Intrusion Detection System of IoT Systems Using Artificial Neural Network

Rao Muhammad Ammar Mohammad Ali Qazi Fasi ur Rehman Manahil Fraz
Department of Electrical Department of Electrical Department of Electrical Department of Electrical
Engineering Engineering Engineering Engineering
Usman Institute of Usman Institute of Usman Institute of Usman Institute of
Technology Technology Technology Technology
16b-229- 16b-213- 16b-222- 16b-036-
el@students.uit.edu el@students.uit.edu el@students.uit.edu el@students.uit.edu

Abstract— An increasing number of endpoint devices in IoT geared towards IoT device networks or IoT attack traffic.
infrastructure, bringing in different protocols and Fortunately, however, IoT traffic is often distinct from
technology grows complexity and is raising unwanted that of other Internet connected devices (e.g. laptops and
vulnerabilities. Vulnerability in IoT endpoints makes a smart phones) [7]. For example, IoT devices often
backdoor for an attacker to exploit, disrupt the IoT system,
communicate with a small finite set of endpoints rather
or gather any confidential data from an organization.
Hajime and Mirai Botnets have been used to conduct than a large variety of web servers. IoT devices are also
distributed denial of service (DDoS) attacks on critical IoT more likely to have repetitive network traffic patterns,
systems. To handle such attacks development of adaptive
techniques are needed which can understand network such as regular network pings with small packets at fixed
behavior and can classify normal and abnormal traffic to time intervals for logging purposes. Building on this
detect anomalies. In this paper, we are going to demonstrate observation, we develop a machine learning pipeline that
how effectively a signature-less, cost-effective IDS can detect performs data collection, feature extraction, and binary
Dos attack in a real-time environment. To train our model classification for IoT traffic DoS detection. The features
we have generated an IoT specific data set for a real-time are designed to capitalize on IoT-specific network
environment. Results show raspberry pi acting as an IDS behaviors, while also leveraging network flow
device can automatically detect DoS attacks using Artificial
characteristics such as packet length, inter-packet
neural network.
intervals, and protocol.
I. INTRODUCTION
Given the lack of public datasets of IoT attack traffic, we
The proliferation of insecure IoT devices has resulted in generate classifier training data by after developing a real
a surge of IoT botnet attacks on Internet infrastructure. In time environment IoT smart device network. We set up a
October 2016, the Mirai botnet commanded 100,000 IoT local network comprised of a router, some popular IoT
devices (primarily CCTV cameras) to conduct a devices for benign traffic, and some adversarial devices
distributed denial of service (DDoS) attack against Dyn performing DoS attacks. Our classifier successfully
DNS infrastructure [4]. Many popular websites, identifies attack traffic with an accuracy higher than
including Github, Amazon, Netflix, Twitter, CNN, and 0.988. Our pipeline is designed to operate on network
Paypal, were rendered inaccessible for several hours. In middleboxes (e.g. routers, firewalls, or network switches)
January 2017, the Mirai source code was publicly to identify anomalous traffic and corresponding devices
released; DDoS attacks using Mirai-derived IoT botnets that may be part of an ongoing Dos attack. The pipeline
have since increased in frequency and severity [5]. This is flow-based, stateless, and protocol-agnostic; therefore,
growing threat motivates the development of new it is well suited for deployment on gateway routers or
techniques to identify and block attack traffic from IoT ISP-controlled switches. To our knowledge, this is the
botnets. Recent anomaly detection research has shown first network anomaly detection framework to focus on
the promise of machine learning (ML) for identifying IoT specific features, as well as the first to apply anomaly
malicious Internet traffic [6]. Yet, little effort has been detection specifically to IoT smart devices at the real time
made to engineer ML models with features specifically environment local network level.
 II. RELATED WORKS
noisy and incomplete data. ANN has been successfully
Petteri et al. [16] performed a study on the requirement employed in a broad spectrum of data-intensive
analysis of a benchmark dataset for Network and Host applications [10-11]. The neural network consists of an
Intrusions Detection System (NHIDS). The requirements input layer, number of hidden layers and an output layer.
were finalized based on the dataset features, overall Each layer has number of neurons. The information
composition, and systems used to produce the datasets. enters the neural network via the input layer, it is
Nine datasets starting from the traditional KDD CUP’99 processed in the hidden layers and the result can be
dataset to UNSW-NB15 were reviewed. The coexistence retrieved in the output layer. A typical neural network
of both Host-based and Network-based entities was rare model with a hidden layer is shown in Fig.1.
in a single dataset. According to this study, the real-world
network environment is difficult to replicate using the
test-bed Datasets
Kelton et al. [17] reviewed various machine learning
techniques suitable for intrusion detection in IoT
environment. The recent research works related to IoT
security were analyzed with a special concern on the
Intrusion Detection Systems using machine learning
approaches. In this review the protocols, intelligent
techniques like machine learning techniques and
precision obtained in the recent works were highlighted.
Finally, the research challenges and future directions for
IoT security were also emphasized.

