
Abstract

In Internet of Things (IoT) systems, information of various kinds is continuously captured, processed, and transmitted by systems generally interconnected by the Internet and distributed solutions. Attacks to capture information and overload services are common. This fact makes security techniques indispensable in IoT environments. Intrusion detection is one of the vital security points, aimed at identifying attempted attacks. The characteristics of IoT devices make it impossible to apply these solutions in this environment. Also, the existing anomaly-based methods for multiclass detection do not present acceptable accuracy. We present an intrusion detection architecture that operates in the fog computing layer. It has two steps and aims to classify events into specific types of attacks or non-attacks, for the execution of countermeasures. Our work presents a relevant contribution to the state of the art in this aspect. We propose a hybrid binary classification method called DNN-kNN. It has high accuracy and recall rates and is ideal for composing the first level of the two-stage detection method of the presented architecture. The approach is based on Deep Neural Networks (DNN) and the k-Nearest Neighbor (kNN) algorithm. It was evaluated with the public databases NSL-KDD and CICIDS2017. We used the method of selecting attributes based on the rate of information gain. The approach proposed in this work obtained 99.77% accuracy for the NSL-KDD dataset and 99.85% accuracy for the CICIDS2017 dataset. The experimental results showed that the proposed hybrid approach was able to achieve greater precision than classic machine learning approaches and recent advances in intrusion detection for IoT systems. In addition, the approach works with low overhead in terms of memory and processing costs.
7/14/2020 Hybrid approach to intrusion detection in fog-based IoT environments - ScienceDirect
https://www.sciencedirect.com/science/article/abs/pii/S1389128619315439?via%3Dihub 1/5
Computer Networks
Volume 180, 24 October 2020, 107417
Hybrid approach to intrusion detection in fog-based IoT environments
Cristiano Antonio de Souza, Carlos Becker Westphall, Renato Bobsin Machado, João Bosco Mangueira Sobral, Gustavo dos Santos Vieira
https://doi.org/10.1016/j.comnet.2020.107417
Keywords
Internet of things; Intrusion detection; Fog computing; Machine learning
Research data for this article
for download under theCC BY NC 3.0 licence
Data for: Hybrid Approach for Intrusion Detection for Fog-Based IoT Environments
This dataset presents the code for the proposed hybrid intrusion detection method combining with Artificial Neural
Networks (ANN) and K-Nearest Neighbor (KNN).
Dataset
DNN-kNN.txt
DNN-kNN_training.txt
Cristiano Antonio de Souza is a PhD student in Computer Science at the Federal University of Santa Catarina (UFSC).
He holds a degree in Computer Science from the State University of Western Paraná (2015). Master in Electrical
Engineering and Computer Science from the State University of Western Paraná (2018). Participates in research
groups: Research Group on Information Security, Networks and Systems (CNPq-UFSC); and Computational Security
Research Group (CNPq-UNIOESTE). His research interests focus on network security, intrusion detection and artificial
intelligence.
Carlos Becker Westphall is Full Professor (since 1993) at the Federal University of Santa Catarina - Brazil, where he
acts as the leader of the Network and Management Laboratory and also coordinates some projects funded by the
Brazilian National Research Council (CNPq). Obtained a degree in Electrical Engineering in 1985 and a M.Sc. degree
in Computer Science in 1988, both at the Federal University of Rio Grande do Sul, Brazil. Obtained a D.Sc. degree in
Computer Science (Network Management) at the University of Toulouse (Université Toulouse III - Paul Sabatier),
France, in 1991. Editorial board member of periodicals and technical program and/or organizing committee member
of conferences. He was the founder of LANOMS. He has contributed to Elsevier as editorial board member of the
“Computer Networks Journal”; to Springer as board of editors and senior technical editor of the “Journal of Network
and Systems Management”. He acted as a local group coordinator in the European MAX/ESPRIT II project which
involved the Alcatel- TITN, British Telecom, HP, CSELT, SIRTI and NKT Companies. Best paper of CLEI 2011. Awarded
“International Academy, Research, and Industry Association” Fellow (award plaque), in 2011. Paper at IEEE ComSoc
Technology News, in 2012. Achievement award - tutorial at WorldComp 2013. Awarded - best paper of ICN 2013. IEEE
Communications Society 20 years member (Certificate of Appreciation), in 2014.
