International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-5, Issue-6, Jun- 2018]

https://dx.doi.org/10.22161/ijaers.5.6.30 ISSN: 2349-6495(P) | 2456-1908(O)

Network Data Security for the Detection System

in the Internet of Things with Deep Learning
Approach
Kalubi Kalubi Deiu-merci1, Mayou2
1
Department of Computer Scences, Taiyuan University of Technology, Shanxi/Taiyuan
Email: [email protected]
2
Department of Computer Scences, Taiyuan University of Technology, Shanxi/Taiyuan
Email: [email protected]

Abstract— we thought to set up a system of I. INTRODUCTION

interconnection which allows sharing the communication By definition, it can be said that networked or
network of data without the intervention of a human being. interconnected systems often have a long list of
The Internet of Things system allows many devices to be interconnected data in parallel; this type of system
connected for a long time without human intervention, facilitates the rapid sharing of data as they are distributed
data storage is low and the level of data processing is and errors are easily reduced according to each connected
reduced, which was not the case with older solutions device. And these kinds of networks are also like a
proposed to secure the data for example: cyber-attack and mathematical regression that is linear because the solution
other systems. But other theories like for example: between the input variables and the output produced is
artificial intelligence, machine learning and deep learning often captured by nonlinear relations and this final solution
have a lot to show their ability and the real values of which is found from variables results represents the set of
heterogeneous data processing of different sizes and many many hidden layers of each predefined function. Our
researchers had to work on it. In the case of our work, we studies are very much about the analysis of a new domain
have used deep learning theories, to achieve a light data that is the Internet of Things with the presentation of
interconnection security solution; we also have TCP/IP architecture and neural networks. We then made the
protocol for data transmission control, algorithm drillers comparison on security issues and privacy between the
for classifications. In order to arrive at a good solution; field of deep learning and that of the Internet of Things.
First, we thought of a model for anomalies detection in This may be possible with the concepts of machine
Internet of Things and we think about the improvement of learning or deep learning because IoT generates a huge
architectures of the Internet of the existing objects already amount of heterogeneous data. And we note that with this
proposed a system with a light solution and especially research we fall into a multilayer architecture and the new
multilayer for an IoT network. Second, we analyzed technology of the Internet of Things for a unique system.
existing applications of machine learning, deep learning to And the algorithms we had to apply during this research
IoT, and cybersecurity. The recent hack of 2014 Jeep are to monitor network data interconnect and classify
Cherokee, iStan pacemaker, and a German steel plant are activities are application attacks for multiple layers of each
a few notable security breaches. Finally, from the architecture. And for our research we thought about using
evaluated metrics, we have proposed the best neural the KDD 99'Cup intrusion detection dataset that many
network design suitable for the IoT Intrusion Detection researchers who have been working on internet data
System. With an accuracy of 98.91% and False Alarm security consider as a combination of referential data. For
Rate of 0.76 %, this research outperformed the all the work related to our work are in part (2), the
performance results of existing methods over the KDD methodology used for our work is in part (3) and the last
Cup ’99 dataset. For this first time in the IoT research, the part focuses on the implementation and outcome of our
concepts of Gated Recurrent Neural Networks are applied work (4).
for the IoT security.
Keywords— data security; Internet of Things; deep Motivation
learning. In the world of IoT, the datasets are high-dimensional,
temporal and multi-modal. Deep Learning algorithms with
robust computation power are more suitable for complex

