Smart-home anomaly detection using combination of in-home situation and user behavior

by   Masaaki Yamauchi, et al.

Internet-of-things (IoT) devices are vulnerable to malicious operations by attackers, which can cause physical and economic harm to users; therefore, we previously proposed a sequence-based method that modeled user behavior as sequences of in-home events and a base home state to detect anomalous operations. However, that method modeled users' home states based on the time of day; hence, attackers could exploit the system to maximize attack opportunities. Therefore, we then proposed an estimation-based detection method that estimated the home state using not only the time of day but also the observable values of home IoT sensors and devices. However, it ignored short-term operational behaviors. Consequently, in the present work, we propose a behavior-modeling method that combines home state estimation and event sequences of IoT devices within the home to enable a detailed understanding of long- and short-term user behavior. We compared the proposed model to our previous methods using data collected from real homes. Compared with the estimation-based method, the proposed method achieved a 15.4 ratio with fewer than 10 method, the proposed method achieved a 46.0 than 10



There are no comments yet.


page 2

page 3

page 4

page 6

page 7

page 8

page 9

page 10


Intrusion Detection System in Smart Home Network Using Bidirectional LSTM and Convolutional Neural Networks Hybrid Model

Internet of Things (IoT) allowed smart homes to improve the quality and ...

The House That Knows You: User Authentication Based on IoT Data

Home-based Internet of Things (IoT) devices have gained in popularity an...

Effective Anomaly Detection in Smart Home by Integrating Event Time Intervals

Smart home IoT systems and devices are susceptible to attacks and malfun...

Detecting Anomalous User Behavior in Remote Patient Monitoring

The growth in Remote Patient Monitoring (RPM) services using wearable an...

Anomalous Communications Detection in IoT Networks Using Sparse Autoencoders

Nowadays, IoT devices have been widely deployed for enabling various sma...

IoTC2: A Formal Method Approach for Detecting Conflicts in Large Scale IoT Systems

Internet of Things (IoT) has become a common paradigm for different doma...

An Efficient SDN Architecture for Smart Home Security Accelerated by FPGA

With the rise in Internet of Things (IoT) devices, home network manageme...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Smart homes with multiple internet-connected home appliances have become widespread as part of the internet of things (IoT). More than 12 billion IoT devices were deployed in 2020, and it is estimated that the number of IoT appliances now surpasses the number of non-IoT versions [1]. Users can connect to their IoT devices (e.g., washing machines, home sensors, and cooking stoves) via smartphones and smartwatches. The growth of this trend is expected to continue indefinitely [1].

However, with this growth, the risk of cyberattacks targeting home IoT devices increases [2]. A major type of cyberattack on home IoT devices is the distributed denial-of-service attack, which affects multiple IoT devices simultaneously based on the devices’ inherent vulnerabilities [3, 4]. Fortunately, countermeasures exist [5, 6, 7].

Notably, it is very difficult to maintain the boundary security of IoT devices [8] because they employ many different communication protocols and connect to many different platforms. Moreover, proper boundary security would be exceedingly expensive [9]. Therefore, anomaly detection systems that comprehensively monitor a smart home or a smart factory to detect abnormal (out-of-the-ordinary) IoT behaviors (e.g., signals, operating status, and error reporting) [10, 11, 12]

are needed. For example, Sivanathan et al. proposed a monitoring system that analyzed legitimate behaviors of IoT devices by classifying their traffic flows 

[10]. Distributed denial-of-service attacks on smart homes have been detected by comparing suspicious traffic with usual behaviors based on home occupancy [11, 12].

Notably, cyberattacks on IoT devices create significant additional human risks [13]. In particular, attacks that take control of home IoT devices are considered dangerous not only in cyberspace but also in the physical world. For example, simultaneous attacks on high-power IoT devices can suddenly increase energy demands and lead to power outages [14]. As a discrete example, it has also been shown that in-home IoT televisions can be hijacked from the internet [15]; similar attacks have been shown to affect smart phones and smart watches [16].

To address attacks on home IoT devices leading to anomalous operations, we previously proposed a detection method [17] that modeled the behavior of users from sequences of events in their homes to assess normal behaviors. This sequence-based method trained its model by storing event sequences based on the time of day so that deviations from operations could be detected. However, this sequence-based method was too simplistic, and the home state was not studied in detail; hence, it was noted that an attacker could optimize attacks by studying the time-of-day behaviors.

