RDTIDS: Rules and Decision Tree-Based Intrusion Detection System for Internet-of-Things Networks

A detailed study of resampling algorithms for cyberattack classification in engineering applications

The evolution of engineering applications is highly relevant in the context of protecting industrial systems. As industries are increasingly interconnected, the need for robust cybersecurity measures becomes paramount. Engineering informatics not only provides tools for knowledge representation and extraction but also affords a comprehensive spectrum of developing sophisticated cybersecurity solutions. However, safeguarding industrial systems poses a unique challenge due to the inherent heterogeneity of data within these environments. Together with this problem, it's crucial to acknowledge that datasets that simulate real cyberattacks within these diverse environments exhibit a high imbalance, often skewed towards certain types of traffics. This study proposes a system for addressing class imbalance in cybersecurity. To do this, three oversampling (SMOTE, Borderline1-SMOTE, and ADASYN) and five undersampling (random undersampling, cluster centroids, NearMiss, repeated edited nearest neighbor, and Tomek Links) methods are tested. Particularly, these balancing algorithms are used to generate one-vs-rest binary models and to develop a two-stage classification system. By doing so, this study aims to enhance the efficacy of cybersecurity measures ensuring a more comprehensive understanding and defense against the diverse range of threats encountered in industrial environments. Experimental results demonstrates the effectiveness of proposed system for cyberattack detection and classification among nine widely known cyberattacks.

An Adaptive Intrusion Detection System in the Internet of Medical Things Using Fuzzy-Based Learning

The Internet of Medical Things (IoMT) is a growing trend within the rapidly expanding Internet of Things, enhancing healthcare operations and remote patient monitoring. However, these devices are vulnerable to cyber-attacks, posing risks to healthcare operations and patient safety. To detect and counteract attacks on the IoMT, methods such as intrusion detection systems, log monitoring, and threat intelligence are utilized. However, as attackers refine their methods, there is an increasing shift toward using machine learning and deep learning for more accurate and predictive attack detection. In this paper, we propose a fuzzy-based self-tuning Long Short-Term Memory (LSTM) intrusion detection system (IDS) for the IoMT. Our approach dynamically adjusts the number of epochs and utilizes early stopping to prevent overfitting and underfitting. We conducted extensive experiments to evaluate the performance of our proposed model, comparing it with existing IDS models for the IoMT. The results show that our model achieves high accuracy, low false positive rates, and high detection rates, indicating its effectiveness in identifying intrusions. We also discuss the challenges of using static epochs and batch sizes in deep learning models and highlight the importance of dynamic adjustment. The findings of this study contribute to the development of more efficient and accurate IDS models for IoMT scenarios.

Plant and Salamander Inspired Network Attack Detection and Data Recovery Model

The number of users of the Internet has been continuously rising, with an estimated 5.1 billion users in 2023, which comprises around 64.7% of the total world population. This indicates the rise of more connected devices to the network. On average, 30,000 websites are hacked daily, and nearly 64% of companies worldwide experience at least one type of cyberattack. As per IDC's 2022 Ransomware study, two-thirds of global organizations were hit by a ransomware attack that year. This creates the desire for a more robust and evolutionary attack detection and recovery model. One aspect of the study is the bio-inspiration models. This is because of the natural ability of living organisms to withstand various odd circumstances and overcome them with an optimization strategy. In contrast to the limitations of machine learning models with the need for quality datasets and computational availability, bio-inspired models can perform in low computational environments, and their performances are designed to evolve naturally with time. This study concentrates on exploring the evolutionary defence mechanism in plants and understanding how plants react to any known external attacks and how the response mechanism changes to unknown attacks. This study also explores how regenerative models, such as salamander limb regeneration, could build a network recovery system where services could be automatically activated after a network attack, and data could be recovered automatically by the network after a ransomware-like attack. The performance of the proposed model is compared to open-source IDS Snort and data recovery systems such as Burp and Casandra.

