How to use AWS IoT Device Defender custom metrics to detect anomalies in device metrics and improve your security posture | Amazon Web Services Blog

This article is a translation of How to Detect Anomalies in Device Metrics and Improve Your Security Posture Using AWS IoT Device Defender Custom Metrics published by Eknath Venkataramani and Ryan Dsouza.


IoT applications and devices are diverse and used in industries such as utilities, agriculture, manufacturing, mining, and consumer electronics. The exponential growth of IoT devices, and of the threats against them, means that IoT security must be considered from the start and built into the solution.

AWS IoT Device Defender is a service that helps protect IoT device fleets and can be used to audit and monitor IoT devices at scale. By default, this service can monitor 17 network-related metrics such as changes in connection patterns, devices communicating with unauthorized or unexpected endpoints, and changes in inbound and outbound device traffic patterns. You can use these metrics to learn how to monitor your fleet of IoT devices.

But what if you need to monitor metrics that are specific to your device fleet or use case? Examples of such security-related metrics include the number of devices connected to a Wi-Fi gateway, the battery level, the domain the device is connected to, changes to the applications or processes running on the device, changes to the device configuration, remote connections, or other application-specific behaviour.

In this blog, you will learn how to monitor security metrics specific to IoT applications. IoT administrators can configure security profiles to define expected device behavior based on custom metrics, monitor behavior patterns, and receive alerts when a device violates expected behavior. AWS IoT Device Defender custom metrics provide the flexibility to monitor the device fleet or use case-specific operational health and safety metrics, allowing you to respond to issues in a timely manner. It’s easy to set up and use on devices that connect to AWS IoT Core and helps improve the security posture of your IoT devices and systems. Understanding the state of your device is important to ensure the reliability, security, health, and performance of your IoT system. Device monitoring can provide development and operations teams with the information they need to troubleshoot issues. Use a predefined set of metrics and custom metrics to help you understand the state of your IoT system. Let’s see how to create sample custom metrics to monitor changes in processes running on IoT devices.

Solution overview and use cases

This article assumes the following:

  1. A Linux-based device, named mything1 in this article.
  2. An application, myapp, that performs all business operations on the device.

myapp communicates over the network, so it is important to monitor its behaviour. From a process-behaviour perspective, we know that myapp should never start a child process. Launching child processes such as an unauthorised user-controlled shell that executes arbitrary commands, or a cryptominer that mines cryptocurrency with the device's compute resources, is a common sign of compromise. With this context in mind, we build a solution that monitors the number of child processes launched by myapp and receive an alert from AWS IoT Device Defender whenever myapp starts a new process.

Solution Requirements

  1. AWS Account
  2. You can use the AWS IoT Quick Connect Guide to register items, apply policies, attach certificates, and download sample device agents. In step 2 of the guide above, select Python SDK for your AWS IoT Device SDK.
  3. AWS IoT Device Defender Agent SDK (Python)
  4. A computer with a current browser such as Firefox or Chrome
  5. Basic understanding of Linux (creating directories, setting file permissions, etc.) and programming (compiling code)

Note: The code screenshots show where in the existing AWS IoT Device Defender Agent SDK the code needs to be added.

Solution Architecture

Solution steps

Cloud side changes

  1. Create a custom metric that represents the number of child processes in myapp.

a. Navigate to Defend > Detect > Metrics in the left menu.

b. Click Create custom metric.

c. Enter a name and set the type to Number.

d. The custom metric has now been created.

2. Create a security profile.

a. Open the Security profiles section under Detect in the left menu.

b. Under Create security profiles, click Create rule-based anomaly detection profile.

c. Since we know that myapp should not start a child process, define the expected behaviour by selecting the metric "number of child processes of myapp" and setting its expected value to 0.

d. Also add the custom metric in the Additional metrics to keep drop-down list.

e. Click Next. Leave the Alert target section at its default values.

f. Click Next. If this rule applies to the entire fleet, attach the security profile to all things. Note that you can also select a specific thing group to apply this profile to.

g. Click Next, review all settings, then click Save and Continue.

h. The Security Profiles page lists newly created security profiles.

3. First, make sure you are in the correct AWS Region. Then, on the AWS IoT Policy page, update the IoT policy so that the permissions needed to publish Device Defender metrics are scoped only to resources belonging to mything1. The Action and Resource values below were lost in extraction and are reconstructed from the standard Device Defender agent topics ($aws/things/<thingName>/defender/metrics/...); replace <region> and <account-id> with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:<region>:<account-id>:client/mything1"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:<region>:<account-id>:topic/$aws/things/mything1/defender/metrics/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:<region>:<account-id>:topicfilter/$aws/things/mything1/defender/metrics/*"
      ]
    }
  ]
}

Device side changes

1. Download the sample agent from GitHub.

git clone https://github.com/aws-samples/aws-iot-device-defender-agent-sdk-python.git

2. Structure of the sample agent

a. collector.py is the module that:

i. Collects the metrics of interest, in this case the number of child processes of myapp. Note that collection happens at the interval defined by the -i command-line argument.

ii. Formats the collected metrics into the form AWS IoT Device Defender Detect requires, using the metrics module, and uses the tags module to set the name of each metric sent to AWS IoT Device Defender Detect.

b. agent.py is the high-level module that combines the collector with the AWS IoT SDK (awsiot) to communicate with AWS IoT.

3. In tags.py, add the new metric as a property of the Tags class. The string returned here must match the custom metric name created in the console.

@property
def num_child_processes(self):
    return "num_child_procs_myapp"

4. Add num_child_processes to the Metrics class.

a. In the constructor (__init__), set the default: self.num_child_processes = []

b. Create a Metrics member function that sets the metric value to send:

def add_num_child_processes(self, num_child_processes):
    # A custom metric of type Number is reported as {"number": <value>}
    self.num_child_processes = {"number": num_child_processes}

c. Finally, in the _v1_metrics member function, add the metric to the report under the tag defined earlier (t is the Tags instance that function already uses):

if self.num_child_processes:
    report[t.custom_metrics] = {t.num_child_processes: [self.num_child_processes]}

5. Update collector.py with the functions needed to find the number of child processes of myapp.

We use two functions here.

i. The first finds the process object representing myapp. This function is defined outside the Collector class (collector.py imports psutil as ps):

def find_process(process_name):
    # Return the first process object whose name matches `process_name` exactly
    for proc in ps.process_iter():
        try:
            if process_name == proc.name():
                return proc
        except (ps.NoSuchProcess, ps.AccessDenied):
            continue  # process vanished or is not readable; keep scanning
    return None

ii. The other finds the child processes of myapp; it is a staticmethod of the Collector class:

@staticmethod
def get_num_child_processes(metrics):
    process_name = "myapp"
    my_process = find_process(process_name)
    num_child_processes = 0
    if my_process:
        # Count the whole subtree, not just direct children
        num_child_processes = len(my_process.children(recursive=True))
    metrics.add_num_child_processes(num_child_processes)

b. In the collect_metrics member function, add a line that calls get_num_child_processes when custom_metrics is enabled:

if self._use_custom_metrics:
    # metrics_current is the Metrics object that collect_metrics builds
    self.get_num_child_processes(metrics_current)
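As an added example (not part of the original post or of the SDK), the child-process count from step 5 and the report structure from step 4 can be exercised without psutil or a live MQTT connection: the block reads the process tree from /proc on Linux (or uses a constructed sample tree), counts the descendants of myapp, builds the Device Defender v1 metrics document carrying the custom metric, and mirrors the security profile's "expected value 0" rule locally so the collector can be unit-tested before deployment. The metric name and the sample tree are assumptions.

```python
import os
import re

# Assumed to match the custom metric name created in the console in step 1.
METRIC_NAME = "num_child_procs_myapp"

def proc_tree_from_procfs():
    """Read {pid: (ppid, name)} from /proc on Linux; names are the kernel comm (15 chars max)."""
    tree = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited between listdir() and open()
        m = re.match(r"(\d+) \((.*)\) \S (\d+)", stat, re.S)
        if m:
            tree[int(m.group(1))] = (int(m.group(3)), m.group(2))
    return tree

def count_descendants(tree, process_name):
    """Count all descendants of the first process named process_name (like children(recursive=True))."""
    root = next((pid for pid, (_, name) in tree.items() if name == process_name), None)
    if root is None:
        return 0  # myapp is not running: report 0 rather than fail the collection cycle
    children = {}
    for pid, (ppid, _) in tree.items():
        children.setdefault(ppid, []).append(pid)
    stack, total = [root], 0
    while stack:
        for child in children.get(stack.pop(), []):
            total += 1
            stack.append(child)
    return total

def build_report(report_id, value):
    """Device Defender v1 metrics document carrying one custom metric of type number."""
    return {"header": {"report_id": report_id, "version": "1.0"}, "metrics": {},
            "custom_metrics": {METRIC_NAME: [{"number": value}]}}

def violates_profile(report, expected=0):
    """Local mirror of the security profile rule: the child-process count must equal 0."""
    return report["custom_metrics"][METRIC_NAME][0]["number"] != expected

# Constructed sample tree: myapp (pid 100) spawned sh (101), which spawned cat (102).
SAMPLE_TREE = {1: (0, "init"), 100: (1, "myapp"), 101: (100, "sh"), 102: (101, "cat"), 200: (1, "sshd")}
```

On a device, call build_report(report_id, count_descendants(proc_tree_from_procfs(), "myapp")) once per collection interval; the sample tree reproduces the fake myapp scenario from step 7 (sh with a cat child), which the rule flags as a violation.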

6. Install the package: pip install ./aws-iot-device-defender-agent-sdk-python --upgrade

7. Run and test the modules individually to make sure they are error-free.

a. Note that we pass the -cm command-line argument, which enables collection of custom metrics.

b. Create a fake myapp by copying the current shell and renaming the copy to myapp:

i. cp `which sh` ./myapp

ii. Launch myapp: ./myapp

iii. From inside it, start a long-running process that waits for user input, such as cat: cat

8. Run agent.py with the required parameters plus -cm (to enable custom metrics) to continuously monitor the number of processes spawned by myapp. Replace the placeholders with your AWS IoT endpoint and the paths to your root CA, certificate, and private key:

python aws-iot-device-defender-agent-sdk-python/AWSIoTDeviceDefenderAgentSDK/agent.py -f json -e <endpoint> -r <root-ca> -c <cert> -k <key> -cm -id mything1

9. Go to the Defender metrics tab on the Things page and you can immediately see the number of child processes of myapp (again, make sure you are in the correct AWS Region).

10. You should also see the alarm that is generated when the expected behaviour is violated.


This blog showed how to create a rule-based security profile that uses a custom metric in AWS IoT Device Defender, and the modifications required in the sample agent to send this device information to AWS IoT Device Defender. You can now create your own custom metrics specific to your device fleet or use case, receive alerts, investigate issues, and take mitigation actions. You can use AWS IoT Device Defender's built-in mitigation actions to respond to alerts, for example by adding things to a thing group, replacing the default policy version, or updating device certificates.

To learn more

About the Author

Eknath Venkataramani is a security engineer on the AWS IoT team. He is currently focused on protecting multiple AWS IoT service versions by identifying and designing new IoT features that make it easier for IoT customers to be secure.
Ryan Dsouza is a Principal Solutions Architect for IoT at AWS. Based in New York, Ryan uses the breadth and depth of AWS capabilities to help customers design, build, operate, and deliver measurable business results with more secure, scalable, and innovative solutions. Ryan has over 25 years of experience in OT/IIoT security across digital platforms, smart manufacturing, energy management, construction and industrial automation, and a variety of industries. Prior to AWS, Ryan worked for Accenture, SIEMENS, General Electric, IBM, and AECOM, serving clients through digital transformation initiatives.

This article was translated by Solutions Architect Totsuka.
