and built.

However, many intrusion detection devices require a significant amount of

computing power and energy [3].

1.1. Motivation and Contributions. New threats regularly arise because IoT devices run in
an embedded and interdependent setting. Furthermore, since IoT devices are always left
unattended, a malicious attacker may gain access to them. Since IoT devices are usually
connected to cellular networks [4], eavesdropping may reach privately held information
from the contact platform. Aside from these security concerns, IoT systems cannot
continue to have sophisticated security measures due to their limited energy and
processing capacity. To secure IoT applications from cyber-attacks, another line of
defense should be installed into IoT networks. AI-based systems have recently gained
credibility in a common framework for detecting network attacks, such as IoT networks.
IoT sensors and network traffic should be logged and analyzed to learn standard
patterns. When a person's behavior deviates from the ordinary, this is a sign of irregular
behavior. These methods have also been checked to predict emerging risks, developing a
set of IoT interfaces and network security protocols.

The main contributions of this research are detailed as follows:

(a) A deep-learning based approach with current databases is employed to categorize the
attacks

(b) A safeguard is introduced for the IoT network's reputation and ensures that it is only
available to approved users

(c) A basis for incorporating IDS into an IoT-based system as an application is proposed.

2. Related Work
IoT networks face additional security challenges than conventional computer systems
due to a variety of reasons. Firstly, IoT systems are incredibly complex in processors,
platforms, communication methods, and protocols. Secondly, to bind physical objects,
IoT systems comprised of Internet-connected modules and control devices are used.
Thirdly, there are no well-established limits of IoT schemes, which often shift due to the
versatility of users and computers. Fourthly, they will be physically endangered by IoT
structures or a part of them. Fifthly, limited resources make it impossible to incorporate
advanced security techniques and applications on IoT computers. Finally, because of the
exponential expansion of IoT-based computers, those networks could be vulnerable to
attacks on privacy and protection [5 ,6 ].

Several tools and applications have been created to mitigate network attacks by detecting
inconsistencies in the IoT environment using machine-learning and deep-learning
techniques. Several state-of-the-art strategies for classifying these anomalies using
machine learning techniques in the IoT infrastructure have been reported in the
literature. Nonetheless, deep learning methods have been used for the same reason by a
few. Deep learning methods have proved to be the best state of the art for pattern
matching, and they can detect any input in an IoT system as true or false. Signaturebased
techniques, specification-based methods, anomalybased tactics, and mixed strategies are
the four main types of ID attacks [1].

Signature-based methods start by looking for correlations between a set of network data
and a function database. If the scanned data suits the signature record, the data would be
considered illegal. It is helpful to determine the type of attack precisely. It is a low-labor-
intensive project with little demand. They encourage machine managers to define rules
and thresholds in advance. The same rules will be followed. IDS detects the current
system and network status. The IDS will detect an abnormal state and react
appropriately once the threshold is exceeded or the rules are violated [6].

Anomaly-based methods aim to figure out which phenomena are abnormal and which
are not. The main advantage of using this method is to detect potentially new intrusions.
However, its one disadvantage is prone to false positives. Machine learning algorithms
are currently being studied in anomaly-based intrusion detection methods to improve
their advantages. Machine learning algorithms can monitor active activity and equate it
to known intrusion footprints to identify potential attacks using anomaly-based
intrusion detection techniques. In a hybrid approach, multiple recognition techniques
are used in the same scheme. This solution would eliminate the current limitations of a
single mechanism and increase the overall stability of the IoT method. The wholly
developed IDS, on the other hand, would be extremely large and complicated. The
technique will become more complex as a result, and more capital will be required. In
addition, intrusion detection can be time and expense-consuming due to the many
protocols involved [7]. Vigneswaran et al. [8] developed an anomalybased IDS that
functions in traditional networks and trains and tests the model using the KDDCup99
dataset. The proposed solution has an accuracy of 95 % and should be adopted.
However, they use the KDDCup99 dataset, which lacks homogeneous data and few
specific records, making reliable findings challenging to come by.

