Hierarchical multistep approach for intrusion detection and identification in IoT and Fog computing-based environments

Cristiano Antonio de Souza, Carlos Becker Westphall, Jean Douglas Valencio, Renato Bobsin Machado, Wesley dos R. Bezerra

Ad Hoc Networks, 103541, available online 8 May 2024 (In Press, Journal Pre-proof)
Survey paper
https://doi.org/10.1016/j.adhoc.2024.103541

Abstract

Special security techniques, such as intrusion detection mechanisms, are indispensable in modern computer systems, and the emergence of the Internet of Things has made them even more important. It is important not only to detect an attack but to identify its category, so that countermeasures specific to that threat category can be applied. However, most existing multiclass detection approaches have weaknesses, mainly in detecting specific categories of attacks and in their false positive rates. This article addresses this research problem and advances the state of the art with a two-stage detection architecture called DNNET-Ensemble, which combines binary and multiclass detection. Benign traffic can be released quickly after the first detection stage, while intrusive traffic can be subjected to a more robust analysis without causing delay. Additionally, we propose the DNNET binary approach for the binary detection level, which provides more accurate and faster binary detection. We present a federated strategy to train the neural model of the DNNET method without sending data to the cloud, thus preserving the privacy of local data. The proposed Hybrid Attribute Selection strategy finds an optimal subset of attributes through a wrapper method at a lower training cost, thanks to pre-selection with a filter method. Furthermore, the proposed Soft-SMOTE improvement allows operating on a balanced dataset with only a minor increase in training time, even in scenarios with a large number of classes and a large imbalance among them. Results from experiments on well-known intrusion datasets and from laboratory experiments show that the approach achieves superior detection rates and false positive performance compared to other state-of-the-art approaches.
Introduction
In recent years, great technological advances have been taking place. Computing
applications and the number of existing devices have experienced significant growth,
mainly with the popularization of the Internet of Things (IoT). Based on Cisco
projections, the total number of interconnected devices worldwide could reach a
staggering 500 billion by the year 2025 [1].
The proliferation of these small and accessible devices allowed the integration of
everyday objects with the Internet. The concept behind this integration is to bridge the
physical and digital worlds by establishing communication between objects, other
devices, data centers, and clouds. However, IoT devices often come with limited
resources, necessitating the transfer of the data they generate over the Internet to be
processed and stored in high-capacity computational centers. Cloud Computing [2]
addresses this need but faces latency issues due to the distance between IoT devices
and data centers [3].
To overcome this challenge, Fog Computing emerges as a viable solution by providing
services in close proximity to end devices [4]. It stores and processes information near
IoT devices, thereby reducing the volume of traffic sent to the cloud [5]. Moreover, Fog
Computing enables applications requiring real-time processing to achieve faster
response times.
Smart environments are susceptible to security threats and vulnerabilities. The
expansion of IoT increases the potential for vulnerabilities that malicious entities could
exploit to cause harm. Consequently, the implementation of robust security techniques
becomes imperative in contemporary computer systems.
Intrusion detection mechanisms are critical points of security, aiming to identify attempted attacks by unauthorized users. Methods that only detect that an intrusion is occurring, that is, binary detection, are insufficient to provide effective security: the approach must also be able to keep the intrusion from succeeding [6]. Therefore, it is essential to classify the attack into its category so that countermeasures specific to that threat can be applied. The type or category of the attack also informs the decisions of the person responsible for the network: if a specific category of attack is identified as recurring with a certain frequency, the administrator can decide to implement actions that correct the vulnerability the attack exploits.
Motivations. Most intrusion detection approaches focus primarily on anomaly-based methods for binary detection (attack or non-attack) [7], [8], [9], [10], [11]. However, binary methods cannot identify the specific type or category of an attack. On the other hand, the existing multiclass detection approaches that classify attacks into specific categories present lower accuracy rates than binary methods [12], [13], [14], [15], primarily because of the difficulty of identifying specific types of attacks [12], [16], [17]. Additionally, these approaches have problems with their normal traffic identification rate [18], [19], [20]. This metric is extremely important, as it indicates what fraction of the normal traffic is correctly recognized as normal. If it is not close to 100%, a large amount of benign traffic may be mistakenly blocked, which is a serious problem and, in some cases, disrupts the functioning of the network.
Attack detection difficulties are often related to the imbalance of the available training data. Some works have used oversampling techniques to balance the data [21]. Oversampling balances the dataset and avoids biasing the model toward the classes with more examples; the objective is to improve the accuracy on attacks that have fewer training instances. However, applying an oversampling strategy in extremely unbalanced scenarios with many classes creates a very large number of synthetic records, which increases the cost of training and can degrade the performance of the machine learning model. Furthermore, the resource constraints of IoT and Fog computing environments restrict the design of robust approaches.
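To make the cost argument concrete, the following Python example (added here for illustration; it is not the authors' Soft-SMOTE, whose details are not given on this page) implements plain SMOTE interpolation and counts how many synthetic records full balancing requires. The class sizes and the minority sample points are constructed for the example, and the capped-target variant is this example's own simplification of the idea of not balancing all the way up to the majority class.

```python
"""SMOTE-style oversampling and the synthetic-record blow-up of full balancing.

Added illustration: plain SMOTE interpolation, not the paper's Soft-SMOTE, whose
details are not given on this page. The capped target is this example's own
simplification of "do not balance all the way to the majority class".
"""
import random
from math import dist


def smote(samples, n_new, k=3, seed=0):
    """Generate n_new synthetic points for one minority class.

    Each point lies on the segment between a randomly chosen sample and one of
    that sample's k nearest neighbours in the same class (the SMOTE rule)."""
    if len(samples) < 2:
        raise ValueError("SMOTE needs at least two samples of the class")
    rng = random.Random(seed)
    synthetic = []
    for _ in range(n_new):
        base = rng.choice(samples)
        neighbours = sorted((s for s in samples if s is not base),
                            key=lambda s: dist(s, base))[:k]
        other = rng.choice(neighbours)
        lam = rng.random()                   # interpolation factor in [0, 1)
        synthetic.append([b + lam * (o - b) for b, o in zip(base, other)])
    return synthetic


def synthetic_counts(class_sizes, target_ratio=1.0):
    """Synthetic records per class needed to lift each class to
    target_ratio * majority size. 1.0 is full balancing; a smaller ratio
    stops short of it and is this example's stand-in for a softer target."""
    target = round(max(class_sizes.values()) * target_ratio)
    return {c: max(0, target - n) for c, n in class_sizes.items()}


def blowup_factor(class_sizes, target_ratio=1.0):
    """Size of the training set after oversampling, relative to the original."""
    original = sum(class_sizes.values())
    added = sum(synthetic_counts(class_sizes, target_ratio).values())
    return (original + added) / original


# Constructed class sizes for a 5-class training set (not the statistics of any real dataset).
CLASS_SIZES = {"normal": 50_000, "dos": 20_000, "probe": 3_000, "r2l": 200, "u2r": 10}

# Constructed 2-D feature vectors (packets/s, bytes/packet) for the rarest class.
U2R_SAMPLES = [[20.0, 120.0], [25.0, 110.0], [22.0, 118.0], [30.0, 100.0], [18.0, 125.0]]


if __name__ == "__main__":
    for ratio in (1.0, 0.2):
        added = sum(synthetic_counts(CLASS_SIZES, ratio).values())
        print(f"target {ratio:.0%} of majority: {added} synthetic rows, "
              f"training set x{blowup_factor(CLASS_SIZES, ratio):.2f}")
    print("three synthetic u2r flows:", smote(U2R_SAMPLES, 3))
```

With these constructed sizes, lifting every class to the majority adds 176,790 synthetic rows to a 73,210-row set (about 3.4 times larger), almost all of them for the two rarest classes; stopping at 20% of the majority adds 26,790. The interpolation itself never leaves the bounding box of the real minority samples, which is why SMOTE cannot invent attack behaviour that the few real samples do not already span.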
Some works have tried to filter the best traffic characteristics with wrapper attribute selection techniques, in which a classification method is embedded in the selector. Wrapper methods obtain higher-quality attribute sets for detection than filter methods. However, wrapper approaches demand more processing and generate higher computational costs, which can be prohibitive when dealing with large amounts of data. Therefore, in many cases, the techniques used for detection, attribute selection, and class balancing make an approach too costly to operate in the Fog-IoT environment.
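The following Python example, added here as an illustration and not the authors' Hybrid Attribute Selection code, shows the cost structure the paragraph describes: a filter (an ANOVA-style F score, an assumption of this example) ranks the attributes cheaply, and a wrapper (greedy forward selection scored by leave-one-out accuracy of a 1-nearest-neighbour classifier, also an assumption) then searches only the survivors. The flow records are constructed for the example; the point is the number of classifier evaluations the wrapper needs with and without pre-selection.

```python
"""Hybrid attribute selection: a cheap filter ranks attributes, a wrapper searches only the survivors.

Added illustration, not the authors' Hybrid Attribute Selection code. Assumed
components: an ANOVA-style F score as the filter, greedy forward selection scored by
leave-one-out 1-nearest-neighbour accuracy as the wrapper.
"""
from math import dist

# Constructed 3-class flow records (not from NSL-KDD or IoTID20). Feature columns:
# 0 bytes/packet, 1 packets/s, 2 distinct dst ports, 3 constant, 4 noisy rescaling of
# column 0, 5 uninformative counter. Columns 3 to 5 are the noise a selector should drop.
DATA = [
    ([900.0, 5.0, 1.0, 0.0, 89.0, 10.0], "benign"),
    ([880.0, 8.0, 3.0, 0.0, 87.0, 14.0], "benign"),
    ([920.0, 3.0, 5.0, 0.0, 92.0, 18.0], "benign"),
    ([60.0, 900.0, 2.0, 0.0, 7.2, 11.0], "dos"),
    ([64.0, 1100.0, 4.0, 0.0, 6.1, 15.0], "dos"),
    ([70.0, 1000.0, 6.0, 0.0, 8.3, 19.0], "dos"),
    ([62.0, 6.0, 400.0, 0.0, 6.0, 12.0], "scan"),
    ([58.0, 9.0, 300.0, 0.0, 5.1, 16.0], "scan"),
    ([66.0, 4.0, 350.0, 0.0, 7.1, 20.0], "scan"),
]


def f_score(data, j):
    """Filter score of column j: between-class spread over within-class spread.
    Costs one pass over the data and no classifier training."""
    by_class = {}
    for x, y in data:
        by_class.setdefault(y, []).append(x[j])
    grand = sum(x[j] for x, _ in data) / len(data)
    between = within = 0.0
    for vals in by_class.values():
        mu = sum(vals) / len(vals)
        between += len(vals) * (mu - grand) ** 2
        within += sum((v - mu) ** 2 for v in vals)
    return between / (within + 1e-12)


def filter_rank(data, k):
    """Indices of the k highest-scoring columns, best first."""
    n_features = len(data[0][0])
    return sorted(range(n_features), key=lambda j: -f_score(data, j))[:k]


def loo_accuracy(data, features):
    """Leave-one-out accuracy of 1-NN restricted to the given columns (one wrapper evaluation)."""
    proj = [([x[j] for j in features], y) for x, y in data]
    correct = 0
    for i, (xi, yi) in enumerate(proj):
        others = [rec for m, rec in enumerate(proj) if m != i]
        correct += min(others, key=lambda rec: dist(rec[0], xi))[1] == yi
    return correct / len(proj)


def wrapper_select(data, candidates):
    """Greedy forward selection over the candidate columns.
    Returns (best subset found, its accuracy, number of classifier evaluations)."""
    selected, remaining = [], list(candidates)
    best_subset, best_acc, evaluations = [], 0.0, 0
    while remaining:
        step_best = None
        for j in remaining:
            acc = loo_accuracy(data, selected + [j])
            evaluations += 1
            if step_best is None or acc > step_best[1]:
                step_best = (j, acc)
        selected.append(step_best[0])
        remaining.remove(step_best[0])
        if step_best[1] > best_acc:          # keep the smallest subset that reached the best score
            best_subset, best_acc = list(selected), step_best[1]
    return best_subset, best_acc, evaluations


def hybrid_select(data, k):
    """Filter pre-selection of k columns, then the wrapper searches only those."""
    return wrapper_select(data, filter_rank(data, k))


if __name__ == "__main__":
    print("filter ranking:", filter_rank(DATA, 6))
    print("wrapper over all columns:", wrapper_select(DATA, list(range(6))))
    print("hybrid (filter top 3, then wrapper):", hybrid_select(DATA, 3))
```

On these records the filter ranks the noisy copy of bytes/packet (column 4) second, because a univariate score cannot see that it is redundant with column 0; the wrapper then discovers that column 4 together with packets/s (column 1) separates all three classes and that adding column 0 brings nothing. Both the full wrapper and the hybrid end up with the same subset and the same accuracy, but the full wrapper trains and evaluates the classifier 21 times (6+5+4+3+2+1) while the hybrid needs 6 (3+2+1); the gap grows quadratically with the number of raw attributes, which is the cost the text refers to.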
This article advances the state of the art by contributing a hierarchical multistep detection architecture that combines binary detection and multiclass detection. Benign traffic can be quickly released after the first detection stage in the fog, while intrusive traffic can be subjected to a more robust analysis in the cloud without causing delay. We propose the DNNET binary approach for the binary detection level, which provides faster binary detection than the DNNKNN approach [22]. We present a federated strategy to train the neural model of the DNNET method without sending data to the cloud, thus preserving the privacy of local data. The proposed Hybrid Attribute Selection strategy finds an optimal subset of attributes through a wrapper method at a lower training cost, thanks to pre-selection with a filter method. Furthermore, the proposed Soft-SMOTE improvement allows operating on a balanced dataset without a relevant increase in training time, even in scenarios with a large number of classes and a large imbalance among them. Together, these contributions form DNNET-Ensemble, a complete behavior-based and false-positive-resistant approach for detecting and identifying intrusions in fog computing and IoT environments.
Experiments with the NSL-KDD and IoTID20 intrusion datasets showed that the approach outperformed classical Machine Learning (ML) techniques and state-of-the-art approaches, obtaining higher average balanced accuracy, precision, and recall. It also proved superior in identifying benign traffic, indicating a low false positive rate, while requiring a lower computational cost.
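The two-stage cascade and the benign-traffic metric discussed above, as an added Python example (not the DNNET-Ensemble implementation): a binary gate stands in for DNNET and a multiclass stage stands in for the ensemble, both implemented here as 1-nearest-neighbour classifiers on constructed flow records (an assumption of this example). It shows the two properties the text relies on: only traffic the gate flags reaches the costly second stage, and every benign flow the gate misclassifies is blocked by the cascade, so the benign identification rate is the gate's true negative rate.

```python
"""Two-stage intrusion detection cascade: binary gate at the fog, multiclass stage in the cloud.

Added illustration, not the DNNET-Ensemble implementation: 1-nearest-neighbour
classifiers stand in for the paper's neural binary model and multiclass ensemble.
"""
from collections import Counter
from math import dist

# Constructed flow records (not from NSL-KDD or IoTID20). Feature columns:
# packets per second, mean bytes per packet, distinct destination ports in the window.
TRAIN = [
    ([5.0, 900.0, 1.0], "benign"),
    ([8.0, 700.0, 2.0], "benign"),
    ([3.0, 1100.0, 1.0], "benign"),
    ([900.0, 60.0, 1.0], "dos"),
    ([1100.0, 64.0, 1.0], "dos"),
    ([200.0, 60.0, 400.0], "scan"),
    ([150.0, 64.0, 300.0], "scan"),
    ([20.0, 120.0, 1.0], "bruteforce"),
    ([25.0, 110.0, 1.0], "bruteforce"),
]

# Constructed held-out flows; the third benign flow deliberately resembles brute-force traffic.
TEST = [
    ([6.0, 880.0, 1.0], "benign"),
    ([9.0, 720.0, 2.0], "benign"),
    ([15.0, 130.0, 1.0], "benign"),
    ([902.0, 61.0, 1.0], "dos"),
    ([700.0, 60.0, 5.0], "dos"),
    ([180.0, 62.0, 350.0], "scan"),
    ([21.0, 118.0, 1.0], "bruteforce"),
    ([24.0, 112.0, 1.0], "bruteforce"),
]


def nearest_label(train, x):
    """1-NN: label of the training record closest to x."""
    return min(train, key=lambda rec: dist(rec[0], x))[1]


def stage1_is_attack(x, train=TRAIN):
    """Binary gate at the fog node: decides only benign vs. attack."""
    return nearest_label(train, x) != "benign"


def stage2_category(x, train=TRAIN):
    """Multiclass stage in the cloud, trained on attack flows only."""
    attacks_only = [rec for rec in train if rec[1] != "benign"]
    return nearest_label(attacks_only, x)


def cascade_predict(x):
    """Returns (predicted label, whether the cloud stage was invoked)."""
    if not stage1_is_attack(x):
        return "benign", False          # released at the fog, no further analysis
    return stage2_category(x), True


def evaluate(records):
    """Confusion-matrix metrics of the cascade over labelled flows."""
    tp, pred_count, true_count = Counter(), Counter(), Counter()
    stage2_calls = 0
    for x, truth in records:
        pred, used_stage2 = cascade_predict(x)
        stage2_calls += used_stage2
        true_count[truth] += 1
        pred_count[pred] += 1
        if pred == truth:
            tp[truth] += 1
    classes = sorted(true_count)
    recall = {c: tp[c] / true_count[c] for c in classes}
    precision = {c: tp[c] / pred_count[c] if pred_count[c] else 0.0 for c in classes}
    return {
        "accuracy": sum(tp.values()) / len(records),
        "balanced_accuracy": sum(recall.values()) / len(classes),
        "macro_precision": sum(precision.values()) / len(classes),
        # Benign flows released at stage 1. A benign flow the gate flags is blocked
        # by the cascade because stage 2 only assigns attack categories, so this
        # rate is the gate's true negative rate and bounds the false positives.
        "benign_identification_rate": recall["benign"],
        "stage2_calls": stage2_calls,
    }


if __name__ == "__main__":
    for metric, value in evaluate(TEST).items():
        print(f"{metric}: {value}")
```

On the constructed test flows the gate releases two of the three benign flows and flags the look-alike, so the cloud stage runs six times for eight flows and the benign identification rate is 2/3; the misclassified benign flow then drags down brute-force precision (2/3) while every attack category keeps a recall of 1.0. That is the asymmetry the text is pointing at: the second stage can refine attack categories but cannot recover benign traffic the gate has already flagged, so the gate's false positive rate must be driven close to zero first.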
This article is an expanded version of our previous study [23]. In this extended version, we update the analysis of the state of the art with recent works and use the additional space to give more in-depth details of the architecture and the proposed approach. We also introduce a federated training strategy to generate the neural model used by the DNNET approach. Furthermore, the evaluation section is more comprehensive, featuring new experiments that assess the federated training strategy, an evaluation of the approach in a laboratory environment, and a complexity analysis.
Contributions. The main contributions of this work are as follows:
Proposal of a multi-step approach called DNNET-Ensemble for intrusion detection
and identification;
Improvements of the binary approach proposed in [22];
Proposal of a federated strategy to train the neural model of the DNNET method;
Proposal of the soft-SMOTE strategy for class balancing with resource constraints;
Proposal of the Hybrid Attribute Selection strategy to reduce the cost of wrapper
attribute selection approaches;
Detection and identification results superior to classical machine learning methods and state-of-the-art approaches.
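A federated round of the kind the contribution list refers to, as an added Python example rather than the authors' federated DNNET training code: each fog node trains on its own flows and sends only model weights, and the server averages them weighted by sample count (FedAvg-style averaging, an assumption of this example). A logistic regression trained by gradient descent stands in for the DNNET neural model; the node datasets and the feature scaling are constructed for the example.

```python
"""Federated training of a binary intrusion detector across fog nodes.

Added illustration, not the authors' federated DNNET training code: a logistic
regression stands in for the neural model. Nodes exchange weights, never flow records.
"""
from math import exp

# Constructed per-node flow data (not from NSL-KDD or IoTID20). Features are scaled:
# [packets per second / 1000, mean bytes per packet / 1000]; label 1 = attack, 0 = benign.
NODE_DATA = {
    "fog-node-A": [
        ([0.005, 0.90], 0), ([0.008, 0.70], 0),
        ([0.90, 0.060], 1), ([1.10, 0.064], 1),
    ],
    "fog-node-B": [
        ([0.003, 1.10], 0), ([0.006, 0.80], 0),
        ([0.20, 0.060], 1), ([0.15, 0.064], 1),
        ([0.020, 0.12], 1), ([0.025, 0.11], 1),   # slow, brute-force-like flows
    ],
}


def sigmoid(z):
    return 1.0 / (1.0 + exp(-z))


def predict_proba(weights, x):
    """weights = [w_pps, w_bpp, bias]; returns P(attack)."""
    return sigmoid(weights[0] * x[0] + weights[1] * x[1] + weights[2])


def local_train(weights, data, epochs=100, lr=0.5):
    """Full-batch gradient descent on one node's private data. Returns new weights only."""
    w = list(weights)
    n = len(data)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in data:
            err = predict_proba(w, x) - y        # derivative of the log loss w.r.t. the logit
            grad[0] += err * x[0]
            grad[1] += err * x[1]
            grad[2] += err
        w = [w[i] - lr * grad[i] / n for i in range(3)]
    return w


def federated_average(updates):
    """Server step: sample-count-weighted mean of the client weight vectors."""
    total = sum(n for _, n in updates)
    return [sum(w[i] * n for w, n in updates) / total for i in range(3)]


def run_federated(node_data, rounds=30):
    """Each round: broadcast global weights, nodes train locally, server averages.
    Only (weights, sample_count) pairs cross the network; the flows stay on the node."""
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [(local_train(global_w, data), len(data)) for data in node_data.values()]
        global_w = federated_average(updates)
    return global_w


def accuracy(weights, data):
    return sum((predict_proba(weights, x) >= 0.5) == bool(y) for x, y in data) / len(data)


if __name__ == "__main__":
    w = run_federated(NODE_DATA)
    print("global weights:", [round(v, 3) for v in w])
    for name, data in NODE_DATA.items():
        print(name, "accuracy", accuracy(w, data))
```

Node A never sees slow brute-force-like flows and node B never sees flooding flows, yet the averaged model classifies both nodes' data, which is the point of sharing weights instead of records. The privacy property is only as strong as the update channel: weights still leak information about local data, so in a deployment the updates would travel over an authenticated channel and the aggregator would be treated as a party that must not be able to reconstruct a single node's flows.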
The remainder of this paper is organized as follows. Section 2 presents the main threats
involving the work context. Section 3 presents recent works related to intrusion
detection, which are analyzed and compared. Section 4 presents a detailed description
of the proposed approach. The experimental setup and results of a performance
comparison between the proposed approach and other methods are given in Section 5.
Finally, Section 6 concludes our paper.
Section snippets
Attacker model
This approach considers the context of intelligent environments based on fog
computing and IoT. Security in these environments is paramount, as sensitive
information is usually transported. Furthermore, many systems are critical and need to
be guaranteed uninterrupted operation.
However, intelligent environments based on fog computing and IoT are not free from
threats [24]. As can be seen in Fig. 1, these environments are subject to external attacks
from the Internet [25], [26]. A dangerous…
Related works
This section addresses the state of the art in intrusion detection for computer systems. To establish a comprehensive perspective of the current status, we conducted a literature review on the topic, searching the IEEE, ACM Digital Library, Elsevier, and Springer databases to identify relevant studies. The articles identified during this review are discussed and compared within this section. Table 1 presents a comparative analysis of the works found in the state of the art. This …
Proposed approach
This section introduces a novel proposal for the analysis and monitoring of computer
networks. The approach is founded on anomaly detection and targets the identification
and categorization of intrusions, making it a multiclass classification problem. The
ability to identify the specific class of an attack is an important ally in the process of
implementing countermeasures to prevent the intrusion from succeeding. There is a
wide range of classic machine learning models capable of multi-class…
Evaluation
This section presents the methodology defined for the evaluation of the proposal. The proposed approach and the machine learning methods were evaluated through experiments with the IoTID20 [57] and NSL-KDD [58] datasets. The objective of using multiple datasets is to validate whether the detection approach works in different scenarios. The NSL-KDD dataset was chosen because it is well established and has many works available for comparison. The IoTID20 dataset was used…
Conclusions and future works
The growth of the Internet of Things (IoT) and computing applications has increased
the likelihood of vulnerabilities existing, which can be used by malicious entities to
cause damage. Security techniques are essential in modern computer systems. It is
important to detect and identify the attack in a category so that countermeasures
specific to the threat category can be taken.
This work proposes a multi-step hierarchical approach for detecting and identifying
intrusions in Fog Computing and IoT …
CRediT authorship contribution statement
Cristiano Antonio de Souza: Conceptualization, Investigation, Methodology, Software,
Writing – original draft, Writing – review & editing. Carlos Becker Westphall:
Conceptualization, Supervision, Writing – review & editing. Jean Douglas Valencio:
Conceptualization, Investigation, Methodology, Software. Renato Bobsin Machado:
Conceptualization, Supervision, Writing – review & editing. Wesley dos R. Bezerra:
Conceptualization, Validation, Writing – review & editing.…
Declaration of competing interest
The authors declare that they have no known competing financial interests or personal
relationships that could have appeared to influence the work reported in this paper.…
Acknowledgment
The authors sincerely thank the Federal University of Santa Catarina (UFSC). Also, this
study was partially funded by the Fundação de Amparo à Pesquisa e Inovação do Estado
de Santa Catarina (FAPESC) and by the Coordenação de Aperfeiçoamento de Pessoal de
Nível Superior - Brasil (CAPES) - Financial Code 001.…
References (84)
E. Marín-Tordera et al., Do we all really know what a fog node is? Current trends towards an open definition, Comput. Commun. (2017)
M. Almiani et al., Deep recurrent neural network for IoT intrusion detection system, Simul. Model. Pract. Theory (2020)
A.A. Diro et al., Distributed attack detection scheme using deep learning approach for Internet of Things, Future Gener. Comput. Syst. (2018)
C. Ieracitano et al., A novel statistical analysis and autoencoder driven intelligent intrusion detection approach, Neurocomputing (2020)
N. Moustafa et al., DAD: A Distributed Anomaly Detection system using ensemble one-class statistical learning in edge networks, Future Gener. Comput. Syst. (2021)
C.A. de Souza et al., Hybrid approach to intrusion detection in fog-based IoT environments, Comput. Netw. (2020)
L. Aversano et al., A systematic review on Deep Learning approaches for IoT security, Comp. Sci. Rev. (2021)
R. Ahmad et al., Machine learning approaches to IoT security: A systematic literature review, Internet Things (2021)
S. Wang et al., Res-TranBiLSTM: An intelligent approach for intrusion detection in the Internet of Things, Comput. Netw. (2023)
M. Habiba et al., Edge intelligence for network intrusion prevention in IoT ecosystem, Comput. Electr. Eng. (2023)
Cristiano Antonio de Souza is a Ph.D. student in Computer Science at
the Federal University of Santa Catarina (UFSC). Participates in
research groups: Research Group on Information Security, Networks
and Systems (CNPq-UFSC); and Computational Security Research
Group (CNPq-UNIOESTE). His research interests focus on security,
intrusion detection and prevention, IoT, fog computing, and machine
learning.
Carlos Becker Westphall is Full Professor (since 1993) at the Federal
University of Santa Catarina - Brazil, where he acts as the leader of
the Network and Management Laboratory and also coordinates
some projects funded by the Brazilian National Research Council
(CNPq). Editorial board member of periodicals and technical
program and/or organizing committee member of conferences.
Jean Douglas Gomes Valencio holds a bachelor's degree in Computer Science (2014-2018) and a Master's in Electrical and Computer Engineering from the State University of Western Paraná. In research, he develops projects and activities at the Computational Security Research Laboratory (LapSec) and in Information Security, Networks and Systems with the CNPq-UFSC Research Group, focusing on computational intelligence applied to intrusion detection in computer networks.
Renato Bobsin Machado is currently a professor and researcher at
the State University of Western Paraná, working in the Graduate
Program in Electrical and Computer Engineering (PGEEC).
Coordinates the Laboratory for Research in Computational Security
(LaPSeC) and participates in research groups: Research Group on
Information Security, Networks and Systems (CNPq-UFSC); and
Computational Security Research Group (CNPq-UNIOESTE).
Wesley dos Reis Bezerra is currently a professor at the Federal Institute of Santa Catarina, Campus Rio do Sul, and a Ph.D. candidate at PPGCC, UFSC. He obtained his Master's in Engineering and Knowledge Management from EGC, UFSC. He holds a Bachelor of Information Systems from INE, UFSC, and a Bachelor in Business Administration from Estácio de Sá University.
This document is the results of the research project funded by the Fundação de Amparo à Pesquisa e
Inovação do Estado de Santa Catarina (FAPESC) and by the Coordenação de Aperfeiçoamento de
Pessoal de Nível Superior - Brasil (CAPES).
© 2024 Elsevier B.V. All rights reserved.
Part of the special issue on Selected Best Papers from the 41st Brazilian Symposium on Computer Networks and Distributed Systems (SBRC 2023), edited by Carlos Kamienski, Stenio Fern
andes, Eduardo Cerqueira, Dave Cavalcanti and Marco Di Felice.