The Internet of Things on AWS – Official Blog

Detect anomalies on connected devices using AWS IoT Device Defender

We often see security breaches depicted in media and popular culture. In the HBO series Silicon Valley, a compromised refrigerator is used by hacker Gilfoyle to run a malicious piece of software. The reality of connected devices isn’t very different from this fictitious scenario.

The compromised refrigerator can send consumer data to unauthorized endpoints. Connected devices such as a connected refrigerator need to be secured to ensure safe operation of IoT applications.

However, it can be a challenge for organizations to manage the security of connected devices. Despite all the security measures in place, a determined hacker such as Gilfoyle can still manage to infiltrate your connected devices. Detecting a compromised device is critical to taking timely action. AWS IoT Device Defender, in conjunction with an agent running on your device, enables you to detect abnormal device behavior and take necessary action.

In this article, we walk you through the following:

  • Setting up a connected device to talk to AWS IoT Core
  • Deploying and configuring an AWS IoT Device Defender agent for gathering diagnostic data from the device
  • Creating cloud resources to monitor and detect misbehaving devices
  • Running a rogue agent on your device to simulate a compromised device
  • Validating a notification being sent in response to malicious activity

The following diagram shows the high-level architecture for our setup

Set up your connected device

Follow these steps to create a representation of your device in AWS IoT Core, and generate the necessary security credentials to allow your device to talk to AWS IoT Core.

Let’s call the device “MyDevice”. At this point, you will have a “MyDevice” AWS IoT Thing created in your AWS account. You should also have downloaded a security certificate onto your device. The newly created device should appear in your AWS IoT console, as shown here.

Install and configure the AWS IoT Device Defender agent

  • Download the AWS IoT Device Defender agent into a folder “DDAgent” on your device.
  • Copy the following x.509 certificate, private key, and root CA that you created previously during setup of connected device, into the “DDAgent” folder:
    • MyDevice.cert.pem
    • MyDevice.private.key
    • root-CA.crt
  • Run the following command to start the AWS IoT Device Defender agent. You might have to run the agent with elevated privileges to allow it to collect necessary metrics.
Python ./ \
  --endpoint "" \
  -r ./root-CA.crt -c ./MyDevice.cert.pem -k MyDevice.private.key \
  -id MyDevice  --format json -i 300

The AWS IoT Device Defender agent should now be publishing metrics and you should see logs in the terminal, as shown here.

AWSIoTPythonSDK.core.protocol.mqtt_core - INFO - Performing sync publish...
Received a new message: 
from topic: 

Create cloud resources to monitor and detect abnormal behavior

The cloud infrastructure involves the following:

  1. Grouping devices in the form of an AWS IoT Thing Group to target anomaly detection.
  2. A security profile that defines anomalous behaviors for a group of devices or for all devices in your account, and that specifies what actions to take when an anomaly is detected.
  3. Behaviors that tell AWS IoT Device Defender how to recognize when a device is doing something abnormal. A behavior is defined using a metric, an operator on the metric, a value to compare the metric against and, in some cases, a time period.
  4. An alert that is sent out when the device performs an action that does not match the behavior defined in step 2.

Anomaly detection target grouping

We create an AWS IoT Thing Group named “allMyDevices” to associate with the AWS IoT Device Defender security profile. We will add the “MyDevice” Thing we created above to this group.

  1. Navigate to the AWS IoT console.
  2. In the Manage section, choose Groups.
  3. Choose Create.
  4. In the Create a thing group dialog box, specify “allMyDevices” for Name, and then choose Create thing group.
  5. You should see the details of the newly created group, as shown here
  6. Now choose Add a thing under Actions, and select MyDevice.


We will create an SNS notification, “MisbehavingDevices”, and add an email subscription to it.

  1. Open the Amazon SNS console.
  2. Choose Create topic.
  3. Name your topic “MisbehavingDevices”.
  4. Choose Create topic.
  5. Choose Create subscription under the newly created SNS topic, choose Email as the protocol, and provide your email address for Endpoint. Then choose Create subscription.

You will get an email at the end of this process. Follow the link in the email to complete the SNS notification process. Make a note of the ARN of the SNS topic we created. We will need this during the security profile definition.

