IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 19, NO.
1, JANUARY 2023
An Intelligent Two-Layer Intrusion Detection
System for the Internet of Things
Mohammed M. Alani , Senior Member, IEEE, and Ali Ismail Awad , Senior Member, IEEE
Abstract—The Internet of Things (IoT) has become an
enabler paradigm for different applications, such as health-
care, education, agriculture, smart homes, and recently,
enterprise systems. Significant advances in IoT networks
have been hindered by security vulnerabilities and threats,
which, if not addressed, can negatively impact the deploy-
ment and operation of IoT-enabled systems. This article
addresses IoT security and presents an intelligent two-
layer intrusion detection system for IoT. The system’s in-
telligence is driven by machine learning techniques for in-
trusion detection, with the two-layer architecture handling
flow-based and packet-based features. By selecting sig-
nificant features, the time overhead is minimized without
affecting detection accuracy. The uniqueness and novelty
of the proposed system emerge from combining machine
learning and selection modules for flow-based and packet-
based features. The proposed intrusion detection works at
the network layer, and hence, it is device and application
transparent. In our experiments, the proposed system had
an accuracy of 99.15% for packet-based features with a
testing time of 0.357 µs. The flow-based classifier had an
accuracy of 99.66% with a testing time of 0.410 µs. A com-
parison demonstrated that the proposed system outper-
formed other methods described in the literature. Thus, it
is an accurate and lightweight tool for detecting intrusions
in IoT systems.
Index Terms—Efficiency, flow-based features, Internet of
Things (IoT), intrusion detection, machine learning, packet-
based features.
I. INTRODUCTION
HE Internet of Things (IoT) has evolved to become an
T enabler for various applications, including healthcare, au-
tonomous driving, education, agriculture, military, smart homes,
and recently, enterprise systems. An IoT network is beneficial
Manuscript received 10 April 2022; revised 15 June 2022; accepted
30 June 2022. Date of publication 18 July 2022; date of current version
8 November 2022. Paper no. TII-22-1533. (Corresponding author: Ali
Ismail Awad.)
Mohammed M. Alani is with the School of IT Administration and
Security,Seneca College of Applied Arts and Technology, Toronto, M2J
2X5, Canada, and also with Toronto Metropolitan University, Toronto,
ON M5B 2H3, Canada (e-mail: [email protected]).
Ali Ismail Awad is with the College of Information Technology, United
Arab Emirates University, Al Ain 17551, UAE, with the Department of
Computer Science, Electrical and Space Engineering, Luleå University
of Technology, 971 87 Luleå, Sweden, also with the Electrical Engi-
neering Department, Faculty of Engineering, Al-Azhar University, Qena
83513, Egypt, and also with the Centre for Security, Communications
and Network Research, University of Plymouth, PL4 8AA Plymouth, U.K.
(e-mail: [email protected]; [email protected]).
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TII.2022.3192035.
Digital Object Identifier 10.1109/TII.2022.3192035
1551-3203 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
683
because it can facilitate people’s interactions with real-world ap-
plications. The development of IoT systems goes hand-in-hand
with advances in technologies such as sensing, actuating, cloud
computing, and big data analytics and visualization [1].
An enterprise Internet of Things (E-IoT) is an anticipated
extension of the IoT model. An E-IoT comprises the same IoT
components and facilitates the engagement of IoT devices (e.g.,
sensors and actuators) to automate enterprise operations, such as
business processes. An E-IoT can enhance decision-making and
improve an enterprise’s efficiency by collecting, aggregating,
analyzing, and visualizing heterogeneous data from different
sensors [2].
The development of the IoT has turned it into a mandatory
enabler for many applications. However, the different compo-
nents and layers of an IoT network are vulnerable to various
security threats [3] that could affect whatever application the
IoT is used for [4], [5]. Therefore, security is a key concern
for any real-world smart environment based on the IoT model.
Different approaches have been adopted to address these security
threats [6]–[9].
Limitations in the computing capabilities and storage of IoT
devices have made it difficult to deploy standard encryption tech-
niques and common intrusion detection systems (IDSs). There-
fore, customized intrusion detection as a second line of defense
has become imperative for IoT systems. Intrusion detection
classifies traffic and applications as benign or malicious [10].
Therefore, a machine learning classifier is the right tool for
building an accurate IDS [11], [12]. According to the survey
described in [4], a few IDSs have been specifically designed and
customized for the IoT.
This study addresses the lack of an efficient IDS that is fully
customized for the IoT and presents an intelligent two-layer IDS
based on machine learning. The central idea of the proposed
system is that it combines flow-based and packet-based features
to achieve high detection accuracy. Furthermore, only the most
influential features are used, which hence, reduces the detection
time and the processing load for the detection process.
As discussed in Section II, previous research on intrusion de-
tection in IoT environments has focused on either flow-based or
packet-based features. Limiting the detection process to packet-
or flow-specific features reduces the performance in detecting
various types of attacks. Malicious actors utilize different attack
techniques. These may rely on individual malicious packets,
such as in port scanning, or on a group of malicious packets that
can be compiled into a network flow, such as man-in-the-middle
attacks. In this research, we address this gap by devising a
684
two-layer system that detects an attack through both packet and
network flow features.
A. Research Contributions
Our research into the proposed IDS makes the following
contributions.
1) This research presents a novel two-layer IoT IDS based on
machine learning that handles traffic at both packet level
and flow level. To the best of our knowledge, the proposed
two-layer architecture handling two types of features is