Ajaeiya et al. [9] advocated for anomaly-based IDS that only uses network functionality.
The R-tree algorithm outperforms the other machine learning models with a 99.5
percent true positive rate and a 0.001 percent false-positive rate. Their results showed
how effective mathematical algorithms like Random Forest could be. Their dataset, on
the other hand, is not a test that raises questions about its validity. Abubakar et al. [10]
proposed an SDN-compatible identification tool. They had a signature-based ID and an
anomaly-based ID that were trained and tested on the NSLKDD dataset. The detection
precision is higher than 97.4 %. Intrusions observed solely by anomaly detection, on the
other hand, cannot be distinguished from those detected by signature detection.

Tang and Kapitnov et al. [11] suggested a protocol for connected networks that uses
blockchain technologies to facilitate peer-to-peer communication. The protocol ensures
the communication mechanism's protection and manages
variability in working states. Currently, researchers are looking at turning blockchain
into a multiagent system.

Li et al. [12] suggested an enhanced method for extracting IoT data features to detect IDS
for smart cities using deep migration learning. They have said that their plan would
compensate for the lack of an appropriate training set. They also claimed that their
approach yielded higher detection rates at high performance than conventional
approaches and significantly reduced clustering time.

Arshad et al. [3] suggested a new intrusion prevention scheme for IoT systems with
limited resources. As a result, intrusion protection is disabled for IoT devices and the
edge router. To browse network packets, IoT devices are used as IDS nodes. It can only
receive raw packets from the host router node, which contain confidential data. For
genuine time-destroying behavior in domestic IoT gadgets, Anthi et al. [7] proposed
three-layer IDS architecture. The protection layers in this architecture define intrusion
for IoT systems based on their normal or irregular behavior.
2.1. Threats in IoT. IoT signifies a heterogeneous environment of sensing devices
connecting over the Internet [13]. The threads associated with IoT differ from the
conventional networks because it has limited computational power and memory.
Furthermore, IoT devices utilize insecure wireless communication media, that is,
802.15.4, LoRa, ZigBee, and 802.11ac. Moreover, IoT devices lack standard operating
systems, different formats, and application-specific functionality, due to which standard
security protocol is difficult to develop [14]. All these shortcomings cause various types
of security and privacy threats.

In addition, the communicating Io T devices are mostly multivendor, demanding a

reliable tool to act as a bridge [15]. Various research works have highlighted the issue of
software updates to billions of IoT devices [16]. Therefore, the detection of threats and
challenges associated with IoTbased systems is significant during the design and
implementation of the security measures for IoT machines. Internet Engineering Task
Force (IETF) has recognized various IoT threats [17], such as man-in-the-middle
(MiTM) attack, Denial of Service (DoS) attack, replacement of firmware with malicious
code, privacy threats, and eavesdropping attacks.

The basic ideas of security and privacy rotate about the Availability of the network,
Confidentiality, and Integrity of data. Any unauthorized access of data may cause a
breach of availability, confidentiality, or integrity. Thus, privacy threat is a concern with
the privacy of the data, while security threads influence the integrity of the data and
availability of the network. Figure 1 illustrates different privacy and security threats
associated with IoT devices.

2.2. Security Threats

2.2.1. Denial of Service (DoS). DoS is a common and basic implementation of security
threats that could be utilized against an IoT device. DoS attack is a preferred tool for
intruders due to the low-security features in many IoT devices. DoS attack happens when
the attackers take control

Figure 1: Privacy and security of IoT threats.

to make a device unavailable. The main aim of a DoS attack is to down the network by
sending illegal requests. The advanced type of the DOS is referred to as Distributed DoS
(DDoS), where several attacks are involved in a single target [18]. Different kinds of
DDoS attacks are used, but all of them have the same objective. The most common of
attack's type is a Botnet attack in an IoT network [19].

2.2.2. Man-in-the-Middle (MiTM). These attack approaches are considered old enough
in the cyber world [20]. Sybil attacks, message tamper, and spoofing can be classified as
MiTM attacks. IP spoofing, DNS spoofing, ARP Spoofing, and HTTPS spoofing are the
common attacks of spoofing.

2.2.3. Malware. Malicious software is also known as malware. It exists either in the
trojan horse, worm, spyware, virus, malvertising, or rootkit [21]. A few examples that are
suffered from malware are healthcare devices, vehicular sensors, and smart home
products.