Security profile

We will now create a security profile named “CheckRogueDevices”, and associate it with the target grouping “allMyDevices” that we created previously. We’ll also add the alert “MisbehavingDevices” that we created.

In the security profile, we will add two behaviors: one cloud side and one device side. The device-side behavior is reported by the AWS IoT Device Defender agent that we installed previously.

The first behavior, “msgReceive”, verifies that every five minutes the number of messages received from our device is less than 100. This behavior doesn’t need any device-side agent to be running.}The second behavior, “bytesOut”, verifies that every five minutes the number of bytes sent out by the device is less than 10,000 (approximately 10 K). AWS IoT Device Defender relies on the agent to report this metric, so the agent must be running on the device for this metric.

  "name": "bytesOut",
  "metric": "aws:all-bytes-out",
  "criteria": {
      "comparisonOperator": "less-than",
      "value": {
          "count": 10000
      "durationSeconds": 300

Go back to the AWS IoT Device Defender console. Navigate to Security profiles under the Defend, Detect section, and then choose Create. Name your security profile “CheckRogueDevices”. Create two behaviors: “msgReceive” and “bytesOut” by selecting Add behavior and selecting the appropriate Metric, Operator, and Value, as shown in the following figure.

Choose Detect, Security profiles, CheckRogueDevices. At this point you should see the following screen in your AWS IoT Device Defender console.

Run the rogue agent

Now let’s simulate a hacked device by running an agent that generates random packets of data, sends them to AWS IoT Core, and also receives the same packets. The amount of traffic generated by this rogue agent is more that the criteria we have specified in the behaviors we created above and should be sufficient to generate AWS IoT Device Defender violations.


Here is the code snippet of the rogue agent that is generating malicious traffic.

# MQTT message callback
def messageReceivedCallback(client, userdata, message):
    print('From topic %s, Received data %s\n' % (message.topic, message.payload))

# Connect and subscribe to AWS IoT
rogueAgent.subscribe(topic, 1, messageReceivedCallback)

# Publish to the same topic in a loop forever every 1 sec
while True:
    message = {}
    # Generate random 100 character string
    message['message'] = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(100))
    messageJson = json.dumps(message)
    rogueAgent.publish(topic, messageJson, 1)
    print('To topic %s: Published data: %s\n' % (topic, messageJson))

Copy the code for the file in the DDAgent folder you created earlier.

Run the following command to start the rogue agent:

python ./ \
  --endpoint "" \
  -r ./root-CA.crt -c ./MyDevice.cert.pem -k MyDevice.private.key \
  -id RogueAgent

The rogue agent should be sending and receiving random messages to AWS IoT Core. You should see messages in your console, as follows:

Published to topic /rogue/agent: Published data: {"message": "411BV90X7CO4XHOU77U3QFPJZ1E9JWVIZRMF9ET1QPFO6LY14FQF4WD6XFF9F6PP7SAHPIOEM6UHY0WNKBWQEWD1K8Y1UBF60V57"}

From topic /rogue/agent, Received data {"message": "411BV90X7CO4XHOU77U3QFPJZ1E9JWVIZRMF9ET1QPFO6LY14FQF4WD6XFF9F6PP7SAHPIOEM6UHY0WNKBWQEWD1K8Y1UBF60V57"}

Violation notifications

Give the rogue agent about five minutes to do its job. The traffic from the rogue agent should result in two AWS IoT Device Defender violations: “msgReceive” and “byteOut”. You should get an email from the Amazon SNS notification for these violations. You can also view the violations in the AWS IoT Device Defender console. In the navigation pane, choose Defend, Detect, Violations:


AWS IoT Device Defender can detect abnormal device behavior and take actions. Even if Gilfoyle from Silicon Valley manages to hack into your cutting-edge, next-generation Jetpack, you can sleep peacefully, because you will get notified as soon as Gilfoyle’s rogue agent starts doing any activity. For additional information about AWS IoT Device Defender, check out the launch presentation from the AWS Summit in Chicago. To get started, sign in to the AWS IoT Device Defender console.