ARTEMIS: An Intrusion Detection System For MQTT Attacks in Internet of Things

Abstract—The Internet of Things (IoT) is now being used increasingly in transportation, healthcare, agriculture, smart home and city systems. IoT devices, the number of which is expected to reach 25 billion all over the world by 2021, are required to be deployed very fast, taking into account commercial pressures. This results in a very important layer, i.e. security, being either completely neglected or having significant shortcomings. Since IoT has a heterogeneous structure, there is a need for intrusion detection systems (IDSs) that take into account the specifics of an IoT system architecture, including the computing power limitations, variety of protocols and prevalence of zero-day attacks. In this paper, we describe ARTEMIS, an IDS for IoT, which processes data from IoT devices using machine learning to detect deviations from the normal behavior of the system and generates alerts in case of anomalies. We have implemented a prototype of the system using IoT devices subscribed to topics at an MQTT broker and provide an experimental evaluation of the system under MQTT-related attacks.

Index Terms—IoT, Intrusion Detection, MQTT

The advances in and wide availability of networking infrastructures and smart devices in the last decade have given rise to the Internet of Things (IoT) phenomenon, enabling the connectivity of physical and virtual objects to create smart environments. Although IoT systems are relatively new, IoT-enabled devices have already created a large attack surface for hackers to exploit. Notorious security incidents include a massive distributed denial of service (DDoS) attack launched by hacking into thousands of security cameras, hackers remotely taking control of a Jeep Cherokee, and the Stuxnet virus destroying a fifth of Iran's nuclear centrifuges, among others. Many of the current IoT devices lack basic security mechanisms, and IoT standards and protocols are not yet standardized, which creates security loopholes.

This paper aims to contribute to the design of effective intrusion detection approaches for IoT systems where devices communicate using the MQTT protocol. We propose an intrusion detection system (IDS) performing anomaly-based intrusion detection with machine learning (ML) algorithms to create alerts when the observed behavior of the system deviates significantly from its normal behavior as learnt by the algorithms. The main contributions of this paper are as follows:

• We describe a lightweight anomaly-based IDS for MQTT-based IoT networks.
• We provide a comprehensive experimental evaluation of the anomaly detection performance of six ML algorithms for the detection of simulated MQTT attacks, using data collected by the prototype IoT system we developed.
• We provide a dataset consisting of packet captures generated by simulating attacks on the implemented IoT network. The unavailability of such IoT-specific datasets in the literature is a major problem for security researchers.

II. RELATED WORK

Intrusion detection in IoT has been a popular area of research for the past few years, owing to the significant adverse effects of cyber attacks on IoT systems. Kasinathan et al. [1] adapted Suricata, a signature-based IDS, to detect DoS attacks in 6LoWPAN networks. Their system analyzes the IDS alerts together with the channel interference rate and packet dropping rate to confirm the attack while reducing the false alarm rate. Liu et al. [2] proposed a signature-based IDS that utilizes Artificial Immune System (AIS) techniques. This approach is not suitable for deployment in IoT networks containing low-capacity nodes, due to the cost of storing attack signatures and running the algorithms. Cho et al. [3] proposed an anomaly-based detection scheme for botnets in 6LoWPAN sensor networks. The solution monitors the network traffic and raises a notification when unexpected changes in the computed averages of packet length and number of connections are observed for any node.
Lee et al. [4] leveraged regular energy consumption as a parameter to detect anomalous behavior in low-capacity 6LoWPAN networks. Summerville et al. [5] designed a deep-packet inspection method for anomalies that is capable of running on resource-constrained IoT devices. They experimented with two Internet-enabled devices, and the false positive rates for the worm propagation, tunneling, SQL code injection and directory traversal attack types were shown to be low. Pongle and Chavan [6] designed three algorithms to detect wormhole attacks in IoT networks. Although their system is suitable for low-resource IoT devices, the authors did not report the false positive rates.

The main shortcoming of previous work is that it was mostly not evaluated with datasets specific to IoT and/or to IoT-specific communication protocols and attacks. Closest to our work is that of Alaiz-Moreton et al. [7], which utilized three methods, Extreme Gradient Boosting (XGBoost), GRU recurrent neural networks and LSTM recurrent neural networks, for detecting three types of attacks: DoS, man-in-the-middle and an MQTT-specific intrusion. However, we consider different ML algorithms and focus on the detection of anomalies rather than multi-class attack classification.

III. METHODOLOGY

A. System Architecture

The architecture of the IoT network and IDS we model in this work is as shown in Fig. 1.

prediction model. We use the formula below in order to take advantage of the outlier probabilities of the previous batches as well, where mov_avg is the moving average outlier probability, prev_mov_avg is the moving average outlier probability for the previous batch, avg is the outlier probability of the current batch, and W0 is the weight. W0 essentially indicates how much we value past data. In our experiments, we set it to 0.4.

    mov_avg = W0 * prev_mov_avg + (1 - W0) * avg    (1)

Alerts are generated based on the difference between the current moving average and the previous moving average.

B. Data Collection

In the system prototype developed, we have a DHT11 sensor connected to a Raspberry Pi, which sends temperature and humidity data out. For diversity, we subscribe to some topics at public MQTT test brokers such as [...] and [...]. The Node-RED IoT programming tool is used to set up connections between publish and subscribe nodes.

C. Feature Design

We use the information in the TCP, MQTT and IP layers of packets. In addition to these features, we also calculate, for each packet, the average time between the 20 preceding packets. The complete set of the 31 features used can be seen in Table I.

TABLE I
FEATURE SET AND DESCRIPTIONS
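The alert rule of Eq. (1) in Section III-A, as an added example that is not part of the original paper: the per-packet outlier probabilities, the alert threshold ALERT_DELTA and the first-batch initialisation are assumptions, since the page fixes only W0 = 0.4 and states that alerts depend on the difference between consecutive moving averages.

```python
"""Added example (not code from the ARTEMIS paper): batch-wise alerting with the
moving-average rule of Eq. (1), mov_avg = W0 * prev_mov_avg + (1 - W0) * avg.
Outlier probabilities, ALERT_DELTA and the first-batch initialisation are
constructed assumptions; the page fixes only W0 = 0.4."""
from typing import List, Optional, Tuple

W0 = 0.4            # weight on past data; the value used in the paper's experiments
ALERT_DELTA = 0.2   # assumed threshold on |mov_avg - prev_mov_avg|


class MovingAverageAlerter:
    def __init__(self, w0: float = W0, alert_delta: float = ALERT_DELTA):
        self.w0 = w0
        self.alert_delta = alert_delta
        self.prev_mov_avg: Optional[float] = None   # None until the first batch

    def update(self, batch_probs: List[float]) -> Tuple[Optional[float], bool]:
        """Fold one batch of per-packet outlier probabilities (as produced by the
        detection model) into the moving average. Returns (mov_avg, alert).
        An empty batch leaves the state untouched and never alerts."""
        if not batch_probs:
            return self.prev_mov_avg, False
        avg = sum(batch_probs) / len(batch_probs)   # outlier probability of this batch
        if self.prev_mov_avg is None:
            mov_avg, alert = avg, False              # first batch: nothing to compare with
        else:
            mov_avg = self.w0 * self.prev_mov_avg + (1 - self.w0) * avg   # Eq. (1)
            # Alert on the jump between consecutive moving averages; a sustained
            # attack therefore fires at its onset, not on every later batch.
            alert = abs(mov_avg - self.prev_mov_avg) > self.alert_delta
        self.prev_mov_avg = mov_avg
        return mov_avg, alert


def run_stream(batches: List[List[float]]) -> List[Tuple[Optional[float], bool]]:
    """Score a sequence of batches; one (mov_avg, alert) pair per batch."""
    alerter = MovingAverageAlerter()
    return [alerter.update(b) for b in batches]


# Constructed stream: two benign batches, then fuzzing-like batches in which the
# model scores most packets as outliers.
SAMPLE_BATCHES = [
    [0.1, 0.1, 0.1, 0.1],
    [0.1, 0.2, 0.1, 0.0],
    [0.9, 0.8, 1.0, 0.9],
    [0.9, 0.9, 0.9, 0.9],
]

if __name__ == "__main__":
    for i, (m, a) in enumerate(run_stream(SAMPLE_BATCHES)):
        print(f"batch {i}: mov_avg={m:.4f} alert={a}")
```

With W0 = 0.4 the third batch raises the moving average from 0.1 to 0.58 and alerts, while the fourth only moves it to 0.772 and stays below the assumed threshold.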
Forest were used to train a model with only benign data. For the autoencoder, we did not change the default parameters of the library. Random Forest already achieved good results with the default parameters, therefore only the n_estimators parameter was changed to 100. We used the PyOD implementation of OCSVM, and the SelectKBest method was used to select the best 24 features among the 31. We created our clustering models with the k-means and Birch methods from the Python sklearn library. We have 2 clusters, inlier and outlier. For Birch, the branching threshold was set to 0.2.

Both the training and test sets of the attack dataset contain normal behaviour (benign) and fuzzing attack packets. Furthermore, JSON objects require special handling as they are not a primitive data type. Thus, we created filtered versions of the mentioned datasets, which do not include packets with JSON objects in their payloads. The distribution of the number of packets in the datasets is summarized in Table II. We evaluated the performances of the methods with ROC

TABLE II
PACKET DISTRIBUTIONS IN THE DATASETS

                      Benign Dataset   Attack Dataset   Benign Dataset   Attack Dataset
                      Without JSON     Without JSON     With JSON        With JSON
# of Benign Packets   58748            232941           102738           286985
# of Attack Packets   0                135123           0                135123
Total # of Packets    58748            368064           102738           422108

TABLE IV
ACCURACY SCORES OF THE ML METHODS

                   Benign Train -   Benign Train -   Attack Train -   Attack Train -
                   Attack Test      Attack Test      Attack Test      Attack Test
                   Without JSON     With JSON        Without JSON     With JSON
Autoencoder        -                -                0.5945           0.6378
SO GAAL            -                -                0.8415           0.7860
Random Forest      -                -                1.0              0.8007
K-Means            -                -                1.0              0.8007
OCSVM              0.9998           0.9998           -                -
Isolation Forest   0.7534           0.8417           -                -

In this paper, we described the design and implementation of a lightweight anomaly-based IDS for IoT networks, focusing on attacks on MQTT. We generated a dataset that contains attacks on MQTT and provided it for the use of the security community. Our IDS integrates various ML techniques to classify IoT network behavior as normal or anomalous. We provided a comparative analysis of the performance of the k-means, SO GAAL, OCSVM, Random Forest, Isolation Forest and autoencoder models for the anomaly detection task. The experimental results suggest that ML-based intrusion detection in MQTT-based IoT networks can achieve impressive results even when not trained with previously known attacks.