A hybrid deep learning-based intrusion detection system for IoT networks

The Internet of Things (IoT) is a rapidly evolving technology with a wide range of potential applications, but the security of IoT networks remains a major concern. The existing system needs improvement in detecting intrusions in IoT networks. Several researchers have focused on intrusion detection systems (IDS) that address only one layer of the three-layered IoT architecture, which limits their effectiveness in detecting attacks across the entire network. To address these limitations, this paper proposes an intelligent IDS for IoT networks based on deep learning algorithms. The proposed model consists of a recurrent neural network and gated recurrent units (RNN-GRU), which can classify attacks across the physical, network, and application layers. The proposed model is trained and tested using the ToN-IoT dataset, specifically collected for a three-layered IoT system, and includes new types of attacks compared to other publicly available datasets. The performance analysis of the proposed model was carried out by a number of evaluation metrics such as accuracy, precision, recall, and F1-measure. Two optimization techniques, Adam and Adamax, were applied in the evaluation process of the model, and the Adam performance was found to be optimal. Moreover, the proposed model was compared with various advanced deep learning (DL) and traditional machine learning (ML) techniques. The results show that the proposed system achieves an accuracy of 99% for network flow datasets and 98% for application layer datasets, demonstrating its superiority over previous IDS models.

An efficient feature selection and classification approach for an intrusion detection system using Optimal Neural Network

Network flaws are used by hackers to get access to private systems and data. This data and system access may be extremely destructive with losses. Therefore, this network intrusions detection is utmost significance. While investigating every feature set in the network, deep learning-based algorithms require certain inputs. That’s why, an Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm is proposed for network intrusions detection (IDS-AANN-OCSA). The proposed method includes several phases, including feature selection, preprocessing, data acquisition, and classification. Here, the datas are gathered via CICIDS 2017 dataset. The datas are fed to pre-processing. During pre-processing, redundancy eradication and missing value replacement is carried out with the help of random forest along Local least squares for removing uncertainties. The pre-processed datas are fed to feature selection to select better features. The feature selection is accomplished under hybrid genetic algorithm together with particle swarm optimization technique (GPSO). The selected features are fed to adaptive artificial neural network (AANN) for categorization which categorizes the data as BENIGN, DOS Hulk, PortScan, DDoS, DoS Golden Eye. Finally, the hyper parameter of adaptive artificial neural network is tuned with Oppositional Crow Search Algorithm (OCSA) helps to gain better classification of network intrusions. The proposed approach is activated in Python, and its efficiency is evaluated with certain performance metrics, like accuracy, recall, specificity, precision, F score, sensitivity. The performance of proposed approach achieves better accuracy 99.75%, 97.85%, 95.13%, 98.79, better sensitivity 96.34%, 91.23%, 89.12%, 87.25%, compared with existing methods, like One-Dimensional Convolutional Neural Network Based Deep Learning for Network Intrusion Detection (IDS-CNN-GPSO), An innovative network intrusion detection scheme (IDS-CNN-LSTM) and Application of deep learning to real-time Web intrusion detection (IDS-CNN-ML-AIDS) methods respectively.

Fog-Assisted Deep-Learning-Empowered Intrusion Detection System for RPL-Based Resource-Constrained Smart Industries

The Internet of Things (IoT) is a prominent and advanced network communication technology that has familiarized the world with smart industries. The conveniently acquirable nature of IoT makes it susceptible to a diversified range of potential security threats. The literature has brought forth a plethora of solutions for ensuring secure communications in IoT-based smart industries. However, resource-constrained sectors still demand significant attention. We have proposed a fog-assisted deep learning (DL)-empowered intrusion detection system (IDS) for resource-constrained smart industries. The proposed Cuda-deep neural network gated recurrent unit (Cu-DNNGRU) framework was trained on the N-BaIoT dataset and was evaluated on judicious performance metrics, including accuracy, precision, recall, and F1-score. Additionally, the Cu-DNNGRU was empirically investigated alongside state-of-the-art classifiers, including Cu-LSTMDNN, Cu-BLSTM, and Cu-GRU. An extensive performance comparison was also undertaken among the proposed IDS and some outstanding solutions from the literature. The simulation results showed ample strength with respect to the validation of the proposed framework. The proposed Cu-DNNGRU achieved 99.39% accuracy, 99.09% precision, 98.89% recall, and an F1-score of 99.21%. In the performance comparison, the values were substantially higher than those of the benchmarked schemes, as well as competitive security solutions from the literature.

