CADeSH: Collaborative Anomaly Detection for Smart Homes

Yair Meidan, Dan Avraham, Hanan Libhaber, Asaf Shabtai

Research output: Contribution to journalArticlepeer-review

5 Scopus citations


Although home Internet of Things (IoT) devices are typically plain and task oriented, the context of their daily use may affect their traffic patterns. That is, a given IoT device will probably not generate the exact same traffic data when operated by different people in different environments and when connected to different networks with different topologies and communication components. For this reason, anomaly-based intrusion detection systems tend to suffer from a high false positive rate (FPR). To overcome this, we propose a two-step collaborative anomaly detection method which first uses an autoencoder to differentiate frequent ('benign') and infrequent (possibly 'malicious') traffic flows. Clustering is then used to analyze only the infrequent flows and classify them as either known ('rare yet benign') or unknown (malicious). Our method is collaborative, in that 1) normal behaviors are characterized more robustly, as they take into account a variety of user interactions and network topologies and 2) several features are computed based on a pool of identical devices rather than just the inspected device. We evaluated our method empirically, using 21 days of real-world traffic data that emanated from eight identical IoT devices deployed on various networks, one of which was located in our controlled lab where we implemented two popular IoT-related cyber-attacks. Our collaborative anomaly detection method achieved a macro-average area under the precision-recall curve of 0.841, an F1 score of 0.929, and an FPR of only 0.014. These promising results were obtained by using labeled traffic data from our lab as the test set, while training the models on the traffic of devices deployed outside the lab, and thus demonstrate a high level of generalizability. In addition to its high generalizability and promising performance, our proposed method also offers benefits, such as privacy preservation, resource savings, and model poisoning mitigation. On top of that, as a contribution to the scientific community, our novel data set is available online.

Original languageEnglish
Pages (from-to)8514-8532
Number of pages19
JournalIEEE Internet of Things Journal
Issue number10
StatePublished - 15 May 2023


  • Autoencoders (AEs)
  • Distributed Denial of Service (DDoS)
  • Internet of Things (IoT)
  • IoT attack detection
  • botnets
  • clustering
  • collaborative anomaly detection
  • cryptomining

ASJC Scopus subject areas

  • Information Systems
  • Signal Processing
  • Hardware and Architecture
  • Computer Networks and Communications
  • Computer Science Applications


Dive into the research topics of 'CADeSH: Collaborative Anomaly Detection for Smart Homes'. Together they form a unique fingerprint.

Cite this