www.ijaers.com Page | 208

International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-5, Issue-6, Jun- 2018]
https://dx.doi.org/10.22161/ijaers.5.6.30 ISSN: 2349-6495(P) | 2456-1908(O)
IoT datasets compared to legacy machine learning are passed into a fine tuning layer consisting of a Logistic
techniques. The application of deep learning to the IoT Regression classifier (trained with 10 epochs) with multi-
domain, particularly in IoT security is still in the initial class soft-max. The proposed solution was evaluated using
stages of research and has a great potential to find insights the KDD Cup ’99 dataset. The authors claimed a detection
from the IoT data. With smart use of deep learning rate of 97.90% and a false negative rate of 2.47%. This is
algorithms, we believe that IoT solutions can be optimized. an improvement over results claimed by authors of similar
For example, recurrent neural networks in deep learning papers.
have the capability to learn from previous time-steps of the Similarly, Tang et al. [19] also propose a method to
input data. The data at each time-step is processed and monitor network flow data. The paper lacked details about
stored and given as input to the next time-step. The its exact algorithms but does present an evaluation using
algorithm at the next time step utilizes the previous the NSL-KDD dataset, which the authors claim gave an
information stored to process the information. Though the accuracy of 75.75% using six basic features. Kang and
neural network structures are complex, the hyper- Kang [20] proposed the use of an unsupervised DBN to
parameters can be tuned to obtain light-weight train parameters to initialise the DNN, which yielded
functionality for IoT solutions. This hypothesis motivated improved classification results (exact details of the
us to apply deep learning concepts to IoT network security. approach are not clear). Their evaluation shows improved
Problem statement performance in terms of classification errors. You et al.
The goal of this thesis is to analyze and answer the [16] propose an automatic security auditing tool for short
following research questions: messages (SMS). Their method is based upon the RNN
 What are the security and privacy issues relevant model. The authors claimed that their evaluations resulted
to the IoT environment? in an accuracy rate of 92.7%, thus improving existing
 Does GRU better than the other machine learning classification methods (e.g. SVM and Naive Bayes). In
approaches for Intrusion Detection on the IoT? addition, there is other relevant work, including the DDoS
 Does a separate GRU based IDS for each network detection system proposed by Niyaz et al. [21]. They
layer perform better than the all layer GRU? propose a deep learning-based DDoS detection system for
a software defined network (SDN). Evaluation is
Contribution performed using custom generated traffic traces. The
This research can be extended by applying the algorithms authors claim to have achieved binary classification
on GPU environment on real-time IoT data. Though there accuracy of 99.82% and 8-class classification accuracy of
are various deep learning algorithms such as deep neural 95.65%. However, we feel that drawing comparisons with
networks, auto encoders, convolutional neural networks this paper would be unfair due to the contextual difference
and recurrent neural networks, the research problem of the dataset. Specifically, benchmark KDD datasets
requires an algorithm that can learn from historical data. cover different distinct categories of attack, whereas the
Therefore, we have selected the family of recurrent neural dataset used in this paper focuses on subcategories of the
networks for the research. Considering the need of same attack
building smart and lightweight solutions for the IoT
network, we have performed the experiments with only the III. METHODOLOGY
Gated Recurrent-Unit (GRU) algorithm while the vanilla We designed an innovative architecture for an IoT home
RNN and LSTM are ignored. We have modified the data network that would reduce the size of the datasets for the
by dividing it into various layers such that the same IDS classifier. We have selected the KDD Cup 1999
procedure can be applied in an IoT network. Intrusion Detection Dataset for the experiments and
proposed an intelligent solution which satisfies the key
II. RELATED WORKS requirements of the IoT solutions. We have performed the
There are also several existing works in this area. In this feature engineering using a Random Forest classifier and
section, we will discuss the most recent work that uses selected those features with high importance. We
methods and architectures. We were motivated and performed a rigorous data analysis and prepared the data in
inspired from this work" Cyber-Physical-Social Based the required format before it was used as an input to the
Security Architecture for Future Internet of Things" model.
because after taking a lot of time to study and read this Proposed Multi-Layer architecture for IoT network
work, we found tremendous benefits from doing our Out of various security measures, we have selected
research in this area. Alrawashdeh and Purdy [18] network security as the use case to prove the defined
proposed using a RBM with one hidden layer to perform features are apt for an IoT network. In a regular wireless
unsupervised feature reduction. The weights are passed to system, the Intrusion Detection System (IDS) monitors the
another RBM to produce a DBN. The pre-trained weights network data using either a “Signature-based approach” or
www.ijaers.com Page | 209
International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-5, Issue-6, Jun- 2018]
https://dx.doi.org/10.22161/ijaers.5.6.30 ISSN: 2349-6495(P) | 2456-1908(O)
an “Anomaly-based approach”. The IDS mounted at a
point in the network obtains 27 all the network data and
classifies the data into “normal” or “attack”. Other than
traditional approaches, Machine Learning (ML) algorithms
are applied to a dataset and classification is performed
through supervised learning. However, this legacy
approach may not be suitable for smart IoT network
systems due to their heterogeneity. The security solutions
for intrusion detection should be light-weight, multi-
layered and have a good amount of longevity. Hence, we Figure: Feature Importance graph for Application Layer
developed a multi-layered architecture and applied light- IDS
weight machine learning algorithms which can work with DataLoading and pre-processing
better performance for longer periods of the time. An IoT Functions defined for Data Loading and Data Pre-
system contains various devices which are placed at processing DataLoading - Loads the csv data into the
different locations with long distances between them. The system DataPreprocessing - Performs below operations on
number of devices involved in IoT systems is higher when the loaded dataset.
compared to a regular wireless or wired system. A single  Dropping the Duplicates.
IDS system must have the memory capacity to process the  Dividing the dataset into features set and the labels
network data among all the devices and must be set.
responsive in a short amount of time. In this case, the  Converting catergoial data into numerical data.
performance will be poor in the IoT network due to the  Encoding the normal as '1' and abnormal as '0'.
high number of devices and the large distance between the  Converting input data into float which is requried in
devices. Each IDS placed at a TCP/IP layer monitors only the future stage of building in the network.
the data obtained from the devices that belong to that  Adding another column to the labels set - kind of one
layer. We chose this architecture as the main architecture hot encoding
of our work because this architecture has many advantages i.e normal = '1' is represented as '1 0'
and uses a multilayer system that is a potential system in abnormal = '0' is represented as '0 1'
today's world. This is required so that the softmax entropy function can
efficiently calculate the accuracy.Loading the data into the
system And applying the data preprocessing and feature
selection for the dataset. Divinding into train and test
datasets, performing the above operations are required
before training and testing the model.
 Normalizing the Input Features and Hyper
Parameters: Here we are not restricting the input
size, therefore it batch_size is given as "None",
weights and biases are initialized in random using
tf.random_normal function. Sizes are defined
appropritately as per the logic, the biases output
Fig. Multi-Layer architecture for IoT network either '1 0' or '0 1'
 Building the Model: Before bulding the model, we
IV. EVALUATION AND RESULTS have to reshape the inputs in to 3D tensors of size
Feature Selection from 2D tensors of size. We can specify a loss
We have explained well in the above step-by-step chapters function just as easily. Loss indicates how bad the
of this research and the random forest classification model's prediction was on a single example; we try to
algorithm used to select the main important features of all minimize that while training across all the examples.
the classifiers one by one and Intersecting graphical results Here, our loss function is the cross-entropy between
for each classifier's characteristics are presented. The the target and the softmax activation function applied
"Protocol Type" feature has been selected in all intrusion to the model's prediction.
detection layers.
Evaluation Metrics
Compared to this part, we make a simple comparison of
the following values: the precision of the training, the