Meta-Heuristic Optimization Algorithm-Based Hierarchical Intrusion Detection System

Numerous network cyberattacks have been launched due to inherent weaknesses. Network intrusion detection is a crucial foundation of the cybersecurity field. Intrusion detection systems (IDSs) are a type of machine learning (ML) software proposed for making decisions without explicit programming and with little human intervention. Although ML-based IDS advancements have surpassed earlier methods, they still struggle to identify attack types with high detection rates (DR) and low false alarm rates (FAR). This paper proposes a meta-heuristic optimization algorithm-based hierarchical IDS to identify several types of attack and to secure the computing environment. The proposed approach comprises three stages: The first stage includes data preprocessing, feature selection, and the splitting of the dataset into multiple binary balanced datasets. In the second stage, two novel meta-heuristic optimization algorithms are introduced to optimize the hyperparameters of the extreme learning machine during the construction of multiple binary models to detect different attack types. These are combined in the last stage using an aggregated anomaly detection engine in a hierarchical structure on account of the model’s accuracy. We propose a software machine learning IDS that enables multi-class classification. It achieved scores of 98.93, 99.63, 99.19, 99.78, and 0.01, with 0.51 for average accuracy, DR, and FAR in the UNSW-NB15 and CICIDS2017 datasets, respectively.

Towards Developing a Robust Intrusion Detection Model Using Hadoop-Spark and Data Augmentation for IoT Networks

In recent years, anomaly detection and machine learning for intrusion detection systems have been used to detect anomalies on Internet of Things networks. These systems rely on machine and deep learning to improve the detection accuracy. However, the robustness of the model depends on the number of datasamples available, quality of the data, and the distribution of the data classes. In the present paper, we focused specifically on the amount of data and class imbalanced since both parameters are key in IoT due to the fact that network traffic is increasing exponentially. For this reason, we propose a framework that uses a big data methodology with Hadoop-Spark to train and test multi-class and binary classification with one-vs-rest strategy for intrusion detection using the entire BoT IoT dataset. Thus, we evaluate all the algorithms available in Hadoop-Spark in terms of accuracy and processing time. In addition, since the BoT IoT dataset used is highly imbalanced, we also improve the accuracy for detecting minority classes by generating more datasamples using a Conditional Tabular Generative Adversarial Network (CTGAN). In general, our proposed model outperforms other published models including our previous model. Using our proposed methodology, the F1-score of one of the minority class, i.e., Theft attack was improved from 42% to 99%.

IIoT Malware Detection Using Edge Computing and Deep Learning for Cybersecurity in Smart Factories

The smart factory environment has been transformed into an Industrial Internet of Things (IIoT) environment, which is an interconnected and open approach. This has made smart manufacturing plants vulnerable to cyberattacks that can directly lead to physical damage. Most cyberattacks targeting smart factories are carried out using malware. Thus, a solution that efficiently detects malware by monitoring and analyzing network traffic for malware attacks in smart factory IIoT environments is critical. However, achieving accurate real-time malware detection in such environments is difficult. To solve this problem, this study proposes an edge computing-based malware detection system that efficiently detects various cyberattacks (malware) by distributing vast amounts of smart factory IIoT traffic information to edge servers for deep learning processing. The proposed malware detection system consists of three layers (edge device, edge, and cloud layers) and utilizes four meaningful functions (model training and testing, model deployment, model inference, and training data transmission) for edge-based deep learning. In experiments conducted on the Malimg dataset, the proposed malware detection system incorporating a convolutional neural network with image visualization technology achieved an overall classification accuracy of 98.93%, precision of 98.93%, recall of 98.93%, and F1-score of 98.92%.