Ganesh et al. [18] proposed an approach for ANN based

Intrusion Detection System with less number of features.
Important features from KDD Cup’99 dataset were Fig.1. Neural Network Model
selected by using Mutual Information based feature
selection method. The performance of Mutual
Information with ANN was compared with Support There are ‘n’ numbers of inputs available for a single
Vector with ANN and Mutation Information approach neuron in this network and each input is associated with
outperformed without any false positive and less negative a weight on it. ‘x0’ is the bias value which is added to the
rates. Though there are many advantages in this method, input of the activation function. Let x1, x2, x3, …….xn
it requires more computation in terms of number epochs are the inputs to a neuron and let w1, w2, w3, …….wn
to obtain the accuracy. are weights, let ‘b’ is the bias and then ‘a’ is the out of the
neuron which is calculated using the equation (1).
Mohammad et al. [19] assessed the challenges of IoT
security by considering various machine learning
techniques in smart cities. Taxonomy of machine
learning algorithms and the issues and challenges
regarding the data analytics of machine learning
algorithms were also discussed. They suggested some
machine learning algorithms like ANN that are useful for
the IoT security and fraud detection.
where, f is the activation function which is used to get the
Alex et al. [20] suggested that the IDS to analyze the data output of that layer and feed it as an input to the next layer
packets and to detect malicious shell code. In their work, [12]. Artificial Neural Network is made up of nodes and
integer values were obtained by converting the byte level corresponding weights which typically require learning
data retrieved from the data transmission of the nodes and based on the given patterns. Some examples of learning
fed into the ANN. Their best classifier identified 100% of patterns include supervised learning and unsupervised
malicious file contents in the test set. This ANN model is learning. In supervised learning, the output has been
useful for anomaly detection. labelled and so the network has a known expected
answer. The Back-propagation algorithm and Multilayer
III.ARTIFICIAL NEURAL NETWORKS Perceptron (MLP) belong to this category [13]. In
unsupervised learning, the neural network analyses the
A set of processing units also called as neurons are input patterns and extract the features based on the
interconnected according to the specified topology is characteristics of the given input. The Self-Organizing
termed as an Artificial Neural Network (ANN). It has the Map is an example of this unsupervised learning [14]
ability to learn by example and generalizes from limited,
Multilayer Perceptron different techniques, we finally exported the optimized
model for real time deployment.
Multilayer Perceptron Multilayer Perceptron is the
widely used neural network model. It is based on V.EXPERIMENTAL SCENARIO
supervised learning technique which uses the historical
data as input to generate a labeled output. In Multilayer A: Experimental Setup
Perceptron, a set of input and its corresponding output are We set up a experimental IoT smart device network to
trained to learn the relationship between those input and collect realistic normal and malicious IoT device traffic
the output. In the training phase, the parameters like (Fig. 1b). We configured a Raspberry Pi v4 as a WiFi
weights and biases are adjusted, so that the error is access point to act as a middlebox using linux terminal.
minimized. This trained MLP model is used in the testing We then connected a M5 Stack Camera, weather station
phase to classify the test dataset. module consisting of Dht 11 and Home automation
module to the Raspberry Pi’s WiFi network. To collect
MLP is a feed forward neural network which involves normal traffic, we interacted with all three IoT devices
forward and backward pass. The signal flow moves for 10 minutes and recorded pcap files, logging all
through the hidden layer from the input layer to the output packets sent during that time period. We performed many
layer. The result of the output layer is measured against interactions that would occur during regular smart device
the labels and the error is calculated. In order to minimize use, including streaming video from the M5 camera ,
the error, the weights and bias are adjusted in the turning the lights of home automation on and off ,
backward pass. The error is minimized in all iteration and collecting temperature and humidity measurements from
finally it will be closer to the approximate output. the Dht11 sensor in weather station. We then filtered out
Determining the optimal number of hidden layers and the all non-IoT traffic from the pcap recordings, including
hidden units in each layer is also a challenging issue. It is background traffic from the Android phone. Collecting
difficult to determine the optimal hidden units than the DoS traffic was more challenging. To avoid
hidden layer. Based on empirical method, the optimum the security risks and complexity of running the real
number of hidden units suitable for the MLP can be Mirai botnet code, we simulated the three most common
assigned [15]. classes of DoS attacks a Mirai-infected device will run: a
TCP SYN flood, a UDP flood, and a ICMP flood. We
IV.ANOMALY DETECTION PIPELINE used a Kali Linux virtual machine running on a laptop as
the DoS source, and we used on of the smart device as the
In this portion, we present an Artificial Neural Network DoS victim. We connected both devices via WiFi to our
based DoS detection framework for IoT network traffic. Raspberry Pi 4 access point. The DoS source then
Our anomaly detection pipeline has four steps. targeted the victim’s IP address with each class of DoS
1) Traffic Capture: attack for approximately 1.5 minutes each. The access
The traffic capture process sniffs the Time, duration point recorded PCAPs of the attack traffic using the
source and destination IP address, Protocol, Length and Wireshark. The TCP SYN Flood, UDP Flood and ICMP
flag of all IP packets sent from the smart devices and Dos Flood were simulated using Kali Linux’s hping3 utility
attack data using Kali Linux. [21]. We then combined the DoS traffic with the normal
2) Data preprocessing: traffic, spoofing source IP addresses, MAC addresses,
To prepare dataset for training and testing of neural and packet send times to make it appear as if the IoT
network, raw data was processed. The features were devices simultaneously produced normal traffic and
extracted and engineered. The string values were conducted DoS attacks. Each of the three IoT-devices
converted to numerical values and normalized to get them appeared to execute each of the three DoS attack classes
in a range. once within 10-minute internal. The attacks occurred in
3) Training a random order for a random duration ranging uniformly
After preparing dataset it was divided into two parts, 75% from 90 to 110 seconds each. Thus, we collected roughly
for training and 25% for testing phase. the parameters like 300 seconds (5 minutes) of attack traffic per device. The
weights and biases are adjusted, so that the error is distribution of attacks between devices was independent.
minimized. Purpose was to get optimized weights after This process produced a dataset of 491,855 packets,
the process of stochastic steepest gradient. Back comprised of 459,565 malicious packets and 32,290
propagation algorithm was used to achieve the optimized benign packets.
model.
4) Model Evaluation: B. Feature Engineering
After training comes the step of testing our trained model We explore two classes of features and analyze why they
and evaluate the model for improvement. Different things are relevant to differentiating normal and attack IoT
can be tried to improve the model, size of data used was traffic. Stateless features can be derived from flow-
increased, associated parameters were tuned and we tried independent characteristics of individual packets. These
different suitable activation functions. After trying features are generated without splitting the incoming
traffic stream by IP source. Thus, these features are the
most lightweight. Stateful features capture how network
traffic evolves over time. There is inherent overhead in

