Proceedings Paper

Fast, Lightweight IoT Anomaly Detection Using Feature Pruning and PCA

Journal

37TH ANNUAL ACM SYMPOSIUM ON APPLIED COMPUTING
Volume -, Issue -, Pages 133-138

Publisher

ASSOC COMPUTING MACHINERY
DOI: 10.1145/3477314.3508377

Keywords

Principal Component Analysis; Support Vector Machines; Neural Networks; Internet of Things; Malware detection; Anomaly Detection

Funding

  1. Auerbach Berger Chair of Cyber-security

Anomaly detection is a method for identifying malware and other anomalies, which can be applied to computing hosts and IoT devices. Using PCA for feature engineering in anomaly detection improves the performance and efficacy of detection models, particularly for resource-constrained IoT devices.
Anomaly detection is a method for identifying malware and other anomalies such as memory leaks on computing hosts and, more recently, Internet of Things (IoT) devices. Due to its lightweight resource use and efficacy, anomaly detection is a promising method to detect malware on small, resource-constrained hosts. Using Principal Component Analysis (PCA) to reduce the features, and hence the dimensionality of the anomaly detector, is common during the feature engineering process of classic machine learning methods, such as Support Vector Machines (SVM). However, as Neural Networks (NN) became more popular, many presumed that using PCA prior to using the data to train and deploy the model was unnecessary. In this work, we show that there is a significant advantage to using PCA for both SVM and NN-based anomaly detection. Doing so improves the performance and efficacy of malware detection models, and reduces the amount of data that needs to be stored on the device for on-device anomaly detection, thus making it useful for resource-constrained IoT devices. We also show that while pruning low-variance features may be an intuitive way to simplify a model, it is less effective than PCA at improving model training and deployment performance as well as model efficacy in detecting malware.