Enhanced Anomaly Detection System for IoT Based on Improved Dynamic SBPSO

The Internet of Things (IoT) supports human endeavors by creating smart environments. Although the IoT has enabled many human comforts and enhanced business opportunities, it has also opened the door to intruders or attackers who can exploit the technology, either through attacks or by eluding it. Hence, security and privacy are the key concerns for IoT networks. To date, numerous intrusion detection systems (IDS) have been designed for IoT networks, using various optimization techniques. However, with the increase in data dimensionality, the search space has expanded dramatically, thereby posing significant challenges to optimization methods, including particle swarm optimization (PSO). In light of these challenges, this paper proposes a method called improved dynamic sticky binary particle swarm optimization (IDSBPSO) for feature selection, introducing a dynamic search space reduction strategy and a number of dynamic parameters to enhance the searchability of sticky binary particle swarm optimization (SBPSO). Through this approach, an IDS was designed to detect malicious data traffic in IoT networks. The proposed model was evaluated using two IoT network datasets: IoTID20 and UNSW-NB15. It was observed that in most cases, IDSBPSO obtained either higher or similar accuracy even with less number of features. Moreover, IDSBPSO substantially reduced computational cost and prediction time, compared with conventional PSO-based feature selection methods.

Machine-Learning-Based DDoS Attack Detection Using Mutual Information and Random Forest Feature Importance Method

Cloud computing facilitates the users with on-demand services over the Internet. The services are accessible from anywhere at any time. Despite the valuable services, the paradigm is, also, prone to security issues. A Distributed Denial of Service (DDoS) attack affects the availability of cloud services and causes security threats to cloud computing. Detection of DDoS attacks is necessary for the availability of services for legitimate users. The topic has been studied by many researchers, with better accuracy for different datasets. This article presents a method for DDoS attack detection in cloud computing. The primary objective of this article is to reduce misclassification error in DDoS detection. In the proposed work, we select the most relevant features, by applying two feature selection techniques, i.e., the Mutual Information (MI) and Random Forest Feature Importance (RFFI) methods. Random Forest (RF), Gradient Boosting (GB), Weighted Voting Ensemble (WVE), K Nearest Neighbor (KNN), and Logistic Regression (LR) are applied to selected features. The experimental results show that the accuracy of RF, GB, WVE, and KNN with 19 features is 0.99. To further study these methods, misclassifications of the methods are analyzed, which lead to more accurate measurements. Extensive experiments conclude that the RF performed well in DDoS attack detection and misclassified only one attack as normal. Comparative results are presented to validate the proposed method.

An investigation and comparison of machine learning approaches for intrusion detection in IoMT network

Internet of Medical Things (IoMT) is network of interconnected medical devices (smart watches, pace makers, prosthetics, glucometer, etc.), software applications, and health systems and services. IoMT has successfully addressed many old healthcare problems. But it comes with its drawbacks essentially with patient's information privacy and security related issues that comes from IoMT architecture. Using obsolete systems can bring security vulnerabilities and draw attacker's attention emphasizing the need for effective solution to secure and protect the data traffic in IoMT network. Recently, intrusion detection system (IDS) is regarded as an essential security solution for protecting IoMT network. In the past decades, machines learning (ML) algorithms have demonstrated breakthrough results in the field of intrusion detection. Notwithstanding, to our knowledge, there is no work that investigates the power of machines learning algorithms for intrusion detection in IoMT network. This paper aims to fill this gap of knowledge investigating the application of different ML algorithms for intrusion detection in IoMT network. The investigation analysis includes ML algorithms such as K-nearest neighbor, Naïve Bayes, support vector machine, artificial neural network and decision tree. The benchmark dataset, Bot-IoT which is publicly available with comprehensive set of attacks was used to train and test the effectiveness of all ML models considered for investigation. Also, we used comprehensive set of evaluation metrics to compare the power of ML algorithms with regard to their detection accuracy for intrusion in IoMT networks. The outcome of the analysis provides a promising path to identify the best the machine learning approach can be used for building effective IDS that can safeguard IoMT network against malicious activities.