Renato Bobsin Machado Graduated in Computer Science from the State University of Western Paraná (1998), master’s
degree in Computer Science from the Federal University of Santa Catarina (2005) and a PhD in Sciences from the State
University of Campinas (2013). He is currently a professor and researcher at the State University of Western Paraná,
working in the Graduate Program in Electrical and Computer Engineering (PGEEC). Conducts research in the areas of
computer security, intrusion detection, cryptographic methods, distributed systems and data communication. He
coordinates the Laboratory for Research in Computational Security (LaPSeC) and participates in research groups:
Research Group on Information Security, Networks and Systems (CNPq-UFSC); and Computational Security Research
Group (CNPq-UNIOESTE).
João Bosco Mangueira Sobral Graduated in Mathematics at the Institute of Mathematics at Federal University of Rio
de Janeiro (1973). He holds a master’s degree from the Systems and Computation Program at COPPE/UFRJ (1977) and
a PhD in the Electrical Engineering Program of COPPE/UFRJ (1996). He is a Full Professor at Federal University of
Santa Catarina. He is currently coordinator of the Research Group on Information Security, Networks and Systems
(CNPq-UFSC). His area of interest in research is information security and networks.
Gustavo dos Santos Vieira holds a M.S degree in Electrical Engineering and Computer Science from the State
University of Western Paraná (2020). Graduated in Computer Science at the State University of Western Paraná (2016).
Participates in research groups: Research Group on Information Security, Networks and Systems (CNPq-UFSC); and
Computational Security Research Group (CNPq-UNIOESTE). He develops researches in the areas of Information
Security, Networks and Systems with a focus on computational intelligence applied in the detection of intrusion in
computer networks.
© 2020 Elsevier B.V. All rights reserved.
... In [10], a two-phase method, including binary and multiclass detection based on a two-layer deep neural network, is designed. The proposed method is implemented on NSL-KDD and CICIDS2017, which has performed better than other methods. ...
... The eighth step in the CSA is the fifth local search expressed in Equation (10). In this regard, the parameter τ plays a vital role in generating new solutions or local searches of the CapSA algorithm. ...
... The first test is related to the evaluation of BMECapSA in selecting effective features on the NSL-KDD dataset, i.e., the non-dominated solutions stored in the archive and examined in the last iteration of BME-CapSA regarding the number of selected features and accuracy. The results of the feature selection process are shown in Table 5.
Table 5 (columns: No.; number of selected features; selected features; accuracy)
[No. and number of features not present for this row]; service, src_bytes, hot, num_shells, srv_count, serror_rate, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_rerror_rate; 99.44
8; 10; service, src_bytes, hot, count, srv_count, serror_rate, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_rerror_rate; 99.50
9; 11; service, src_bytes, hot, num_shells, count, srv_count, serror_rate, srv_diff_host_rate, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_rerror_rate; 99.51
10; 13; duration, service, src_bytes, dst_bytes, su_attempted, is_host_login, srv_count, diff_srv_rate, dst_host_count, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_serror_rate, dst_host_srv_serror_rate; 99.54
11; 18; duration, protocol_type, service, flag, src_bytes, dst_bytes, hot, num_root, is_host_login, srv_count, rerror_rate, diff_srv_rate, dst_host_count, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_srv_rerror_rate; 99.58
12; 26; duration, protocol_type, service, flag, src_bytes, dst_bytes, land, su_attempted, num_root, num_access_files, is_host_login, count, srv_count, srv_serror_rate, srv_rerror_rate, same_srv_rate, diff_srv_rate, srv_diff_host_rate, dst_host_count, dst_host_srv_count, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_srv_rerror_rate; 99.58
As shown in Table 5, the BMECapSA method with different sizes (the number of selected features with different accuracies) can effectively identify important features and remove redundant features. In general, we can choose any step as the final solution. ...
... There are various attacks present which target IoT devices, such Mirai, Hajime, Hide and Seek, Bashlite, Tsunami, Brickerbot, and Luabot. There have been various attacks Various Machine Learning algorithms are applied to perform NIDS such as Artificial Neural Networks (ANN) [10], K-Nearest Neighbor (KNN) [11], Naive Bayesian (NB), and Support Vector Machine (SVM) [12]. However, the algorithms require the data to process the missing values of unstable results, and they run slowly because of the large amount of data. ...
