IoT-Flock: An Open-source Framework for IoT Traffic Generation

Syed Ghazanfar, Faisal Hussain, Atiq Ur Rehman, Ubaid U. Fayyaz, Farrukh Shahzad, Ghalib A. Shah
Al-Khawarizmi Institute of Computer Science (KICS), Lahore, Pakistan

[© 20xx IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.]

Abstract—Network traffic generation is one of the primary techniques used to design and analyze the performance of network security systems. However, due to the diversity of IoT networks in terms of devices, applications and protocols, traditional network traffic generator tools are unable to generate IoT-specific protocol traffic. Hence, traditional traffic generator tools cannot be used for designing and testing the performance of IoT-specific security solutions. In designing an IoT-based traffic generation framework, the two main challenges are IoT device modelling and generating IoT normal and attack traffic simultaneously. Therefore, in this work, we propose an open-source framework for IoT traffic generation which supports the two widely used IoT application layer protocols, i.e., MQTT and CoAP. The proposed framework allows a user to create an IoT use case, add customized IoT devices into it and generate normal and malicious IoT traffic over a real-time network. Furthermore, we set up a real-time IoT smart home use case to demonstrate the applicability of the proposed framework for developing security solutions for the IoT smart home by emulating real-world IoT devices. The experimental results demonstrate that the proposed framework can be effectively used to develop better security solutions for IoT networks without physically deploying the real-time use case.

Index Terms—Traffic Generator, IoT Traffic Generator, IoT Flock, IoT Use Case, Intrusion Detection System, IoT Security

I. INTRODUCTION

Internet of things (IoT) has recently emerged as a topic of intense interest among the research community since it integrates various technologies. The main concept of IoT is that various devices comprising different technologies will be connected and communicating with each other without human intervention. IoT is a communication paradigm built on communication between the objects of our daily life, connected over the internet. IoT has gained the capability of interacting with a wide variety of devices such as household appliances, industrial machines, robots, drones, power generation systems and many others. By controlling and managing the massive amount of data produced by such devices, IoT can provide new services to enrich human life.

In the current era, security is the major concern of IoT [1]. Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are the major security shields to protect the devices and network from cyber-attacks. Most firewalls, IDS and IPS separate normal and malicious traffic based upon signatures, i.e., static predefined rules, while a few IDS and IPS use artificial intelligence (AI) techniques along with signatures to detect the attack traffic. The IDS and IPS that filter intrusive attempts using both signatures and AI techniques are more effective than those which only use signatures. The AI-based IDS and IPS are trained and tested using normal and attack traffic datasets. These datasets are collected by two approaches, i.e., either by using real systems to generate malicious and normal network traffic or by using traffic generator tools which mimic real-time network traffic.

Although the present IDS and IPS technology is quite mature, it is inadequate for IoT systems [2]. The primary cause is that the communication protocols which IoT devices use, like CoAP, MQTT, etc., are not employed in a traditional network, and different protocols carry different vulnerabilities and requirements [2]. Another crucial factor is the limited processing and storage capacity of IoT devices, due to which host-based IDS cannot be installed on them. However, network-based IDS can protect the IoT network and devices from cyber-attacks if they are equipped with support for IoT protocols.

There exist some datasets like KDD-99 [3], NSL-KDD [4], CAIDA [5], ISCX [6], etc., that are widely used for developing security systems to protect IoT networks from malicious attacks. However, these datasets have certain issues with respect to IoT: they do not contain the traffic of commonly used IoT protocols, e.g., MQTT, CoAP, etc. Moreover, some of these datasets are so old that they are outdated, as there is quite a difference between past and current cyber-attacks [7]. Nevertheless, this dilemma can be resolved by generating the dataset through a network traffic generator tool which can generate both normal and attack traffic of commonly used IoT protocols.

A network traffic generator tool is a kind of software that allows a user to generate detailed custom packets. Traffic generator tools are extensively used by researchers and security providers in order to develop and test security applications like IDS, IPS, etc. Moreover, they can be used for the evaluation of network performance like stress testing [8]. Furthermore, network engineers use traffic generator tools for benchmarking network features and troubleshooting network problems. So far, many traffic generator tools/frameworks have been proposed [9]–[13] by both the research and software development community. However, these frameworks/tools have certain shortcomings: support for IoT application layer protocols is still missing in these tools. Similarly, most traffic generating tools cannot generate attack traffic. Hence, the existing traffic generator tools/frameworks are inadequate for developing and testing the security solutions of IoT networks. Therefore, we proposed a framework for IoT traffic generation which can generate both the normal and attack traffic of two widely used IoT application layer protocols, i.e., MQTT and CoAP.

