Thesis network intrusion detection system

In this phase, data packets are assembled and transformed before feeding into the machine-learning module. Instead of requiring a dedicated host or specialized hardware, this module performs highly optimized data collection and transformation thereby enabling IIDs to be implemented on resource-constrained networks. The components of this phase are described below. This phase is responsible for mitigating the attack and initiating a proper response. The system uses two modules for facilitating mitigation response, i. The Handler component in this module is responsible for executing the mitigation response if flagged by the Actuator module.

The Actuator module is responsible for identifying the most suitable mitigation response in the event of an attack within the IoT network. The mitigation response can either send an alarm signal or shut down the communication in the network. When the Actuator module is aware of an appropriate mitigation response, it would activate the Handler module to execute the response or generate an alarm for the end-user. The Handler module is primarily a set of mitigation procedures hard-coded within IID program to execute a mitigation procedure as a proof of concept.

A mitigation procedure is invoked by the Actuator module in response to an intrusion, and is further executed by the Handler module. Once the mitigation response is executed successfully by the Handler module, it logs the type of attack and the mitigation response provided. In this section, we discuss the detection algorithm in detail. Specifically, we use deep learning, which is a subset of machine learning with increased flexibility and accuracy over classical learning algorithms.

We choose deep-learning technique, as it outperforms other solutions in multiple domains that are highly unstructured and form heterogeneous patterns. They also have an advantage over other machine-learning algorithms due to their ability to incrementally learn and extrapolate new features from a limited set of training data. Additionally, the thin and layered structure of sequential deep neural-network models makes them the best fit for being deployed over a low-powered and resource-constrained portable IoT device, still facilitating real-time anomaly detection. IDSs use behavioral categorization and response to classify malicious and benign communication.

No single message, or feature on a communication cycle can determine the behavior or the nature of the communication.

Both the qualitative and quantitative features of a communication cycle are required to be observed over a period of time to yield its behavioral characteristics. We propose the features presented in Table 1 to characterize these qualitative and quantitative aspects of wireless communication messages intercepted by the detection module in IoT systems. In a typical communication cycle between a distinct pair of sender and receiver nodes, the transmission and reception rates are expected to be similar.

These values are however different when the system is under an attack such as denial-of-service or sinkhole attack. Similarly, transmission-to-reception ratio is a reasonable indicator of spoofing and masquerading attacks when used in conjunction with activity duration.

Development of a Lab Experiment for Intrusion Detection System in Wireless Body Area Networks

Transmission mode determines the state and protocol of the communication. Based on the pre-trained behavior, IDS can distinguish if the message headers in a communication cycle have a known vulnerable transmission mode, an unintended sender or receiver through IP addresses , a malicious payload, or all of these.

To classify malicious and benign traffic, the proposed IDS thus gathers above features such as transmission-rate, reception-rate, transmission-to-reception ratio, duration, transmission mode, source-IP, destination-IP, and the data-value information from the network traffic. These features are selected in consideration of the computational capability, and the processing to performance ratio of portable low-powered, resource-constrained IoT devices.

During data preprocessing, IID calculates the probability distribution of the extracted meta-features as shown in Equation 1. The set of features represents a tuple of input data for the machine-learning algorithm. Consequently, each meta-feature set can be represented as a feature vector f v at a time instance n , generated as,.

The proposed IDS uses perceptual learning model for both data collection and feature extraction, as well as for anomaly detection. As described earlier, during the Network Connection phase, network traffic is intercepted, and raw features are extracted from the network packets. Consequently, the data collection and transformation module concatenates the set of primary features with the set of secondary features to create a tuple.

Essentially, each tuple is a set of raw features and the meta-features of a data-packet. A DBN is a model of un-directed connections between different layers, where each layer comprises n -number of neural nodes, while a DNN is a type of feed-forward neural network with many layers.

DNN can thus be created from a model pre-trained using unsupervised learning which is very fast in comparison to supervised learning. Figure 3. As shown in Figure 3 , the weights for all the hidden layers of this DBN model, denoted by w i , are obtained by performing unsupervised training. However, the parameters generated from this unsupervised training are only used for assigning the initial set of weights. For each network transaction, a binary-classification layer and label information a is added at the top layer of the DBN model to successfully construct a DNN.

Figure 4 shows that the DBN is augmented with binary-classification layer and label information to transform into a DNN. Now, this DNN model is trained with a bottom-up supervised learning approach using the label information a.

Development of a Lab Experiment for Intrusion Detection System in Wireless Body Area Networks

During the supervised learning process, each node in a DNN layer is assigned with a weight parameter which are manipulated by using the gradient descent methodology. The proposed deep-learning model uses supervised training and binary classification for identifying malicious activities. This feedback mechanism is used during retraining of the DNN, which enriches the feature extraction and labeling functionality of the detection system. However, if the extracted features are not sufficient to classify the network traffic, feedback is sent to the data collection and transmission module for retraining.

As mentioned earlier, these input features are represented as a tuple, formed from a combination of both the primary and secondary features. During the supervised training process, each tuple and its label information a is fed to the DNN where it passes through the first hidden encode layer and gets filtered out as the x most significant features. The x features are then passed into the second encode hidden layer where they get filtered into y features and the second encode layer feeds them into the third encode hidden layer.