www.ijaers.com Page | 210

International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-5, Issue-6, Jun- 2018]
https://dx.doi.org/10.22161/ijaers.5.6.30 ISSN: 2349-6495(P) | 2456-1908(O)
rhythms of learning and for a good understanding on the layer IDS secnds
behavior of the model according to the change of these Network 6 98.706 30.05
hyper-parameters in relation to the time steps, after testing layer IDS secnds
the performance of each class of IDS classifier by adding
the hyper-parameters of the GRU algorithm. We Comparison of the classifiers performance with
performed a similar type of experiments for all IDS existing work
classifiers (all layers, the application layer, the transport We are at the end of our research. We performed
layer, and other layer classifiers such as: for the network). additional analysis and reported that we compared the
And we are much interspersed with the results of the results with existing research performed by machine
following classifications with their performance. learning algorithms on intrusion detection classification, as
Classifier performance results with application layer: shown in Table. We can see that our search has exceeded
With this experience we have achieved the best training the performance of all existing jobs. We intend to continue
accuracy with time steps of "40"; which is our complete in this area of research in the future time.
result of this layer. The confusion matrix of the optimized Algorithm Precision Recal Accuracy FAR
(time-steps = 40, learning rate – 0.01) and the (%) l (%) (%) (%)
corresponding plot for the Application-Layer IDS can be DIR, 74.33 78.55 78.55 75.00
analyzed in Table PAYLOAD
SRC_PORT 95.43 96.32 96.32 95.74
Time- Train Precision Recall F-1 Far GNNN[22] 87.08 59.12 93.05 12.46
Steps Accuracy Score FNN[22] 92.47 86.89 97.35 2.65
10 98.694 0.9994 0.99 0.9977 0.0022 RBNN[22] 69.56 69.83 93.05 6.95
20 98.833 0.9943 0.3296 0.9922 0.0077 K-Mean- 98 98.68 93.55 47.9
30 96.71 0.9996 0.9952 0.9418 0.05812 KNN[27]
GRU 95.72 98.65 97.06 10.01
40 98.706 0.9967 0.9902 0.9983 0.0016
RNN[20]
All layer 98.811 98.42 99.97 0.02
IDS
Application 99.67 99.02 99.83 0.0016
layer IDS
True-Negatives 77305
Transport 99.81 99.10 99.1 0.1
False-Positives 44
layer IDS 9
False-Negatives 795
Network 99.67 99.38 99.83 0.16
True-Positives 22768 layer IDS