VMFCVD: An Optimized Framework to Combat Volumetric DDoS Attacks using Machine Learning

Despite significant development in distributed denial of service (DDoS) defense systems, the downtime caused by DDoS damages reputation, crushes end-user experience, and leads to considerable revenue loss. Volumetric DDoS attacks are the most common form of DDoS attack and are carried out by an army of infected IoT devices or by reflector servers, which increase attacks at massive scales. In this work, we propose a voting-based multimode framework to combat volumetric DDoS (VMFCVD) attacks. VMFCVD is based on a triad of fast detection mode (FDM), defensive fast detection mode (DFDM), and high accuracy mode (HAM) methods. FDM is designed to classify network traffic when the server is under attack. The highly dimensionally reduced dataset helps FDM accelerate detection speed. During our experiment, the dimension reduction for FDM was more than 97% while maintaining an accuracy of 99.9% in most cases. DFDM is an extended version of FDM that enhances malicious network traffic detection accuracy by tightening the detection technique. HAM focuses on detection accuracy, showing substantial improvement over FDM and DFDM. HAM activates when the server is stable. VMFCVD is extensively experimented on the latest benchmark DDoS and botnet datasets, namely the CICIDS2017 (BoT & DDoS), CSE-CIC-IDS2018 (BoT & DDoS), CICDDoS2019 (DNS, LDAP, SSDP & SYN), DoHBrw2020, NBaIoT2018 (Mirai), UNSW2018 BoTIoT, and UNSW NB15 datasets. The VMFCVD results show that it outperforms recent studies. VMFCVD performs exceptionally well when the server is under DDoS attack.

B. Network traffic analysis through deep learning for detection of an army of bots in health IoT network

Purpose

IoT has a wide range of applications in the health-care sector and has captured the interest of many academic and industrial communities. The health IoT devices suffer from botnet attacks as all the devices are connected to the internet. An army of compromised bots may form to launch a DDoS attack, steal confidential data of patients and disrupt the service, and hence detecting this army of bots is paramount. This study aims to detect botnet attacks in health IoT devices using the deep learning technique.

Design/methodology/approach

This paper focuses on designing a method to protect health IoT devices from botnet attacks by constantly observing communication network traffic and classifying them as benign and malicious flow. The proposed algorithm analyzes the health IoT network traffic through implementing Bidirectional long-short term memory, a deep learning technique. The IoT-23 data set is considered for this research as it includes diverse botnet attack scenarios.

Findings

The performance of the proposed method is evaluated using attack prediction accuracy. It results in the highest accuracy of 84.8%, classifying benign and malicious traffic.

Originality/value

The proposed method constantly monitors the health IoT network to detect botnet attacks and classifies the traffic as benign or attack. The system is implemented using the BiLSTM algorithm and trained using the IoT-23 data set. The diversity of attack scenarios of the IoT-23 data set demonstrates the proposed algorithm's competence in detecting botnet types in a heterogeneous environment.

An Aggregated Mutual Information Based Feature Selection with Machine Learning Methods for Enhancing IoT Botnet Attack Detection

Due to the wide availability and usage of connected devices in Internet of Things (IoT) networks, the number of attacks on these networks is continually increasing. A particularly serious and dangerous type of attack in the IoT environment is the botnet attack, where the attackers can control the IoT systems to generate enormous networks of "bot" devices for generating malicious activities. To detect this type of attack, several Intrusion Detection Systems (IDSs) have been proposed for IoT networks based on machine learning and deep learning methods. As the main characteristics of IoT systems include their limited battery power and processor capacity, maximizing the efficiency of intrusion detection systems for IoT networks is still a research challenge. It is important to provide efficient and effective methods that use lower computational time and have high detection rates. This paper proposes an aggregated mutual information-based feature selection approach with machine learning methods to enhance detection of IoT botnet attacks. In this study, the N-BaIoT benchmark dataset was used to detect botnet attack types using real traffic data gathered from nine commercial IoT devices. The dataset includes binary and multi-class classifications. The feature selection method incorporates Mutual Information (MI) technique, Principal Component Analysis (PCA) and ANOVA f-test at finely-granulated detection level to select the relevant features for improving the performance of IoT Botnet classifiers. In the classification step, several ensemble and individual classifiers were used, including Random Forest (RF), XGBoost (XGB), Gaussian Naïve Bayes (GNB), k-Nearest Neighbor (k-NN), Logistic Regression (LR) and Support Vector Machine (SVM). The experimental results showed the efficiency and effectiveness of the proposed approach, which outperformed other techniques using various evaluation metrics.

