Smart home automation is part of the Internet of Things that enables remote control of a house through smart devices, sensors, and actuators. Despite its convenience, vulnerabilities in smart home devices provide attackers with an opportunity to break into the smart home infrastructure without permission. In fact, millions of Z-Wave smart home legacy devices are vulnerable to wireless injection attacks due to the lack of encryption support and the lack of firmware updates. Worse yet, recent Z-Wave secure S2 devices with built-in encryption are also vulnerable to specific targeted attacks, i.e., attacking S2 devices is possible via vulnerable legacy devices or by injecting malicious unencrypted packets that alter S2 devices' normal operations. In this paper, we present ZMAD, a novel lightweight anomaly-based intrusion detection system (IDS) for monitoring and detecting wireless attacks on Z-Wave smart home devices. ZMAD uses a technique called packet formalization to address heterogeneous packets coming from various Z-Wave devices. ZMAD also uses a centralized learning approach to profile normal communication patterns of devices to increase Z-Wave Command Class coverage. By constructing a lightweight artificial neural network built from scratch in consideration of packet formalization and centralized learning, ZMAD can effectively detect abnormal behaviors in Z-Wave networks and runs on an external device to avoid network overhead. We applied ZMAD to an evaluation testbed constructed using 17 top-rated real-world Z-Wave smart home devices. From our experiments, we confirmed that ZMAD could effectively discover wireless injected packets with an accuracy of 98% for its artificial neural network. Our further analysis demonstrated that ZMAD is more effective than existing approaches, increasing the coverage of Z-Wave Command Classes by 663% while reducing the size of the trained model (23.1 KB) by five to 47 times compared to existing deep learning architectures.
ZMAD Devices' Pre-processed Traffic Dataset
This is the pre-processed dataset used in the paper: "ZMAD: Lightweight Model-based Anomaly Detection for the Structured Z-Wave Protocol".
The dataset can be used to test cybersecurity applications, AI-based IDS, threat intelligence, and adversarial machine learning that target the Z-Wave protocol.
The ZMAD dataset includes traffic from heterogeneous real Z-Wave devices, such as the main controller, several slave devices, actuators, and sensors.
The dataset consists of normal (benign) traffic and abnormal (attack) traffic collected from known Z-Wave vulnerabilities and fuzzing techniques.
For the academic/public use of the dataset, the researcher MUST cite the following paper:
C. K. Nkuba, S. Woo, H. Lee, and S. Dietrich, "ZMAD: Lightweight Model-based Anomaly Detection for the Structured Z-Wave Protocol," in IEEE Access, 2023.
For more information about the dataset, please contact Carlos Nkuba by email: firstname.lastname@example.org.
Follow updates at: https://github.com/CNK2100/ZMAD-Dataset
Last Updated: 08 June 2023