Presentation 1

Presentation on IoT network

Uploaded by

Bello Mada

A background study on security in IoT network.

Presented by
AHMAD, Bello
20210310014

Internet of Things (IoT)
• IoT has provided great visibility, control, and opportunities in almost every field of life.

• Securing these devices is becoming very challenging as the industry develops and grows.

• This is largely due to:

• The heterogeneity of IoT architecture,
• The different types of accessed devices,
• Multiple approaches of communication, and
• The enormous volume of data being transmitted throughout the network.

IoT network security
• Despite the availability of traditional security with encryption, authentication, access control, data confidentiality and data privacy, IoT networks have still been subject to network attacks, necessitating a second line of defence.

• Limited computational and storage resources in IoT systems put constraints on installing traditional security software.

• Thus, security solutions that can provide real-time attack detection and mitigation are in demand to protect IoT network infrastructure.

• Intrusion detection systems are introduced to detect different attacks and enhance network security, privacy, and confidentiality (Morteza Behniafar, Alireza Nowroozi, 2020).

INTRUSION DETECTION SYSTEM (IDS)

• An intrusion detection system is typically either a software application or a hardware device that monitors incoming and outgoing network traffic for signs of malicious activity or violations of security policies (Maniriho et al., 2020).

• It consists of:
• Sensors
• Analysis system
• Reporting system

• IDSs have gained significant consideration as one of the best security mechanisms for safeguarding cyber infrastructure against various cyber-attacks in the last decades.

IDS (Cont.)
How does an IDS work

• An IDS monitors the traffic on a computer network to detect any suspicious activity.

• It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.

• The IDS compares the network activity to a set of predefined rules and patterns to identify any
activity that might indicate an attack or intrusion.

• If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.

• The system administrator can then investigate the alert and take action to prevent any damage or
further intrusion.
IDS (Cont.)

[Figure: Network-based intrusion detection system (NIDS)]

Classification of IDS
• Based on intrusive behaviors, intrusion detection is classified into:
• Network-based intrusion detection system (NIDS)
• Host-based intrusion detection system (HIDS)
• Protocol-based Intrusion Detection System (PIDS)
• Application Protocol-based Intrusion Detection System (APIDS)
• Hybrid Intrusion Detection System

• NIDS: A network IDS monitors a complete protected network. The NIDS monitors all traffic flowing to and from devices on the network, making determinations based on packet contents and metadata.

• HIDS: A host-based IDS monitors the computer infrastructure on which it is installed. In other words, it is deployed on a specific endpoint to protect it against internal and external threats.

Classification of IDS (Cont.)
• Protocol-based Intrusion Detection System (PIDS): A protocol-based intrusion detection system is usually installed on a web server. It monitors and analyzes the protocol between a user/device and the server. A PIDS normally sits at the front end of a server and monitors the behavior and state of the protocol.

• Application Protocol-based Intrusion Detection System (APIDS): An APIDS is a system or agent that usually resides on the server side. It tracks and interprets communication on application-specific protocols. For example, it would monitor the SQL protocol to the middleware while transacting with the web server.

• Hybrid Intrusion Detection System: A hybrid intrusion detection system combines two or more intrusion detection approaches. In this system, system or host agent data is combined with network information for a comprehensive view of the system (Thamilarasu & Chawla, 2019).

IDS based on detection techniques
There are two main intrusion detection techniques used to detect attacks in a network:
• Signature-based (misuse-based or knowledge-based)

• Anomaly-based (behavior-based) approaches.

Signature-based techniques depend on existing threat knowledge to classify traffic as benign or malicious. The problems with this approach are that:
• The signature database must be continuously updated, which is time-consuming.

• It is computationally expensive.

• It cannot detect zero-day or unknown attacks because of its reliance on previously known attack signatures (Mahmoud, 2020b).

IDS based on detection techniques (Cont.)
• Anomaly-based detection is a preferred approach because it looks at benign traffic patterns and generates an alarm or blocks the traffic whenever an abnormal traffic pattern is detected.

• One of the benefits of using anomaly-based systems is that they are good at detecting zero-day and unknown attacks, but they may generate high false-positive results (Maniriho et al., 2020).

• Anomaly-based IDSs are one of the primary focuses of researchers because of their strong detection capabilities for large-scale attacks such as DoS, DDoS, U2R, R2L, etc.
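
The contrast between the two techniques, as an added example that is not part of the original presentation: the same four flows are checked against a signature database and against a learned packet-rate baseline. All traffic, signature names and patterns, and the threshold `k` are constructed for illustration.

```python
import statistics

# Signature database: byte patterns of already-known attacks (names and patterns constructed).
SIGNATURES = {"known-exploit-A": b"KNOWN-BAD-PATTERN-A",
              "known-scanner-B": b"SCANNER-B/1.0"}

# Packets/s observed from one sensor during normal operation (constructed baseline).
NORMAL_RATES = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]

# Constructed traffic: (description, packets/s, payload, truly_malicious)
FLOWS = [
    ("routine status poll",        14,  b"GET /status",             False),
    ("known exploit, normal rate", 13,  b"cmd=KNOWN-BAD-PATTERN-A", True),
    ("never-seen flood",           900, b"\x00" * 16,               True),
    ("benign firmware download",   40,  b"GET /firmware.bin",       False),
]

def signature_match(payload):
    """Signature-based: alert only if a known pattern is present."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

def learn_baseline(rates):
    """Anomaly-based: learn what normal looks like (mean and standard deviation)."""
    return statistics.mean(rates), statistics.stdev(rates)

def is_anomalous(rate, baseline, k=3.0):
    """Alert when the rate is more than k standard deviations from the baseline mean."""
    mean, std = baseline
    return abs(rate - mean) > k * std

def run_ids(flows):
    """Apply both techniques to every flow and keep the ground truth beside the verdicts."""
    baseline = learn_baseline(NORMAL_RATES)
    return {desc: {"signature": bool(signature_match(payload)),
                   "anomaly": is_anomalous(rate, baseline),
                   "malicious": bad}
            for desc, rate, payload, bad in flows}

if __name__ == "__main__":
    for desc, verdict in run_ids(FLOWS).items():
        print(f"{desc:28} {verdict}")
```

The never-seen flood is caught only by the baseline, the known exploit sent at a normal rate is caught only by the signature, and the benign firmware download is a false positive of the anomaly detector.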

Design of Anomaly-based IDS
• Anomaly-based intrusion detection systems based on machine learning approaches (Thamilarasu & Chawla, 2019) have evolved over the last decade. The detection process starts with selecting features from the network data and classifying them based on user-defined conditions or learning procedures.

• To design an effective network intrusion detection system (NIDS), machine learning and deep learning can provide great value by building and training models that learn from network traffic patterns and provide solutions to attacks.

• Instead of searching for known threats, an anomaly-based detection system utilizes machine learning to train the detection system to recognize a normalized baseline.

Anomaly-based IDS Model

• In order to positively identify attack traffic, the system must be taught to recognize normal
system activity.

• Free datasets used in offline mode are needed (since it is difficult to test proposals on real networks, and datasets are a good solution for benchmarking), e.g. KDD99, NSL-KDD, UNSW-NB15, CSE-CIC-IDS2018, IoTID20, etc.

• Network sniffers are used to collect the network traffic data that will be stored in the dataset. Free open-source network sniffers that capture network traffic data include Tcpdump, Wireshark, Ettercap, Argus, etc.

Anomaly-based IDS Model
Selection of Dataset

Pre-processing of Dataset

Feature Selection

Training the Model

Testing the Model

An anomaly-based detection Framework
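
The five framework stages carried through on a small scale, as an added example that is not part of the original presentation. The labelled flows are constructed (not taken from KDD99, NSL-KDD or any other dataset), and the centroid-distance model, function names and `margin` value are assumptions chosen to keep the example dependency-free.

```python
import math
import statistics as st

# Stage 1, dataset: constructed labelled flows. Features: packets/s, mean packet size,
# distinct destination ports, TTL. Label: 0 benign, 1 attack.
TRAIN = [([12, 310, 2, 64], 0), ([15, 295, 3, 64], 0), ([11, 320, 2, 64], 0),
         ([14, 305, 2, 64], 0), ([13, 300, 3, 64], 0), ([16, 315, 2, 64], 0),
         ([480, 60, 2, 64], 1), ([14, 300, 45, 64], 1)]
TEST = [([13, 308, 2, 64], 0), ([15, 298, 3, 64], 0), ([22, 330, 4, 64], 0),
        ([510, 64, 3, 64], 1), ([12, 305, 52, 64], 1), ([300, 80, 30, 64], 1)]

def fit_scaler(rows):
    """Stage 2, pre-processing: per-feature (min, max) learned from training data only."""
    return [(min(col), max(col)) for col in zip(*rows)]

def scale(row, scaler):
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(row, scaler)]

def select_features(rows):
    """Stage 3, feature selection: drop columns that never vary (here the constant TTL)."""
    return [i for i, col in enumerate(zip(*rows)) if st.pvariance(col) > 0]

def train(train_set, margin=1.5):
    """Stage 4, training: centroid of benign flows plus a distance threshold."""
    scaler = fit_scaler([r for r, _ in train_set])
    scaled = [(scale(r, scaler), y) for r, y in train_set]
    keep = select_features([s for s, _ in scaled])
    benign = [[s[i] for i in keep] for s, y in scaled if y == 0]
    centroid = [st.mean(col) for col in zip(*benign)]
    threshold = margin * max(math.dist(b, centroid) for b in benign)
    return scaler, keep, centroid, threshold

def is_anomalous(row, model):
    scaler, keep, centroid, threshold = model
    scaled = scale(row, scaler)
    return math.dist([scaled[i] for i in keep], centroid) > threshold

def evaluate(test_set, model):
    """Stage 5, testing: detection rate and false-positive rate on held-out flows."""
    flags = [(is_anomalous(r, model), y) for r, y in test_set]
    attacks = sum(y for _, y in flags)
    tp = sum(f for f, y in flags if y == 1)
    fp = sum(f for f, y in flags if y == 0)
    return tp / attacks, fp / (len(flags) - attacks)

if __name__ == "__main__":
    print("detection rate, false-positive rate:", evaluate(TEST, train(TRAIN)))
```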


References
• Morteza Behniafar, Alireza Nowroozi, and H. R. S. (2020). A Survey of Anomaly Detection Approaches in Internet of Things. The ICS INT’L JOURNAL OF INFORMATION SECURITY, 10(2), 79–92. http://www.isecure-journal.org

• P. Maniriho, E. Niyigaba, Z. Bizimana, V. Twiringiyimana, L. J. Mahoro and T. Ahmad, "Anomaly-based Intrusion Detection Approach for IoT Networks Using Machine Learning," 2020 International Conference on Computer Engineering, Network, and Intelligent Multimedia (CENIM), 2020, pp. 303-308, doi:10.1109/CENIM51130.2020.9297958.

• Thamilarasu, G., & Chawla, S. (2019). Towards Deep-Learning-Driven Intrusion Detection for the Internet of Things. Sensors 2019, 19, 1977; www.mdpi.com/journal/sensors, 1–19. https://doi.org/10.3390/s19091977

• Ullah, I., & Mahmoud, Q. H. (2020a). A Scheme for Generating a Dataset for Anomalous Activity Detection in IoT Networks. In Conference Proceedings - IEEE International Conference on Systems, Man and Cybernetics (Vols. 2020-Octob, Issue May). Springer International Publishing. https://doi.org/10.1109/SMC42975.2020.9283220

Thank you for listening