Enhanced Network Intrusion Detection System

A reasonably good network intrusion detection system generally requires a high detection rate and a low false alarm rate in order to predict anomalies more accurately. Older datasets cannot capture the schema of a set of modern attacks; therefore, modelling based on these datasets lacked sufficient generalizability. This paper operates on the UNSW-NB15 Dataset, which is currently one of the best representatives of modern attacks and suggests various models. We discuss various models and conclude our discussion with the model that performs the best using various kinds of evaluation metrics. Alongside modelling, a comprehensive data analysis on the features of the dataset itself using our understanding of correlation, variance, and similar factors for a wider picture is done for better modelling. Furthermore, hypothetical ponderings are discussed for potential network intrusion detection systems, including suggestions on prospective modelling and dataset generation as well.

Memory-Efficient Deep Learning for Botnet Attack Detection in IoT Networks

Cyber attackers exploit a network of compromised computing devices, known as a botnet, to attack Internet-of-Things (IoT) networks. Recent research works have recommended the use of Deep Recurrent Neural Network (DRNN) for botnet attack detection in IoT networks. However, for high feature dimensionality in the training data, high network bandwidth and a large memory space will be needed to transmit and store the data, respectively in IoT back-end server or cloud platform for Deep Learning (DL). Furthermore, given highly imbalanced network traffic data, the DRNN model produces low classification performance in minority classes. In this paper, we exploit the joint advantages of Long Short-Term Memory Autoencoder (LAE), Synthetic Minority Oversampling Technique (SMOTE), and DRNN to develop a memory-efficient DL method, named LS-DRNN. The effectiveness of this method is evaluated with the Bot-IoT dataset. Results show that the LAE method reduced the dimensionality of network traffic features in the training set from 37 to 10, and this consequently reduced the memory space required for data storage by 86.49%. SMOTE method helped the LS-DRNN model to achieve high classification performance in minority classes, and the overall detection rate increased by 10.94%. Furthermore, the LS-DRNN model outperformed state-of-the-art models.

SMOTE-DRNN: A Deep Learning Algorithm for Botnet Detection in the Internet-of-Things Networks

Nowadays, hackers take illegal advantage of distributed resources in a network of computing devices (i.e., botnet) to launch cyberattacks against the Internet of Things (IoT). Recently, diverse Machine Learning (ML) and Deep Learning (DL) methods were proposed to detect botnet attacks in IoT networks. However, highly imbalanced network traffic data in the training set often degrade the classification performance of state-of-the-art ML and DL models, especially in classes with relatively few samples. In this paper, we propose an efficient DL-based botnet attack detection algorithm that can handle highly imbalanced network traffic data. Specifically, Synthetic Minority Oversampling Technique (SMOTE) generates additional minority samples to achieve class balance, while Deep Recurrent Neural Network (DRNN) learns hierarchical feature representations from the balanced network traffic data to perform discriminative classification. We develop DRNN and SMOTE-DRNN models with the Bot-IoT dataset, and the simulation results show that high-class imbalance in the training data adversely affects the precision, recall, F1 score, area under the receiver operating characteristic curve (AUC), geometric mean (GM) and Matthews correlation coefficient (MCC) of the DRNN model. On the other hand, the SMOTE-DRNN model achieved better classification performance with 99.50% precision, 99.75% recall, 99.62% F1 score, 99.87% AUC, 99.74% GM and 99.62% MCC. Additionally, the SMOTE-DRNN model outperformed state-of-the-art ML and DL models.

Cyber Ranges and TestBeds for Education, Training, and Research

In recent years, there has been a growing demand for cybersecurity experts, and, according to predictions, this demand will continue to increase. Cyber Ranges can fill this gap by combining hands-on experience with educational courses, and conducting cybersecurity competitions. In this paper, we conduct a systematic survey of ten Cyber Ranges that were developed in the last decade, with a structured interview. The purpose of the interview is to find details about essential components, and especially the tools used to design, create, implement and operate a Cyber Range platform, and to present the findings.