novel and unique.
2) The proposed IDS relies on a reduced number of fea-
tures, which helps to make the system more efficient
and realizable. The feature selection technique used not
only reduces the dimensionality of the data going into the
classifier but also reduces the number of features that the
system needs to collect in the data acquisition phase of
deployment.
3) The selected classifiers achieve very high accuracy, low
false positive rate (FPR), low false negative rate (FNR),
and reduced detection time in comparison to other ap-
proaches.
Compared to other systems described in the literature, the
proposed IDS for IoT applications is unique and efficient due
to its use of both packet-based and flow-based features and its
two-layer architecture and because it selects the most influential
features. Furthermore, the proposed system works mainly at the
network layer. Hence, it is application transparent and conse-
quently, can be used as a valuable security measure for E-IoT
applications.
B. Paper Layout
The rest of this article is organized as follows. The introduc-
tion is presented in Section I. Section II presents previous works
relevant to this study. The information introduced in that sec-
tion is later utilized in the comparative analysis of the proposed
system and other systems. The architecture and components of
the proposed IDS are described in Section III. The dataset used,
including the flow-based and packet-based features, is discussed
in Section IV. The experiments and the results are presented
in Section V. Section VI is a discussion of the results and the
research limitations. Finally, Section VII concludes this article,
along with suggestions for future research.
II. RELATED WORK
Intrusion detection has been the subject of a considerable
amount of published research. Particular attention has been
given to the deployment of different machine learning models to
achieve high detection accuracy. However, intrusion detection
for the IoT is still a challenge due to the data heterogeneity,
limited device capabilities, and the huge number of possible
applications. Therefore, an IDS for the IoT has to be a complete
system [13]. Artificial intelligence, such as machine learning,
has been used as a powerful tool to solve IoT security issues due
to its ability to cope with data heterogeneity and velocity.
Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 19, NO. 1, JANUARY 2023
Pajouh et al. [14] presented a two-layer dimension reduction
and two-tier classification model for anomaly-based intrusion
detection in IoT backbone networks. Linear discriminant anal-
ysis (LDA) and principal component analysis (PCA) were used
for feature reduction. The system uses a naive Bayes classifier
to classify traffic, and then the normal traffic is passed through
a certainty-factor k-nearest neighbor (CF-KNN) classifier as an
additional check. The accuracy achieved was 84.86% with an
FPR of 4.86% measured using the NSL-KDD dataset. However,
the detection time was not reported.
Li et al. [15] proposed a two-stage IDS based on the Bat
algorithm (BAT) and artificial intelligence for software-defined
IoT networks. It is flow-based and can capture network flows
to detect attacks. The system was evaluated with the KDD Cup
1999 dataset and achieved a detection accuracy of 96.42% with
an FPR of 0.98%. The time overhead proportionally increased
with the number of flows, and reached almost 4.5 s for 5 × 104
flows.
In [16], the authors proposed an intrusion detection frame-
work with a dense random neural network (DnRaNN) for the
IoT. It had a detection accuracy of 99.14% and 99.05% for binary
class and multi-class classification, respectively. However, the
time overhead and the complexity of the proposed framework
were not measured.
Kamaldeep et al. [17] developed an IDS for the IoT cross-
layer called IoT-Sentry. The system achieved an accuracy of
99.46%, evaluated on a non-standard dataset, compared to its
competitors. IoT-Sentry uses only packet-based features and
guards against only a limited number of attacks. No details were
given of the time overhead.
Recently, in 2022, Saba et al. [18] proposed the deployment
of deep learning via a convolutional neural network (CNN)
for anomaly-based detection. This IDS can efficiently examine
all the traffic flowing across an IoT system. The model was
evaluated using the NID and BoT-IoT [19] datasets, attaining
accuracies of 99.51% and 92.85%, respectively. The study did
not consider feature optimization, and the detection time was
not reported.
As demonstrated by this literature review, intrusion detection
is an outstanding problem that is highly relevant to the current
IoT and cybersecurity research communities. Based on a careful
analysis of the relevant literature, we concluded that realizing
a balance of superior detection accuracy and reduced detection
time with a simple and implementable machine learning model
was still a valid challenge, and this motivated the current study.
Table IX briefly compares the performance of the IDSs described
in the literature review with the proposed system.
III. OVERVIEW OF THE PROPOSED SYSTEM
The aim of the proposed system is to provide additional
protection by utilizing two different machine learning classifiers:
1) one classifier operates with packet-extracted features; 2) the
other operates with flow-extracted features. Fig. 1 is an overview
of the proposed system.
As shown in Fig. 1, the system operation is divided into two
phases: 1) development; 2) deployment. During the development
ALANI AND AWAD: INTELLIGENT TWO-LAYER INTRUSION DETECTION SYSTEM FOR THE INTERNET OF THINGS
Fig. 1. Overview of the proposed IDS for the IoT. The bold blocks have been implemented in this study, while the green blocks are the core
modules of the proposed system.
phase, flow and packet features are separately extracted from the
original raw traffic data. Both feature datasets are preprocessed,
specifically to address the observations made while individually
examining them (Section IV). Then, a pipeline of classifiers is
trained using each dataset independently. Once the best classifier
has been identified for each dataset, it is deployed in the next
phase.
In the deployment phase, all incoming and outgoing packets at
a designated interface are captured. The raw traffic is then passed
to two units. The first unit extracts the significant packet-level
