| 1 | +# IoT Intrusion Detection System (Information Security Project) |
| 2 | + |
| 3 | +**Course:** Information Security / Network Security |
| 4 | +**Semester:** 3rd |
| 5 | +**Submitted To:** Prof. Khalid Mehmood Khan |
| 6 | +**Submitted By:** |
| 7 | + |
| 8 | +- 🧠 _Moavia Amir_ (2k24_BSAI_72) — [📧 contactmuawia@gmail.com](mailto:contactmuawia@gmail.com) |
| 9 | +- ⚙️ _Muhammad Ramzam_ (2k24_BSAI_31) — [📧 Ramzam@gmail.com](mailto:Ramzam@gmail.com) |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +## 📘 Project Overview |
| 14 | + |
| 15 | +**IoT Intrusion Detection System** is a lightweight, classroom‑safe IDS that monitors MQTT traffic from ESP8266/NodeMCU sensors, detects anomalous behaviours (message‑rate floods, large‑payload floods, and tampering), and displays real‑time alerts on a local dashboard. The project demonstrates practical information security techniques for protecting IoT deployments and is intended for educational demonstration on owned devices and isolated networks. |
| 16 | + |
| 17 | +--- |
| 18 | + |
| 19 | +## 🔍 Problem Statement |
| 20 | + |
| 21 | +IoT devices are often resource‑constrained and poorly secured, making them vulnerable to message floods, tampering, and spoofing. These attacks can degrade service availability, corrupt telemetry, and open attack surfaces in smart systems. This project demonstrates how a simple IDS can detect such conditions and help preserve **integrity** and **availability** of IoT systems. |
| 22 | + |
| 23 | +--- |
| 24 | + |
| 25 | +## 🎯 Objectives |
| 26 | + |
| 27 | +- Build a reproducible IDS that monitors MQTT topics from ESP sensors. |
| 28 | +- Detect two core attack types: |
| 29 | + 1. **Message‑rate flood** — many small messages per second. |
| 30 | + 2. **Byte‑rate flood** — large payloads causing bandwidth spikes. |
| 31 | +- Demonstrate tampering/spoofing and an optional proxy (MITM) simulation. |
| 32 | +- Provide a minimal web UI showing live sensor data and alert status. |
| 33 | +- Ensure the demo is safe and limited to owned/isolated networks. |
| 34 | + |
| 35 | +--- |
| 36 | + |
| 37 | +## 🧠 System Overview |
| 38 | + |
| 39 | +| Component | Purpose | |
| 40 | +| --------------------- | ----------------------------------------------------------- | |
| 41 | +| **ESP8266 / NodeMCU** | Sensor (publishes temperature) and optional attacker device | |
| 42 | +| **Laptop** | Runs Mosquitto MQTT broker, IDS (Python), and Flask web UI | |
| 43 | +| **Phone** | Optional attacker (MQTT app or Termux) to simulate attacks | |
| 44 | +| **Software stack** | Mosquitto, Python (paho-mqtt, Flask), Arduino IDE | |
| 45 | + |
| 46 | +--- |
| 47 | + |
| 48 | +## 🔬 Working Principle (Simple) |
| 49 | + |
| 50 | +1. ESP sensor publishes JSON messages to `home/sensor/temp` at 1 msg/sec. |
| 51 | +2. Laptop (broker + IDS) subscribes to `home/sensor/#` and measures: |
| 52 | + - messages/sec per topic (msg_rate) |
| 53 | + - bytes/sec per topic (byte_rate) |
| 54 | +3. If `msg_rate` or `byte_rate` exceeds set thresholds → IDS raises an **ALERT** and the web UI shows a red warning. |
| 55 | +4. Attacks are simulated safely using a second ESP or a phone (MQTT app / Termux). |
| 56 | + |
| 57 | +--- |
| 58 | + |
| 59 | +## 🛠 Hardware & Software Requirements |
| 60 | + |
| 61 | +**Hardware** |
| 62 | + |
| 63 | +- ESP8266 / NodeMCU (sensor) |
| 64 | +- Optional second ESP (attacker) or smartphone |
| 65 | +- Laptop with Wi‑Fi and USB port |
| 66 | + |
| 67 | +**Software** |
| 68 | + |
| 69 | +- Mosquitto MQTT broker |
| 70 | +- Python 3.8+ with `paho-mqtt` and `Flask` |
| 71 | +- Arduino IDE (for flashing ESP) |
| 72 | +- (Optional) Termux or MQTT mobile app |
| 73 | + |
| 74 | +--- |
| 75 | + |
| 76 | +## 🚀 Quick Start (classroom demo) |
| 77 | + |
| 78 | +1. Install and start Mosquitto on laptop. |
| 79 | +2. Upload `esp_sensor.ino` to an ESP and set `BROKER_IP` to your laptop IP. |
| 80 | +3. Run `python3 ids_web.py` on laptop (default thresholds: `MSG_THRESHOLD=30 msg/s`, `BYTES_THRESHOLD=4000 B/s`). |
| 81 | +4. Open the UI: `http://<laptop-ip>:5000` — confirm **OK** status. |
| 82 | +5. Simulate attacks: |
| 83 | + - **Message‑rate flood:** start phone/ESP attacker with interval `50 ms` → IDS triggers message‑rate alert. |
| 84 | + - **Byte‑rate flood:** phone (Termux) publishes ~900B every `200 ms` → IDS triggers byte‑rate alert. |
| 85 | +6. Stop attacker → status returns to OK. |
| 86 | + |
| 87 | +> **Safety:** Only run tests on your own devices and local network. Do not run attacks on external or institutional networks. |
| 88 | +
|
| 89 | +--- |
| 90 | + |
| 91 | +## 📂 Folder Structure |
| 92 | + |
| 93 | +``` |
| 94 | +IoT_IDS/ |
| 95 | +├─ README.md # (this file) |
| 96 | +├─ requirements.txt # paho-mqtt, Flask |
| 97 | +├─ esp/ |
| 98 | +│ ├─ esp_sensor.ino |
| 99 | +│ └─ esp_attacker.ino |
| 100 | +├─ python/ |
| 101 | +│ ├─ ids_web.py |
| 102 | +│ ├─ phone_attacker.py |
| 103 | +│ └─ mqtt_proxy.py |
| 104 | +└─ slides/ |
| 105 | +└─ one_slide.txt |
| 106 | +``` |
| 107 | + |
| 108 | +--- |
| 109 | + |
| 110 | +## 🔧 Tuning & Extensions |
| 111 | + |
| 112 | +- Adjust `MSG_THRESHOLD` and `BYTES_THRESHOLD` in `ids_web.py` to match your classroom network. |
| 113 | +- Possible extensions: add rate‑limiting actions (block/quarantine), store alerts to CSV for the report, integrate cloud dashboards (ThingSpeak/Blynk), or add authentication and TLS for MQTT. |
| 114 | + |
| 115 | +--- |
| 116 | + |
| 117 | +## 🧾 Deliverables & Evaluation Evidence |
| 118 | + |
| 119 | +- Live demo (2–3 minutes): normal → message flood → large‑payload flood → tamper/proxy. |
| 120 | +- Source code: ESP sketches + Python scripts in the repo. |
| 121 | +- Report / screenshots showing alert and logs. |
| 122 | + |
| 123 | +--- |
| 124 | + |
| 125 | +## 📫 Contact |
| 126 | + |
| 127 | +- Moavia Amir — contactmuawia@gmail.com |
| 128 | +- Muhammad Ramzam — Ramzam@gmail.com |
| 129 | + |
| 130 | +--- |
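Review bot: the message-rate flood parameters in Quick Start step 5 (README line 83) cannot trigger the alert configured in step 3 (line 80). An attacker publishing every `50 ms` produces 20 msg/s, and the legitimate sensor adds 1 msg/s, so the per-topic rate the IDS observes is about 21 msg/s, below `MSG_THRESHOLD=30 msg/s`; either use a 20 ms interval (~50 msg/s) or lower the threshold to around 10 msg/s, which still leaves a wide margin over the 1 msg/s baseline. The byte-rate scenario (line 84) is marginal for the same reason: ~900 B every `200 ms` is ~4500 B/s against `BYTES_THRESHOLD=4000 B/s`, a 12% margin that scheduling jitter in a Termux script can erase; ~900 B every 100 ms (~9 KB/s) would trigger reliably. Two smaller points: step 1 ("Install and start Mosquitto", line 78) should say that Mosquitto 2.x by default listens only on localhost, and that once a network listener is added to the config, anonymous clients are refused unless `allow_anonymous true` is set, so the ESP will not connect until a config with `listener 1883` and `allow_anonymous true` is supplied (tolerable only because the demo runs on an isolated network, as the Safety note requires); and the Objectives (line 31) and Deliverables (line 119) promise a tampering/spoofing and proxy (MITM) demo, but the Working Principle (lines 50-55) describes only rate thresholds, so the README should state what `mqtt_proxy.py` does and how, or whether, the IDS detects tampered payloads, since rate counters alone cannot distinguish a spoofed publisher on `home/sensor/temp` from the real sensor.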