2.3. Privacy Threats. The users and their data are comprised in the IoT devices are
inference attacks, sniffing, and deanonymization.
2.3.1. Man-in-the-Middle (MiTM). As we know, there are two types of MITM attacks, one
is active and the other is passive. The passive MiTM attacks silently listen to the transfer
of data among two devices. This attack does not change the data but violates privacy
only. After accessing a device, an intruder can watch silently for a couple of days before
attempting the attack. The increasing numbers of IoT devices such as smartphones, toys,
and wristwatches produce a high impact of passive MiTM attack sniffing and
eavesdropping. Similarly, active MiTM attacks are included in harming the data. For
example, a client will communicate with the server, possibly connecting with the MiTM
attacker, who is personating to be the server, as illustrated in Figure 2.

2.3.2. Data Privacy. It is concerned with data leakage [22], identity theft, data tampering,
and reidentification [23]. Data tempering is used to alter the data and it can be
categorized

FIgURE 2: Example of MiTM attack.

as an active attack of data privacy. Similarly, data leakage and reidentification are an
example of passive attacks of data privacy.

To summarize, an IoT-based system is not fully secure because it facilitates the users to
access their data without any trouble. But on the other side, it provides an insecure
atmosphere for the attackers to access any network segment. Various ways of the threats
are depicted in Figure 3, through which IoT-based systems may compromise. Thus, users
should be aware of all these security weaknesses to protect themselves from cyber
threats. Various methods are employed to reduce cyber threats. Most recently, AI-based
system has been used to classify network traffic on a large setup.

3. Materials and Methods

Various machine learning algorithms, including deep learning models, are utilized to
find network attacks. In the proposed system, the first data balancing is performed
through the Minority Oversampling Technique (SMOTE) method [24] to avoid
overfitting. Then, random forest, voting classifier (ensemble of logistic regression,
random forest, and Gaussian Naive Bayes), artificial neural network (ANN), and 1D CNN
(convolutional neural network) are applied to find the normal and abnormal traffic in
IoT environments. Figure 4 demonstrates the proposed IDS for the IoT network.

3.1. ToN-IoT Telemetry Dataset. In this work, we used a dataset known as the ToN-IoT
Telemetry dataset [25], which can be retrieved at the ToN-IoT repository [26]. This
dataset was gathered from various sources through Telemetry of IoT devices plus logs of
operating systems and network traffic of IoT-based systems.

The ToN-IoT datasets were categorized with a label of normal or attack for binary
classification. They also included a type of subclasses: DDoS, backdoor, injection,
normal, password cracking, ransomware, and Cross-site Scripting (XSS). In the
Train_Test_datasets folder [26], the total number of seven datasets were evaluated for
IoT devices, including Weather, Thermostat, GPS Tracker, Fridge, Garage Door,
Modbus, and Motion Light. The distribution of attacks for each dataset is presented in
Figure 5. A brief description of these cyber-attacks is provided in Table 1.
3.2. Data Balancing. The Synthetic Minority Oversampling Technique (SMOTE) method
[24] is usually employed for

Figure 3: Dimensions of IoT threats.

Figure 4: Overview of the proposed model.

data balancing. The main idea of SMOTE is to create new minority cases by
incorporating various minority cases that remain together. Initially, the k-nearest
neighbors of all minority cases are identified. Then, minority cases are initiated on the
positions among the minority cases and their k nearest neighbors till the database is
balanced. Thus, the problem of overfitting is avoided.

3.3. Classification. The proposed model is evaluated through various machine learning
algorithms and deep learning models: random forest, voting classifier, ANN, and 1D
CNN. The following parameters are used during the training of classifiers, as presented
in Table 2.

3.4. Evaluation Criteria. The main purpose of this model is to classify the normal and
abnormal attacks based on the following outcomes, as illustrated in Table 3.

The following formulae are evaluated based on TP, TN, FP and FN as reported in Table
4. Also, confusion matrix is evaluated to demonstrate how much data is correctly and
wrongly classified.

4. Results and Comparisons

The experiments are carried out using machine learning and a deep learning model on
the ToN-IoT datasets. Metrics used to evaluate the performance are accuracy, precision,
recall, and F-score [31]. The highest result achieved through different classifiers for each
dataset is presented in Table 5. For example, the result shows that the voting classifier
has achieved the highest accuracy of 99.7 % for the Thermostat, GPS Tracker, Garage
Door, and Modbus dataset. Furthermore, these results are presented in the form of a
confusion matrix, as illustrated in Table 6.

The accuracy obtained through the employed classifier against each dataset is presented
in Table 7 . The random