generating these features as we split the network traffic

into streams by device and divide the per-device streams
into time windows. The time windows serve as a simple
time-series representation of the devices’ evolving
network behavior. These features require aggregating
statistics over multiple packets in a time window; the
middlebox performing classification must retain state,
but the amount of state can be limited by using short (e.g.
10-second) time windows.

Flowchart:

From the above matrix we can see that among the

121,306 data packets of the testing dataset, there are
31507 packets which are True Positive (TP), 460 packets
are False Negative (FN) , 271 packets are False Positive
(FP) and 89068 are True Negative (TN). So, we can
check the accuracy rate by comparing these results.

Normal behavior of Network in 5th minute:

V RESULT AND OUTPUT

The pre-processed dataset was fed into the Multilayer

Perceptron (MLP) Neural Network which has four
layers including two hidden layers with 10 neuron each,
input layer and an output layer. Since MLP is a
supervised learning technique, it has training as well as
testing phases, in our dataset 121,306 packets have been
used to test the data model. The MLP model classified
the data packets by sending one for the attack data (1)
and zero for normal data packets (0).
Testing phase Confusion Matrix
 UDP DOS attack Network behavior

DOS NETWORK BEHAVIOR:

TCP DOS attack Network behavior:

ICMP DOS attack Network behavior: VI FUTURE WORK

• This IoT Intrusion detection system can be

converted into intrusion prevention system.
• This machine learning model can be trained
with different type of attack data so that it also
detects or prevent them.
• To deal with more complex scenarios and for
behavior analysis of massive networks, deep
learning techniques can be adopted.
• Better GUI or desktop application can be
developed with more features and ease of use,
• Cloud based IoT IDS/IPS can be developed to
manage it remotely.

