Thesis

Machine Learning-Based Adaptive Anomaly Detection in Smart Spaces


Abstract

The increase in computing power has allowed the rise of the Internet of Things (IoT). Due to the nature of IoT services, it is vital to secure them, as they can impact the privacy and safety of the user. In this work, we propose an approach to secure sites of cooperating IoT services, known as smart spaces. Our solution continuously monitors service interactions and learns the normal behaviour of the services online. Using the learnt model of normal behaviour, it can detect anomalous accesses and block them in real time. We use online machine learning to handle concept drift; at the same time, the learned model is human-understandable, so that the user can follow the behaviour of the services. We evaluate the approach with regard to resource usage and detection performance.
... They used Gravitational Search-based Optimization (GSO) for optimizing LGB hyperparameters and compared it with Particle Swarm Optimization (PSO). They used a simulated IoT sensor dataset, called IoT dataset, that is cited in [24]. They reported an optimal accuracy of 100%. ...
Article (full text available)
The Internet of Things (IoT) environment has revolutionized living standards by enabling seamless connectivity and automation. However, the widespread adoption of IoT has also brought significant security challenges for manufacturers and consumers alike. Detecting network intrusions in IoT networks using machine learning techniques shows promising potential. However, selecting an appropriate machine learning algorithm for intrusion detection poses a considerable challenge: improper algorithm selection can lead to reduced detection accuracy, increased risk of network infection, and compromised network security. This article provides a comparative evaluation of six state-of-the-art boosting-based algorithms for detecting intrusions in IoT. The methodology benchmarks the performance of the selected boosting-based algorithms in multi-class classification. The evaluation includes a comprehensive classification performance analysis, covering accuracy, precision, detection rate and F1 score, as well as a temporal performance analysis covering training and testing times.
... The only characteristics in an unlabeled dataset that can be used are those that describe the data objects, for unsupervised ML models. In addition, a labeled dataset includes information about each data instance's class and is utilized for supervised ML models [51]. ...
Article (full text available)
Physical objects that may communicate with one another are referred to as “things” in the Internet of Things (IoT) concept. It introduces a variety of services and activities that are available, trustworthy and essential for human life. The IoT necessitates multifaceted security measures that prioritize communication protected by confidentiality, integrity and authentication services; data inside sensor nodes are encrypted and the network is secured against interruptions and attacks. As a result, the issue of communication security in an IoT network needs to be solved. Even though an IoT network may be protected by encryption and authentication, cyber-attacks are still possible. Consequently, it is crucial to have intrusion detection system (IDS) technology. In this paper, common and potential security threats to the IoT environment are explored. Then, based on evaluating and contrasting recent studies in the field of IoT intrusion detection, a review of IoT IDSs is offered with regard to methodologies, datasets and machine learning (ML) algorithms. In this study, the strengths and limitations of recent IoT intrusion detection techniques are determined, recent datasets collected from real or simulated IoT environments are explored, high-performing ML methods are identified, and the gap in recent studies is pointed out.
Article
The rapid expansion of Internet of Things (IoT) adoption has brought significant cybersecurity challenges, with botnet attacks being a critical concern. To address this issue, machine learning algorithms, particularly boosting-based approaches, have shown promise in detecting and mitigating botnet intrusions. However, the selection of an appropriate algorithm plays a crucial role in achieving accurate detection and reducing the probability of infection. This article focuses on the use of boosting-based algorithms for botnet detection in IoT environments. It evaluates the performance of five boosting-based machine learning algorithms in binary botnet detection. The empirical findings underscore the significant potential of boosting-based algorithms for effectively detecting botnet attacks within IoT environments. The histogram gradient boosting algorithm achieved the best performance for binary detection, with an accuracy of 0.999977. In addition, a temporal evaluation of the computational requirements of each algorithm is presented, to cope with the resource-constrained nature of IoT.
Article (full text available)
Publicly available datasets are an indispensable tool for researchers, as they allow testing new algorithms on a wide range of different scenarios and making scientific experiments verifiable and reproducible. Research in IoT security is no exception. In particular, the design of traffic classification and intrusion detection solutions for network security relies on network traces obtained from real networks or realistic testbeds. In this paper, we provide a detailed survey on the existing datasets containing IoT network traffic. We classify them according to several features that help researchers quickly find the datasets that fit their specific needs. In total, we survey 74 datasets that we found by analyzing more than 100 scientific articles. We also discuss the weaknesses of existing datasets, identify challenges, and point to future directions for creating new IoT datasets.
Chapter (full text available)
Intrusion detection is one of the key points in computer security, and it aims to identify attempted attacks by unauthorized users. Several research efforts are under way to solve security problems in environments involving the Internet of Things, Fog Computing, and Cloud Computing. This mini-course has a theoretical and practical profile and aims to describe aspects of the context of intrusion detection in IoT and Fog Computing, present Machine Learning techniques commonly used in intrusion detection, expose state-of-the-art approaches, and present some results obtained in developed research.
1.1. Introduction
With the development of technological resources and the popularization of the Internet, there has been significant growth in the number of computational applications. Faced with this new technological context, difficulties have arisen in maintaining the security of applications and data, given that the techniques for exploiting vulnerabilities in these computational infrastructures are constantly being improved in order to gain access to systems and to improperly obtain and use sensitive information. Malicious users can exploit vulnerabilities in computer systems to carry out illicit activities. The attackers' main motivation is to obtain privileged digital content that can bring some benefit to the attacker and/or cause significant damage to the target of the attacks. Currently, the Internet of Things (IoT) is spreading in all areas that apply computational resources. IoT devices allow everyday objects to be connected to the Internet, computers, and smartphones [Atzori et al. 2010]. The idea is to increasingly unite the physical and digital worlds by communicating objects with other devices, data centers, and clouds.
Article (full text available)
Network forensics focuses on the identification and investigation of internal and external network attacks, the reverse engineering of network protocols, and the uninstrumented investigation of networked devices. It lies at the intersection of digital forensics, incident response and network security. Network attacks exploit software and hardware vulnerabilities and communication protocols. The scope of a network forensic investigation can range from Internet-wide down to a single device’s network traffic. Network analysis tools (NATs) aid security professionals and law enforcement in the capturing, identification and analysis of network traffic. However, in most instances, the sheer volume of data to be analyzed is enormous and, despite some built-in NAT automation, the investigation of network traffic is often an arduous process. Furthermore, significant expert time remains wasted in the investigation of a high frequency of false positive alerts from automated systems. To address this globally impacting problem, artificial intelligence based approaches are becoming increasingly employed to automatically detect attacks and increase network traffic classification accuracy. This paper provides a comprehensive survey of the state-of-the-art in network forensics and the application of expert systems, machine learning, deep learning, and ensemble/hybrid approaches to a range of application areas in the field. These include network traffic analysis, intrusion detection systems, Internet-of-Things devices, cloud forensics, DNS tunneling, smart grid forensics, and vehicle forensics. In addition, the current challenges and future research directions for each of the aforementioned application areas are discussed.
Conference Paper
Traffic on the network is increasing immensely. The unprecedented development and close integration of devices for the Internet of Things (IoT) have contributed to an enormous amount of data in recent years. A persistent concern is the detection and prevention of network intrusions. In this paper, we analyze the deployment and methodology of Network Intrusion Detection Systems (NIDS) and the taxonomy of attacks detected by a NIDS. The purpose of the study is to emphasize the role of NIDS in confronting attacks. Deep Learning (DL) has significantly reduced the inefficiencies of Machine Learning (ML) and produced time- and cost-effective security solutions. By analyzing the work done by various researchers, it has been observed that deep learning algorithms give better accuracy and performance in confronting attacks on the KDD Cup-99 dataset.
Poster (full text available)
The Internet of Things (IoT) consists of distributed devices. The devices are managed by microservices that cooperate in an ad-hoc way to implement diverse use cases. The opportunistic cooperation and the heterogeneous distributed computing environments make it difficult to manually keep track of the communication relationships between IoT services. We show how a communication graph can be built autonomously, and how it can be used to identify traffic anomalies. A special focus is on bootstrapping the allowed connections of a service. We provide a quantitative evaluation of the latency added by our security feature, and of the graph changes in a real-world scenario.
Presentation (full text available)
The Internet of Things (IoT) can be considered a Service Oriented Architecture (SOA) of Microservices (µS). The µSs inherently process data that affects the privacy, safety, and security of their users. IoT service security is a key challenge. Most state-of-the-art approaches to IoT system security are policy-based. We showcase a graph-based access control that runs as a module on IoT nodes, or in the network. Our solution intercepts and firewalls inter-service communication. It automatically creates a model of legitimate communication relationships. The model is interactively updated via a simple-to-understand interface. Our solution adds essential IoT security to existing IoT systems.
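The approach described in the abstract, the poster and the presentation above (a communication graph learned online, used as a whitelist that is bootstrapped from observed traffic, kept adaptive, and readable by the user) can be sketched as follows. This is an added example, not code from the thesis or its accompanying publications: the window size, the bootstrap length, the exponential-moving-average rate baseline, the spike threshold, the service names and the call log are all assumptions made for illustration.

```python
# Added example (not the thesis's code): learn the service communication graph
# online and use it as an adaptive whitelist. Service names, thresholds and
# the call log are constructed for illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass


def calls(t0, n, src, dst, op, spacing=1.0):
    """n calls of src -> dst.op starting at t0 seconds, `spacing` apart."""
    return [(t0 + i * spacing, src, dst, op) for i in range(n)]


# Constructed call log: (time_s, source, destination, operation).
SAMPLE_EVENTS = (
    # windows 0 and 1 (0-20 s): learning phase, normal traffic only
    calls(0.0, 2, "thermostat", "heating", "set_temp", 4.0)
    + calls(1.0, 3, "app", "thermostat", "read", 3.0)
    + calls(0.5, 5, "camera", "storage", "put", 1.5)
    + calls(10.0, 2, "thermostat", "heating", "set_temp", 4.0)
    + calls(11.0, 3, "app", "thermostat", "read", 3.0)
    + calls(10.5, 5, "camera", "storage", "put", 1.5)
    # window 2 (20-30 s): normal traffic plus an edge never seen before
    + calls(20.0, 2, "thermostat", "heating", "set_temp", 4.0)
    + calls(21.0, 3, "app", "thermostat", "read", 3.0)
    + calls(20.5, 6, "camera", "storage", "put", 1.5)
    + calls(25.0, 1, "lightbulb", "storage", "put")
    # window 3 (30-40 s): the app hammers the thermostat, 40 reads in 10 s
    + calls(30.0, 2, "thermostat", "heating", "set_temp", 4.0)
    + calls(30.0, 40, "app", "thermostat", "read", 0.2)
    + calls(30.5, 5, "camera", "storage", "put", 1.5)
)


@dataclass
class EdgeStats:
    windows_seen: int = 0
    rate_ema: float = 0.0   # smoothed calls per window for this edge


class CommGraphDetector:
    def __init__(self, window=10.0, bootstrap_windows=2, alpha=0.3,
                 spike_factor=3.0, min_margin=3):
        self.window = window                # seconds per observation window
        self.bootstrap_windows = bootstrap_windows
        self.alpha = alpha                  # EMA weight of the newest window
        self.spike_factor = spike_factor    # spike: > factor * baseline + margin
        self.min_margin = min_margin
        self.edges = {}                     # (src, dst, op) -> EdgeStats: the whitelist
        self.windows_done = 0

    def learning(self):
        """During bootstrap every observed edge is accepted as legitimate."""
        return self.windows_done < self.bootstrap_windows

    def approve(self, edge):
        self.edges.setdefault(edge, EdgeStats())   # user whitelists a blocked edge

    def process_window(self, events):
        """Check one window of (t, src, dst, op) events, then update the model."""
        counts = Counter((src, dst, op) for _, src, dst, op in events)
        alerts = []
        for edge, n in counts.items():
            if edge not in self.edges:
                if not self.learning():
                    alerts.append(("unknown_edge", edge, n))
                    continue        # blocked and deliberately not learned
                self.edges[edge] = EdgeStats()
            stats = self.edges[edge]
            if (stats.windows_seen and not self.learning()
                    and n > self.spike_factor * stats.rate_ema + self.min_margin):
                alerts.append(("rate_spike", edge, n))
                continue            # a spike must not drag the baseline up
            stats.rate_ema = (float(n) if stats.windows_seen == 0 else
                              (1 - self.alpha) * stats.rate_ema + self.alpha * n)
            stats.windows_seen += 1
        for edge, stats in self.edges.items():  # silent edges decay: gradual drift
            if edge not in counts and stats.windows_seen:
                stats.rate_ema *= 1 - self.alpha
        self.windows_done += 1
        return alerts

    def describe(self):
        """The human-readable model: one line per allowed edge and its baseline."""
        return [f"{s} -> {d}.{op}: ~{st.rate_ema:.1f} calls per {self.window:g} s"
                for (s, d, op), st in sorted(self.edges.items())]


def run_detector(events, detector=None):
    """Bucket events into windows, feed them in order and collect all alerts."""
    detector = detector or CommGraphDetector()
    by_window = defaultdict(list)
    for ev in events:
        by_window[int(ev[0] // detector.window)].append(ev)
    alerts = []
    for idx in sorted(by_window):   # windows with no events at all are skipped
        alerts.extend(detector.process_window(by_window[idx]))
    return detector, alerts


if __name__ == "__main__":
    det, found = run_detector(SAMPLE_EVENTS)
    print(*found, *det.describe(), sep="\n")
```

Edges seen during the bootstrap windows form the initial whitelist; after that, an edge missing from the graph is reported and blocked rather than learned, so an attacker cannot teach the model a new path simply by using it, while the per-edge rate baseline keeps following gradual change (concept drift) and refuses to absorb sudden spikes. `describe()` renders the model as one line per edge, which is the human-readable form the abstract calls for. On the constructed log the detector reports the lightbulb's first call to the storage service and the app's burst of 40 thermostat reads, and nothing else.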
Article (full text available)
Security problems in environments hosting Internet-of-Things (IoT) devices have become apparent, as traditional signature-based anomaly detection techniques fail to secure them due to complex device-to-device (D2D) interactions and heterogeneous traffic patterns. To tackle this emerging security disparity, we propose IoT-KEEPER, a two-tier platform for securing IoT communications within and across edge networks. Specifically, IoT-KEEPER secures not only the device-to-infrastructure (Internet) communication, but also D2D communications between devices within edge networks. Different from existing offline solutions that perform network traffic classification over already collected data, IoT-KEEPER continuously inspects the network to identify any suspicious activities and enforces the security policies needed to block such activities. Unlike legacy solutions such as firewalls and NIDS, IoT-KEEPER is able to detect and block anomalous activities in the network with its feature-based clustering framework in real time, without requiring explicit traffic signatures or additional hardware installation. We have deployed a real-world testbed to demonstrate that IoT-KEEPER can identify misbehaving IoT devices based on their network activity with high accuracy, and enforce security policies to isolate such devices in real time. IoT-KEEPER is lightweight and responsive, and effectively handles complex D2D interactions without requiring explicit attack signatures or sophisticated hardware.
Article (full text available)
Security experts have demonstrated numerous risks imposed by Internet of Things (IoT) devices on organizations. Due to the widespread adoption of such devices, their diversity, standardization obstacles, and inherent mobility, organizations require an intelligent mechanism capable of automatically detecting suspicious IoT devices connected to their networks. In particular, devices not included in a whitelist of trustworthy IoT device types (allowed to be used within the organizational premises) should be detected. In this research, Random Forest, a supervised machine learning algorithm, was applied to features extracted from network traffic data with the aim of accurately identifying IoT device types from the whitelist. To train and evaluate multi-class classifiers, we collected and manually labeled network traffic data from 17 distinct IoT devices, representing nine types of IoT devices. Based on the classification of 20 consecutive sessions and the use of a majority rule, IoT device types that are not on the whitelist were correctly detected as unknown in 96% of test cases (on average), and whitelisted device types were correctly classified by their actual types in 99% of cases. Some IoT device types were identified more quickly than others (e.g., sockets and thermostats were successfully detected within five TCP sessions of connecting to the network). Perfect detection of unauthorized IoT device types was achieved upon analyzing 110 consecutive sessions; perfect classification of whitelisted types required 346 consecutive sessions, 110 of which resulted in 99.49% accuracy. Further experiments demonstrated the successful applicability of classifiers trained in one location and tested in another. In addition, a discussion is provided regarding the resilience of our machine learning-based IoT whitelisting method to adversarial attacks.
Article
The deterministic and restricted nature of industrial control system networks sets them apart from more open networks, such as local area networks in office environments. This improves the usability of network security monitoring approaches that would be less feasible in more open environments. One such approach is machine learning based anomaly detection. Without proper customization for the special requirements of the industrial control system network environment, many existing anomaly or misuse detection systems will perform sub-optimally. A machine learning based approach could reduce the amount of manual customization required for different industrial control system networks. In this paper we analyze a possible set of features to be used in a machine learning based anomaly detection system in the real-world industrial control system network environment under investigation. The network under investigation is represented by an architectural drawing and by results derived from network trace analysis. The network trace is captured from a live running industrial process control network and includes both control data and the data flowing between the control network and the office network. We limit the investigation to the IP traffic in the traces.
Conference Paper
Data summarization is an important technique to understand large datasets and discover useful patterns. In this paper we formulate the problem of summarizing network flow data to discover periodic communication behavior. An efficient implementation method for discovering periodic patterns is described, and it has successfully discovered such patterns in simulated and real applications.
Article
Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatically learn traffic models that capture the periodic patterns. The feasibility of the approach is demonstrated using three traffic traces collected from real-world industrial networks. Two practical applications for the learned models are presented. The first is their use in intrusion detection systems; the learned models represent whitelists of valid commands and the frequencies at which they are sent; thus, the models may be used to detect data injection and denial-of-service attacks. The second application is to generate synthetic traffic traces, which can be used to test intrusion detection systems and evaluate the performance of industrial control devices.
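As an added example of the periodic-pattern learning described in the last two entries (not code from either paper), the following learns, per (source, destination, command), the period of repeated messages from a clean trace and then checks a later trace against it: a message type absent from the learned whitelist is reported as possible injection, a gap far below the learned period as a flood or replay, and a gap far above it as a missed poll. The Modbus-style command names, the hosts, the 10 % periodicity criterion, the tolerance rule and both traces are constructed assumptions.

```python
# Added example (not code from either paper): learn the period of repeated
# messages per (source, destination, command) and use the learned periods plus
# the command whitelist to flag injected messages, floods and missed polls.
# Hosts, commands, thresholds and both traces are constructed for illustration.
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


def periodic(src, dst, cmd, period, n, t0=0.0, jitter=0.03):
    """Constructed polling trace: n messages every `period` s, +/- jitter."""
    return [(t0 + i * period + (jitter if i % 2 else -jitter), src, dst, cmd)
            for i in range(n)]


# Learning trace: an HMI polls two PLCs; an operator station writes now and then.
LEARNING_TRACE = (
    periodic("hmi", "plc1", "read_holding_registers", 1.0, 31)
    + periodic("hmi", "plc2", "read_coils", 2.0, 15)
    + [(t, "scada", "plc1", "write_single_register") for t in (3.0, 17.0, 19.0)]
)

# Test trace: normal polling, a burst of five extra reads of plc1 around
# t=105 s, one missed poll of plc2 and a write from a host never seen before.
TEST_TRACE = (
    periodic("hmi", "plc1", "read_holding_registers", 1.0, 11, t0=100.0)
    + [(105.1 + 0.1 * k, "hmi", "plc1", "read_holding_registers") for k in range(5)]
    + [(t, "hmi", "plc2", "read_coils") for t in (100.0, 102.0, 104.0, 108.0, 110.0)]
    + [(103.0, "scada", "plc1", "write_single_register"),
       (104.5, "engineering_ws", "plc1", "write_multiple_registers")]
)


@dataclass
class Pattern:
    period: Optional[float]   # None: allowed message without a stable period
    tolerance: float          # accepted deviation of one gap from the period
    samples: int


def gaps_per_message(trace):
    """Inter-arrival gaps of each (src, dst, command), in time order."""
    times = defaultdict(list)
    for t, src, dst, cmd in trace:
        times[(src, dst, cmd)].append(t)
    result = {}
    for key, ts in times.items():
        ts.sort()
        result[key] = [b - a for a, b in zip(ts, ts[1:])]
    return result


def learn(trace, min_gaps=4, min_score=0.9):
    """Whitelist every observed message; attach a period where at least
    min_score of the gaps lie within 10 % of the median gap."""
    model = {}
    for key, gaps in gaps_per_message(trace).items():
        samples = len(gaps) + 1
        if len(gaps) < min_gaps:
            model[key] = Pattern(None, 0.0, samples)
            continue
        period = statistics.median(gaps)
        deviations = [abs(g - period) for g in gaps]
        score = sum(d <= 0.1 * period for d in deviations) / len(gaps)
        if score < min_score:
            model[key] = Pattern(None, 0.0, samples)     # known but aperiodic
            continue
        tolerance = max(2 * max(deviations), 0.1 * period)
        model[key] = Pattern(period, tolerance, samples)
    return model


def detect(model, trace):
    """Return (kind, key, detail) alerts for a trace checked against the model."""
    alerts = []
    for key, gaps in gaps_per_message(trace).items():
        pattern = model.get(key)
        if pattern is None:             # message type never seen: injection
            alerts.append(("unknown_message", key, len(gaps) + 1))
            continue
        if pattern.period is None:      # allowed, but no period to compare with
            continue
        for g in gaps:
            if g < pattern.period - pattern.tolerance:
                alerts.append(("too_fast", key, round(g, 3)))   # flood or replay
            elif g > pattern.period + pattern.tolerance:
                alerts.append(("too_slow", key, round(g, 3)))   # missed poll, DoS
    return alerts


if __name__ == "__main__":
    learned = learn(LEARNING_TRACE)
    for key, pat in learned.items():
        print(key, "periodic" if pat.period else "aperiodic", pat)
    for alert in detect(learned, TEST_TRACE):
        print(alert)
```

The learning step also records messages that repeat without a stable period (here the operator's writes), so they stay allowed without a timing check. On the constructed test trace this yields one unknown-message alert for the engineering workstation's write, six too-fast gaps for the burst of reads on plc1 and one too-slow gap for the missed poll of plc2. With real traces the learning capture must itself be clean, since anything seen during learning becomes part of the whitelist.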