The main focus of this work is to propose a framework which consists of an IoT traffic generator tool so that researchers may easily build their own use case, model IoT devices into it and then generate & analyse the traffic of the use case in order to develop better security solutions for IoT. The proposed traffic generation framework can also be used in stress testing of different IoT-based network utilities like switches, routers, etc., by generating a large amount of IoT device traffic. Moreover, it can also be used for the designing and testing of IoT security providing entities like IDS, IPS, etc. The key contributions of this work are as follows:

• We proposed an open-source framework which consists of an IoT traffic generator tool which is capable of generating IoT normal and attack traffic over a real-time network using a single physical machine.
• To the best of our knowledge, we are the first to design an open-source IoT traffic generator which supports two application layer IoT protocols, i.e., MQTT and CoAP.
• We devised IoT device modelling by introducing the concept of time profile and data profile in order to better emulate the IoT devices.
• Furthermore, we implemented a real-time smart home use case using the proposed IoT traffic generation framework and demonstrated how the generated traffic can be used to develop a machine learning based security solution.

The rest of the paper is structured as follows: Section II presents a review of some existing traffic generator tools/frameworks. Section III describes the features, architecture and working of the proposed framework. Section IV discusses the experimentation and demonstrates how IoT traffic can be generated and used for developing machine learning based security solutions. Lastly, Section V concludes the paper.

II. RELATED WORK

Network traffic generator tools are used extensively for evaluation of network performance like throughput calculation, stress testing [8], etc. So far, many traffic generator tools have been proposed in the literature. In [14], authors proposed a traffic generator tool for switch testing. The developed traffic generator consists of both hardware and software modules. The software module generates configurations and parameters according to the traffic model selected by the user, while the hardware module generates the packets as specified by the software module and sends them to the network interface module. In [11], authors introduced a scriptable traffic generator which consists of both hardware and software modules. The software module was developed for packet configurations while the hardware module was developed to control the packet rate and latency. However, it can only generate ICMP, ARP, TCP, UDP and IP protocol traffic.

In [8], authors proposed a traffic generation framework for testing deep packet inspection (DPI) tools. The proposed framework generates network traffic based on user behaviour emulation. They gathered real-time traffic, analyzed it and extracted the typical user behaviour to emulate it later for testing the DPI tools. In [12], authors designed a hardware device which can generate IoT traffic. The designed hardware can generate traffic flows simultaneously based on the interval length and data size. However, this device only generates layer 2 traffic, while in the case of IoT we are primarily concerned with application layer protocols like MQTT, CoAP, HTTP, etc. In [15], authors proposed a traffic generator framework by integrating the machine type communication (MTC) traffic models with big data. The framework was proposed to evaluate the performance of mobile networks.

In [13], authors designed a tool that not only generates network traffic but also evaluates network performance as well as functional testing at the switch level. The tool can be used to generate different test scenarios and analyze the response in order to check the functional aspects of the switch network. In [16], authors proposed a traffic generator which can generate the network traffic of the network layer and transport layer. The traffic generator supports TCP and UDP protocols. A user has to specify the content, data size, duration, flow features and traffic model in order to generate the traffic.

In addition to the literature, many open-source traffic generator tools have been developed by the software development community. For example, Packet Sender [9] is an open-source tool that supports sending and receiving TCP, UDP and SSL traffic in order to test network APIs and network connectivity. Likewise, the D-ITG tool [10] emulates the network traffic of TCP, UDP and ICMP protocols. Moreover, it also measures network performance metrics like throughput, delay, losses, etc., based upon the network flows.

Although many traffic generator tools/frameworks have been developed by both the research and software development community, support for IoT application layer protocols is still missing. Furthermore, a large number of network traffic generator tools do not generate attack traffic. Hence, the existing traffic generator tools are inadequate for testing the performance and security of IoT networks. Therefore, we proposed a novel open-source framework which consists of a traffic generator tool. The proposed framework can generate
the two widely used IoT application layer protocols, i.e., MQTT and CoAP. Moreover, it can generate the normal and attack traffic over a real-time network which is imperative for testing and evaluating the security solutions proposed for IoT.