Subsequently, we proposed another anomaly detection method [18]

that modeled home states by estimating the sensed values and operating statuses of IoT devices. That estimation-based method calculated the operating probability of the IoT device and assessed anomalies based on a baseline threshold. The estimation-based method achieved a better detection accuracy than a method to detect anomalous operation based on only the time of day information. As the estimation was based on the current home situation, it was difficult for attackers to exploit the system because they could not easily estimate the timing when an attack would be likely to succeed. However, this estimation-based method could not grasp user activities in detail over short periods.

Therefore, in this study, we propose a detection method that models user behavior by combining state estimation and behavior sequences of in-home activities performed over short periods. Hence, our sequence-based method can grasp the short-term activities of users in detail, whereas the estimation-based method grasps the long-term transitions of the home state. The proposed method stores the sequences in the estimated home states. Then, the proposed method calculates the occurrence probabilities of sequences, including detection target operations, and it detects anomalous operations when the probability is lower than a threshold value.

We simulated the proposed method and compared the results to those of the previous sequence-based and estimation-based methods using datasets of behaviors and sensor values collected from real homes.

The remainder of this article is organized as follows. We describe anomaly detection methods for operations of home IoT devices in Section 2. The proposed method, including the estimation of the in-home situation, storage of behavior sequences, and their combinations, is described in Section 3. Then, we report on the evaluation of the proposed method and the corresponding results in Section 4. Finally, we conclude the paper and discuss possible avenues for future research in Section 5.

2 Related Works

Here, we explain detection methods of anomalous operations that learn user behaviors based on their usage of home IoT devices.

Ramapatruni et al. proposed a method to detect anomalous operations. Their method used hidden Markov modeling (HMM) to learn a single user’s normal activities. HMM parameters were then trained with information obtained from IoT sensors. Then, the trained HMM detected anomalous operations when the probability of that operation occurring was lower than a baseline threshold. The accuracy of this method was demonstrated using a dataset collected from a smart-home environment. The authors collected detailed activity information on the user entering and leaving the home and the operations of the consumer electronics therein. Additionally, IoT activities from the living room, bedroom, bathroom, and closet devices were recorded. This method learned the behaviors of a single user in detail. However, the method could not be applied to a home containing multiple users 

[19]; it was examined in our previous work [17]. It is difficult to deploy this method in real homes because most involve multiple users, which greatly increases the difficulty. In contrast, our proposed method models the situation while focusing on the states of the home instead of the states of the user. Furthermore, the proposed method uses information that can be easily collected from commercially available IoT sensors and home gateways. Therefore, our proposed method can be applied to real home environments.

We previously proposed a method to detect anomalous operations even in cases of multiple users by utilizing their sequence of behaviors [17]. This sequence-based method detected anomalous operations at the home gateway, which was connected to all home IoT devices, sensors, and smartphones. The home gateway collected two types of information: the state information of the operations of devices (e.g., time of day, room temperature, and humidity) and the presence or absence of users in the home based on the statuses of their smartphones. The home gateway subsequently classified the states of the home by constructing a table of sensed values, storing the sequences of operations of IoT devices and data on the entry and exit of users in each cell. Finally, the home gateway judged whether legitimate or anomalous operations occurred by comparing sequences of current operations to the stored sequences of the current state. This sequence-based method handled cases of multiple users by constructing their sequences from the monitored operations. However, the sequence-based method used only the time-of-day information in the table to classify the states. Therefore, an attacker could estimate the optimal attack times based on the time of day. Owing to the large impact of sequence information utilization, the sequence-based method achieved high accuracy. However, the detailed analysis of state learning was deficient.

Hence, we proposed another anomaly detection method that estimated the states of a home based on the sensed values and operating statuses of IoT devices. This estimation-based method calculated the operating probability of each state and detected anomalies when the probability was low. The study compared this estimation-based method to one that used only time-of-day information, confirming that the estimation-based method was more accurate [18]. Therefore, an attacker could not exploit the system based only on time-of-day information. However, the method could not learn the short-term behavior patterns of users. Additionally, some details needed to be corrected, owing to the inadequate observed data.

In this study, we propose a more accurate detection method that combines the estimation- and sequence-based methods. The proposed method determines the current state in the home via estimation and the state transitions by learning the behavior patterns of users. Furthermore, we improve the estimation-based method [18] to achieve higher accuracy by fixing details and correcting the observed data.

3 Anomaly Detection Method based on In-home Situation and Behavior Sequence

We propose a new model that learns the behaviors of IoT users in a home to detect anomalous device operations as a safeguard against cyberattacks. The model learns sequences of user behaviors alongside corresponding states of the home. When an operation does not match the trained model, the model flags the operation as anomalous.

