ZMAD: Lightweight Model-Based Anomaly Detection for the Structured Z-Wave Protocol

Carlos Kayembe Nkuba, Seunghoon Woo, Heejo Lee, Sven Dietrich

Research output: Contribution to journal › Article › peer-review

2 Citations (Scopus)


Smart home automation is part of the Internet of Things that enables remote control of the house via the use of smart devices, sensors, and actuators. Despite its convenience, vulnerabilities in smart home devices provide attackers with an opportunity to break into the smart home infrastructure without permission. In fact, millions of Z-Wave smart home legacy devices are vulnerable to wireless injection attacks due to the lack of encryption support and the lack of firmware updates. Worse yet, recent Z-Wave secure S2 devices with built-in encryption are also vulnerable to specific targeted attacks, i.e., attacking S2 devices is possible via vulnerable legacy devices or by injecting malicious unencrypted packets that alter the S2 devices' normal operations. In this paper, we present ZMAD, a lightweight anomaly-based intrusion detection system (IDS) for monitoring and detecting wireless attacks on Z-Wave smart home devices. ZMAD uses a technique called packet formalization to address heterogeneous packets coming from various Z-Wave devices. ZMAD also uses a centralized learning approach to profile normal communication patterns of devices to increase Z-Wave Command Class coverage. By constructing a lightweight artificial neural network built from scratch in consideration of packet formalization and centralized learning, ZMAD can effectively detect abnormal behaviors in Z-Wave networks and runs on an external device to avoid network overhead. We applied ZMAD to an evaluation testbed constructed using 17 top-rated real-world Z-Wave smart home devices. From our experiments, we confirmed that ZMAD could effectively discover wireless injected packets with an accuracy of 98% for its artificial neural network. Our further analysis demonstrated that ZMAD is more effective than existing approaches, increasing the coverage of Z-Wave Command Classes by 663% while reducing the size of the trained model (23.1 KB) by five to 47 times compared to existing deep learning architectures.

Original language: English
Pages (from-to): 60562-60577
Number of pages: 16
Journal: IEEE Access
Publication status: Published - 2023

Bibliographical note

Publisher Copyright:
© 2013 IEEE.


  • Internet of Things
  • Z-Wave
  • artificial neural network
  • intrusion detection systems
  • smart home security

ASJC Scopus subject areas

  • General Computer Science
  • General Materials Science
  • General Engineering

