IoT-CAD: Context-Aware Adaptive Anomaly Detection in IoT Systems Through Sensor Association


Rozhin Yasaei, Felix Hernandez, Mohammad Abdullah Al Faruque
Department of Electrical Engineering and Computer Science
University of California, Irvine, California, USA
{ryasaei,felixh1,alfaruqu}@uci.edu

ABSTRACT

The deployment of Internet of Things (IoT) devices in cyber-physical applications has introduced a new set of vulnerabilities. The new security and reliability challenges require a holistic solution due to the cross-domain, cross-layer, and interdisciplinary nature of IoT systems. However, the majority of works presented in the literature primarily focus on the cyber aspect, including the network and application layers, and the physical layer is often overlooked.

In this paper, we utilize IoT sensors that capture the physical properties of the system to ensure the integrity of IoT sensor data and identify anomalous incidents in the environment. We propose an adaptive context-aware anomaly detection method that is optimized to run on a fog computing platform. In this approach, we devise a novel sensor association algorithm that generates fingerprints of sensors, clusters them, and extracts the context of the system. Based on the contextual information, our predictor model, which comprises a Long-Short Term Memory (LSTM) neural network and Gaussian estimator, detects anomalies, and a consensus algorithm identifies the source of the anomaly. Furthermore, our model updates itself to adapt to the variation in the environment and system. The results demonstrate that our model detects the anomaly with 92.0% precision in 532 ms, which meets the real-time constraint of the system under test.

CCS CONCEPTS

• Computer systems organization → Embedded and cyber-physical systems.

KEYWORDS

Internet of Things, context, sensor association, anomaly detection, recurrent neural networks, LSTM encoder-decoder

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
ICCAD ’20, November 2–5, 2020, Virtual Event, USA
© 2020 Copyright held by the owner/author(s).
ACM ISBN 978-1-6654-2324-3/20/11. . . $15.00
https://doi.org/10.1145/3400302.3415672

1 INTRODUCTION

Over the last decade, IoT has grabbed substantial attention due to advancements in computation and communication, and it is utilized in many applications such as smart home, automotive, and medical aid. The rapid growth of IoT has raised concerns about the security and reliability of these systems. There is a tremendous amount of work in the literature that focuses on various aspects of IoT systems such as communication network [24, 38], hardware security [5, 15, 21, 22] or software security [3, 34, 40, 41]. However, the physical layer of IoT as a cyber-physical system (CPS) is overlooked. To ensure the security of CPS systems, in addition to a bottom-up security attitude, a holistic approach is required [8–10, 12].

The ultimate goal of an IoT system is to control the environment and maintain it in the desired state. In order to explain the important role of sensors in fulfilling this goal, we categorize IoT systems under two categories, as depicted in Figure 1: (i) a closed-loop control system, and (ii) a monitoring system. On the one hand, a closed-loop control system consists of three major components: (i) sensors; (ii) controller; and (iii) actuators (see Figure 1(a)). The sensors monitor the system and send the status to the controller, which processes the sensor readings, decides how to react, and sends the control signals to the actuators to maintain the state of system and environment.

On the other hand, monitoring systems mainly contain sensors that measure numerous parameters in the system and provide the user with information to take proper action (see Figure 1(b)). Although a monitoring system cannot directly manipulate the environment, it informs a supervising user of events that happen in the system, and the user controls the system manually. Thus, a monitoring system is eventually a part of a control loop.

Figure 1: Two categories of IoT systems; (a) Closed-loop control system, and (b) Monitoring system.

In both categories, sensors are an essential component of the control loop since sensor measurements determine the action that is needed to maintain the system in the desired state. Malfunction or manipulation of a sensor can break the control loop [4], and consequently, disrupt the services offered by the IoT system. Fault in a sensor device leads to the appearance of anomalous values in its readings, whereas not all anomalies in sensor measurements indicate sensor breakage because an unexpected event in the environment may cause an anomaly as well. Observing the possible anomalies in an IoT system, we present a classification of anomalies which facilitates identification of the anomaly’s source:

• Environmental Anomaly (EA): The environment is the area that surrounds the sensor, and the sensor measures its physical properties. Any anomaly in the environment affects the measurements of the sensor and disrupts it. An EA may occur as a result of malicious activities or unexpected incidents in the environment.
Figure 2: (a) Schema of wastewater plant, and synthetic sensors’ signals in the (b) first scenario (EA), (c) second scenario (SDA).
• Sensing Device Anomaly (SDA): When the operation of a sensor is corrupted, its measurements do not follow the same pattern, and an SDA is observed. This corruption occurs because of either security or reliability issues. For instance, [1, 45] discuss some attacks on the physical layer.

Current anomaly detection methods model the normal behavior of a device [7, 13, 31, 33] and label any deviation from expected behavior as an anomaly. Most of the works concentrate on anomaly detection in the network layer of IoT systems [20]. In spite of reasonable performance in network intrusion detection, these methods have a high rate of false alarms when used with sensor signals. They misinterpret the environmental variation in the sensors' measurements as an SDA and disregard the potential information encoded in the relation between the system and the physical world, known as the context of the system (refer to Sec. 3.1 for the definition of context). Conventionally, context-aware methods are applied to a variety of applications [2], and recently, these methods are used to secure the authentication of co-located devices [16, 35, 36, 42].

In this work, we propose an adaptive data-driven model for unsupervised anomaly detection in IoT systems based on the sensor measurements. The model monitors the system to detect anomalies, identifies the type of anomaly (SDA or EA), and locates them. To this end, we develop an algorithm to extract the patterns in sensor signals and generate the context of system. Then, we associate the sensors from different modalities based on the context and cluster the sensors with similar behavior. We develop our customized Recurrent Neural Network (RNN), followed by a consensus algorithm to detect and localize anomalies. The consensus algorithm checks the consistency between sensors in each cluster and determines the type of anomaly. An IoT system has a dynamic structure that is open to changes, such as adding new nodes, removing the existing ones, or updating the framework and protocols. In order to address the variation in IoT systems over time, our model is designed to be adaptive and update itself.

1.1 Motivational Example

As a real-world IoT system, we study the environmental training center wastewater plant in Riccione [14]. The primary purpose of wastewater treatment is the elimination of nitrate. Nitrate contamination is a severe environmental problem because it can exhibit toxicity toward aquatic life, present a public health hazard, and affect the suitability of wastewater. In the treatment process, the wastewater is pumped to the tanks, which are equipped with sensors to monitor the concentration of oxygen, ammonia, and nitrate in the water. The actuators, such as blowers and valves, are controlled by a Programmable Logic Controller to adjust the level of chemicals (Figure 2(a)). Given the importance of the nitrate level, anomaly detection is applied to detect abnormal changes. Consider two scenarios with an anomalous rise in nitrate level. In the first scenario, environmental changes alter the water temperature, which affects the chemical reactions in the water tank (Figure 2(b), an example of EA). In the second scenario, the nitrate sensor is broken or manipulated by an attacker (Figure 2(c), an example of SDA). The current anomaly detection methods rely solely on nitrate sensor data, whereas the validity of its data is questionable. Thus, they cannot find the source of the anomaly and discriminate EA and SDA.

A recent study [14] analyzes the sensors of this wastewater plant and reveals the correlation between ammonia, oxygen, and nitrate sensor data. More specifically, when the rise in oxygen density reaches a certain threshold, the ammonia concentration decreases, and the nitrate concentration increases. Further investigation reveals the scientific rationale for this correlation; oxygen triggers the chemical reaction, which affects the ammonia and nitrate concentration. By considering this relationship, it is possible to validate sensor signals. In the first scenario, the incident affects all sensors. Despite irregularities in the sensor signals, they are consistent with each other. Thus, we can conclude that the integrity of the sensors’ data is not compromised. In the second scenario, the anomaly in the nitrate sensor data is inconsistent with the patterns of other sensor signals. It indicates that the cause of the abnormality is fault or attack. This type of relationship between sensors is not limited to this wastewater plant and it is observed in many IoT systems due to the availability of many heterogeneous sensors.

1.2 Threat Model

The proposed methodology aims to detect SDA and EA, which occur due to an unexpected incident in the environment, reliability issue, or security breakage. Accidental damage, degradation, and defects are examples of plausible reliability problems that cause unintended device malfunctions. In contrast, the security breakage scenario involves an attacker who intentionally exploits the vulnerabilities in the system. In this threat model, the adversary has access to the sensor device and fiddles with it to inject fault, alter functionality, or deny its service. As another possible scenario, the attacker can control the communication channel and send faulty signals to the controller as sensor measurements. The model can detect anomalies in a standalone sensor, but to distinguish between SDA and EA in a sensor, it should be associated with at least two other sensors. To
deceive this method, the attacker should be able to discover how sensors are clustered, learn the correlations and patterns in the sensors’ signals, and manipulate them in a way that imitates the same correlation as before. It means that in addition to sensors, the attacker should have full access to the clustering layout of sensors and the trained anomaly detection model. It is assumed that the attacker does not have these privileges.

1.3 Research Challenges

Anomaly detection in the IoT sensors is challenging due to the following reasons [11]:

• The IoT data are multivariate time-series data that are collected from a heterogeneous network of sensors with different modalities, data dimensions, sampling rates, specifications, and locations.
• Low cost and resource-constrained sensors are usually sensitive to noise, and deployment of them in IoT systems affects the quality of data.
• Due to lack of prior knowledge about possible anomalies and scarcity of anomalous observations, there is not enough labeled anomalous data available, and conventional supervised machine learning techniques are not applicable.
• IoT systems have dynamic characteristics that may be altered over time because of environmental changes, human interaction, mobility of devices, and updating firmware or software. Consequently, a static model fails to imitate the system in the long-term.

1.4 Our Contributions

To the best of our knowledge, this is the first context-aware anomaly detection method for IoT systems. Our novel contributions to address the aforementioned challenges are summarized below:

• Context-aware sensor association algorithm: We develop a multi-modality clustering method to associate sensors that experience similar contextual variation.
• Consensus-based strategy for unsupervised anomaly detection: We design a methodology to pinpoint the anomalies without reliance on prior knowledge about possible anomalies.
• Adaptive data-driven model: Our proposed anomaly detection model is periodically updated at run-time to adapt itself to new states caused by variations in the system.

2 RELATED WORKS

General anomaly detection algorithms can be classified into the following main categories [14]:

Statistical or Probabilistic Methods: These methods create a statistical or probabilistic model based on history data, which represents normal behavior [17, 39]. Upcoming observation is then compared with this model, and it is marked as an anomaly if it is statistically unlikely, or the probability of such observation is low.

Proximity Methods: These methods compute distances between data points to differentiate between anomalous and normal data. Two well-known techniques that fall in this category are the Local Outlier Factor [6] and clustering [18] methods.

Predictive Methods: In these methods, the anomaly detection problem is converted to obtaining an accurate sequence prediction algorithm that captures the recent and long-term trends in data sequences and reproduces them to predict future measurements. Afterward, the predictions are compared with the new observations to spot deviations from expected normal behavior. Recurrent Neural Networks (RNN) are capable of capturing the relationship between measurements over time because the feedback loops in the hidden layer of RNN can imitate memory.

Long-Short Term Memory (LSTM) layer was introduced in 1997 by [19] to overcome the shortcomings of RNN. It has gained a lot of attention lately because of its high accuracy in sequence prediction [7, 31, 33]. Conv-LSTM encoder-decoder is one of the neural network architectures that is used in the literature to enhance sequence prediction performance [23, 25, 27, 43, 44]. It contains convolutional layers to extract the essential features of input sequences and LSTM layers to perform the sequence prediction based on the features. Then, the anomaly is identified based on the reconstruction error of the model. LSTM-LSTM encoder-decoder [32, 37, 46] is another popular architecture which follows a similar strategy but it utilizes LSTM layers instead of convolutional layers for feature extraction.

Our methodology inherits the advantages of both probabilistic and predictive methods. We implement and compare the Conv-LSTM and LSTM-LSTM encoder-decoder as our predictive models. Then, the reconstruction error, derived from the difference between real and predicted values, is modeled by a Multivariate Gaussian Estimator to detect the anomaly.

3 ANOMALY DETECTION METHODOLOGY

Our proposed methodology (see Figure 3) detects SDA and EA in an IoT system to ensure sensing devices operate as they are expected.

Figure 3: The architecture of our methodology in the training and inference stage.

3.1 Context Generation

The context of a system is defined as an abstraction formed by extracting features from system circumstances and individual element constructs [26]. It describes the condition in which the system is operating and affects the outcome of the system. The first step for obtaining our context-aware data-driven model is to generate the context of the system by encoding its physical properties. Understanding and transforming this information such that it can be mathematically described is called context generation. Following
After sensor association, we evaluate the system to ensure that there is no standalone sensor which is not clustered. A standalone sensor is vulnerable because it is not related to any group of sensors that can verify its proper operation. In this case, the anomaly detection still can be applied to the independent sensor individually, but the SDA and EA are indistinguishable. The user is warned about this vulnerability in sensors and can resolve the issue by adding more sensors to the system.

Algorithm 1: Customized clustering algorithm for extracting patterns in sensor fingerprints and sensor association.

Input: Fingerprints: $F \in \mathbb{R}^{n \times k}$, number of sensors: $n$, sub-sequence length: $l$, overlap: $o$
Output: Cluster layout $C = \{c_1, c_2, \ldots, c_g\}$
Initialize $d = \frac{k - o}{l - o}$
Initialize $p_{max}$ = max # of patterns in sub-sequence
Initialize $iter_{max}$ = max # of iterations
Initialize the center of clusters randomly
foreach $j \in \{1, 2, \ldots, d\}$ do
    foreach $i \in \{1, 2, \ldots, n\}$ do
        Split fingerprint $F_i$ to obtain sub-sequences $f_i^j$;
    Clustering:
    foreach $iter \in \{1, 2, \ldots, iter_{max}\}$ do
        foreach $i \in \{1, 2, \ldots, n\}$ do
            $p_i^j = Argmin_{x \in C}\ Hamming(f_i^j, center(x))$;
        foreach $x \in \{1, 2, \ldots, p_{max}\}$ do
            $center(x) = mean(\{f_i^j \mid p_i^j = x\})$;
        if no changes in $center(x)$ then
            break;
    foreach $x \in \{1, 2, \ldots, p_{max}\}$ do
        Calculate inter-cluster ($OC$) metrics;
        if $Hamming(F_i^j, center(p_i^j)) > OC$ then
            Remove $F_i^j$ from cluster $p_i^j$;
            Add $F_i^j$ in unclustered nodes;
            Update $p_{max}^j$;
        if $|c_i| < 3$ then
            Remove cluster $x$;
            Update $p_{max}^j$;
    Add clusters to pattern histories $P_i$;
Perform the clustering again on pattern histories $P_i$, $i \in [1, n]$ to associate sensors;
return Sensors Cluster layout $C = \{c_1, \ldots, c_g\}$

3.3 Predictive Model

The next module of our methodology is the predictive model that predicts the future measurements of sensors according to the clustering layout and history of measurements. We construct a Recurrent Neural Network (RNN) for each cluster of sensors as the predictive model. As depicted in Figure 6, our RNN comprises LSTM encoder-decoder and dense layers, which encode the features of input sequences of length $l_i$ and predict the future sequences of length $l_o$ based on the encoded features. Sequences of data are derived from the input time-series signals using the sliding window technique. Afterward, the sequences are scaled through a Min-Max Scaler before being treated by the encoder because input signals come from multi-modality sensors with different signal ranges. Eventually, we have a set of predictive models $D_T = \{M_1, M_2, \ldots, M_g\}$ where $g$ is the number of clusters in the system and $M_i$ represents the model for cluster $c_i$. Given cluster $c_i$ that contains $n_i$ nodes, the model $M_i$ takes as input a matrix $X_i \in \mathbb{R}^{l_i \times n_i}$ to predict another matrix $Y_i \in \mathbb{R}^{n_i \times l_o}$.

Figure 6: The architecture of RNN used as predictive model. (Blocks shown: Time Series Signals, Min-Max Scaler, LSTM Encoder, Encoded States, LSTM Decoder, Dense Layer (100), Dropout (0.5), Output Layer.)

On top of predictive models, Multivariate Gaussian Estimators are trained to learn the probability of finding a particular error vector. This probability is used to ascertain whether the errors between predictions and real measurements correspond to the system’s normal behavior, or an anomaly has occurred. A multivariate Gaussian distribution $G_i = \mathcal{N}(\mu_i, \sigma_i)$ is fitted on the reconstruction error matrix $E_i$, which is the difference between the real values and predicted values. The parameters $\mu_i$ and $\sigma_i$ are computed using Maximum Likelihood Estimation.

$$\mu_i = e_{ij} = \frac{1}{m}\sum_{k=1}^{m} e_{ij}^{k}, \qquad \sigma_i = \frac{1}{m}\sum_{k=1}^{m} (e_j^k - \mu_j)(e_j^k - \mu_j)^T$$

3.4 Anomaly Detection

In the training stage, the predictive models and estimator modules are periodically used at run-time to infer anomalies. The frequency in which anomaly detection is performed can vary depending on the system specifications. At the run-time, an input measurement $x_t$ is compared with model prediction $y_t$, and the reconstruction error $e_t$ is calculated. Then, $x_t$ is classified as anomalous if $p_t < \alpha$, where $p_t$ is the probability of obtaining the error vector given by the Gaussian estimator $G$. $\alpha$ is a predefined threshold value, and it is tuned to maximize the F-score of the model.

When anomalous data is discovered, we utilize our consensus algorithm to differentiate between EA and SDA. EA occurs as a result of an incident in the environment. If the EA causes an anomaly in a sensor signal, the correlated sensors are affected by the event and show abnormal changes in their signals. In contrast, SDA influences the sensors individually and results in an anomaly in one or some of the sensors in a cluster. For each cluster, the consensus algorithm inspects the consistency of the sensor behaviors. It uses a voting mechanism to check if all sensors in a cluster agree on the occurrence of an environmental incident. To account for inertia in the physics of the system, we check the consensus in the time intervals instead of data points.

3.5 Model Adaptation

Due to the high variation in the IoT system and environment, we add the property of aliveness to our method, which means the model automatically gets updated to adapt to the system alteration and make more accurate predictions. As Figure 3 demonstrates, the sensor association, predictive model, and estimator modules are trainable. There are two levels of updating the model: (i) complete update, which retrains all trainable modules in order, and (ii) partial update, which only retrains the predictor model. These update processes are triggered under three circumstances:

• Change in the number of sensors in the system (either added or removed) triggers complete update.
• Each time the sensors send data, the anomaly detection model first validates the new data. Afterward, partial update is triggered using the new anomaly-free data.
• If complete update is not provoked during a fixed interval of time $t_{retrain}$, it is triggered automatically. This way, the model accounts for changes in the environment, location, and placement. This parameter $t_{retrain}$ can be tuned by the user, depending on how frequently the system layout is changed.
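
The detection and consensus steps of Sections 3.3 and 3.4, sketched as an added example in Python (not code from the paper). It assumes one univariate Gaussian per sensor instead of the paper's multivariate estimator; the sensor names, residual values, `alpha`, `interval` and `min_hits` are constructed for illustration.

```python
import math
from statistics import fmean

MIN_CLUSTER = 3  # Section 1.2: a sensor needs at least two associated sensors

# Constructed reconstruction errors (real minus predicted) on anomaly-free data.
TRAIN = {
    "oxygen":  [0.1, -0.2, 0.05, 0.15, -0.1, 0.0, -0.05, 0.2, -0.15, 0.0],
    "ammonia": [0.05, -0.1, 0.0, 0.1, -0.05, 0.05, -0.1, 0.1, -0.05, 0.0],
    "nitrate": [0.2, -0.3, 0.1, 0.2, -0.2, 0.0, -0.1, 0.3, -0.2, 0.0],
}
# Constructed run-time errors: samples 0-2 normal, 3-5 hit every sensor,
# 6-8 hit the nitrate sensor only.
LIVE = {
    "oxygen":  [0.1, -0.1, 0.0, 0.9, 1.1, 1.0, 0.05, -0.1, 0.1],
    "ammonia": [0.0, 0.05, -0.05, -0.6, -0.7, -0.8, 0.05, 0.0, -0.05],
    "nitrate": [0.1, -0.2, 0.0, 1.2, 1.4, 1.3, 1.5, 1.6, 1.4],
}


def fit_gaussian(errors):
    """Maximum-likelihood mean and variance (1/m normalisation) of the errors."""
    mu = fmean(errors)
    var = fmean([(e - mu) ** 2 for e in errors])
    return mu, max(var, 1e-12)  # guard against a zero-variance sensor


def density(e, model):
    """Gaussian density of one error value under the fitted model."""
    mu, var = model
    return math.exp(-((e - mu) ** 2) / (2 * var)) / math.sqrt(2 * math.pi * var)


def flag_points(errors, model, alpha):
    """A point is anomalous when its density falls below the threshold alpha."""
    return [density(e, model) < alpha for e in errors]


def consensus(flags, interval=3, min_hits=2):
    """Vote per time interval instead of per data point.

    A sensor votes 'anomalous' for an interval when at least min_hits of its
    points are flagged. All sensors voting means EA; a strict subset means SDA
    and the voters are the suspected sources.
    """
    sensors = sorted(flags)
    n = min(len(f) for f in flags.values())
    verdicts = []
    for start in range(0, n - interval + 1, interval):
        voters = [s for s in sensors
                  if sum(flags[s][start:start + interval]) >= min_hits]
        if not voters:
            verdicts.append(("NORMAL", []))
        elif len(sensors) < MIN_CLUSTER:
            # Too few peers to cross-check: EA and SDA are indistinguishable.
            verdicts.append(("UNRESOLVED", voters))
        elif len(voters) == len(sensors):
            verdicts.append(("EA", voters))
        else:
            verdicts.append(("SDA", voters))
    return verdicts


def run(train, live, alpha=0.05, interval=3, min_hits=2):
    """Fit on training errors, flag run-time errors, then vote per interval."""
    flags = {s: flag_points(live[s], fit_gaussian(train[s]), alpha) for s in live}
    return consensus(flags, interval, min_hits)


if __name__ == "__main__":
    for i, (label, sources) in enumerate(run(TRAIN, LIVE)):
        print(f"interval {i}: {label} {sources}")
```

Dropping a sensor from the cluster shows why the threat model requires at least three associated sensors: with only two, every anomalous interval is reported as `UNRESOLVED`.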

4 RESULTS AND EVALUATION


4.1 Fog Computing Architecture
Cloud servers are the common and potent available computation
resource in IoT systems. However, the bandwidth of network and
Figure 8: The scaled-down version of experimental setup.
data transmission become a bottleneck due to Rapid expansion of
IoT nodes and the quantity of data. As a result, fog computing has
4.2 Experimental Setup
emerged, which provides storage, computation, and application
services closer to end-user with dense geographical distribution To build and evaluate our methodology, we implement an IoT
[29]. In the fog architecture (Figure 7), the bottom layer comprises a testbed in our laboratory. Our experimental setup consists of an
heterogeneous network of edge nodes with limited resources. The Ad-Hoc network of multi-modality IoT sensors, a Software-Defined
fog nodes in the middle layer collect and process the data from edge Radio (SDR) connected to an edge computing device, a gateway,
devices and communicate to the cloud via the internet. and a laptop as fog node . For this particular research, we have used
Our methodology is fog-empowered, and the developed model 62 sensors which measure 13 different physical parameters (see
for our target IoT system is implemented on a fog node. For the Table 1). The acoustic sensor is a wide range microphone with two
IoT systems with a high density of devices and a massive volume right and left channels that captures the sound of the space and its
of data, our method is scalable, and it still supports fog computing. output is amplified and recorded by the handy recorder ZOOM-H6.
Basically, the LSTM encoder-decoder networks are responsible for The raspberry pi board, which is directly connected to ZOOM-H6,
most of the computation in our method. Thus, instead of training an collects its data and transmits it over the Internet and this part of
extensive network for the whole system, we construct a small net- the system simulates devices such as Google Home or Alexa. The
work for each cluster of associated sensors that can be distributed other sensors are on the low-power embedded boards operated by
between fog nodes. Furthermore, we perform several optimizations TinyOS which are equipped with a wireless communication module
to meet resource constraints. In the sensor association, we use the based on IEEE 802.15.4 standard. We have implemented the IEEE
binary fingerprint instead of time-series signals, which lowers stor- 802.15.4 standard in the SDR device (USRP-B210) and created a
age usage and complicity. The sliding window technique in LSTM
network contributes to reducing storage usage as well. Table 1: List of sensors in our experimental setup.
Sensor Sensor board # of sensors
Temperature MTS-CM5000 12
Cloud

Humidity MTS-CM5000 12
Visible light MTS-CM5000 12
Infrared light MTS-CM5000 12
Force and load MTS-CO1000 2
Tilt MTS-CO1000 2
Fog

Accelerometer MTS-CO1000 2
Presence detector MTS-SE1000 2
Magnetic MTS-SE1000 1
CO_2 MTS-AR1000 1
Edge

CO MTS-AR1000 1
Dust MTS-SH3000 1
Acoustic ZOOM-H6 2

Figure 7: Fog computing hierarchy in IoT systems.


Table 2: Comparison with the state-of-art methods
wireless network of sensors in which SDR collects the sensor’s data Base Context 𝐹 0.5 𝐹1
Method Precision Recall
Model Aware score score
and send commands to them. SDR is connected to an edge comput-
IoT-CAD LSTM Yes %92 %56 %81 %70
ing device, a raspberry pi board, which works as a base station and [31] LSTM No %64 %44 %58 %52
gathers all data. The base station contains a Wi-Fi module and links [28] Conv LSTM No %51 %95 %56 %66
the local network of IoT devices to the Internet through a router. [30] One Class SVM No %89 %25 %60 %39
It provides the system with the capability to be monitored in any
device which is connected to the internet by looking up the base indicate that this strategy is capable of finding relations between
station and logging using the password. The algorithms and anom- sensors with similar contextual variations, further confirmed by
aly detection model are implemented on a Laptop with 8Gb DDR4 the anomaly detection results in the next section.
RAM, and the Intel(R)Core(TM) i5-6300HQ 2.3GHz processor which 4.3.2 Anomaly Detection Evaluation. The anomaly detection
receives the data from base station and do the computations as a model is unsupervised and it is trained only on the normal data
fog node in the IoT system. A powerful router such as Qotom Mini and evaluated using a validation dataset with synthetic anomalies.
PC Q500G6 has similar capabilities and is capable of running the To analyze the results, True Positives (TP), False Positives (FP),
model at the gateway level. Figure 8 demonstrates the components and False Negatives (FN ) are counted in the results to compute the
of our experimental setup and their connections. validation scores. Although the most intuitive performance measure
4.3 Evaluation is accuracy, which is the ratio of correctly predicted observation
to the observations, it is not appropriate for unbalanced datasets
We evaluate our methodology using the data collected by the sensor such as anomaly detection where one category representing the
layout of Section 4.2. overwhelming majority of the data points. Therefore, we use the
4.3.1 Sensor Association Evaluation. One of the contributions Precision(P), Recall(R) and 𝐹 𝛽 𝑠𝑐𝑜𝑟𝑒 as performance metrics.
of our clustering algorithm is the capability to automatically tune
𝑇𝑃 𝑇𝑃 𝑃 × 𝑅 × (1 + 𝛽 2 )
the number of clusters and remove the ones which lack a sufficient 𝑃= ,𝑅 = , 𝐹 𝛽 𝑠𝑐𝑜𝑟𝑒 =
𝑇𝑃 + 𝐹𝑃 𝑇𝑃 + 𝐹𝑁 𝛽2 × 𝑃 + 𝑅
number of sensors or have sensors that are far apart regarding the
Hamming distance between their fingerprints. Initially, we set the number of clusters to 20 in our system under test, and the algorithm reduces the number to 6. To assess the performance of the sensor association method, inter-cluster and intra-cluster distances are calculated for all clusters and plotted in Figure 9. The notable difference between the inter-cluster distance and the intra-cluster distance indicates that related sensors are clustered together and that the clusters are well separated from each other.

Another validation method used is physical intuition, which explains the relationships among the associated sensors. For example, co-located sensors experience a similar context. Therefore, they are expected to be associated with each other. This intuition supports the result of our algorithm, in which co-located humidity, temperature, and light sensors are clustered together, as shown in Figure 11. Another intuition is that any physical process may have multi-modal emissions, and the sensors that capture the emissions of one incident should be clustered together. This explains the clustering of the PIR, vibration (accelerometer and force), magnetic door switch, and acoustic sensors, since they all capture the event of entrance through the door. These observations

Recall expresses the ability to find all anomalous observations in a dataset, while precision expresses the proportion of the observations our model labels as anomalous that actually are anomalous. The $F_{\beta}$ score is the weighted average of precision and recall, which gives a better intuition about both key capabilities of the model. We implement the current state-of-the-art methods for anomaly detection in time-series data. Because of the importance of precision, the $F_{0.5}$ score, which favors precision over recall, is calculated for evaluation in addition to the $F_{1}$ score. According to the results in Table 2, our methodology has the best performance, with the highest $F$ scores and precision.

4.4 Robustness

We evaluate the robustness of our methodology by adding three different types of noise signals (pink, Gaussian, and uniform) to the sensor measurements and observing the performance of the model. As Figure 10 indicates, although the precision of anomaly detection decreases as the noise power increases in all models, our model is more resilient to noise and maintains high precision.
Figure 9: The inter-cluster and intra-cluster distances of sensor clusters. (y-axis: Distance; x-axis: Cluster1 to Cluster6 and all clusters; series: inter-cluster distance, intra-cluster distance.)

Figure 10: Evaluating the resilience of different models to pink, Gaussian, and uniform noise signals. (y-axis: Precision of anomaly detection (%); x-axis: Noise energy (Watt/Hz); series: LSTM, ConvLSTM, and IoT-CAD, each under Gaussian, pink, and uniform noise; annotations: "Significant precision drop", "Highly sensitive to noise", "Resilient to noise".)
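The cluster-separation check behind Figure 9, written out as an added example (not the authors' code). The bit-string fingerprints are constructed, and the normalized Hamming distance, the definition of inter-cluster distance as the mean distance to sensors outside the cluster, and the `misplaced` helper are assumptions made for illustration.

```python
from itertools import combinations

# Constructed 16-window binary fingerprints (assumption); not data from the paper.
FPS = {
    "pir":           "1100110000110011",
    "door_switch":   "1100110000100011",
    "accelerometer": "1100010000110011",
    "temperature":   "1010101001010101",
    "humidity":      "1010101011010101",
    "light":         "1110101001010101",
}
CLUSTERS = {"entrance": ["pir", "door_switch", "accelerometer"],
            "ambient": ["temperature", "humidity", "light"]}

def hamming(a, b):
    """Normalized Hamming distance between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("fingerprints must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)

def mean_distance(pairs, fps):
    """Mean fingerprint distance over sensor pairs (0.0 if there are none)."""
    pairs = list(pairs)
    return sum(hamming(fps[a], fps[b]) for a, b in pairs) / len(pairs) if pairs else 0.0

def separation(clusters, fps):
    """Per cluster: (intra-cluster distance, inter-cluster distance)."""
    out = {}
    for name, members in clusters.items():
        others = [s for n, m in clusters.items() if n != name for s in m]
        intra = mean_distance(combinations(members, 2), fps)
        inter = mean_distance(((a, b) for a in members for b in others), fps)
        out[name] = (intra, inter)
    return out

def misplaced(clusters, fps):
    """Sensors that sit closer to another cluster than to their own (hypothetical check)."""
    flagged = []
    for name, members in clusters.items():
        for s in members:
            own = mean_distance(((s, o) for o in members if o != s), fps)
            for other, om in clusters.items():
                if other != name and mean_distance(((s, o) for o in om), fps) < own:
                    flagged.append((s, name, other))
    return flagged
```

A sensor that `misplaced` reports after a previously clean clustering is a candidate for a fault or tampering review, since its fingerprint no longer follows the context its neighbours observe.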
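A robustness harness in the spirit of Section 4.4, added here as an example (not the authors' code): it injects pink, Gaussian and uniform noise at equal power into a constructed trace and reports precision, with recall and the F-beta score available from `scores`. The threshold detector standing in for the evaluated models, the Voss-McCartney pink-noise approximation, and reading "noise power" as mean square are assumptions.

```python
import math
import random

# Constructed trace (not the paper's data): flat baseline, spike of 5.0 every 40 samples.
LABELS = [i % 40 == 20 for i in range(400)]
SIGNAL = [5.0 if is_anomaly else 0.0 for is_anomaly in LABELS]

def gaussian(n, rng):
    return [rng.gauss(0.0, 1.0) for _ in range(n)]
def uniform(n, rng):
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]

def pink(n, rng, rows=8):
    """Voss-McCartney approximation of 1/f noise: row r is redrawn every 2**r samples."""
    vals, out = [0.0] * rows, []
    for i in range(n):
        for r in range(rows):
            if i % (1 << r) == 0:
                vals[r] = rng.uniform(-1.0, 1.0)
        out.append(sum(vals))
    return out

def scale_to_power(noise, power):
    """Centre the noise and rescale it so its mean square equals `power`."""
    mean = sum(noise) / len(noise)
    centred = [x - mean for x in noise]
    rms = math.sqrt(sum(x * x for x in centred) / len(centred))
    return [x * math.sqrt(power) / rms for x in centred]

def scores(preds, labels, beta=0.5):
    """Return (precision, recall, F_beta) for boolean predictions and labels."""
    tp = sum(p and l for p, l in zip(preds, labels))
    fp = sum(p and not l for p, l in zip(preds, labels))
    fn = sum(l and not p for p, l in zip(preds, labels))
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f = (1 + beta**2) * prec * rec / (beta**2 * prec + rec) if prec + rec else 0.0
    return prec, rec, f

def sweep(signal, labels, powers, threshold=3.0, seed=7):
    """Precision of a stand-in threshold detector per (noise type, noise power)."""
    result = {}
    for name, gen in (("pink", pink), ("gaussian", gaussian), ("uniform", uniform)):
        for power in powers:
            noise = scale_to_power(gen(len(signal), random.Random(seed)), power)
            preds = [abs(s + n) > threshold for s, n in zip(signal, noise)]
            result[(name, power)] = scores(preds, labels)[0]
    return result
```

Scaling every noise type to the same mean square is what makes the per-type precision curves comparable; without it, differences between pink, Gaussian and uniform noise would partly reflect amplitude rather than spectrum.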
REFERENCES [23] Tao Lin, Tian Guo, and Karl Aberer. 2017. Hybrid Neural Networks for Learning
[1] M. M. Ahemd, M. A. Shah, and A. Wahid. 2017. IoT security: A layered ap- the Trend in Time Series. (2017), 2273–2279. https://doi.org/10.24963/ijcai.2017/
proach for attacks amp; defenses. In 2017 International Conference on Commu- 316
nication Technologies (ComTech). 104–110. https://doi.org/10.1109/COMTECH. [24] Wei-Chao Lin, Shih-Wen Ke, and Chih-Fong Tsai. 2015. CANN: An intrusion
2017.8065757 detection system based on combining cluster centers and nearest neighbors.
[2] Unai Alegre, Juan Carlos Augusto, and Tony Clark. 2016. Engineering context- Knowledge-based systems 78 (2015), 13–21.
aware systems and applications: A survey. Journal of Systems and Software 117 [25] Y. Liu, H. Zheng, X. Feng, and Z. Chen. 2017. Short-term traffic flow prediction
(2016), 55–83. with Conv-LSTM. In 2017 9th International Conference on Wireless Communi-
[3] D. Altolini, V. Lakkundi, N. Bui, C. Tapparello, and M. Rossi. 2013. Low power cations and Signal Processing (WCSP). 1–6. https://doi.org/10.1109/WCSP.2017.
link layer security for IoT: Implementation and performance analysis. In 2013 8171119
9th International Wireless Communications and Mobile Computing Conference [26] Barthélémy Longueville, Mickaël Gardoni, et al. 2003. A survey of context
(IWCMC). 919–925. https://doi.org/10.1109/IWCMC.2013.6583680 modeling: approaches, theories and use for engineering design researches. In
[4] Anomadarshi Barua and Mohammad Al Faruque. 2020. Hall Spoofing: A Non- DS 31: Proceedings of ICED 03, the 14th International Conference on Engineering
Invasive DoS Attack on Grid-Tied Solar Inverter. 29th Usenix Security (2020). Design, Stockholm. 437–438.
[5] Ferdinand Brasser, Brahim El Mahjoub, Ahmad-Reza Sadeghi, Christian Wachs- [27] YANG Zhihong TU Mengfu LU Jinjun LU Jixiang, ZHANG Qipei and PENG Hui.
mann, and Patrick Koeberl. 2015. TyTAN: tiny trust anchor for tiny devices. In 2019. Short-term Load Forecasting Method Based on CNN-LSTM Hybrid Neural
2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC). IEEE, 1–6. Network Model. AEPS 43, 8 (2019), 131. https://doi.org/10.7500/AEPS20181012004
[6] Markus M Breunig, Hans-Peter Kriegel, Raymond T Ng, and Jörg Sander. 2000. [28] W. Luo, W. Liu, and S. Gao. 2017. Remembering history with convolutional LSTM
LOF: identifying density-based local outliers. In ACM sigmod record, Vol. 29. ACM, for anomaly detection. In 2017 IEEE International Conference on Multimedia and
93–104. Expo (ICME). 439–444. https://doi.org/10.1109/ICME.2017.8019325
[7] Sucheta Chauhan and Lovekesh Vig. 2015. Anomaly detection in ECG time [29] Lingjuan Lyu, Jiong Jin, Sutharshan Rajasegarar, Xuanli He, and Marimuthu
signals via deep long short-term memory networks. In 2015 IEEE International Palaniswami. 2017. Fog-empowered anomaly detection in IoT using hyperellip-
Conference on Data Science and Advanced Analytics (DSAA). IEEE, 1–7. soidal clustering. Internet of Things Journal (2017).
[8] Hsin Chung Chen, Mohammad Abdullah Al Faruque, and Pai H Chou. 2016. [30] Junshui Ma and Simon Perkins. 2003. Time-series novelty detection using one-
Security and privacy challenges in IoT-based machine-to-machine collaborative class support vector machines. In International Joint Conference on Neural Net-
scenarios. In Proceedings of the Eleventh IEEE/ACM/IFIP International Conference works.
on Hardware/Software Codesign and System Synthesis. [31] Pankaj Malhotra, Anusha Ramakrishnan, Gaurangi Anand, Lovekesh Vig, Puneet
[9] Sujit Rokka Chhetri, Sina Faezi, Arquimedes Canedo, and Mohammad Abdul- Agarwal, and Gautam Shroff. 2016. LSTM-based encoder-decoder for multi-sensor
lah Al Faruque. 2019. QUILT: quality inference from living digital twins in anomaly detection. arXiv preprint arXiv:1607.00148 (2016).
IoT-enabled manufacturing systems. In Proceedings of the International Confer- [32] Pankaj Malhotra, Vishnu TV, Anusha Ramakrishnan, Gaurangi Anand, Lovekesh
ence on Internet of Things Design and Implementation. ACM, 237–248. Vig, Puneet Agarwal, and Gautam Shroff. 2016. Multi-Sensor Prognos-
[10] Sujit Rokka Chhetri, Nafiul Rashid, Sina Faezi, and Mohammad Abdullah tics using an Unsupervised Health Index based on LSTM Encoder-Decoder.
Al Faruque. 2017. Security trends and advances in manufacturing systems in arXiv:1608.06154 [cs.LG]
the era of industry 4.0. In IEEE/ACM International Conference on Computer-Aided [33] Pankaj Malhotra, Lovekesh Vig, Gautam Shroff, and Puneet Agarwal. 2015. Long
Design (ICCAD). short term memory networks for anomaly detection in time series. In Proceedings.
[11] Andrew Cook, Göksel Mısırlı, and Zhong Fan. 2019. Anomaly Detection for IoT Presses universitaires de Louvain, 89.
Time-Series Data: A Survey. Internet of Things Journal (2019). [34] Jonathan M McCune, Yanlin Li, Ning Qu, Zongwei Zhou, Anupam Datta, Vir-
[12] Sina Faezi, Sujit Rokka Chhetri, Arnav Vaibhav Malawade, John Charles Chaput, gil Gligor, and Adrian Perrig. 2010. TrustVisor: Efficient TCB reduction and
William H Grover, Philip Brisk, and Mohammad Abdullah Al Faruque. 2019. Oligo- attestation. In 2010 IEEE Symposium on Security and Privacy. IEEE, 143–158.
Snoop: A Non-Invasive Side Channel Attack Against DNA Synthesis Machines.. [35] Markus Miettinen, N Asokan, Thien Duc Nguyen, Ahmad-Reza Sadeghi, and
In NDSS. Majid Sobhani. 2014. Context-based zero-interaction pairing and key evolution
[13] Pavel Filonov, Andrey Lavrentyev, and Artem Vorontsov. 2016. Multivariate for advanced personal devices. In Proceedings of the 2014 ACM SIGSAC Conference
Industrial Time Series with Cyber-Attack Simulation: Fault Detection Using an on Computer and Communications Security. ACM, 880–891.
LSTM-based Predictive Data Model. arXiv:1612.06676 [cs.LG] [36] Markus Miettinen, Thien Duc Nguyen, Ahmad-Reza Sadeghi, and N Asokan. 2018.
[14] Federico Giannoni, Marco Mancini, and Federico Marinelli. 2018. Anomaly Revisiting context-based authentication in IoT. In 2018 55th ACM/ESDA/IEEE
Detection Models for IoT Time Series Data. arXiv (2018). Design Automation Conference (DAC). IEEE, 1–6.
[15] B. Halak, M. Zwolinski, and M. S. Mispan. 2016. Overview of PUF-based hardware [37] Yao Qin, Dongjin Song, Haifeng Chen, Wei Cheng, Guofei Jiang, and Garrison
security solutions for the internet of things. In 2016 IEEE 59th International Cottrell. 2017. A Dual-Stage Attention-Based Recurrent Neural Network for
Midwest Symposium on Circuits and Systems (MWSCAS). 1–4. https://doi.org/10. Time Series Prediction. arXiv:1704.02971 [cs.LG]
1109/MWSCAS.2016.7870046 [38] Shahid Raza, Linus Wallgren, and Thiemo Voigt. 2013. SVELTE: Real-time intru-
[16] Jun Han, Albert Jin Chung, Manal Kumar Sinha, Madhumitha Harishankar, Shijia sion detection in the Internet of Things. Ad hoc networks 11, 8 (2013), 2661–2674.
Pan, Hae Young Noh, Pei Zhang, and Patrick Tague. 2018. Do you feel what I [39] H. Sedjelmaci, S. M. Senouci, and M. Al-Bahri. 2016. A lightweight anomaly
hear? Enabling autonomous IoT device pairing using different sensor types. In detection technique for low-resource IoT devices: A game-theoretic methodology.
2018 IEEE Symposium on Security and Privacy (SP). IEEE, 836–852. In 2016 IEEE International Conference on Communications (ICC). 1–6. https:
[17] Mee Lan Han, Jin Lee, Ah Reum Kang, Sungwook Kang, Jung Kyu Park, and //doi.org/10.1109/ICC.2016.7510811
Huy Kang Kim. 2015. A Statistical-Based Anomaly Detection Method for Con- [40] Arvind Seshadri, Mark Luk, and Adrian Perrig. 2008. SAKE: Software Attestation
nected Cars in Internet of Things Environment. In Internet of Vehicles - Safe and for Key Establishment in Sensor Networks. In Distributed Computing in Sensor
Intelligent Mobility, Ching-Hsien Hsu, Feng Xia, Xingang Liu, and Shangguang Systems, Sotiris E. Nikoletseas, Bogdan S. Chlebus, David B. Johnson, and Bhaskar
Wang (Eds.). Springer International Publishing, Cham, 89–97. Krishnamachari (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 372–385.
[18] Zengyou He, Xiaofei Xu, and Shengchun Deng. 2003. Discovering cluster-based [41] Arvind Seshadri, Mark Luk, Adrian Perrig, Leendert van Doorn, and Pradeep K.
local outliers. Pattern Recognition Letters 24, 9-10 (2003), 1641–1650. Khosla. 2006. SCUBA: Secure Code Update By Attestation in sensor networks. In
[19] Sepp Hochreiter and Jürgen Schmidhuber. 1997. Long short-term memory. Neural Workshop on Wireless Security.
computation 9, 8 (1997), 1735–1780. [42] Jiang Wan, Anthony Lopez, and Mohammad Abdullah Al Faruque. 2018. Physical
[20] E. Hodo, X. Bellekens, A. Hamilton, P. Dubouilh, E. Iorkyase, C. Tachtatzis, layer key generation: Securing wireless communication in automotive cyber-
and R. Atkinson. 2016. Threat analysis of IoT networks using artificial neural physical systems. ACM Transactions on Cyber-Physical Systems 3, 2 (2018), 13.
network intrusion detection system. In 2016 International Symposium on Networks, [43] Yuankai Wu and Huachun Tan. 2016. Short-term traffic flow forecast-
Computers and Communications (ISNCC). 1–6. https://doi.org/10.1109/ISNCC. ing with spatial-temporal correlation in a hybrid deep learning framework.
2016.7746067 arXiv:1612.01022 [cs.CV]
[21] C. Lesjak, H. Bock, D. Hein, and M. Maritsch. 2016. Hardware-secured and [44] Haiyang Yu, Zhihai Wu, Shuqin Wang, Yunpeng Wang, and Xiaolei Ma. 2017.
transparent multi-stakeholder data exchange for industrial IoT. In 2016 IEEE Spatiotemporal Recurrent Convolutional Networks for Traffic Prediction in Trans-
14th International Conference on Industrial Informatics (INDIN). 706–713. https: portation Networks. Sensors 17, 7 (2017). https://doi.org/10.3390/s17071501
//doi.org/10.1109/INDIN.2016.7819251 [45] K. Zhao and L. Ge. 2013. A Survey on the Internet of Things Security. In 2013
[22] Christian Lesjak, Norbert Druml, Rainer Matischek, Thomas Ruprechter, and Ninth International Conference on Computational Intelligence and Security. 663–
Gerald Holweg. 2016. Security in industrial IoT – quo vadis? e & i Elektrotechnik 667. https://doi.org/10.1109/CIS.2013.145
und Informationstechnik 133, 7 (01 Nov 2016), 324–329. https://doi.org/10.1007/ [46] Z. Zhao, W. Chen, X. Wu, P. C. Y. Chen, and J. Liu. 2017. LSTM network: a deep
s00502-016-0428-4 learning approach for short-term traffic forecast. IET Intelligent Transport Systems
11, 2 (2017), 68–75. https://doi.org/10.1049/iet-its.2016.0208

You might also like