AI-based Embedded Intrusion Detection System

Cybersecurity for IoT Endpoints

The embedded IDS (IDS = Intrusion Detection System) enables IoT endpoints with embedded systems (e.g. sensors, actuators, controllers) and other resource-limited digital subsystems integrated into networks to use AI to monitor their incoming and outgoing network traffic.

To do this, the IDS is first trained with typical traffic data from the network to be monitored in a machine learning (ML) phase, creating an ML model that enables the target system to identify and report anomalies in the network traffic.

This allows cyberattacks to be detected at an early stage and defensive measures to be initiated in good time.

How Does It Differ from Comparable Intrusion Detection Systems?

In contrast to "normal" large intrusion detection systems in the IT world, which require a relatively large amount of memory and computing power, our embedded IDS – as the name suggests – is designed for use in embedded systems, which generally only offer very limited memory capacity and computing power.

The entire IDS must therefore work extremely efficiently in order to function reliably despite the limited resources.

Self-sufficient solution

Our embedded intrusion detection system is self-sufficient as it does not require a cloud connection for anomaly detection.

Two-stage check

The network traffic data is first compared with a whitelist and only then analyzed in real time using an ML model.

How Does the Embedded IDS Work?

The main component of the Embedded IDS is the IDS Data Exploration Tool, or IDET for short. Using the data provided, IDET generates an ML model, meaning an AI algorithm for real-time monitoring of network traffic.

In the first step, the typical network traffic of the respective network environment is recorded with a data logger, saved in the form of CSV files and loaded into the IDET.

In addition, the usual communication flows for a specific node within a network segment are saved in another CSV file – the whitelist – based on IP addresses, direction, port numbers and protocol names and also loaded into the IDET.

In the next step, the IDS is trained in a machine learning phase and an ML model file is generated, which is then installed on the target system together with a so-called inference code.

With these two components (inference code and ML model), the target system can finally detect anomalies in network traffic in real time.

Code templates are available for the inference code, which can be adapted to the respective target system – e.g. a Raspberry Pi.

Fig. 1: Workflow of the Embedded IDS

How Does the Anomaly Detection Work?

Anomaly detection is carried out by the so-called inference engine on the target system and consists of two individual functions: First, a whitelist filter checks the real-time network traffic data against the whitelist.

If there is a deviation here, a message is sent to an anomaly event handler, which generates a notification for each message it receives and forwards it to external systems.

If the traffic data received by the inference engine matches the whitelist rules, the actual ML inference takes place in the second check step.

The traffic data is classified using the trained ML model in order to detect a possible anomaly.

If an anomaly is detected, the anomaly event handler also receives a corresponding message.

Fig. 2: Anomaly detection

The Whitelist

The whitelist is a static set of rules in CSV format and describes the usual TCP/IP-based communication flows for a specific node within a network segment based on IP, direction, port number and protocol. This makes it possible to determine whether a TCP/IP-based communication connection between two systems is intended or not.

However, a whitelist entry cannot be used to see what exactly happens within this connection.

The whitelist can therefore be compared to a firewall rule set for a single system.
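The two-stage check and the whitelist described above can be sketched as follows. This is an added example, not SSV's inference code: the CSV column layout, the function names and the size-based stand-in for the ML stage are assumptions, and all addresses and flows are constructed.

```python
import csv
import io

# Constructed whitelist for one node. The column layout is an assumption:
# the page names the fields (IP, direction, port, protocol), not the format.
WHITELIST_CSV = """ip,direction,port,protocol
192.0.2.10,in,502,tcp
192.0.2.20,out,1883,tcp
192.0.2.53,out,53,udp
"""

def load_whitelist(text):
    """Parse CSV rules into a set of (ip, direction, port, protocol) tuples."""
    return {(r["ip"].strip(), r["direction"].strip().lower(),
             int(r["port"]), r["protocol"].strip().lower())
            for r in csv.DictReader(io.StringIO(text))}

def make_engine(whitelist, ml_is_anomalous, handler):
    """Return check(flow): stage 1 whitelist filter, stage 2 ML inference."""
    def check(flow):
        key = (flow["ip"], flow["direction"], flow["port"], flow["protocol"])
        if key not in whitelist:
            handler({"stage": "whitelist", "flow": key})
            return "whitelist"          # unintended connection, ML stage skipped
        if ml_is_anomalous(flow):
            handler({"stage": "ml", "flow": key})
            return "ml"                 # allowed connection, unusual behaviour
        return None                     # traffic considered normal
    return check

def demo():
    events = []                         # stand-in for forwarding to external systems
    # Hypothetical stand-in for the trained model: flags oversized transfers.
    check = make_engine(load_whitelist(WHITELIST_CSV),
                        lambda f: f["bytes"] > 1500, events.append)
    flows = [                           # constructed sample traffic
        {"ip": "192.0.2.10", "direction": "in", "port": 502, "protocol": "tcp", "bytes": 260},
        {"ip": "198.51.100.7", "direction": "in", "port": 23, "protocol": "tcp", "bytes": 60},
        {"ip": "192.0.2.20", "direction": "out", "port": 1883, "protocol": "tcp", "bytes": 9000},
    ]
    return [check(f) for f in flows], events
```

The third flow matches a whitelist rule and is only caught in the second stage, which is the case the whitelist alone cannot see.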

The AI Algorithm

Fig. 3: Scheme of an autoencoder

The trained ML model for the inference engine is based on a so-called autoencoder. This is a special architecture for artificial neural networks that works with an encoder-decoder function combination.

The encoder converts the input into a code representation, whereby the input data is reduced to the essential features (also referred to as latent features in this context).

The decoder can then reconstruct the input data from this code. With this procedure plus some additional functions, ML models can be created that recognize anomalies very effectively.

Autoencoder-based models are created using unsupervised machine learning, so the training data does not require any labels, which means it does not have to be manually classified before training.

We use the open-source TensorFlow framework for training, creating and deploying the ML models.
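The encoder-decoder idea can be shown with a minimal linear autoencoder that has one latent feature and flags inputs it reconstructs poorly. This is an added example, not the product's TensorFlow model: the closed-form fit by power iteration, the two traffic features, the training rows and the threshold rule (three times the worst training error) are all assumptions, and scoring by reconstruction error is a common approach that the page does not confirm.

```python
import math

def train(rows, iters=100):
    """Fit a linear autoencoder with one latent feature and tied weights.
    Its optimum is the first principal component, found by power iteration."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    X = [[r[j] - mean[j] for j in range(d)] for r in rows]
    cov = [[sum(x[i] * x[j] for x in X) / n for j in range(d)] for i in range(d)]
    w = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * w[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(v * v for v in w))
        w = [v / norm for v in w]
    return mean, w

def reconstruction_error(model, row):
    """Squared distance between the input and its decoded reconstruction."""
    mean, w = model
    x = [v - m for v, m in zip(row, mean)]
    code = sum(a * b for a, b in zip(x, w))   # encoder: input -> latent feature
    recon = [code * b for b in w]             # decoder: latent feature -> input
    return sum((a - b) ** 2 for a, b in zip(x, recon))

# Constructed unlabeled training traffic: (packets per second, kilobytes per second).
TRAIN = [(10, 5.0), (20, 10.1), (30, 14.9), (40, 20.0), (50, 25.1)]
MODEL = train(TRAIN)
# Assumed threshold rule: three times the worst error seen on training data.
THRESHOLD = 3 * max(reconstruction_error(MODEL, r) for r in TRAIN)

def is_anomalous(row):
    """True when the model cannot reconstruct the row within the threshold."""
    return reconstruction_error(MODEL, row) > THRESHOLD
```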

Request a Free 30-Day Trial Period

Please fill out the form completely to request the 30-day evaluation of the Embedded IDS with your Raspberry Pi.

You will receive free access to an instance of the IDS Data Exploration Tool (IDET) on the Internet, which you can access via a web browser for 30 days.

During this period, your individual settings, CSV files and generated ML models remain stored on the Internet.

You will also receive a network traffic data logger and inference code example for your Raspberry Pi plus a screencast for commissioning the Embedded IDS.

You can of course take advantage of the support provided by our experts during the test phase.

Do You Have Questions?

If you have any questions regarding registration, our sales team will be happy to help you!

Phone: +49(0)511 · 40 000-34

E-mail: sales@ssv-embedded.de

SSV SOFTWARE SYSTEMS

Dünenweg 5
30419 Hannover

Phone: +49(0)511 · 40 000-0
Fax: +49(0)511 · 40 000-40

sales@ssv-embedded.de


© 2024 SSV SOFTWARE SYSTEMS GmbH. All rights reserved.