features. These are passed to the packet classifier, which assesses
whether each packet is malicious or benign. The other unit
collects each packet as part of a flow. When the flow is complete
or the flow collection timer has expired, the flow information
is passed to a flow-level feature extraction unit. From the flow
features, the flow classifier decides whether a flow is malicious
or benign. If a malicious packet or flow is detected, the system
signals a detection alert. This alert can be used to block the
source of the attack immediately.
Most of the previous works explored in Section II utilize
flow-based detection, which is commonly described in the lit-
erature [20], [21]. The proposed system utilizes both packet-
and flow-based features to improve the overall accuracy of
detection. Some attacks, specifically reconnaissance attacks,
such as port scanning and OS detection, do not use a complete
communication session. For example, port scanning attacks send
only one packet per port during the scanning process. This
makes it difficult to identify them based on flow features, as
Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
685
the whole flow is just one packet. In similar attacks where flow
information is scarce, packet-level detection achieves higher
accuracy for a much faster detection time. These attacks are
especially important to prevent because they constitute the first
step of higher-risk attacks, such as botnets and remote code
execution.
Another design choice we made was to use classification
algorithms that do not use neural networks or deep learning.
Neural networks are resource-intensive in comparison to other
machine learning classifiers [22]. All blocks with thicker borders
in Fig. 1 have been implemented.
IV. DATASET
As the proposed system requires data in both packet-based
and flow-based formats, we selected the dataset “IoT network
intrusion dataset” presented in [23]. This dataset was created by
capturing raw network packets from actual IoT devices, includ-
ing actual attack traffic. The dataset consists of 42 packet capture
(pcap) files that include benign and attack packets. The types
of attack captured in the dataset are denial-of-service (DoS)
SYN-flooding, man-in-the-middle address resolution protocol
(ARP) spoofing, host scanning, port scanning, and Mirai botnet
attacks (host brute force, user datagram protocol (UDP) flood-
ing, hyper-text transfer protocol (HTTP) flooding, and ACK
flooding).
The dataset has 2 985 994 packets (1 229 718 malicious and
1 756 276 benign). Upon examination, we noticed that 949 284
of the packets were for the Mirai UDP flooding attack, so that
686
Algorithm 1: Packet-Based Dataset Preprocessing.
Input: Packet-based dataset (1 731 858 instances and 21
features)
Output: Balanced dataset with no missing data (1 259 982
instance and 21 features)
Array ← RawDataset
In (Array) label-encode icmp and arp features
In (Array) convert ip.f lags and tcp.f lags to decimal
In (Array) assign −1 to mutually exclusive features
Array ←
RandomU nderSampling_M ajorityClass(Array)
Dataset ← Array
attack type was seriously imbalanced. Hence, we decided to omit
two of the pcap files that hold Mirai UDP flooding attacks. This
left a final raw dataset with a total of 2 151 852 packets (419 994
malicious and 1 731 858 benign).
To fulfill the goals of this research, two datasets were needed
to train the two layers of the proposed system: 1) packet-based
dataset; 2) flow-based dataset. The packet-based dataset would
include features extracted at the packet level, which are to be
used for training and testing the packet layer. On the other hand,
the flow-level dataset would include flow-based features, which
are to be used in training and testing the flow layer. The following
sections discuss the extraction and preprocessing of these two
datasets.
A. Packet-Based Dataset
Features for all packets in the 40 pcap files selected were
extracted with the tshark tool [24]. The proposed system used 27
features based on the description document for the raw dataset.
After extraction, all host-specific features were removed, such as
the source and destination IP and media access control (MAC)
addresses. This was to ensure that the trained model can gener-
alize beyond its training dataset. A few empty features were also
removed. The resulting dataset comprises 2 151 852 instances,
each of which represents 21 features extracted from one packet.
As the research goal is to detect any type of attack, without
distinguishing the specific types, we chose to label the instances
only as “malicious” or “benign.” We did not use the specific
attack type as a label.
Upon examining the resulting dataset, we noted the following
observations.
1) The features “icmp” and “arp” are in text format.
2) The features “ip.flags” and “tcp.flags” are hexadecimal.
3) Some features have mutually exclusive values. Specif-
ically, all transmission control protocol (TCP)-related
features, such as “tcp.flags,” “tcp.checksum.status,” and
“tcp.len,” are missing in instances extracted from UDP
packets, and vice versa.
4) There is a noticeable imbalance between the malicious
class and the benign class, with 1 731 858 benign and
419 994 malicious instances.
To address the observations listed above, we developed the
preprocessing steps shown in Algorithm 1. The first step is to
Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 19, NO. 1, JANUARY 2023
Algorithm 2: Flow-Based Dataset Preprocessing.
Input: Flow-based dataset (1 731 858 instances and 20
features)
Output: Balanced dataset with no absent data (1 259 982
instances and 14 features)
Array ← RawDataset
Array ← Remove_HostSpecif icF eatures(Array)
In (Array) label-encode
proto, service, conn_state, history features
Array ←
RandomOverSampling_M inorityClass(Array)
Dataset ← Array
perform label encoding on icmp and arp features. If a packet
is an Internet control messaging protocol (ICMP) packet, the
value of the icmp feature is set to 1, otherwise it is set to 0.
If the packet is an ARP packet, the value of the arp feature is
set to 1, otherwise it is set to 0. The second step is to convert
the ip.flags and tcp.flags features from hexadecimal to decimal.
For the mutually exclusive features, we set absent values to
−1. We chose −1 over 0 because 0 is a valid value for these
features. Hence, all UDP features will have a value of −1 for
each instance of a TCP packet. Similarly, all TCP features will
