Securing the Internet of Things: The Role and Challenges of Anomaly Detection

The rise of IoT devices has revolutionised decision-making across industries by enabling smarter connectivity. However, this connectivity also exposes organisations to significant security vulnerabilities. An important tool to minimise this risk is anomaly detection, a method that relies on machine learning (ML) to continuously monitor device behaviour and detect any unusual activity. Even so, implementing anomaly detection is not as easy as it seems. Understanding its advantages and limitations is key to maximising its effectiveness.

Anomaly Detection vs. Threat Detection: What is the Difference?

Before exploring anomaly detection, it is important to differentiate it from threat detection. While both approaches employ ML to secure IoT devices, they serve different purposes. Anomaly detection focuses on identifying unusual behaviour, whether or not it represents a threat, such as infrequent software updates or data backups. In contrast, threat detection focuses specifically on identifying malicious activity, for example a ransomware attack attempting to encrypt sensitive data or a brute-force login attempt.

Another difference is the type of data each approach uses. Anomaly detection is easier to implement since it only requires device data from which to establish patterns of “normal” behaviour. In contrast, threat detection relies on labelled data that differentiates malicious from non-malicious behaviour. Such labelled data, for example data sets from previous attack simulations, is often more limited or harder to obtain.

In summary, the key difference between the two is the purpose each serves. With its broader scope, anomaly detection offers greater flexibility, identifying both vulnerabilities and potential threats.

The downside of anomaly detection

Having clarified the difference between anomaly detection and threat detection, let’s take a closer look at the challenges and benefits of focusing on anomaly detection.

Although anomaly detection is supposedly easier to implement across a broader range of use cases, it is not without challenges. The margin of error in anomaly predictions can lead to uncertainty, complicating security decisions and response strategies.

Error margins in predictions

Machine learning predictions, while powerful, are not always 100% accurate. A significant limitation in anomaly detection is the lack of labelled data. If device behaviour could be perfectly labelled as “anomalous” or “normal”, there would be no need for ML-based anomaly detection. In a real-world context, models work with unlabelled information and detect anomalies based on data patterns, which inevitably introduces a margin of error. Factors such as low-quality data, a poorly trained model, and subjective human inputs during the ML process can amplify this error.

The role of subjectivity

Even the most sophisticated ML model requires human input at different stages during the training process. In anomaly detection, for example, some models require a pre-training estimate of the anomaly percentage in the data. This estimate is a baseline parameter that guides the model in predicting anomalies. Other models provide a post-training anomaly score, leaving it to the data scientist to decide what threshold separates anomalous from normal behaviour. Such human involvement, whether in pre-training estimates or post-training thresholds, can inadvertently increase the margin of error. 

Some strategies to minimise errors

Although it is almost impossible to eliminate the margin of error entirely, here are some ways to minimise it:

  • Leverage multiple models: combining the outputs of several models yields more robust predictions and avoids reliance on a single model.

  • Incorporate other statistical methods: techniques such as bootstrapping, which repeatedly resamples the existing data to obtain more accurate estimates when information is scarce, help to produce a pre-training estimate of the anomaly percentage and so better guide the model in predicting anomalies.

  • Enhance data quality: identifying gaps in the data or improving its collection process can significantly boost the accuracy of anomaly detection models.
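As an added illustration (not code from the original article), the following Python sketch shows the two forms of human input described under “The role of subjectivity”, a pre-training contamination estimate and a post-training score threshold, together with the first two strategies above: combining two unsupervised scorers and bootstrapping the contamination estimate. The telemetry series, the two scorers and all function names are constructed for this example and stand in for a real device-behaviour model.

```python
import random
import statistics

# Constructed telemetry: bytes sent per 5-minute interval by one IoT sensor.
# 95 steady readings plus 5 hypothetical anomalies (four bursts, one near-silent interval).
STEADY = [1150, 1180, 1200, 1220, 1250] * 19
TELEMETRY = STEADY + [5200, 4900, 6100, 300, 5800]

def zscore_scores(xs):
    """Model A: distance from the mean in standard deviations (outliers inflate sd)."""
    mu, sd = statistics.mean(xs), statistics.pstdev(xs) or 1.0
    return [abs(x - mu) / sd for x in xs]

def mad_scores(xs):
    """Model B: distance from the median scaled by the median absolute deviation."""
    med = statistics.median(xs)
    mad = statistics.median(abs(x - med) for x in xs) or 1.0
    return [abs(x - med) / mad for x in xs]

def rank_normalise(scores):
    """Map raw scores to [0, 1] by rank so models on different scales can be averaged."""
    rank = {i: r for r, i in enumerate(sorted(range(len(scores)), key=scores.__getitem__))}
    return [rank[i] / (len(scores) - 1) for i in range(len(scores))]

def ensemble_scores(xs):
    """Average the rank-normalised outputs of both models instead of trusting one."""
    a, b = rank_normalise(zscore_scores(xs)), rank_normalise(mad_scores(xs))
    return [(s + t) / 2 for s, t in zip(a, b)]

def bootstrap_contamination(xs, rounds=200, cutoff=10.0, seed=7):
    """Pre-training anomaly-percentage estimate: median flagged fraction over resamples."""
    rng = random.Random(seed)
    fracs = []
    for _ in range(rounds):
        sample = rng.choices(xs, k=len(xs))          # resample with replacement
        flagged = sum(s > cutoff for s in mad_scores(sample))
        fracs.append(flagged / len(sample))
    return statistics.median(fracs)

def flag_by_contamination(scores, contamination):
    """Pre-training style: the top `contamination` fraction of scores is anomalous."""
    k = max(1, round(contamination * len(scores)))
    cutoff = sorted(scores, reverse=True)[k - 1]
    return [i for i, s in enumerate(scores) if s >= cutoff]

def flag_by_threshold(scores, threshold):
    """Post-training style: the analyst picks a score threshold after seeing the scores."""
    return [i for i, s in enumerate(scores) if s >= threshold]
```

On this constructed series the bootstrap estimate lands near 0.05 and the ensemble flags exactly the five planted anomalies, whereas lowering the post-training threshold from 0.95 to 0.9 also pulls in ordinary readings, which is the kind of subjective choice that widens the margin of error.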

Wrapping up

Anomaly detection is fundamental to IoT security, offering flexibility in identifying unusual behaviours. While its benefits make it attractive, ignoring its limitations could itself pose a security risk. By applying the strategies outlined in this article to minimise error margins and reduce subjectivity in the ML process, organisations can make anomaly detection more effective and a reliable tool for securing IoT devices.