3.1 Models used for detection

The proposed method estimates home states and stores behavior sequences collected over time. First, it defines a timeslot scheme and updates the home status in each slot throughout the day. During training, the model calculates the state transition probability, , and the operation probability, , using the labeled home state as the training data. The method then estimates the home state by calculating the state probability of the training data using and . Following the calculation, the operation sequences of the home IoT devices are stored according to the estimated home state. High-probability sequences are considered legitimate behaviors. The overview of the learning model is described in Fig. 1. After storing the sequence, the proposed method calculates the probability of each behavior sequence that occurs in real time.

Figure 1: Overview of the training model of the proposed method. According to the estimated home state “State ”, a cooking stove is used after opening a refrigerator.

Next, we describe the components of the proposed model.

3.1.1 State of the home

The proposed method labels and estimates the current home state, , which is combined with the activity states of the users, , and the usage states of the devices, , obtained using the sensor values of IoT operations.

The activity state of users, , reflects the situation of users in the home (e.g., all users are away, at least one user is home and active, or all users are sleeping). Variable is thus defined several ways according to the home environment and the number and attributes of users. For example, “active,” “out,” “sleeping,” etc. can be considered; thus, we can set as .

There are four types of usage states, , related to how home IoT devices are used. The state prior to use is before, the state after use is after, the state during use is use, and others are none. Thus, the device state, , is defined as .

Furthermore, the proposed method calculates the state transition probability to forecast the changes in the home state over time. Because user behaviors differ greatly during day and night, the state transition probability, , in the home varies depending on the time of day. Therefore, in our model, the state transition probabilities are defined for each timeslot of the day. The transition probability from state to state in the -th timeslot of each day is defined by Equation (1), where is the state in the -th timeslot.


Additionally, the proposed method calculates the operation probability, , to reflect the activity of the users to the home states as devices are operated. The operation probability  differs for each state  and for each operation . Therefore, in this model, the operation probabilities are defined for each state. The operation probability  of the operation  in state  is defined by the following Equation (2):


3.1.2 Sequence of events in the home

The event sequences in the home are stored and used for detection. The information is obtained from the home network via IoT operation packets, including information of the connection and disconnection of smartphones.

As with the sequence-based method, an event sequence is defined as a series of events performed within  s, where is a parameter determining whether or not events are considered as a sequence. We consider actions A and B to be a series if they satisfy Equation (3), where and are the times when actions A and B are performed and is a function that obtains differences in seconds between and .


Furthermore, after storing the sequences in the estimated states, the proposed method calculates the behavior sequence probability  for detection. When the proposed method identifies an event sequence including the operations of the detection target device, the probability of occurrence of sequences is calculated by multiplying the state probabilities by the behavior sequence probability . The behavior sequence probability  in state  of the sequences  is defined by Equation (4).


where means that the estimated state is .

3.2 Training the model

The proposed method trains the model using data collected from the home divided into timeslots. We assign the observed values and labels of the home states  to the timeslots. Then, the proposed method calculates the state transition probability, , according to the labeled states, . The proposed method also calculates the operation probability  that the device is operated in each state. Next, the proposed method calculates the state probability  with and . The proposed method generates multiple sequences assuming that the homes have multiple users. Based on the calculated state probability  and the generated sequences, event sequences are stored for each estimated home state. Then, the proposed method calculates the operation probability  in each estimated state. The rest of this subsection explains the details.

3.2.1 Labeling the training dataset

To create the training data, we divided the observed data into multiple parts using timeslots and labeled the states accordingly. The state  is set by combining the activity state of the users  and the usage state of the device  as defined.

The state of the users  is set using IoT sensor data according to predefined rules. Because these rules vary depending on the target device, the type of IoT sensors, and the number of users, we set the labeling rule according to the scenario.

The device state  is determined based on the time the target device is operated. As shown in Fig. 2, we define the four states of the target device  as follows. use indicates that the device is in use, and before indicates that the device will be used within timeslots. Similarly, after indicates that the device has been used within timeslots, while none denotes other states. Variables and are parameters.

Figure 2: Labeling rule of device state , where is and is .

Furthermore, to change the state for each device operation, we update them as observed. An example of the learning data is described in Table 1.

Date information Observed information Labeled states
ID Date -th timeslot of the day CO2 Noise Operation Users Device Home
/-th timeslot of the data
4350 2020/1/3 23:56:00 1438/4318 34 1520 active none
4351 2020/1/3 23:57:00 1439/4319 34 1520 active before
4352 2020/1/3 23:58:00 1440/4320 34 1520 active before
4353 2020/1/3 23:58:20 1440/4320 34 1520 Refrigerator_Open active before
4354 2020/1/3 23:58:35 1440/4320 34 1520 Cooking oven_On active using
4355 2020/1/3 23:59:00 1/4321 34 1520 active after
4356 2020/1/4 00:00:00 2/4322 41 1480 sleep none
Table 1: Learning data samples include the observed information, the labeled states, and variable characters. The labels change even in the same timeslot according to the operations of the devices. In this table, we set the length of the timeslot to 1 min. As a sample rule for the state of users , we set sleep when the CO2 value is higher than and the noise value is lower than . As a sample rule of the device state , we set as and as .