have a value of −1 for instances of UDP packets. The last step
reduces the imbalance between the two classes by randomly
undersampling benign packets, so that the final dataset contains
66.66% benign and 33.33% malicious instances. It comprises
1 259 982 instances (839 988 benign and 419 994 malicious),
and all values are populated.
B. Flow-Based Dataset
The same 40 pcap files that were used to build the packet-
based dataset were used for the flow-based dataset. Altogether,
20 flow features were extracted for all packets with the Zeek
tool [25], and these were stored in the conn.log file. As for
the packets, to ensure that the trained model can generalize
beyond its training dataset, all host-specific features were re-
moved, such as the source and destination IP addresses and flow
timestamps. Two empty features (local_orig and local_resp)
were also removed. The resulting dataset comprises 198 064
instances. Each instance represents 14 features extracted from
one network flow. As with the packets, we labeled the instances
as either “malicious” or “benign.”
Again, the resulting dataset was examined, and the following
observations were noted.
1) The features “proto,” “service,” “conn_state,” and “his-
tory” are in text format.
2) The number of benign instances was 86 719, while there
were 111 345 malicious instances.
To address the observations listed above, we developed the
preprocessing steps shown in Algorithm 2. The first step of pre-
processing is to remove host-specific features. The second step
performs label encoding on the proto, service, conn_state, and
history features. The final step reduces the imbalance between
the two classes by randomly oversampling benign packets, so
ALANI AND AWAD: INTELLIGENT TWO-LAYER INTRUSION DETECTION SYSTEM FOR THE INTERNET OF THINGS
TABLE I
HARDWARE AND SOFTWARE FOR THE IMPLEMENTATION ENVIRONMENT
that the final dataset has 50% benign and 50% malicious in-
stances. It comprises 222 690 instances (111 345 benign and
111 345 malicious) and 14 features. All values are populated.
V. EXPERIMENTS AND RESULTS
Table I lists the hardware and software specifications of the
experimental environment.
A. Experimental Design
The experiments were implemented as follows.
1) After preprocessing both the packet-based and flow-based
datasets, we split each dataset randomly, with 66.66% as
a training subset and 33.33% as a testing subset.
2) We created a pipeline of five different classifiers for
each dataset to be trained using the training subset. The
five classifiers chosen were: 1) random forest (RF); 2)
Gaussian naive Bayes (GNB); 3) xgradient boost (XGB);
4) logistic regression (LR); 5) decision tree (DT). The
purpose of building this pipeline was to find the classifica-
tion algorithm that would provide the best performance in
comparison to the others. The pipeline was run separately
for the packet features and the flow features datasets.
3) The two pipelines of classifiers were trained, one with
the packet-based training subset and the other with the
flow-based training subset. Testing was done with the
corresponding testing subsets.
4) The best classifier in each pipeline was used to measure
feature importance based on recursive feature elimina-
tion (RFE). Algorithm 3 shows the RFE steps imple-
mented to reduce the number of features and improve
efficiency [26]. Feature importance can be measured as
the average decrease in impurity computed from all DTs
in the forest, without assuming that the data are linearly
separable [27]. This algorithm was chosen over other
dimensionality reduction algorithms for two reasons: a)
dimensionality reduction algorithms of a statistical na-
ture, such as PCA and LDA, are computationally in-
tensive, not only at the development stage but also at
the deployment stage, because these algorithms require
intensive preprocessing to produce the final features to
be fed into the classifier; b) RFE not only reduces the
number of features fed into the classifier (without any
additional preprocessing) but also reduces the number of
features to be captured at the data acquisition stage. This
helps in improving the overall efficiency.
Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
687
5) The two pipelines of classifiers were retrained and
retested using the feature-reduced datasets, with a similar
66.66% and 33.33% training/testing random split. The
purpose of this stage was to measure the impact of feature
selection on the performance of the classifiers.
6) To ensure that the classifiers trained using the feature-
reduced dataset can generalize well beyond their training
dataset, we implemented ten-fold cross-validation. The
data were randomly split into ten subsets or folds. The
data then went through ten cycles of training followed
by testing. In each cycle, one of the ten subsets was
excluded from training and used instead for testing. Dur-
ing the ten cycles, each of the ten subsets was used
once for testing. Each cycle produced a classifier with
specific performance parameters. If these parameters have
a high variance, then the classifier suffers from overfitting
and cannot properly generalize within the dataset. If the
process produces a low variance, then the performance
parameters are reliable.
B. Packet-Based Classifier Results
The five classifiers were trained using 66.66% of the packet-
based dataset, as explained in Section V-A. Table II shows the
results of testing using the remaining 33.33% of the packet-based
dataset. XGB performed slightly better than the other classifiers,
with an accuracy of 0.9937, an F1 score of 0.9930, and a training
time of 14.41 s. Hence, it was the one we chose for the RFE
algorithm. Since the F1 score falls with less than nine features,
as shown in Fig. 2(a), to prevent the performance from dropping
significantly, we decided to use nine features. The selected
features are listed in Table III.
The next step was to test the nine-feature packet-based dataset
to ensure that its performance was comparable to that of the
full-feature dataset. Table IV shows that the performance metrics
of XGB, RF, LR, and DT were not significantly affected, while
the performance of GNB was noticeably worse.
Fig. 3 compares the performance metrics for the 21- and nine-
feature datasets. For the XGB and RF classifiers, performance
did not degrade with fewer features, as both accuracy and F1
688 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 19, NO. 1, JANUARY 2023