... Designing a security framework for the IoT application is a problematic task because of the dynamic IoT network nature. Various Machine Learning algorithms are applied to perform NIDS such as Artificial Neural Networks (ANN) [10], K-Nearest Neighbor (KNN) [11], Naive Bayesian (NB), and Support Vector Machine (SVM) [12]. However, the algorithms require the data to process the missing values of unstable results, and they run slowly because of the large amount of data. ...
... Based on this modification, the hierarchical PSO has the ability to explore SMO to produce the variants with its strength. The PSO and SMO variants are combined, updating the velocity as proposed in Equations (10) and (11) v k+1 ...
Article
The Internet of Things (IoT) network integrates physical objects such as sensors, networks, and electronics with software to collect and exchange data. Physical objects with a unique IP address communicate with external entities over the internet to exchange data in the network. Due to a lack of security measures, these network entities are vulnerable to severe attacks. To address this, an efficient security mechanism for dealing with the threat and detecting attacks is necessary. The proposed hybrid optimization approach combines Spider Monkey Optimization (SMO) and Hierarchical Particle Swarm Optimization (HPSO) to handle the huge amount of intrusion data classification problems and improve detection accuracy by minimizing false alarm rates. After finding the best optimum values, the Random Forest Classifier (RFC) was used to classify attacks from the NSL-KDD and UNSW-NB 15 datasets. The SVM model obtained accuracy of 91.82%, DT of 98.99%, and RFC of 99.13%, and the proposed model obtained 99.175% for the NSL-KDD dataset. Similarly, SVM obtained accuracy of 85.88%, DT of 88.87%, RFC of 91.65%, and the proposed model obtained 99.18% for the UNSW NB-15 dataset. The proposed model achieved accuracy of 99.175% for the NSL-KDD dataset which is higher than the state-of-the-art techniques such as DNN of 97.72% and Ensemble Learning at 85.2%.
... A novel intrusion detection technique implementing both multi-objective genetic algorithm (NSGA-II) and artificial neural network (ANN) along with decision tree-based random forest classifier for effective detection of anomalies in the network was proposed in [38]. The activity of the log data is mapped using the algorithm as heuristic miner in [39]. ...
... The comparison results show that the proposed 3LIDS-CGAN achieves high accuracy compared to other existing models. For instance [38] consider two datasets for intrusion detection still do not detect real-time intrusion thus reducing accuracy and attack detection rate. Table 10 illustrates the numerical analysis of accuracy. ...
Article
Security threat protection is important in the internet of things (IoT) applications since both the connected device and the captured data can be hacked or hijacked or both at the same time. To tackle the above-mentioned problem, we proposed three-level intrusion detection system conditional generative adversarial network (3LIDS-CGAN) model which includes four phases such as first-level intrusion detection system (IDS), second-level IDS, third-level IDS, and attack type classification. In first-level IDS, features of the incoming packets are extracted by the firewall. Based on the extracted features the packets are classified into three classes such as normal, malicious, and suspicious using support vector machine and golden eagle optimization. Suspicious packets are forwarded to the second-level IDS which classified the suspicious packets as normal or malicious. Here, signature-based intrusions are detected using attack history information, and anomaly-based intrusions are detected using event-based semantic mapping. In third-level IDS, adversary packets are detected using CGAN which automatically learns the adversarial environment and detects adversary packets accurately. Finally, proximal policy optimization is proposed to detect the attack type. Experiments are conducted using the NS-3.26 network simulator and performance is evaluated by various performance metrics which results that the proposed 3LIDS-CGAN model outperforming other existing works.
Article
E-commerce, often known as electronic commerce, is the purchasing and selling of goods over the internet using electronic devices to share data. Banks and other financial institutions are frequently added as third-party platforms to traditional e-commerce platforms. As a result, it raises issues with integrity and cyber security. We suggest a deep learning-based strategy called the Hybrid Interactive Autodidactic School-Based Teaching-Learning Optimization (HIASTLO) algorithm to address these issues. The IoT-based e-commerce blockchain is used to extract and reject the various cyberattacks in the network, and deep learning is utilised to improve the weight and bias of the neural networks. We used a variety of performance indicators, including accuracy, precision, and recall, to identify cyberattacks. We also evaluated how well our work performed when compared to previous BSIoTNET, BCFC, DRNN, DNN-KNN, MOO-FS, LRNN, and HDLM efforts. Furthermore, MudraChain and NormaChain are used to examine the transaction time of our suggested task. The results show that our suggested work performs better than any other methods and offers highly secure internet services.
