A Two-Layer Dimension Reduction and Two-Tier Classification Model for Anomaly-Based Intrusion Detection in IoT Backbone Networks
Citations
A Survey of Machine and Deep Learning Methods for Internet of Things (IoT) Security
Network Intrusion Detection for IoT Security Based on Learning Techniques
Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches
Internet of Things security and forensics: Challenges and opportunities
References
Data Mining: Practical Machine Learning Tools and Techniques
The Internet of Things: A survey
Anomaly detection: A survey
The internet of things: a survey
Related Papers (5)
Distributed attack detection scheme using deep learning approach for Internet of Things
Frequently Asked Questions (22)
Q2. What are the future works mentioned in the paper "A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in IoT backbone networks"?
Future research includes exploring the potential of nonparametric methods, such as a nonparametric dimension reduction module and fuzzy clustering, to achieve better classification of U2R, R2L and other attacks. Another interesting future work is the extension of the proposed model to detect intrusions at other layers of the IoT architecture, such as the application and support layers, as well as against other protocols running in the network layer.
Q3. What is the supervised anomaly detection approach?
The supervised anomaly detection approach in [25] leverages both distance measure and density of clusters for intrusion detection.
Q4. What is the way to detect anomalous activity?
Existing intrusion detection and prevention models generally use statistical approaches [15] such as Hidden Markov Model (HMM) [15], Bayes theory [16], cluster analysis [17], signal processing [18] and distance measuring [19] to detect anomalous activities.
Q5. What is the CF-KNN version of TDTC?
The Naïve Bayes classifier is used to classify anomalous behavior, and its output is then refined to separate out normal instances using the Certainty-Factor version of K-Nearest Neighbor (CF-KNN).
Q6. What is the certainty factor in the classification module?
The certainty-factor similarity measure in the classification module is based on the proportional distribution of classes in the training dataset, which resolves the imbalanced dataset issue.
Q7. What is the description of the model?
Despite a high accuracy rate in identifying normal behavior and detecting simpler attacks such as DoS and probe attacks, the model performs poorly in detecting low-frequency and sparsely distributed attacks such as R2L.
Q8. Why is the dimension reduction module deployed to address limitations?
The dimension reduction module is deployed to address limitations due to dimensionality, which may lead to wrong decisions while increasing the computational complexity of the classifier.
Q9. What is the performance of the TDTC two-layer dimension reduction module?
The TDTC two-layer dimension reduction module is an offline task: it is applied once to obtain the transformation vectors, which are then applied to incoming samples.
Q10. How many new attack types are included in the training set?
Since the test set contains 17 new attack types not included in the training set, the authors can evaluate the effectiveness of TDTC in detecting unknown or uncommon attacks.
Q11. What is the correlation coefficient assessment of the final features?
The correlation coefficient assessment of the final features shows that the transferred features at the two layers of the dimension reduction module are mostly independent, since ρ = 0.
Q12. What is the role of TDTC in detecting residual attacks?
TDTC can also be deployed as an auxiliary service for digital forensics in the IoT ecosystem, such as those discussed in [56], to detect residual attack patterns at the IoT network layer.
Q13. What is the computational complexity of the Naïve Bayes classifier?
The computational complexity of the Naïve Bayes classifier in the classification module is O(e × f), where e is the number of samples in the dataset and f is the number of features.
Q14. What is the way to detect DoS attacks in cloud environments?
Osanaiye et al. [13] proposed an ensemble-based multi-filter feature selection method to detect distributed DoS attacks in cloud environments, combining four filter methods to achieve an optimum selection over the NSL-KDD dataset.
Q15. What is the smallest number of features in the original dataset?
Let X be an N-dimensional random vector in the original dataset; the new feature space consists of a lower number of M dimensions (M is the number of transformed features in the new dataset), where M < N.
Q16. What is the description of the unsupervised approach?
Casas et al. [22] proposed an unsupervised NIDS based on subspace clustering and outlier detection and demonstrated that their approach performs well against unknown attacks.
Q17. What is the way to determine which eigenvalues are more useful?
In TDTC, one may decide which eigenvalues are more useful; thus, the ideal feature mapping matrix W can be derived and used for the linear transformation of the training and test datasets.
Q18. What is the optimal projection matrix for the TDTC dataset?
The projection matrix W is calculated to maximize the between-class scatter S_B (Eq. 6) and minimize the within-class scatter S_W (Eq. 7):
$S_B = \sum_{c} (\mu_c - \bar{x})(\mu_c - \bar{x})^T$ (Eq. 6)
$S_W = \sum_{c} \sum_{i \in c} (x_i - \mu_c)(x_i - \mu_c)^T$ (Eq. 7)
Q19. What is the description of the supervised anomaly detection approach?
Zhaung et al. [26] proposed a model based on the random forest algorithm to discover anomaly patterns with high accuracy and a low false negative rate.
Q20. What is the description of the approach?
Guo et al. [27] proposed a two-level intrusion detection approach which first detects misuse and then uses KNN algorithm to reduce false alarms.
Q21. How many features are used in TDTC?
Therefore, at this level, thanks to the optimum LDA transformation, the first classifier of TDTC works with only four features instead of 35.
Q22. What is the result value of each feature?
The result value of each feature is mapped to an integer, to avoid any bias, as shown in Eq. 13 for each continuous-valued z.