Feature Representation of AutoEncoders for Unsupervised IoT Malware Detection

The feature representation of AutoEncoders (AEs) has been widely used for unsupervised learning, particularly in cybersecurity domain, and demonstrated promising performance. However, deeply investigations of the feature learner for the task of IoT attack detection in unsupervised learning have not been carried out yet. In this paper, we study the feature representation of AEs in combination with a subsequent clustering-based technique like Self-Organizing Maps (SOM) for unsupervised learning IoT attack detection. This aims to get insight into the characteristics of the AE learners in the tasks of unsupervised IoT detection such as identifying unknown/new IoT attacks and transfer learning. To highlight the behavior of AE-based learners, a feature reduction like Principle Component Analysis (PCA) is used to construct a feature space for facilitating SOM. The proposed models are investigated and assessed extensively by a number of experiments and analyses on the NBaIoT dataset. The experimental results highly suggest that AEs should be used for transferring models as training data is highly un-balanced and includes IoT attacks being similar to Benign. If the training data seems to be balanced, and contains IoT attacks being significantly deviated from Benign, the feature reduction like PCA is more preferable. © 2021, Springer Nature Switzerland AG.