The third hidden encode layer takes the y features as input from the previous layer and filters two outputs. It also acts as a soft-max layer that fine tunes the results to classify the attack into categories. The result is passed to the output layer representing the classification as malicious and benign traffic.

Output layer does not perform any filtration but ingests the output from the third hidden layer and yields the classification result. Thus, the rest of the hidden layers i. Each layer of the DNN thus feeds onto this data, and maps it to a numerical value. The mapped values are normalized to 0 and 1, where benign network traffic is represented by the value 0 and malign network traffic is represented by the value 1. The DNN thus develops a binary classifier for anomaly detection.

"A Machine Learning Approach to Network Intrusion Detection System Usin" by Ilemona S. Atawodi

We retrofit the DNN model for training, and testing the predictions. The proposed IDS is trained and tested against the testing dataset. Figure 6 details the training mechanism used for the proposed DNN model.

Neural nodes in each DNN layer calculates an output using an activation function and generates a filtered result. In this work, we use a rectified linear unit ReLU activation function for developing this system. ReLU function is defined as:. Here, the negative values in the matrix x are set to zero while other values remain constant.

Each hidden layer links to the next hidden layer by using linear-combinations of outputs and feeds the filtered output generated by the ReLU activation function to the next layer. Each feature vector f v represents the probability in the Byte-representation of meta-features generated from a single data-packet, and a is the binary label information attached to each data-packet.

In the training phase, the input feature f v enters the DNN through the external nodes that are present at the bottom of the DNN. Consequently, these weight vectors are modified as more data passes through DNN layers with each cycle in supervised training.


The machine-learning algorithm assigns a cost function, cumulative cost function, and an optimization function [ 32 ] to manipulate our detection model. We assign a cost function for each layer of the proposed DNN as formulated in Equation 5 , defined as the mean square error function between the prediction value and the output, as,.

The hypothesis function h w f v is responsible for manipulating weights w on every node in each DNN layer as illustrated in Equation 6 , the cumulative cost function for a single set of training data k , is defined as,. We implement the DNN using Keras, an open-source neural-network library written in Python and test using the open Cooja network simulator developed in Contiki operating system [ 33 ]. We use Keras library because of its light-weight, modularity, and easy extensibility, and create a Sequential Deep-Learning model, constructed as a linear stack of DNN layers.

In addition, Keras library is fast and can process large amounts of data easily. It automatically distributes the work over different processing threads with the machine, without the need for providing optimization or distributed processing parameters as in the case of other machine-learning libraries.

  • Towards Deep-Learning-Driven Intrusion Detection for the Internet of Things.
  • Simulation of network intrusion detection system with GPenSim;
  • Random Forest-Based Intrusion Detection System (IDS);

Hence, Keras enables implementation of the anomaly-based IDS on a low-powered resource-constrained Raspberry Pi, with a raw processing speed of approximately MHz and a volatile memory of megabytes. The implementation consists of three stages: input data collection and preprocessing, creation and training of DNN classifier, and testing. Input data collection and preprocessing is used to generate an IoT network-traffic dataset as an input for the anomaly-detection process ADP. Creation, and training of the DNN classifier are the core sub-processes in the ADP and the detection process in general.

Training assigns weights to each classifier node to filter a certain type of input and matures the binary classifier. The IoT simulation dataset consists of 5 million network transactions represented as features from the six sensors distributed in a smart home network simulation. We use Scapy, an open-source network penetration testing framework, to extract these features by stripping down each network packet.

The 5 million network transactions were pruned out by the input data-preprocessing program to make the input dataset of 59, readings. It is important to note that these network simulations were gathered from two separate simulations, i. Each network transaction in the second network simulation was marked as malicious as the entire network was affected by the malicious activities occurring within the network.

In our experimentation, in the dataset of 59, transactions, a total of 31, network transactions were malicious while the rest of 28, network transactions were benign. As mentioned earlier, we used Python-based Keras machine-learning library for the implementation of the deep-learning algorithm. During classification stage, training dataset are read, stored in a data frame and converted into a matrix. Furthermore, these datasets are bifurcated into the training and testing datasets, where the training dataset comprised of 18, benign network transactions and 20, malicious network transactions, while the testing dataset comprised of benign network transactions and 10, malicious network transactions.

The system was initially tested using the labeled testing dataset consisting of 19, i. After the initial training of DNN using labeled training dataset comprising of 39, i. Thereafter, the deep-learning model is compiled and fitted with runs, i.

Consequently, in every test, the results of the classifier are normalized to a binary value. We simulate and evaluate the performance of our proposed detection system against various attacks on IoT networks such as the sinkhole attack, distributed denial-of-service DDoS attack, blackhole attack, opportunistic service attack and wormhole attack.

Blackhole Attack: In a blackhole attack, the malicious device falsely advertises shortest route to destination and then silently drops all packets on its path creating a blackhole in the network. Opportunistic Service Attack: In an opportunistic service attack, the malicious device increases its trust value by providing highly dependable services at first and then later resorts to providing inferior service for its own profit. Sinkhole Attack: In a sinkhole attack, the malicious node may announce beneficial route or falsified path to attract all nodes to redirect their packets through it, acting as a sink.

Wormhole Attack: In a wormhole tunnel attack, pair of attacker devices collude with each other through a virtual private connection. The network packets received by the victim device is first forwarded through the wormhole, and replayed later, resulting in non-optimized routes.