A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks

In this paper we propose a two-level hybrid anomalous activity detection model for intrusion detection in IoT networks. The level-1 model uses flow-based anomaly detection, which classifies network traffic as normal or anomalous; its flow-based features are extracted from the CICIDS2017 and UNSW-15 datasets. If anomalous activity is detected, the flow is forwarded to the level-2 model, which determines the category of the anomaly by examining the packet contents in depth. The level-2 model uses Recursive Feature Elimination (RFE) to select significant features, the Synthetic Minority Over-Sampling Technique (SMOTE) for oversampling, and Edited Nearest Neighbors (ENN) for cleaning the CICIDS2017 and UNSW-15 datasets. The precision, recall and F score of our proposed model at level 1 were measured at 100% for the CICIDS2017 dataset and 99% for the UNSW-15 dataset, while at level 2 they were measured at 100% for the CICIDS2017 dataset and 97% for the UNSW-15 dataset. The predictor introduced in this paper provides a solid framework for developing malicious activity detection in IoT networks.
