IoT Network Attack Detection and Mitigation

Erol Gelenbe, Piotr Fröhlich and Mateusz Nowak
IITIS-PAN, Polish Academy of Sciences
ul. Baltycka 5, PL Gliwice 44100, Poland

Stavros Papadopoulos, Aikaterini Protogerou, Anastasios Drosou and Dimitrios Tzovaras
ITI-CERTH, GR 57001 Thermi Thessaloniki, Greece

Abstract—Cyberattacks on the Internet of Things (IoT) can cause major economic and physical damage, and disrupt production lines, manufacturing processes, supply chains, impact the physical safety of vehicles, and damage the health of human beings. Thus we describe and evaluate a distributed and robust attack detection and mitigation system for network environments where communicating decision agents use Graph Neural Networks to provide attack alerts. We also present an attack mitigation system that uses a Reinforcement Learning driven Software Defined Network to process the alerts generated by the attack detection system, together with Quality of Service measurements, so as to re-route sensitive traffic away from compromised network paths using. Experimental results illustrate both the detection and re-routing scheme.

Index Terms—IoT Security, Graph Neural Nets, Cognitive Packet Network, Random Neural Networks, Software Defined Networks

I. INTRODUCTION

The IoT [1] has the potential to improve the critical processes that are at the heart of our socio-economic systems [2], [3]. However, it raises risks that go way beyond the individual technologies such as the Internet, wireless networks and machine to machine systems [4], [5]. In addition to risks related to system malfunctions [6], quality of service (QoS) failures, and excessive energy consumption, the theft and tampering of data, conventional network attacks and attacks that deplete the energy of autonomous sensors and actuators also need to be considered [7]–[13].
Since IoT devices can carry out real-time measurements and controls much faster than human reaction times, we must design IoT networks that both detect and mitigate security risks automatically and adaptively, while preserving Quality of Service (QoS) and energy efficiency [6], [14]. Thus we propose an autonomic [15] scheme offering (a) distributed attack detection based on deep learning (DL) and graph neural networks to achieve high detection probabilities with low false alarm rates [16], [17], and (b) mitigation that exploits network Self-Awareness [18], [19] centered on Software Defined Networks [20] to achieve secure QoS based routing of traffic flows using machine learning and adaptivity [21], [22].

Thus Section II discusses a multi-agent system (MAS) for network attack detection, and summarizes its performance. The overall system architecture for attack detection and mitigation is presented in Section III. The node attack detection probability estimated by MAS is used to compute safer paths in the network using reinforcement learning as described in Sections III-A and III-B. Experimental results are presented in Section III-C, and Section IV presents conclusions and future work.

II. DISTRIBUTED ATTACK DETECTION

IoT systems are distributed and have a heterogeneous structure, which is an additional challenge for real-time anomaly detection [23], [24]. Thus the distributed MAS for detecting attacks monitors the network traffic in a distributed manner, and outputs to the novel routing system described in Section III, to mitigate attacks with an SDN based routing engine. The MAS's mutually communicating multiple agents can improve its robustness by incorporating redundancy in the detection algorithm [25]. The MAS also offers scalability, since its modularity allows new agents to be added if the IoT network grows, and agents exchange information [26] in a structure inspired by Graph Neural Networks [16], [17].
The structure of the IoT network is reflected by the graph $G(V,E)$, where $V$ corresponds to the set of nodes of the IoT network, and $E \subset V \times V$ is a set of edges which represent the nodes which communicate (directly or indirectly) with each other through the IoT network. The nodes can represent sensors or actuators, edge nodes, servers or routers in the IoT network. We associate a real-valued feature vector $x_i \in \mathbb{R}^{N_V}$ to each $i \in V$, where $N_V$ is its length. Similarly we associate the feature $N_E$-vector of real numbers $e_{ij} \in \mathbb{R}^{N_E}$ with each edge $(i,j) \in E$. An example of the features for the nodes and edges is given in Table I.

Measurements that collect the feature vector parameters are taken in the IoT network during successive time slots $[(t-1)T, tT)$, where $T$ is the slot length and $t$ is the slot index. The slots are long enough to provide representative data, but short enough to reflect time variations in the system. Thus all feature vectors are also associated with individual slots and successive values: $x_i^{t,k}$ is the $k$-th successive value of $x_i$ within the $t$-th slot, while $e_{ij}^{t,k}$ is the $k$-th successive value of $e_{ij}$ in the $t$-th slot. We will denote by $e_{ij}^{t}$ and $X_i^{t}$, respectively, the feature vector values at the end of the $t$-th slot, while $e_{ij}^{0}$ and $X_i^{0}$ are their values when the measurement system starts to operate and the first slot begins.

The MAS uses four Deep Neural Networks (DNNs):

• The EDNN (edge DNN), which undertakes the update:

$$e_{ij}^{k+1,t} \leftarrow \mathrm{EDNN}\left(x_j^{k,t},\, x_i^{k,t},\, e_{ij}^{k,t}\right). \qquad (1)$$

EDNN uses an edge's current features, and the features of the two nodes at its ends, to update its features.
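
The edge update of Eq. (1) on a small graph, as an added example that is not code from the paper. The EDNN here is a stand-in with one hidden layer and fixed random (untrained) weights; the feature lengths, graph and feature values are constructed, and node features are held fixed because only the edge update is shown.

```python
import math
import random

N_V, N_E, HIDDEN = 3, 2, 4   # assumed feature lengths and hidden width


def make_ednn(seed=0):
    """Stand-in for the EDNN: one tanh hidden layer, fixed random (untrained) weights."""
    rng = random.Random(seed)
    n_in = 2 * N_V + N_E
    w1 = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(HIDDEN)]
    w2 = [[rng.uniform(-1, 1) for _ in range(HIDDEN)] for _ in range(N_E)]

    def ednn(x_j, x_i, e_ij):
        z = x_j + x_i + e_ij   # concatenate the three inputs of Eq. (1)
        h = [math.tanh(sum(w * v for w, v in zip(row, z))) for row in w1]
        return [math.tanh(sum(w * v for w, v in zip(row, h))) for row in w2]

    return ednn


def update_edges(x, e, ednn):
    """Apply Eq. (1) once to every edge: e_ij <- EDNN(x_j, x_i, e_ij)."""
    return {(i, j): ednn(x[j], x[i], e_ij) for (i, j), e_ij in e.items()}


def run_slot(x, e, ednn, k_steps=3):
    """Apply Eq. (1) k_steps times within one slot, node features held fixed."""
    for _ in range(k_steps):
        e = update_edges(x, e, ednn)
    return e


# Constructed sample graph: 4 nodes, 3 edges, made-up feature values.
X = {0: [0.2, 0.1, 0.0], 1: [0.9, 0.4, 0.3], 2: [0.1, 0.1, 0.5], 3: [0.7, 0.0, 0.2]}
E = {(0, 1): [0.5, 0.1], (1, 2): [0.3, 0.8], (2, 3): [0.0, 0.4]}

if __name__ == "__main__":
    for edge, feats in run_slot(X, E, make_ednn()).items():
        print(edge, [round(v, 3) for v in feats])
```

Each edge's new features depend only on that edge and its two end nodes, so an agent can compute the update from local measurements alone.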