An Ensemble Intrusion Detection Technique Based on Proposed Statistical Flow Features for Protecting Network Traffic of Internet of Things

The Internet of Things (IoT) plays an increasingly significant role in our daily activities, connecting the physical objects around us to digital services. It is the driving force behind home automation, smart cities, modern health systems, and advanced manufacturing. This growth also increases the likelihood of cyber threats against IoT devices and services. Attackers may attempt to exploit vulnerabilities in application protocols, including the Domain Name System (DNS), the Hypertext Transfer Protocol (HTTP) and Message Queue Telemetry Transport (MQTT), that interact directly with the backend database systems and client-server applications that store the data of IoT services. Successful exploitation of one or more of these protocols can result in data leakage and security breaches. In this paper, an ensemble intrusion detection technique is proposed to mitigate malicious events, in particular botnet attacks against the DNS, HTTP, and MQTT protocols used in IoT networks. New statistical flow features are generated from these protocols based on an analysis of their potential properties. An AdaBoost ensemble learning method is then developed from three machine learning techniques, namely decision tree, Naive Bayes (NB), and artificial neural network, to evaluate the effect of these features and detect malicious events effectively. The UNSW-NB15 and NIMS botnet datasets, with simulated IoT sensor data, are used to extract the proposed features and evaluate the ensemble technique. The experimental results show that the proposed features capture the characteristic properties of normal and malicious activity, as measured by correntropy and the correlation coefficient. Moreover, the proposed ensemble technique provides a higher detection rate and a lower false positive rate than each classification technique included in the framework and than three other state-of-the-art techniques.
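The pipeline the abstract describes (statistical flow features, feature evaluation with the correlation coefficient and correntropy, an AdaBoost ensemble, and detection rate / false positive rate as the metrics) can be sketched end to end in a few dozen lines. The block below is an added illustration, not the paper's code or data: the eight flow records are constructed, the three features (mean packet size, packets per second, flows per source address) are assumptions standing in for the paper's proposed features, the Gaussian kernel width is fixed at 0.5 for the correntropy estimate, and decision stumps replace the paper's decision tree, Naive Bayes and neural network base learners so that AdaBoost's reweighting stays visible.

```python
"""Added example (not the paper's code): statistical flow features for
DNS/HTTP/MQTT flows, Pearson correlation and correntropy as feature-quality
measures, and a minimal AdaBoost ensemble of decision stumps.  All flow
records are constructed; the paper's features, datasets and base learners
(decision tree, NB, ANN) are not reproduced here."""
import math
from collections import Counter

# Constructed flow records: (src, dst, proto, duration_s, packets, bytes, label)
# label 1 = hypothetical bot traffic, 0 = normal traffic.
FLOWS = [
    ("10.0.0.5",  "8.8.8.8",       "dns",  0.4,     2,    110, 0),
    ("10.0.0.5",  "93.184.216.34", "http", 2.0,    16,  12000, 0),
    ("10.0.0.6",  "10.0.0.2",      "mqtt", 5.0,    10,   1200, 0),
    ("10.0.0.7",  "93.184.216.34", "http", 1.0,   600, 450000, 0),  # legitimate high-rate download
    ("10.0.0.9",  "8.8.8.8",       "dns",  0.005,   2,    120, 1),
    ("10.0.0.9",  "8.8.8.8",       "dns",  0.004,   2,    120, 1),
    ("10.0.0.9",  "198.51.100.7",  "http", 0.1,     3,    210, 1),
    ("10.0.0.10", "198.51.100.7",  "mqtt", 0.1,     6,    300, 1),
]
FEATURE_NAMES = ["mean_pkt_size", "pkts_per_s", "flows_per_src"]

def flow_features(flows):
    """Per-flow statistical features: mean packet size, packets per second,
    and flows per source address (an aggregate over the whole window)."""
    per_src = Counter(f[0] for f in flows)
    X = [[f[5] / f[4], f[4] / f[3], per_src[f[0]]] for f in flows]
    y = [1 if f[6] else -1 for f in flows]      # AdaBoost uses labels in {-1, +1}
    return X, y

def pearson(xs, ys):
    """Pearson correlation coefficient between a feature column and the labels."""
    n = len(xs); mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def correntropy(xs, ys, sigma=0.5):
    """Sample correntropy V(X,Y) = mean of G_sigma(x_i - y_i) with a Gaussian kernel.
    Both inputs are min-max scaled to [0, 1] first so the distance is comparable."""
    def scale(v):
        lo, hi = min(v), max(v)
        return [(a - lo) / (hi - lo) if hi > lo else 0.0 for a in v]
    norm = 1.0 / (sigma * math.sqrt(2 * math.pi))
    return sum(norm * math.exp(-(a - b) ** 2 / (2 * sigma ** 2))
               for a, b in zip(scale(xs), scale(ys))) / len(xs)

def stump_predict(stump, x):
    feat, thr, pol = stump
    return pol if x[feat] > thr else -pol

def best_stump(X, y, w):
    """Weak learner: the decision stump with the lowest weighted error."""
    best, best_err = None, float("inf")
    for feat in range(len(X[0])):
        vals = sorted(set(x[feat] for x in X))
        for thr in [(a + b) / 2 for a, b in zip(vals, vals[1:])] or vals:
            for pol in (1, -1):
                err = sum(wi for xi, yi, wi in zip(X, y, w)
                          if stump_predict((feat, thr, pol), xi) != yi)
                if err < best_err:
                    best, best_err = (feat, thr, pol), err
    return best, best_err

def ensemble_predict(ensemble, x):
    return 1 if sum(a * stump_predict(s, x) for a, s in ensemble) > 0 else -1

def adaboost(X, y, rounds=10):
    """Classic AdaBoost: reweight misclassified flows, refit, stop at zero training error."""
    n = len(X); w = [1.0 / n] * n; ensemble = []
    for _ in range(rounds):
        stump, err = best_stump(X, y, w)
        err = max(err, 1e-10)
        if err >= 0.5:
            break
        alpha = 0.5 * math.log((1 - err) / err)
        ensemble.append((alpha, stump))
        w = [wi * math.exp(-alpha * yi * stump_predict(stump, xi)) for xi, yi, wi in zip(X, y, w)]
        total = sum(w); w = [wi / total for wi in w]
        if all(ensemble_predict(ensemble, xi) == yi for xi, yi in zip(X, y)):
            break
    return ensemble

def detection_rates(ensemble, X, y):
    """Detection rate (true positive rate) and false positive rate."""
    tp = sum(1 for xi, yi in zip(X, y) if yi == 1 and ensemble_predict(ensemble, xi) == 1)
    fp = sum(1 for xi, yi in zip(X, y) if yi == -1 and ensemble_predict(ensemble, xi) == 1)
    return tp / y.count(1), fp / y.count(-1)

if __name__ == "__main__":
    X, y = flow_features(FLOWS)
    for i, name in enumerate(FEATURE_NAMES):
        col = [x[i] for x in X]
        print(f"{name:14s} r={pearson(col, y):+.3f}  V={correntropy(col, y):.3f}")
    model = adaboost(X, y)
    print("stumps:", len(model), " DR/FPR on the training flows:", detection_rates(model, X, y))
```

On these constructed flows every single stump misclassifies one flow (the small-packet DNS query, the high-rate download, and the lone-source bot flow, respectively), while the three-round ensemble classifies all eight correctly; that is the mechanism behind the abstract's claim that the ensemble beats each base learner on detection rate and false positive rate. The training-set figures are of course optimistic, and a real evaluation holds out flows as the paper does with the UNSW-NB15 and NIMS data.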