TABLE II
INITIAL RESULTS OF PACKET-BASED CLASSIFIER TESTING

Fig. 2. F1 score plotted against the number of features. (a) Number of packet-based features. (b) Number of flow-based features.

Fig. 3. Comparison of accuracy and F1 score for the classifiers with 21- and nine-feature packet-based datasets.

TABLE III classifiers when applied to the nine-feature packet-based dataset.

FEATURES USED FROM PACKET-BASED AND FLOW-BASED DATASETS
As the table shows, the performance of XGB, RF, and DT are
consistent with the previously obtained results. In addition, all
the classifiers had a low standard deviation. This proves that the
classifiers can generalize well beyond their training dataset.

C. Flow-Based Classifier Results

score remained above 99%. Furthermore, Fig. 4 shows that the
training and testing times witnessed a noticeable improvement
compared to the 21-feature dataset.
For the ten-fold cross-validation, Table V shows the means
and standard deviations of the accuracy and F1 score for the five
The selected five classifiers were trained using 66.66% of
the flow-based dataset, as explained in Section V-A. Table VI
shows the results of testing using the remaining 33.33% of the
dataset. RF performed slightly better than the other classifiers,
with an accuracy of 0.9973, an F1 score of 0.9974, and a training
time of 7.88 s. Therefore, we chose it for the RFE algorithm to
select a low number of features to improve the efficiency of

Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
ALANI AND AWAD: INTELLIGENT TWO-LAYER INTRUSION DETECTION SYSTEM FOR THE INTERNET OF THINGS 689

TABLE IV
RESULTS OF NINE-FEATURE PACKET-BASED CLASSIFIER TESTING

Fig. 4. Time overhead measured for training and testing processes for 21- and nine-feature packet-based datasets. (a) Training times. (b) Testing
times.

TABLE V
RESULTS OF TEN-FOLD CROSS-VALIDATION OF THE NINE-FEATURE PACKET-BASED DATASET

TABLE VI
INITIAL RESULTS OF FLOW-BASED CLASSIFIER TESTING

TABLE VII
RESULTS OF FIVE-FEATURE FLOW-BASED CLASSIFIER TESTING

the system. Since the F1 score falls with less than five features,
as shown in Fig. 2(b), to prevent the performance from drop-
ping significantly, we decided to use five features, as listed in
Table III.
We then tested the five-feature flow-based dataset to ensure
that its performance was comparable to that of the full-feature
dataset. Table VII shows that the performance metrics of XGB,
RF, and DT were not significantly affected, while the perfor-
mance of LR and GNB was noticeably better.
Fig. 5 compares the performance metrics for the 14- and five-
feature datasets. For the XGB and RF classifiers, performance
did not degrade with fewer features, as the accuracy and F1

Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
690 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 19, NO. 1, JANUARY 2023

Fig. 5. Comparison of accuracy and F1 score for the classifiers with 14- and five-feature flow-based datasets.

