An Efficient One-Class SVM for Anomaly Detection in the Internet of Things

Insecure Internet of Things (IoT) devices pose significant threats to critical infrastructure and the Internet at large; detecting anomalous behavior from these devices remains of critical importance, but fast, efficient, accurate anomaly detection (also called “novelty detection”) for these classes of devices remains elusive. One-Class Support Vector Machines (OCSVM) are one of the state-of-the-art approaches for novelty detection (or anomaly detection) in machine learning, due to their flexibility in fitting complex nonlinear boundaries between normal and novel data. IoT devices in smart homes and cities and connected building infrastructure present a compelling use case for novelty detection with OCSVM due to the variety of devices, traffic patterns, and types of anomalies that can manifest in such environments. Much previous research has thus applied OCSVM to novelty detection for IoT. Unfortunately, conventional OCSVMs introduce significant memory requirements and are computationally expensive at prediction time as the size of the training set grows, requiring space and time that scale with the number of training points. These memory and computational constraints can be prohibitive in practical, real-world deployments, where large training sets are typically needed to develop accurate models when fitting complex decision boundaries. In this work, we extend so-called Nyström and (Gaussian) Sketching approaches to OCSVM, by combining these methods with clustering and Gaussian mixture models to achieve significant speedups in prediction time and space in various IoT settings, without sacrificing detection accuracy.
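The prediction-cost problem described above can be seen by fitting a conventional RBF OCSVM next to a linear OCSVM trained on Nyström features. This is an added example, not code from the paper: it uses scikit-learn's plain uniformly sampled Nyström map without the paper's clustering or Gaussian mixture step, and the data, `GAMMA`, `NU`, `M` and all function names are constructed for illustration.

```python
import numpy as np
from sklearn.kernel_approximation import Nystroem
from sklearn.pipeline import make_pipeline
from sklearn.svm import OneClassSVM

GAMMA, NU, M = 0.5, 0.05, 40  # constructed settings; M = number of Nystroem landmarks

def make_data(seed=0):
    """Constructed stand-in for per-flow features: two normal modes plus distant novelties."""
    rng = np.random.default_rng(seed)
    normal = np.vstack([rng.normal([0, 0], 0.5, (1000, 2)),
                        rng.normal([4, 4], 0.5, (1000, 2))])
    novel = rng.normal([12, -8], 0.5, (50, 2))
    return normal, novel

def fit_exact(train):
    # Conventional kernel OCSVM: the fitted model stores every support vector.
    return OneClassSVM(kernel="rbf", gamma=GAMMA, nu=NU).fit(train)

def fit_nystroem(train, seed=0):
    # Project onto M landmark-based features, then fit a linear OCSVM in that space.
    return make_pipeline(
        Nystroem(kernel="rbf", gamma=GAMMA, n_components=M, random_state=seed),
        OneClassSVM(kernel="linear", nu=NU),
    ).fit(train)

def kernel_evals_per_prediction(model):
    """Kernel evaluations (and stored training points) needed to score one sample."""
    if isinstance(model, OneClassSVM):
        return model.support_vectors_.shape[0]
    return model.named_steps["nystroem"].components_.shape[0]

def novelty_recall(model, novel):
    """Fraction of novel samples the model labels -1 (anomalous)."""
    return float(np.mean(model.predict(novel) == -1))

if __name__ == "__main__":
    normal, novel = make_data()
    for name, model in (("exact", fit_exact(normal)),
                        ("nystroem", fit_nystroem(normal))):
        print(name, "kernel evals/prediction:", kernel_evals_per_prediction(model),
              "novelty recall:", novelty_recall(model, novel))
```

The exact model must keep at least `NU` times the training-set size as support vectors, so its per-prediction cost grows with the data, while the Nyström model stays fixed at `M` landmarks.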