III. PROPOSED FRAMEWORK

The proposed framework consists of an open-source IoT traffic generator tool which can generate the normal and attack traffic of IoT devices over a real-time network. We named it IoT-Flock. Fig. 1 shows the layer-wise core functionalities of IoT-Flock. IoT-Flock has the following distinct features as compared to other commercially or publicly available traffic generator tools:

• IoT-Flock has two working modes, i.e., GUI mode and console mode, which allow a user to create real-time IoT use cases and add thousands of IoT devices into the use case.
• IoT-Flock provides XML support to import or export the designed use case. Thus, a user can create, share and run a use case through an XML file.
• IoT-Flock can also generate MQTT and CoAP related attacks. To the best of our knowledge, this feature is not supported yet by any other open-source IoT traffic generator tool. Thus, a user can easily create both normal and attacking devices in the same use case and generate their traffic.

Fig. 1. Layer-wise Core Functionalities of IoT-Flock

A. IoT-Flock Architecture

We followed a layered architecture in order to develop IoT-Flock. IoT-Flock comprises three layers, i.e., presentation layer, business logic layer and network layer. The following subsections describe these layers.

1) Presentation Layer: The presentation layer is responsible for presenting the interface to the end-user. It works in two modes, i.e., console mode and graphical user interface (GUI) mode. In console mode, a user will import the use case XML file through the console and run the tool for generating the IoT traffic as defined in the XML file. In GUI mode, a user will first create an IoT use case and then add different IoT devices into it. A user can add MQTT and CoAP devices into the use case. While creating a device, a user has to give the device name, device IP address, device type, number of devices and protocol type in order to emulate the device traffic over the real-time network using IoT-Flock.

If a user selects the MQTT protocol, then the MQTT GUI form will be enabled and the user has to give further information about the MQTT device. In order to emulate an MQTT device, a user has to specify the MQTT broker IP & port, the username & password of the MQTT broker if they exist, and the MQTT device type, i.e., subscriber or publisher.

If the device is a subscriber, then the user must specify the topic name to which the device needs to be subscribed. For this purpose, a user can either select a topic from the topic list which the user has already saved or add a new topic if the topic name does not exist in the topic list.

If the device is a publisher, then the user must specify the topic name along with the time profile and data profile in order to emulate the device behaviour.
- For the time profile, a user must specify at which frequency a device publishes the data, i.e., whether a device sends data after some specific interval (i.e., periodically, randomly, etc.) or after the occurrence of some event.
- For the data profile, a user must specify what type of data is published by the IoT device. It may be numeric, binary or string data. Moreover, the user must define the data values or range of values that the device can publish in real-time in order to emulate the publishing device.

Both the time profile and data profile can be saved in the database so that they may be used later if some other device has the same time or data profile.

Likewise, if a user selects the CoAP protocol from the main window, then the CoAP related GUI will be enabled and the user has to give information about the CoAP server IP & port, CoAP method, time profile and data profile. The CoAP method includes four options, i.e., GET, POST, PUT and UPDATE which are briefly described in Table I.

TABLE I
COAP METHODS

| Method | Description |
|---|---|
| GET | Retrieves the information corresponding to the URI request |
| POST | Requests the server to process the representation enclosed in the request |
| PUT | Requests to update or create a resource identified by URI |
| DELETE | Requests to delete the resource identified by the URI |

2) Business Logic Layer: The business logic layer is responsible for implementing the user requirements that have been gathered from the presentation layer. We used four open-source APIs and a database management system (DBMS) to implement the user required functionalities, which include MQTT API [17], CoAP API [18] and libtins API [19]. The MQTT API [17] is used to create MQTT publisher and MQTT subscriber devices. An MQTT subscriber device will first send the subscribe request to the MQTT broker against some topic to establish the connection with the MQTT broker and then will receive messages when some IoT device publishes a
message to the MQTT broker against the subscribed topic. Similarly, an MQTT publisher device will first establish a connection with the MQTT broker and then publish the message to the MQTT broker using MQTT API [17]. Likewise, the CoAP API [18] is used to send the user request to the CoAP server. The libtins API [19] is used to generate an attacking device. Finally, SQL DBMS is used to store the use case related information.

3) Network Layer: The network interface layer is responsible for assigning a unique virtual IP to each IoT device from a single physical system. Moreover, it is also responsible for sending and receiving the data to/from the network.