Fig. 6. Time overhead measured for training and testing processes for 14- and five-feature flow-based datasets. (a) Training times.
(b) Testing times.

TABLE VIII
RESULTS OF TEN-FOLD CROSS-VALIDATION OF THE FIVE-FEATURE FLOW-BASED DATASET

score remained above 99%. Furthermore, Fig. 6 indicates that the
training and testing times were significantly shorter compared
to the 14-feature dataset.
For the ten-fold cross-validation, Table VIII shows the mean
and standard deviation of the accuracy and F1 score for the five
classifiers when applied to the five-feature flow-based dataset.
As shown in the table, the performance of XGB, RF, and DT
is consistent with the results previously obtained. In addition,
all the classifiers had a low standard deviation. This proves that
these classifiers can generalize well beyond the training dataset.
D. Classifier Selection
From the results of the classifier pipeline for the nine-feature
packet-based dataset (Table IV) and the five-feature flow-based
dataset (Table VII), notice that the difference in accuracy and F1
score between RF and XGB is minimal. However, as one of our
research goals is to produce an efficient system, we consequently
used XGB, as it has the best combination of high accuracy and
low testing time.
For this classifier, the measured FPR was 0.96% for the
packet-based classifier (Table IX), whereas the FNR was
0.61%. The flow-based classifier had a lower FPR of 0.26%
and a lower FNR of 0.40%. These low rates indicate that, in
comparison to previous approaches, both classifiers performed
very well with a low number of features extracted from captured
traffic.
Figs. 7 and 8 show the confusion matrix plots for the
XGB classifier using nine-feature packet-based dataset and
five-feature flow-based dataset, respectively.

Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
ALANI AND AWAD: INTELLIGENT TWO-LAYER INTRUSION DETECTION SYSTEM FOR THE INTERNET OF THINGS
TABLE IX
COMPARISON OF THE PROPOSED SYSTEM WITH STATE-OF-THE-ART APPROACHES
Fig. 7. Confusion matrix for XGB classifier using the packet-based
nine features.
Fig. 8. Confusion matrix for XGB classifier using the flow-based five
features.
VI. DISCUSSION AND COMPARATIVE ANALYSIS
Many research studies have tried addressing intrusion detec-
tion in IoT devices. These studies, as we explained in Section II,
have mostly focused on high accuracy while ignoring barriers
to deployment in real-world applications. This study presents a
novel two-layer solution that is designed to harvest the benefits of
packet- and flow-level features. Using only the features selected
by RFE produced a noticeable reduction in training time. The
advantage of using RFE over other dimensionality reduction
solutions is that fewer features need to be captured and extracted
in the data acquisition phase of a real-time deployment. This
Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.
691
improves efficiency and reduces processing overhead, which are
important for the resource-constrained environment of the IoT.
Table IX compares the performance metrics for our proposed
system with those for related approaches. The table confirms that
our proposed system outperforms related approaches in terms
of accuracy and testing time. In addition, our proposed system
delivers a noticeable reduction in the FPR and FNR. At the
packet level, the FPR was 0.96%, and the FNR was 0.61%,
whereas at the flow-level, the FPR was only 0.26% and the FNR
only 0.40%.
As Section II suggests, most previous works rely on flow-
based features to detect intrusion. That works well if the attacker
exchanges a reasonable amount of information with the target.
However, other types of attack, such as port scanning, ping
sweep, and OS fingerprinting, are better detected using packet-
based features. This is because the attacker targets different
ports using different packets, which makes it impossible to
follow a network flow. Hence, the combination of flow-based and
packet-based features used in our system ensures that different
types of attacks can be detected.
Another advantage of our proposed system over other sys-
tems is that it utilizes XGB as a classification algorithm. This
algorithm requires noticeably less intensive processing in com-
parison to other deep learning algorithms [22]. XGB was chosen
not only for its high performance but also due to the processing
limitations of the deployment environment.
VII. CONCLUSION
In this article, we presented a novel two-layer IoT IDS based
on machine learning. The proposed system examines features
extracted from packets as well as from network flows. Combin-
ing these two defenses provides the maximum possible protec-
tion. In testing, the proposed system had a very high accuracy
of 99.15% at the packet level and 99.66% at the flow level.
This high accuracy was combined with noticeable efficiency
improvements, namely, detection times of 0.357 µs at the packet
level and 0.410 µs at the flow level. For the packet-based
classifier, the FPR was only 0.96% and the FNR was 0.61%.
For the flow-based classifier, the FPR was only 0.26%, while the
FNR was 0.40%. These metrics show that the proposed system
outperforms previous approaches. Our future work will focus
on the decentralized implementation of the proposed two-layer
system in the edge to offload some of the processing from IoT
devices.
692 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 19, NO. 1, JANUARY 2023