3.2.2 Calculating state transition probability and the operation probability

Based on the labeled home states for changing timeslots, we calculate state transition probabilities  from state  to state  at the -th timeslot during the day. This is used to calculate the probability  that the home state  is in timeslot . Although the time of the state transition varies daily, similar state transitions occur in similar timeslots. Therefore, is calculated by Equation (5) by considering the data from the -th timeslot to the -th timeslot of each day.


The variable  represents the number of timeslots in the training data at the -th timeslot of the day, the state of which is labeled as . denotes the number of similar timeslots around the target. Parameter  has a different value for each ; thus, we set the minimum value that satisfies for all states . Even if is not satisfied for all states , where is the maximum value for , we set as .

We next explain how to calculate the operation probability  which is used to correct the state probability . Operation probability  denotes the probability of the number of the operations  of the IoT device in state . is calculated using Equation (6):


Note that represents the number of occurrences of operation  in the state  in the  th timeslot of the day. If there are no operations  in the training data, is set to for all states  to avoid incorrect transitions.

3.2.3 Calculating state probability

The proposed method calculates the state probability  for each timeslot of the training data by the calculated and . Then, the proposed method stores the sequences of home events using the training data by the estimated home states because the proposed method stores sequences not only in the current home state but also in similar states. To determine the similar states, we use the calculated state probability. By storing sequences in the states that satisfy the conditional probability expression, we can store sequences in the similar states.

When the timeslot changes, the state transitions from the state of the previous timeslot using the learned state transition probability, . First, the proposed method calculates , the probability of state  when the timeslot is changed to , using the learned state transition probability .


Variable is a function that returns the corresponding -th timeslot of the day with timeslot ; is a function that returns the time corresponding to timeslot , and indicates a very small time. By considering the case that, in the previous timeslot, the state probability, , is updated by using the operation probability, , Equation (7) uses the state probability at . Then, the proposed method calculates based on so that the sum of the state probabilities of each state is using Equation (8):


When we observe an operation  of a home IoT device, the proposed method updates the state probability  using the operation probability . First, the proposed method calculates  according to Equation (9).


where represents the time when the proposed method observed operation . Then, the proposed method calculates the state probability, , after the operation of the home IoT device using Equation (8).

3.2.4 Storing sequences

Based on the calculated state probability , the proposed method stores the behavior sequences to estimated states. First, we must generate the sequences based on the observed operations and the users entering and leaving. This will account for multiple users operating devices within  s of each other. When the users operate devices from their respective smartphones, we can identify correct behavior sequences by classifying those who operated which home IoT device based on the IP address of the operating smartphones. There are many cases where it is impossible to distinguish which user performs each operation. Thus, as with the sequence-based method [17], we generate multiple types of sequences from a simple series of events by removing some of them for training. For example, when actions A, B, and C are performed within  s, equations , , and are satisfied. , , and represent the times when actions A, B, and C are performed, respectively. In this example case, we generate and use all seven types of event sequences: A-only, B-only, C-only, A-B, B-C, A-C, and A-B-C. If actions A and B are performed by the same user, and action C is performed by another, the correct event sequences, A-B and C-only, are learned. However, incorrect sequences, such as A-only, B-only, A-C, B-C, and A-B-C are also stored. If sequences A-B and C-only are frequently performed by users, the correct sequences will be stored multiple times. Therefore, by using only the sequences that are greater than or equal to a given threshold, we can identify frequent behaviors.

After generating the sequences, event sequence , which is related to the operation of the detection target home IoT device, is stored for each state in which the sequences are performed. We can determine the states for which the proposed method stores the sequences from the calculated probability, , in state  at timeslot . We select either Equation  (10) or (11) and store the sequences into all states satisfying the selected one.


Note that represents the time during which sequence  occurs. Here, is a function that returns the number from the top of the state probability of of all states, such as 1st, 2nd, etc. and are the parameters. When there are no states satisfying the selected equation, the proposed method does not store the sequence.

After storing the sequences, we calculate the behavior sequence probability  in estimated state  of the sequence  for detection. We can then calculate  using Equation (12):


where is a function that returns the occurrence times of sequence  in the estimated state  from the training data, and is a function that outputs the number of timeslots of the training data estimated as state .

