Abstract

Internet of Things (IoT) has been thriving in recent years, playing an important role in a multitude of domains, including Industry 4.0, smart transportation, home automation, and healthcare. As a result, a massive number of IoT devices are deployed to collect data from our surrounding environment and transfer these data to other systems over the Internet. This exposes them to cybersecurity threats, such as denial-of-service attacks, brute-force attacks, and unauthorized access. Unfortunately, many IoT devices lack solid security mechanisms and hardware security support because of their limited computational capability. In addition, the heterogeneity of devices in IoT networks makes detecting security threats nontrivial. In this article, we present a collaborative intrusion detection system (IDS), MidSiot, deployed at both Internet gateways and IoT local gateways. The proposed IDS consists of three stages: (1) classifying the type of each IoT device in the IoT network; (2) differentiating between benign and malicious network traffic; and (3) identifying the type of attack targeting IoT devices. The last two stages are handled by the Internet gateways, whereas the first stage runs on the local gateway to leverage the computational resources of edge devices. Evaluation results on three popular IDS datasets (IoTID20, CIC-IDS-2017, and BOT-IoT) indicate that our proposal detects seven common cyberattacks targeting IoT devices with an average accuracy of 99.68% and outperforms state-of-the-art IDSs. This demonstrates that MidSiot could be an effective and practical IDS for protecting IoT networks.

1. Introduction

The number of devices connected to the Internet has been growing at a breathtaking pace over the past decades. From two billion in 2006, it reached 200 billion in 2020 because of the proliferation of mobile computing and the Internet of Things (IoT) [1]. These devices play a critical role in major industries (e.g., healthcare, manufacturing, retail, security, and transportation) by providing intelligent services, such as tracking inventory, managing machines, monitoring patient health, and detecting abnormalities. They are anticipated to boost the total global worth of IoT to 6.2 trillion dollars by 2025, most of which comes from manufacturing (2.3 trillion dollars) and healthcare (2.5 trillion dollars) [2]. IoT is clearly a driving force of change in nearly every aspect of daily life.

However, ensuring security and privacy for IoT devices is a nontrivial challenge due to their limited computational capability, which is insufficient for traditional security mechanisms. This makes them susceptible to wide-ranging cyberattacks, such as data leakage, spoofing, and DoS/DDoS. In a report published by Kaspersky, the first half of 2021 witnessed 1.5 billion attacks against smart devices aimed at stealing data, mining cryptocurrency, or building botnets [3]. In September 2016, an infamous attack performed by the Mirai malware turned 380,000 devices into a botnet that launched DDoS attacks against several services and organizations, including Dyn, a DNS service provider [4]. Moreover, this malware keeps mutating [5]. On 12 December 2017, one of its variants exploited a zero-day flaw in Huawei HG532 routers to speed up its infection. One year later, the number of variants had increased significantly, with Okiru, Masuta, OMG, Wicked, Hakai, and Yowai among them [6].

To eliminate such security threats, an intrusion detection system (IDS) is commonly deployed at network gateways. It constantly monitors network traffic coming from various sources to detect abnormalities that may be security threats. Following [7], the attack detection approaches of IDSs are categorized into signature-based and anomaly-based. The former identifies cyberattacks by comparing a set of signatures (or rules) extracted from known attacks against incoming traffic. We note that the key differences between IoT network traffic and other network traffic are diversity and volume. The diversity of IoT network traffic comes from the heterogeneity of IoT devices and their communication protocols, resulting in diverse network behaviors. Furthermore, the number of IoT devices grows exponentially, and they generate massive volumes of data traversing the Internet. Due to these characteristics, rule-based detection, of which Snort is a typical example, is insufficient for IoT networks. In detail, Snort is ineffective against complex attacks whose signs are varied and implicit in network traffic. In addition, Snort needs to maintain a large rule-set and requires security experts in the loop to update these rules frequently. Therefore, it is not efficient and scalable enough for IoT scenarios. The latter approach, which is the most popular, uses machine learning (ML) to construct a model of normal network traffic patterns. This model is then used to measure the similarity between the incoming traffic and the known patterns to detect malicious traffic. Although the anomaly-based approach using machine learning considerably alleviates the weaknesses of the signature-based approach, it still has several limitations.

(i) Neglecting a collaborative edge-cloud architecture: Training and inference tasks in machine learning are resource-intensive, so they are usually handled by cloud platforms in existing work. This might decrease the detection performance because the network traffic at the cloud level, which is merged from several gateways consisting of various data sources, is intricate. In contrast, edge devices are resource-constrained IoT devices that cannot handle complex machine learning tasks (e.g., detecting abnormal activities, training detection models). Offloading these tasks onto edge devices severely affects other services running on them. However, we believe that these devices could handle specific tasks that increase the IDS's detection performance regardless of their limited computational capability. Therefore, a collaborative edge-cloud architecture for intrusion detection systems is necessary to overcome this limitation.
(ii) Lacking IoT device-type identification: Because IoT device types are various and heterogeneous, their network behaviors are highly diverse. For example, a high UDP packet rate coming from an IoT camera is normal, but the same rate from a temperature sensor is a sign of a security threat. Ignoring the device type may therefore lead to false attack detection. Thus, identifying device types and using them as an input feature of the attack detection model is crucial to increasing the detection accuracy of IDSs.
(iii) Detecting a limited set of attack types: Existing work on IDSs is extensive but primarily concerned with detecting a limited set of attacks in a general domain, such as DoS and spoofing. Given the rising prevalence of IoT, there is an essential need to address a larger set of attacks targeting IoT networks.

To address these limitations, we present MidSiot, a machine learning-based three-stage IDS designed for IoT networks that supports collaboration between local gateways and the Internet gateways of Internet Service Providers (ISPs) (addressing the first limitation). In more detail, to leverage edge computing and enhance the attack detection accuracy, the first stage operates at local gateways to identify IoT devices based on their behavior in the network (addressing the second limitation), whereas the next two stages, powered by machine learning models, are handled by the Internet gateways to not only differentiate between normal and malicious network traffic but also accurately identify seven common attack types (addressing the third limitation). The evaluation results on existing IDS datasets for the IoT domain (IoTID20, BOT-IoT, and CIC-IDS-2017) show that MidSiot could detect seven popular attacks targeting IoT devices with an average accuracy of 99.68%. Our main contributions are as follows:
(1) A collaborative architecture for IoT IDSs that leverages the computational resources of edge gateways to enhance the IDS's detection performance.
(2) A lightweight and robust machine learning-based IDS consisting of three stages to accurately detect various cyberattacks targeting IoT devices.
(3) An intensive evaluation of our proposal on popular IDS datasets, including an examination of resampling techniques to address imbalanced datasets.

The remainder of the article is organized as follows. In Section 2, we discuss related work. The MidSiot architecture and its detection method are presented in Section 3. Section 4 reports the evaluation of our method through IDS datasets, and we conclude our work in Section 5.

2. Related Work

In recent years, there has been increased interest in exploring machine learning to enhance the detection quality of IDSs [17, 18]. In [9], the authors proposed an anomaly detection mechanism using a single machine learning classifier. The authors of [10] presented a scalable k-NN-based online anomaly detection method addressing the lazy-learning problem in wireless sensor networks. The work in [16] also employed anomaly detection techniques for IDSs using binary classification, which means it cannot identify the type of attack. In [11], the authors proposed an ensemble of autoencoders for an online IDS whose performance is comparable to offline anomaly detectors. Ref. [12] is a novel approach for IDSs in which the authors applied a convolutional neural network to predict the attack types, achieving 98% accuracy on the NSL-KDD dataset. There are also hybrid IDSs in which anomaly-based and signature-based approaches are combined. A typical system is introduced in [19], which combines packet header anomaly detection, network traffic anomaly detection, and Snort. In [13], the authors leveraged four machine learning algorithms to derive rule-sets used as signatures for their IDS. In [8], a hierarchical architecture including multiple neural networks was proposed to detect malicious packets and identify the attack types hidden inside these packets. The authors in [14] introduced a hierarchical structure for IDSs that separates the detection process into different steps. The authors in [20] suggested a distributed architecture for smart home IDSs that offloads complex tasks onto the Internet Service Provider (ISP) and delivers simple ones to the smart home gateway.

In terms of datasets used for IDSs, the authors in [21] proposed a new dataset called IoTID20 and evaluated it by implementing several machine learning algorithms (e.g., logistic regression, decision tree, random forest), which increased the F1-score for both binary and multiclass classification. The authors in [15] developed a new realistic botnet dataset for IoT networks (BOT-IoT), which consequently consists mainly of DDoS attacks. Another dataset is CIC-IDS-2017, which includes attack traffic generated by a testbed and realistic background traffic created by the B-profile system [22]. All three datasets were constructed using the CICFlowMeter tool (formerly known as ISCXFlowMeter) and therefore have a similar set of features. Regarding resampling methods for network intrusion detection systems (NIDSs), the work in [23] compared multiple undersampling techniques for NIDSs on the CIC-IDS-2017 and CIC-IDS-2018 datasets, including random, cluster-centroid, and NearMiss algorithms. The authors concluded that these undersampling methods reduce the models' training time, with K-nearest neighbors showing the most significant improvement. Other works combined several resampling techniques, such as oversampling and undersampling [24]. Their experimental results showed that oversampling increases the training time, whereas undersampling decreases it; in addition, when the dataset is highly imbalanced, these methods improve the recall score notably. The authors in [25] proposed an algorithm-level class balancing technique that addresses the underlying attack class imbalance in IDS datasets, identifying various attack categories with better accuracy than CNN models.

In recent years, many researchers have turned toward blockchain applications in intrusion detection systems thanks to its potential for protecting data integrity and privacy. The authors in [26] investigated the applications of blockchain to intrusion detection together with its challenges and limitations, such as the overhead traffic given the limited handling capability of intrusion detection and the extensive energy and cost usage of blockchain. Despite these difficulties, blockchain still has the potential to mitigate the data sharing and trust management issues in collaborative intrusion detection. As far as collaborative intrusion detection systems are concerned, a series of studies [27–29] provided blockchain-based, challenge-based collaborative intrusion detection. In these systems, the authors leveraged the strength of blockchain to build the trust mechanism in a network of IDS nodes. Their goals are to enhance the robustness of trust management against attacks and to protect the alarm aggregation process from malicious inputs. The works in [30, 31] contributed in the same direction, but the authors specifically targeted intrusion detection systems in software-defined networks. The authors in [32] proposed a deep blockchain framework offering security-based distributed intrusion detection and privacy-based blockchain with smart contracts in IoT networks. Although the experimental results of the intrusion detection system were promising, the classification algorithm in use was a bidirectional long short-term memory network, which, combined with blockchain, may impose a further computational burden on the IoT devices operating it.

To summarize the related work, Table 1 presents the state-of-the-art intrusion detection systems and their characteristics, including the targeted security threats, attack detection method, evaluation datasets, attack-type and device-type detection, and whether they are lightweight. None of them is lightweight while also classifying both the type of attack and the type of device targeted. In addition, several approaches are evaluated on non-IoT datasets or on testbeds having a small number of IoT devices. Thus, previous IDS proposals are insufficient for deployment in practical IoT ecosystems.

3. The MidSiot IDS

3.1. System Overview

In this section, we explain how our proposal works. First, Figure 1 illustrates the architecture of the proposed IDS, which comprises three stages distributed between local network infrastructures and ISPs. The first stage operates at the local gateways to identify connected IoT devices through their network behavior. The next stage, conducted at the Internet gateways of ISPs, classifies the network traffic of such IoT devices as normal or abnormal. When abnormal traffic is detected, it is passed to the third stage to identify the attack type. Since the last two stages are performed at ISPs, which aggregate a huge volume of network traffic, correctly identifying the IoT device types along with their network traffic in the first stage is essential for increasing attack detection performance in the following stages, especially for large-scale attacks targeting multiple networks.

Second, Figures 2 and 3 present block diagrams of the main operational phases of MidSiot, the training and prediction phases, respectively. They also illustrate the connections and interfaces between the components of the proposed IDS. In more detail, as shown in Figure 2, raw network packets are captured from network traffic by the packet flow inspection component and transformed into network flows. These flows are then fed into the feature extraction component, which extracts network features and computes network flow statistics. In addition, a feature selection algorithm is applied to remove unsuitable features from the extracted set. In the training phase, these features are aggregated into a dataset used to train the models. Once the models are trained, the ISPs store the models used for the second and third stages in their local storage, while the models used for the first stage are sent to the local gateways. We note that the second stage employs several models, each responsible for classifying the network traffic of a specific device type.

In the prediction phase illustrated in Figure 3, the network features are constructed similarly with the training phase; however, they are then fed to models for detecting malicious traffic. In more detail, the model of the first stage running on the local gateway is loaded to identify the device type of such features. All this information is transferred to ISP’s Internet gateways, where a well-trained model corresponding to the device type is used to detect abnormality in these features. If malicious activities are detected, they are forwarded to the third stage to detect attack types by using a universal attack detection model. The detection results, including the IoT device under the attack and the type of attack, are sent to the action manager component to trigger necessary actions (logging attack behaviors, blocking the network traffic of victims, notifying administrators about the attack). Note that, because MidSiot’s structure uses linked stages, the errors of one stage might affect not only the following stages but also the overall system’s performance. For example, if MidSiot misclassifies the device type, the second-stage results are potentially false. This is because the second-stage model is trained to learn the network patterns associated with a specific device type, and these patterns are different for each device type. Similarly, if the second-stage model misclassifies normal network traffic as abnormal, the final stage result is incorrect and triggers a false alert.

3.2. Network Flow Generation

The network flow generator produces network flows from a batch of raw network packets. In MidSiot, it is powered by the deep packet inspection method, which aggregates packets into flows sharing the same source/destination IP addresses, source/destination ports, and protocol (the 5-tuple) and calculates flow features and statistics. In addition, this method extracts MAC addresses, making it possible to label devices. As a result, we obtain 83 network features (e.g., FlowID, SourceIP, DestinationIP, SourcePort, DestinationPort, TimeStamp, and Protocol) listed in Appendix VI (Table 2).
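As an added illustration (not the flow generator used in MidSiot), the following Python code aggregates a constructed packet capture into bidirectional 5-tuple flows and derives a handful of the statistics of the kind listed in Table 2. The packet records, MAC addresses and the idle timeout are assumptions made for the example.

```python
"""Added example (not MidSiot's flow generator): aggregate raw packet records
into bidirectional flows keyed by the 5-tuple (src/dst IP, src/dst port,
protocol) and compute per-flow statistics. The packet records are constructed
for this example; the idle timeout value is an assumption."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Packet:
    ts: float        # capture time in seconds
    src_mac: str     # kept so the flow can later be labelled with a device type
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: str       # "TCP" or "UDP"
    length: int      # bytes on the wire


def flow_key(p):
    """Direction-insensitive 5-tuple so both directions of one conversation share a flow."""
    a, b = (p.src_ip, p.sport), (p.dst_ip, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


@dataclass
class Flow:
    key: tuple
    initiator: tuple            # (ip, port) that sent the first packet
    src_mac: str                # MAC of the initiator, used for device labelling
    timestamps: list = field(default_factory=list)
    lengths: list = field(default_factory=list)
    fwd_pkts: int = 0
    bwd_pkts: int = 0


def aggregate(packets, idle_timeout=120.0):
    """Group packets into flows; a silence longer than idle_timeout closes the flow."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda q: q.ts):
        k = flow_key(p)
        f = active.get(k)
        if f is not None and p.ts - f.timestamps[-1] > idle_timeout:
            finished.append(active.pop(k))
            f = None
        if f is None:
            f = Flow(key=k, initiator=(p.src_ip, p.sport), src_mac=p.src_mac)
            active[k] = f
        f.timestamps.append(p.ts)
        f.lengths.append(p.length)
        if (p.src_ip, p.sport) == f.initiator:
            f.fwd_pkts += 1
        else:
            f.bwd_pkts += 1
    finished.extend(active.values())
    return finished


def features(f):
    """A subset of CICFlowMeter-style statistics for one flow."""
    duration = f.timestamps[-1] - f.timestamps[0]
    n = len(f.timestamps)
    iats = [b - a for a, b in zip(f.timestamps, f.timestamps[1:])]
    return {
        "proto": f.key[0],
        "src_mac": f.src_mac,
        "flow_duration": duration,
        "tot_pkts": n,
        "fwd_pkts": f.fwd_pkts,
        "bwd_pkts": f.bwd_pkts,
        "tot_bytes": sum(f.lengths),
        "pkt_len_mean": mean(f.lengths),
        "pkt_rate": n / duration if duration > 0 else float(n),  # packets per second
        "iat_mean": mean(iats) if iats else 0.0,
    }


def sample_packets():
    """Constructed capture: a camera's UDP stream and a sensor's short TCP exchange."""
    cam = [Packet(i * 0.1, "aa:bb:cc:00:00:05", "10.0.0.5", "10.0.0.1", 5000, 8554, "UDP", 1200)
           for i in range(10)]
    sensor = [
        Packet(1.00, "aa:bb:cc:00:00:07", "10.0.0.7", "10.0.0.1", 40000, 1883, "TCP", 60),
        Packet(1.05, "aa:bb:cc:00:00:01", "10.0.0.1", "10.0.0.7", 1883, 40000, "TCP", 60),
        Packet(1.10, "aa:bb:cc:00:00:07", "10.0.0.7", "10.0.0.1", 40000, 1883, "TCP", 90),
    ]
    return cam + sensor


def flow_table(packets, idle_timeout=120.0):
    return [features(f) for f in aggregate(packets, idle_timeout)]


if __name__ == "__main__":
    for row in flow_table(sample_packets()):
        print(row)
```

The reply from the gateway lands in the same flow as the sensor's request because the key is direction-insensitive, while the initiator's MAC is retained so the flow can be attributed to a device in the training phase.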

3.3. Data Preprocessing

In IDS datasets, not all features are suitable for machine learning algorithms; some of them degrade model training performance, whereas others make models overfit. Therefore, a feature selection algorithm is necessary. First, all identity-based features (e.g., ip_src, ip_dst, flow_id, timestamp) are dropped to prevent overfitting, including the MAC-address features once they have been used to label the connected devices. We then adopt Pearson's correlation coefficient to identify and remove unimportant features. In more detail, the importance index of each feature is its linear correlation coefficient, a value between −1 and 1. Finally, we remove all features whose importance index is lower than 0.8. As a result, the final dataset comprises only 40 features, excluding all labels. We note that in MidSiot, Pearson correlation is used only during the training phase to construct a concise set of features suitable for the machine learning models. This feature set is then saved and loaded into the IDS in the detection phase. Pearson correlation is therefore inactive in the detection phase and has no impact on the detection procedure.

Input: Raw network packets
Output: Processed data
(1)Initialize:
(2)Generate network flows:
(3)Label device type:
(4)Drop invalid flows and identity columns:
(5)Normalize data:
(6)Select features using Pearson’s Correlation Coefficient:
(a)
(b)
(7)Return

Algorithm 1 Overview. Let denote a list of raw packets, and is the list of processed flows. The major steps of this algorithm are as follows:
(1) Network Flow Generation, in Line 2, receives a list of raw packets X and generates network flows by aggregating packets sharing , , .
(2) Label Device Types, in Line 3, the device type of each flow is deduced via . This step is performed during the training phase only.
(3) Drop and Normalize Data, in Lines 4 and 5, any flow in F having a value at any field is dropped. Afterward, the remaining flows are normalized to facilitate the machine learning processes.
(4) Pearson's Correlation Coefficient, in Line 6, the Pearson's correlation coefficient is applied on the normalized flows to select only important features . Finally, the remaining features are dropped from the flow list and only features from are retained, which results in .
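The following Python code is an added example of the preprocessing in Algorithm 1, not the authors' implementation. It assumes that invalid flows are those containing NaN or infinite values, that normalization is min-max scaling, and that the importance index is the absolute Pearson correlation of each feature with the binary label; the flow table and the MAC-to-device mapping are constructed for the example. It also shows the saved feature list and scaling statistics being reused in the detection phase, where labeling and Pearson selection are inactive.

```python
"""Added example (not the paper's code): the preprocessing of Algorithm 1 on a
constructed flow table. Assumptions: invalid flows are those with NaN/inf values,
normalization is min-max, and the 'importance index' is the absolute Pearson
correlation between a feature and the label; the 0.8 threshold is the page's."""
import math

IDENTITY_COLUMNS = {"flow_id", "ip_src", "ip_dst", "src_port", "dst_port",
                    "timestamp", "src_mac"}
NON_FEATURES = ("label", "device_type")

# Assumed MAC-to-device mapping, used only during training to label device types.
MAC_TO_DEVICE = {"aa:bb:cc:00:00:05": "camera", "aa:bb:cc:00:00:07": "sensor"}


def label_device_type(flows, mac_to_device):
    """Training phase only: derive device_type from the source MAC."""
    return [dict(f, device_type=mac_to_device.get(f["src_mac"], "unknown")) for f in flows]


def drop_invalid_and_identity(flows):
    clean = []
    for f in flows:
        if any(isinstance(v, float) and (math.isnan(v) or math.isinf(v)) for v in f.values()):
            continue                          # drop flows with NaN/inf fields
        clean.append({k: v for k, v in f.items() if k not in IDENTITY_COLUMNS})
    return clean


def numeric_columns(flows):
    return sorted(k for k, v in flows[0].items()
                  if k not in NON_FEATURES and isinstance(v, (int, float)))


def fit_minmax(flows):
    """Per-column (min, max) learned on the training set and saved for detection."""
    return {c: (min(f[c] for f in flows), max(f[c] for f in flows)) for c in numeric_columns(flows)}


def apply_minmax(flows, stats):
    out = []
    for f in flows:
        g = dict(f)
        for c, (lo, hi) in stats.items():
            if c in g:
                g[c] = 0.0 if hi == lo else (g[c] - lo) / (hi - lo)
        out.append(g)
    return out


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def select_features(flows, threshold=0.8):
    """Keep features whose |Pearson r| against the binary label is at least the threshold."""
    ys = [float(f["label"]) for f in flows]
    return [c for c in numeric_columns(flows)
            if abs(pearson([f[c] for f in flows], ys)) >= threshold]


def project(flows, keep):
    return [{k: f[k] for k in list(keep) + [e for e in NON_FEATURES if e in f]} for f in flows]


def preprocess_training(flows, mac_to_device):
    flows = drop_invalid_and_identity(label_device_type(flows, mac_to_device))
    stats = fit_minmax(flows)
    flows = apply_minmax(flows, stats)
    keep = select_features(flows)
    return project(flows, keep), {"minmax": stats, "features": keep}


def preprocess_detection(flows, artefacts):
    """Detection phase: no device labelling, no Pearson; reuse the saved artefacts."""
    flows = apply_minmax(drop_invalid_and_identity(flows), artefacts["minmax"])
    return project(flows, artefacts["features"])


def sample_flows():
    """Constructed flow table: three benign sensor flows, three flooding flows, one invalid flow."""
    rows = [
        ("aa:bb:cc:00:00:07", 5.0, 1000, 0.200, 0),
        ("aa:bb:cc:00:00:07", 8.0, 300, 0.150, 0),
        ("aa:bb:cc:00:00:07", 6.0, 900, 0.180, 0),
        ("aa:bb:cc:00:00:05", 500.0, 800, 0.0020, 1),
        ("aa:bb:cc:00:00:05", 700.0, 200, 0.0010, 1),
        ("aa:bb:cc:00:00:05", 650.0, 1100, 0.0015, 1),
        ("aa:bb:cc:00:00:07", 4.0, 500, float("nan"), 0),
    ]
    return [{"flow_id": i, "ip_src": "10.0.0.2", "src_mac": m, "pkt_rate": r,
             "tot_bytes": b, "iat_mean": t, "label": y}
            for i, (m, r, b, t, y) in enumerate(rows)]


if __name__ == "__main__":
    processed, artefacts = preprocess_training(sample_flows(), MAC_TO_DEVICE)
    print("selected features:", artefacts["features"])
    print(processed[0])
```

On this table pkt_rate and iat_mean correlate strongly with the label and survive the 0.8 cut, while tot_bytes does not; the same min/max statistics and feature list are then applied unchanged to unlabeled flows at detection time.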

3.4. Multistage Attack Detection Algorithm

3.4.1. The Overview

The details of the multistage attack detection algorithm are described in Algorithm 2. Let denote a list of raw packets and the resulting attack type. The entire detection process consists of the following main steps:
(i) Processing data: generating network flows, dropping unnecessary features, and normalizing data are performed as in Algorithm 1. However, as this is the detection process, device-type labeling and feature selection using Pearson's correlation coefficient are inactive.
(ii) Classifying device type: the classification model is loaded from the storage of the local home gateway and applied to the processed flow to deduce the device type.
(iii) Sending the result to the ISP: the processed flow together with the prediction result is forwarded to the ISP for abnormality and attack-type detection.
(iv) Detecting attacks: the abnormality detection model corresponding to the device type is applied to the flow to decide whether it is normal or abnormal. If it is abnormal, the process moves on to the next step; otherwise, the flow is marked as (which represents benign).
(v) Classifying attack type: a universal attack-type detection model is loaded from the storage of the ISP gateway and applied to the malicious flow to deduce the kind of attack. At the end of this process, we know the device type of the flow, whether the flow is malicious or benign, and, if it is malicious, the attack type.

Input: Raw network packets
Output: Attack type
(i) Local home gateway:
(1)  Generate network flows:
  
(2)  Drop unnecessary features:
  
(3)  Normalize data:
  
(4)  Load device type classification model:
  
(5)  Classify device type: Device type
  
(6)  Send to ISP:
(ii) Internet Service Provider (ISP)
(1)  Initialize:
(2)  Load all abnormality detection models:
  
(3)  Load abnormality detection model:
  
(4)  Attack detection:
  
(5)  If is not then
(a)   Load attack type detection model:
   
(b)   Attack classification:
   
(c)   
(6)  Else
  
(7)  Return
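To make the division of work in Algorithm 2 concrete, the following Python code is an added example (not MidSiot's implementation) of the gateway/ISP control flow with stand-in rule-based models in place of the trained decision trees. The device types, thresholds, feature names, fallback model and attack labels are assumptions. The last function shows the error propagation described in Section 3.1: the same camera stream judged with a wrong stage-1 label produces a false alert.

```python
"""Added example (not MidSiot's code): the control flow of Algorithm 2 split
between the local gateway and the ISP, with stand-in rule-based models.
The device types, thresholds, feature names and attack labels are assumed
for illustration; a deployment would load the trained decision trees instead."""
from dataclasses import dataclass

BENIGN = "benign"


# --- Stage 1 (local gateway): device type from the flow's behaviour ---
def device_type_model(flow):
    # assumed rule: cameras stream large UDP packets, sensors send small TCP messages
    if flow["proto"] == "UDP" and flow["pkt_len_mean"] > 500:
        return "camera"
    return "sensor"


# --- Stage 2 (ISP): one abnormality model per device type, chosen by stage 1 ---
ABNORMALITY_MODELS = {
    # a high packet rate is normal for a camera but not for a sensor
    "camera": lambda f: f["pkt_rate"] > 2000,
    "sensor": lambda f: f["pkt_rate"] > 50,
    # assumed fallback when stage 1 reports a type without a dedicated model
    "default": lambda f: f["pkt_rate"] > 50,
}


# --- Stage 3 (ISP): a universal attack-type model applied only to abnormal flows ---
def attack_type_model(flow):
    if flow["proto"] == "TCP" and flow["syn_only"]:
        return "syn_flood"
    if flow["dst_port_variety"] > 100:
        return "port_scan"
    return "udp_flood" if flow["proto"] == "UDP" else "tcp_flood"


@dataclass
class GatewayReport:
    flow: dict          # processed feature vector
    device_type: str    # stage-1 prediction made at the local gateway


def local_gateway(flow, stage1_model=device_type_model):
    """Runs on the edge; forwards the flow plus the predicted device type to the ISP."""
    return GatewayReport(flow=flow, device_type=stage1_model(flow))


def isp_gateway(report, abnormality_models=ABNORMALITY_MODELS, stage3_model=attack_type_model):
    """Runs at the ISP: per-device-type abnormality check, then attack-type classification."""
    model = abnormality_models.get(report.device_type, abnormality_models["default"])
    if not model(report.flow):
        return BENIGN
    return stage3_model(report.flow)


def midsiot_detect(flow):
    return isp_gateway(local_gateway(flow))


def action_manager(flow_id, device_type, verdict, log):
    """Sink for detection results; here it only appends alerts to a log list."""
    if verdict != BENIGN:
        log.append(f"ALERT flow={flow_id} device={device_type} attack={verdict}")
    return log


# Constructed flows; syn_only and dst_port_variety are assumed feature names.
CAMERA_STREAM = {"proto": "UDP", "pkt_len_mean": 1200, "pkt_rate": 400,
                 "syn_only": False, "dst_port_variety": 1}
SENSOR_REPORT = {"proto": "TCP", "pkt_len_mean": 80, "pkt_rate": 2,
                 "syn_only": False, "dst_port_variety": 1}
SYN_FLOOD = {"proto": "TCP", "pkt_len_mean": 60, "pkt_rate": 5000,
             "syn_only": True, "dst_port_variety": 1}


def misclassified_device_demo():
    """Error propagation: the same camera stream judged with the wrong stage-1 label."""
    return isp_gateway(GatewayReport(flow=CAMERA_STREAM, device_type="sensor"))


if __name__ == "__main__":
    log = []
    for name, flow in [("cam", CAMERA_STREAM), ("sensor", SENSOR_REPORT), ("syn", SYN_FLOOD)]:
        report = local_gateway(flow)
        action_manager(name, report.device_type, isp_gateway(report), log)
    print(log)
    print("camera stream mislabelled as sensor ->", misclassified_device_demo())
```

The camera stream is benign under the camera model but becomes a "udp_flood" alert as soon as stage 1 reports it as a sensor, which is exactly the chained-error case the design note in Section 3.1 warns about.
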

3.4.2. The First Stage

The primary benefit of the first stage is to enhance the accuracy of the attack detection models in the next stages. Since IoT device types are various and heterogeneous, their network behaviors are highly diverse. For example, a high UDP packet rate coming from an IoT camera is normal, but the same rate from a temperature sensor is a sign of a security threat, so ignoring the device type may lead to false attack detection. Identifying device types and using them as an input feature of the attack detection model is thus crucial to increasing accuracy. Furthermore, this stage should run on the local gateway for two reasons: (1) local gateways have sufficient computational power to handle a part of the detection process, which reduces the burden on the cloud; and (2) if device-type classification were done on the cloud together with the other two steps, the cloud would have to merge a multitude of network packets coming from various IoT networks. This aggregation may make the network data exhibit more generic characteristics than device-specific ones, reducing the device-type classification performance and, in turn, the attack detection accuracy. Running the device-type classifiers in the local gateways, close to the IoT devices, mitigates this issue since only a limited number of device types need to be considered.

3.4.3. The Second and Third Stages

Take a dataset where , , is the input instance that represents a network flow. has features. indicates the number of features of a network flow contained in the dataset . is the result of each detection record. A decision tree recursively partitions the feature space such that samples with the same labels or similar target values are grouped together. Let the data at node be represented by . For each split consisting of a feature and a threshold , partition the data into and subsets:

The quality of a candidate split of node is then computed using an impurity function or loss function , the choice of which depends on the task being solved (classification or regression):

Select the parameters to minimize the impurity:

Repeat for subsets and until the maximum allowable depth is reached or .

For the classification of IDS, for node represents a region of with instances of . Assume that is the proportion of class instance in and can be obtained by the following formula:

The common measure of impurity is named Gini and can be obtained by the following formula:

Cross-entropy can be obtained by the following formula:

Misclassification can be obtained by the following formula (not being used in the proposed system):
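The following Python code is an added example (not the authors' code) that carries the CART procedure above through to working code: the Gini impurity of a node, the search over candidate splits of a feature and threshold, recursive partitioning until a node is pure or the maximum depth is reached, and prediction by walking the tree. The training set and its feature names and attack labels are constructed for the example.

```python
"""Added example (not the paper's code): CART split selection with the Gini
impurity described above, trained on a constructed flow dataset. Feature
names, values and attack labels are assumed for illustration."""
from collections import Counter


def gini(labels):
    """Gini impurity: 1 - sum_k p_k^2 over the class proportions p_k of a node."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def partition(X, k, t):
    """Indices of the left (x_k <= t) and right (x_k > t) subsets."""
    left = [i for i, x in enumerate(X) if x[k] <= t]
    right = [i for i, x in enumerate(X) if x[k] > t]
    return left, right


def best_split(X, y):
    """Return (weighted impurity, feature, threshold) minimising the Gini impurity."""
    n, best = len(X), None
    for k in range(len(X[0])):
        values = sorted({x[k] for x in X})
        for a, b in zip(values, values[1:]):
            t = (a + b) / 2                    # candidate threshold between neighbouring values
            left, right = partition(X, k, t)
            g = (len(left) * gini([y[i] for i in left])
                 + len(right) * gini([y[i] for i in right])) / n
            if best is None or g < best[0]:
                best = (g, k, t)
    return best


def build_tree(X, y, depth=0, max_depth=5):
    node_gini = gini(y)
    split = None if node_gini == 0.0 or depth >= max_depth else best_split(X, y)
    if split is None or split[0] >= node_gini:       # pure node, depth limit, or no gain
        return {"leaf": Counter(y).most_common(1)[0][0], "n": len(y), "gini": node_gini}
    g, k, t = split
    left, right = partition(X, k, t)
    return {"feature": k, "threshold": t, "gini": node_gini,
            "left": build_tree([X[i] for i in left], [y[i] for i in left], depth + 1, max_depth),
            "right": build_tree([X[i] for i in right], [y[i] for i in right], depth + 1, max_depth)}


def predict(tree, x):
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


# Constructed training set: features are (pkt_rate, pkt_len_mean).
TRAIN_X = [(5, 800), (8, 900), (3, 100), (6, 120),
           (5000, 60), (4000, 60), (6000, 62),
           (3000, 1400), (3500, 1450)]
TRAIN_Y = ["benign"] * 4 + ["syn_flood"] * 3 + ["udp_flood"] * 2


def train_example():
    return build_tree(TRAIN_X, TRAIN_Y)


if __name__ == "__main__":
    tree = train_example()
    print("root split: feature", tree["feature"], "threshold", tree["threshold"])
    for x in [(7, 850), (5500, 61), (3200, 1420)]:
        print(x, "->", predict(tree, x))
```

The root of the learned tree splits on pkt_rate at 1504, which sends all benign flows to a pure left leaf; the right child then separates the two attack classes with a second pkt_rate threshold, so prediction costs one comparison per level, which is what keeps decision trees cheap enough for a gateway.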

4. Results and Discussion

4.1. Evaluation Metrics

In our experiments, we adopted several evaluation metrics, such as precision (P), recall (R), F-measure (F), and accuracy. Let TP, FP, and FN denote true positives, false positives, and false negatives, respectively, and these evaluation metrics are defined as

To evaluate the quality of attack detection models, we use the model accuracy as a primary evaluation metric that is directly computed from the confusion matrix based on the following formula:

We evaluate the performance of the resampling methods through the macro-average F1-score, computed independently for each class. Let MAP and MAR denote macro-average precision and macro-average recall; the macro-average F1-score is defined in terms of MAP and MAR as follows:

where K is the total number of classes.
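The following Python code is an added example (not the authors' code) computing the metrics defined above from a confusion matrix built over constructed label lists. It also exposes a caveat worth checking when comparing against other papers: the macro-average F1 computed from MAP and MAR is not the same number as the mean of the per-class F1 scores, which is what scikit-learn's f1_score(average="macro") returns.

```python
"""Added example (not the paper's code): precision, recall, F1, accuracy and
macro averages computed from a confusion matrix over constructed label lists."""


def confusion_matrix(y_true, y_pred, classes):
    idx = {c: i for i, c in enumerate(classes)}
    cm = [[0] * len(classes) for _ in classes]
    for t, p in zip(y_true, y_pred):
        cm[idx[t]][idx[p]] += 1          # rows: actual class, columns: predicted class
    return cm


def per_class_counts(cm, i):
    """TP, FP, FN of class i in a one-vs-rest view of the matrix."""
    tp = cm[i][i]
    fp = sum(cm[r][i] for r in range(len(cm))) - tp
    fn = sum(cm[i]) - tp
    return tp, fp, fn


def precision_recall_f1(tp, fp, fn):
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f


def accuracy(cm):
    return sum(cm[i][i] for i in range(len(cm))) / sum(map(sum, cm))


def macro_scores(cm):
    """MAP, MAR, macro-F1 = 2*MAP*MAR/(MAP+MAR), and the mean of per-class F1."""
    k = len(cm)
    prf = [precision_recall_f1(*per_class_counts(cm, i)) for i in range(k)]
    map_ = sum(p for p, _, _ in prf) / k
    mar = sum(r for _, r, _ in prf) / k
    macro_f1 = 2 * map_ * mar / (map_ + mar) if map_ + mar else 0.0
    mean_f1 = sum(f for _, _, f in prf) / k
    return {"MAP": map_, "MAR": mar, "macro_f1": macro_f1, "mean_class_f1": mean_f1}


# Constructed predictions for 18 flows over three classes.
CLASSES = ["benign", "syn_flood", "port_scan"]
Y_TRUE = ["benign"] * 10 + ["syn_flood"] * 5 + ["port_scan"] * 3
Y_PRED = (["benign"] * 8 + ["syn_flood", "port_scan"]
          + ["syn_flood"] * 5
          + ["benign", "port_scan", "port_scan"])


def evaluate_example():
    cm = confusion_matrix(Y_TRUE, Y_PRED, CLASSES)
    return cm, accuracy(cm), macro_scores(cm)


if __name__ == "__main__":
    cm, acc, macro = evaluate_example()
    for c, row in zip(CLASSES, cm):
        print(f"{c:>10}: {row}")
    print("accuracy", round(acc, 4), macro)
```

On this matrix the two macro F1 variants differ in the third decimal place; the gap grows with class imbalance, so a comparison table should state which definition it uses.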

4.2. Dataset and Attack Class Balancing

We assessed MidSiot on three different datasets: IoTID20, CIC-IDS-2017, and BOT-IoT.
(i) The IoTID20 dataset contains traffic from two IoT devices (a smart home device, SKT NGU, and an EZVIZ Wi-Fi camera) and several non-IoT devices marked as external devices. The cyberattacks on these devices are classified into four attack categories and seven attack subcategories, described in detail in Table 3.
(ii) The CIC-IDS-2017 dataset contains the network traffic of six cyberattack types listed in Table 4 targeting 12 different devices, which are labeled according to their operating systems and architectures. It also has several external devices that generate normal traffic.
(iii) The BOT-IoT dataset has five IoT devices and several external devices. The malicious network traffic of these devices is classified into three attack categories, detailed in Table 5.

Through rigorous analysis of the evaluation datasets, we found that the number of samples of each attack type is imbalanced; thus, resampling methods may be necessary. In our experiments, we evaluated the Random Undersampling algorithm (RU) and its combination with the Synthetic Minority Oversampling Technique (RU-SMOTE).
(i) Random Undersampling randomly selects samples from over-represented attack types to reduce their size. However, randomly discarding data points might accidentally remove critical information, resulting in degraded classification performance.
(ii) The Synthetic Minority Oversampling Technique (SMOTE) balances the dataset by synthesizing new samples for the minority class. In more detail, it selects a minority sample and one of its nearest minority neighbors, draws a line segment between them, and creates new samples at points along this segment.

To implement these resampling methods, we used the imbalanced-learn (imblearn) library [33], which supports multiple resampling techniques along with several sampling strategies for both binary and multiclass classification. In binary classification, the ratio between the minority and majority classes after resampling must be configured, whereas this configuration is unnecessary in multiclass classification. The results illustrated in Figures 4–6 show that these resampling techniques have no significant impact on the performance of the models. Furthermore, if the number of samples in the majority classes drastically outweighs that of the minority classes, they may decrease the attack detection quality for the smaller classes. Therefore, our models are trained without resampling.
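As an added example (a minimal re-implementation for illustration, not imbalanced-learn's code), the following Python code applies random undersampling followed by SMOTE-style interpolation to a constructed, imbalanced two-feature flow set; the feature values, the target class size and the neighbour count are assumptions.

```python
"""Added example (not the paper's code): random undersampling and SMOTE-style
oversampling on a constructed, imbalanced two-feature flow set. This is a
minimal re-implementation for illustration, not imbalanced-learn's code."""
import math
import random
from collections import Counter


def class_counts(y):
    return dict(Counter(y))


def random_undersample(X, y, target, rng):
    """Randomly keep at most `target` samples of every class (drops majority data at random)."""
    by_class = {}
    for x, lab in zip(X, y):
        by_class.setdefault(lab, []).append(x)
    Xo, yo = [], []
    for lab, xs in by_class.items():
        keep = xs if len(xs) <= target else rng.sample(xs, target)
        Xo.extend(keep)
        yo.extend([lab] * len(keep))
    return Xo, yo


def smote(X, y, minority, n_new, k, rng):
    """Synthesise n_new minority samples on the segment between a minority sample
    and one of its k nearest minority neighbours (Euclidean distance)."""
    mins = [x for x, lab in zip(X, y) if lab == minority]
    if len(mins) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    k = min(k, len(mins) - 1)
    new = []
    for _ in range(n_new):
        a = rng.choice(mins)
        neighbours = sorted((b for b in mins if b is not a), key=lambda b: math.dist(a, b))[:k]
        b = rng.choice(neighbours)
        lam = rng.random()                                  # position along the segment a -> b
        new.append(tuple(ai + lam * (bi - ai) for ai, bi in zip(a, b)))
    return X + new, y + [minority] * n_new


# Constructed, imbalanced flow set: features are (pkt_rate, iat_mean).
BENIGN_X = [(float(5 + i), 0.2 - 0.005 * i) for i in range(20)]
ATTACK_X = [(500.0, 0.002), (700.0, 0.001), (650.0, 0.0015), (800.0, 0.0008)]
X_ALL = BENIGN_X + ATTACK_X
Y_ALL = ["benign"] * len(BENIGN_X) + ["attack"] * len(ATTACK_X)


def undersample_only(target, seed=1):
    return random_undersample(X_ALL, Y_ALL, target, random.Random(seed))


def balance_example(seed=7):
    """RU-SMOTE: undersample the majority to 10, then oversample the minority up to 10."""
    rng = random.Random(seed)
    X1, y1 = random_undersample(X_ALL, Y_ALL, target=10, rng=rng)
    need = 10 - y1.count("attack")
    return smote(X1, y1, "attack", need, k=2, rng=rng)


if __name__ == "__main__":
    X2, y2 = balance_example()
    print(class_counts(Y_ALL), "->", class_counts(y2))
```

Because every synthetic point is a convex combination of two real minority samples, SMOTE never leaves the minority class's bounding box; it fills in the region between attack flows rather than inventing new kinds of attack, which is why it cannot help when the minority class is itself heterogeneous.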

4.3. Results and Discussion

To select classification algorithms for our multistage IDS, we examined the detection time and accuracy of several supervised machine learning algorithms on the IoTID20 dataset. Both the ability to classify benign and malicious network traffic (binary attack detection) and the ability to precisely identify the types of attacks (multiclass attack detection) were considered. Since operating on network gateways requires a lightweight attack detection model, the experimented algorithms are simple machine learning algorithms: linear support vector machine, quadratic support vector machine, K-nearest neighbors, linear discriminant analysis, quadratic discriminant analysis, multilayer perceptron, long short-term memory, autoencoder classifier, and decision tree classifier; their results are presented in Table 6. As shown in the table, the decision tree classifier outperforms the other algorithms, and it is considered a lightweight machine learning algorithm [34]. This classifier is thus selected for the attack detection models of MidSiot. Empty values in the table (denoted by N/A) indicate that the training time exceeded two hours. Moreover, training a decision tree classifier is cheap and could even be performed on IoT devices. We also applied the Classification and Regression Tree (CART) algorithm to build the trees and boost the detection performance. In more detail, CART splits the training data into two subsets based on a specific feature k and a threshold (e.g., "flow duration 100"). This split is repeated on each subset until the maximum depth is reached or a subset can no longer be split. As a result, the computational complexity of the classifier is reduced to with m being the number of samples in the training set. This significantly increases the training and prediction rate when dealing with large datasets.

Attack detection results: Table 7 reports the overall performance of each MidSiot stage on the evaluated datasets. MidSiot not only accurately differentiates between normal and malicious traffic in the second stage but also identifies the type of attack in the third stage; the average accuracies of these stages are about 99.98% and 99.68%, respectively. Regarding the classification of IoT devices, our proposal achieved a high classification accuracy of 95.55% on average. In detail, device-type classification on BOT-IoT achieves the highest result, at 99.92%, whereas the results on IoTID20 and CIC-IDS-2017 are about 92.57% and 94.17%, respectively. To better understand the attack detection performance of MidSiot, Tables 8–10 show the confusion matrices, which compare the predicted attacks with the actual ones.

Comparing with baseline methods: We compared the attack detection quality of our proposal with state-of-the-art IDSs and report the results in Table 11. Overall, MidSiot outperforms its competitors on the CIC-IDS-2017 and BOT-IoT datasets and is comparable with them on the IoTID20 dataset. In more detail, on CIC-IDS-2017, the best competitor achieves 99.9% in both binary and multiclass classification, whereas our proposed IDS achieves better results of about 99.99% and 99.97%, respectively. Similar results are found on the BOT-IoT dataset, where our proposal achieves 99.99% accuracy in binary classification and 99.93% in multiclass classification. On the IoTID20 dataset, the best competitor detects the attack types with 100% accuracy, and MidSiot is very competitive at 99.15%. Compared with state-of-the-art IDSs, MidSiot employs more machine learning models to enhance detection accuracy. This demands higher computational cost and more training data to train these models. Indeed, each stage in MidSiot has a different training dataset, which requires a huge labeling effort. For example, the first-stage model needs network traffic labeled with the device type, whereas the second-stage model demands traffic labeled as normal or abnormal. Moreover, deploying the first-stage model from the cloud to the IoT local gateway consumes network bandwidth and may introduce delays.

In conclusion, by using a hierarchical architecture and chaining stages together, MidSiot effectively classifies device types, identifies abnormal network traffic, and differentiates cyberattack types.

5. Conclusion

In this article, we proposed a distributed intrusion detection system for IoT scenarios, in which connected devices are not only resource-constrained but also heterogeneous in hardware specification. To accurately detect various types of cyberattacks, the proposed IDS consists of three stages: (1) classifying device types; (2) detecting malicious network flows; and (3) identifying attack types. In experiments on three popular IoT IDS datasets (IoTID20, CIC-IDS-2017, and BOT-IoT), we demonstrated that our proposal detects several attacks with an accuracy of 99.68% on average and outperforms state-of-the-art IDSs. In addition, we examined two resampling techniques to balance the datasets and found that these techniques slightly reduce the detection rate of minority attack types. In short, MidSiot is beneficial for both the industrial and research communities interested in further developing intrusion detection systems for IoT.

Data Availability

The training data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was funded by the fund supporting research activities from the University of Information Technology, Vietnam National University, Ho Chi Minh City.