V. CONCLUSIONS
Comparing the results of all classifiers and their layers
Our studies are very much about the analysis of a new
The optimized results of all the IDS classifiers are
domain that is the Internet of Things with the presentation
compared and it was found that the performance of the
of architecture and neural networks. This research focused
All-Layers IDS classifiers is inferior to the Individual layer
on the processing of IoT elements where processing power
IDS classifiers in terms of training accuracy and training
is low with data size that is not as huge. This inter-
time. The light-weight algorithms, when used in a
disciplinary research is novel in a way that, it has applied
multilayer architecture, perform better which is suitable for
deep learning methods for IoT security. We have proposed
an IoT system. The comparison of the results can be found
light-weight architecture for an Intrusion Detection System
in Table.
(IDS) in an IoT network. Based on TCP/IP layer
architecture and the attack types at each layer, we have
Feature IDS Type Number Training Training
suggested placing IDS classifiers at each layer. This has
Selection of Accuracy Time
reduced the data set size at each classifier and improved
Method features
the performance in terms of accuracy, recall, training time
Random All Layer 12 98.9 50.04
and false alarm rate. We have applied deep learning
Forest IDS secnds
algorithms to classify the data at each IDS classifier. This
Classifier Application 6 98.7 20.54 approach has achieved outstanding results with better
layer IDS secnds results than existing work in the literature. Moreover, we
Transport 6 99.469 18,85 have used the full KDD 99’cup 22% data set for the
www.ijaers.com Page | 211
International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-5, Issue-6, Jun- 2018]
https://dx.doi.org/10.22161/ijaers.5.6.30 ISSN: 2349-6495(P) | 2456-1908(O)
experiments, unlike previous research work.The training large-scale web QoS prediction scheme for the
time of Transport Layer IDS, Application Layer IDS and Industrial Internet of Things based on a kernel machine
Network Layer IDS is almost half of the All Layer IDS learning algorithm. Computer Networks. Vol. 101. Pp.
which is important for dynamic IoT networks. The 81-89.
accuracy and false alarm rate of All-Layer IDS is 98.91% [4] Hasan, M. A. M., Nasser, M., Ahmad, S., & Molla, K. I.
and 0.76% respectively which outperformed all other (2016). Feature Selection for Intrusion Detection Using
existing IDS classifiers in literature. As the IoT deals with Random Forest. Journal of Information Security. Vol.
user's personal data and industry's information, it is crucial 7(03). Pp. 129.
to implement robust solutions to protect from security [5] Li, Y., & Guo, L. (2007). An active learning based
threats. This can be possible with the concepts of machine TCM-KNN algorithm for supervised network intrusion
learning and deep learning as IoT generate a humongous detection. Computers & security. Vol. 26(7). Pp. 459-
amount of heterogeneous data. We have applied Gated- 467.
Recurrent-Unit neural networks to the dataset. However, [6] Breiman, L., 2001. Random forests. Machine Learning.
there are many improvised versions of recurrent neural Vol. 45 (1). Pp. 5–32.
networks such as Dynamic RNN, Bi-Directional RNN [7] Dua, S., & Du, X. (2016). Data mining and machine
which can achieve better performances than basic GRU learning in cybersecurity. CRC press.
cells. One can also build a hybrid network using [8] Alpaydin, E. (2014). Introduction to machine learning.
convolutional neural networks and recurrent neural MIT press
networks to deal with multi-modal data. And here we are [9] Lichodzijewski, P., Zincir-Heywood, A., & Heywood,
at the end and this research that was focused on data M. (2002). Host-based intrusion detection using self-
security; we say here that our goal was achieved given the organizing maps. Hawaii, USA. Vol. 2. Pp. 1-29
end result which was satisfactory. We say that our research [10] S. Harris. (2015). “All in one CISSP Exam Guide,”
