CADeSH: Collaborative Anomaly Detection for Smart Homes

Yair Meidan, Dan Avraham, Hanan Libhaber, Asaf Shabtai

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


Although home IoT (Internet of Things) devices are typically plain and task oriented, the context of their daily use may affect their traffic patterns. That is, a given IoT device will probably not generate the exact same traffic data when operated by different people in different environments and when connected to different networks with different topologies and communication components. For this reason, anomaly-based intrusion detection systems tend to suffer from a high false positive rate (FPR). To overcome this, we propose a two-step collaborative anomaly detection method which first uses an autoencoder to differentiate frequent (‘benign’) and infrequent (possibly ‘malicious’) traffic flows. Clustering is then used to analyze only the infrequent flows and classify them as either known (’rare yet benign’) or unknown (‘malicious’). Our method is collaborative, in that (1) normal behaviors are characterized more robustly, as they take into account a variety of user interactions and network topologies, and (2) several features are computed based on a pool of identical devices rather than just the inspected device. We evaluated our method empirically, using 21 days of real-world traffic data that emanated from eight identical IoT devices deployed on various networks, one of which was located in our controlled lab where we implemented two popular IoT-related cyber-attacks. Our collaborative anomaly detection method achieved a macro-average area under the precision-recall curve of 0.841, an F1 score of 0.929, and an FPR of only 0.014. These promising results were obtained by using labeled traffic data from our lab as the test set, while training the models on the traffic of devices deployed outside the lab, and thus demonstrate a high level of generalizability. In addition to its high generalizability and promising performance, our proposed method also offers benefits such as privacy preservation, resource savings, and model poisoning mitigation. On top of that, as a contribution to the scientific community, our novel dataset is available online.

Original languageEnglish
Pages (from-to)1
Number of pages1
JournalIEEE Internet of Things Journal
StateAccepted/In press - 1 Jan 2022


  • Anomaly detection
  • Autoencoders
  • Behavioral sciences
  • Botnets
  • Clustering
  • Collaboration
  • Collaborative Anomaly Detection
  • Cryptomining
  • Detectors
  • Distributed Denial-of-Service (DDoS)
  • Internet of Things
  • Internet of Things (IoT)
  • IoT Attack Detection
  • Telecommunication traffic
  • Training

ASJC Scopus subject areas

  • Signal Processing
  • Information Systems
  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications


Dive into the research topics of 'CADeSH: Collaborative Anomaly Detection for Smart Homes'. Together they form a unique fingerprint.

Cite this