3.3 Detection using the learned model

After training the model, when an event sequence, , includes operations of the detection target device, the proposed method calculates the state probability  using Equations (7), (8), and (9). The proposed method calculates the probability of occurrence  of the sequence  by multiplying the state probabilities, , by the behavior sequence probability, , as described in Equation (13):


When the calculated occurrence probability, , satisfies Equation (14), the proposed method detects the operation as an anomalous operation.


Function returns the length of sequence ; the length of the sequence reflects the number of events comprising the sequence. is a parameter of the sequence constructed by  events. We set multiple thresholds for each length of the sequence because long sequences are rare.

4 Evaluation

To evaluate the proposed method, we simulated anomaly detection using data from two real homes. We evaluated the effectiveness of each part by comparing the detection results to the results of alternative methods.

In this evaluation, we chose the operations of a cooking stove as the detection target device. We prepared the proposed method according to the target device and the home environments.

4.1 Evaluation environment

Here, we describe the details of the detection simulation of the proposed and compared methods. First, we explain how the datasets were collected. Then, we set the proposed anomaly detection method suitable for each home by defining the states of the home and the labeling rules. Thereafter, we describe the metrics of the comparison and present the results.

4.1.1 Data collection in real homes

We collected data of user behaviors and observed the values of the installed home IoT sensors from two real houses, A and B111The collection experiment of data on the in-home activities of users and sensor values in real homes received approval from the Research Ethics Committee of the Graduate School of Information Science and Technology, Osaka University.. Home A had two users who operated devices, and home B had one. We used monthly data of each home as one case for the simulation, resulting in 20 cases. We describe the case using the data of home A as , , , and home B as , , , .

First, we collected the date information of events, including operations of consumer electronics and user entry/exit statuses, as shown in Table 2. Because each home included home appliances that were not connected to the internet, we collected their information by asking users to record their device use times. For the simulation, we assumed that each home appliance was an IoT appliance, and the recorded operation logs were used for the purposes described. Logs were compiled as buttons were pressed on the home appliances and when users entered and left the home. Because there were several omissions in the collected logs, we corrected them via labeling rules, as described in Section 4.1.2.

Device or event Action
User position Entry / Exit
Room light On / Off
Air conditioner Cooling / Heating / Turning up /
Turning down / Off
Electric fan On / Off
Heater On / Off
Washing machine On
Refrigerator Opening
TV On / Off
Cooking stove On / Off
Microwave On
Toaster oven On
Rice cooker On
Table 2: Collected operations and events by our experimental system deployed in real homes.

Then, we installed IoT sensors in each home and collected the sensor values shown in Table 3 in 5 min intervals.

Sensor data Range of sensor values
Room temperature 0 - 50°C
Humidity 0 - 100%
Atmosphere 260 - 1,260 mbar
CO2 0 - 5,000 ppm
Noise 30 - 130 dB
Table 3: Collected sensor data from installed IoT sensors in real homes.

4.1.2 Settings of anomaly detection method

To simulate anomaly detection for a cooking stove, we set up the state of the home and labeling rules. For this evaluation, the timeslot was assumed to be 1 min for capturing state transitions.

Setting home states

We set the usage state of the devices  based on cooking states: because cooking stoves are frequently used during cooking. State use refers to the cooking state, before and after indicate times before and after cooking, respectively, and none implies other states. Note that to grasp the cooking state exactly, we also used operations of the cooking appliances other than the cooking stove to label the states . Specifically, when the cooking stove, microwave, toaster oven, or rice cooker was operated, we set as use; the details are described in Section 4.1.2.

We set the activity state of the users as . Hence, at least one person was active, everyone in the home was out, or everyone was sleeping, respectively.

We set the home states  by combining and . However, states  and did not exist because users cannot cook while they are sleeping or out of the home. Hence, we set 10 states excluding the above for detection.

Labeling rule

Using the defined states from Section 4.1.2, we labeled each timeslot of the training data. In consideration of privacy concerns, we labeled the home states from the observed information taken from the IoT devices and sensors. In particular, because there were several omissions in the collected logs, we corrected them based on the rules.

The activity states of the users  are labeled as follows.

  • The timeslots that the home was empty were tabulated by counting the number of users in the home based on their entry and exit time information. However, when we observed an operation of a home IoT device, we changed the number of users in the home to and set the states of the timeslot after the time corresponding to the change. This is because the logs included some omissions of entries and exits. In this case, we excluded logs of the day from the calculation of and .

