sify anomalous traffic in real-world IoT traffic flows.
We assess several methods, from traditional techniques with supervised learning to deep neural networks. We initially performed binary classification of traffic flows, where the system classifies each new flow as normal or anomalous. The random forest algorithm and the multilayer neural network achieved the best (and satisfactory) performance values.

We also evaluated a multiclass classification approach, in which the classifier should identify the type of attack of each flow it classifies as anomalous. The results of this approach were considerably worse than the ones we got with binary classification. Although the training and test sets are balanced in terms of benign and malign traffic, they are unbalanced in the types of malicious flows, and some methods failed to identify some types of malign traffic. Even though the training set contains thousands of samples of one such traffic type, the relatively small number of samples available for training negatively impacted the performance of the models. Still, a possible direction for future work is to evaluate the application of multiclass identification methods only on flows that binary classification methods identify as malign.

As future work, we also intend to expand the analysis of deep models with greater capacity to identify temporal patterns and evaluate model resilience to adversarial machine learning.

This work is funded by national funds through FCT – Fundação para a Ciência e a Tecnologia, I.P., under the Scientific Employment Stimulus - Institutional Call - CEECINST/00051/2018 and in the context of the project UIDB/04524/2020.
