Understanding IDS alerts for IoT

Even though anomaly-based intrusion detection systems are very promising for IoT environments, many such algorithms have the disadvantage that they can only tell that something is wrong, but not exactly what or why. The same holds for newer detection systems built on neural networks or other powerful machine learning techniques. Simply put, these self-learning systems learn directly from data and may reach very high accuracy, but they act as a so-called “black box” in the system: if an expert needs to understand why an alert was generated, it is very hard to take the analysis apart.

Similarly, it has been shown that both human experts and specialized self-learning algorithms can find new vulnerabilities and (automatically) patch systems. However, the human expert seems to work in a very different way from the machine, so an alternative thesis could investigate how to obtain synergetic effects between human expert and machine analysis.

The overall goal is to investigate how to make alerts from intrusion detection systems more useful for the human (or machine) that actually needs to (1) understand and then (2) react to the information. Or, as an alternative: have the human expert and the machine work closely together to improve the output.

An example of how this thesis could be structured is to map which anomaly detection algorithms (or features thereof) for OT or IoT are more suitable than others given the comprehensibility of their output.

  • This thesis would start with a literature survey that matches currently proposed algorithms / systems from the literature against a small set of important criteria developed for this purpose.
  • The thesis would also investigate which system-independent heuristics have been used, or can be developed, to enrich the alerts.
  • After that you need to define heuristics / metrics for the experimental validation.
  • Then construct a system and compare it to the baseline.
  • You can conduct this thesis individually or as a team of two students, but we will prioritize groups of two students.
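As an added illustration of the comprehensibility problem described above and of the alert-enrichment heuristics mentioned in the list (example code written for this page, not from any thesis project or existing IDS): a minimal z-score anomaly detector over constructed per-minute traffic features of one IoT device. The "black box" output is a single score; the enriched alert decomposes the same score into per-feature contributions and adds two system-independent heuristics (direction of the deviation, and whether the value lies outside anything seen during training). The feature names, baseline values and the chi-square-style threshold are assumptions made for the example.

```python
import math

# Constructed example: per-minute traffic features for one IoT device.
# The feature names and all numbers below are assumptions made up for
# this illustration, not measurements from any real deployment.
FEATURES = ("bytes_out", "packets", "dst_ports")

# Eight "normal" minutes used to learn the baseline.
BASELINE = [
    (1200, 40, 2), (1350, 45, 2), (1100, 38, 2), (1280, 42, 3),
    (1150, 39, 2), (1300, 44, 2), (1220, 41, 2), (1190, 40, 3),
]

# Assumed alert threshold: a sum of k squared z-scores is roughly
# chi-square distributed with k degrees of freedom for Gaussian features,
# and 11.34 is the 99th percentile for k = 3.
THRESHOLD = 11.34


def fit(rows):
    """Learn per-feature mean, standard deviation and observed range."""
    n = len(rows)
    model = {}
    for i, name in enumerate(FEATURES):
        vals = [r[i] for r in rows]
        mean = sum(vals) / n
        var = sum((v - mean) ** 2 for v in vals) / (n - 1)
        # Floor the std so a constant feature cannot divide by zero.
        model[name] = {"mean": mean, "std": max(math.sqrt(var), 1e-9),
                       "lo": min(vals), "hi": max(vals)}
    return model


def contributions(model, row):
    """Squared z-score of every feature; their sum is the anomaly score."""
    out = {}
    for i, name in enumerate(FEATURES):
        m = model[name]
        z = (row[i] - m["mean"]) / m["std"]
        out[name] = z * z
    return out


def score(model, row):
    """Black-box style output: a single number, no reason attached."""
    return sum(contributions(model, row).values())


def explain(model, row, threshold=THRESHOLD, top_k=2):
    """Enriched alert: same decision as score(), plus why it fired.

    Returns None when no alert is raised. Otherwise the alert names the
    features that dominate the score, the direction of each deviation, and
    the features whose value lies outside the range seen during training.
    """
    contrib = contributions(model, row)
    total = sum(contrib.values())
    if total <= threshold:
        return None
    ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)[:top_k]
    reasons = []
    for name, c in ranked:
        m = model[name]
        value = row[FEATURES.index(name)]
        direction = "above" if value > m["mean"] else "below"
        dist = abs(value - m["mean"]) / m["std"]
        reasons.append(
            f"{name}={value} is {dist:.1f} std {direction} the baseline mean "
            f"{m['mean']:.1f} ({100 * c / total:.0f}% of the score)"
        )
    novel = [name for i, name in enumerate(FEATURES)
             if not (model[name]["lo"] <= row[i] <= model[name]["hi"])]
    return {
        "score": round(total, 2),
        "threshold": threshold,
        "top_features": [name for name, _ in ranked],
        "outside_baseline_range": novel,
        "reasons": reasons,
    }


if __name__ == "__main__":
    model = fit(BASELINE)
    quiet = (1210, 40, 2)      # an ordinary minute
    scanning = (1230, 41, 9)   # same volume, but talks to many new ports
    print("quiet :", score(model, quiet), explain(model, quiet))
    print("scan  :", score(model, scanning))
    for line in explain(model, scanning)["reasons"]:
        print("  -", line)
```

For the scanning minute the black-box path yields only a large number; the enriched alert states that the score is almost entirely due to dst_ports, that the value is far above the baseline mean, and that it was never observed during training. A criterion of the kind the literature survey would develop could be exactly whether a detector admits such a decomposition of its score, which is trivial for a sum over features but not for most neural-network detectors.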

For whom is this a good thesis?
If you love security, have an understanding of system building and can work with the OS, this is a good thesis. You should also be interested in performing a literature survey (finding relevant papers, reading them, categorizing them) and then taking some of the described algorithms to build upon. If you have never used other people’s code, or never read a description of an algorithm and implemented it yourself, this thesis may still be for you if you are up for a challenge.

How to apply? Submit your application before November 11, 2022.

If you have any questions or comments about the thesis work, contact us:
Magnus Almgren; magnus.almgren@chalmers.se