1. Introduction
Internet of Things (IoT) is an interconnected system of devices that facilitates seamless information exchange between physical devices. These devices could be medical and healthcare devices, driverless vehicles, industrial robots, smart TVs, wearables and smart city infrastructures, and they can be remotely monitored and regulated [1,2]. IoT devices are expected to become more prevalent than mobile devices and will have access to the most sensitive information, such as personal information [3]. This will increase the attack surface and, with it, the probability of attacks. For instance, ‘Mirai’ is a botnet that mounted a Distributed Denial of Service (DDoS) attack that left much of the network unreachable [4].
Due to the significance of IoT devices in our daily lives, it is crucial to develop intelligent IoT IDSs capable of detecting both previously known and zero-day attacks. As IoT devices are part of the infrastructure, they are a target of cyber-attacks. Symantec reported a 600% increase in attacks against IoT platforms in 2018 [5], which means that attackers are aiming to exploit the connected nature of these devices.
Intrusion Detection System (IDS) technology was originally developed for traditional networks, and therefore the current IDS techniques for IoT are insufficient to detect different types of attacks for the following reasons [6]. First, current IDSs protect against known security threats, which means they are easily defeated by new kinds of intrusions, as attackers can evade the traditional IDS [7]. For instance, the increasing volume of DDoS attacks uses techniques that spoof source IP addresses to hide the attack, so it becomes undetectable by a traditional IDS. Second, IoT-specific features present a challenge for creating an IDS. IoT devices are huge in number and would need to host IDS agents; furthermore, the low storage and computational capacity of IoT devices impose constraints on how IDS systems can be implemented. Third, another important issue is the characteristic associated with the IoT network design. In traditional networks, the computer system is connected to specific computer nodes that are responsible for sending packets to the endpoints. In contrast, the IoT ecosystem communicates with numerous sensors and actuators to accomplish several monitoring and control tasks, and IoT devices exhibit significantly more varieties and types of networks than traditional networks. Therefore, applying a traditional IDS to the IoT ecosystem is hard because of its specific features, such as limited resources, particular protocol stacks, and network requirements. For these reasons, an innovative hybrid IDS model integrating Signature-based IDS (SIDS) and Anomaly-based IDS (AIDS) that can provide robust intrusion detection is proposed in this paper. The hybrid IDS is developed to counter the drawbacks of SIDS and AIDS, as it uses SIDS and AIDS together to identify both zero-day and known attacks. The objective of the hybrid IDS is to overcome the limitations of the SIDS techniques and to take advantage of the processing cost of the AIDS techniques; therefore, the HIDS has no negative impact on the node’s energy consumption. Current IDSs, however, are not adequate to detect various attacks against IoT systems, and they require high consumption of memory and processing. In our approach, AIDS is utilized to detect zero-day attacks, while SIDS is utilized to recognize known attacks. The key idea of our approach is to consolidate the benefits of both SIDS and AIDS to create a robust IDS.
The technique of creating and combining several classifiers to achieve high accuracy is called boosting. SIDS is developed based on the C5.0 decision tree classifier. Decision trees are considered one of the most popular classification techniques. A decision tree is made up of nodes that form a rooted tree, meaning it is a directed tree with a node called the “root” that has no incoming edges. C5.0 decision trees produce their outputs using one attribute at a time to split the data. New data can be categorized by the sets of criteria defined at the nodes [8].
AIDS is developed based on a one-class Support Vector Machine (SVM). AIDS uses the known attack information and correctly builds profiles of the normal behavior of operations. Our model contains a feature selection component for selecting suitable features, which efficiently removes redundant and inappropriate features. Feature selection often leads to increased detection accuracy, a reduced false alarm rate, and reduced storage and computational demands on IoT devices.
The main contributions of this paper are as follows:
Development of a feature selection technique based on the information gain principle to select IoT features that result in the maximum difference of features among all the profiled applications.
Development of a Hybrid Intrusion Detection System (HIDS) for IoT devices and gateways that uses a C5 classifier in the first stage and a one-class SVM in the second stage to create an effective ensemble architecture for improved accuracy. The experimental results show that the HIDS attains 99.97% detection accuracy.
This paper is structured as follows. The background is provided in Section 2. Related work is discussed in Section 3. We present our approach to building models for the study in Section 4. The experimental setup is presented in Section 5. Lastly, the conclusion is presented in Section 6.
2. Background
IoT is made up of smart devices that interconnect with one another. It permits the smart devices to gather and share information. IoT devices use back-end cloud services for intensive processing to maintain remote control [9]. Clients are able to gain access to this data and control their devices through a mobile application or web-based interface. With a large number of sensors and actuators connected to the Internet, it is important to gather raw data and apply data mining techniques to extract more interesting information about the devices in order to develop efficient IDSs.
Smart devices can be connected via a wired or wireless connection. The wireless connections pose security challenges, as many diverse wireless communication methods and protocols could be applied to interconnect IoT devices. These technologies include Low power Wireless Personal Area Networks (6LoWPAN), ZigBee, Bluetooth Low Energy (BLE), Z-Wave, and Near Field Communication (NFC) [10].
Figure 1 shows the IoT system architecture with the layers where attacks can occur. An IoT system can comprise three fundamental layers, which are the perception layer, network layer, and application layer [11]. The perception layer is the lowest layer of the conventional architecture of IoT. This layer consists of devices, sensors, actuators, and controllers. This layer’s fundamental task is to gather valuable information from IoT sensor systems. The network layer ensures the successful transmission of data, while the application layer is the highest layer that processes the data for visualization. This layer consists of various applications that essentially use the data provided by the underlying layers.
The data transfer among these levels takes place via the following transmission channels:
Device to device (D2D): peer-to-peer communication between two devices using communication technologies such as Bluetooth, ZigBee, and Wi-Fi, which are common in the IoT system.
Device to gateway: the gateway acts as a connection between the cloud and another node in IoT (e.g., controllers, sensors, and intelligent devices). All information to the data system is routed through the interconnected gateways. They have two main tasks: (i) to combine data from sensors and route it to the relevant data system; and (ii) to analyze data and, if a fault is detected, to initiate the recovery mechanism as per application’s security requirements.
Gateway to data systems: data sent from a gateway to a suitable data system.
Between data systems: information transmission within data centers or clouds.
IoT Threat Model
The rapid increase in IoT adoption also increases the number of security threats that cybersecurity researchers must consider in order to devise a robust IDS. Several types of malicious activities try to attack the security and privacy of IoT devices, and potentially all smart devices on the publicly accessible Internet can be a target. The IoT is vulnerable to attacks for a number of reasons. Firstly, IoT devices are often unattended (e.g., sensors positioned in remote locations), which makes it very easy for an attacker to gain physical access to them. Secondly, the greater part of the data communication is wireless, which makes it easier to eavesdrop. Lastly, the majority of IoT devices have low storage capacities and limited processing capability; for example, additional security software cannot be installed on the IoT devices.
Cybercriminals can interrupt or modify the behavior of smart devices using various hacking techniques [12]. Some of the hacking techniques need physical access to smart devices, making an attack harder to achieve, although not impossible given the physically unsecured nature of many IoT devices. Other attacks could be completed over the network from a remote site.
Table 1 shows common attack types against smart devices.
An IoT botnet consists of exposed IoT devices, such as electronic appliances, security systems, cars, thermostats and lights in private or commercial environments, speaker systems, alarm clocks, vending machines, and many others that can be affected by intrusion attacks. These intrusions permit a cybercriminal to control the sensors. Unlike conventional botnets, affected IoT devices seek to spread their malicious activity to an ever-increasing number of devices. A conventional botnet may comprise thousands of bots, but an IoT botnet is bigger in scale, with a large number of attached devices [20]. For example, a large DNS service company called Dyn was targeted by cyber attackers on October 21, 2016. This attack was launched as an extraordinarily large number of DNS lookup requests from tens of millions of IP addresses [21]. The requests came from a botnet of a large number of infected internet-connected devices like printers, digital cameras, and other devices. This IoT botnet attack was caused by malicious software named Mirai. Once infected with Mirai, devices persistently scan the internet for vulnerable devices and use default usernames and passwords to access them, infecting them with the malicious software.
At Black Hat 2015, security researchers revealed how they attacked a Chrysler Jeep Cherokee. By attacking the Jeep’s system of IoT devices and sensors, one could remotely control the Jeep as it drove down the highway [22].
3. Related Work
In this section, a review of the existing IDS research for IoT is presented. Each study was categorized by considering the following characteristics: IDS placement strategy, detection method, and validation strategy. Figure 2 shows the classification of IDS for IoT networks, while Table 2 provides some recent related research.
In terms of IDS placement strategies, an IDS can be classified as distributed, centralized, or hybrid. In distributed placement, the IoT devices themselves could be responsible for checking other IoT devices.
In the centralized IDS placement, the IDS is placed in central devices, for instance, in the boundary switch or a nominated device. All the information that the IoT devices collect and then send to the network boundary switch passes through the boundary switch. Consequently, the IDS positioned in a boundary switch can check the packets exchanged between the IoT devices and the network. In spite of this, checking the network packets that pass through the boundary switch is not adequate to identify anomalies that affect the IoT devices themselves.
Raza et al. used a hybrid, centralized, and distributed approach and placed IDS modules both in the border router and in nominated nodes [23]. They applied signature- and anomaly-based techniques to detect routing attacks, where an attacker provides nearby nodes with false routing data and then modifies the data that transmits through it.
Current works on IDS for IoT fall into three primary classes: Anomaly-based Intrusion Detection System (AIDS), Signature-based Intrusion Detection System (SIDS), and hybrid. In short, SIDS relies on pattern matching techniques for finding known attacks; these are also known as Knowledge-based Detection or Misuse Detection [24]. In SIDS, matching methods are used to find a previously seen intrusion. In AIDS, a model of the normal behavior of a computer system is determined using machine learning, statistical-based or knowledge-based methods. Any significant deviation between the observed behavior and the model is regarded as an anomaly, which can be interpreted as an intrusion. The assumption for this group of techniques is that malicious behavior differs from typical user behavior. The Hybrid IDS methodology combines SIDS with AIDS to improve the detection rate and decrease false alarms.
To validate the effectiveness of IDSs, researchers have used different strategies, such as theoretical, empirical, and hypothetical validation of their techniques.
Hodo et al. used AIDS based on a neural network for detecting Denial of Service attacks over IoT networks. Their IDS approach was based on categorizing normal and abnormal patterns. The AIDS model was tested against a simulated IoT network [25].
Diro et al. developed an IoT network attack detection system on the basis of distributed deep learning. Their work showed that distributed attack detection could identify IoT attacks better than a centralized strategy, with a 96% detection rate. Their approach was evaluated using the NSL-KDD dataset. Even though this dataset is another version of the KDD data set, it still suffers from various issues reviewed by McHugh [26]. We believe this dataset should not be used as an effective benchmark dataset in the IoT, as this data was collected from a traditional network [27]. This leads us to develop IDSs that take into consideration the specific requirements of IoT protocols such as Low-power Wireless Personal Area Networks (6LoWPAN). Hence, an intrusion detection system created for the IoT ecosystem should operate under the rigorous settings of low processing ability, high-speed connections, and big-capacity data processing.
Rathore et al. proposed a semi-supervised fuzzy learning based distributed attack detection framework for IoT [28]. The evaluation was done on the Network Security Laboratory - Knowledge Discovery in Databases (NSL-KDD) dataset and consequently suffers from the same dataset limitations as mentioned above.
Cho et al. proposed a methodology for checking packets that pass through the border router for communication between the physical and the network devices. Their methodology detected botnet attacks by checking the packet length [29]. However, no information is presented about the technique that can be employed to create normal behavior profiles. It is also not clear how the proposed IDS techniques would work on resource-constrained nodes in the IoT.
Moustafa et al. proposed an ensemble of IDSs to detect abnormal activities, specifically botnet attacks against Domain Name System (DNS), Hyper Text Transfer Protocol (HTTP), and Message Queue Telemetry Transport (MQTT) [30]. Their ensemble method is based on the AdaBoost learning method, and they used three machine learning techniques, Artificial Neural Networks (ANN), Decision Tree (DT), and Naive Bayes (NB), to evaluate their methodology [30]. The proposed IDS results in significant overhead, which degrades its performance.
Hodo et al. used an Artificial Neural Network (ANN) to detect DDoS and DoS attacks against legitimate IoT network traffic. The proposed ANN model was tested with the use of a simulated IoT network. Hodo et al. proposed a threat analysis of IoT using an ANN to detect DDoS/DoS attacks. A multi-layer perceptron, a type of supervised ANN, was trained using internet packet traces, and then the model was assessed on its ability to thwart DDoS/DoS attacks [25]. Hodo et al. did not consider the effectiveness after deployment of the proposed IDS in the IoT ecosystem on low-capacity devices. According to their experimentation, the system achieved an accuracy of 99.4% for DDoS/DoS. However, no details of the dataset are provided.
Cervantes et al. proposed an IDS for detecting sinkhole attacks on 6LoWPAN for the IoT. Their IDS approach applies a combination of anomaly detection and a support vector machine (SVM). Each IDS agent trains the SVM and executes a majority voting decision to mark the infected nodes [31]. Their simulation results showed that their IDS achieves a sinkhole detection rate of up to 92% in the fixed scenario and 75% in a mobile scenario. However, their approach has not been evaluated for other types of attacks in the IoT.
Patil and Modi [33] designed a virtual environment monitoring system to prevent intrusions in IoT. This system uses a predefined signature database for known attacks and applies anomaly-based detection for unknown attacks.
Table 3 shows the IDS techniques and datasets covered by this paper and previous research papers.
4. Proposed Hybrid Model for IDS
A Hybrid IDS has been proposed to overcome the shortcomings of SIDS and AIDS, as it brings together SIDS and AIDS to identify both unknown and known attacks. Novel techniques were used to combine the results of SIDS and AIDS. In our methodology, AIDS is utilized to recognize zero-day attacks, while SIDS is utilized to distinguish well-known attacks. A boosting method was used to combine the classifiers and to decrease the bias of the combined model. The Hybrid IDS has two stages, the SIDS stage and the AIDS stage, as shown in Figure 3. AIDS aims to profile the normal activity of nodes and raises a malicious alarm when the deviation of a request from the normal profile exceeds the predefined threshold for a given observation. Node profiles are created from records that were recognized as benign actions. Next, the system observes the behavior of the traffic, matches the new records against the built profiles, and attempts to identify abnormalities. If any malicious request is identified, the system saves it in the signature database. The main purpose of storing the malicious pattern in the database is to achieve protection against similar attacks in upcoming malicious activity. In other words, the SIDS will hold an appropriate history of previously known attacks.
4.1. Feature Selection
The IoT ecosystem is made up of smart devices with limited processing power, memory, energy, and communication range. One main issue among many others with IDSs is dealing with many irrelevant features, which can cause overhead on the system. It is well known that redundant, irrelevant features often lead to a low detection rate. Therefore, the purpose of feature selection is to identify significant features which can be used in the IDS to detect various attacks efficiently [38].
With the extracted labels, the features are analyzed for both normal and abnormal behaviors to determine the most relevant features. We applied an information gain method for feature selection. The information gain method has a fast execution time, and this technique extracted the best performing feature set for the particular type of model. In the literature, information gain is regularly applied to assess how well each distinct attribute separates the given data set. The overall entropy “I” of a given dataset “S” is described as [39]:
where, “
” refers to the total number of classes and
denotes the portion of instances that belongs to class
. The decrease in entropy or information gain is calculated for every feature according to:
where
values of
and
are the instances of a set.
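As an added example (not code from the paper), the information-gain feature ranking described in this subsection in Python, using the standard Shannon entropy of the class proportions and the usual per-feature gain (entropy of S minus the size-weighted entropy of the subsets S_v induced by each feature value); the flow records and feature names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed IoT flow records (not the paper's dataset): three candidate
# features and a class label. Destination port is designed to be fully
# informative, protocol weakly informative, packet length uninformative.
RECORDS = [
    {"proto": "tcp", "dst_port": "23",   "pkt_len": "small", "label": "attack"},
    {"proto": "tcp", "dst_port": "23",   "pkt_len": "small", "label": "attack"},
    {"proto": "tcp", "dst_port": "23",   "pkt_len": "large", "label": "attack"},
    {"proto": "udp", "dst_port": "53",   "pkt_len": "large", "label": "attack"},
    {"proto": "tcp", "dst_port": "1883", "pkt_len": "small", "label": "normal"},
    {"proto": "tcp", "dst_port": "1883", "pkt_len": "large", "label": "normal"},
    {"proto": "udp", "dst_port": "5683", "pkt_len": "small", "label": "normal"},
    {"proto": "udp", "dst_port": "5683", "pkt_len": "large", "label": "normal"},
]


def entropy(records, label="label"):
    """Entropy I(S) = -sum_i p_i * log2(p_i), p_i = share of records in class i."""
    n = len(records)
    if n == 0:
        return 0.0
    counts = Counter(r[label] for r in records)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def information_gain(records, feature, label="label"):
    """Gain(S, A) = I(S) - sum_v |S_v|/|S| * I(S_v), S_v = records with A == v."""
    n = len(records)
    by_value = {}
    for r in records:
        by_value.setdefault(r[feature], []).append(r)
    remainder = sum(len(sub) / n * entropy(sub, label) for sub in by_value.values())
    return entropy(records, label) - remainder


def rank_features(records, features, label="label"):
    """Return (feature, gain) pairs, most informative first."""
    gains = [(f, information_gain(records, f, label)) for f in features]
    return sorted(gains, key=lambda fg: fg[1], reverse=True)


def select_features(records, features, min_gain, label="label"):
    """Keep only the features whose gain reaches min_gain; the rest are dropped
    as redundant or irrelevant before the classifiers are trained."""
    return [f for f, g in rank_features(records, features, label) if g >= min_gain]


if __name__ == "__main__":
    for name, gain in rank_features(RECORDS, ["proto", "dst_port", "pkt_len"]):
        print(f"{name:9s} gain={gain:.4f}")
    print("selected:", select_features(RECORDS, ["proto", "dst_port", "pkt_len"], 0.1))
```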
4.2. Building Classification Models
Once the selected features are identified, we ran experiments using Hybrid IDS to evaluate their capability to distinguish malicious activities from normal activities. Our Hybrid IDS model involved two phases, namely SIDS and AIDS.
4.3. Stage One: SIDS Stage
In the SIDS phase, the C5 decision tree classifier was used to create a decision tree [40]. Once a decision tree is created, it can be applied to classify other samples with varying success, depending on how well it models the dataset. The tree can then be applied as a rule set for detecting whether a test sample is malware or benign software.
Unknown traffic is handled through pattern matching to determine whether it represents normal or abnormal activity. If the request matches an attack signature from the database, an alarm is raised that it is a malicious sample. If it does not match, it goes to AIDS, the next stage of the framework as shown in Figure 3, as AIDS is designed to detect unknown attacks, such as a zero-day attack.
4.4. Stage Two: AIDS Stage
In order to effectively recognize unknown attacks, the output of SIDS-stage is used to train AIDS to recognize abnormal activities. AIDS, being trained using benign samples, should be able to separate activities which do not appear to be normal, i.e., unusual behaviors exhibited by malware type software. To train AIDS, One-Class SVM is used, which learns the attributes of benign samples without using any information from the other class. Such a classifier can identify normal activities with far more success as normal class training data are easily available. In contrast, zero-day attacks are rare. Hence, we may have few instances of training datasets for zero-day attacks or even none.
Therefore, in the second stage, normal behavior is identified, and anything outside the normal behavior is classified as a zero-day attack. One-class classification techniques aim to build classification models when the malware class is unavailable, poorly sampled, or not well identified. The unique circumstances constrain the learning of efficient classifiers by describing class boundary just with the information of the normal class. In contrast to the traditional multi-class classification paradigm, in one-class classification, normal behavior is well described by examples in the training data, while the unknown malware has no example.
4.5. Stage Three: Stacking of the Two Stages
SIDS and AIDS have complementary qualities and shortcomings; thus, we propose to build a hybrid method utilizing an ensemble of both approaches. In machine learning, ensemble techniques are used to enhance prediction accuracy. Although many ensemble methods have been proposed, it is a difficult task to find an appropriate ensemble configuration for detecting zero-day attacks. A C5 classifier was used as the first stage and a one-class SVM was used as the second stage to create an ensemble of classifiers that improves accuracy for the IDS.
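The two-stage flow of Sections 4.3 to 4.5 (signature match first, anomaly model on whatever does not match, newly detected anomalies written back into the signature database), as an added example that is not the paper's code. The stage-two model here is a simple one-class envelope fitted only on benign samples, used as a stand-in for the paper's One-Class SVM; the two-dimensional feature vectors and the initial signature are constructed.

```python
import math

# Constructed benign training vectors (packets_per_sec, mean_pkt_len); not the
# paper's dataset. Stage two learns from these only, never from attack samples.
BENIGN_TRAIN = [(10, 120), (12, 118), (9, 125), (11, 122),
                (10, 119), (13, 121), (8, 123), (11, 120)]


class SignatureStore:
    """Stage one (SIDS): exact match against known-malicious feature patterns."""
    def __init__(self, signatures=()):
        self.signatures = set(signatures)

    def matches(self, sample):
        return sample in self.signatures

    def add(self, sample):
        self.signatures.add(sample)


class OneClassEnvelope:
    """Stand-in for the One-Class SVM: fitted on the benign class alone, it flags a
    sample whose standardised distance from the benign centre exceeds threshold."""
    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.mean, self.std = [], []

    def fit(self, benign):
        n, dims = len(benign), len(benign[0])
        self.mean = [sum(s[d] for s in benign) / n for d in range(dims)]
        # Floor the spread so a constant feature cannot produce a division by zero.
        self.std = [max(math.sqrt(sum((s[d] - self.mean[d]) ** 2 for s in benign) / n), 1e-9)
                    for d in range(dims)]
        return self

    def score(self, sample):
        return math.sqrt(sum(((v - m) / s) ** 2
                             for v, m, s in zip(sample, self.mean, self.std)))

    def is_anomaly(self, sample):
        return self.score(sample) > self.threshold


class HybridIDS:
    """SIDS first; unmatched traffic goes to AIDS; AIDS hits become new signatures."""
    def __init__(self, signatures, anomaly_model):
        self.sids = SignatureStore(signatures)
        self.aids = anomaly_model

    def classify(self, sample):
        if self.sids.matches(sample):
            return "known_attack"
        if self.aids.is_anomaly(sample):
            self.sids.add(sample)        # remembered so repeats are caught by SIDS
            return "zero_day"
        return "normal"

    def run(self, stream):
        return [(s, self.classify(s)) for s in stream]


if __name__ == "__main__":
    ids = HybridIDS([(500, 60)], OneClassEnvelope(3.0).fit(BENIGN_TRAIN))
    for sample, verdict in ids.run([(11, 121), (500, 60), (300, 64), (300, 64)]):
        print(sample, "->", verdict)
```

Running the block shows the same anomalous vector flagged as zero_day on first sight and as known_attack on its second appearance, which is the feedback the paper describes for storing malicious patterns in the signature database.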