IEEE Access (Jan 2023)

ZMAD: Lightweight Model-Based Anomaly Detection for the Structured Z-Wave Protocol

  • Carlos Kayembe Nkuba,
  • Seunghoon Woo,
  • Heejo Lee,
  • Sven Dietrich

DOI
https://doi.org/10.1109/ACCESS.2023.3285476
Journal volume & issue
Vol. 11
pp. 60562 – 60577

Abstract

Smart home automation is part of the Internet of Things that enables remote control of a house via smart devices, sensors, and actuators. Despite its convenience, vulnerabilities in smart home devices provide attackers with an opportunity to break into the smart home infrastructure without permission. In fact, millions of Z-Wave smart home legacy devices are vulnerable to wireless injection attacks due to the lack of encryption support and the lack of firmware updates. Worse yet, recent Z-Wave secure S2 devices with built-in encryption are also vulnerable to specific targeted attacks, i.e., attacking S2 devices is possible via vulnerable legacy devices or by injecting malicious unencrypted packets that alter the normal operations of S2 devices. In this paper, we present ZMAD, a lightweight anomaly-based intrusion detection system (IDS) for monitoring and detecting wireless attacks on Z-Wave smart home devices. ZMAD uses a technique called packet formalization to address heterogeneous packets coming from various Z-Wave devices. ZMAD also uses a centralized learning approach to profile normal communication patterns of devices to increase Z-Wave Command Class coverage. By constructing a lightweight artificial neural network built from scratch in consideration of packet formalization and centralized learning, ZMAD can effectively detect abnormal behaviors in Z-Wave networks and runs on an external device to avoid network overhead. We applied ZMAD to an evaluation testbed constructed using 17 top-rated real-world Z-Wave smart home devices. From our experiments, we confirmed that ZMAD could effectively discover wireless injected packets with an accuracy of 98% for its artificial neural network. Our further analysis demonstrated that ZMAD is more effective than existing approaches, increasing the coverage of Z-Wave Command Classes by 663% while reducing the size of the trained model (23.1 KB) by five to 47 times compared to existing deep learning architectures.

Keywords