Physical data is collected from the device using 12 different attached sensors, and is sent to Google Cloud using ESP32. The data is batched in rows of 50 data points, and time-series modelling is conducted using our Light GBM model to get a predicted range of values for the CPU power consumption.

According to the laws of physics, the CPU power consumption should not vary too far from the predicted values (if the sensors are giving “low” readings, an unusually high CPU power consumption suggests an attack on the device). Hence, if the real value of CPU power consumption is outside the predicted range, it is flagged as an anomaly and displayed on our frontend dashboard.

Network packets to and fro the device are collected using Wireshark, and converted into CSV files with 84 different network features using CICFlowMeter every 10 seconds. The CSV files are then sent to Google Cloud Storage, and the network model is used to get a prediction on whether each row is normal or anomalous.

The network model uses Light GBM to predict whether each network row is anomalous, and if it is, gives the prediction of what type of attack it is. This data is sent to Google BigQuery, and is fetched in the frontend dashboard using our backend APIs.