  • The timeslots at night containing noise values were lower than a threshold, and the CO2 concentration value was higher than a threshold; the installed IoT sensors in each home sensed the values. We defined the thresholds by the sleeping time that we asked of the subjects, including the noise and CO2 values of the sleeping time. Concretely, we defined the night from 22:00 to 9:59, the noise threshold as 35 dB, and the CO2 threshold as 1,500 ppm in home A and 400 ppm in home B. When two sleep timeslots existed within 90 min, we labeled the timeslots between the two as sleep, because the indicators were temporarily lowered during sleep. When we observed an operation in sleep states, we corrected the states to active because more than one user was awake and active. Concretely, when a user operated devices in the time frame of 22:00 to 4:59, we changed the user states to active before 5 h from the time of operation; when a user operated devices at the time from 5:00 to 9:59, we changed the user states to active after 4 h from the timeslot during which the device was operated.

  • This refers to states other than out and sleep.

Then, the usage states of device  (i.e., cooking or not) in this evaluation are labeled as follows.

  • This refers to timeslots in which a user operates a cooking appliance, including the cooking stove, microwave, toaster oven, and rice cooker. Because the cooking continues for a certain time, we set the timeslots after the operating cooking appliances as use, where the is a parameter of cooking time. We did not include the refrigerator in the cooking appliances because it is used frequently even when users are not cooking. Furthermore, when there are two use states within 15 min, we labeled the timeslots between the two as use.

  • This indicates the timeslots before use.

  • This indicates the timeslots after use.

  • This indicates states other than the use, before, and after.

We labeled the home states, , by combining the labeled states of the users  and those of the devices .

4.1.3 Metrics

We evaluated the proposed method using two metrics: detection and misdetection ratios. For the simulation, we mixed 100 anomalous operations of the cooking stove at random times during the day. Furthermore, we considered the actual operations of the home IoT devices originally included in the recorded log as legitimate operations. The detection ratio and misdetection ratio was calculated using Equation (15) and (16).


Here, TP is the number of true positives of detected anomalous operations; FN is the number of false negatives; and equals , where indicates the number of days included in the detection data.


Here, the FP is the number of false positives that are legitimate operations the methods could not determine as legitimate; the TN is the number of true negatives.

For the evaluation, we used cross-validation. First, we trained the models with data for one month excluding one day. Then, we simulated the detection of the trained model using the excluded data. By changing the excluding day and summarizing the detection results, we obtained a detection result from the monthly data.

We changed the parameter values in each combination respectively and collected the combinations of detection and misdetection ratios. We describe the detection results as figures with the misdetection ratio on the horizontal axis and the detection ratio on the vertical axis. Thus, we only plotted the results having the highest values on the vertical axis among the results that were less than or equal to the values on the horizontal axis.

Note that when the operation of the target device occurred, a decision was made based on the sequence that was generated up to and just before the operation. Hence, the operations subsequent to the target operation were not used for the detection of the target operation.

4.1.4 Compared methods

To evaluate the effectiveness of the proposed method, we compared it to the other methods. Thus, we demonstrated the improvements gained by combining the sequence information. By comparing with the sequence-based method, we confirmed the effectiveness of estimation of the in-home situation. The differences between the proposed method and the compared methods are described in Table 4.

Method State Sequence
Proposed Estimating situation
Estimation-based [18] Estimating situation
Sequence-based [17] Time of day
Table 4: Differences between the proposed and compared methods.
Estimation-based anomaly detection method

We compared our new method to the estimation-based anomaly detection method. This method estimates the states of the home based on the sensed values and operating statuses of IoT devices. As with the proposed method, the estimation-based method calculated the  and  using Equations (5-9). We calculated the probability that the operation was legitimate by multiplying to and by summarizing them. If the value was higher than a threshold  the equation was regarded as legitimate, as shown in Equation 17.


where denotes the operation of the cooking stove.

Sequence-based anomaly detection method

We compared our new method to the sequence-based anomaly detection method [17]. This method models the behaviors of users from sequences of events in the home at each time of day. The sequence includes operations performed within  s. When this method observes a sequence related to the detection target operation, it counts the number of stored equivalent sequences that occurred during the time of day within  s of the observed sequence. When the ratio of the counted number of all stored operations of the target device was greater than or equal to the threshold, , the target operation included in the sequence was judged as legitimate. is the parameter, and the denotes the length of the sequence.

Anomalous operations of the cooking stove must be detected immediately because such operations present higher risks to users compared to other devices such as TVs, air conditioners, etc. Therefore, for this evaluation, the proposed and sequence-based methods could only use the sequences leading up to the target operations. Additionally, the cooking stove was often operated as the first event of a sequence when users wished to cook. These points differ from the evaluation of the previous sequence-based method [17].