Article
The impetuous expansion of the Internet of Things (IoT) network has resulted in a noticeable increase in the production of sensitive user data. With this, to meet the demand for real-time response, a processing layer is introduced near the user end which is known as the fog computing layer. The fog layer lies in the user’s vicinity and thus highly attracts malicious and/or curious intruders. As a result, the trust of the network gets negatively impacted. Motivated by the aforementioned issue, the authors consider Reputation-based trust and propose a RepuTE Framework in the Fog-IoT domain. The given framework consists of a soft voting ensemble learning model that classifies and predicts two popular reputation-based attacks namely, DoS/ DDoS and Sybil attacks. Furthermore, a novel feature selection technique is also presented that selects the most relevant features well in advance. The performance evaluation is done on NSL-KDD, CICDDOS2019, IoTID20, NBaIoT2018, TON_IoT, and UNSW_NB15 benchmarked IoT and network traffic datasets. The comprehensive performance analysis depicts that the proposed model attains 99.99% accuracy and outperforms other recent state-of-the-art works. This indicates the potential of the proposed approach for reputation-based attack filtration in the IoT domain.
Chapter
Development of latest technologies creates human life more convenient and easier. However, along with such technological advancements, several complications are generated in various segments. Network security also experiences inconvenient situations those are literally originated from infinite number of complex intrusions. A network intrusion detection system (NIDS) is an advanced and revolutionary system that has been established to resolve the problematic behaviors of the networking environment through accurate detection of unidentified attacks. Several methods and techniques have been taken active part for the development of an ideal NIDS but merging with deep learning technologies, NIDS achieves miracle performance against various intrusive activities in the security domain. In this paper, we serialize and present an adequate number of existing deep learning-based NIDSs in the Internet of things (IoT), cloud, fog, and edge networks domain. Different NIDS approaches along with their utilization, advantages, and restrictions are perfectly described in this paper so that people can achieve proper and detailed knowledge of security issues in the above-mentioned networks.
Chapter
The Internet of Things (IoT) is a collection of connected computing devices that includes several of our everyday gadgets which allow data to be transferred over the network. The IoT system has its application in various fields including, transportation, smart home, hospitals, smart grid, etc. The ability of devices connected to the web makes them exposed to multiple security intrusions and affects the security traits of the system. Hence, it is vital to investigate intrusion techniques in the IoT context to prevent or identify these intrusions. The primary focus of this review is on intrusion detection systems (IDS) for the IoT system. Therefore, this paper presents a comprehensive review of the latest IDS schemes for the IoT system designed using intelligence techniques, including machine learning, deep learning, and bio-inspired learning. The issues and challenges faced by the IoT-based IDS are presented. Finally, the comparative study and discussion on reviewed IDS scheme are described.
Keywords: IoT; IDS; Machine learning; Bio-inspired learning; Deep learning
Article
In recent years, machine learning-based intrusion detection systems (IDSs) have proven to be effective; especially, deep neural networks improve the detection rates of intrusion detection models. However, as models become more and more complex, people can hardly get the explanations behind their decisions. At the same time, most of the works about model interpretation focuses on other fields like computer vision, natural language processing, and biology. This leads to the fact that in practical use, cybersecurity experts can hardly optimize their decisions according to the judgments of the model. To solve these issues, a framework is proposed in this paper to give an explanation for IDSs. This framework uses SHapley Additive exPlanations (SHAP), and combines local and global explanations to improve the interpretation of IDSs. The local explanations give the reasons why the model makes certain decisions on the specific input. The global explanations give the important features extracted from IDSs, present the relationships between the feature values and different types of attacks. At the same time, the interpretations between two different classifiers, one-vs-all classifier and multiclass classifier, are compared. NSL-KDD dataset is used to test the feasibility of the framework. The framework proposed in this paper leads to improve the transparency of any IDS, and helps the cybersecurity staff have a better understanding of IDSs’ judgments. Furthermore, the different interpretations between different kinds of classifiers can also help security experts better design the structures of the IDSs. More importantly, this work is unique in the intrusion detection field, presenting the first use of the SHAP method to give explanations for IDSs.
