A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks

Title: A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Ullah, Imtiaz; Mahmoud, Qusay H.
Conference Name: 2019 16th IEEE Annual Consumer Communications & Networking Conference (CCNC)
Keywords: anomaly detection, anomaly detection system, CICIDS2017 dataset, compositionality, cybersecurity, edited nearest neighbors, feature extraction, flow-based anomaly detection, flow-based features extraction, flow-based intrusion detection, Human Behavior, Internet of Things, Intrusion detection, IoT networks, level-1 model, level-2 model precision, machine learning, malicious activity detection, Metrics, nearest neighbour methods, network traffic, pattern classification, Protocols, pubcrawl, recursive feature elimination, Resiliency, sampling methods, security of data, synthetic minority over-sampling technique, telecommunication traffic, Training, two-level hybrid anomalous activity detection, UNSW-15 dataset, vulnerabilities, vulnerability detection
Abstract: In this paper we propose a two-level hybrid anomalous activity detection model for intrusion detection in IoT networks. The level-1 model uses flow-based anomaly detection, which is capable of classifying the network traffic as normal or anomalous. The flow-based features are extracted from the CICIDS2017 and UNSW-15 datasets. If anomalous activity is detected, the flow is forwarded to the level-2 model to find the category of the anomaly by deeply examining the contents of the packet. The level-2 model uses Recursive Feature Elimination (RFE) to select significant features, Synthetic Minority Over-Sampling Technique (SMOTE) for oversampling, and Edited Nearest Neighbors (ENN) for cleaning the CICIDS2017 and UNSW-15 datasets. Our proposed model's precision, recall and F score for level-1 were measured at 100% for the CICIDS2017 dataset and 99% for the UNSW-15 dataset, while the level-2 model's precision, recall, and F score were measured at 100% for the CICIDS2017 dataset and 97% for the UNSW-15 dataset. The predictor we introduce in this paper provides a solid framework for the development of malicious activity detection in IoT networks.
Citation Key: ullah_two-level_2019