A Machine Learning Security Framework For IoT Systems
ABSTRACT Internet of Things security is attracting growing attention from both academic and industry communities. Indeed, IoT devices are prone to various security attacks varying from Denial of Service (DoS) to network intrusion and data leakage. This paper presents a novel machine learning (ML) based security framework that automatically copes with the expanding security aspects related to the IoT domain. This framework leverages both Software Defined Networking (SDN) and Network Function Virtualization (NFV) enablers for mitigating different threats. This AI framework combines a monitoring agent and an AI-based reaction agent that use ML models divided into network pattern analysis and anomaly-based intrusion detection in IoT systems. The framework exploits supervised learning, a distributed data mining system and neural networks for achieving its goals. Experimental results demonstrate the efficiency of the proposed scheme. In particular, the distribution of the attacks using the data mining approach is highly successful in detecting the attacks with high performance and low cost. Regarding our anomaly-based intrusion detection system (IDS) for IoT, we have evaluated the experiment in a real smart building scenario using a one-class SVM. The detection accuracy of anomalies achieved 99.71%. A feasibility study is conducted to identify the current potential solutions to be adopted and to promote the research towards the open challenges.
INDEX TERMS Internet of Things, security, artificial intelligence, SDN, NFV, orchestration and MANO.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
114066 VOLUME 8, 2020
M. Bagaa et al.: Machine Learning Security Framework for Iot Systems
IoT systems, softwarized networks seem to be the most compelling solution. Network softwarization is a recent promising trend aiming at radically advancing telecommunication industries by embracing cloud computing technologies and software models in network services [2].

The main pillars behind this revolution are SDN and NFV. On the one hand, SDN introduces a new level of network programmability by decoupling the control and data planes. A logically centralized controller is in charge of supervising the network state and provides rules to the network elements for appropriately managing the traffic flows. On the other hand, NFV leverages virtualization technologies to deploy network elements as software instances, thus allowing an increased level of flexibility and elasticity in service provisioning. Furthermore, NFV can enable a remarkable reduction in CAPEX/OPEX costs by replacing dedicated expensive hardware with commodity servers able to host software-based network appliances. Although SDN and NFV are two separate paradigms, their joint use can further improve the potential security services offered by the network and meet the broad range of increasing requirements imposed by novel IoT applications. The explosive number of expected IoT devices, the widespread diffusion of location-based mobile gaming applications and the tactile Internet applications are all significant representatives of demanding scenarios which expose a wide range of new vulnerabilities and security concerns. Leveraging the flexibility and scalability offered by the integration of SDN and NFV, telco operators will be able to enforce the relevant security policies in the IoT domain [3]. In this fervent context, several works have already investigated models to implement Security-as-a-Service (SECaaS) [4], [5].

Industrial and research communities are devoting great efforts to implementing similar models within the IoT network domain by leveraging SDN and NFV features. On the other hand, the fast growing number of IoT attacks demands an adaptive framework which can deal with unknown types of attacks using different monitoring inputs. The new services and features introduced into IoT systems expose new and unseen types of vulnerabilities. In this context, machine learning is very compelling. State-of-the-art AI algorithms make use of machine learning to identify attacks as well as to adapt and respond to new potential cybersecurity risks by classifying attacks depending on their threat level. Moreover, when deep learning principles are incorporated into the system, it can actually adapt over time, giving network administrators an edge over cybercriminals [6]. Intrusion detection in IoT, unlike in traditional infrastructures, should consider not only network and system metrics but also processes and measurements from the physical environment.

This paper provides a complete framework that leverages machine learning (ML) techniques and the 5G enabling technologies SDN, NFV and IoT controllers for efficiently and quickly detecting and preventing cybersecurity attacks. The contributions of the paper are manifold:
• A unified AI security framework that is aligned with the ETSI ZSM [7] vision by monitoring, detecting and preventing cybersecurity threats in a closed-loop, autonomous and harmonized way;
• Implementation and validation of an AI security framework for IoT that exploits machine learning techniques in order to deal not only with knowledge-based intrusion detection through network pattern/signature recognition, but also with anomaly-based intrusion detection based on deviations from the normal behavior of devices, whose reported data are observed by the monitoring capabilities of the framework;
• Three approaches that leverage ML techniques for detecting cybersecurity attacks based on network patterns;
• The unified AI security framework is empowered with the ability to identify new kinds of cyberattacks (0-day attacks) in IoT, which could not otherwise be detected by means of network pattern recognition;
• Leveraging SDN/NFV-based security management features to dynamically and efficiently mitigate the detected cyberattacks, according to the AI-based contextual decisions inferred by the framework.

Besides, the SDN/NFV-based security management features of the framework permit a dynamic and efficient mitigation of the detected cyberattacks, according to the AI-based contextual decisions inferred by the framework.

The rest of the paper is organized as follows. In Section II, we provide a summary of related work in the literature. The framework architecture and related technologies are described in Section III. Section IV presents the performance evaluation results of the AI agents in the two approaches. Finally, Section V concludes the work and highlights the open challenges.

II. RELATED WORKS
IoT security is a fervent research area which attracts a rising amount of attention from the research community. There have been many works covering this important aspect. For instance, the authors in [8] have presented an IoT security framework for smart infrastructures, such as smart homes and smart buildings. It employs continuous monitoring to capture the sensors' operational data in order to detect abnormal behavior in the IoT domain. This data is used to identify the sensor and compare its behavior to "normal" behavior. If an attack is detected, it classifies it according to the type of abnormality and takes relevant recovery actions, such as sensor re-authentication, discarding the sensor's data or changing the network configuration. Although the results show that the system is able to provide high levels of accuracy in terms of detecting the attacks, the possible mitigation actions are very limited and often cause service disruptions. Moreover, the platform does not provide E2E (End to End) security, which is a must have as the attacks can target any layer of the IoT framework.
The flexibility of SDN has been leveraged in the works [9], [10] by defining SDN-based security frameworks. The extra functionalities offered by SDN technology enable the integration of new security tools, such as fine-grained routing manipulations, traffic filtering and the use of secure network channels to transfer sensitive data. In the NFV scope, several research papers focused on evaluating the performance and feasibility of running virtual security appliances, such as Intrusion Detection Systems (IDS) and firewalls, on the edge using containers [11], [12]. Although this lighter virtualization technology showed great efficiency, it turned out to be challenging for resource-constrained IoT devices. Indeed, the high amount of traffic can lead to high energy and CPU consumption, thus affecting the device's usability. An alternative approach to securing IoT systems is to use machine learning techniques. Different solutions that leverage SDN technology and ML techniques for enabling network intrusion detection systems have been suggested in [13]. The work also describes the challenges related to the implementation of network intrusion detection systems.

The authors in [14] have proposed a solution that predicts city bus locations using a deep learning approach. In the proposed solution, a Long Short-Term Memory (LSTM) based neural network has been considered for predicting the locations and data rate. The authors in [15] have presented a solution that leverages blockchain for managing scalable IoT systems. The authors in [16] have suggested a solution that secures the communications between IoT devices and the MEC. The proposed solution adopts a learning method to identify candidates for service composition and delivery. The authors in [17] have investigated the use of Artificial Neural Networks in order to detect abnormal network traffic going from the gateway to the edge devices [18]. In their approach, they used temperature sensors as edge devices and a Raspberry Pi as an IoT gateway. The system collects multiple data samples from the edge devices and stores them in a database on the gateway. Then, they split these inputs into training and testing data. Once the neural network has been trained using the training data, the testing data is used to evaluate the accuracy of the model. Although the results show an improved level of security in terms of anomaly detection, the capability of this system was hindered by the limited resources on the IoT gateway, negatively affecting the user experience and the lifespan of the device in the process. An intrusion detection system running on top of connected vehicles has been suggested in [19]. The suggested framework adapts deep belief and decision tree machine learning mechanisms for detecting different attacks.

AI can leverage Intrusion Detection Systems (IDS) for IoT, thereby detecting anomalous behaviors based on metrics coming from both network systems and physical measurements reported by IoT devices. Mehta et al. [20] provide an AI-based IDS method for IoT that exploits the relationship between a set of given time series of sensor data for detecting anomalies. Nonetheless, our AI framework is intended to cope not only with anomaly-based IDS [21], but also with knowledge-based IDS, by continuously checking signatures and patterns of previously known vulnerabilities and attacks [22]. In this regard, most of the research work done so far has been focused on the incident detection phase. Our framework aims to cover also the reaction stage, once the attack has been identified.

We strongly believe that an ideal solution would guarantee End-to-End security thanks to the global network vision of the SDN controller, and a proper security policy definition and refinement using AI. This security policy would be enforced thanks to the advanced functionalities offered by virtual network security appliances hosted on the cloud. Therefore, we introduce our novel AI-based security framework for IoT systems.

III. PROPOSED FRAMEWORK
A. BACKGROUND ON TECHNOLOGIES
1) SOFTWARE DEFINED NETWORKING (SDN)
SDN is a relatively new paradigm that aims to decouple the control plane from the data plane in order to increase network flexibility and programmability, as well as manageability, allowing external applications to control the network's behavior in an easy and efficient way. SDN offers novel capabilities to adapt the network flows on the fly according to dynamic application requests. The three main components of an SDN-enabled network are switches, controllers and communication interfaces, where the SDN controller is a centralized entity that enforces the cognitive decisions in the switches and maintains the state of the whole system, e.g. it decides on the traffic routing by updating the relevant flow rules on the switches.

The adoption of SDN in IoT (SDN-enabled IoT systems) is considered an essential element in the success and feasibility of future IoT systems. Leveraging SDN through its intelligence in routing the traffic and optimizing the network utilization is a key enabling function to manage the massive amounts of data flow in IoT networks and eliminate bottlenecks [23]. This integration can be implemented at different levels of the IoT network, such as the access network (where the data is generated) and the core and cloud networks (where the data is processed and served), which enables IoT traffic management from end to end.

Moreover, SDN can also be leveraged to provide advanced security mechanisms for IoT systems, for example traffic isolation between different tenants, centralized security monitoring using the global vision of the network, and traffic dropping at the edge, keeping malicious traffic from spreading all over the network.

2) NETWORK FUNCTION VIRTUALIZATION
Network Function Virtualization (NFV) refers to the adoption of virtualization technologies in network environments. Unlike traditional network equipment, NFV decouples the software from the hardware, bringing value-added features
and notable capital and operating expenditure gains. The ETSI (European Telecommunications Standards Institute) has been leading the standardization of this approach, defining a novel architecture that enables the aforementioned advantages.

The ETSI NFV architecture identifies three main building blocks:
1) Virtualization Infrastructure: This layer includes all the hardware and virtualization technologies necessary to provide the desired resource abstractions for the deployment of Virtualized Network Functions (VNFs). This includes storage, compute and networking resources, which are usually managed by a cloud platform.
2) Virtual Network Functions: The core idea of NFV deals with replacing dedicated hardware equipment with software-based instances of network functions, i.e., the VNFs. They can be deployed and managed over multiple environments, providing scalable and cost-effective network functions.
3) Management and Orchestration: The NFV management and orchestration (MANO) block interacts with both the infrastructure and VNF layers in the ETSI NFV architecture. It is responsible for the management of the global resource allocation, which includes instantiating, configuring and monitoring VNFs.

Introducing virtualized network resources into the IoT ecosystem brings multiple value-added features, accounting for their heterogeneity and rapid growth. When coupled with SDN, NFV can not only provide advanced virtual monitoring tools, such as Intrusion Detection Systems (IDSs) and Deep Packet Inspectors (DPIs), but also provision and configure on-demand and scalable network security appliances, such as firewalls and authentication systems, in order to cope with the attacks detected by the monitoring agents [24], [25]. Moreover, offloading the extra processing induced by security from these resource-constrained IoT devices to virtual instances [26] saves energy and improves efficiency, leaving more headroom for other useful applications. The aforementioned flexibility and advanced security features of NFV are lacking in current off-the-shelf IoT security hardware. Although NFV is not aiming to completely replace current IoT solutions, its complementary value-added features turned out to be very compelling and revolutionizing in the IoT security landscape.

3) MACHINE LEARNING TECHNIQUE
Machine learning (ML) is a field of artificial intelligence that integrates a set of techniques and algorithms to provide intelligence to computers and smart devices. ML techniques, such as supervised learning, unsupervised learning and reinforcement learning, have been widely adopted in the network security landscape. They are employed in order to accurately detect threats and define the specific security policies to enforce in the data plane. The challenge is to fine-tune the different parameters of the relevant security protocols in order to mitigate a certain type of attack, either by labeling the network traffic or by defining access control policies. Indeed, different ML techniques can address a variety of IoT attacks. For example, neural networks can be used to detect network intrusions [27] and DoS attacks, and K-NN in malware detection [28].
1) Supervised Learning: In supervised algorithms, the inner relations of the data may not be known, but the output of the model is. Usually, the training of this model requires one set of data to "learn" and another to test and evaluate the derived model. A common example in the security landscape is matching an attack pattern to a set of already known attacks.
2) Unsupervised Learning: Unlike the supervised learning approach, in unsupervised learning the model is unknown, meaning that the data does not have to be labeled. Relevant types of models try to find correlations in the data and classify it into different groups.
3) Reinforcement Learning: Reinforcement learning focuses on studying the problems and techniques that try to improve its model. It has a unique model training method: it uses trial and error and reward functions. It monitors the results of its output and calculates a value called the "value function" using the reward. According to this value, the model knows the accuracy of its decision and adapts itself accordingly.

B. FRAMEWORK OVERVIEW
To cope with the different security problems associated with IoT systems, we propose a security framework combining SDN, NFV and ML, depicted in Figure 1. While Figure 1(a) shows the components and their interactions in the proposed security framework, Figure 1(b) shows the closed-loop automation proposed in this paper, from monitoring and detection to attack mitigation. The proposed system provides comprehensive security by integrating the countermeasures and enablers discussed in the previous subsections. This framework allows the enforcement of security policies, from their design to their deployment and maintenance.

As depicted in Figure 1(a), the framework consists of two main layers: i) the Security Orchestration Plane; ii) the Security Enforcement Plane. In what follows, we describe these two planes, as well as their inter- and intra-communications for ensuring the closed-loop automation for detecting and mitigating different threats.

1) SECURITY ENFORCEMENT PLANE
The communication between the IoT devices and end-users happens thanks to different VNFs deployed on different clouds and edges, and physical network functions (PNFs). The communication between these network functions (i.e., VNFs and PNFs), IoT devices and end-users happens via a legacy network or an SDN-based network. In the IoT domain, we distinguish between two types of attacks, which are internal and
external attacks. While the latter are launched from the end-user (i.e., external) network towards the IoT domain (i.e., internal) network, the former happen due to malicious and intruder IoT devices. Such devices generate attacks either towards other legitimate IoT devices and/or towards the external network. Mainly, the attacks would be mitigated at the level of: i) the IoT devices, by leveraging IoT controllers; ii) the network, by leveraging SDN controllers; iii) the cloud/MEC, by leveraging the NFV orchestrator.

The security properties defined by the framework should be appropriately enforced within the IoT domain, by deploying security VNFs and configuring the connectivity via SDN networking. The security enforcement plane is designed to be fully compliant with SDN/NFV standards, as specified by the ETSI NFV and ONF (Open Networking Foundation) SDN specifications, respectively. The envisaged security enforcement countermeasures will involve three logical blocks, as depicted in Fig. 1(a).

a: VNF BLOCK
accounts for the VNFs deployed over the virtualization infrastructure to enforce security using different network services. Specific attention will be paid to the provisioning of advanced security VNFs (such as virtual firewall, IDS/IPS, etc.) that should be able to provide the protection and threat countermeasures requested by the security policies.

b: CONTROL AND MANAGEMENT BLOCK
considers the components required to manage both SDN and NFV environments. To this end, it includes the ETSI MANO stack modules and SDN controllers. Since NFV is usually combined with SDN to programmatically adjust the network according to the resources and policies, tight interaction is expected between the NFV orchestrator and the SDN controllers to enable the deployment of appropriate security functionalities.

c: INFRASTRUCTURE BLOCK
comprises all the physical machines capable of providing computing, storage and networking capabilities to build an Infrastructure as a Service (IaaS) layer by leveraging appropriate virtualization technologies. This plane also includes the network elements responsible for traffic forwarding, following the SDN controller's rules, and a distributed set of security probes for data collection to support the monitoring services.

d: MONITORING AGENTS
are mainly responsible for reporting network traffic and IoT behaviors for detecting different attacks. The detection mechanism, in the proposed framework, can use either network patterns or IoT misbehavior. They will be aware of all the traffic flowing through the network thanks to the traffic mirroring done through SDN. Each monitoring agent sends the logs containing the description of the relevant suspicious activities to the AI-based reaction agent hosted in the Security Orchestration Plane.

e: IoT DOMAIN
stands for the SDN-enabled network of physical devices, varying from security cameras, temperature sensors and home appliances to any other smart devices exchanging data. Accounting for the high vulnerability of these devices, our framework aims to enforce the security policies in this domain in order to ensure data privacy and integrity.

2) SECURITY ORCHESTRATION PLANE
This plane is responsible for the run-time configuration of the security policies and their context-aware refinement based on up-to-date monitoring data. It is an innovative layer of our
FIGURE 2. Overview of the interactions between the components of the AI-based Security Framework for IoT Systems.
architecture and is responsible for enforcing the relevant security policies in the IoT domain by making the relevant requests to the Security Enforcement Plane. This includes instantiating, configuring and monitoring different virtual security enablers in order to cope with the current attack.

The main interactions can be seen in the diagram depicted in Figure 2, which summarizes the different interactions between the components of our framework. As depicted in Figures 1(b) and 2, a closed-loop automation mechanism is proposed in this paper, going from the monitoring agent and the AI-based reaction agent to the security orchestrator. The latter mitigates the threats via the IoT controller, the SDN controller and the NFV Orchestrator, respectively.

a: AI-BASED REACTION AGENT
This component is responsible for dictating the mitigation actions to be taken by the Security Orchestrator. As depicted in Figure 1(b) and the first block in Figure 2, this component uses the data collected from the network and IoT domains thanks to the monitoring agent. It uses trained machine learning models based on network patterns and IoT behaviors for detecting threats. These machine learning models dictate the appropriate security policy template that should be sent to the security orchestrator. As depicted in Figure 1(b) and the second block in Figure 2, the security threats are detected based on IoT behaviors and/or network patterns. Then, the threat level (each level L1, L2, L3, L4, L5 corresponds to a pre-defined security policy) is identified and sent to the security orchestrator. As depicted in Figure 1(b), the AI-based reaction agent uses different machine learning algorithms, including J48, Bayes Net, RandomForest, Hoeffding, support vector machine (SVM) and deep learning, for detecting different attack-related IoT behaviors and/or network patterns. More information about the implementation of this component is provided in Section IV.

b: SECURITY ORCHESTRATOR
This component is the part of the closed-loop automation that is accountable for enforcing the security policies defined by the AI Reaction Agent. It interacts with the Control and Management Block in order to enforce the relevant security policies using SDN and NFV in the IoT domain. As depicted in the third block in Figure 2, the security orchestrator proceeds either by instantiating, configuring and then monitoring virtual security appliances, by manipulating the malicious traffic using SDN, or even by taking direct actions on the IoT devices themselves, such as turning off a compromised device. The Security Orchestrator also houses a System Model database which contains all the information related to the data plane and the enforced policies, such as the reaction agent requests, SDN controllers and switches, currently running VNFs along with their configuration, and IoT device related information as well.
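The closed loop just described, as an added executable example that is not code from the paper: a monitoring agent report reaches the AI-based reaction agent, which assigns one of the threat levels L1..L5 and selects the pre-defined policy template for that level; the security orchestrator enforces the template through the IoT controller, the SDN controller or the NFV orchestrator and records the request in its System Model database. The paper defines the levels L1..L5 and the three enforcement points; the finding-to-level rules, the template contents, the repeat-offender escalation and the controller actions are assumptions that stand in for the trained ML models and real controllers.

```python
"""
Added example, not code from the paper: an executable model of the closed
loop monitoring agent -> AI-based reaction agent -> security orchestrator.
The threat levels L1..L5 and the three enforcement points come from the
paper; finding-to-level rules, template contents and actions are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Report:
    """What a monitoring agent sends: the vantage point, the subject and the finding."""
    source: str   # "network" (traffic patterns) or "iot" (device behaviour)
    device: str   # device or flow identifier as seen by the monitoring agent
    finding: str  # label produced by the monitoring agent


# Pre-defined policy templates keyed by threat level (assumed contents).
# Enforcement point: "sdn" -> SDN controller, "nfv" -> NFV orchestrator, "iot" -> IoT controller.
TEMPLATES: Dict[str, Tuple[str, str]] = {
    "L1": ("sdn", "rate_limit_flow"),
    "L2": ("sdn", "mirror_flow_to_ids"),
    "L3": ("nfv", "deploy_virtual_firewall"),
    "L4": ("nfv", "deploy_virtual_firewall_and_ips"),
    "L5": ("iot", "power_off_device"),
}


class ReactionAgent:
    """Stand-in for the trained models: maps a finding to a base level and escalates repeat offenders."""

    BASE_LEVEL = {"probe": "L1", "sensor_anomaly": "L2", "r2l": "L3", "dos": "L4", "u2r": "L4"}
    REPEAT_THRESHOLD = 3  # third report on the same device -> treated as compromised (assumption)

    def __init__(self) -> None:
        self.reports_per_device: Dict[str, int] = {}

    def assess(self, report: Report) -> str:
        count = self.reports_per_device.get(report.device, 0) + 1
        self.reports_per_device[report.device] = count
        if count >= self.REPEAT_THRESHOLD:
            return "L5"
        return self.BASE_LEVEL.get(report.finding, "L1")


class SecurityOrchestrator:
    """Enforces a policy template and keeps the System Model database of what was enforced."""

    def __init__(self) -> None:
        self.system_model: List[Dict[str, str]] = []

    def enforce(self, report: Report, level: str) -> Dict[str, str]:
        point, action = TEMPLATES[level]
        record = {"device": report.device, "finding": report.finding,
                  "level": level, "enforcement_point": point, "action": action}
        self.system_model.append(record)  # request, level and enforced policy kept together
        return record


def run_closed_loop(reports: List[Report]) -> List[Dict[str, str]]:
    """One pass of the loop per report: assess, then enforce."""
    agent, orchestrator = ReactionAgent(), SecurityOrchestrator()
    return [orchestrator.enforce(r, agent.assess(r)) for r in reports]


# Constructed sample reports (not real monitoring data).
SAMPLE_REPORTS = [
    Report("network", "cam-01", "probe"),
    Report("iot", "thermo-07", "sensor_anomaly"),
    Report("network", "cam-01", "dos"),
    Report("network", "cam-01", "probe"),  # third report on cam-01 -> escalated to L5
]

if __name__ == "__main__":
    for record in run_closed_loop(SAMPLE_REPORTS):
        print(record)
```

The escalation rule is what makes the System Model database worth keeping: the orchestrator's record of earlier requests is the only state that lets the third report on the same device be treated differently from the first.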
C. IMPLEMENTATION TOOLS
In this sub-section, we carry out an assessment study for the potential implementation of our proposed solution. To this aim, we provide an overview of the envisioned open source projects that are used for enabling the suggested framework.

1) ONOS SDN CONTROLLER
ONOS (Open Network Operating System) is an open source project that aims to create an SDN operating system for communications and service providers. It is well known for its high performance, scalability and high availability. It uses standard protocols, such as OpenFlow and NETCONF, in order to expose advanced traffic manipulation functions through its applications. These applications provide a high level of abstraction while giving detailed information about the network, such as existing nodes, the number of packets of a certain traffic and existing links, making application development much simpler.

2) ETSI OPEN SOURCE MANO (OSM)
OSM is an NFV Orchestrator that was officially launched at the World Mobile Congress (WMC) in 2016, founded by Mirantis, Telefónica, BT, Canonical, Intel, RIFT.io, Telekom Austria Group and Telenor. It is compliant with the ETSI NFV MANO reference architecture and offers multi-cloud and SDN vendor support (OpenStack, AWS, ONOS, OpenDaylight, etc.). It is comprised of three basic components:
• The Service Orchestrator (SO): responsible for end-to-end service orchestration and provisioning, it offers a web interface and a catalog which holds the different NFV descriptors.
• The Resource Orchestrator (RO): used to provide services over a particular IaaS provider in a given location. It interacts directly with the VIM in order to instantiate virtual resources.
• The VNF Configuration and Abstraction (VCA): performs the initial VNF configuration and constant monitoring using Juju Charms in LXD containers.

IV. AI-BASED REACTION AGENT IMPLEMENTATION AND PERFORMANCE EVALUATION
This section provides the experiment setup and the evaluation analysis of the AI-based reaction agent (detailed in Section III). The AI-based reaction agent detects the threats by: i) analysing the network patterns, as presented in subsection IV-A, where a knowledge-based intrusion detection framework is proposed for detecting different network attacks; ii) analysing the anomalous behaviors in the IoT system, as explained in subsection IV-B, where the cyber-attacks are detected based on the analysis of anomalous behaviors in the IoT system.

We have used supervised learning algorithms in order to accurately classify the level of the attacks and correctly choose the appropriate security templates. Using the relevant inputs from the monitoring agents, the AI-based reaction agent will make use of multiple machine learning techniques in order to mitigate a given threat.

A. NETWORK PATTERNS ANALYSIS
The evaluation of an intrusion detection system is a primordial step towards proving the efficiency of the framework. There are several data sets widely used for this purpose, such as DARPA [29], KDD99 [30] and DEFCON [31]. We build the IDS based on the NSL-KDD dataset, which contains more than twenty attacks, such as Neptune (DoS), pod (DoS), smurf (DoS), buffer-overflow, rootkit, satan, teardrop, etc. NSL-KDD is an improvement of the original KDD99 dataset, which suffers from significant problems that may lead to an inefficient evaluation of an IDS. Based on the work done in [32], the new NSL-KDD dataset solved several serious problems, in particular eliminating about 77 of the redundant records. For this reason, to design our AI-based reaction agent, we have used the NSL-KDD dataset.

In order to perform the evaluation of the IDS based on the NSL-KDD dataset, we use a pre-processing and visualization data mining tool called Weka. Weka is used to perform classification of the training sample. The KDD dataset contains 125943 connections and 41 features, in which each sample belongs to one of the following attack classes: Denial of Service Attack (DoS), User to Root Attack (U2R), Remote to Local Attack (R2L) and Probing Attack.

The varied nature of the attributes makes learning impossible for some machine learning algorithms. When an attribute is continuous, it makes the model building difficult. Hence, the preprocessing step is primordial before building classification patterns in order to maximize the predictive accuracy [33]. In particular, a discretization method is employed to tackle this limitation. Discretization is a data mining technique that aims to reduce the number of values of a continuous variable by grouping them into intervals. In the literature, there are two discretization types that can be applied [34]:
• Static variable discretization: The discretization is performed on one variable independently of the other variables.
• Dynamic variable discretization: All attributes (variables) are discretized simultaneously.

In addition to the discretization, we also grouped the attacks so as to keep only the main attack categories (DDoS, Probe, U2R, R2L).

1) Performance comparison measurements: The evaluation of the intrusion detection system is a fundamental problem, and it is important to select the metrics that can describe the strength of the IDS [35]. The performance of an IDS goes beyond the classification rate alone. We evaluate our system based on model accuracy, detection rate, precision and Cost Per Example (CPE). The following metrics, employed together, are essential when measuring the performance.

CPE = \frac{1}{N} \sum_{i=1}^{5} \sum_{j=1}^{5} CM(i, j) \cdot C(i, j)   (1)

where N is the number of test samples, CM is the confusion matrix over the five classes and C is the cost matrix of Table 1.

TABLE 1. Cost Matrix for NSL-KDD dataset [36].
TABLE 3. Back-propagation evaluation metrics.
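The pre-processing and evaluation steps described in this subsection, as an added example that is not the paper's code: grouping raw NSL-KDD attack labels into the main categories, static (per-attribute) equal-width discretization of one continuous attribute, and computing accuracy, detection rate, precision and Cost Per Example (CPE) from a confusion matrix as in Eq. (1). Three things are assumptions: the cost matrix is the KDD Cup 1999 one as I recall it, since Table 1 is not reproduced on the page; the label-to-category map covers only a subset of the NSL-KDD labels; and the sample records and predictions are constructed. Detection rate and precision are computed in the attack-versus-Normal view, which is one common reading of those terms for an IDS.

```python
"""
Added example, not the paper's code: NSL-KDD style pre-processing
(attack grouping, static discretization) and IDS evaluation metrics
(accuracy, detection rate, precision, CPE as in Eq. (1)).
Cost matrix, label map and sample data are assumptions/constructed.
"""
from typing import Dict, List, Sequence

CLASSES = ["Normal", "Probe", "DoS", "U2R", "R2L"]   # cost-matrix row/column order (assumption)

# Raw labels -> main categories (subset of the NSL-KDD label set; assumption).
ATTACK_CATEGORY: Dict[str, str] = {
    "normal": "Normal",
    "neptune": "DoS", "smurf": "DoS", "pod": "DoS", "teardrop": "DoS", "back": "DoS", "land": "DoS",
    "satan": "Probe", "ipsweep": "Probe", "portsweep": "Probe", "nmap": "Probe",
    "buffer_overflow": "U2R", "rootkit": "U2R", "loadmodule": "U2R", "perl": "U2R",
    "guess_passwd": "R2L", "ftp_write": "R2L", "imap": "R2L", "warezmaster": "R2L",
}

# Cost matrix C(i, j): rows = actual class, columns = predicted class.
# Missing an attack (predicting Normal) costs most, U2R/R2L in particular (KDD Cup 1999 values; assumption).
COST = [
    [0, 1, 2, 2, 2],
    [1, 0, 2, 2, 2],
    [2, 1, 0, 2, 2],
    [3, 2, 2, 0, 2],
    [4, 2, 2, 2, 0],
]


def group_attacks(labels: Sequence[str]) -> List[str]:
    """Collapse the twenty-plus raw attack names into the main categories."""
    return [ATTACK_CATEGORY[label.lower()] for label in labels]


def equal_width_bins(values: Sequence[float], k: int) -> List[int]:
    """Static discretization of one continuous attribute into k equal-width intervals."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / k if hi > lo else 1.0
    return [min(int((v - lo) / width), k - 1) for v in values]


def confusion_matrix(actual: Sequence[str], predicted: Sequence[str]) -> List[List[int]]:
    """CM(i, j): number of samples of actual class i predicted as class j."""
    index = {c: i for i, c in enumerate(CLASSES)}
    cm = [[0] * len(CLASSES) for _ in CLASSES]
    for a, p in zip(actual, predicted):
        cm[index[a]][index[p]] += 1
    return cm


def evaluate(cm: List[List[int]]) -> Dict[str, float]:
    """Accuracy over all classes; detection rate and precision in the attack-vs-Normal view; CPE from Eq. (1)."""
    k = len(CLASSES)
    n = sum(sum(row) for row in cm)
    accuracy = sum(cm[i][i] for i in range(k)) / n
    attacks_actual = sum(sum(cm[i]) for i in range(1, k))
    attacks_detected = sum(cm[i][j] for i in range(1, k) for j in range(1, k))
    attacks_predicted = sum(cm[i][j] for i in range(k) for j in range(1, k))
    cpe = sum(cm[i][j] * COST[i][j] for i in range(k) for j in range(k)) / n
    return {
        "accuracy": accuracy,
        "detection_rate": attacks_detected / attacks_actual,  # attacks flagged as some attack class
        "precision": attacks_detected / attacks_predicted,    # flagged records that really were attacks
        "cpe": cpe,
    }


# Constructed sample: raw labels of 22 test records and the categories a classifier returned for them.
ACTUAL_RAW = (["normal"] * 7
              + ["satan", "ipsweep", "portsweep", "nmap", "satan"]
              + ["neptune", "smurf", "pod", "teardrop", "neptune"]
              + ["buffer_overflow", "rootkit"]
              + ["guess_passwd", "ftp_write", "imap"])
PREDICTED = (["Normal"] * 6 + ["Probe"]
             + ["Normal"] + ["Probe"] * 4
             + ["DoS"] * 5
             + ["Normal", "U2R"]
             + ["Normal", "R2L", "R2L"])


def sample_result() -> Dict[str, float]:
    return evaluate(confusion_matrix(group_attacks(ACTUAL_RAW), PREDICTED))


if __name__ == "__main__":
    print(equal_width_bins([0, 10, 25, 50, 100], 4))
    print(sample_result())
```

In the constructed sample the three missed attacks (one Probe, one U2R, one R2L predicted as Normal) weigh 1, 3 and 4 in the cost matrix, so the CPE separates them even though accuracy counts each as a single error; that asymmetry is the reason the paper reports CPE alongside accuracy.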
[43], [45], [46], Ensemble-DNN [44], and Support Vector Machine based dimensionality reduction [47].

B. ANOMALY-BASED INTRUSION DETECTION

This part describes the implementation and evaluation carried out to demonstrate the feasibility and accuracy of our AI framework in detecting cyber-attacks from anomalous behaviour (uncommon sensor data values) in the IoT system. The framework exploits the spatio-temporal correlation between the data of different sensors to detect threats. Uncommon sensor values indicate that the IoT device reporting them may be under attack, e.g. infected by malware or impersonated through a man-in-the-middle. Concretely, our AI-based framework detects malfunctioning IoT devices and enforces a reaction countermeasure accordingly. Although it is outside the scope of this paper, for the sake of completeness it is worth mentioning that, when deployed in the smart building testbed, the framework enforces a mitigation plan that 1) re-configures the vAAA (virtual authentication agent), 2) enables a vChannelProtection to establish secure DTLS communications, 3) enforces new SDN traffic filtering rules to drop the malicious traffic, and 4) optionally turns off and/or re-flashes the IoT device. These reaction countermeasures are being implemented and evaluated within the ANASTACIA EU project [26], [48], [49]; this paper focuses on evaluating the machine learning mechanisms that detect cyber-attacks in IoT systems.

1) Data Collection: The dataset adopted in our work was obtained from real sensor data of four different rooms in our smart building testbed. We recorded the temperature and CO2 measurements of each room every 2 minutes for one month. The dataset is described by the attributes (ID, Room, SensorValueCO2, SensorValueTemperature, Class (optional)) and contains 67,876 samples, all considered normal values. We built one model per sensor type, i.e. one for CO2 and one for temperature. Fig. 3 depicts the distribution of sensor data per room. The CO2 values differ from room to room; temperatures, on the other hand, lie in the same interval in all rooms, so a single model could serve all of them, and the first room can be used for training while the others are used for testing.

2) Datasets:
• Single value dataset (SV): the simplest dataset; each row holds only the captured value and its timestamp as features: [date, value].
• Previous five values (P5V): this dataset captures the temporal correlation between successive measurements. Since temperature is contextual, each row carries the context of the five preceding values, which distinguishes it from the single value dataset: [date, value, 1st preceding value, 2nd preceding value, ..., 5th preceding value]. To keep things clear and limit the criteria, only the room 1 dataset is used here. We also noticed a strong correlation between these values.
• Previous different three values (PD3V): similar to the previous approach, this dataset exploits the time correlation between the gathered sensor data, but avoids repetition by keeping only the last three values that differ from one another: [date, value, 1st different preceding value, 2nd different preceding value, 3rd different preceding value].
• Cross rooms: since the sensing data of all rooms are correlated, this dataset combines the values of the four rooms at each timestamp to detect anomalies, which may improve the accuracy: [date, room 1, room 2, room 3, room 4, label].

3) One-class SVM model: To construct a model able to recognize anomalies in the dataset, we chose the one-class support vector machine, implemented and adapted using the Python library scikit-learn. Our proposed anomaly-based IDS model
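The four dataset layouts and the discretization step, as an added example that is not the paper's code. The sensor readings are constructed (not testbed data); the PD3V rule (walk backwards through the series and keep a reading only when it differs from the last kept one) is my reading of the description above; the 15 °C to 30 °C range and 15 equal-width bins are assumed. The rows these builders return are what one would hand to scikit-learn's OneClassSVM, which is deliberately not called here so the example runs without that dependency.

```python
"""Feature-set construction for the sensor anomaly detector: SV, P5V, PD3V and
cross-rooms layouts plus equal-width discretization. Added example, not the
paper's code; the readings below are constructed sample input."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Reading = Tuple[datetime, float]


def build_sv(series: List[Reading]) -> List[tuple]:
    """SV layout: [date, value] for every reading."""
    return [(ts, v) for ts, v in series]


def build_p5v(series: List[Reading], depth: int = 5) -> List[tuple]:
    """P5V layout: [date, value, 1st .. depth-th preceding value].

    Rows exist only once `depth` earlier readings are available, so the first
    `depth` readings of a series produce no row.
    """
    rows = []
    for i in range(depth, len(series)):
        ts, value = series[i]
        history = [series[i - k][1] for k in range(1, depth + 1)]
        rows.append((ts, value, *history))
    return rows


def build_pd3v(series: List[Reading], depth: int = 3) -> List[tuple]:
    """PD3V layout: [date, value, last `depth` *different* preceding values].

    Walking backwards, a reading is kept only if it differs from the last kept
    value, so a run of repeated readings (a sensor reporting 21.2 five times)
    collapses to one entry. Readings without `depth` distinct predecessors
    produce no row. (Assumed reading of the paper's description.)
    """
    rows = []
    for i, (ts, value) in enumerate(series):
        distinct: List[float] = []
        last = value
        for k in range(i - 1, -1, -1):
            v = series[k][1]
            if v != last:
                distinct.append(v)
                last = v
                if len(distinct) == depth:
                    break
        if len(distinct) == depth:
            rows.append((ts, value, *distinct))
    return rows


def build_cross_rooms(rooms: Dict[str, List[Reading]]) -> List[tuple]:
    """Cross-rooms layout: [date, room_1, ..., room_n] joined on timestamp.

    Only timestamps present in every room are kept, so a room with a missing
    sample drops that row instead of shifting the other rooms' columns.
    """
    names = sorted(rooms)
    by_ts = [{ts: v for ts, v in rooms[name]} for name in names]
    common = sorted(set(by_ts[0]).intersection(*by_ts[1:]))
    return [(ts, *(table[ts] for table in by_ts)) for ts in common]


def discretize(value: float, lo: float, hi: float, n_bins: int) -> int:
    """Equal-width discretization into bin indices 0 .. n_bins-1.

    Values outside [lo, hi) are clamped to the edge bins, so an out-of-range
    (possibly spoofed) reading still maps to a bin instead of raising.
    """
    if value < lo:
        return 0
    if value >= hi:
        return n_bins - 1
    return int((value - lo) / (hi - lo) * n_bins)


def discretize_rows(rows: List[tuple], lo: float, hi: float, n_bins: int) -> List[tuple]:
    """Discretize every numeric column of feature rows; the timestamp is kept."""
    return [(row[0], *(discretize(v, lo, hi, n_bins) for v in row[1:])) for row in rows]


def make_rooms() -> Dict[str, List[Reading]]:
    """Constructed sample: four rooms, 2-minute cadence, 10 temperature readings."""
    t0 = datetime(2020, 3, 1, 8, 0)
    base = {
        "room1": [21.0, 21.0, 21.2, 21.2, 21.2, 21.4, 21.4, 21.6, 21.8, 21.8],
        "room2": [20.8, 20.8, 21.0, 21.0, 21.2, 21.2, 21.2, 21.4, 21.6, 21.6],
        "room3": [22.0, 22.0, 22.2, 22.2, 22.4, 22.4, 22.4, 22.6, 22.6, 22.8],
        "room4": [21.4, 21.4, 21.4, 21.6, 21.6, 21.8, 21.8, 22.0, 22.0, 22.2],
    }
    return {name: [(t0 + timedelta(minutes=2 * i), v) for i, v in enumerate(vals)]
            for name, vals in base.items()}


if __name__ == "__main__":
    rooms = make_rooms()
    # Paper's temperature protocol: train on room 1, test on another room.
    train = discretize_rows(build_p5v(rooms["room1"]), lo=15.0, hi=30.0, n_bins=15)
    test = discretize_rows(build_p5v(rooms["room2"]), lo=15.0, hi=30.0, n_bins=15)
    print(len(train), "training rows;", len(test), "test rows")
    print("PD3V last row, room 1:", build_pd3v(rooms["room1"])[-1])
    print("cross-rooms first row:", build_cross_rooms(rooms)[0])
```

Note the difference between P5V and PD3V on the same series: the P5V row for the last reading repeats 21.8 and 21.4 because the sensor reported them twice, while the PD3V row collapses those repeats to the three distinct levels the temperature actually moved through, which is the repetition the paper wants to prevent. A spoofed constant stream (an attacker replaying one value) never yields a PD3V row at all, which is itself a signal worth alerting on.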
TABLE 6. Temperature training using OC-SVM results.
TABLE 7. CO2 training using OC-SVM results.

consists of four phases. First, the dataset is preprocessed and cleaned. The second step is data discretization, which transforms the time series from continuous values into discrete intervals. The last phases apply the learning algorithm, with a grid search step for the classification. For the temperature dataset, we use the first room's values for training and the second room's for testing. Based on the observation that a spatial correlation exists only for the temperature data, we do not test the model generated from CO2 data on another room; for CO2 we evaluate the learning models on the detection accuracy measured on 33% of the training dataset held out for testing.

4) Results and comparison: The results obtained from the temperature values show that SV and P5V perform better than the other feature combinations in terms of detection accuracy, reaching 98.86%. In the CO2 case, the P5V dataset achieved 99.24%.

V. CONCLUDING REMARKS AND OPEN RESEARCH CHALLENGES

IoT systems are expected to revolutionize our everyday life in the near future. Among the potential value-added features, the provisioning of on-demand security measures represents a breakthrough in facing the explosion of cybersecurity attacks. In this paper, we have investigated the most common threats to IoT systems. We have then provided a list of promising technologies and designed a security framework that integrates them in a comprehensive way. Indeed, we strongly believe that the joint use of SDN, NFV and machine learning can enable a holistic security system able to enforce the requested security policies. We have also provided a study that demonstrates the feasibility of our AI-based security framework, which combines knowledge-based and anomaly-based intrusion detection. On the one hand, for knowledge-based detection, three different systems were evaluated on the NSL-KDD dataset:
1) a system based on a classification algorithm,
2) a distributed attack rule-association system based on the JRip algorithm, and
3) a back-propagation technique, for which we performed several preprocessing steps such as discretization.
The obtained results are very promising: the evaluation metrics allowed us to assess the framework thoroughly and to take into account the effect of wrongly classified attacks. On the other hand, our framework integrates an IDS for anomaly detection in sensor data based on a One-Class SVM, which achieved a detection accuracy higher than 98% for most of the proposed dataset combinations.

In the following, we describe some additional research challenges that our security framework is envisaged to address. First, we are tackling the challenge of defining standardized interfaces to ease the interactions among the envisioned framework modules, including common languages to specify the IoT security policies needed to react according to the AI-based decisions. Second, as the IoT landscape is continuously evolving, the AI system will need to reconfigure itself autonomously in order to deal with emerging (and potentially unknown) IoT cyber-attacks, which do not follow previously seen network or system signatures and patterns. Third, another challenge concerns the machine learning methods and algorithms the reaction agent can use to dynamically plan the best countermeasure(s) to enforce in different contexts. Finally, we also remark that ensuring a certain level of security involves additional resource consumption and potential performance degradation; therefore, the trade-off between security requirements and Quality of Service should be examined in depth within the reaction module.

REFERENCES
[1] A. Souri, A. Hussien, M. Hoseyninezhad, and M. Norouzi, "A systematic review of IoT communication strategies for an efficient smart environment," Trans. Emerg. Telecommun. Technol., Aug. 2019, Art. no. e3736. [Online]. Available: https://onlinelibrary.wiley.com/action/showCitFormats?doi=10.1002%2Fett.3736
[2] T. Taleb, "Toward carrier cloud: Potential, challenges, and solutions," IEEE Wireless Commun., vol. 21, no. 3, pp. 80–91, Jun. 2014.
[3] S. Lal, T. Taleb, and A. Dutta, "NFV: Security threats and best practices," IEEE Commun. Mag., vol. 55, no. 8, pp. 211–217, Aug. 2017.
[4] V. Varadharajan and U. Tupakula, "Security as a service model for cloud environment," IEEE Trans. Netw. Service Manage., vol. 11, no. 1, pp. 60–75, Mar. 2014.
[5] Y. Khettab, M. Bagaa, D. L. C. Dutra, T. Taleb, and N. Toumi, "Virtual security as a service for 5G verticals," in Proc. IEEE Wireless Commun. Netw. Conf. (WCNC), Apr. 2018, pp. 1–6.
[6] X. Wang, C. Wang, X. Li, V. C. M. Leung, and T. Taleb, "Federated deep reinforcement learning for Internet of Things with decentralized cooperative edge caching," IEEE Internet Things J., early access, Apr. 9, 2020, doi: 10.1109/JIOT.2020.2986803.
[7] Zero-Touch Network and Service Management (ZSM); Reference Architecture, Standard ETSI GS ZSM 002, V1.1.1, Aug. 2019.
[8] J. Pacheco and S. Hariri, "IoT security framework for smart cyber infrastructures," in Proc. IEEE 1st Int. Workshops Found. Appl. Self* Syst. (FAS*W), Sep. 2016, pp. 242–247.
[9] K. S. Sahoo, B. Sahoo, and A. Panda, "A secured SDN framework for IoT," in Proc. Int. Conf. Man Mach. Interfacing (MAMI), Dec. 2015, pp. 1–4.
[10] C. Gonzalez, S. M. Charfadine, O. Flauzac, and F. Nolot, "SDN-based security framework for the IoT in distributed grid," in Proc. Int. Multidisciplinary Conf. Comput. Energy Sci. (SpliTech), Jul. 2016, pp. 1–5.
[11] A. Boudi, I. Farris, M. Bagaa, and T. Taleb, "Assessing lightweight virtualization for security-as-a-service at the network edge," IEICE Trans. Commun., vol. E102.B, no. 5, pp. 970–977, 2019.
[12] R. Morabito, V. Cozzolino, A. Y. Ding, N. Beijar, and J. Ott, "Consolidate IoT edge computing with lightweight virtualization," IEEE Netw., vol. 32, no. 1, pp. 102–111, Jan. 2018.
[13] N. Sultana, N. Chilamkurti, W. Peng, and R. Alhadad, "Survey on SDN based network intrusion detection system using machine learning approaches," Peer-to-Peer Netw. Appl., vol. 12, no. 2, pp. 493–501, Mar. 2019.
[14] S. Zafar, S. Jangsher, O. Bouachir, M. Aloqaily, and J. B. Othman, "QoS enhancement with deep learning-based interference prediction in mobile IoT," Comput. Commun., vol. 148, pp. 86–97, Dec. 2019. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0140366419306620
[15] L. Tseng, L. Wong, S. Otoum, M. Aloqaily, and J. B. Othman, "Blockchain for managing heterogeneous Internet of Things: A perspective architecture," IEEE Netw., vol. 34, no. 1, pp. 16–23, Jan. 2020.
[16] I. Al Ridhawi, S. Otoum, M. Aloqaily, Y. Jararweh, and T. Baker, "Providing secure and reliable communication for next generation networks in smart cities," Sustain. Cities Soc., vol. 56, May 2020, Art. no. 102080. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S2210670720300676
[17] J. Canedo and A. Skjellum, "Using machine learning to secure IoT systems," in Proc. 14th Annu. Conf. Privacy, Secur. Trust (PST), Dec. 2016, pp. 219–222.
[18] X. Wang, Y. Han, V. C. M. Leung, D. Niyato, X. Yan, and X. Chen, "Convergence of edge computing and deep learning: A comprehensive survey," IEEE Commun. Surveys Tuts., early access, Jan. 30, 2020, doi: 10.1109/COMST.2020.2970550.
[19] M. Aloqaily, S. Otoum, I. A. Ridhawi, and Y. Jararweh, "An intrusion detection system for connected vehicles in smart cities," Ad Hoc Netw., vol. 90, Jul. 2019, Art. no. 101842. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1570870519301131
[20] A. Molina Zarca, J. B. Bernabe, R. Trapero, D. Rivera, J. Villalobos, A. Skarmeta, S. Bianchi, A. Zafeiropoulos, and P. Gouvas, "Security management architecture for NFV/SDN-aware IoT systems," IEEE Internet Things J., vol. 6, no. 5, pp. 8005–8020, Oct. 2019.
[21] V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection: A survey," ACM Comput. Surv., vol. 41, no. 3, p. 15, 2009.
[22] B. B. Zarpelão, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga, "A survey of intrusion detection in Internet of Things," J. Netw. Comput. Appl., vol. 84, pp. 25–37, Apr. 2017.
[23] A. Molina Zarca, J. Bernal Bernabe, I. Farris, Y. Khettab, T. Taleb, and A. Skarmeta, "Enhancing IoT security through network softwarization and virtual security appliances," Int. J. Netw. Manage., vol. 28, no. 5, Sep. 2018, Art. no. e2038.
[24] S. Lal, A. Kalliola, I. Oliver, K. Ahola, and T. Taleb, "Securing VNF communication in NFVI," in Proc. IEEE Conf. Standards Commun. Netw. (CSCN), Sep. 2017, pp. 187–192.
[25] S. Lal, S. Ravidas, I. Oliver, and T. Taleb, "Assuring virtual network function image integrity and host sealing in telco cloud," in Proc. IEEE Int. Conf. Commun. (ICC), May 2017, pp. 1–6.
[26] I. Farris, J. B. Bernabe, N. Toumi, D. Garcia-Carrillo, T. Taleb, A. Skarmeta, and B. Sahlin, "Towards provisioning of SDN/NFV-based security enablers for integrated protection of IoT systems," in Proc. IEEE Conf. Standards Commun. Netw. (CSCN), Sep. 2017, pp. 169–174.
[27] A. L. Buczak and E. Guven, "A survey of data mining and machine learning methods for cyber security intrusion detection," IEEE Commun. Surveys Tuts., vol. 18, no. 2, pp. 1153–1176, 2nd Quart., 2016.
[28] J. W. Branch, C. Giannella, B. Szymanski, R. Wolff, and H. Kargupta, "In-network outlier detection in wireless sensor networks," Knowl. Inf. Syst., vol. 34, no. 1, pp. 23–54, Jan. 2013.
[29] R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, "The 1999 DARPA off-line intrusion detection evaluation," Comput. Netw., vol. 34, no. 4, pp. 579–595, Oct. 2000.
[30] U. Fayyad, K. Shim, P. Bradley, and S. Sarawagi, ACM SIGKDD Explorations Newsletter, vol. 2, no. 2. New York, NY, USA: Association for Computing Machinery, 2000.
[31] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, "Toward developing a systematic approach to generate benchmark datasets for intrusion detection," Comput. Secur., vol. 31, no. 3, pp. 357–374, May 2012.
[32] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, "A detailed analysis of the KDD CUP 99 data set," in Proc. IEEE Symp. Comput. Intell. Secur. Defense Appl., Jul. 2009, pp. 1–6.
[33] M. Hacibeyoğlu and M. H. Ibrahim, "Comparison of the effect of unsupervised and supervised discretization methods on classification process," Int. J. Intell. Syst. Appl. Eng., vol. 4, no. 1, pp. 105–108, Dec. 2016.
[34] J. Han, J. Pei, and M. Kamber, Data Mining: Concepts and Techniques. Amsterdam, The Netherlands: Elsevier, 2011.
[35] G. Gu, P. Fogla, D. Dagon, W. Lee, and B. Skorić, "Measuring intrusion detection capability: An information-theoretic approach," in Proc. ACM Symp. Inf., Comput. Commun. Secur. (ASIACCS). New York, NY, USA: ACM, 2006, pp. 90–101.
[36] C. Elkan, "Results of the KDD'99 classifier learning," ACM SIGKDD Explor. Newslett., vol. 1, no. 2, pp. 63–64, 2000.
[37] P. Akshaya, "Intrusion detection system using machine learning approach," Int. J. Eng. Comput. Sci., vol. 5, no. 10, Oct. 2016.
[38] M. A. Ambusaidi, X. He, P. Nanda, and Z. Tan, "Building an intrusion detection system using a filter-based feature selection algorithm," IEEE Trans. Comput., vol. 65, no. 10, pp. 2986–2998, Oct. 2016.
[39] N. Moustafa, G. Creech, and J. Slay, "Big data analytics for intrusion detection system: Statistical decision-making using finite Dirichlet mixture models," in Data Analytics and Decision Support for Cybersecurity. Springer, 2017, pp. 127–156.
[40] C.-F. Tsai and C.-Y. Lin, "A triangle area based nearest neighbors approach to intrusion detection," Pattern Recognit., vol. 43, no. 1, pp. 222–229, Jan. 2010.
[41] M. Z. Alom, V. Bontupalli, and T. M. Taha, "Intrusion detection using deep belief networks," in Proc. Nat. Aerosp. Electron. Conf. (NAECON), Jun. 2015, pp. 339–344.
[42] C. Yin, Y. Zhu, J. Fei, and X. He, "A deep learning approach for intrusion detection using recurrent neural networks," IEEE Access, vol. 5, pp. 21954–21961, 2017.
[43] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho, "Deep learning approach for network intrusion detection in software defined networking," in Proc. Int. Conf. Wireless Netw. Mobile Commun. (WINCOM), Oct. 2016, pp. 258–263.
[44] S. A. Ludwig, "Intrusion detection of multiple attack classes using a deep neural net ensemble," in Proc. IEEE Symp. Ser. Comput. Intell. (SSCI), Nov. 2017, pp. 1–7.
[45] M. AL-Hawawreh, N. Moustafa, and E. Sitnikova, "Identification of malicious activities in industrial Internet of Things based on deep learning models," J. Inf. Secur. Appl., vol. 41, pp. 1–11, Aug. 2018.
[46] N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, "A deep learning approach to network intrusion detection," IEEE Trans. Emerg. Topics Comput. Intell., vol. 2, no. 1, pp. 41–50, Feb. 2018.
[47] B. Subba, S. Biswas, and S. Karmakar, "Enhancing performance of anomaly based intrusion detection systems through dimensionality reduction using principal component analysis," in Proc. IEEE Int. Conf. Adv. Netw. Telecommun. Syst. (ANTS), Nov. 2016, pp. 1–6.
[48] A. M. Zarca, D. Garcia-Carrillo, J. B. Bernabe, J. Ortiz, R. Marin-Perez, and A. Skarmeta, "Managing AAA in NFV/SDN-enabled IoT scenarios," in Proc. Global Internet Things Summit (GIoTS), Jun. 2018, pp. 1–7.
[49] A. M. Zarca, J. B. Bernabe, A. Skarmeta, and J. M. A. Calero, "Virtual IoT HoneyNets to mitigate cyberattacks in SDN/NFV-enabled IoT networks," IEEE J. Sel. Areas Commun., early access, Apr. 8, 2020, doi: 10.1109/JSAC.2020.2986621.

MILOUD BAGAA (Member, IEEE) received the Engineering, master's, and Ph.D. degrees from the University of Science and Technology Houari Boumediene, Algiers, Algeria, in 2005, 2008, and 2014, respectively. From 2009 to 2015, he was a Researcher with the Research Center on Scientific and Technical Information, Algiers. From 2015 to 2016, he was with the Norwegian University of Science and Technology, Trondheim, Norway. He is currently a Senior Researcher with Aalto University. His research interests include wireless sensor networks, the Internet of Things, 5G wireless communication, security, and networking modeling. From 2015 to 2016, he received the Postdoctoral Fellowship from the European Research Consortium for Informatics and Mathematics.

TARIK TALEB (Senior Member, IEEE) received the B.E. degree (Hons.) in information engineering and the M.Sc. and Ph.D. degrees in information sciences from GSIS, Tohoku University, Sendai, Japan, in 2001, 2003, and 2005, respectively. He is currently a Professor with the School of Electrical Engineering, Aalto University, Espoo, Finland. He is a member of the IEEE Communications Society Standardization Program Development Board. In an attempt to bridge the gap between academia and industry, he founded the IEEE Workshop on Telecommunications Standards: From Research to Standards, a successful event that was recognized with the Best Workshop Award by the IEEE Communications Society (ComSoc). Based on the success of this workshop, he has also founded and has been the Steering Committee Chair of the IEEE Conference on Standards for Communications and Networking. He is the General Chair of the 2019 edition of the IEEE Wireless Communications and Networking Conference to be held in Marrakech, Morocco. He is/was on the Editorial Board of the IEEE TRANSACTIONS ON WIRELESS COMMUNICATIONS, the IEEE Wireless Communications Magazine, the IEEE Journal on Internet of Things, the IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, the IEEE Communications Surveys and Tutorials, and a number of Wiley journals. He is an IEEE Communications Society (ComSoc) Distinguished Lecturer.

ANTONIO SKARMETA (Member, IEEE) received the B.S. degree (Hons.) in computer science from the University of Murcia, Spain, the M.S. degree in computer science from the University of Granada, and the Ph.D. degree in computer science from the University of Murcia. Since 2009, he has been a Full Professor with the Computer Science Department, University of Murcia. He has worked on different national and international research projects in the networking, security, and IoT areas, such as Euro6IX, ENABLE, DAIDALOS, SWIFT, SEMIRAMIS, SMARTIE, SOCIOTAL, IoT6, ANASTACIA, and CyberSec4Europe. His main interests are in the integration of security services, identity, the IoT and smart cities. He has been head of the research group ANTS since its creation in 1995. He has published over 200 international articles and is a member of several program committees.