

IEEE INTERNET OF THINGS JOURNAL, VOL. X, NO. X, XX 2019

Enhanced Cyber-Physical Security in Internet of Things through Energy Auditing

Fangyu Li, Yang Shi, Student Member, IEEE, Aditya Shinde, Jin Ye, Senior Member, IEEE, WenZhan Song, Senior Member, IEEE

Abstract—Internet of Things (IoT) are vulnerable to both cyber and physical attacks. Therefore, a cyber-physical security system against different kinds of attacks is in high demand. Traditionally, attacks are detected via monitoring system logs. However, the system logs, such as network statistics, file access records, can be forged. Furthermore, existing solutions mainly target cyber attacks. This paper proposes the first energy auditing and analytics based IoT monitoring mechanism. To our best knowledge, this is the first attempt to detect and identify IoT cyber and physical attacks based on energy auditing. Using the energy meter readings, we develop a dual deep learning model system, which adaptively learns the system behaviors in a normal condition. Unlike the previous single deep learning models for energy disaggregation, we propose a disaggregation-aggregation architecture. The innovative design makes it possible to detect both cyber and physical attacks. The disaggregation model analyzes the energy consumptions of system subcomponents, e.g. CPU, network, disk, etc. to identify cyber attacks, while the aggregation model detects the physical attacks by characterizing the difference between the measured power consumption and prediction results. Using energy consumption data only, the proposed system identifies both cyber and physical attacks. The system and algorithm designs are described in detail. In the hardware simulation experiments, the proposed system exhibits promising performances.

Index Terms—IoT, deep learning, energy audit, cyber and physical attack detection.

I. INTRODUCTION

Internet of Things (IoT) face complex and complicated security challenges. IoT devices are exposed to both cyber and physical worlds, so attacks and threats may come from both cyber and physical channels [1]. With diversified and numerous applications, IoT systems require the adaptive adjustment ability to solve not only cyber threats but also physical attacks [2], [3]. However, because of the limited processing, storage and communication resources as well as the unpredictable physical environment, traditional security software solutions are too heavy for IoT devices and often cannot detect physical threats [1], [4]. Thus, the IoT security system design is always challenging.

In an IoT system, the perception and application layers have the physical attack vulnerabilities, while the network layer is facing possible cyber attacks [2]. Typically, the IoT system performance data can be used for analyzing the system behavior [5], such as network parameters [6], but those anomaly detection approaches usually target cyber attacks [7]. When IoT systems carry ubiquitous computing, IoT devices are physically reachable [8], thus physical threats and attacks become possible [9], which should be considered.

Manuscript received XXX, 2018; revised XXX, 2018. F. Li, Y. Shi, A. Shinde, J. Ye and W.Z. Song are with Center for Cyber-Physical Systems, University of Georgia, Athens, GA 30602, USA (e-mail: [email protected], [email protected], [email protected], [email protected], [email protected]).

However, as system logs are also attack targets and can be forged, IoT security should depend on a more “reliable” system monitoring mechanism. Energy auditing has been investigated in the emerging smart grids [10], but has not been known as a major attack target. In addition, energy auditing is widely available in the IoT devices, for example, Jiang et al. [11] embedded wireless power meters in smart appliances to continuously measure the voltage and current. And smartphones [12] as well as energy-aware smart home systems [13] also have energy auditing functions nowadays. Thus, we adopt the energy consumption reading as the source of the proposed security system. In addition, to further improve the data fidelity and secrecy, the data can be obtained from a side-channel energy audit sensor, which is separated from the communication channel of IoT system. Furthermore, the energy auditing channel can be encrypted, if needed [14]. It is a new monitoring mechanism and can be generally applied to most IoT devices and systems. The hypothesis is that cyber or physical attacks leave a trace in the energy profile. If an attack does not affect energy profile at all, it would perhaps be negligible. In a real system implementation, if the energy auditing is not available in the application program interface (API) of the IoT device, a low-cost energy meter can be designed and attached to an IoT device, performing continuous energy auditing and analytics to enhance security.

Because of the complexity and uncertainty, energy analytics has been an active application of the artificial intelligence [15], [16]. Machine learning (ML), especially deep learning (DL), changes the energy analytics from programmatically to intelligently [17], [18]. Thanks to the multi-layered architecture, DL learns complex data patterns between inputs and outputs [19]. Assuming the normal system behavior patterns are modeled by DL models, the error between the real energy consumption data and prediction results can be used to detect anomalous events based on statistical analysis [6].

Figure 1 shows the big picture of the proposed IoT security mechanism. Based on the monitoring data, machine learning and deep learning (ML/DL) intelligently learn ‘normal’ behaviors from how IoT components operate and interact with one another, and detect ‘abnormal’ behaviors. Moreover, learning based methods can intelligently predict unknown new attacks by learning from existing normal system behaviors.

Fig. 1: A big picture of the general learning based IoT security system. (Diagram blocks: IoT Applications; IoT System; Monitoring Data; ML/DL Security Module; outputs: Cyber Attack, Physical Attack, No Attack.)

In this paper, we propose a DL based IoT energy audit analytics for detecting and identifying not only cyber but also physical attacks. Using the proposed DL models, a system is built to detect anomalies in power consumption, which indicate characteristics of certain types of attacks. The contributions of our work are as follows:

1) To our best knowledge, this is the first attempt to use energy audit data in the IoT security system to detect both cyber and physical threats and attacks;

2) We propose a dual deep learning model system. Unlike the previous deep learning applications, our system has two deep learning models, the disaggregation model and aggregation model;

3) Our system detects operation anomalies based on only the energy audit readings without other sources. The dual DL models are pre-trained based on the performance metrics and energy consumption of an IoT device.

4) Based on the disaggregated system performance metrics and energy consumption prediction, the attacks can not only be detected but also identified.

II. RELATED WORK

The proposed energy audit and analytics based security mechanism for IoT security is original and has not been attempted before. In this section, we first introduce some typical cyber and physical attacks and discuss their characteristics, then the most related works—power disaggregation and prediction, are presented.

A. Cyber and Physical Attacks

Recently, Abdul-Ghani et al. [3] made a comprehensive IoT attack survey including both cyber and physical attacks. Cyber attacks affect system statistics. For example, unauthorized access which tries to manipulate sensitive data would generate abnormal network traffic [20]. Similarly, if the attackers use a port scan tool to look for weak ports [21], network properties would be abnormal. In addition, virus services may send out sensitive data or run suspicious processes [22], where system performances are related to the specific types of viruses. A typical denial of service (DoS) attack sends a huge amount of packets to make the device unreachable [23], where a large amount of received packets are reflected in the network traffic. Physical attacks damage the IoT devices deployed in unattended environments [24]. Generally speaking, IoT functionality is threatened by physical layer damages [25].

B. Power Disaggregation and Prediction

Power disaggregation aims to disaggregate the whole house energy measurement to identify individual appliance’s energy consumption, which is always referred to as a non-intrusive load monitoring (NILM) problem. Kolter et al. used additive factorial hidden Markov models (FHMM), an extension to hidden Markov models (HMMs), for power disaggregation [15]. Kolter et al. proposed to use dictionary learning for energy disaggregation [26]. With the recent DL developments, various neural network architectures such as recurrent neural networks (RNN) with convolution layers, auto encoders and other regression networks have been used to disaggregate the power consumption to individual devices in a household [27]. However, those algorithms cannot directly apply to IoT devices for disaggregation, because the state transition in IoT software is far more dynamic and fast.

Power prediction has applications in optimizing energy consumption and scheduling in high-performance computing domains. Contreras et al. use a linear model to predict power consumption from hardware counter values [28]. The model has a relatively low complexity, however, it relies on data from hardware counters during operations, which may be difficult to obtain. In addition, Economou et al. used the same principles to model power utilization in a server environment [29]. They used utilization metrics of various components such as CPU, memory and network to get the total power utilization.

III. ALGORITHM AND SYSTEM DESIGN

Threat Model. Our system is designed to be sensitive to the abnormal energy pattern changes caused by physical and cyber attacks. In terms of physical attacks, energy changes due to tampering, physical damage, jamming, etc., can be detected and identified. As for cyber attacks, network and software attacks [30] are our targets, including DoS, unauthorized access, virus and worms, Trojan horse, etc. Energy anomaly is the evidence of attacks; furthermore, different energy patterns indicate the attack types.

Algorithm Design. The proposed IoT security analytics system is shown in Figure 2, which is an end-to-end system. The device power consumption data are organized into a time series. First, a pre-processing step is applied to maintain the waveforms and condition data samples. Next, the energy consumption data are fed into the disaggregation model. The disaggregation model generates the modeled CPU usage, network TX¹ throughput and the disk usage using the input power sequences. (If applicable, these individual performance metrics can be used separately outside the system for finer analytics.) If cyber attacks happen, the disaggregated system subcomponents from energy auditing will differ from the measured system statistics. Because the DL models are trained based on known system behaviors, only the normal system responses will be reflected. Then, the predicted power consumption and the true power consumption will be compared to generate a prediction error. In the end, a time series anomaly detection method is applied to detect the possible attacks. If either cyber or physical attack happens, the abnormal prediction error will be detected. Algorithm 1 and Figure 2 show the whole end-to-end system operation workflow. Note that in the training phase the ground truth of system performance metrics is required, but in real operation, based on the pre-trained models, only the energy audit data are needed.

Fig. 2: Workflow of the proposed IoT security system. The block in gray indicates the possible attack analytics when the system performance metrics are measured. (Diagram blocks: Power Consumption; Preprocessing; Energy Disaggregation; System Performance Metrics; Attack Analytics; Energy Prediction; Prediction Error; Cyber & Physical Attack Detection.)

Algorithm 1 Proposed IoT security system.
1: Input: Energy audit reading of the IoT device.
2: Output: Whether the device is compromised.
3: Preprocessing (Section III-A).
4: Energy disaggregation (Section III-C).
5: If applicable, the disaggregated performance metrics are compared with the ground truth to indicate which IoT component is not behaving normally.
6: System performance metrics aggregation for energy prediction (Section III-D).
7: Anomaly detection based on the prediction error (Section III-E).

A. Pre-processing

The power consumption, as well as the performance metrics, are time series data. Because the energy meter could accidentally lose some data samples, a conditioning step to maintain a stable sampling frequency is very important for the further analysis. Typically, an interpolation step is implemented.

Next, energy meter readings and collected system performance data are susceptible to noise. This is more likely for the energy consumption reading as it is read from an I/O (input/output) port on the device. Noisy data may have a negative effect on the model training. The edges caused by the sharp rise in CPU and disk usage could be useful features in the models. Hence the data need to be smoothed whilst still maintaining edges. The median filtering is an edge preserving noise removal technique [31]. Figure 3 shows the edge-preserving filtering results on power data, which retain the main power consumption patterns. After filtering, the data are normalized to lie between 0 and 1 before feeding into the DL model. The scaler is fit only to the training set. In the later stage, the validation and testing sets are rescaled for real-world interpretation based on the values from the training set.

¹ In the network chart, TX and RX are the abbreviations of Transmit and Receive, which may refer to packet or bytes.

Fig. 3: Preprocessing power data to remove the high frequency noises without damaging the edges. (a) Raw power data. (b) Power data after filtering.
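The three pre-processing steps described above (interpolation of lost samples, edge-preserving median filtering, and min-max scaling fitted on the training set only) can be sketched as follows. This is an added example, not the authors' code: the function names, the filter width of 5, the 5-second grid and the traces are assumptions, and the traces are constructed rather than measured.

```python
from statistics import median


def resample_uniform(samples, period):
    """Linearly interpolate (timestamp, value) pairs onto a fixed-period grid,
    filling in readings the meter dropped. Needs >= 2 distinct timestamps."""
    samples = sorted(samples)
    t0, t_end = samples[0][0], samples[-1][0]
    grid, j = [], 0
    for k in range(int((t_end - t0) // period) + 1):
        t = t0 + k * period
        # Advance to the pair of readings that brackets grid time t.
        while j + 2 < len(samples) and samples[j + 1][0] <= t:
            j += 1
        (ta, va), (tb, vb) = samples[j], samples[j + 1]
        grid.append(va + (vb - va) * (t - ta) / (tb - ta))
    return grid


def median_filter(x, width):
    """Odd-width sliding median with replicated ends: removes isolated
    spikes but keeps step edges where they are."""
    if width % 2 == 0:
        raise ValueError("width must be odd")
    half = width // 2
    padded = [x[0]] * half + list(x) + [x[-1]] * half
    return [median(padded[i:i + width]) for i in range(len(x))]


class MinMaxScaler:
    """Min-max scaling whose range is learned from the training set only."""

    def fit(self, train):
        self.lo, self.hi = min(train), max(train)
        if self.hi == self.lo:
            raise ValueError("training data is constant")
        return self

    def transform(self, x):
        return [(v - self.lo) / (self.hi - self.lo) for v in x]


def clean(samples, period=5, width=5):
    """Interpolate, then median-filter (both parameters are assumptions)."""
    return median_filter(resample_uniform(samples, period), width)


def make_trace(values, period=5, dropped=()):
    """Build a constructed (timestamp, value) trace, omitting dropped indices."""
    return [(i * period, v) for i, v in enumerate(values) if i not in dropped]


# Constructed training trace: one-sample noise spike at index 5, a genuine
# step edge at index 11, and the reading at index 8 lost by the meter.
TRAIN_TRACE = make_trace([0.2] * 5 + [0.9] + [0.2] * 5 + [0.8] * 6, dropped={8})
# Constructed test trace whose plateau exceeds anything seen in training.
TEST_TRACE = make_trace([0.2] * 4 + [1.0] * 6)

if __name__ == "__main__":
    train = clean(TRAIN_TRACE)
    scaler = MinMaxScaler().fit(train)
    print("train:", scaler.transform(train))
    print("test: ", scaler.transform(clean(TEST_TRACE)))
```

Because the scaler range comes from the training set alone, the test plateau maps above 1, which is the same effect the page later notes for a segment that does not lie exactly between 0 and 1.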

B. Deep learning model components

1) Convolutional neural network: The convolutional neural network (CNN) is a popular deep learning algorithm which has been successfully applied to time series classification and prediction [17]. Hence, we use CNN based models to learn power disaggregation and prediction. Formally, extracting a feature map using a 1D convolution operation is given by:

$$a_j^{(l+1)}(\tau) = \sigma\left( b_j^{l} + \sum_{f=1}^{F^{l}} K_{jf}^{l}(\tau) * a_f^{l}(\tau) \right), \qquad (1)$$

where $F^{l}$ is the number of feature maps in layer $l$, $a_f^{l}$ denotes the feature map $f$ in layer $l$, $\sigma$ is a non-linear function, $K_{jf}^{l}$ is the kernel convolved over feature map $f$ in layer $l$ to create the feature map $j$ in layer $(l+1)$ as $a_j^{(l+1)}$. A designed DL model can consist of more than one convolutional layer, thus it is effective to learn complex feature patterns.

2) Activation function: In the proposed models, convolution layers with rectified linear unit (ReLU) activations $y = \max(0, b + W * x)$ are used, where $x$ is the input sequence, $W$ is the set of 1D kernels used for convolution. The final layers of both models predict the value of the time series at a single point. A sigmoid activation function given by $\sigma(x) = \frac{1}{1+e^{-x}}$ is used for the last layer.

C. Disaggregation model

Energy disaggregation is unidentifiable and thus a difficult prediction problem because more than one source is extracted from a single observation. A typical regression model resulting in a deterministic prediction does not take into account the uncertainty factors. The proposed disaggregation model is a modified seq2point model [17]. The midpoint $x_\tau$ of the output is mapped from a neural network $F_p$ based on the input $Y_{t:t+w-1}$ as $x_\tau = F_p(Y_{t:t+w-1}) + \varepsilon$, where $w$ denotes the analysis window length. The loss function describes the difference between the approximate and posterior distribution of the midpoint value as $L = \sum_{t=1}^{T-w+1} \log p(x_\tau \mid Y_{t:t+w-1}, \theta_p)$, where $\theta_p$ are the DL parameters, which are selected by trials.

In our current study, we disaggregate the power consumption to three components, and we will discuss the reason in Section IV-C. Note that, since the CPU, TX and Disk performances are all time series as well as the energy reading, 1D features are adequate to represent the inherent relations. So we adopt 1D convolution operators. In addition, as our application is for IoT systems, the computation burden is also in consideration, which means if a model uses smaller memory space and less computation resources but achieves a similar performance, it should be adopted. Simply speaking, to characterize the time series properties, a convolution operator should have certain length, but it should be as short as possible, which benefits the computation cost and improves the system sensitivity. The architecture of the disaggregation model is shown in Figure 4, where the input layer size is [51 × 1].

Fig. 4: Architecture of power disaggregation model. (Diagram labels: Energy input; Input Layer; Convolution Layer; MaxPooling; Convolution Layer; then three parallel columns of Convolution Layer, Convolution Layer, Flatten Layer and Dense Layer, with outputs CPU, TX and Disk.)

D. Aggregation based prediction model

Unlike the traditional energy consumption study, where the total power consumption is the direct summation of all associated appliances [28], the power consumption and IoT system performance metrics have a non-linear relationship. We propose to use a DL based aggregation model to predict the power consumption, whose architecture is shown in Figure 5, where the input layer size is [21 × 3]. The model uses performance metrics such as CPU usage, network TX data and disk usage patterns to predict the power consumption at a certain instant. The input is a sequence of high dimensional vectors. Each dimension corresponds to one performance metric. Since energy consumption readings are time series data, 1D convolutions are performed. The input is passed to the first convolution layer which transforms the vector using 20 kernels. Unlike popular CNN models which use smaller kernels, we use longer kernels in the first layer for capturing features like edges which extend over a longer time. The transformed vectors are passed on to a “max pooling” layer to reduce the vector lengths while still capturing significant features, which is followed by another convolution layer containing 10 kernels with sigmoid activations. Once the convolutional operations are performed, the extracted features are forwarded to the last dense layer, which is a regression machine predicting a single number representing the power value for the corresponding input. The loss function is the mean square error (MSE) between the prediction result and ground truth for $N$ time steps, expressed as:

$$\frac{1}{N} \sum_{t=1}^{N} \left[ y(t) - \hat{y}(t) \right]^2.$$

Fig. 5: Architecture of the power prediction model. (Diagram labels: CPU, TX and Disk inputs; Input Layer; Convolution Layer; MaxPooling; Convolution Layer; Flatten Layer; Dense Layer; Energy output.)

E. Anomaly detection

The anomaly detection for time series data is usually based on statistical analysis. A classic threshold for normal distribution data is 3σ, where σ denotes the standard deviation. We commonly use µ ± 3σ, where µ denotes the mean of the time series, to represent normal data, which means if a data sample is out of this range, it is statistically likely to be an anomaly. In the real-time IoT security system, µ and σ vary from time to time, thus an online estimation is used based on Welford’s algorithm [32]:

$$\mu_n = \frac{(n-1)\mu_{n-1} + x_n}{n} = \mu_{n-1} + \frac{x_n - \mu_{n-1}}{n}, \qquad (2)$$

$$\sigma_n^2 = \frac{M_{2,n}}{n} = \frac{M_{2,n-1} + (x_n - \mu_{n-1})(x_n - \mu_n)}{n}, \qquad (3)$$

where $M_{2,n}$ is the second order moment. Based on the online time series statistics, the system anomaly detection can be implemented in a real time style for the IoT applications. Note that in the online security system the analysis window length determines the system sensitivity, which means a short analysis window would be more sensitive but also more prone to generating false alarms.
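The online µ ± 3σ test of Eqs. (2) and (3) can be written as a streaming detector over the prediction error. This is an added example, not the authors' implementation: the warm-up length, the choice to keep flagged samples out of the running statistics, and the use of cumulative rather than windowed statistics are assumptions, and the error trace is constructed.

```python
import math


class OnlineAnomalyDetector:
    """Running mean and variance via Welford's update (Eqs. 2-3), with a
    mu +/- k*sigma test applied to each new prediction-error sample."""

    def __init__(self, k=3.0, warmup=30):
        self.k = k            # band half-width in standard deviations (3 in the text)
        self.warmup = warmup  # assumption: samples absorbed before any alarm is raised
        self.n = 0
        self.mean = 0.0       # mu_n
        self.m2 = 0.0         # M_{2,n}, the second order moment

    @property
    def variance(self):
        # Eq. 3: sigma_n^2 = M_{2,n} / n
        return self.m2 / self.n if self.n else 0.0

    def _update(self, x):
        self.n += 1
        delta = x - self.mean               # x_n - mu_{n-1}
        self.mean += delta / self.n         # Eq. 2
        self.m2 += delta * (x - self.mean)  # numerator of Eq. 3

    def observe(self, x):
        """Return True if x lies outside mu +/- k*sigma of the samples seen so far."""
        limit = self.k * math.sqrt(self.variance)
        anomalous = self.n >= self.warmup and abs(x - self.mean) > limit
        if not anomalous:
            # Assumption: a flagged sample is not folded into the baseline, so a
            # sustained deviation cannot widen the band and mask itself. The cost
            # is that a legitimate permanent level shift keeps alarming until the
            # detector is reset.
            self._update(x)
        return anomalous


def flag_anomalies(errors, k=3.0, warmup=30):
    """Run the detector over a sequence; return flagged indices and the detector."""
    det = OnlineAnomalyDetector(k, warmup)
    flagged = [i for i, e in enumerate(errors) if det.observe(e)]
    return flagged, det


def constructed_errors():
    """Constructed prediction-error trace (not measured data): a bounded
    ripple, with samples 200-219 offset by 0.3 to stand in for an attack."""
    return [0.02 * math.sin(0.7 * i) + (0.3 if 200 <= i < 220 else 0.0)
            for i in range(250)]


if __name__ == "__main__":
    flagged, det = flag_anomalies(constructed_errors())
    print("flagged indices:", flagged)
    print("baseline mean %.5f, std %.5f" % (det.mean, math.sqrt(det.variance)))
```

The detector keeps only three numbers of state per monitored series, which suits the constrained devices the paper targets.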

IV. EXPERIMENTS AND EVALUATIONS

Simulating a real IoT system operation, we run a program, which samples random data with a fixed interval and carries out a variety of signal processing, storage, compression and transmission operations. The system consists of 12 Raspberry Pi wireless boards connected to a router in a mesh network style. An energy meter [33] is implanted to monitor the power consumption of the IoT device, shown in Figure 6. These nodes simulate the IoT devices running various applications. In this section, we describe how the system components work, and the system performance is evaluated in specially designed experiments with both cyber and physical attacks simulated.

Fig. 6: An energy meter labeled by a dashed frame is implanted to monitor the Raspberry Pi board. The 12 Raspberry Pis form a local network.

A. Data collection

The DL models for power disaggregation and prediction are pre-trained on real data. In the training phase, the performance metrics and energy audit data are needed. In order to get performance metrics, the statistics are collected using the /proc file system on Linux. The energy consumption reading is collected using the API of the Raspberry Pi to which the energy meter is attached. The model can be trained for any device as long as its performance metrics and power consumption can be recorded. For this task, the performance metrics for CPU usage, network usage and disk usage are monitored and stored while the device is running an application. Streaming the data continuously to the collection database is taxing on the embedded devices. In addition, to minimize the influence on the power consumption, the system performance statistics are sampled every 5 seconds. As the smart energy meter used in the system can be viewed as a side-channel sensor, the power consumption reading is separately extracted and saved.

B. Data preprocessing

The system is designed to detect volume attacks such as network floods and physical tampering such as heating the device. None of these attacks cause transient anomalies. As discussed in Section III-A, a median filter acting as an edge preserving filter is used to pre-process the raw data collected from the sensor and the device. Then a normalization step is applied. Figure 7 shows a data segmentation after both filtering and normalization. Note that the power segment does not lie exactly between 0 and 1, because the normalization is applied on the whole data not only on this segment.

Fig. 7: Collected data after preprocessing. From the top to the bottom are (a) Power, (b) CPU, (c) TX and (d) Disk.

C. Feature selection

It is intuitive to claim that for a complex system operating complicated applications, more system performance metrics should be collected. However, typically, IoT devices are specially designed for certain purposes, so limited system performance metrics could be adequate for system monitoring and attack detection tasks. From Figure 7, the CPU usage is highly correlated with the power consumption. In order to quantitatively analyze the importance of each performance metrics in the power consumption, a correlation matrix is computed, shown in Table I. CPU has the highest correlation with the power consumption, while the correlation coefficients show that the network RX feature has a very low relation with power consumption. This is likely specific to the application we are running. One possible explanation is that due to greater data transmission than receiving, the power consumption is affected more by the TX and the effect of RX is masked out. Since the correlation is very low, the RX feature is dropped. Thus, in our system, no matter the aggregation or the disaggregation model, only CPU usage, Disk usage and TX throughput are employed for analytics.


TABLE I: Correlations among power consumption and system performance metrics, CPU, TX, RX and Disk.

        CPU      TX       RX       Disk     Power
CPU     1        -0.66    0.022    0.34     0.95
TX      -0.66    1        -0.018   -0.26    -0.66
RX      0.022    -0.018   1        0.016    0.04
Disk    0.34     -0.26    0.016    1        0.5
Power   0.95     -0.66    0.04     0.5      1

D. Model training

For training both disaggregation and aggregation models, the dataset is split into training, validation and testing sets based on the 5 fold cross-validation rule. The total dataset contains 88,650 samples, out of which 40,000 points are used for training, while 10,000 are used for validation, and the rest are used for testing. The data samples are shuffled after windowing them into smaller subsequences/segments. For training and evaluation, MSE is used as a metric. To determine if the model has fitted the data, the MSE on the validation dataset is tracked. Early stopping is a suitable technique to stop training once a model is fit. If the MSE on the validation set does not decrease over a pre-determined set of epochs, it is assumed that the model is fitted and training will be stopped [34]. Early stopping and back propagation are used to train both the disaggregation and prediction models.

Fig. 8: Disaggregation results. (a) Normalized power consump-tion with disaggregated (b) CPU, (c) Disk, and (d) TX.

E. Disaggregation

In our experiments, only CPU, TX and Disk are considered as system performance metrics. Thus, the energy consumption is disaggregated to these three components. Figure 8 shows an example of the disaggregation results. Figure 8(a) is the normalized power consumption plot, while Figure 8(b)-8(d) are the disaggregated CPU, TX and Disk components, respectively. In the training phase, as the model shown in Figure 4, the loss functions of all the disaggregated components are combined together as the total MSE. So there are some misfits in the individual components, but the total prediction error is acceptable. The inaccurate energy audit reading could cause some problems, and from the results we can observe that certain small energy oscillations are ignored or not reflected in the disaggregation results. In addition, in Figure 8(d), the predicted TX fails to fit all the detailed system behaviors, and only the general trend is learned. A possible reason lies in the architecture of the DL model, and the hyperparameter selection also influences the model performance.

F. Aggregation based energy prediction

As shown in Figure 2, the input to the aggregation based prediction model is a sequence of three-dimensional vectors. Each dimension corresponds to one of the performance metrics, CPU, TX and Disk. MSE is also adopted in the model training. Figure 9 shows the prediction results as well as the recorded energy consumption data with different convolution filter sizes. Figures 9(a) and 9(b) demonstrate the differences using filter lengths 21 and 101. The MSE of these two models are similar: MSE21 = 0.032 and MSE101 = 0.031. Because of the random cross-validation, the performances are actually on the same level. Since our system targets IoT devices, the filter with 101 samples, which takes too much memory space, is less suitable. (Note that during the training and testing, the computational cost increases non-linearly with the data size.) Thus, we employ 21 as the convolution filter length.

Fig. 9: Power prediction model results with convolution filter length equal to (a) 21 and (b) 101.

G. Cyber and physical attack detection

In the previous Figures 8 and 9, the proposed system performance is shown with normal system behaviors. So both the disaggregation and aggregation models produce prediction results with very small errors. In this section, we simulate both cyber and physical attacks in the IoT system.

First, we simulate a high temperature situation as a physical attack by heating up the Raspberry Pi chip using a heating lamp. Because the easiest physical damage is to directly harm its components [30], a heating attack can be viewed as a simple but representative physical attack. If the IoT device is overheated, the system will fail. Second, according to Section II-A, typical cyber attacks affect network statistics. Thus, we simulate a DoS attack on the network throughputs, which generates heavy TX transmission and the associated energy anomalies. Figure 10 shows the predicted energy consumption and the measured energy consumption. The simulated physical attack is shown between around 150s and 600s, while the cyber attack is between around 900s and 1100s.

Fig. 10: Cyber and physical attacks are simulated in the experiments. The energy meter data are plotted as ground truth, while the predicted energy consumption is plotted as prediction. The anomalous mismatches indicate the attacks.

Then, based on differences between actual energy consumptions and prediction results, we apply anomaly detection to detect and identify the attacks. Figure 11 shows the prediction error, true attacks and detected anomalies. The anomalies are detected based on the statistical changes of the prediction errors. Both physical and cyber attacks are detected, which proves the effectiveness of the proposed system. Note that the DoS attack is not constant all the time, and there are some breaks during the attack, which can also be identified.

Fig. 11: Power prediction error with true attacks and detected anomalies. It is clear that the proposed system detects both cyber (between 900s and 1100s) and physical (between 150s and 600s) attacks successfully.

Furthermore, the attack types can be identified. Figure 12 shows a detailed analysis of the TX statistics. The prediction error is obtained by the comparison between disaggregated TX and measured TX. The detected anomalies have a good correspondence with the true cyber attacks, which indicates this is a network attack reflected on TX. Thus, if the system performance metrics are applicable, not only can the cyber attack be detected, but the attack types can also be identified according to the abnormal system metrics.

Fig. 12: Cyber attack analysis on the TX statistics.
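The residual-based detection and attack-type identification described in this section can be sketched as follows. This is an added example, not the authors' code: the MAD-based threshold, the majority-vote window, the one-sample-per-second rate, all function names and the constructed traces (offsets placed at the intervals reported above, with one break in the DoS) are assumptions standing in for the paper's unspecified statistical-change detector.

```python
import random
from statistics import median

def robust_flags(err, baseline_n, k=6.0):
    """Flag residuals more than k robust sigmas from the attack-free baseline."""
    base = err[:baseline_n]
    med = median(base)
    sigma = 1.4826 * median(abs(e - med) for e in base) or 1e-9  # MAD-based sigma
    return [abs(e - med) > k * sigma for e in err]

def smooth(flags, half=7):
    """Sliding majority vote so isolated spikes neither open nor split an alarm."""
    windows = (flags[max(0, i - half): i + half + 1] for i in range(len(flags)))
    return [2 * sum(w) > len(w) for w in windows]

def intervals(flags):
    """Return [start, end) index pairs for each run of consecutive True flags."""
    runs, start = [], None
    for i, f in enumerate(flags + [False]):
        if f and start is None:
            start = i
        elif not f and start is not None:
            runs.append((start, i))
            start = None
    return runs

def audit(p_meas, p_pred, tx_meas, tx_disagg, baseline_n=100):
    """Raise alarms on the power residual, then label each one using the TX residual."""
    p_err = [m - p for m, p in zip(p_meas, p_pred)]
    t_err = [m - d for m, d in zip(tx_meas, tx_disagg)]
    p_flags = smooth(robust_flags(p_err, baseline_n))
    t_flags = smooth(robust_flags(t_err, baseline_n))
    report = []
    for s, e in intervals(p_flags):
        tx_share = sum(t_flags[s:e]) / (e - s)  # fraction of the alarm with abnormal TX
        report.append((s, e, "cyber/TX" if tx_share > 0.5 else "physical"))
    return report

def constructed_trace(n=1200, seed=0):
    """Constructed normalized traces, one sample per second (assumed rate)."""
    rng = random.Random(seed)
    p_pred, tx_disagg = [0.5] * n, [0.2] * n   # model outputs, held flat for clarity
    p_meas, tx_meas = [], []
    for t in range(n):
        physical = 150 <= t < 600
        cyber = 900 <= t < 1100 and not 980 <= t < 1000   # DoS with one break
        p_meas.append(0.5 + rng.gauss(0, 0.01) + (0.3 if physical or cyber else 0.0))
        tx_meas.append(0.2 + rng.gauss(0, 0.01) + (0.4 if cyber else 0.0))
    return p_meas, p_pred, tx_meas, tx_disagg

if __name__ == "__main__":
    for start, end, label in audit(*constructed_trace()):
        print(f"{start:5d}s to {end:5d}s  {label}")
```

The baseline window must be known to be attack-free; if it is contaminated, the robust sigma inflates and real deviations fall under the threshold.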

V. CONCLUSION

In this paper, we propose a DL based IoT security system using energy auditing data. The side-channel energy meter readings enable the proposed system to detect not only cyber but also physical attacks and threats. In addition, the energy auditing data are harder to compromise than other sources. The dual disaggregation and aggregation deep learning models learn the normal performances of the IoT system, and can also provide detailed analytics of individual system performance metrics, if applicable. The anomaly detection based on the prediction errors tracks both cyber and physical anomalous behaviors. With the proposed approach, IoT systems will be better monitored and secured.

ACKNOWLEDGMENT

Our research is partially supported by NSF-CNS-1066391, NSF-CNS-0914371, NSF-CPS-1135814, NSF-CDI-1125165, and Southern Company.

REFERENCES

[1] M. A. Al-Garadi, A. Mohamed, A. Al-Ali, X. Du, and M. Guizani, “A survey of machine and deep learning methods for internet of things (IoT) security,” arXiv preprint arXiv:1807.11023, 2018.

[2] H. Ning, H. Liu, and L. Yang, “Cyber-entity security in the internet of things,” Computer, p. 1, 2013.

[3] H. A. Abdul-Ghani, D. Konstantas, and M. Mahyoub, “A comprehensive IoT attacks survey based on a building-blocked reference model,” International Journal of Advanced Computer Science and Applications (IJACSA), vol. 9(3), 2018.

[4] H. Guo, S. Li, B. Li, Y. Ma, and X. Ren, “A new learning Automata-Based pruning method to train deep neural networks,” IEEE Internet of Things Journal, vol. 5, no. 5, pp. 3263–3269, Oct. 2018. [Online]. Available: http://dx.doi.org/10.1109/JIOT.2017.2711426

[5] F. Li, A. Shinde, Y. Shi, J. Ye, X. Li, and W. Z. Song, “System statistics learning-based iot security: Feasibility and suitability,” IEEE Internet of Things Journal, pp. 1–8, 2019.

[6] M. Zou, C. Wang, F. Li, and W. Song, “Network phenotyping for network traffic classification and anomaly detection,” in IEEE International Symposium on Technologies for Homeland Security (HST), 2018.

[7] J. Pacheco and S. Hariri, “IoT security framework for smart cyber infrastructures,” in Foundations and Applications of Self* Systems, IEEE International Workshops on. IEEE, 2016, pp. 242–247.

[8] R. Roman, J. Zhou, and J. Lopez, “On the features and challenges of security and privacy in distributed internet of things,” Computer Networks, vol. 57, no. 10, pp. 2266–2279, 2013.

[9] A. Banerjee, K. K. Venkatasubramanian, T. Mukherjee, and S. K. S. Gupta, “Ensuring safety, security, and sustainability of mission-critical cyber-physical systems,” Proceedings of the IEEE, vol. 100, no. 1, pp. 283–299, 2012.

[10] D. E. Phillips, R. Tan, M.-M. Moazzami, G. Xing, J. Chen, and D. K. Y. Yau, “Supero: A sensor system for unsupervised residential power usage monitoring,” in 2013 IEEE International Conference on Pervasive Computing and Communications (PerCom). IEEE, 2013, pp. 66–75.

[11] X. Jiang, M. Van Ly, J. Taneja, P. Dutta, and D. Culler, “Experiences with a high-fidelity wireless building energy auditing network,” in Proceedings of the 7th ACM Conference on Embedded Networked Sensor Systems. ACM, 2009, pp. 113–126.

[12] A. Carroll, G. Heiser, and Others, “An analysis of power consumption in a smartphone.” in USENIX annual technical conference, vol. 14. Boston, MA, 2010, p. 21.

[13] M. Jahn, M. Jentsch, C. R. Prause, F. Pramudianto, A. Al-Akkad, and R. Reiners, “The energy aware smart home,” in Future Information Technology (FutureTech), 2010 5th International Conference on. IEEE, 2010, pp. 1–8.

[14] R. Tan, S.-Y. Chiu, H. H. Nguyen, D. K. Y. Yau, and D. Jung, “A joint data compression and encryption approach for wireless energy auditing networks,” ACM Transactions on Sensor Networks (TOSN), vol. 13, no. 2, p. 9, 2017.

[15] J. Z. Kolter and T. Jaakkola, “Approximate inference in additive factorial hmms with application to energy disaggregation,” in Artificial Intelligence and Statistics, 2012, pp. 1472–1482.

[16] L. Ghelardoni, A. Ghio, and D. Anguita, “Energy load forecasting using empirical mode decomposition and support vector regression.” IEEE Trans. Smart Grid, vol. 4, no. 1, pp. 549–556, 2013.

[17] C. Zhang, M. Zhong, Z. Wang, N. Goddard, and C. Sutton, “Sequence-to-point learning with neural networks for nonintrusive load monitoring,” arXiv preprint arXiv:1612.09106, 2016.

[18] M. Mohammadi, A. Al-Fuqaha, S. Sorour, and M. Guizani, “Deep learning for IoT big data and streaming analytics: A survey,” IEEE Communications Surveys & Tutorials, 2018.

[19] Y. LeCun, Y. Bengio, and G. Hinton, “Deep learning,” nature, vol. 521, no. 7553, p. 436, 2015.

[20] M. M. Ahemd, M. A. Shah, and A. Wahid, “IoT security: A layered approach for attacks & defenses,” in Communication Technologies (ComTech), 2017 International Conference on. IEEE, 2017, pp. 104–110.

[21] McMaster University, “The Five-Layer TCP/IP model: Description/Attacks/defense - computing and software wiki,” 2008.

[22] The OWASP Foundation, “Owasp top 10 - 2013 the ten most critical web applications security risks,” 2013.

[23] S. Kumarasamy and A. Gowrishankar, “An active defense mechanism for TCP SYN flooding attacks,” arXiv preprint arXiv:1201.2103, 2012.

[24] M. Abomhara and G. M. Køien, “Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks,” Journal of Cyber Security, vol. 4, no. 1, pp. 65–88, 2015.

[25] A. Pandey and R. C. Tripathi, “A survey on wireless sensor networks security,” International Journal of Computer Applications, vol. 3, no. 2, pp. 43–49, 2010.

[26] J. Z. Kolter, S. Batra, and A. Y. Ng, “Energy disaggregation via discriminative sparse coding,” in Advances in Neural Information Processing Systems, 2010, pp. 1153–1161.

[27] J. Kelly and W. Knottenbelt, “Neural nilm: Deep neural networks applied to energy disaggregation,” in Proceedings of the 2nd ACM International Conference on Embedded Systems for Energy-Efficient Built Environments. ACM, 2015, pp. 55–64.

[28] G. Contreras and M. Martonosi, “Power prediction for intel XScale® processors using performance monitoring unit events,” in Low Power Electronics and Design, 2005. ISLPED’05. Proceedings of the 2005 International Symposium on. IEEE, 2005, pp. 221–226.

[29] D. Economou, S. Rivoire, C. Kozyrakis, and P. Ranganathan, “Full-system power analysis and modeling for server environments.” International Symposium on Computer Architecture-IEEE, 2006.

[30] J. Deogirikar and A. Vidhate, “Security attacks in IoT: a survey,” in I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), 2017 International Conference on. IEEE, 2017, pp. 32–37.

[31] E. Arias-Castro, D. L. Donoho, and Others, “Does median filtering truly preserve edges better than linear filtering?” The Annals of Statistics, vol. 37, no. 3, pp. 1172–1206, 2009.

[32] D. E. Knuth, “The art of computer programming, 2: seminumerical algorithms, addison wesley,” Reading, MA, 1998.

[33] A. Hindle, A. Wilson, K. Rasmussen, E. J. Barlow, J. C. Campbell, and S. Romansky, “Greenminer: A hardware based mining software repositories software energy consumption framework,” in Proceedings of the 11th Working Conference on Mining Software Repositories. ACM, 2014, pp. 12–21.

[34] R. Caruana, S. Lawrence, and C. L. Giles, “Overfitting in neural nets: Backpropagation, conjugate gradient, and early stopping,” in Advances in neural information processing systems, 2001, pp. 402–408.

Fangyu Li is a postdoctoral fellow with the College of Engineering, University of Georgia. He received his PhD in Geophysics from University of Oklahoma. His Master and Bachelor degrees were both in Electrical Engineering, obtained from Tsinghua University and Beihang University, respectively. His research interests include signal processing, seismic imaging, machine learning, deep learning, distributed computing, Internet of Things (IoT), and cyber-physical systems (CPS).

Yang Shi is a Ph.D. student in the Department of Computer Science, University of Georgia. He received his B.Eng (2015) degree in Automation from Central South University, China and M.S. (2017) degree in Computer Science from University of Georgia. His research interests include distributed computing, machine learning, and Internet of Things.

Aditya Shinde received his BE in Electronics and Telecommunication Engineering from University of Mumbai in 2016. He is currently pursuing his MS in Artificial Intelligence at The University of Georgia. His research interests include machine learning and its applications in cyber security and IoT security.

Jin Ye (IEEE S’13-M’14-SM’16) received B.S. and M.S. degrees in electrical engineering from Xi’an Jiaotong University in 2008 and 2011, respectively. She received her Ph.D. in electrical engineering from McMaster University in 2014. She is currently an assistant professor of electrical engineering at the University of Georgia. Her main research areas include power electronics, electric machines, energy management systems, renewable energy systems, and electrified transportation.

WenZhan Song received his Ph.D. in Computer Science from Illinois Institute of Technology (2005), B.S. and M.S. degrees from Nanjing University of Science and Technology (1997 and 1999). He is a Chair Professor of Electrical and Computer Engineering in the University of Georgia. Dr. Song’s research focuses on cyber-physical systems and their applications in energy, environment, food and health sectors. He received NSF CAREER award in 2010.