REFERENCES [19] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull, “Towards

the development of realistic botnet dataset in the Internet of Things for
[1] B. Ali and A. I. Awad, “Cyber and physical security vulnerability as- network forensic analytics: BoT-IoT dataset,” Future Gener. Comput. Syst.,
sessment for IoT-based smart homes,” Sensors, vol. 18, no. 3, 2018, vol. 100, pp. 779–796, 2019. [Online]. Available: https://doi.org/10.1016/
Art. no. 817. [Online]. Available: https://doi.org/10.3390/s18030817 j.future.2019.05.041
[2] S. Ahmad and D. Kim, “A multi-device multi-tasks management and [20] A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller,
orchestration architecture for the design of enterprise IoT applications,” “An overview of IP flow-based intrusion detection,” IEEE Commun. Surv.
Future Gener. Comput. Syst., vol. 106, pp. 482–500, 2020. [Online]. Tut., vol. 12, no. 3, pp. 343–356, Jul.–Sep. 2010. [Online]. Available: https:
Available: https://doi.org/10.1016/j.future.2019.11.030 //doi.org/10.1109/SURV.2010.032210.00054
[3] M. Mamdouh, A. I. Awad, A. A. Khalaf, and H. F. Hamed, “Authentication [21] A. F. AlEroud and G. Karabatis, “Queryable semantics to detect cyber-
and identity management of IoHT devices: Achievements, challenges, attacks: A flow-based detection approach,” IEEE Trans. Syst., Man, Cy-
and future directions,” Comput. Secur., vol. 111, 2021, Art. no. 102491. bern. Syst., vol. 48, no. 2, pp. 207–223, Feb. 2018. [Online]. Available:
[Online]. Available: https://doi.org/10.1016/j.cose.2021.102491 https://doi.org/10.1109/TSMC.2016.2600405
[4] M. F. Elrawy, A. I. Awad, and H. F. Hamed, “Intrusion detection systems for [22] A. Géron, Hands-On Machine Learning With Scikit-Learn, Keras, and
IoT-based smart environments: A survey,” J. Cloud Comput., vol. 7, no. 1, TensorFlow: Concepts, Tools, and Techniques to Build Intelligent Systems.
pp. 1–20, 2018. [Online]. Available: https://doi.org/10.1186/s13677-018- Sebastopol, CA, USA: O’Reilly Media, Inc., 2019.
0123-6 [23] H. Kang, D. H. Ahn, G. M. Lee, J. D. Yoo, K. H. Park, and H. K. Kim, “IoT
[5] A. I. Awad and J. Abawajy, Security and Privacy in the Internet of Things: network intrusion dataset,” 2019. [Online]. Available: https://doi.org/10.
Architectures, Techniques, and Applications, 1st ed. Hoboken, NJ, USA: 21227/q70p-q449
Wiley, 2021. [24] tshark(1). Mar. 2022, Accessed: Mar. 9, 2022. [Online]. Available: https:
[6] M. Hassaballah, M. A. Hameed, A. I. Awad, and K. Muhammad, “A novel //www.wireshark.org/docs/man-pages/tshark.html
image steganography method for industrial Internet of Things security,” [25] The zeek network security monitor. Mar. 2022, Accessed: Mar. 30, 2022.
IEEE Trans. Ind. Informat., vol. 17, no. 11, pp. 7743–7751, Nov. 2021. [Online]. Available: https://zeek.org
[Online]. Available: https://doi.org/10.1109/TII.2021.3053595 [26] M. M. Alani, “Implementation-oriented feature selection in UNSW-NB15
[7] Q.-D. Ngo, H.-T. Nguyen, V.-H. Le, and D.-H. Nguyen, “A survey of IoT intrusion detection dataset,” in Proc. Int. Conf. Intell. Syst. Des. Appl.,
malware and detection methods based on static features,” ICT Exp., vol. 6, 2022, pp. 548–558.
no. 4, pp. 280–286, 2020. [Online]. Available: https://doi.org/10.1016/j. [27] S. Raschka, Y. Liu, and V. Mirjalili, Mach. Learn. With PyTorch and Scikit-
icte.2020.04.005 Learn. Birmingham, U.K.: Packt Publishing, 2022.
[8] M. M. Alani, “Detection of reconnaissance attacks on IoT devices using
deep neural networks,” in Advances in Nature-Inspired Cyber Security
and Resilience, S. K. Shandilya, N. Wagner, V. Gupta, and A. K. Na- Mohammed M. Alani (Senior Member, IEEE)
gar, Eds., Cham, Switzerland:Springer International Publishing, 2022, received the Ph.D. in computer engineering
pp. 9–27. from College of Engineering, Nahrain Universi-
[9] A. A. Cook, G. Mısırlı, and Z. Fan, “Anomaly detection for IoT ety, Iraq, in 2007, with a specialization in net-
time-series data: A survey,” IEEE Internet Things J., vol. 7, no. 7, work security.
pp. 6481–6494, Jul. 2020. [Online]. Available: https://doi.org/10.1109/ He was a Professor and a Cybersecurity Ex-
JIOT.2019.2958185 pert in many countries around the world. His
[10] N. Lu, D. Li, W. Shi, P. Vijayakumar, F. Piccialli, and V. Chang, “An experience includes serving as VP of Academic
efficient combined deep neural network based malware detection frame- Affairs in the United Arab Emirates, network