has positive results and exceeded the capacity levels of all McGraw-Hill. Vol. 7. Pp. 145-467
existing work. We will continue to deepen our knowledge [11] A. A. Shah, M. S. H. Kiyhal, M.D. Awan. 2015.
and the suggestions of everyone are welcome. “Analysis of Machine Learning Techniques for
Intrusion Detection System: A Review,” International
ACKNOWLEDGEMENT Journal of Computer Applications, Vol. 119. Pp. 19-23.
In terms of gratitude, I first thank my God and my family Article (CrossRef Link)
(my father and mother) for this life that gave me. This [12] S. Juma, Z. Muda, M. A. Mohamed, W. Yassin. (2015).
research is the result of enormous support from my dear “Machine learning techniques for intrusion detection
teacher MAYAO. I am thankful for his humble and simple system: a review,” Journal of Theoretical and Applied
personality, I would like to thank him with all my heart for Information Technology. Vol. 72. Pp. 422-429
all the sacrifices, directions, understanding and advice [13] Hanahan D, Weinberg RA. (2011). Hallmarks of cancer:
despite the language that does not allow us to the next generation. Vol. 144. Pp. 646–74.
communicate well but my teacher was always present for [14] Polley M-YC, Freidlin B, Korn EL, Conley BA,
me. I thank all the teachers of my department and those Abrams JS, McShane LM. (2013). Statistical and
who taught me the Chinese language for their support and practical considerations for clinical evaluation of
encouragement. I am also grateful to all the friends who predictive biomarkers. J Natl Cancer Inst. Vol. 105. Pp.
helped me a lot and motivated me to reach my goal, 1677–83.
especially I would like to thank Jean Marie Cimula and [15] Kim, J., & Kim, H. (2015, August). Applying Recurrent
Miguel Kakanakou for their love, motivation and Neural Network to Intrusion Detection with Hessian
encouragement. I think that the man must have the hard Free Optimization. In International Workshop on
spirit to support the realities of life and the determination Information Security Applications. Vol. 3. Pp. 357-369.
to accomplish his goals. Springer, Cham.
[16] L. You, Y. Li, Y. Wang, J. Zhang, and Y. Yang. (2016).
REFERENCES “A deep learningbased RNNs model for automatic
[1] Xu, K., Wang, X., Wei, W., Song, H., & Mao, B. (2016). security audit of short messages,”International
Toward software defined smart home. IEEE Symposium on Communications and Information
Communications Magazine. Vol. 54(5), pp. 116-122 Technologies (ISCIT). Qingdao, China: IEEE. Vol.
[2] Pan, G., Qi, G., Zhang, W., Li, S., Wu, Z., & Yang, L. T. 16488389. Pp. 225–229.
(2013).Trace analysis and mining for smart cities: issues, [17] Tesauro, G., Touretzky, D., & Leen, T. (1993)
methods, and applications. IEEE Communications Comparing the Prediction Accuracy of Artificial Neural
Magazine. Vol. 51(6). Pp.120- 126. Networks and Other Statistical Models for Breast
[3] Luo, X., Liu, J., Zhang, D., & Chang, X. (2016). A
www.ijaers.com Page | 212
 International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-5, Issue-6, Jun- 2018]
https://dx.doi.org/10.22161/ijaers.5.6.30 ISSN: 2349-6495(P) | 2456-1908(O)
Cancer Survival. Advances in Neural Information
Processing Systems, Vol. 7. Pp. 1063--1067. The MIT
Press.
[18] K. Alrawashdeh and C. Purdy. (2016). “Toward an
Online Anomaly Intrusion Detection System Based on
Deep Learning,”IEEE International Conference on
Machine Learning and Applications (ICMLA).
Anaheim, California, USA: IEEE. Pp. 195–200.
[19] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi,
and M. Ghogho. (2016). “Deep learning approach for
network intrusion detection in software defined
networking,”International Conference on Wireless
Networks and Mobile Communications (WINCOM). Pp.
258–263.
[20] M.-J. Kang and J.-w. Kang. (2016). “Intrusion
Detection System Using Deep Neural Network for In-
Vehicle Network Security”. Vol. 11. Pp. e0155781.
[21] Q. Niyaz, W. Sun, and A. Y. Javaid. 2016. “A deep
learning based ddos detection system in software-
defined networking (SDN)”. Vol. abs/1611.07400.
[Online]. Available: http://arxiv.org/abs/1611.0740

www.ijaers.com Page | 213