
1. In-Depth Cluster and Anomaly Analysis: Detailed investigation of both the low-duration/rate clusters and high-rate anomalies is essential to determine the nature and cause of these patterns.
2. Proactive Monitoring and Incident Response: Implement real-time monitoring with automated alerts for immediate detection of high-rate traffic and long-duration flows, and ensure network administrators are trained to respond promptly.
3. Temporal and Behavioral Analysis: Utilize time-series analysis to uncover any temporal patterns in anomalies and establish a baseline of network behavior for ongoing monitoring.
4. Protocol Analysis and Policy Updates: Investigate the behaviors within high-anomaly-rate protocols, and update security policies to mitigate identified risks, such as encrypting traffic or improving authentication on vulnerable protocols.
5. Refinement of Detection Models: Continuously adjust the parameters of the anomaly detection model to improve its accuracy and reduce false positives/negatives.
6. Holistic Security Strategy: Develop a comprehensive security strategy that integrates insights from feature importance and protocol analysis to reinforce network defenses where they are most needed.
7. Automated Monitoring for Anomalous Patterns: Deploy automated monitoring systems that can detect the clusters of anomalies at low rates and durations, which could indicate reconnaissance activities. These systems should flag high-rate anomalies that could be potential DoS attacks for immediate review.
8. Real-Time Alerts: Implement a real-time alerting mechanism that notifies network administrators of detected anomalies as they occur. This would include alerts for both the identified clusters of anomalies and isolated outlier events.
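The two analyses above (per-attack-type frequency and average flow duration, then baseline-driven anomaly flagging with a per-protocol anomaly rate) are illustrated by the following added example. It is not code from the deck or its Kaggle notebook: the Flow records, the label and protocol names, and all numeric values are constructed for illustration, with only the flow_duration and rate column names mirroring the dataset. The detector uses a median/MAD baseline built from benign flows, so the labels are never consulted when classifying.

```python
# Added example (not from the slide deck): per-attack-type profiling and a
# baseline-driven anomaly flagger over constructed CIC-IoT-2023-style flow records.
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Flow:
    label: str            # ground-truth label: used for profiling and the benign baseline only
    protocol: str         # protocol the flow was observed on
    flow_duration: float  # seconds the flow stayed active
    rate: float           # packets per second

# Constructed sample: a benign baseline plus one or two flows per attack family.
SAMPLE_FLOWS = [
    Flow("BenignTraffic", "TCP", 12.0, 40.0),
    Flow("BenignTraffic", "TCP", 9.5, 55.0),
    Flow("BenignTraffic", "UDP", 8.0, 30.0),
    Flow("BenignTraffic", "LLC", 10.0, 45.0),
    Flow("BenignTraffic", "TCP", 11.0, 50.0),
    Flow("DictionaryBruteForce", "TCP", 180.0, 20.0),
    Flow("Backdoor_Malware", "TCP", 240.0, 5.0),
    Flow("DDoS-SYN_Flood", "TCP", 0.4, 9000.0),
    Flow("DDoS-SYN_Flood", "TCP", 0.3, 12000.0),
    Flow("DoS-UDP_Flood", "UDP", 0.2, 15000.0),
    Flow("Recon-PortScan", "TCP", 0.01, 2.0),
    Flow("Recon-HostDiscovery", "LLC", 0.02, 1.0),
]

def profile_by_label(flows):
    """Frequency and mean flow_duration / rate per label (the first analysis on the slides)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.label].append(f)
    return {
        label: {
            "count": len(group),
            "mean_duration": sum(f.flow_duration for f in group) / len(group),
            "mean_rate": sum(f.rate for f in group) / len(group),
        }
        for label, group in buckets.items()
    }

def robust_baseline(values):
    """Median and median absolute deviation: resistant to the outliers we want to catch."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad

def modified_z(x, med, mad):
    """Iglewicz-Hoaglin modified z-score; |z| > 3.5 is the usual outlier cut-off."""
    if mad == 0:
        return 0.0 if x == med else math.copysign(math.inf, x - med)
    return 0.6745 * (x - med) / mad

def build_baseline(flows, benign_label="BenignTraffic"):
    """Baseline from known-benign flows only, so attack flows cannot shift it."""
    benign = [f for f in flows if f.label == benign_label]
    return {
        "duration": robust_baseline([f.flow_duration for f in benign]),
        "rate": robust_baseline([f.rate for f in benign]),
    }

THRESHOLD = 3.5

def classify(flow, base):
    """Map a flow to the behaviour classes discussed on the slides."""
    z_rate = modified_z(flow.rate, *base["rate"])
    z_dur = modified_z(flow.flow_duration, *base["duration"])
    if z_rate > THRESHOLD:
        return "high_rate"               # volumetric DoS/DDoS-like burst
    if z_dur > THRESHOLD:
        return "long_duration"           # sustained engagement (brute force, backdoor)
    if z_dur < -THRESHOLD and z_rate < -THRESHOLD:
        return "low_duration_low_rate"   # short, quiet flows typical of scanning
    return "normal"

def flag_flows(flows, base):
    return [(f, classify(f, base)) for f in flows]

def anomaly_rate_by_protocol(flagged):
    """Share of flows per protocol that were not classified as normal."""
    totals, anomalous = defaultdict(int), defaultdict(int)
    for f, cls in flagged:
        totals[f.protocol] += 1
        if cls != "normal":
            anomalous[f.protocol] += 1
    return {p: anomalous[p] / totals[p] for p in totals}

if __name__ == "__main__":
    base = build_baseline(SAMPLE_FLOWS)
    for label, stats in sorted(profile_by_label(SAMPLE_FLOWS).items()):
        print(f"{label:22s} n={stats['count']} mean_dur={stats['mean_duration']:8.2f}s "
              f"mean_rate={stats['mean_rate']:9.1f} pps")
    flagged = flag_flows(SAMPLE_FLOWS, base)
    for f, cls in flagged:
        if cls != "normal":
            print(f"{f.label:22s} {f.protocol:4s} -> {cls}")
    print(anomaly_rate_by_protocol(flagged))
```

The ordering of checks in classify matters: a flood flow is both short and high-rate, so the rate test runs first and the short/quiet "reconnaissance" class only catches flows that are unremarkable on rate as well. On real data the thresholds and the MAD guard (identical benign values give MAD 0) are the parameters the slides suggest tuning to manage false positives.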
Uncovering Vulnerabilities in IoT Networks

[Charts: TCP Flag Analysis; Protocol Analysis]

Insights and Recommendations

Insights:
1. High SYN Flag Count: The SYN flag is predominantly higher compared to other flags. This suggests a large number of connection initiations, which could be associated with SYN flood attack attempts, where attackers attempt to overwhelm the target server with a flood of TCP/SYN packets.
2. ECE and CWR Flags Not Utilized: The ECE and CWR flags are not present, indicating that explicit congestion notification mechanisms are not being utilized. This could mean that the network is not optimized for congestion control.
3. IPv and LLC Protocols as Primary Channels: The IPv and LLC protocols have the highest average rates and total counts, which likely indicates that they are primary channels for network traffic and could be key targets or tools in the execution of attacks within the IoT environment.
4. TCP's Role in Network Traffic: The substantial use of the TCP protocol suggests that many attacks are taking advantage of or mimicking typical TCP traffic patterns, which is common in various cyber-attacks, including DDoS and DoS scenarios.
5. Potential for Widespread Impact: The prominence of IPv and LLC suggests that attacks could have a widespread impact on the network infrastructure, affecting not only data transmission but also the control plane of networking equipment.

Recommendations:
1. Monitor SYN Activity: Given the high number of SYN flags, it is recommended to closely monitor SYN packets for potential SYN flood attacks.
2. Implement Congestion Control: Consider implementing congestion control mechanisms that utilize the ECE and CWR flags to help manage network traffic more effectively.
3. Prioritize IPv and LLC Traffic Analysis: Given their high rates, it's crucial to analyze the traffic of the IPv and LLC protocols closely to understand the nature of the attacks and develop appropriate defenses.
4. Enhance TCP Security Measures: Since TCP also shows a high count, it's important to implement security measures that can handle a variety of TCP-based attacks like SYN flooding, which is a common DDoS technique.
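The TCP flag analysis above (a dominant SYN count, no ECE/CWR) can be reproduced from raw headers with the following added example; it is not code from the deck. The minimal TCP headers, the server address 192.168.1.10 and the client addresses are constructed in memory so the script runs offline. Beyond the per-flag counts the slides show, it also tracks half-open versus established connections per client, which is the indicator a SYN-flood monitor actually keys on.

```python
# Added example (not from the slide deck): decode TCP flag bits from raw headers and
# derive defender-side indicators (SYN dominance, ECN use, half-open connections).
import struct
from collections import Counter

# Bit positions in the TCP header's flags octet (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Minimal 20-byte TCP header without options; used only to construct sample packets."""
    data_offset = 5 << 4  # five 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def parse_tcp_flags(header):
    """Return the set of flag names set in a raw TCP header (flags live in octet 13)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    octet = header[13]
    return {name for name, bit in TCP_FLAGS.items() if octet & bit}

def flag_counts(headers):
    """Total occurrences of each flag across the packets, as on the slide's chart."""
    counts = Counter()
    for h in headers:
        counts.update(parse_tcp_flags(h))
    return counts

def connection_states(packets, server_ip):
    """Per (client, source port): 'half_open' after a bare SYN, 'established' once it ACKs."""
    state = {}
    for src, dst, hdr in packets:
        if dst != server_ip:
            continue  # only client-to-server direction drives the state machine
        flags = parse_tcp_flags(hdr)
        key = (src, struct.unpack("!H", hdr[:2])[0])
        if "SYN" in flags and "ACK" not in flags:
            state[key] = "half_open"
        elif "ACK" in flags and key in state:
            state[key] = "established"
    return Counter(state.values())

def summarize(packets, server_ip):
    counts = flag_counts(h for _, _, h in packets)
    states = connection_states(packets, server_ip)
    return {
        "flag_counts": counts,
        "half_open": states["half_open"],
        "established": states["established"],
        "syn_dominant": counts["SYN"] > max(counts[f] for f in TCP_FLAGS if f != "SYN"),
        "ecn_in_use": counts["ECE"] > 0 or counts["CWR"] > 0,
    }

# Constructed traffic: two complete client sessions and twenty bare SYNs that never complete.
SERVER = "192.168.1.10"
F = TCP_FLAGS

def client_session(client_ip, sport):
    return [
        (client_ip, SERVER, build_tcp_header(sport, 80, F["SYN"])),
        (SERVER, client_ip, build_tcp_header(80, sport, F["SYN"] | F["ACK"])),
        (client_ip, SERVER, build_tcp_header(sport, 80, F["ACK"])),
        (client_ip, SERVER, build_tcp_header(sport, 80, F["PSH"] | F["ACK"])),
        (client_ip, SERVER, build_tcp_header(sport, 80, F["FIN"] | F["ACK"])),
    ]

SAMPLE_PACKETS = client_session("10.0.0.2", 40001) + client_session("10.0.0.3", 40002)
SAMPLE_PACKETS += [(f"10.0.0.{50 + i}", SERVER, build_tcp_header(50000 + i, 80, F["SYN"]))
                   for i in range(20)]

if __name__ == "__main__":
    report = summarize(SAMPLE_PACKETS, SERVER)
    for name in TCP_FLAGS:
        print(f"{name}: {report['flag_counts'][name]}")
    print(f"half-open={report['half_open']} established={report['established']} "
          f"syn_dominant={report['syn_dominant']} ecn_in_use={report['ecn_in_use']}")
```

Counting flags independently, as the slide does, lets a SYN+ACK from the server contribute to both SYN and ACK totals; the half-open counter avoids that ambiguity by following only the client-to-server state, so a spike in half_open with a flat established count is the signal worth alerting on.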
Overall Recommendations

1. Security Awareness and Training: Conduct security awareness training for all users in the IoT environment
to recognize potential threats and understand best practices for security.
2. Incident Response Planning: Develop and regularly update incident response plans that include scenarios
for the most common and impactful attack types to ensure readiness in the event of an incident.
3. Regular Security Audits: Perform regular security audits of the IoT environment to identify and remediate
vulnerabilities that could be exploited by attackers.
4. Continuous Monitoring: Implement continuous monitoring tools to detect and respond to unusual
patterns in real time.
5. Develop Comprehensive Defense Strategies: Security analytics should not only focus on the prevention
of attacks but also on the detection and response. This includes intrusion detection systems, firewalls, and
anti-malware tools that are specifically tuned to the peculiarities of IoT environments.
6. Conduct Further Research on Attack Patterns: The dataset can be used to identify patterns specific to
different types of attacks, which can help in developing predictive models that anticipate and mitigate
potential breaches in real time.
Dashboard: https://public.tableau.com/app/profile/cyberneo/viz/tableau_cic-iot-23-maliki/Dashboard

Notebook: maliki-explorationproject-iot-cybersec | Kaggle
Tableau Public: CIC IoT 2023 - Maliki
Appendix - Definition from Data Dictionaries (1)
DDoS (Distributed Denial of Service):
Attacks that aim to make a machine or network resource unavailable to its intended users by overwhelming it with
traffic from multiple sources.
- ACK Fragmentation: Overwhelming a target with fragmented ACK packets.
- UDP Flood: Saturating bandwidth by flooding the target with UDP packets.
- SlowLoris: Keeping connections open by sending incomplete HTTP requests.
- ICMP Flood: Overloading the target with ICMP Echo Request (ping) packets.
- RSTFIN Flood: Disrupting connections by sending a mix of RST and FIN packets.
- PSHACK Flood: Flooding the target with TCP packets with PUSH and ACK flags.
- HTTP Flood: Bombarding a web server with legitimate-looking HTTP requests.
- UDP Fragmentation: Sending fragmented UDP packets to exhaust resources.
- TCP Flood: Overwhelming a target with TCP connection requests.
- SYN Flood: Consuming server resources with excessive SYN requests.
- SynonymousIP Flood: Spoofing the source IP to be similar to the target's IP.
Appendix - Definition from Data Dictionaries (2)
DoS (Denial of Service):
Targeting a single system to make it inaccessible to intended users by overloading it with requests, causing resource
exhaustion.
- TCP Flood: Overloading a system with TCP connection requests.
- HTTP Flood: Sending an excessive amount of HTTP requests to a web server.
- SYN Flood: Flooding a target with SYN requests to prevent legitimate network traffic.
- UDP Flood: Bombarding a system with UDP packets to saturate network resources.

Recon (Reconnaissance):
Information gathering activities used to prepare for other types of cyberattacks.
- Ping Sweep: Determining which IP addresses correspond to active devices.
- OS Scan: Identifying the operating system of network-connected devices.
- Vulnerability Scan: Finding known weaknesses in network services and applications.
- Port Scan: Checking for open ports to identify possible attack vectors.
- Host Discovery: Detecting devices on a network that can be attacked.
Appendix - Definition from Data Dictionaries (3)
Brute Force:
Methodically testing every possible combination of passwords or passphrases until the correct one is found.
- Dictionary Brute Force: Trying every word in a dictionary file against passwords or passphrases.

Spoofing:
Masquerading as a different IP address or MAC address to gain unauthorized access to personal information, traffic redirection,
or session hijacking.
- ARP Spoofing: Associating the attacker's MAC address with the IP of a legitimate network member.
- DNS Spoofing: Redirecting traffic to fraudulent sites by corrupting the DNS resolution process.

Mirai (Malware Attack):
A malware strain that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in
large-scale network attacks.
- GREIP Flood: Using GRE IP packets to flood and overwhelm systems.
- Greeth Flood: Attacking the Ethernet layer with GRE encapsulated frames.
- UDPPlain: A simple UDP packet flood targeting various ports.
Appendix - Definition from Data Dictionaries (4)

Web-based:
Attacks that exploit vulnerabilities in web applications and services.
- SQL Injection (SQLi): Inserting malicious SQL statements into a database query.
- Command Injection: Executing harmful commands in a system via a vulnerable application.
- Backdoor Malware: Installing malware to gain remote access to a system.
- Uploading Attack: Uploading and executing malicious files on a server.
- XSS (Cross-Site Scripting): Injecting malicious scripts into web pages.
- Browser Hijacking: Redirecting a user's browser to unwanted websites without permission.
TCP Flags

Sources:
https://www.johnpfernandes.com/2018/12/17/tcp-flags-what-they-mean-and-how-they-help/
https://www.site24x7.com/learn/linux/tcp-flags.html
THANK YOU!
Reza Maliki Akbar
@maliki_borneo
