Distributed attack detection scheme using deep learning approach for Internet of Things

https://doi.org/10.1016/j.future.2017.08.043

Highlights

  • Deep learning is proposed for cyber-attack detection in IoT using the fog ecosystem.

  • We demonstrated that distributed attack detection at the fog level is more scalable than a centralized cloud for IoT applications.

  • It has also been shown that deep models outperform shallow machine learning models in cyber-attack detection accuracy.

  • In the future, other datasets and algorithms as well as network payload data will be investigated for comparisons and further enhancements.

Abstract

Cybersecurity continues to be a serious issue for any sector in cyberspace as the number of security breaches keeps increasing. It is known that thousands of zero-day attacks are continuously emerging because of the addition of various protocols, mainly from the Internet of Things (IoT). Most of these attacks are small variants of previously known cyber-attacks. This indicates that even advanced mechanisms such as traditional machine learning systems have difficulty detecting these small mutants of attacks over time. On the other hand, the success of deep learning (DL) in various big data fields has drawn interest in cybersecurity fields. The application of DL has become practical because of improvements in CPU and neural network algorithms. The use of DL for attack detection in cyberspace could be a resilient mechanism against small mutations or novel attacks because of its high-level feature extraction capability. The self-taught and compression capabilities of deep learning architectures are key mechanisms for discovering hidden patterns in the training data so that attacks are discriminated from benign traffic. This research is aimed at adopting a new approach, deep learning, to cybersecurity to enable the detection of attacks in the social internet of things. The performance of the deep model is compared against the traditional machine learning approach, and distributed attack detection is evaluated against the centralized detection system. The experiments have shown that our distributed attack detection system is superior to centralized detection systems using a deep learning model. It has also been demonstrated that the deep model is more effective in attack detection than its shallow counterparts.

Introduction

As an emerging technology breakthrough, IoT has enabled the collection, processing and communication of data in smart applications [1]. These novel features have attracted city designers and health professionals, as IoT is gaining massive application at the edge of networks for real-time applications such as eHealth and smart cities [2]. However, the growth in the number and sophistication of unknown cyber-attacks has cast a shadow on the adoption of these smart services. This emanates from the fact that the distribution and heterogeneity of IoT applications/services make the security of IoT complex and challenging [1], [3]. In addition, attack detection in IoT is radically different from the existing mechanisms because of the special service requirements of IoT which cannot be satisfied by the centralized cloud: low latency, resource limitations, distribution, scalability and mobility, to mention a few [4]. This means that neither cloud nor standalone attack detection solutions solve the security problems of IoT. Because of this, a recently emerged form of distributed intelligence, known as fog computing, should be investigated for bridging the gap. Fog computing is the extension of cloud computing towards the network edge to enable a cloud-things service continuum. It is based on the principle that data processing and communication should be served closer to the data sources [5]. The principle helps in alleviating the problem of resource scarcity in IoT, as costly storage, computation and control, and networking might be offloaded to nearby fog nodes. This in turn increases the effectiveness and efficiency of smart applications. Like any service, security mechanisms in IoT could be implemented and deployed at the fog layer, with fog nodes acting as a proxy, to offload expensive storage and computations from IoT devices. Thus, fog nodes provide a unique opportunity for IoT in deploying distributed and collaborative security mechanisms.

Though the fog computing architecture can offer the necessary service requirements and distributed resources, robust security mechanisms are also needed to protect IoT devices. As preventive security schemes always suffer from design and implementation flaws, detective mechanisms such as attack detection are inevitable [6]. Attack detection can be either signature based or anomaly based. The signature based solution matches the incoming traffic against the already known attack types in the database, while the anomaly based scheme treats attack detection as a behavioral deviation from normal traffic. The former approach has been used widely because of its high detection accuracy and low false alarm rate, but is criticized for its inability to capture novel attacks. Anomaly detection, on the other hand, detects new attacks though it lacks high accuracy. In both approaches, classical machine learning has been used extensively [7]. With the ever-increasing power and resources of attackers, traditional machine learning algorithms are incapable of detecting complex cyber breaches. Most of these attacks are small variants of previously known cyber-attacks (around 99% mutations). It is evident that even the so-called novel attacks (1%) depend on previous logic and concepts [8]. This means that traditional machine learning systems fail to recognize these small mutations, as they cannot extract abstract features to distinguish novel attacks or mutants from benign traffic. The success of deep learning in big data areas can be adopted to combat cyber threats because mutations of attacks are like small changes in, for instance, image pixels. It means that deep learning in security learns the true face (attack or legitimate) of cyber data even under small variations or changes, indicating the resiliency of deep learning to small changes in network data by creating high-level invariant representations of the training data. Though the application of DL has been mainly confined to big data areas, the recent results obtained on traffic classification and intrusion detection systems in [9], [10], [11] indicate that it could have a novel application in the identification of cybersecurity attacks.

Deep learning (DL) has been the breakthrough of artificial intelligence tasks in the fields of image processing, pattern recognition and computer vision. Deep networks have gained momentum, with unprecedented improvement in the accuracy of classification and prediction in these complex tasks. Deep learning is inspired by the human brain's ability to learn from experience instinctively. Like our brain's capability of processing raw data derived from our neuron inputs and learning the high-level features on its own, deep learning enables raw data to be fed into a deep neural network, which learns to classify the instances on which it has been trained [12], [13]. DL has improved over classical machine learning mainly due to current developments in both hardware resources such as GPUs and powerful algorithms like deep neural networks. The massive generation of training data has also contributed tremendously to the current success of deep learning, as has been witnessed in giant companies such as Google and Facebook [14], [15]. The main benefits of deep learning are the absence of manual feature engineering, unsupervised pre-training and compression capabilities, which make the application of deep learning feasible even in resource-constrained networks [16]. It means that the self-learning capability of DL results in higher accuracy and faster processing. This research is aimed at adopting a novel distributed attack detection scheme using deep learning to enable the detection of existing or novel attacks in IoT.

The contributions of our research are:

  • To design and implement deep learning based distributed attack detection mechanism, which reflects the underlying distribution features of IoT

  • To demonstrate the effectiveness of deep learning in attack detection systems in comparison to traditional machine learning in distributed IoT applications

  • To compare the performance of parallel and distributed network attack detection scheme using parameters sharing with a centralized approach without parameters sharing in IoT.

Section snippets

Related work

Though research on the application of deep learning has flourished in domains like pattern recognition, image processing and text processing, there are a few promising research works on cybersecurity using the deep learning approach.

One of the applications of deep learning in cybersecurity is the work of [9] on the NSL-KDD dataset. This work has used a self-taught deep learning scheme in which unsupervised feature learning has been employed on training data using sparse-auto

Cybersecurity in social IoT

Advancements in hardware technologies have enabled a massive number of IoT devices to be connected to the Internet. Smart city applications are by far the most quickly and deeply affected areas of public services by the social internet of things, as this technological breakthrough is helping cities to effectively manage infrastructures such as water, power, transport, and so on. Typically, the integration of social IoTs and ICT for innovative, smart city design is to create a data-driven approach

Overview of deep learning

Deep Learning has been the state of the art for training stability and generalization, and achieved significant scalability on big data. It extracts complex and nonlinear hierarchical features of training data of high dimension to build a model which transforms inputs to outputs (e.g. classification). Multi-layer deep networks are the most prevalent forms of deep learning algorithms. The output of each previous layer and a bias are computed by a nonlinear activation function f to form weighted

Our approach

The fog nodes are responsible for training models and hosting attack detection systems at the edge of the distributed fog network since they are closer to the smart infrastructures supported by social internet of things. The coordinating master node should be in place for collaborative parameter sharing and optimization. In addition to giving the autonomy of local attack detection using local training and parameter optimization, the benefits of this approach are the acceleration of data
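The local-training and parameter-sharing loop described above, as an added example that is not code from the paper. Assumptions: logistic regression stands in for the deep model, plain parameter averaging at the master is an assumed sharing rule, and the two-feature traffic records are constructed; it shows a fog node flagging an attack type it never saw locally once parameters are shared.

```python
import math
import random

def flows(rng, n, attack_centre):
    """Constructed records ([f1, f2], label); benign traffic clusters at (0, 0)."""
    out = []
    for i in range(n):
        y = i % 2                                  # alternate benign / attack
        cx, cy = attack_centre if y else (0.0, 0.0)
        out.append(([rng.gauss(cx, 0.5), rng.gauss(cy, 0.5)], y))
    return out

def prob(w, x):
    """Attack probability under weights w = [bias, w1, w2]."""
    z = max(-30.0, min(30.0, w[0] + w[1] * x[0] + w[2] * x[1]))
    return 1.0 / (1.0 + math.exp(-z))

def local_pass(w, rows, lr=0.1):
    """Fog node: one SGD pass over its local data, starting from the shared w."""
    w = list(w)
    for x, y in rows:
        err = prob(w, x) - y
        w = [w[0] - lr * err, w[1] - lr * err * x[0], w[2] - lr * err * x[1]]
    return w

def train(shards, rounds=5):
    """Master node: each round, average the parameters the fog nodes send back."""
    w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [local_pass(w, shard) for shard in shards]
        w = [sum(col) / len(updates) for col in zip(*updates)]
    return w

def rate(w, rows, label):
    """Fraction of records with this label that the model flags as attack."""
    hits = [prob(w, x) >= 0.5 for x, y in rows if y == label]
    return sum(hits) / len(hits)

def demo(seed=1):
    rng = random.Random(seed)
    node_a = flows(rng, 200, (4.0, 0.0))   # node A only ever sees attack type 1
    node_b = flows(rng, 200, (0.0, 4.0))   # node B only ever sees attack type 2
    unseen = flows(rng, 400, (0.0, 4.0))   # fresh type-2 traffic arriving at node A
    isolated = train([node_a])             # node A alone, no parameter sharing
    shared = train([node_a, node_b])       # parameters shared through the master
    return {"isolated_detection": rate(isolated, unseen, 1),
            "shared_detection": rate(shared, unseen, 1),
            "shared_false_alarm": rate(shared, unseen, 0)}

if __name__ == "__main__":
    print(demo())
```

Only the three model parameters cross the network each round; the raw traffic records stay on the fog node that collected them.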

Dataset, algorithm and metrics

KDDCUP99 [27], ISCX [28] and NSL-KDD [24] are the most commonly used datasets in intrusion detection research. We used the NSL-KDD intrusion dataset, which is available in csv format, for model validation and evaluation. The NSL-KDD intrusion dataset not only reflects the traffic compositions and intrusions, but is also modifiable, extensible, and reproducible. The dataset is composed of the attacks shown in Table 1, and identified as a key attack in IoT/Fog computing [1], [2], [3], [4], [5]

Experimental environment

As a first attempt towards exploring the performance of our model, we used the 2-class (normal and attack) and 4-class (normal, DoS, Probe, R2L.U2R) categories. For performance measurement, unseen test data are chosen to represent zero-day attack detection. Our experiment has two objectives. The first one is to compare the result of our distributed attack detection with a centralized system. This experiment has been conducted by deploying the deep learning model on a single node for centralized

Results and discussions

In the evaluation process, classification accuracy and other metrics were used to show the effectiveness of our scheme compared to shallow models in distributed IoT at fog level. The comparison of distributed training to centralized approach in accuracy is also one of our evaluation criteria. Table 5 compares the accuracy of the deep and shallow models, while Fig. 3 shows the accuracy difference between centralization and distribution.

The experiment result has demonstrated double

Conclusion and future work

We proposed a distributed deep learning based IoT/Fog network attack detection system. The experiment has shown the successful adoption of artificial intelligence for cybersecurity, and we designed and implemented the system for attack detection in the distributed architecture of IoT applications such as smart cities. The evaluation process has employed accuracy, the detection rate, false alarm rate, etc. as performance metrics to show the effectiveness of deep models over shallow models. The

Acknowledgment

This work was supported by La Trobe University's research enhancement scheme fund.

Abebe Abeshu Diro is currently a Ph.D. candidate in the Department of IT Computer Science and IT, La Trobe University, Australia. He received his M.Sc. degree in Computer Science from Addis Ababa University, Ethiopia in 2010. He worked at Wollega University from 2007 to 2013 as a Director of ICT Development, and Lecturer in Computer Science. His research interests include Software Defined Networking, Internet of Things, Cybersecurity, Advanced Networking, Machine Learning, and Big Data.

References (31)

  • Shiravi Ali et al., Toward developing a systematic approach to generate benchmark datasets for intrusion detection, Comput. Secur. (2012)
  • Securing the Internet of Things: A Proposed Framework, 2016,...
  • Ibrahim M., Octopus: An edge-fog mutual authentication scheme, J. Netw. Secur. (2016)
  • I. Stojmenovic, S. Wen, The fog computing paradigm: Scenarios and security issues, in: IEEE Federated Conference on...
  • Alrawais A. et al., Fog computing for the internet of things: Security and privacy issues, IEEE Internet Comput. (2017)
  • S. Yi, Z. Qin, Q. Li, Security and privacy issues of fog computing: A survey, in: International Conference on Wireless...
  • V.L.L. Thing, IEEE 802.11 network anomaly detection and attack classification: A deep learning approach, in: 2017 IEEE...
  • Kolias C. et al., Intrusion detection in 802.11 networks: Empirical evaluation of threats and a public dataset, IEEE Commun. Surv. Tutor. (2016)
  • Guy Caspi, Introducing Deep Learning: Boosting Cybersecurity With An Artificial Brain,...
  • Quamar Niyaz, Weiqing Sun, Ahmad Y. Javaid, Mansoor Alam, Deep learning approach for network intrusion detection...
  • Kang M.-J. et al., Intrusion detection system using deep neural network for in-vehicle network security, PLoS One (2016)
  • Li Y. et al., A hybrid malicious code detection method based on deep learning, Int. J. Secur. Appl. (2015)
  • Yoshua Bengio, Pascal Lamblin, Greedy layer-wise training of deep networks, in: Advances in neural …Nr. 1, S. 2007, pp....
  • Li Deng, A tutorial survey of architectures, algorithms, and applications for deep learning, in: APSIPA Transactions on...
  • Yann Lecun, Bottou Leon, Bengio Yoshua, Haffner Patrick, Gradient based learning applied to document recognition, in:...

Naveen Chilamkurti is currently the Cybersecurity Program Coordinator, Computer Science and Information Technology, La Trobe University, Melbourne, VIC, Australia. He obtained his Ph.D. degree from La Trobe University. His current research areas include intelligent transport systems (ITS), Smart grid computing, vehicular communications, Vehicular cloud, Cybersecurity, wireless multimedia, wireless sensor networks, and Mobile security.
