HorusEye: A Realtime IoT Malicious Traffic Detection Framework using Programmable Switches

USENIX Security '23
Yutao Dong1,2, Qing Li2*, Kaidong Wu1,2, Ruoyu Li1,2, Dan Zhao2, Gareth Tyson3, Junkun Peng1,2, Yong Jiang1, Shutao Xia1,2, Mingwei Xu4

1Tsinghua Shenzhen International Graduate School, Shenzhen, China
2Peng Cheng Laboratory, Shenzhen, China
3Hong Kong University of Science and Technology (GZ), Guangzhou, China
4Tsinghua University, Beijing, China

#### Abstract

The ever-growing volume of IoT traffic brings challenges to IoT anomaly detection systems. Existing anomaly detection systems perform all traffic detection on the control plane, which struggles to scale to the growing rates of traffic. In this paper, we propose HorusEye, a high-throughput and accurate two-stage anomaly detection framework. In the first stage, preliminary burst-level anomaly detection is implemented on the data plane to exploit its high-throughput capability (e.g., 100 Gbps). We design an algorithm that converts a trained iForest model into whitelist matching rules, and implement the first unsupervised model that can detect unseen attacks on the data plane. The suspicious traffic is then reported to the control plane for further investigation. To reduce the false-positive rate, the control plane carries out the second stage, where more thorough anomaly detection is performed over the reported suspicious traffic using flow-level features and a deep detection model. We implement a prototype of HorusEye and evaluate its performance through a comprehensive set of experiments. The experimental results illustrate that the data plane can detect 99% of the anomalies and offload 76% of the traffic from the control plane. Compared with the state-of-the-art schemes, our framework has superior throughput and detection performance.

#### Problem to solve

Accurate, high-throughput anomaly detection of IoT traffic. Existing systems run all detection on the control plane, which cannot keep up with growing traffic rates; the goal is to keep detection accuracy while moving most of the work to the line-rate data plane.

#### Method

We propose a two-stage IoT anomaly detection framework, named HorusEye, with high-throughput processing and powerful detection capabilities. In the first stage, we design an unsupervised model on the data plane, called Gulliver Tunnel, which operates at line speed and passes on only a small fraction of the traffic as suspicious. In the second stage, we propose a novel unsupervised deep learning model, named Magnifier, which is deployed on the control plane. This further investigates the traffic flagged as suspicious in the first stage and produces more accurate detection results. To design HorusEye, we must overcome three key challenges: (i) it is difficult to deploy an unsupervised model with both high anomaly recall and offloading capabilities on a programmable switch that only supports simple instructions and has limited resources; (ii) it is challenging to extract and maintain the required flow features in the limited switch memory (e.g., 120 Mb SRAM); (iii) it is challenging to achieve a low false-positive rate using a high-throughput deep model, since the control plane is a major throughput bottleneck.

![](http://smartinternet.group/wp-content/uploads/2023/10/method1-2.png)
![](http://smartinternet.group/wp-content/uploads/2023/10/method2-2.png)
![](http://smartinternet.group/wp-content/uploads/2023/10/method3-2.png)
![](http://smartinternet.group/wp-content/uploads/2023/10/method4-2.png)
![](http://smartinternet.group/wp-content/uploads/2023/10/method5-1.png)
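The following Python sketch is an added illustration of the idea behind the first stage, converting an isolation forest into whitelist range rules; it is not the HorusEye or Gulliver Tunnel code. Each leaf of an isolation tree is an axis-aligned box over the burst-level features, so a leaf that the tree failed to isolate (reached at full depth, holding several training points) can be emitted as a range-match rule, the kind of entry a switch table can hold. Everything here is constructed: the two features (packets per burst, mean packet length), the thresholds, the sample data, the per-tree majority vote, and the decision to clamp each rule to the padded bounding box of the leaf's training points rather than to the split boundaries.

```python
"""Toy iForest -> whitelist range rules (illustration, not the paper's code)."""
import random


def make_normal_bursts(n=512, seed=7):
    """Constructed training set: (packets in burst, mean packet length) per burst."""
    rng = random.Random(seed)
    return [(rng.gauss(20.0, 3.0), rng.gauss(120.0, 8.0)) for _ in range(n)]


def grow_tree(points, depth, max_depth, rng, leaves):
    """Grow one isolation tree with random axis-aligned splits.

    The tree itself is not kept; each leaf is recorded as (depth, points),
    since the leaf depth is the isolation path length of every point in it.
    """
    if depth >= max_depth or len(points) <= 1:
        leaves.append((depth, points))
        return
    f = rng.randrange(len(points[0]))
    vals = [p[f] for p in points]
    lo, hi = min(vals), max(vals)
    if lo == hi:
        leaves.append((depth, points))
        return
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[f] < split]
    right = [p for p in points if p[f] >= split]
    if not left or not right:  # degenerate split, stop here
        leaves.append((depth, points))
        return
    grow_tree(left, depth + 1, max_depth, rng, leaves)
    grow_tree(right, depth + 1, max_depth, rng, leaves)


def leaf_to_rule(points, pad=0.2):
    """Padded bounding box of a leaf's training points, one [lo, hi] per feature.

    Clamping to observed data (a choice made here) matters: the outermost
    leaves are otherwise unbounded and would whitelist the entire outer space.
    """
    rule = []
    for f in range(len(points[0])):
        vals = [p[f] for p in points]
        lo, hi = min(vals), max(vals)
        margin = pad * (hi - lo)
        rule.append((lo - margin, hi + margin))
    return rule


def train_whitelist(data, n_trees=50, sample_size=256, max_depth=4,
                    min_leaf=4, seed=1):
    """iForest-style training; keep only dense, non-isolated leaves as rules.

    A leaf reached at max_depth with at least min_leaf points is a region the
    tree could not isolate, i.e. normal traffic. Shallow leaves (quickly
    isolated points) get no rule. Returns one rule list per tree.
    """
    rng = random.Random(seed)
    forest_rules = []
    for _ in range(n_trees):
        sample = rng.sample(data, min(sample_size, len(data)))
        leaves = []
        grow_tree(sample, 0, max_depth, rng, leaves)
        forest_rules.append([leaf_to_rule(pts) for depth, pts in leaves
                             if depth >= max_depth and len(pts) >= min_leaf])
    return forest_rules


def matches(rule, x):
    """Range match: every feature of x lies inside the rule's [lo, hi]."""
    return all(lo <= v <= hi for (lo, hi), v in zip(rule, x))


def whitelist_votes(forest_rules, x):
    """Fraction of trees holding a whitelist rule that covers x."""
    hits = sum(any(matches(r, x) for r in rules) for rules in forest_rules)
    return hits / len(forest_rules)


def data_plane_decision(forest_rules, x, vote_threshold=0.5):
    """Stand-in for the switch pipeline: forward whitelisted bursts, report the rest."""
    return "forward" if whitelist_votes(forest_rules, x) >= vote_threshold else "report"


def total_rules(forest_rules):
    """Table-entry budget: total range rules the switch would have to hold."""
    return sum(len(r) for r in forest_rules)


if __name__ == "__main__":
    rules = train_whitelist(make_normal_bursts())
    print("range rules:", total_rules(rules))
    for burst in [(20.0, 120.0), (26.0, 112.0), (20.0, 200.0), (900.0, 60.0)]:
        print(burst, data_plane_decision(rules, burst),
              round(whitelist_votes(rules, burst), 2))
```

Two points this makes concrete. First, the rule count is the resource the switch actually pays for, so the depth, leaf-size and padding knobs trade table entries against how much normal traffic is offloaded. Second, a burst that matches no rule is reported rather than dropped; the data plane only has to keep recall high, and the control plane's deeper model is what brings the false-positive rate down.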

#### Result

We implement the prototype of HorusEye and conduct comprehensive experiments on a real IoT testbed. The results show that HorusEye can achieve single-port 100 Gbps detection on the switch. It also exhibits excellent anomaly detection accuracy, achieving a recall rate as high as 99%. Moreover, HorusEye can offload 76% of the normal traffic away from the control plane. Compared with the state-of-the-art schemes, Kitsune and Mousika, HorusEye has superior throughput and detection performance.

![](http://smartinternet.group/wp-content/uploads/2023/10/result1-2.png)
![](http://smartinternet.group/wp-content/uploads/2023/10/result2-2.png)

#### Bibtex

```
@inproceedings{dong2023horuseye,
title={{HorusEye}: A Realtime {IoT} Malicious Traffic Detection Framework using Programmable Switches},
author={Dong, Yutao and Li, Qing and Wu, Kaidong and Li, Ruoyu and Zhao, Dan and Tyson, Gareth and Peng, Junkun and Jiang, Yong and Xia, Shutao and Xu, Mingwei},
booktitle={32nd USENIX Security Symposium (USENIX Security 23)},
pages={571--588},
year={2023}
}
```