4.1.5 Parameter values

Training and detection were performed for each combination of values set in Table 5. We simulated all combinations with each value set for each parameter and evaluated the detection results.

Parameter Set values
Table 5: Values of parameters for the proposed and compared methods.

4.2 Evaluation results

The evaluation results of the proposed and compared methods for each month are shown in Fig. 3.

Figure 3: Detection results for each month’s data of each home.

The proposed method achieved a higher detection ratio with the same misdetection ratio of the sequence-based method in the case of home , . In particular, compared with the highest detection ratios having less than 10% misdetections, the proposed method achieved a 46.0% higher detection ratio than the sequence-based method in home . This occurred because the proposed method has a narrower time range regarded as legitimate than the sequence-based method. When the sequence-based method tries to reduce misdetections, the legitimate range is expanded as the learning data increases because the devices are operated at various times of day. In contrast, because the proposed method estimates the state according to the state of each day, the legitimate time range can be narrowed. Furthermore, the detection of single operations by the proposed method is another reason for its improved performance; the single operation means that there are no other operations before  s. When the sequence-based method cannot use short-term information, it cannot determine legitimate/anomalous operations because it must learn from only the time-of-day information. Because the proposed method learns from the short- and long-term information, it can determine whether single operations are legitimate or anomalous from the long-term information. However, the detection results of the methods were almost the same in homes , , , , and . In these cases, the operations were performed at the same time of day and were included in the same sequences. Thus, the sequence-based method learned the behaviors accurately.

The proposed method also achieved a higher detection ratio with the same misdetection ratio of the estimation-based method in the case of homes , , , , and . In particular, compared with the highest detection ratios having less than 10% misdetections, the proposed method achieved a 15.4% higher detection ratio than did the estimation-based method in home . This occurred because the proposed method can learn the relations between operations of the cooking stove and the operations of other frequently used devices, which included air conditioners, heaters, room lights, washing machines used in the morning, and refrigerators. As an example of a legitimate behavior, a user might turn off a heater before using the cooking stove in order to regulate the ambient temperature. The estimation-based method only determines whether the users are about to cook. When users operated non-cooking devices, the probability of cooking was only slightly increased, and the estimation-based method could not determine the state. However, the proposed method can learn the behavior sequence including the operations of such devices to grasp the legitimate operations of the cooking stoves. In contrast, when there were fewer operations related to non-cooking devices, such as in homes , , , , , , , , , and , the detection results of the proposed method were slightly improved. During the recorded months, devices such as heaters and air conditioners were not used, and their operations were almost always single-use or used with cooking equipment. Therefore, nearly all operations of the cooking stoves could be determined as legitimate or not by estimating the home states.

The detection results of all methods were not stable in homes , , , , and . The numbers of operations included in these cases were too small to train the behavior models sufficiently. However, the misdetections in those homes were not significant because there were only a small number of operations.

5 Conclusion and Future Works

To detect anomalous operation attacks on IoT devices in a home, we proposed a detection method that estimates the home state based on the observed values of IoT sensors and device operations and learns the event sequences of users in the home in each estimated state. After training, when a device operation is observed to determine whether it is legitimate or anomalous, the proposed method calculates the occurrence probability of the sequence related to the target operation. If the occurrence probability is lower than the threshold, the operation is detected as anomalous. For this evaluation, we simulated anomaly detection using behavioral logs and sensor data obtained from real homes for one month. We evaluated the improvements of the proposed method and the effectiveness of each part by comparing the proposed method to other methods, one of which did not use sequence information and the other did not estimate the in-home situation. We found that the proposed method achieved a 15.4% higher detection ratio with fewer than 10% misdetections by using the sequence information, and it achieved a 46.0% higher detection ratio with fewer than 10% misdetections by using the estimation of the in-home situation. Thus, the proposed approach can analyze the legitimate behavior of users and legitimate usages of the IoT devices comprehensively by using long- and short-term information, that is, by estimating the home state transition and using the sequence of behaviors. However, a certain amount of data was required to learn the behaviors of users in the home.

In this study, we simulated the proposed method by setting a cooking stove as the target device. Evaluating the proposed method when other devices are used as detection targets remains as a future task. Furthermore, although we used data for one month for this evaluation, another future task will involve collecting data for a longer period of time and from many actual homes to verify the utility of the method.

This work was supported by the Mitsubishi Electric Cybersecurity Research Alliance Laboratories. They supported collection, analysis, and interpretation of data and the design study of estimating in-home situations.

