Abstract
Identifying attacks on Internet of Things (IoT) systems through anomaly detection remains a critical area of research. One common and effective strategy in this field involves monitoring system-related data during normal operation to establish a baseline of expected behavior, followed by continuous monitoring to identify deviations from this baseline. System call sequences, which provide a low-level representation of the behavior of a system, are widely regarded as a valuable resource for anomaly detection; however, challenges such as the categorical nature of system call data, inconsistencies in sequence lengths, repeating patterns, and the diversity of activities across single- and multi-process environments complicate the effectiveness of existing methods. To address these challenges, we propose a centroid-based anomaly detection approach that transforms IoT system call data into word vectors, creating a central vector to represent normal behavior. A weighted vector-space model is then used to set a threshold distance for distinguishing between normal and malicious sequences. The effectiveness of the proposed method is evaluated across three distinct datasets: the Australian Defence Force Academy Linux Dataset (ADFA-LD) and the University of New Mexico (UNM) datasets, including UNM-Sendmail and UNM-Line Printer Remote (LPR). The method surpasses existing approaches on the ADFA-LD dataset, achieving an accuracy of 99.02%, a false-positive rate (FPR) of 1.96%, and an area under the receiver operating characteristic curve (AUC) of 0.9923. For the UNM datasets, the performance metrics indicate a detection accuracy of 99.7%, an FPR of 0.28%, and an AUC of 0.9983. The average processing time was measured as 1–3 ms. The experimental results and subsequent analysis reveal promising performance, demonstrating the generalizability of the proposed method across various datasets.
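As an added illustration of the centroid idea the abstract describes (this is not the paper's code, which the page does not include), the sketch below makes assumed concrete choices: sublinear TF-IDF as the weighted vector-space model, cosine distance to a single centroid of the normal traces, and a threshold set at the mean plus k standard deviations of the training traces' distances. The traces are constructed toy data, not ADFA-LD or UNM records.

```python
import math
from collections import Counter
# Constructed training traces of normal behaviour (toy values, not ADFA-LD or UNM data):
# variable-length sequences of system call numbers, with repeated calls.
NORMAL_TRACES = [
    [6, 6, 63, 6, 42, 120, 6, 195, 120, 6, 6, 114],
    [6, 63, 42, 120, 6, 195, 120, 6, 114, 6],
    [6, 6, 6, 63, 42, 42, 120, 195, 6, 114],
    [63, 6, 42, 120, 120, 6, 195, 114, 6, 6, 6],
    [6, 63, 42, 6, 120, 195, 6, 6, 114],
]

def build_idf(traces):
    """Inverse document frequency per system call over the training traces."""
    n = len(traces)
    df = Counter(call for t in traces for call in set(t))
    return {call: math.log((1 + n) / (1 + d)) + 1 for call, d in df.items()}

def vectorize(trace, idf):
    """Sublinear TF-IDF, L2-normalised: damps repeats, ignores length and unseen calls."""
    tf = Counter(call for call in trace if call in idf)
    vec = {call: (1 + math.log(f)) * idf[call] for call, f in tf.items()}
    norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
    return {call: w / norm for call, w in vec.items()}

def cosine_distance(a, b):
    """1 - cosine similarity; an empty vector (only unseen calls) is maximally distant."""
    dot = sum(w * b.get(call, 0.0) for call, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return 1.0 - dot / (na * nb) if na and nb else 1.0

def fit(traces, k=3.0):
    """Build IDF, vectorise, average into one centroid, set threshold = mean + k*std."""
    idf = build_idf(traces)
    vecs = [vectorize(t, idf) for t in traces]
    total = sum((Counter(v) for v in vecs), Counter())  # element-wise sum of vectors
    cen = {call: w / len(vecs) for call, w in total.items()}
    dists = [cosine_distance(v, cen) for v in vecs]
    mean = sum(dists) / len(dists)
    std = math.sqrt(sum((d - mean) ** 2 for d in dists) / len(dists))
    return idf, cen, mean + k * std

def anomaly_score(trace, model):
    idf, cen, _ = model
    return cosine_distance(vectorize(trace, idf), cen)

def is_anomalous(trace, model):
    return anomaly_score(trace, model) > model[2]
```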
| Field | Value |
|---|---|
| Original language | English |
| Pages (from-to) | 26868-26881 |
| Number of pages | 14 |
| Journal | IEEE Internet of Things Journal |
| Volume | 12 |
| Issue number | 14 |
| Publication status | Accepted/In press - 2025 |
Keywords
- Internet of Things
- intrusion detection
- IoT security
- system call
- vector-space model
ASJC Scopus subject areas
- Signal Processing
- Information Systems
- Hardware and Architecture
- Computer Science Applications
- Computer Networks and Communications