B. IoT-Flock Working

The flow diagram shown in Fig. 2(a) illustrates the working of IoT-Flock. It consists of four steps: create use case, add IoT devices to use case, save XML, and run the use case & generate IoT traffic. Upon starting IoT-Flock in GUI mode, a user will first create the desired use case by simply clicking the ‘+ new use case’ button. After entering the use case name, the user will click on ‘OK’ to create the use case and the use case window will appear. Now the user has to add IoT devices into the use case. Fig. 2(b) shows the device creation steps. A user can create both IoT normal and attack devices with respect to the use case. After adding the devices, the next step is to generate an XML file of the use case. If a user needs to re-run the use case after some time, the user can simply load and run the saved XML file of the use case instead of re-creating it. Moreover, the generated XML file can be shared with anyone to help them understand the use case. Lastly, the user will click on the ‘Start’ button to initiate the emulation of the use case.

Fig. 2. Flow Diagram of IoT-Flock

C. Attack Types in IoT-Flock

Currently, we included four recent IoT application layer vulnerability attacks in IoT-Flock. However, one can add more types of attacks in IoT-Flock by extending the source code. These attacks were reported recently in a well-known vulnerability reporting platform, i.e., the national vulnerability database (NVD) [20]. Below is the description of these attacks.

MQTT Packet Crafting Attack - In this attack, MQTT packets are specially crafted to crash an application. The attacker first establishes a connection with the MQTT broker at the transport layer and then sends the MQTT publish command right at the beginning instead of sending a connection request to the MQTT broker [21].

MQTT Publish Flood - IoT devices follow a periodic or event-driven model for sending data using application layer protocols. In the periodic model, the device is set to send data after every x interval, e.g., a temperature sensor sends temperature data to the server after every five seconds. In the event-driven model, the device sends data when some event occurs, e.g., a motion sensor is configured to only send data to the server when it detects motion in the environment. According to [22], publishing MQTT messages at a high rate can cause a denial of service (DoS) attack.

CoAP Segmentation Fault Attack - While communicating with the CoAP server, a valid Uri-Path is an essential part of the request and response packet. Recently, an attack was reported in which, when the attacker sets the Uri-Path as null, the CoAP server mishandles such packets and hence causes a segmentation fault [23]. Moreover, an attacker can generate a DoS attack by sending such packets in a large amount.

CoAP Memory Leak Attack - The CoAP server sends or receives data based upon the CoAP methods as called by the clients. It is reported that when an attacker sends invalid options to the CoAP server, it causes a memory crash, as the processing of a packet with a single invalid option wastes 24 bytes of memory [24].

IV. EXPERIMENTAL ANALYSIS

A. Experimental Setup

1) Use Case Creation & Traffic Generation: A real-time IoT smart home system is deployed in our laboratory and office environment. In our smart home use case ten IoT devices are installed. Each device contains four types of environment monitoring sensors, i.e., temperature sensor, humidity sensor, motion sensor and light sensor. All the devices and sensors communicate over the MQTT protocol within a wireless local area network (WLAN) environment. All the sensors except the motion sensors are set to send the data periodically to the server after every 3 minutes, where this received data is saved into a database. The motion sensor sends data to the server only when it detects motion. The data saved in the server database is read by a rule engine which controls the switching of home appliances based on the conditions as defined by the user. In our case, the rule engine is controlling three types of appliances, which include air conditioners (AC), lights and fans.

To implement the above discussed real-time use case in IoT-Flock, we first analyzed the traffic patterns of the real-time devices as shown in Table II. For the time profile, we observed that all sensors except the motion sensor are sending data periodically, i.e., after every 180s. So, we set their time profile as periodic at 180s and set the data profile using (1):

$$\text{Data Range} = \big(\min[\text{Average Value}, \text{Mode Value}],\ \max[\text{Average Value}, \text{Mode Value}]\big) \tag{1}$$

For the motion sensor, we set it to send 1 and 0 randomly within the time range 3s to 5s. Once we finalized the time profile and data profile of the smart home use case as shown in Table III, we next created a use case in IoT-Flock and named it ‘Smart Home’ by following the steps shown in Fig. 2. Furthermore, we also created an attack network of 8 devices generating four types of attacks as mentioned in Section III-C by running the IoT-Flock tool on a different machine. To discriminate the normal and attack traffic, we fixed two IPv4 address ranges, e.g., the IP range from 192.168.1.2 to 192.168.1.254 fixed for normal network devices and the IP range from 192.168.2.2 to 192.168.2.254 fixed for attacking network devices.