This work was also supported by JSPS KAKENHI Grant Number JP21J12993. It supported designing the method to combine the estimation of in-home situations and behavior sequences and the writing of this paper.

We would like to thank Editage ( for English language editing. Authors state no conflict of interest.


  • [1] Lueth K.L., State of the IoT 2020: 12 billion IoT connections, surpassing non-IoT for the first time, IoTAnalytics, 19 November 2020,
  • [2] Stellios I., Kotzanikolaou P., Psarakis M., Alcaraz C., Lopez J., A survey of IoT-enabled cyberattacks: Assessing attack paths to critical infrastructures and services, IEEE Commun. Surveys Tuts., 2018, 20(4), 3453–3495.
  • [3] Pa Y.M.P., Suzuki S., Yoshioka K., Matsumoto T., Kasama T., Rossow C., IoTPOT: A novel honeypot for revealing current IoT threats, J. Inf. Process., 2016, 24(3), 522–533.
  • [4] Lyu M., Sherratt D., Sivanathan A., Gharakheili H.H., Radford A., Sivaraman V., Quantifying the reflective DDoS attack capability of household IoT devices, Proc. 10th ACM Conf. on Secur. and Privacy in Wireless and Mobile Networks (18–20 July 2017, New York, USA), ACM, 2017, 46–51.
  • [5] Martin V., Cao Q., Benson T., Fending off IoT-hunting attacks at home networks, Proc. 2nd Workshop on Cloud-Assisted Netw. (11–12 December 2017, Incheon, Republic of Korea), ACM, 2017, 67–72.
  • [6] Xu K., Wang F., Jia X., Secure the internet, one home at a time, Secur. Commun. Netw., 2016, 9(16), 3821–3832.
  • [7] Shirali-Shahreza S., Ganjali Y., Protecting home user devices with an SDN-based firewall, IEEE Trans. Consum. Electron., 2018, 64(1), 92–100.
  • [8] McPherson R., Irvine J., Using smartphones to enable low-cost secure consumer IoT devices, IEEE Access, 2020, 8, 28607–28613.
  • [9] West C., Harriss L., Cyber security of consumer devices, UK Parliament, 07 February 2019,
  • [10]

    Sivanathan A., Gharakheili H.H., Sivaraman V., Managing IoT cyber-security using programmable telemetry and machine learning, IEEE Trans. Netw. Service Manag., 2020, 17(1), 60–74.

  • [11] Xu K., Wang F., Egli R., Fives A., Howell R., Mcintyre O., Object-oriented big data security analytics: A case study on home network traffic, Proc. Int. Conf. Wireless Algorithms, Syst., and Appl. (23–25 June 2014, Harbin, China), Springer Int. Publishing, 2014, 313–323.
  • [12] Xu K., Wang F., Gu L., Gao J., Jin Y., Characterizing home network traffic: An inside view, Pers. Ubiquitous Comput., 2014, 18(4), 967–975.
  • [13] Komninos N., Philippou E., Pitsillides A., Survey in smart grid and smart home security: Issues, challenges and countermeasures, IEEE Commun. Surveys Tuts., 2014, 16(4), 1933–1954.
  • [14] Soltan S., Mittal P., Poor H.V., BlackIoT: IoT botnet of high wattage devices can disrupt the power grid, Proc. 27th USENIX Secur. Symp. (15–17 August 2018, Baltimore, USA), USENIX Association, 2018, 15–32.
  • [15] Vault 7: CIA hacking tools revealed - CIA malware targets iPhone, Android, smart TVs., Wikileaks, 7 March 2017,
  • [16] Whittaker Z., Smartwatch hack could trick patients to ‘take pills’ with spoofed alerts, TechCrunch, 9 July 2020,
  • [17] Yamauchi M., Ohsita Y., Murata M., Ueda K., Kato Y., Anomaly detection in smart home operation from user behaviors and home conditions, IEEE Trans. Consum. Electron., 2020, 66(2), 183–192.
  • [18] Yamauchi M., Tanaka M., Ohsita Y., Murata M., Ueda K., Kato Y., Modeling home IoT traffic using users’ in-home activities for detection of anomalous operations, Proc. 32nd Intl. Teletraffic Congr., Ph.D. Workshop (22–24 September 2020, Osaka, Japan), ITC, 2020, 1–2.
  • [19] Ramapatruni S., Narayanan S.N., Mittal S., Joshi A., Joshi K., Anomaly detection models for smart home security, Proc. 2019 IEEE 5th Int. Conf. on Big Data Secur. on Cloud, High Perform. and Smart Comput., and Intell. Data and Secur. (27–29 May 2019, Washington, DC, USA), IEEE Computer Society, 2019, 19–24.