Article
Network traffic anomaly detection is an important technique of ensuring network security. However, there are usually three problems with existing machine learning based anomaly detection algorithms. First, most of the models are built for stale data sets, making them less adaptable in real-world environments; Second, most of the anomaly detection algorithms do not have the ability to learn new models again based on changes in the attack environment; Third, from the perspective of data multi-dimensionality, a single detection algorithm has a peak value and cannot be well adapted to the needs of a complex network attack environment. Thus, we propose a new anomaly detection framework, and this framework is based on the organic integration of multiple deep learning techniques. In the first step, we used the Damped Incremental Statistics algorithm to extract features from network traffic; Second, we train Autoencoder with a small amount of label data; Third, we use Autoencoder to mark the abnormal score of network traffic; Fourth, the data with the abnormal score label is used to train the LSTM; Finally, the weighted method is used to get the final abnormal score. The experimental results show that our HELAD algorithm has better adaptability and accuracy than other state of the art algorithms.
Conference Paper
Intrusion Detection System (IDS) can identify the malicious exercises and anomalies in the network and present robust protection for the network systems. Also, clustering of attacks in IDS is important for defining defense policies. Identifying appropriate number of clusters is one of the issues that several scholars in literature are dealing with it. Hence, finding the optimal value for a number of clusters is always essential. On the other hand, with the emergence of the Internet of Everything (IoE) in modern IT technologies, the volume of the produced data in the network rises exponentially. Thus, detecting the malicious network traffic and adversaries is a huge burden to IDS. Motivated by these considerations, in this paper, we design an architecture to tackle the clustering problem in IDS and propose an automatic clustering algorithm considering two basic concepts of clustering, which are coherence and separation. In the automatic clustering method, we try to find clusters with the most similarity between cluster elements and the least similarity between elements of two clusters. After identifying two different types of an objective function, based on the above concepts, we try to find the best solutions by the help of Artificial Bee Colony (ABC), Particle Swarm Optimization (PSO), and Differential Evolution (DE). Comparison of the results shows that the proposed method with any type of the introduced optimization algorithm has low average number of evaluations functions, high accuracy, and low computation cost.
Article
The appealing features of Cloud Computing continue to fuel its adoption and its integration in many sectors such industry, governments, education and entertainment. Nevertheless, uploading sensitive data to public cloud storage services poses security risks such as integrity, availability and confidentiality to organizations. Moreover, the open and distributed (decentralized) structure of the cloud has resulted this class of computing, prone to cyber attackers and intruders. Thereby, it is imperative to develop an anomaly network intrusion system to detect and prevent both inside and outside assaults in cloud environment with high detection precision and low false warnings. In this work, we propose an intelligent approach to build automatically an efficient and effective Deep Neural Network (DNN) based anomaly Network IDS using a hybrid optimization framework (IGASAA) based on Improved Genetic Algorithm (IGA) and Simulated Annealing Algorithm (SAA). The IDS resulted is called “MLIDS” (Machine Learning based Intrusion Detection System). Genetic Algorithm (GA) is improved through optimization strategies, namely Parallel Processing and Fitness Value Hashing, which reduce execution time, convergence time and save processing power. Moreover, SAA was incorporated to IGA with the aim to optimize its heuristic search. Our approach consists of using IGASAA in order to search the optimal or near-optimal combination of most relevant values of the parameters included in construction of DNN based IDS or impacting its performance, like feature selection, data normalization, architecture of DNN, activation function, learning rate and Momentum term, which ensure high detection rate, high accuracy and low false alarm rate. For simulation and validation of the proposed method, CloudSim 4.0 simulator platform and three benchmark IDS datasets were used, namely CICIDS2017, NSL-KDD version 2015 and CIDDS-001. 
The implementation results of our model demonstrate its ability to detect intrusions with high detection accuracy and low false alarm rate, and indicate its superiority in comparison with state-of-the-art methods.