VII CONCLUSION

In this Final year project, we demonstrated a new

and much more effective technique to detect Dos
attack accurately. We used Artificial Neural
Network for behavior analysis of an IoT network
so that it can distinguish between normal and
abnormal traffic from IoT smart devices and DoS
attack source. We wanted our Intrusion detection
system to be deployed in any real-time
environment and to train our model accordingly
we developed an IoT-specific dataset from smart
devices that we made and these included a M5
stack camera surveillance project, a weather
station, and a home automation module. After
Now for the PCAP files of dos, when the attack of
extensive and repeated training, validation, and
different protocol happens as shown in the above three
testing we had our model’s accuracy higher than
diagrams i.e. for TCP, UDP and ICMP, these packets
99% in a real-time IoT Smart device network.
flow or passes through the network in more than one and
These preliminary results motivate additional
a half minute. The difference in the normal behavior and
research into machine learning anomaly
the DOS behavior is that in normal behavior there were
detection to protect networks from insecure IoT
multiple IPs that was sending data packets in different
devices.
time frames but in DOS behavior there is only one IP
which is continually sending the massive amount of data
within short duration.
In the above graphs We have showed the behavior of
three DOS attacks, in TCP DOS attack it can be seen
clearly that most of the packets are of TCP protocol and
same goes for other two protocols
 REFERENCES with anomaly detection,” in Computer Network Security,
V. Gorodetsky, L. Popyack, and V. Skormin, Eds. Berlin,
[1] (2016) Unlocking the potential of the Heidelberg: Springer Berlin Heidelberg, 2003, pp. 171–
internet of things. McKinsey & Company. 182.
[Online]. Available: http://www.mckinsey.com/ [13] S. N. Shirazi, A. Gouglidis, K. N. Syeda, S.
business-functions/digital-mckinsey/our-insights/ Simpson,
the-internet-of-things-the-value-of-digitizing-the- A. Mauthe, I. M. Stephanakis, and D. Hutchison,
physical-world “Evaluation
[2] (2015) Internet of things research study. Hewlett of anomaly detection techniques for scada
PackardEnterprise.[Online].Available: communication
http://h20195.www2.hpe. resilience,” in 2016 Resilience Week (RWS), Aug 2016,
com/V4/getpdf.aspx/4aa5-4759enw pp.
[3] (2016) Internet of things (iot) security and privacy 140–145.
recommendations. [14] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A.
BITAG. [Online]. Available: https://www.bitag.org/ Sadeghi,
report-internet-of-things-security-privacy- and S. Tarkoma, “Iot sentinel: Automated device-type
recommendations. identification for security enforcement in iot,” CoRR, vol.
php abs/1611.04880, 2016. [Online]. Available:
[4] S. Hilton. (2016) Dyn analysis summary of friday http://arxiv.org/
october abs/1611.04880
21 attack. Dyn. [Online]. Available: [15] A. Sivanathan, D. Sherratt, H. H. Gharakheili, and
https://dyn.com/blog/ A. V.
dyn-analysis-summary-of-friday-october-21-attack/ Vijay Sivaraman, “Low-cost flow-based security
[5] (2016) Threat advisory: Mirai botnet. Akamai. solutions for
[Online]. Available: https://www.akamai.com/ smart-home iot devices,” 2016.
us/en/multimedia/documents/state-of-the-internet/ [16] S. Hao, N. A. Syed, N. Feamster, A. G. Gray, and S.
akamai-mirai-botnet-threat-advisory.pdf Krasser,
[6] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly “Detecting spammers with snare: Spatio-temporal
detection: networklevel
A survey,” ACM computing surveys (CSUR), vol. 41.3: automatic reputation engine,” USENIX security
15, symposium,
2009. vol. 9, 2000.
[7] N. Apthorpe, D. Reisman, and N. Feamster, “A smart [17] (2017) Yi home camera. [Online]. Available:
home https://www.
is no castle: Privacy vulnerabilities of encrypted iot yitechnology.com/yi-home-camera
traffic,” [18] (2017) Wemo insight smart plug. [Online].
2016. Available:
[8] L. Ertoz, E. Eilertson, A. Lazarevic, P.-N. Tan, V. http://www.belkin.com/us/F7C029-Belkin/p/P-F7C029/
Kumar, [19] (2017) Wireless blood pressure monitor. [Online].
J. Srivastava, and P. Dokas, “Minds minnesota intrusion Available:
detection https://health.nokia.com/us/en/blood-pressure-monitor
system,” In Data Mining: Next Generation Challenges [20] (2017) Goldeneye code repository. [Online].
and Future Directions, 2004. Available:
[9] E. Eskin, W. Lee, and W. Stolfo, “Modeling system https://github.com/jseidl/GoldenEye
call for [21] (2017) hping3 package description. [Online].
intrusion detection using dynamic window sizes,” 2001. Available:
[10] M. Qin and K. Hwang, “Frequent episode rules for http://tools.kali.org/information-gathering/hping3
internet [22] (2017) Scikit learn: Machine learning in python.
anomaly detection,” 2004. [Online].
[11] D. Barbard, J. Couto, S. Jajodia, and N. Wu, “Adam: Available: http://scikit-learn.org/stable/
A [23] F. Chollet et al., “Keras,”
testbed for exploring the use of data mining in intrusion https://github.com/fchollet/keras,
detection,” SIGMOD, vol. 30:4, 2001. 2015.
[12] J. Bigham, D. Gamez, and N. Lu, “Safeguarding [24] N. Apthorpe, D. Reisman, and N. Feamster,
scada systems “Closing the
blinds: Four strategies for protecting smart home privacy
from
network observers,” Workshop on Technology and
Consumer
Protection (ConPro), 2017.