
Two-Layer Intrusion Detection System For Security in Internet of Things-2

Uploaded by anuvaish84

Copyright © All Rights Reserved

Intelligent Two-Layer Intrusion Detection System for Internet of Things Security

Abstract

• The Internet of Things (IoT) has become an enabler paradigm for different applications, such as healthcare, education,
agriculture, smart homes, and recently, enterprise systems. Significant advances in IoT networks have been hindered by security
vulnerabilities and threats, which, if not addressed, can negatively impact the deployment and operation of IoT-enabled systems.

• This article addresses IoT security and presents an intelligent two-layer intrusion detection system for IoT. The system's
intelligence is driven by machine learning techniques for intrusion detection, with the two-layer architecture handling flow-based
and packet-based features.

• By selecting significant features, the time overhead is minimized without affecting detection accuracy. The uniqueness and
novelty of the proposed system emerge from combining machine learning and selection modules for flow-based and packet-based
features. The proposed intrusion detection works at the network layer, and hence, it is device and application transparent.

• In our experiments, the proposed system had an accuracy of 99.15% for packet-based features with a testing time of 0.357 μs.
The flow-based classifier had an accuracy of 99.66% with a testing time of 0.410 μs. A comparison demonstrated that the
proposed system outperformed other methods described in the literature. Thus, it is an accurate and lightweight tool for
detecting intrusions in IoT systems.
Introduction

• The Internet of Things (IoT) has evolved to become an enabler for various applications, including
healthcare, autonomous driving, education, agriculture, military, smart homes, and recently,
enterprise systems.

• An IoT network is beneficial because it can facilitate people’s interactions with real-world
applications.

• The development of IoT systems goes hand-in-hand with advances in technologies such as
sensing, actuating, cloud computing, and big data analytics and visualization.

• However, the different components and layers of an IoT network are vulnerable to various
security threats that could affect whatever application the IoT is used for.
Introduction…

• Therefore, security is a key concern for any real-world smart environment based on the
IoT model.

• Different approaches have been adopted to address these security threats.

• Limitations in the computing capabilities and storage of IoT devices have made it difficult
to deploy standard encryption techniques and common intrusion detection systems
(IDSs).

• Therefore, customized intrusion detection as a second line of defense has become
imperative for IoT systems.
Base Paper:-

M. M. Alani and A. I. Awad, "An Intelligent Two-Layer Intrusion Detection System for the
Internet of Things," in IEEE Transactions on Industrial Informatics, vol. 19, no. 1,
pp. 683-692, Jan. 2023, doi: 10.1109/TII.2022.3192035.

Objective:- The objective of this system is to develop a more accurate, efficient, and
scalable intrusion detection system for IoT networks.
Methodology:- This article addresses IoT security and presents an intelligent two-layer
intrusion detection system for IoT. The system's intelligence is driven by machine learning
techniques for intrusion detection, with the two-layer architecture handling flow-based and
packet-based features. By selecting significant features, the time overhead is minimized
without affecting detection accuracy.

Advantages:- It is more accurate in detecting malicious traffic. It is more scalable to large
networks.

Disadvantage:- It is more complex to implement than existing intrusion detection systems.
It requires more training data to train the classification layer.
Literature Review

M. B. Gorzałczany and F. Rudziński, "Intrusion Detection in Internet of Things With MQTT
Protocol—An Accurate and Interpretable Genetic-Fuzzy Rule-Based Solution," in IEEE
Internet of Things Journal, vol. 9, no. 24, pp. 24843-24855, 15 Dec. 2022, doi:
10.1109/JIOT.2022.3194837.
Objective:- The objective of the proposed system is to develop an accurate and
interpretable intrusion detection system for IoT networks that use the MQTT protocol.
Methodology:- The genetic-fuzzy rule-based intrusion detection system for IoT with the
MQTT protocol extracts features from the MQTT protocol, such as the topic name, payload,
and QoS level. It uses a genetic algorithm to evolve a set of fuzzy rules, and these fuzzy
rules are then used to classify the network traffic as normal or malicious.

Advantages:- It is more interpretable, meaning that the fuzzy rules can be easily understood
by humans.

Disadvantage:- It requires more training data to train the genetic algorithm.


Literature Review Contd…

J. Wu, Y. Wang, H. Dai, C. Xu and K. B. Kent, "Adaptive Bi-Recommendation and
Self-Improving Network for Heterogeneous Domain Adaptation-Assisted IoT Intrusion
Detection," in IEEE Internet of Things Journal, vol. 10, no. 15, pp. 13205-13220,
1 Aug. 2023, doi: 10.1109/JIOT.2023.3262458.
Objective:- To develop an adaptive recommendation system for IoT intrusion detection,
create a self-improving network for IoT intrusion detection, address the challenges of
detecting intrusions in heterogeneous IoT domains, and enhance the overall effectiveness of
IoT intrusion detection.
Methodology:- This paper focuses on detecting intrusions and security threats within IoT
networks. This involves applying an intrusion detection algorithm such as Adaptive
Bi-Recommendation. It is a self-improving network and follows heterogeneous domain
adaptation.

Advantages:- The adaptive and self-improving nature of the proposed system leads to more
effective intrusion detection.

Disadvantage:- There are ethical concerns regarding transparency, accountability, and
potential biases in the recommendation and decision-making processes.
Literature Review Contd…

M. Eskandari, Z. H. Janjua, M. Vecchio and F. Antonelli, "Passban IDS: An Intelligent
Anomaly-Based Intrusion Detection System for IoT Edge Devices," in IEEE Internet of
Things Journal, vol. 7, no. 8, pp. 6882-6897, Aug. 2020, doi: 10.1109/JIOT.2020.2970501.

Objective:- The objective of Passban IDS is to detect malicious traffic on IoT edge devices
in a timely and efficient manner.
Methodology:- Passban IDS is an intelligent anomaly-based intrusion detection system for
IoT edge devices. It consists of two main components. Feature extraction: Passban IDS
extracts a set of features from the network traffic data, such as the packet size, the packet
arrival rate, and the flow duration. Anomaly detection: Passban IDS uses a machine learning
algorithm to detect anomalies in the network traffic data. The machine learning algorithm is
trained on a dataset of normal and malicious network traffic.

Advantages:- It is more efficient in terms of computational resources.

Disadvantage:- Passban IDS is still under development, and work on improving its
performance and scalability is ongoing.
Literature Review Contd…

M. Fouda, R. Ksantini and W. Elmedany, "A Novel Intrusion Detection System for Internet
of Healthcare Things Based on Deep Subclasses Dispersion Information," in IEEE Internet
of Things Journal, vol. 10, no. 10, pp. 8395-8407, 15 May 2023, doi:
10.1109/JIOT.2022.3230694.

Objective:- The objective of the proposed system is to develop a more accurate, efficient,
and scalable intrusion detection system for IoHT networks.

Methodology:- The proposed novel intrusion detection system for the Internet of
Healthcare Things (IoHT), based on deep subclasses dispersion information, extracts features
from the IoHT network traffic data, such as the packet size, the packet arrival rate, and the
flow duration. It uses a deep clustering algorithm to generate subclasses from the normal
IoHT network traffic data, extracts deep subclasses dispersion information from the normal
and malicious IoHT network traffic data, and uses a one-class support vector machine (OSVM)
classifier to classify the IoHT network traffic as normal or malicious based on the deep
subclasses dispersion information.

Advantages:- It is more accurate, robust, and scalable than existing intrusion detection
systems.

Disadvantage:- Handling sensitive healthcare data poses significant privacy and security
concerns.
EXISTING SYSTEM

• The Internet of Things (IoT) and its applications are becoming ubiquitous in our life. However, the open deployment environment and
the limited resources of IoT devices make them vulnerable to cyber threats.

• In this paper, we investigate intrusion detection techniques to mitigate attacks that exploit IoT security vulnerabilities.

• We propose a machine learning-based two-layer hierarchical intrusion detection mechanism that can effectively detect intrusions in IoT
networks while satisfying the IoT resource constraints. Specifically, the proposed model effectively utilizes the resources in the fog
layer of the IoT network by efficiently deploying multi-layered feedforward neural networks in the fog-cloud infrastructure for
detecting network attacks.

• With a fog layer in the picture, analysis is dynamically distributed across the fog and cloud layers, thus enabling real-time analytics of
traffic data closer to IoT devices and end-users. We have performed extensive experiments using two publicly available datasets to test
the proposed approach.
Disadvantages

• A disadvantage of a dimension reduction model and classifier for anomaly-based intrusion
detection in the Internet of Things is that it may not be effective in detecting novel or
previously unknown attacks.

• Since the model is trained on a set of known attacks, it may not be able to identify new and
emerging types of attacks.

• If the training data is insufficient or biased, the model may not be able to accurately classify
intrusions.

• Finally, the dimension reduction process may lead to a loss of information, which could
impact the accuracy of the model.
Problem Statement

• Traditional power systems are very complex, and their analysis and control primarily
depend on physical modeling and numerical calculations.

• The current power system uses old infrastructure, which adds more uncertainties to the
modern smart grid systems.

• Because the communication network builds on power systems, very large volumes of data
with high variability must be handled; this is still a challenge of smart grids.
Objectives

• To detect network attacks and natural connections.

• To avoid cyber attacks on the smart grid.

• To monitor or measure processes and communicate data back to operation centers.

• To share data among devices and systems.

• To process, analyze, and help operators access and apply the data coming from digital
technologies throughout the grid.
Problem Statement…

• Although numerous data-driven methods have been proposed to deal with the problems
of smart grids, there are still many severe challenges.

• The main issue in the development of a smart grid is not located at the physical support
but mainly in ensuring security, which has become a major concern for the cyber security
research community.
Proposed System

• In this paper, a network attack detection model of smart grid based on XGBoost is proposed.

• It maps the information attack identification problem in the smart grid to a multi-class classification
problem.

• In the attack dataset, missing values are first filled in using the average filling method in the pre-processing
stage; the data is then oversampled with the k-means-SMOTE algorithm to obtain a balanced data set,
which reduces the false-positive rate of the model's identification of information attacks.

• In order to reduce the complexity of the model and shorten its training time, the maximum
correlation-minimum redundant feature selection method is used to reduce the original feature set.

• Finally, an XGBoost integrated classifier is constructed to identify the information attacks and alert the
authorities via IoT.
Advantages

• An advantage of an intelligent two-layer intrusion detection system for Internet of Things
security is that it can provide a high level of security by detecting both known and unknown threats.

• The system can use a combination of signature-based detection, which identifies known threats based on
predefined patterns, and anomaly-based detection, which identifies abnormal network behavior that
may be indicative of a new or unknown attack.

• Another advantage is that the two-layer approach can help to reduce false positives and false negatives by combining the strengths of both
detection methods.
Requirement Analysis

• Tool Used - Jupyter Notebook:


• The Jupyter Notebook is an original web application for creating and sharing computational
documents.

• Jupyter Notebook is used for providing an environment wherein you can run your code, look at the
outcome, visualize the data, and can analyze the result without leaving the environment.

• Language Used - Python Programming:


• Python is a high-level, general-purpose programming language.

• Its design philosophy emphasizes code readability with the use of significant indentation.

• It supports multiple programming paradigms, including structured, object-oriented and functional
programming.
Architecture

[Figure: architecture block diagram. Blocks: Dataset, Train Data, Test Data, Normalization, Pre-processing, Model Training, Model Testing, Evaluation, Attack Detection, Alerting. Outputs: Natural, Attacked.]
Design Phase

Dataset
Pre-processing
Normalization
Training
Testing
Project Design
Dataset

• The proposed system has two layers, and each layer has its own capability.

• In order to facilitate this purpose, two groups of data are created based on the original NSL-KDD training data during the data preparation process.

• The first group contains all instances and classes, while the second group has only R2L, U2R, and Normal instances.
Preprocessing

• To perform data analysis on training data, data pre-processing is first implemented by assigning numerical label tags
from [Normal, DoS, Probe, R2L, U2R] to [0, 1, 2, 3, 4] respectively.

• Then, one-hot encoding is performed on the categorical features.

• One-hot encoding is a powerful tool for preserving predictive information when converting a categorical feature to numerical features.

• However, it assumes no relationship between the values in the category.


Normalization Stage

• In order to help the proposed framework converge and achieve its objectives, we scaled the data into the
range [0,1] using the Min-Max transformation,

• where Max denotes the maximum value and Min denotes the minimum value from the original set for each value xi of the feature j.
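
The dataset grouping, label tagging, one-hot encoding and Min-Max steps above, as an added example in plain Python (not code from the slides or the base paper). The records are constructed samples using NSL-KDD feature names, and the scaling uses the standard form (x - Min) / (Max - Min); the example goes one step further than the slides by learning Min, Max and the category list from the training group only and clipping test values that fall outside that range.

```python
# Added example: data preparation for the two-layer detector, standard library only.
# Rows are constructed samples in NSL-KDD style, not real NSL-KDD records.

LABELS = {"Normal": 0, "DoS": 1, "Probe": 2, "R2L": 3, "U2R": 4}
LAYER2_CLASSES = {"Normal", "R2L", "U2R"}

# (duration, protocol_type, src_bytes, class) -- constructed values
TRAIN = [
    (0, "tcp", 181, "Normal"),
    (0, "icmp", 1032, "DoS"),
    (2, "tcp", 0, "Probe"),
    (12, "tcp", 2599, "R2L"),
    (98, "udp", 621, "U2R"),
]
# Test row with a protocol and a duration never seen during training.
TEST = [(150, "sctp", 90, "Normal")]


def split_groups(rows):
    """Group 1: all instances and classes; group 2: only R2L, U2R and Normal."""
    return list(rows), [r for r in rows if r[3] in LAYER2_CLASSES]


class Preprocessor:
    """One-hot categories and Min/Max are learned from training rows only."""

    def fit(self, rows):
        self.protocols = sorted({r[1] for r in rows})
        numeric = [(r[0], r[2]) for r in rows]
        self.mins = [min(col) for col in zip(*numeric)]
        self.maxs = [max(col) for col in zip(*numeric)]
        return self

    def _scale(self, x, j):
        span = self.maxs[j] - self.mins[j]
        if span == 0:                    # constant feature: avoid division by zero
            return 0.0
        v = (x - self.mins[j]) / span
        return min(1.0, max(0.0, v))     # clip test values outside the training range

    def transform(self, rows):
        X, y = [], []
        for duration, proto, src_bytes, cls in rows:
            # An unseen category encodes as all zeros instead of raising.
            onehot = [1.0 if proto == p else 0.0 for p in self.protocols]
            X.append([self._scale(duration, 0), self._scale(src_bytes, 1)] + onehot)
            y.append(LABELS[cls])
        return X, y


group1, group2 = split_groups(TRAIN)
prep = Preprocessor().fit(group1)
X_train, y_train = prep.transform(group1)
X_test, y_test = prep.transform(TEST)
```

Clipping keeps the classifier input inside [0,1], but it also hides out-of-range traffic, so a deployment would normally count or log clipped and unseen values as a signal in their own right.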
Training, Testing Stages

• For training the proposed attack detection system, the XG Boost algorithm is used.

• In order to test the proposed XG Boost model, we process each row of the test dataset by training the XG Boost using truncated backpropagation.

• Then, the result rows are classified as natural or attack.


UML Diagram
IntrusionDetectionSystem
-dataProcessor: DataProcessor
-modelTrainer: XGBoostModelTrainer
-dataAnalyzer: DataAnalyzer
-alertNotifier: AlertNotifier

DataProcessor
-preprocessData()
-oversampleData()
-fillMissingValues()

XGBoostModelTrainer
-trainModel()
-featureSelection()
DataAnalyzer
-performAnalysis()
-oneHotEncoding()
-normalizeData()

AlertNotifier
-notifyAuthorities()
Result
Conclusion

• As the traditional electric grid system transitions to a smart grid system, the conventional power system methods present
limitations in processing and analyzing the massive amounts of data that are now the norm with a smart grid.

• Thus, AI techniques are being developed and applied to many applications in smart grid systems with promising results.

• In this project, a novel deep learning energy exchange framework for smart grids is proposed.

• This framework includes a deep learning-based scheme using the XG Boost algorithm.

• Performance evaluations using the Smart Grid dataset demonstrated the efficiency of the proposed framework.
References

1) M. M. Alani and A. I. Awad, "An Intelligent Two-Layer Intrusion Detection System for the Internet of
Things," in IEEE Transactions on Industrial Informatics, vol. 19, no. 1, pp. 683-692, Jan. 2023, doi:
10.1109/TII.2022.3192035.

2) M. B. Gorzałczany and F. Rudziński, "Intrusion Detection in Internet of Things With MQTT Protocol—An
Accurate and Interpretable Genetic-Fuzzy Rule-Based Solution," in IEEE Internet of Things Journal, vol. 9,
no. 24, pp. 24843-24855, 15 Dec. 2022, doi: 10.1109/JIOT.2022.3194837.

3) J. Wu, Y. Wang, H. Dai, C. Xu and K. B. Kent, "Adaptive Bi-Recommendation and Self-Improving Network
for Heterogeneous Domain Adaptation-Assisted IoT Intrusion Detection," in IEEE Internet of Things Journal,
vol. 10, no. 15, pp. 13205-13220, 1 Aug. 2023, doi: 10.1109/JIOT.2023.3262458.
References…

4) M. Eskandari, Z. H. Janjua, M. Vecchio and F. Antonelli, "Passban IDS: An Intelligent
Anomaly-Based Intrusion Detection System for IoT Edge Devices," in IEEE Internet of
Things Journal, vol. 7, no. 8, pp. 6882-6897, Aug. 2020, doi:
10.1109/JIOT.2020.2970501.

5) M. Fouda, R. Ksantini and W. Elmedany, "A Novel Intrusion Detection System for
Internet of Healthcare Things Based on Deep Subclasses Dispersion Information," in
IEEE Internet of Things Journal, vol. 10, no. 10, pp. 8395-8407, 15 May 2023, doi:
10.1109/JIOT.2022.3230694.
Thank You…