work in 5G environment,” Comput. Netw., vol. 189, 2021, Art. no. 107932. and security consultancies in the Middle East,
[Online]. Available: https://doi.org/10.1016/j.comnet.2021.107932 and Cybersecurity Program Manager in Toronto
[11] P. Illy, G. Kaddoum, K. Kaur, and S. Garg, “ML-based IDPS enhance- Canada. He is currently a Cybersecurity Professor with Seneca College,
ment with complementary features for home IoT networks,” IEEE Trans. Toronto, ON, Canada, and a Research Fellow with Ryerson University,
Netw. Service Manag., vol. 19, no. 2, pp. 772–783, Jun. 2022. [Online]. Toronto. He has authored or coauthored four books in different areas
Available: https://doi.org/10.1109/TNSM.2022.3141942 of networking and cybersecurity along with many research papers pub-
[12] M. M. Alani and A. I. Awad, “AdStop: Efficient flow-based mobile lished in highly ranked journals and conferences. His current research
adware detection using machine learning,” Comput. Secur., vol. 117, 2022, interests include applications of ML in cybersecurity and ML security.
Art. no. 102718. [Online]. Available: https://doi.org/10.1016/j.cose.2022. Dr. Alani is a Senior Member of the Association for Computing
102718 Machinery (ACM).
[13] E. Benkhelifa, T. Welsh, and W. Hamouda, “A critical review of practices
and challenges in intrusion detection systems for IoT: Toward univer-
Ali Ismail Awad (Senior Member, IEEE) re-
sal and resilient systems,” IEEE Commun. Surv. Tut., vol. 20, no. 4,
ceived the Ph.D. degree in computer science
pp. 3496–3509, Oct.–Dec. 2018. [Online]. Available: https://doi.org/10.
from Kyushu University, Fukuoka, Japan, in
1109/COMST.2018.2844742
2012. He is currently an Associate Profes-
[14] H. H. Pajouh, R. Javidan, R. Khayami, A. Dehghantanha, and K.-K. R.
sor with the College of Information Technology
Choo, “A two-layer dimension reduction and two-tier classification model
(CIT), United Arab Emirates University (UAEU),
for anomaly-based intrusion detection in IoT backbone networks,” IEEE
Al Ain, United Arab Emirates. He is also an As-
Trans. Emerg. Topics Comput., vol. 7, no. 2, pp. 314–323, Apr.–Jun. 2019.
sociate Professor (Docent) with the Department
[Online]. Available: https://doi.org/10.1109/TETC.2016.2633228
of Computer Science, Electrical and Space
[15] J. Li, Z. Zhao, R. Li, and H. Zhang, “AI-based two-stage intrusion detection
Engineering, Luleå University of Technology,
for software defined IoT networks,” IEEE Internet Things J., vol. 6, no. 2,
Luleå, Sweden, where he also served as a co-
pp. 2093–2102, Apr. 2019. [Online]. Available: https://doi.org/10.1109/
ordinator of the Master Program in Information Security from 2017 to
JIOT.2018.2883344
2020. He is an Associate Professor with the Electrical Engineering
[16] S. Latif et al., “Intrusion detection framework for the Internet of Things
Department, Faculty of Engineering, Al-Azhar University at Qena, Qena,
using a dense random neural network,” IEEE Trans. Ind. Informat., vol. 18,
Egypt. He is also a Visiting Researcher with the University of Plymouth,
no. 9, pp. 6435–6444, Sep. 2022. [Online]. Available: https://doi.org/10.
Plymouth, U.K.
1109/TII.2021.3130248
He has edited or coedited eight books and authored or coauthored
[17] Kamaldeep, M. Malik, M. Dutta, and J. Granjal, “IoT-Sentry: A cross-
several journal articles and conference papers in these areas. His
layer-based intrusion detection system in standardized Internet of Things,”
research interests include cybersecurity, network security, Internet of
IEEE Sensors J., vol. 21, no. 24, pp. 28066–28076, Dec. 2021. [Online].
Things security, and image analysis with biometrics and medical imag-
Available: https://doi.org/10.1109/JSEN.2021.3124886
ing applications.
[18] T. Saba, A. Rehman, T. Sadad, H. Kolivand, and S. A. Bahaj, “Anomaly-
Dr. Awad is an Editorial Board Member of the Future Generation Com-
based intrusion detection system for IoT networks through deep learning
puter Systems Journal, Computers and Security Journal, the Internet
model,” Comput. Elect. Eng., vol. 99, 2022, Art. no. 107810. [Online].
of Things, Engineering Cyber Physical Human Systems Journal, and
Available: https://doi.org/10.1016/j.compeleceng.2022.107810
Health Information Science and Systems Journal.

Authorized licensed use limited to: UNIVERSITY TEKNOLOGI MALAYSIA. Downloaded on February 13,2023 at 02:58:30 UTC from IEEE Xplore. Restrictions apply.