TABLE II
ACTUAL TRAFFIC FEATURES

| Device Name | Average Value | Mode | Average Time | Behavior |
|---|---|---|---|---|
| Temp Sensor | 34.72 C | 35 C | 180s | Periodic |
| Light Sensor | 120 Lux | 100 Lux | 180s | Periodic |
| Motion Sensor | 0.5 | 1 | 3s-5s | Random |
| Humidity Sensor | 40 % | 42 % | 180s | Periodic |

TABLE III
EMULATED TRAFFIC FEATURES

| Device Name | Data Profile | Time Profile | Behavior |
|---|---|---|---|
| Temp Sensor | 33-35 C | 180s | Periodic |
| Light Sensor | 99-120 Lux | 180s | Periodic |
| Motion Sensor | 0-1 | 3s-5s | Random |
| Humidity Sensor | 39-42 % | 180s | Periodic |

2) Data Capturing: After creating both the normal and attack networks, we first started the normal network to generate IoT normal traffic. After 10 minutes, we started the attack network. The whole emulation ran for 30 minutes and we captured both the normal and attack traffic using Wireshark [25] and saved it into a .pcap file for further analysis.

3) Features Extraction: Once we got the .pcap file of both the normal and attack network, we extracted the features from the .pcap file to train the machine learning classifiers for attack detection. For this purpose, we used a publicly available tool, i.e., CICFlowmeter [26], to extract the network traffic flow features of the given .pcap file and saved them into a .csv file. CICFlowmeter [26] extracts more than 80 features from a .pcap file. Further details of these features are mentioned in [27]. We extracted network traffic features from the .pcap file and labelled them with respect to normal and attack device IP addresses. The final .csv file had 400 samples of both normal and attack traffic.

4) Features Selection: Feature selection plays a significant role in the performance of a machine learning (ML) model as it selects the significant features which are imperative for data classification and ignores the useless features which can disturb the performance of the ML model. For feature selection, we used the mutual information feature selection technique, which calculates the mutual information among the features for a discrete target variable in order to select the important features from a dataset. We selected the top 10 features for better training and testing of the machine learning model.

5) Model Training: After selecting the features, we split the data into training and testing sets by randomly taking 20% of the data for testing and 80% for training. We then trained and tested three commonly used ML models, i.e., Naive Bayes (NB), Random Forest (RF) and K-Nearest Neighbor (KNN), over the pre-processed dataset.

B. Performance Metrics

For the performance evaluation of the machine learning classifiers, we calculated three commonly used performance parameters over the testing data, which include sensitivity, specificity and accuracy. The sensitivity is defined as the
ability of the system to correctly detect the attack. The specificity is defined as the ratio of normal packets that are mistakenly classified as malicious packets. The accuracy is defined as the ratio of correct predictions with respect to all samples. Mathematically, these are expressed in (2)-(4):

$$\text{Sensitivity} = \frac{TP}{TP + FN} \times 100 \tag{2}$$

$$\text{Specificity} = \frac{TN}{TN + FP} \times 100 \tag{3}$$

$$\text{Accuracy} = \frac{TP + TN}{TP + FN + TN + FP} \times 100 \tag{4}$$

Table IV summarizes the overall results of the three machine learning classifiers which are used for detecting malicious traffic.

TABLE IV
RESULTS

| Parameters | NB | KNN | RF |
|---|---|---|---|
| Sensitivity | 99.01 | 99.96 | 99.98 |
| Specificity | 95 | 99.88 | 99.99 |
| Accuracy | 97.14 | 99.92 | 99.99 |

V. CONCLUSION

Security is the major concern which may hamper the proliferation of IoT devices. Network traffic generation is a key technique which is used to design and analyze the performance of network security solutions like firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), etc. In this work, we proposed an open-source traffic generation framework, i.e., IoT-Flock, which supports two IoT application layer protocols. Most of the existing open-source traffic generators cannot generate attack traffic; however, IoT-Flock can generate both the attack and normal IoT traffic in order to train and test IoT network security solutions. To demonstrate how IoT-Flock can help in generating an IoT security solution, we first analyzed the traffic behaviour of a real-time smart home use case. We then created the smart home use case in IoT-Flock. After that, we created an attacking network to attack the IoT devices using IoT-Flock and captured the traces of both normal and attack traffic. Finally, we extracted the features and then trained and tested three commonly used machine learning algorithms for detecting the malicious traffic in the IoT smart home use case. Among these models, the Random Forest classifier performed the best with an accuracy of 99.99%. One can download IoT-Flock from GitHub [28], create a real-time IoT use case, generate the use case traffic and test or design security solutions for the IoT use case by utilizing IoT-Flock. Currently, IoT-Flock supports four recently reported IoT attacks; however, one can add more IoT attacks to the tool by extending its source code.

REFERENCES

[1] E. Hossain, I. Khan, F. Un-Noor, S. S. Sikander, and M. S. H. Sunny, “Application of big data and machine learning in smart grid, and associated security concerns: A review,” IEEE Access, vol. 7, pp. 13 960–13 988, 2019.
[2] B. B. Zarpelao, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga, “A survey of intrusion detection in internet of things,” Journal of Network and Computer Applications, vol. 84, pp. 25–37, 2017.
[3] KDD Cup 1999 Data, (accessed January 2, 2020). [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[4] NSL-KDD dataset, (accessed January 6, 2020). [Online]. Available: https://www.unb.ca/cic/datasets/nsl.html
[5] Center for Applied Internet Data Analysis (CAIDA), (accessed January 6, 2020). [Online]. Available: https://www.caida.org/data/
[6] ISCX, (accessed January 6, 2020). [Online]. Available: http://www.iscx.ca/datasets/
[7] W. Haider, J. Hu, J. Slay, B. P. Turnbull, and Y. Xie, “Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling,” Journal of Network and Computer Applications, vol. 87, pp. 185–192, 2017.
[8] P. Megyesi, G. Szabó, and S. Molnár, “User behavior based traffic emulator: A framework for generating test data for dpi tools,” Computer Networks, vol. 92, pp. 41–54, 2015.
[9] Packet Sender, (accessed January 2, 2020). [Online]. Available: https://packetsender.com/
[10] D-ITG, (accessed January 12, 2020). [Online]. Available: http://www.grid.unina.it/software/ITG/
[11] P. Emmerich, S. Gallenmüller, D. Raumer, F. Wohlfart, and G. Carle, “Moongen: A scriptable high-speed packet generator,” in Proceedings of the 2015 Internet Measurement Conference. ACM, 2015, pp. 275–287.
[12] Y. Kuwabara, T. Yokotani, and H. Mukai, “Hardware emulation of iot devices and verification of application behavior,” in 2017 23rd Asia-Pacific Conference on Communications (APCC). IEEE, 2017, pp. 1–6.
[13] J. Pullmann and D. Macko, “Network tester: A generation and evaluation of diagnostic communication in ip networks,” in 2018 16th International Conference on Emerging eLearning Technologies and Applications (ICETA). IEEE, 2018, pp. 451–456.
[14] Y. Wang, Y. Li, X. Wang, and Z. Xiaohui, “A novel traffic generator for switch testing,” in 2015 International Conference on Environmental Engineering and Remote Sensing. Atlantis Press, 2015.
[15] W.-H. Hsu, Q. Li, X.-H. Han, and C.-W. Huang, “A hybrid iot traffic generator for mobile network performance assessment,” in 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC). IEEE, 2017, pp. 441–445.
[16] X.-h. Kuang, J. Li, and F. Xu, “Network traffic generator based on distributed agent for large-scale network emulation environment,” in International Conference on Intelligent Science and Big Data Engineering. Springer, 2018, pp. 68–79.
[17] MQTT-API, (accessed January 6, 2020). [Online]. Available: https://github.com/qt/qtmqtt
[18] CoAP-API, (accessed January 6, 2020). [Online]. Available: https://github.com/qt/qtcoap
[19] Libtins, (accessed January 6, 2020). [Online]. Available: https://libtins.github.io/
[20] National Vulnerability Database (NVD), (accessed January 6, 2020). [Online]. Available: https://nvd.nist.gov/
[21] CVE-2016-10523 Detail, (accessed January 6, 2020). [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2016-10523
[22] CVE-2018-1684 Detail, (accessed January 6, 2020). [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-1684
[23] CVE-2019-12101, (accessed January 6, 2020). [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12101
[24] CVE-2019-9004, (accessed January 6, 2020). [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12101
[25] Wireshark, (accessed January 6, 2020). [Online]. Available: https://www.wireshark.org/
[26] CICFLOWMETER, (accessed January 6, 2020). [Online]. Available: http://www.netflowmeter.ca/
[27] NETWORK TRAFFIC FLOW ANALYZER, (accessed January 6, 2020). [Online]. Available: http://www.netflowmeter.ca/netflowmeter.html
[28] IoT-Flock: An Open-source Framework for IoT Traffic Generation, (accessed March 4, 2020). [Online]. Available: https://github.com/ThingzDefense/IoT-Flock
