An Analysis of IoT Cyber Security Driven by Machine Learning

Sam Strecker1, Willem Van Haaften2, and Rushit Dave3
1University of Wisconsin-Eau Claire, Eau Claire, WI 54702, USA.
strecksh8883@uwec.edu
Abstract. Since the beginning of the Internet of Things (IoT), the number of IoT devices connected to the internet has grown rapidly. However, many IoT devices lack the security standards that non-IoT devices have, which means that billions of smart devices could be used as part of a botnet attack or as a point of entry into a secured network. The potential to exploit an IoT device makes the search for suitable IoT security measures extremely important. To fill this need, this study explores the use of machine learning in IoT security measures. Upon reviewing recent developments of machine learning in IoT security, it was found that the methods with the highest threat detection accuracy utilized the Random Forest and K-Nearest Neighbor algorithms, and the most efficient methods utilized Software Defined Networks (SDN) and the fog layer of networks. In addition, the methods that identify the type of an IoT device when it connects to a network primarily used the Random Forest algorithm. This study takes an in-depth look at the use of machine learning algorithms to detect malicious and anomalous data within IoT systems.
Keywords: Internet of Things, Machine Learning, Cybersecurity, Device Type Identification,
Anomaly Detection, Botnet Attacks
1 Introduction
Based on predictions made in 2018, an estimated 50 billion devices are currently connected to the internet [1]. Most of them are not typical computers, laptops, or smartphones, but devices such as smartwatches, smart refrigerators, thermostats, voice services, security cameras, and much more. These devices have been given various technologies to communicate with the internet to provide better functionality and efficiency for the end user, and together they make up what is considered the Internet of Things. One of the defining characteristics of the Internet of Things is the interconnectivity between its devices. Gateway devices are responsible for collecting data from surrounding sensor devices and transferring it to the internet. Both the gateway and the sensor devices must be secured, and measures need to be in place to prevent an infected IoT device from spreading its infection to other devices. In many cases, the use of machine learning algorithms to secure IoT devices and networks has given promising results and could prove extremely beneficial for IoT security.
In the year 2021, an estimated 24 billion IoT devices will be connected to the internet [2]. Like most other technologies, the Internet of Things can be exploited by hackers and other malicious actors to weaken networks, deny service to a system, steal valuable information, or conduct other malicious activities. As the number of IoT devices has grown, attacks that exploit vulnerable IoT devices have increased exponentially [3]. This makes security for the Internet of Things extremely important, both to protect the essential systems these devices are connected to and the information that flows through them. Recently, various machine learning techniques have been explored in the field of IoT security with goals such as countering man-in-the-middle or selective-forwarding attacks [4]. Many of these techniques look promising, with high prediction accuracies, self-learning models, real-time security, and increased efficiency.
Due to advances in technology, machine learning can now be used as a practical tool in many programming scenarios, especially in areas like cybersecurity. Being able to parse millions of data points virtually in real time and progressively self-learn is an enormous advantage compared with earlier methods such as active storage scans, which were reactive and costly and only minimized damage instead of preventing it [5]. Machine learning has allowed security specialists to keep up with the ever-changing landscape that makes up cyber security. This study highlights the uses of machine learning techniques and algorithms in IoT security, including intrusion detection, identifying IoT devices, preventative security measures, and how different machine learning techniques compare to one another.
2 Background
The term “The Internet of Things” was coined in 1999 by Kevin Ashton [6], who used the phrase to describe the use of RFID technology in the supply chain of Procter & Gamble. Nowadays, the term is used in a broader sense, describing every object, or thing, that contains sensors, software, and other hardware used to connect to and communicate with the internet. So far, numerous businesses, homes, cities, and other organizations have deployed their own networks of IoT devices to accomplish tasks and goals with greater efficiency, such as managing energy consumption, calling the authorities in an emergency, or completing tasks at home with voice commands. One promising use of an IoT network as part of a city’s development can be found in the city of Padova, which utilizes IoT devices to monitor street lighting, carbon monoxide levels, noise levels, and more [7]. Although these networks of IoT devices can improve our standard of living, they, like most other technology, can be exploited by hackers and criminals if they are not protected correctly.
The security of IoT devices is one of the most important problems for the Internet of Things that needs to be addressed. New techniques to secure IoT devices are in constant development in order to better protect against cyberattacks on IoT devices and networks, which are equally ever-changing and evolving. However, developing security measures for IoT devices has its own set of challenges. For one, many IoT devices operate under the constraint of low power and, therefore, have low computing power as well [8]. Raza et al. have researched securing the Constrained Application Protocol (CoAP), which could be a cost-effective way to protect data transfers for IoT systems whose limited computing power makes real-time security protection otherwise unachievable [9]. In addition, not all IoT devices are of similar structure, which makes vulnerabilities and bugs hard to track [8]. Dorri et al. have researched the use of a blockchain, the technique underlying the cryptocurrency Bitcoin [10], in an IoT system in order to create a security structure that encompasses and protects a household’s IoT devices; however, it would require each household to operate its own private blockchain. Another set of security measures for mobile devices and the cloud environment is biometric authentication using machine learning algorithms. The use of biometric authentication for mobile devices connected to IoT networks greatly reduces the risk of information being stolen and helps ensure that a person accessing some piece of personal information is the intended user [11][12][13].
Ultimately, IoT cybersecurity is still lacking for today’s security landscape when compared to other areas with exceptional security, such as anti-fraud systems for online payments. IoT devices still face challenges in areas of security including malware detection and prevention, and object identification, and so far solutions in these areas have been underdeveloped for IoT systems [8]. In addition, the number of botnet attacks using compromised IoT devices is increasing significantly. In September 2016, the website of a computer security consulting firm was hit with 620 Gbps of traffic from an IoT botnet. At the same time, an even bigger Distributed Denial of Service (DDoS) attack, using the Mirai malware, peaked at 1.1 Tbps and targeted the web hosting and cloud service provider OVH [14]. Attacks like these are only getting more prevalent and, as the number of IoT devices increases, the volume of botnet traffic grows significantly, making it harder for web-infrastructure and website-security companies like Cloudflare to mitigate attacks [15]. Due to the growing prevalence of IoT attacks, there is a need for security measures that protect IoT devices from being exploited. Thus, this study explores the potential of using machine learning algorithms to detect several types of cyber-attacks in IoT systems and prevent them from taking hold of IoT devices.
3 Literature Review
3.1 ‘IoT Security Techniques Based on Machine Learning’
Researchers at XMU were concerned about the grave reality of the current state of Internet of Things security. IoT security is one of the more challenging areas of cyber security to manage. With the advancement of machine learning and smart bot attacks, IoT devices must choose a defensive policy and determine the key attributes of their security protocols as a trade-off in dynamic networks with and without fog layers [16]. Unsupervised learning has been widely used to improve network security functions such as authentication, access control, anti-jamming offloading, and malware detection. Supervised learning techniques such as support vector machines (SVMs), naive Bayes, K-nearest neighbor (K-NN), neural networks (NNs), deep NNs (DNNs), and random forest can be used to classify the network traffic of IoT devices. For example, IoT devices can use SVMs to detect network intrusion and spoofing attacks, apply K-NN to network intrusion and malware detection, and utilize NNs to detect network intrusion and DoS attacks. Naive Bayes can also be used for intrusion detection, and random forest for malware detection.
Fig. 1 Computational Comparison, ‘IoT Security Techniques Based on Machine Learning’ [16]
Fig. 2 Network Diagram of Security Model, ‘IoT Security Techniques Based on Machine Learning’ [16]
The researchers focused on a couple of IoT attack models. Their DoS attack detection uses multivariate correlation analysis to extract the geometrical correlations between network traffic features; on the KDD Cup 99 data set this model raises the detection accuracy by 3.05%, to 95.2%, compared with the triangle-area-based nearest-neighbors approach [16]. In a malware-detection scheme, an IoT device can apply machine learning to reach the optimal offloading rate without knowing the source generation and radio bandwidth model of the neighboring IoT devices: the device estimates the detection accuracy gain, detection latency, and energy consumption to evaluate the work completed in a given time frame. This scheme improves the detection accuracy by 40%, reduces the detection latency by 15%, and increases the accuracy of the mobile devices by 47% compared with the benchmark offloading strategies in a network of 100 IoT devices. In summary, the researchers at XMU identified several IoT attack models and learning-based IoT security techniques, including IoT authentication, access control, malware detection, and secure offloading [15].
3.2 ‘Using Machine Learning to Secure IoT Systems’
Faced with the problem of detecting anomalous data in IoT systems, Cañedo and Skjellum developed an approach based on an artificial neural network (ANN), chosen for its popularity and its prior use in monitoring the state of IoT devices [17]. The ANN analyses the data collected from sensor IoT devices and sent to a gateway IoT device, with the aim of preventing both man-in-the-middle and denial-of-service attacks. The testbed consisted of ten Arduino Uno devices with temperature sensors and Wi-Fi chips serving as edge devices, each connected to a Raspberry Pi Model 3 serving as the gateway device; from it, a total of 4,000 normal temperature recordings were collected. The ANN was trained on a randomly chosen half of the collected data and tested on the other half. Training used two input neurons, device ID and temperature. In addition to the half of the valid data, ten minutes’ worth of invalid data was added to the testing set. Since the ANN was trained on valid data only, its output neuron produced a value close to 1.00000 for a valid test value and a value above 1.00000 for an invalid one. This test predicted validity correctly over 99% of the time across the testing set. Table 1 is an example of the inputs and outputs of the ANN with 2 input neurons; the extraneous temperature values are flagged as invalid, while the two plausible temperature values are accepted as valid.
Fig. 3. ANN Plot with 3 Input Neurons, ‘Using Machine Learning to Secure IoT Systems’ [18]
Table 1. ‘Using Machine Learning to Secure IoT Systems’ [18]
Device ID | Temperature Sensor Value | Baseline Validity | Prediction
15 | 225 | Valid | 1.00000 (Valid)
16 | 0 | Invalid | 1.21264 (Invalid)
8 | 254 | Valid | 1.00000 (Valid)
7 | 75 | Invalid | 1.21164 (Invalid)
After the initial results, the ANN was retrained with a third input neuron, the delay between transmissions. However, when the ANN was trained on a data set containing only valid data, it had difficulty making correct predictions. Based on these findings, it was determined that the ANN should be trained on a data set containing both valid and invalid data. This time, the output neuron produced a value around 1.00000 when predicting a valid test value and a value around 0.0000 when predicting an invalid one, because invalid data was now included in the training set.
Table 2. ‘Using Machine Learning to Secure IoT Systems’ [18]
Device ID | Temperature Sensor Value | Delay (milliseconds) | Prediction
14 | 232 | 1119 | 1.00002 (Valid)
16 | 0 | 951 | 0.00030 (Invalid)
8 | 241 | 1543 | 1.00002 (Valid)
7 | 75 | 4137 | 0.00031 (Invalid)
Table 2 is an example of the inputs and outputs of the ANN trained with 3 input neurons on both valid and invalid data. The valid sensor values from the temperature sensors again remained above an arbitrary value of 200, and their delay periods were reasonably close to 1000 milliseconds, so they were correctly predicted as valid by the ANN with an output close to 1.00000. The invalid sensor values, which were either well below the same arbitrary value of 200, well above a delay of 1000 milliseconds, or both, were correctly predicted as invalid with an output value nearing 0.0000. Figure 3 shows a visual representation of how the inputs are handled and how the validity output is determined by the weights of the network. This new test again predicted validity correctly over 99% of the time across the testing set.
In conclusion, this study developed a method that successfully detects anomalous data, which shows promise towards preventing man-in-the-middle or denial-of-service attacks in IoT systems. However, the article has a few limitations that may have skewed the results to look more promising than they are. First, the second iteration of the experiment, which used 3 input neurons, was tested with only 360 data points, a relatively small amount of data with which to test the ANN. In addition, artificial neural networks generally take longer to train than other machine learning algorithms [19], which makes them less favorable than algorithms such as Random Forest or Naïve Bayes.
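As an added illustration of the three-input, mixed-data setup above (not code from Cañedo and Skjellum, whose network architecture the page does not give), the following Python trains a single-neuron perceptron, the simplest ANN, on constructed valid and invalid readings and then classifies the four rows of Table 2. The training ranges, the scaling constants and the 5000-epoch guard are assumptions of the example; the device ID is deliberately left out of the linear unit, since a categorical ID fed in as a raw number has no meaningful ordering and would have to be one-hot encoded first.

```python
"""Added example (not the paper's code): a perceptron trained on labelled
valid AND invalid (device ID, temperature, delay) readings, mirroring the
three-input, mixed-data setup of Table 2. Data set, scaling constants and
class boundaries are constructed; only the rough thresholds (temperature
around 200, delay near 1000 ms) come from the text."""
from typing import Dict, List, Tuple

Reading = Tuple[int, int, int]      # (device_id, temperature, delay_ms)
Sample = Tuple[Reading, int]        # label: +1 = valid, -1 = invalid


def features(reading: Reading) -> List[float]:
    """Scale temperature and delay to comparable ranges and append a constant
    bias input. The device ID is not used: as a raw integer it has no
    meaningful ordering for a linear unit (one-hot encoding, not shown,
    would be the proper treatment)."""
    _device_id, temp, delay = reading
    return [(temp - 150) / 50.0, (1500 - delay) / 500.0, 1.0]


def constructed_dataset() -> List[Sample]:
    """Constructed training data: valid readings have a temperature of
    200-260 and a delay of 900-1600 ms; invalid readings have a temperature
    of 0-100, a delay of 2500-4500 ms, or both."""
    good_t, bad_t = range(200, 261, 20), range(0, 101, 25)
    good_d, bad_d = range(900, 1601, 100), range(2500, 4501, 500)
    data: List[Sample] = []
    dev = 0
    for temps, delays, label in ((good_t, good_d, 1), (bad_t, good_d, -1),
                                 (good_t, bad_d, -1), (bad_t, bad_d, -1)):
        for t in temps:
            for d in delays:
                data.append(((dev % 16, t, d), label))
                dev += 1
    return data


def train_perceptron(data: List[Sample], max_epochs: int = 5000) -> List[float]:
    """Perceptron rule: on every misclassified sample, w <- w + y * x.
    For linearly separable data this stops with zero training error
    (perceptron convergence theorem); max_epochs only guards the loop."""
    w = [0.0, 0.0, 0.0]
    for _ in range(max_epochs):
        mistakes = 0
        for reading, y in data:
            x = features(reading)
            if y * sum(wi * xi for wi, xi in zip(w, x)) <= 0:
                w = [wi + y * xi for wi, xi in zip(w, x)]
                mistakes += 1
        if mistakes == 0:
            break
    return w


def predict(w: List[float], reading: Reading) -> str:
    score = sum(wi * xi for wi, xi in zip(w, features(reading)))
    return "Valid" if score > 0 else "Invalid"


def training_errors(w: List[float], data: List[Sample]) -> int:
    return sum(1 for r, y in data
               if predict(w, r) != ("Valid" if y > 0 else "Invalid"))


def classify_table2_rows() -> Dict[Reading, str]:
    """Train on the constructed data and classify the four rows of Table 2."""
    w = train_perceptron(constructed_dataset())
    rows = [(14, 232, 1119), (16, 0, 951), (8, 241, 1543), (7, 75, 4137)]
    return {row: predict(w, row) for row in rows}


if __name__ == "__main__":
    for row, verdict in classify_table2_rows().items():
        print(row, verdict)
```

On linearly separable data the perceptron rule terminates with zero training error, so the Table 2 rows, which lie inside the regions spanned by the constructed training data, come out as Valid, Invalid, Valid, Invalid. The rule needs examples of both classes: trained on valid readings alone it has no negative examples and learns nothing about what makes a reading invalid, which parallels the paper's finding that the three-input network needed invalid data in its training set.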
3.3 ‘Detection of Unauthorized IoT Devices Using Machine Learning Techniques’
As the usage of IoT devices in the modern workplace expands, so does the potential for an IoT device that is infected with malware to connect to and infect an organization’s network. This could occur through an attacker trying to gain entry to an organization’s main systems, or through an employee who, unaware of its status, brings an already compromised personal IoT device and connects it to the workplace network. To prevent this kind of breach, Meidan et al. conducted a study that limits the types of IoT devices allowed to connect to an organization’s network via a whitelist and uses machine learning to determine whether a connecting device should be granted access. Their study chose the Random Forest supervised machine learning algorithm based on its resistance to bias when a large number of trees is used, 500 in this case, and on its use in other studies [20].
Table 3. ‘Detection of Unauthorized IoT Devices Using Machine Learning Techniques’ [21]
Device Type | Number of Models | Number of Devices | Number of Sessions Recorded | Correctly Predicted as Unknown (1 Session) | Correctly Predicted as Known (1 Session)
Baby Monitor | 1 | 1 | 51,578 | 0.96 | 0.98
Motion Sensor | 1 | 2 | 3,834 | 1 | 0.98
Smart Fridge | 1 | 1 | 1,018,921 | 0.97 | 0.97
Security Camera | 2 | 3 | 14,394 | 0.98 | 0.98
Smoke Detector | 1 | 1 | 369 | 0.97 | 0.97
Smart Socket | 1 | 2 | 2,808,876 | 0.98 | 0.97
Thermostat | 1 | 1 | 19,015 | 0.86 | 0.95
Smart TV | 2 | 2 | 144,205 | 0.93 | 0.96
Smartwatch | 3 | 4 | 4,391 | 0.81 | 0.93
Using the testbed of IoT devices shown in Table 3, each device is connected to a central switch and, in turn, a Wi-Fi router; the traffic of each device is captured over a period of several months by port-mirroring it onto a separate local server in the form of pcap files. These pcap files are run through a feature extractor, which splits them into individual TCP sessions, extracts the features of each session, and constructs a set of feature vectors that are merged into a dataset. This dataset was split chronologically into three parts: the first was used to train the Random Forest classifier, the second to optimize the threshold by which the classifier identifies a device, and the third to test the accuracy of the classifier. This sequence was conducted nine times, each time leaving one of the device types out of the training dataset and treating it as the unknown device type in the testing phase. Using this method, the classifier achieved an average accuracy of 94% for correctly identifying unknown devices and 97% for correctly identifying known, whitelis­ted devices, based on the results in Table 3. To improve the classification accuracy for some devices, the classifier was changed to examine 20 sessions at a time instead of one and to select the device type predicted most often across those 20 sessions. This brought the average accuracies up to 96% for identifying unknown devices and 99% for identifying known devices. In conclusion, this system could prove very beneficial for securing an organization’s network when combined with a security information and event management system that can isolate and block connections from unauthorized devices. Although the study proved effective at detecting unauthorized devices, it is limited to identifying devices according to the nine categories it used, such as smartwatch or security camera, and does not differentiate devices by manufacturer or model.
3.4 ‘ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic’
Meidan et al. conducted a similar study to the one above, sharing many of its aspects, but with the added goal of distinguishing IoT devices from non-IoT devices and a different choice of machine learning algorithms. This study uses a similar testbed to the one above, with the addition of several non-IoT device types, including a PC, a laptop, and two types of smartphones. The data was also collected in a similar manner: recording pcap files from a Wi-Fi access point, extracting the features of each session, constructing a dataset of feature vectors for every session, and then chronologically partitioning the dataset into three parts, one for training, one for optimization, and one for testing. However, in this setup there is no device type considered ‘unknown,’ so each session is classified as one device type or another. As shown in Figure 4, given a sequence of consecutive sessions S_d and their feature vectors, the device type d_i that the sessions originate from is determined by checking whether the majority of a number of consecutive sessions, s*_i, have a probability p_s of belonging to that device above the optimized threshold tr*_i of that device. The number of consecutive sessions needed, s*_i, is determined when the classifier is fed the optimization data set, such that the device can usually be predicted with a minimum number of consecutive sessions. The algorithm therefore begins by checking the given sessions against the device type that needs the fewest consecutive sessions and works its way through the rest of the device types in ascending order of that value. The values of tr*_i and s*_i for each device type can be seen in Table 4.
Table 4. ‘ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic’ [22]
 | Printer | Security Camera | Fridge | Motion Sensor | Baby Monitor | Thermostat | TV | Smartwatch | Socket
tr* | 0.35 | 0.5 | 0.2 | 0.2 | 0.3 | 0.2 | 0.1 | 0.8 | 0.25
s* | 11 | 1 | 3 | 3 | 9 | 45 | 23 | 77 | 1
Acc. | 1.00 | 0.99 | 1.00 | 1.00 | 0.97 | 1.00 | 0.98 | 0.98 | 1.00
Given the addition of non-IoT device types, the classifier was first evaluated on its ability to distinguish between IoT and non-IoT devices; here the classification accuracy for PCs and smartphones was extremely close to 100%. Then the classifier was evaluated on its ability to classify the different IoT devices, where it achieved an accuracy of 99.281%. The resulting accuracies for each device type can be seen in Table 4.
Algorithm 2: IoT Device Classification
    procedure CLASSIFYDEVICE(C, S_d)
        Sort C by ascending s*_i
        for (C_i, tr*_i, s*_i) in C do
            a ← 1
            n ← 0
            while a + s*_i − 1 ≤ |S_d| do
                for sess in {S_d[a], …, S_d[a + s*_i − 1]} do
                    p_s ← CLASSIFY(C_i, sess)
                    if p_s ≥ tr*_i then
                        n ← n + 1
                if n > s*_i / 2 then
                    return d_i
                else
                    a ← a + 1
        return ‘unknown’
Fig. 4. Algorithm for Classifying Sessions of IoT Devices. ‘ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic’ [22]
Since the classifier’s accuracy did not fully reach 100%, the minimum number of consecutive sessions needed was re-evaluated and the updated classifiers were re-evaluated on the testing data set. It was determined that, to approach an accuracy of 100%, the minimum number of consecutive sessions should be four and a third times higher than originally determined. In conclusion, this study demonstrates the ability to accurately identify both IoT and non-IoT device types from their initial network traffic when connecting to a gateway device.
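As an added example, not the authors' code, here is the procedure of Fig. 4 in plain Python. The per-device-type classifiers are constructed Gaussian-like scorers over two session features (mean packet size and mean inter-arrival time), and the thresholds tr* and window sizes s* are chosen for the example rather than taken from Table 4; the constructed_sessions helper generates deterministic feature vectors. With a single classifier and s* = 20, the same loop is the 20-session majority vote described in section 3.3.

```python
"""Added example (not the authors' code): the sliding-window device
classification of Fig. 4. Scorers, thresholds tr*, window sizes s* and
session feature vectors are all constructed for this example."""
import math
from typing import Callable, Dict, List, Sequence, Tuple

Session = Dict[str, float]                     # {"pkt_size": ..., "iat": ...}
Scorer = Callable[[Session], float]
Classifier = Tuple[str, float, int, Scorer]    # (d_i, tr*_i, s*_i, CLASSIFY)


def make_scorer(center: Tuple[float, float], width: Tuple[float, float]) -> Scorer:
    """Stand-in for a trained per-device model: a pseudo-probability in (0, 1]
    that is 1.0 at the device's typical (mean packet size, mean inter-arrival
    time) and decays with the scaled distance from it."""
    def score(sess: Session) -> float:
        d2 = (((sess["pkt_size"] - center[0]) / width[0]) ** 2
              + ((sess["iat"] - center[1]) / width[1]) ** 2)
        return math.exp(-0.5 * d2)
    return score


# Constructed classifier set C: (device type, tr*, s*, scorer)
CLASSIFIERS: List[Classifier] = [
    ("motion_sensor", 0.5, 3, make_scorer((90.0, 30.0), (15.0, 5.0))),
    ("security_camera", 0.5, 1, make_scorer((1200.0, 0.02), (150.0, 0.01))),
    ("smartwatch", 0.6, 5, make_scorer((300.0, 5.0), (60.0, 2.0))),
]


def classify_device(classifiers: Sequence[Classifier],
                    sessions: Sequence[Session]) -> str:
    """CLASSIFYDEVICE(C, S_d): device types needing the fewest consecutive
    sessions are tried first; a type is returned as soon as one window of s*
    consecutive sessions has a majority scoring at or above tr*. The vote
    count n is reset per window here (an explicit choice: a carried-over
    count would let sparse matches accumulate across the stream)."""
    for device, tr, s_star, scorer in sorted(classifiers, key=lambda c: c[2]):
        a = 0
        while a + s_star <= len(sessions):
            n = sum(1 for sess in sessions[a:a + s_star] if scorer(sess) >= tr)
            if n > s_star / 2:
                return device
            a += 1
    return "unknown"


def constructed_sessions(profile: str, count: int) -> List[Session]:
    """Deterministic session feature vectors jittered around a device profile
    (constructed; the 'unknown' profile matches none of the classifiers)."""
    base = {"motion_sensor": (90.0, 30.0), "security_camera": (1200.0, 0.02),
            "smartwatch": (300.0, 5.0), "unknown": (600.0, 1.0)}[profile]
    jitter = {"motion_sensor": (4.0, 2.0), "security_camera": (50.0, 0.002),
              "smartwatch": (20.0, 1.0), "unknown": (10.0, 0.1)}[profile]
    return [{"pkt_size": base[0] + jitter[0] * ((i % 3) - 1),
             "iat": base[1] + jitter[1] * ((i % 2) - 0.5)} for i in range(count)]


if __name__ == "__main__":
    print(classify_device(CLASSIFIERS, constructed_sessions("motion_sensor", 5)))
    print(classify_device(CLASSIFIERS, constructed_sessions("unknown", 8)))
    print(classify_device(CLASSIFIERS, constructed_sessions("motion_sensor", 2)))
```

Two edge cases are worth noting: a stream shorter than a type's s* never enters that type's window loop and falls through to ‘unknown’, and because the window slides one session at a time, a few foreign sessions at the start of a stream delay the verdict rather than change it.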
3.5 ‘Machine Learning DDoS Detection for Consumer Internet of Things Devices’
With the goal of finding the best machine learning algorithm for detecting Distributed
Denial of Service (DDoS) attacks in IoT network traffic, Doshi, Apthorpe, and Feamster
compare the effectiveness of multiple machine learning algorithms for detecting DDoS
attacks. This study chose to compare the effectiveness of K-Nearest Neighbors (KNN),
Support Vector Machine (SVM) with Linear Kernel, Decision Tree (DT), Random Forest
(RF), and a Neural Network (NN) at detecting anomalous data and abnormal behavior in
IoT systems based on their uses in previous studies on network intrusion detection systems
(NIDS) in non-IoT systems.
For the experiment, the testbed included a Raspberry Pi v3, which served as the gateway device, and three IoT devices that produced normal traffic: a YI Home Camera, a Belkin WeMo Smart Switch, and a Withings Blood Pressure Monitor, the last of which was connected via Bluetooth to an Android phone that was in turn connected to the gateway. Ten minutes of data was generated through normal interaction with the three devices, resulting in 32,290 packets of normal data. Then, DoS attacks were launched from a Kali Linux virtual machine against an Apache web server, resulting in 459,565 packets of malicious data, which were merged with the normal packets. All of the data was separated by the device it originated from, after which features such as packet size or the interval between packets were extracted. The study used features from two categories, stateless and stateful. The stateless features, packet size, inter-packet interval, and protocol, can all be collected without having to divide the incoming stream of traffic, which makes them less expensive to compute. The stateful features, such as bandwidth and the repetition of destination IP addresses, require the incoming stream to be divided by the originating device and then further divided into time windows before they can be collected. The separation and analysis of the traffic data can be seen in Figure 5.
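The two feature families are easier to see in code. The following is an added example, not the authors' extraction pipeline: stateless features are computed packet by packet, stateful ones only after splitting the stream by source device and into one-second windows. The packet records are constructed (a camera's normal traffic followed by a flood from the same device), and the field names and the window length are this example's choices.

```python
"""Added example (not Doshi, Apthorpe and Feamster's code): stateless vs.
stateful feature extraction from a per-device packet stream. Packets, IP
addresses and the 1-second window are constructed for the example."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    ts: float       # seconds
    src: str
    dst: str
    proto: str      # "TCP", "UDP", ...
    size: int       # bytes


def stateless_features(packets: List[Packet]) -> List[Dict[str, object]]:
    """Per-packet (size, inter-packet interval, protocol). The stream must be in
    time order; the first packet has no predecessor, so its interval is 0."""
    out: List[Dict[str, object]] = []
    prev_ts = None
    for p in packets:
        iat = 0.0 if prev_ts is None else p.ts - prev_ts
        out.append({"size": float(p.size), "iat": iat, "proto": p.proto})
        prev_ts = p.ts
    return out


def stateful_features(packets: List[Packet], window: float = 1.0) -> Dict[int, Dict[str, float]]:
    """Per time-window statistics for one device: packet count, bandwidth in
    bytes per second, mean inter-packet interval inside the window, and how
    repetitive the destination IPs are (1 - unique destinations / packets)."""
    buckets: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)
    stats: Dict[int, Dict[str, float]] = {}
    for w, pkts in sorted(buckets.items()):
        n = len(pkts)
        iats = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        stats[w] = {
            "packets": n,
            "bytes_per_s": sum(p.size for p in pkts) / window,
            "mean_iat": (sum(iats) / len(iats)) if iats else 0.0,
            "dst_repeat": 1.0 - len({p.dst for p in pkts}) / n,
        }
    return stats


def split_by_device(packets: List[Packet]) -> Dict[str, List[Packet]]:
    """The division the stateful features need: one time-ordered stream per source."""
    by_dev: Dict[str, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        by_dev[p.src].append(p)
    return dict(by_dev)


CAMERA = "192.168.1.20"   # constructed address


def constructed_capture() -> List[Packet]:
    """Constructed traffic: for 2 s the camera sends 10 packets/s of 1200 bytes,
    alternating between two cloud endpoints; from t = 2 s it floods a single
    victim with 500 packets/s of 60 bytes."""
    normal = [Packet(i / 10, CAMERA, ["198.51.100.7", "203.0.113.1"][i % 2], "TCP", 1200)
              for i in range(20)]
    flood = [Packet(2 + i / 500, CAMERA, "203.0.113.9", "TCP", 60) for i in range(500)]
    return normal + flood


def camera_windows() -> Dict[int, Dict[str, float]]:
    return stateful_features(split_by_device(constructed_capture())[CAMERA])


if __name__ == "__main__":
    for w, s in camera_windows().items():
        print(w, s)
```

In the flood window the bandwidth more than doubles, the mean inter-packet interval collapses from 0.1 s to 2 ms and the destination repetition rises from 0.8 to 0.998, which is the kind of shift the stateful features are meant to capture; the stateless per-packet view shows only the size drop and the shorter interval.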
Table 5. ‘Machine Learning DDoS Detection for Consumer Internet of Things Devices’ [23]
 | KNN | SVM | DT | RF | NN
Recall (Normal) | 0.993 | 0.870 | 0.993 | 0.998 | 0.989
F1 (Normal) | 0.995 | 0.927 | 0.994 | 0.998 | 0.986
Accuracy | 0.999 | 0.991 | 0.999 | 0.999 | 0.999
Only Stateless Features (F1 Normal) | 0.967 | 0.920 | 0.977 | 0.981 | 0.939
Stateless and Stateful Features (F1 Normal) | 0.995 | 0.921 | 0.995 | 0.998 | 0.989
Four of the five classifiers were built with the Scikit-learn Python library, and the last, the neural network, with the Keras library. Then 85% of the total traffic data was used to train the algorithms and the remaining 15% to test the resulting classifiers. As seen in Table 5, all the algorithms achieved high scores on the various metrics except for SVM, which had much lower Recall and F1 scores for normal data. The study concluded that, in addition to SVM performing the worst, the best performers were DT and KNN. However, based on Table 5, the classifier with the highest performance across all the metrics appears to be Random Forest.
Fig. 5. Analysis of Network Packet Flow Features, ‘Machine Learning DDoS Detection for
Consumer Internet of Things Devices’ [23]
One of the important realizations of this experiment was that stateless features were more beneficial to classification than stateful features. The differences in performance for each algorithm can be seen in the bottom two rows of Table 5, which show that using only stateless features lowers each classifier’s F1 score for normal data when separating normal from malicious traffic, but only modestly. Moreover, the Random Forest classifier using only stateless features still outperforms each of the other classifiers, which reinforces the conclusion that Random Forest is the best performing of the five algorithms tested.
In conclusion, this study found that a machine learning classifier could analyze
incoming traffic data using the data’s characteristics at a flow-based level to distinguish
between normal and attack data in a gateway IoT device. Based on the results for the metrics
of evaluation, it appears that the Random Forest algorithm is the best fit for detecting
incoming attacks. However, it should be noted that due to the overwhelming amount of
attack data used in this experiment, a classifier which identifies every piece of data as
malicious would achieve an accuracy of 93%.
3.6 ‘Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study’
Researchers at Abertay University investigated the MQTT (Message Queuing Telemetry Transport) protocol and evaluated the effectiveness of six Machine Learning (ML) techniques at detecting MQTT-based attacks. Three abstraction levels of features were assessed, namely packet-based, unidirectional flow, and bidirectional flow features. The network consisted of 12 MQTT sensors, a broker, a machine to simulate a camera feed, and an attacker. During normal operation, all 12 sensors send randomized messages using the MQTT Publish command; the message length differs between sensors to simulate different usage scenarios, and the message contents are randomly generated. The camera feed was simulated with VLC media player over a UDP stream. To make the scenario more realistic, the network emulators dropped packets at rates of 0.2%, 1%, and 0.13%. The background normal operation was kept running while the four attack scenarios were recorded. The devices ran Tiny Core Linux for the sensors, Ubuntu for the camera and camera feed server, and Kali Linux for the malicious users. Five-fold cross validation was used to evaluate each experiment.
Fig. 6 Cluster Node Diagram, ‘Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study’ [24]
Table 6. ‘Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study’ [24]
File Name | Pcap file size | # of Benign packets | # of Attack packets | # of Uni-flow Benign | # of Uni-flow Attack | # of Bi-flow Benign | # of Bi-flow Attack
Normal | 192.5 MB | 1,056,230 | 0 | 171,836 | 0 | 86,008 | 0
Scan_A | 16.2 MB | 70,768 | 40,624 | 11,560 | 39,797 | 5,786 | 19,907
Scan_sU | 41.3 MB | 210,819 | 22,436 | 34,409 | 22,436 | 17,230 | 22,434
Sparta | 3.4 GB | 947,177 | 19,728,942 | 154,175 | 28,232 | 77,202 | 14,116
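The three abstraction levels can be reproduced from a packet list with two keying functions. The code below is an added example, not the MQTT study's tooling: a unidirectional flow is keyed by the ordered 5-tuple, so each direction of a TCP exchange is a separate flow, while a bidirectional flow sorts the two endpoints so that a request and its reply share one key. The traffic is constructed: 12 sensors each completing one PUBLISH/ACK exchange with a broker on TCP/1883, plus a scanner probing three ports that nothing answers; addresses, ports and sizes are arbitrary.

```python
"""Added example (not code from the MQTT study): packets -> unidirectional
flows -> bidirectional flows, with per-flow features. Capture is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    size: int


Endpoint = Tuple[str, int]


@dataclass
class Flow:
    initiator: Endpoint       # endpoint that sent the first packet of the flow
    start: float
    end: float
    packets: int = 0
    bytes: int = 0
    fwd_packets: int = 0      # sent by the initiator
    bwd_packets: int = 0      # sent back to it (always 0 for a uni-flow)

    @property
    def duration(self) -> float:
        return self.end - self.start


def uniflow_key(p: Packet) -> Tuple:
    """Ordered 5-tuple: each direction of a conversation is its own flow."""
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)


def biflow_key(p: Packet) -> Tuple:
    """Direction-independent key: sort the endpoints so a packet and its
    reply land in the same flow."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (min(a, b), max(a, b), p.proto)


def aggregate(packets: List[Packet], keyfn: Callable[[Packet], Tuple]) -> Dict[Tuple, Flow]:
    """Group time-ordered packets by keyfn and accumulate per-flow counters."""
    flows: Dict[Tuple, Flow] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        k = keyfn(p)
        if k not in flows:
            flows[k] = Flow(initiator=(p.src_ip, p.src_port), start=p.ts, end=p.ts)
        f = flows[k]
        f.packets += 1
        f.bytes += p.size
        f.end = p.ts
        if (p.src_ip, p.src_port) == f.initiator:
            f.fwd_packets += 1
        else:
            f.bwd_packets += 1
    return flows


BROKER = "10.0.0.2"   # constructed address


def constructed_capture() -> List[Packet]:
    """12 sensors each send one PUBLISH and get one ACK; a scanner then sends
    one probe to each of three broker ports and receives nothing back."""
    pkts: List[Packet] = []
    for n in range(12):
        sensor, port, t = f"10.0.0.{100 + n}", 40000 + n, float(n)
        pkts.append(Packet(t, sensor, port, BROKER, 1883, "TCP", 60 + 5 * n))     # PUBLISH
        pkts.append(Packet(t + 0.01, BROKER, 1883, sensor, port, "TCP", 54))      # ACK
    scanner = "10.0.0.66"
    for i, dport in enumerate((1883, 22, 80)):
        pkts.append(Packet(20.0 + i, scanner, 50000 + i, BROKER, dport, "TCP", 44))
    return pkts


def flow_counts(packets: List[Packet]) -> Dict[str, int]:
    uni = aggregate(packets, uniflow_key)
    bi = aggregate(packets, biflow_key)
    return {"uniflows": len(uni), "biflows": len(bi),
            "one_sided_biflows": sum(1 for f in bi.values() if f.bwd_packets == 0)}


if __name__ == "__main__":
    print(flow_counts(constructed_capture()))
```

On this capture the benign exchanges yield 24 uni-flows but 12 bi-flows, the roughly 2:1 ratio between the benign uni-flow and bi-flow columns of Table 6, while the scanner's three probes stay 1:1 because nothing answered them; that one-sidedness (bwd_packets == 0) is only visible once packets are aggregated, which is the kind of information packet-based features cannot express.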
The evaluation metric was overall accuracy, i.e. (TP + TN) / (P + N), where True Positive (TP) is the number of attack instances correctly classified, True Negative (TN) the number of benign instances correctly classified, Positive (P) the total number of attack instances, and Negative (N) the total number of benign instances. At the end of the experiment, flow-based features proved better suited to discriminating between benign traffic and MQTT-based attacks, since the two have similar packet-level characteristics. The weighted average rose from 75.31% with packet-based features to 93.77% and 98.85% with unidirectional and bidirectional flow features respectively, while the weighted average precision rose from 72.37% with packet-based features to 97.19% and 99.04% with unidirectional and bidirectional flow features. These figures are all for the k-NN algorithm, which had the best overall results.
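The accuracy definition above and the 93% caveat from section 3.5 can be checked with the following added example (not code from either study). It computes accuracy, precision, recall and F1 from a confusion matrix for both classes and then evaluates a classifier that labels every packet as an attack on the packet counts stated in section 3.5 (32,290 normal, 459,565 attack); the confusion matrices themselves are constructed.

```python
"""Added example (not from either paper): per-class metrics from a confusion
matrix, and the all-attack baseline on the section 3.5 packet counts."""
from typing import Dict


def class_metrics(tp: int, fn: int, fp: int, tn: int) -> Dict[str, float]:
    """Accuracy = (TP + TN) / (P + N) with P = TP + FN and N = TN + FP, plus
    precision, recall and F1 for the positive class. Precision is taken as 0
    when nothing was predicted positive, to avoid a division by zero."""
    p, n = tp + fn, tn + fp
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / p if p else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / (p + n), "precision": precision,
            "recall": recall, "f1": f1}


def two_class_report(normal_as_normal: int, normal_as_attack: int,
                     attack_as_attack: int, attack_as_normal: int) -> Dict[str, object]:
    """Metrics for both classes of a normal/attack classifier, plus the macro
    (unweighted) and support-weighted averages of recall. The arguments are
    the four cells of the confusion matrix (true class, predicted class)."""
    attack = class_metrics(tp=attack_as_attack, fn=attack_as_normal,
                           fp=normal_as_attack, tn=normal_as_normal)
    normal = class_metrics(tp=normal_as_normal, fn=normal_as_attack,
                           fp=attack_as_normal, tn=attack_as_attack)
    n_normal = normal_as_normal + normal_as_attack
    n_attack = attack_as_attack + attack_as_normal
    total = n_normal + n_attack
    return {
        "accuracy": attack["accuracy"],        # same value from either class
        "normal": normal,
        "attack": attack,
        "macro_recall": (normal["recall"] + attack["recall"]) / 2,
        "weighted_recall": (normal["recall"] * n_normal
                            + attack["recall"] * n_attack) / total,
    }


def all_attack_baseline(n_normal: int = 32290, n_attack: int = 459565) -> Dict[str, object]:
    """A classifier that labels every packet as an attack, on the section 3.5 counts."""
    return two_class_report(normal_as_normal=0, normal_as_attack=n_normal,
                            attack_as_attack=n_attack, attack_as_normal=0)


if __name__ == "__main__":
    base = all_attack_baseline()
    print("accuracy", round(base["accuracy"], 3))
    print("normal recall", base["normal"]["recall"], "macro recall", base["macro_recall"])
```

The all-attack classifier scores 0.934 accuracy and 0.934 support-weighted recall while its recall on the Normal class is 0, which is why Table 5 reports Recall and F1 for the Normal class rather than accuracy alone; the macro average, 0.5, is the figure that exposes it. The same trap applies to the weighted averages quoted for the MQTT study whenever one class dominates the capture.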
3.7 ‘AD-IoT: Anomaly Detection of IoT Cyber Attacks in Smart City Using Machine Learning’
Researchers Ibrahim Alrashdi, Ali Alqazzaz, Esam Aloufi, Raed Alharthi, Mohamed Zohdy, and Hua Ming set out to create an anomaly detection system for IoT devices based on selected machine learning algorithms such as Decision Tree, K-Nearest Neighbor, and Random Forest. Current intrusion detection systems are not designed for smart device applications, so AD-IoT in the fog layer can help significantly. The AD-IoT system design model consists of dozens of components involving a large number of IoT devices connected to distributed fog layers. By watching the fog layer as opposed to the local network or server side, the detector sits closest to the IoT sensors, saving alert time and network computing resources. This assumption does rely on the network having a private gateway. The master fog node can intelligently monitor all the communication in the network traffic data.
Fig. 7 Network Layer Diagram [25]
Fig. 8 Fog Layer computational flowchart [25]
The system is based on ensemble methods, improved with the Random Forest and Extra Trees algorithms. The researchers used the UNSW-NB15 dataset and used Extra Trees classifier feature importances to reduce the feature set to 12 features. They loaded the UNSW-NB15 data into a pandas DataFrame, which breaks the data down into more manageable and efficient structures and allowed them to read, split, convert, and normalize it efficiently. The number of false positives in current IoT security also needs improvement, which they demonstrate with a confusion matrix using current technologies. They used a table to break down the specific attacks that leverage IoT devices because they require, or work better with, botnets. After each model was trained for a specific attack type, different machine learning algorithms such as Decision Tree, K-Nearest Neighbor, and Random Forest were used to optimize each step to increase efficiency and lower the total time of detection.
Fig. 9 Comparison Graph 'ML Algorithm Comparison' [25]
The binary classification performance was as follows: in the Random Forest model the precision for the Normal class was 99% with a recall of 99%, while the Attack class had a precision of 79% with a recall of 97%. They used the UNSW-NB15, KDD99, and NSL-KDD datasets to train their models. In conclusion, the test was highly successful on the datasets used and should scale to larger datasets or real-world traffic.
Fig. 10. Five-fold cross validation with the training set (a) and the testing set (b), ‘Attack and Anomaly Detection in IoT Sensors in IoT Sites Using Machine Learning Approaches’ [26]
3.8 ‘Attack and Anomaly Detection in IoT Sensor in IoT Sites Using Machine Learning Approaches’
In addition to DDoS attacks, there are numerous other types of cyber-attacks and anomalous
data which may be leveraged against IoT devices. Hasan, Islam, Zarif, and Hashem address
the need for a safe IoT system that can identify intrusions and recover quickly. To help
develop a solution, they proposed the use of a machine learning classifier and aimed to
compare the effectiveness of five different machine learning algorithms in intrusion
detection: Logistic Regression (LR), SVM, Decision Tree, RF, and ANN.
For their experiment, they used an open-source dataset from Kaggle, which created
a virtual IoT environment using the Distributed Smart Space Orchestration System, in which
there were 347,935 instances of normal data and 10,017 instances of anomalous data. Of the
anomalous data, there were eight distinct types of attack data: denial of service, data type
probing, malicious control, malicious operation, scan, spying, and wrong setup. The data
from the open-source dataset was then preprocessed, in which missing or unexpected values
from the dataset’s ‘Accessed Node Type’ and ‘Value’ columns were given meaningful
values. Then, when the feature vectors were being generated, the nominal categorical data
from the dataset, which includes features like source address or destination address, was
turned into feature vectors using label encoding, which maintains the number of features.
After preprocessing the data and developing feature vectors from the data, the set of
resulting feature vectors was split into a training set, which consisted of 80% of the data,
and a testing set, which held the remaining 20%.
Every machine learning algorithm was given the training data set to develop its
own classifier, and then each classifier was given the testing data set and evaluated based
on how well it could differentiate between normal and attack data and between the eight
classes of attack data, using several different evaluation metrics. While the classifiers were
given the training and testing data sets, they were cross-validated using five different sample
sizes in both cases, which can be seen in Figure 10. In the two smallest sample sizes of the
testing data set, the accuracies of the DT and ANN classifiers were poor, as was RF's to a
lesser extent. However, in the larger sample sizes, the accuracies of DT, ANN, and RF
outperformed SVM and LR. SVM and LR were also outperformed by the other algorithms
for each fold of cross-validation during training. After evaluating the five classifiers, it was
found that Random Forest was the best algorithm compared to the others. RF and DT had
the fewest misclassifications, and RF’s standard deviation on the testing data set was slightly
better than that of DT and ANN. In conclusion, although RF, DT, and ANN could all
sufficiently classify both normal and attack data given a large enough sample size, it was
determined that RF is the best of the chosen algorithms for classifying normal and attack
data in an IoT network.
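The pipeline described above (label encoding of nominal fields such as source and destination address, an 80/20 split, training, and evaluation both as normal-vs-attack and per attack class) is shown below as an added example; it is not code from Hasan et al. or from this survey. A k-NN classifier written in plain Python stands in for the five library classifiers the study compared, and the records, field names, device names and three class labels are constructed stand-ins for the Kaggle dataset's columns.

```python
"""Label-encode nominal IoT log fields, split 80/20, classify with k-NN.

Added example (not code from Hasan et al. or from the survey). RECORDS is a
constructed stand-in for the Kaggle DS2OS log; the column names, device names
and class labels below are assumptions made for illustration.
"""
import math
import random
from collections import Counter

rng = random.Random(7)
# Constructed rows: (source_address, destination_address, accessed_node_type, value, label)
RECORDS = []
for _ in range(60):   # benign thermostat readings from five sensors
    RECORDS.append(("sensor%d" % rng.randint(1, 5), "gw1", "/Thermostat", rng.uniform(18.0, 24.0), "normal"))
for _ in range(20):   # "denial of service"-style bursts with out-of-range values from a few sources
    RECORDS.append(("bot%d" % rng.randint(1, 3), "gw1", "/Thermostat", rng.uniform(90.0, 120.0), "dos"))
for _ in range(20):   # "wrong setup": plausible values written to an unexpected node type / gateway
    RECORDS.append(("sensor%d" % rng.randint(1, 5), "gw2", "/Unknown", rng.uniform(18.0, 24.0), "wrongsetup"))


def label_encode(rows, col):
    """Assign each distinct nominal value in column `col` an integer code.
    One column in, one column out: the number of features is unchanged
    (unlike one-hot encoding, which adds a column per category)."""
    return {v: i for i, v in enumerate(sorted({r[col] for r in rows}))}


def build_vectors(rows):
    """Turn the raw rows into numeric feature vectors and a label list."""
    enc = [label_encode(rows, c) for c in (0, 1, 2)]
    X = [[enc[0][r[0]], enc[1][r[1]], enc[2][r[2]], r[3]] for r in rows]
    y = [r[4] for r in rows]
    return X, y


def min_max_scale(X):
    """Scale each feature to [0, 1] so no single column dominates the distance."""
    cols = list(zip(*X))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)] for row in X]


def split_80_20(X, y, seed=1):
    """Shuffle once, then hold out the last 20% as the testing set."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    cut = int(0.8 * len(idx))
    tr, te = idx[:cut], idx[cut:]
    return [X[i] for i in tr], [y[i] for i in tr], [X[i] for i in te], [y[i] for i in te]


def knn_predict(train_X, train_y, x, k=3):
    """Majority vote among the k nearest training vectors (Euclidean distance)."""
    nearest = sorted(zip((math.dist(x, t) for t in train_X), train_y))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def evaluate(k=3):
    """Return (multi-class accuracy, normal-vs-attack accuracy, (true, predicted) counts)."""
    X, y = build_vectors(RECORDS)
    trX, trY, teX, teY = split_80_20(min_max_scale(X), y)
    preds = [knn_predict(trX, trY, x, k) for x in teX]
    per_class = Counter((t, p) for t, p in zip(teY, preds))
    acc = sum(t == p for t, p in zip(teY, preds)) / len(teY)
    binary_acc = sum((t == "normal") == (p == "normal") for t, p in zip(teY, preds)) / len(teY)
    return acc, binary_acc, per_class


if __name__ == "__main__":
    acc, binary_acc, per_class = evaluate()
    print(f"per-class accuracy: {acc:.3f}, normal-vs-attack accuracy: {binary_acc:.3f}")
    print(dict(per_class))
```

The encoder is fitted on the whole dataset before the split, as the study's description implies; the scaling step is the part a practitioner most often forgets when integer codes for addresses sit next to a wide-range numeric column like `Value`.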
3.9 ‘Cyber forensics framework for big data analytics in IoT environment using machine learning’
Researchers Gurpal Singh Chhabra, Varinder Pal Singh, and Maninder Singh created a
generalized forensic framework that uses Google’s programming model, MapReduce, as the
backbone for traffic translation, extraction, and analysis of dynamic traffic features. They
used open-source tools like Hadoop, Hive, Mahout, and R. A comparative analysis of
globally accepted machine learning models for P2P malware analysis in mocked real time
is also presented. A dataset from CAIDA was used and executed in parallel to validate the
proposed model. The forensic performance metrics of the model show a sensitivity of 99%.
For creating an environment suite, they used the HDFS Hadoop architecture with standard
MapReduce programming. The Hadoop infrastructure is able to handle abnormal conditions,
and HDFS’s multi-cluster architecture is fault tolerant: it creates a replica of every block of
user data on a different machine of the cluster, so if a machine were to crash, the work done
on the data is not affected, as multiple copies of each block of data are stored on multiple
nodes. The whole forensics analysis architecture is divided into four major modules: data
collector and information generator, feature analytics and extraction, machine learning
model design, and analysis of the models on various efficiency metrics. The researchers
used a tool called Dumpcap, as it had better performance due to libpcap's low-level
abstraction, especially when working with big data. Along with Dumpcap, Tshark was used
to extract the fields from the traffic data in comma-separated format, because it provides
many options to manipulate and clean the output in various forms.

Fig. 11 Hadoop Cluster Network [27]
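The extraction stage described here (Dumpcap capture, Tshark field export to CSV, MapReduce over the packet records) can be sketched in a few lines. The block below is an added example, not code from Chhabra et al. or from this survey: it parses constructed Tshark-style CSV lines, maps each packet to a flow key, shuffles by key and reduces to per-flow features, and runs the same job over one input split (the sequential method) and over several (standing in for the parallel and multi-node methods) to show that the results agree. The Tshark field list and the derived feature names are assumptions.

```python
"""Map/reduce extraction of per-flow features from Tshark-style CSV output.

Added example (not code from Chhabra et al. or from the survey). TSHARK_CSV is
constructed to look like `tshark -T fields` output for the fields
frame.time_relative, ip.src, ip.dst, ip.proto, frame.len; the chosen fields and
the derived feature names are assumptions for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

TSHARK_CSV = """\
0.000,10.0.0.5,10.0.0.1,6,74
0.010,10.0.0.5,10.0.0.1,6,66
0.020,10.0.0.1,10.0.0.5,6,1514
0.031,10.0.0.7,10.0.0.1,17,98
0.040,10.0.0.5,10.0.0.1,6,66
0.052,10.0.0.9,10.0.0.1,6,60
0.053,10.0.0.9,10.0.0.1,6,60
0.054,10.0.0.9,10.0.0.1,6,60
0.055,10.0.0.9,10.0.0.1,6,60
0.058,10.0.0.7,10.0.0.1,17,98
"""


def parse_rows(text):
    """Translate Tshark's CSV text into typed packet records."""
    for t, src, dst, proto, length in csv.reader(StringIO(text)):
        yield float(t), src, dst, int(proto), int(length)


def mapper(records):
    """Map phase: one (flow_key, partial_stats) pair per packet."""
    for t, src, dst, proto, length in records:
        yield (src, dst, proto), (1, length, t, t)   # packets, bytes, first_seen, last_seen


def reducer(values):
    """Reduce phase: fold the partial stats of one flow into its feature record."""
    pkts = sum(v[0] for v in values)
    nbytes = sum(v[1] for v in values)
    first = min(v[2] for v in values)
    last = max(v[3] for v in values)
    duration = last - first
    return {
        "packets": pkts,
        "bytes": nbytes,
        "duration": round(duration, 3),
        # a single-packet flow has no duration; report its count as the rate
        "pkt_rate": round(pkts / duration, 1) if duration > 0 else float(pkts),
    }


def run_job(text, partitions=1):
    """Run the job over `partitions` input splits: partitions=1 is the sequential
    method, >1 stands in for the parallel/multi-node methods. Results must be
    identical because the reducer only uses order-independent aggregates."""
    records = list(parse_rows(text))
    splits = [records[i::partitions] for i in range(partitions)]
    shuffled = defaultdict(list)           # the shuffle step groups values by key
    for split in splits:                   # each split is "one node's" map task
        for key, value in mapper(split):
            shuffled[key].append(value)
    return {key: reducer(values) for key, values in shuffled.items()}


if __name__ == "__main__":
    for key, feats in sorted(run_job(TSHARK_CSV, partitions=3).items()):
        print(key, feats)
```

The reducer only uses sums, minima and maxima, which is what makes the split-and-recombine form safe; a feature such as a median inter-arrival time would need the full list of timestamps per key to reach one reducer.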
Table 7. ‘Comparative analysis of machine learning models for cyber forensic framework’ [27]

Model Name    | FNR, MR | TR (%) | Sensitivity/Recall | Specificity (SPC) | Precision | Type-I Error Rate | Type-II Error Rate
Decision Tree | .022    | .992   | .977               | .999              | .999      | .0002             | .022
Ada BOOST     | .011    | .996   | .977               | .999              | .999      | .0002             | .011
Random Forest | .008    | .997   | .992               | .999              | .99940    | .0003             | .008
SVM           | .217    | .777   | .783               | .771              | .77141    | .229              | .217
Linear Model  | .030    | .975   | .970               | .978              | .95575    | .022              | .030
Neural Net    | 0.000   | .667   | 1.000              | .666              | .00015    | .333              | 0.000
Accuracy column (seven values listed in the source for six models; alignment unclear): 1.000, .997, 1.000, 1.000, .971, .987, 1.000

The researchers used the traffic sniffer module Dumpcap on Ubuntu 15X, with different ring
buffer options, to capture successive network traffic, and used Tshark for extracting the
fields of each packet in three different modes: single, parallel, and remote parallel mode.
For remote parallel mode, the researchers used the three nodes they set up earlier. The
extraction is automated with MapReduce shell scripts, and the observation is based on the
packet count. The Evidence Traffic Collector and Information Generator starts with sniffing
the traffic using Dumpcap, and then features are extracted using Tshark. Three methods were
used and compared in the proposed approach. The first method is the sequential execution
of the script on a single machine. In the second method, execution is done on a single
machine in parallel, and the third one is by a MapReduce script on a multi-node cluster of
Hadoop. The researchers also tested the performance regression or gains from altering the
memory size and network bandwidth of the framework. They also tried three different
database types: MySQL, PostgreSQL, and Sqoop + Hive. The time differences were all within
0.02ms of each other, so the results were inconclusive. The main concern was improper
network setups that did not support the constraints needed for the data flow of the
framework. Of the algorithms tested, the most accurate and precise were Decision Tree and
Ada BOOST. In conclusion, the Hadoop framework was effective, but smaller-scale networks
commonly found in homes resulted in less accurate results and more latency.

Fig. 12 Dataset comparison 'Performance of Proposed Multi-node Approach using HDFS' [27]
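The metrics in Table 7 (sensitivity/recall, specificity, precision, Type-I and Type-II error rates, accuracy) all derive from the same four confusion-matrix counts, and the MQTT study in 3.6 reports them as support-weighted averages across classes. The block below is an added example, not code from this survey or from any of the reviewed papers: it computes both forms from constructed counts, and its second binary case shows the majority-class pitfall raised in the Limitations section, where a detector that flags everything as an attack still scores a high accuracy on an attack-heavy dataset. The class names and counts are constructed.

```python
"""Confusion-matrix metrics of the kind reported in Table 7 and in Section 3.6.

Added example; not code from the survey or from the reviewed papers. All counts
and class names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Binary counts with 'attack' as the positive class."""
    tp: int  # attack instances classified as attack
    fn: int  # attack instances classified as benign (missed)
    fp: int  # benign instances classified as attack (false alarms)
    tn: int  # benign instances classified as benign

    @property
    def positives(self) -> int:  # P: total attack instances
        return self.tp + self.fn

    @property
    def negatives(self) -> int:  # N: total benign instances
        return self.fp + self.tn


def _ratio(num: float, den: float) -> float:
    return num / den if den else 0.0


def binary_metrics(c: Confusion) -> dict:
    """Table 7's columns, each expressed through TP, FN, FP, TN."""
    total = c.positives + c.negatives
    return {
        "sensitivity": _ratio(c.tp, c.positives),      # recall / true positive rate
        "specificity": _ratio(c.tn, c.negatives),      # true negative rate
        "precision": _ratio(c.tp, c.tp + c.fp),
        "type_i_error": _ratio(c.fp, c.negatives),     # false positive rate
        "type_ii_error": _ratio(c.fn, c.positives),    # false negative rate (FNR)
        "accuracy": _ratio(c.tp + c.tn, total),
        "misclassification_rate": _ratio(c.fp + c.fn, total),
    }


def per_class_confusions(matrix: dict) -> dict:
    """One-vs-rest Confusion per class from a multi-class matrix {true_label: {pred_label: n}}."""
    labels = sorted(matrix)
    total = sum(sum(row.values()) for row in matrix.values())
    out = {}
    for lab in labels:
        tp = matrix[lab].get(lab, 0)
        fn = sum(matrix[lab].values()) - tp
        fp = sum(matrix[o].get(lab, 0) for o in labels if o != lab)
        out[lab] = Confusion(tp, fn, fp, total - tp - fn - fp)
    return out


def weighted_average(matrix: dict, metric: str = "precision") -> float:
    """Per-class metric averaged with weights equal to each class's true instance count."""
    confs = per_class_confusions(matrix)
    support = sum(c.positives for c in confs.values())
    return sum(binary_metrics(c)[metric] * c.positives for c in confs.values()) / support


def macro_average(matrix: dict, metric: str = "precision") -> float:
    """Unweighted mean of the per-class metric, for comparison with the weighted form."""
    confs = per_class_confusions(matrix)
    return sum(binary_metrics(c)[metric] for c in confs.values()) / len(confs)


# Constructed binary cases: a strong detector, and a degenerate one that flags everything
# on a dataset where attack instances outnumber benign ones 10:1.
STRONG = Confusion(tp=978, fn=22, fp=2, tn=9998)
FLAG_EVERYTHING = Confusion(tp=10000, fn=0, fp=1000, tn=0)

# Constructed three-class matrix {true: {predicted: count}}; class names are placeholders.
MATRIX = {
    "benign":     {"benign": 950, "flood": 40, "bruteforce": 10},
    "flood":      {"benign": 5,   "flood": 190, "bruteforce": 5},
    "bruteforce": {"benign": 20,  "flood": 0,   "bruteforce": 80},
}

if __name__ == "__main__":
    for name, c in (("strong", STRONG), ("flag_everything", FLAG_EVERYTHING)):
        print(name, {k: round(v, 4) for k, v in binary_metrics(c).items()})
    print("weighted precision", round(weighted_average(MATRIX), 4),
          "macro precision", round(macro_average(MATRIX), 4))
```

Two properties worth knowing when reading tables like Table 7: the support-weighted recall is always equal to the overall accuracy, so a paper reporting both adds no information, and the weighted average hides a minority class with poor precision (here `flood`) that the macro average exposes.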
3.10 ‘Fast Authentication and Progressive Authorization in Large-Scale IoT: How to Leverage AI for Security Enhancement’
Researchers He Fang, Angie Qi, and Xianbin Wang aimed to leverage the functionality of an
optimal nonlinear classifier, such as a support vector machine (SVM) based algorithm. Using
an SVM offloads the work and removes the need for physical keys, which require more
resources and are prone to attacks. Firstly, they used a kernel machine-learning-based
physical layer authentication scheme to defend against spoofing attacks through tracking the
communication link and hardware-related features in time-varying environments. This
developed a physical-layer authentication scheme based on leveraging machine learning to
improve the spoofing detection accuracy. To detect cyber-attacks, the researchers designed
a watermarking algorithm based on a deep learning long short-term memory structure for
dynamic authentication, which enables IoT devices to extract vital information identifying
whether they are malicious or not from their generated signal and to dynamically watermark
these features into transmitted signals. First, the measurements of selected features are
obtained by channel probing. In order to convert these measurements into binary sequences,
the researchers developed a new quantization technique based on the SVM to derive an
optimal nonlinear boundary at the base station. Different from the received signal strength
(RSS)-based quantization technique, the optimal nonlinear classifier reduces wrong decisions
through diminishing the measurements near the boundary. The base station then sends the
optimal nonlinear boundary to the IoT device so that highly similar binary sequences will
be acquired on both sides because of the amplified channel reciprocity. Hash functions
could be used for verification so that an identical seed is obtained, and then the same PRC
is generated for authentication between each IoT device and the base station. Explicitly, the
seeds generated by the base station and IoT device are concealed from any other devices
because of the unique and unpredictable features of the communication link used. In this
scheme, the AI technique facilitates the security enhancement through training a nonlinear
classifier at the base station, which is equipped with high computing and storage capabilities
as well as a continuous energy supply.
In conclusion, game theory may also be utilized for defending against insider
attacks through modeling the behaviors of attackers. The comparison between the physical
layer key generation scheme and the developed lightweight authentication scheme is
summarized as follows:

Authentication schemes | Physical layer key generation scheme | Lightweight authentication scheme
Characteristic         | Static and one-time                  | Continuous
Key/seed transmission  |                                      |

Fig. 13 Authentication Model 'Holistic authentication and authorization based on trust management and online ML' [28]
Fig. 14 Attack Prevention Model 'Lightweight SVM authentication scheme' [28]
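The quantization step described above (channel probing, a decision boundary derived at the base station and sent to the device, measurements near the boundary diminished so both sides obtain the same bit sequence, and a hash to verify that the seeds agree) is worked through below as an added example; it is not code from Fang et al. or from this survey. In place of the SVM-learned nonlinear boundary, the base station uses the median of its own measurements as a fixed boundary with a guard band around it; the measurements are constructed, with the device's view equal to the base station's view plus small per-sample noise standing in for imperfect channel reciprocity.

```python
"""Channel-measurement quantization with a guard band, then hashed seed agreement.

Added example (not code from Fang et al. or from the survey). Fang et al. train
an SVM at the base station to obtain an optimal nonlinear boundary; this
simplified version uses the median of the base station's measurements as a
fixed boundary and a guard band around it. The measurements are constructed:
DEVICE_VIEW is BASE_STATION_VIEW plus small per-sample noise, standing in for
imperfect channel reciprocity.
"""
import hashlib
import statistics

# Constructed probe measurements of one channel feature, as seen by each side.
BASE_STATION_VIEW = [0.82, -1.31, 0.05, 1.92, -0.44, 0.13, -2.05, 0.61,
                     -0.09, 1.27, -0.71, 0.02, 0.95, -1.58, 0.38, -0.26]
_NOISE = [0.03, -0.02, -0.08, 0.01, 0.04, -0.03, 0.02, -0.05,
          0.07, 0.02, -0.01, 0.06, -0.04, 0.03, -0.02, 0.05]
DEVICE_VIEW = [b + n for b, n in zip(BASE_STATION_VIEW, _NOISE)]


def quantize(values, boundary, guard):
    """One bit per measurement; None marks values inside the guard band.
    Measurements that close to the boundary are the ones most likely to flip
    under reciprocity noise, so the base station excludes them."""
    return [None if abs(v - boundary) < guard else int(v > boundary) for v in values]


def bits_to_bytes(bits):
    """Pack a 0/1 list into bytes (zero-padded to a whole byte)."""
    padded = bits + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, padded[i:i + 8])), 2) for i in range(0, len(padded), 8))


def derive_seed(bits):
    """Hash the agreed bit string; comparing digests verifies agreement without revealing bits."""
    return hashlib.sha256(bits_to_bytes(bits)).hexdigest()


def run_seed_agreement(guard, bs_values=BASE_STATION_VIEW, dev_values=DEVICE_VIEW):
    """Base station: derive boundary, quantize with guard band, send boundary and the
    indices it kept. Device: quantize its own measurements at those indices. Both
    hash their sequences; the digests match only if every kept bit agrees."""
    boundary = statistics.median(bs_values)          # stand-in for the SVM boundary
    bs_bits = quantize(bs_values, boundary, guard)
    kept = [i for i, b in enumerate(bs_bits) if b is not None]
    bs_seq = [bs_bits[i] for i in kept]
    dev_seq = [int(dev_values[i] > boundary) for i in kept]
    return {
        "boundary": boundary,
        "kept": len(kept),
        "mismatches": sum(a != b for a, b in zip(bs_seq, dev_seq)),
        "seed_match": derive_seed(bs_seq) == derive_seed(dev_seq),
    }


if __name__ == "__main__":
    for g in (0.0, 0.1):
        print(f"guard={g}:", run_seed_agreement(g))
```

With no guard band the two sides disagree on the two samples that sit within a few hundredths of the boundary and the digests differ; with a guard band of 0.1 those samples are dropped, the 13 remaining bits agree and the digests match. The boundary and the list of kept indices can travel in the clear, since neither reveals which side of the boundary a kept sample fell on; the cost of the guard band is shorter seeds, so in practice it is traded off against the noise level actually observed on the link.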
4 Discussion and Analysis
Overview and Analysis of the Articles under Literature Review

[16]
Methodologies: Train 6 different models based upon precompiled datasets to determine the most accurate algorithm.
Results: Detection accuracy of 95.2% with DWF.
Pros: Lightweight algorithms, so less computational power is required.
Cons: Precision was still below 90%.

[18]
Methodologies: Collect data from temperature sensors and transfer it to a gateway device. Then, train and test an ANN using said data, first with two input neurons and then 3.
Results: Correctly predicts validity over 99% of the time for both models with 2 and 3 input neurons.
Pros: Correctly identifies anomalous data for both delay time and value.
Cons: Conducted using a relatively small dataset.

[21]
Methodologies: Collect data from 9 different IoT devices running normally and transfer it to a gateway device. Then copy the data and extract a set of feature vectors from the sessions. Then, train, optimize, and test a classifier using RF with the data.
Results: Correctly identifies a session’s device of origin when known 99% of the time and correctly identifies a session as unknown 96% of the time using a window of 20 sessions.
Pros: Capable of preventing unauthorized device types from entering an organization’s network.
Cons: Accuracies nearing 100% require up to 110 sessions for some device types.

[22]
Methodologies: Collect data from multiple IoT and non-IoT devices running normally and transfer it to a gateway device. Then copy the data and extract a set of feature vectors from the sessions. Then, train, optimize, and test several classifiers using RF, XGBoost, and GBM with the data.
Results: Correctly identifies a session’s device of origin 99.281% of the time using the first optimized number of consecutive sessions.
Pros: Capable of identifying what type of device one is based on its network traffic.
Cons: Accuracies nearing 100% require a number of consecutive sessions 4.33 times higher than previously determined.

[23]
Methodologies: Collect data from three different IoT devices and add data from a simulated DoS attack to the dataset. Then, extract feature vectors and train and test the five classifiers with the data.
Results: All five of the classifiers reached over 99% accuracies, but RF performed the best both with and without stateful features.
Pros: Can help prevent DoS attacks by correctly identifying anomalous data from DoS attacks and may work similarly when using only stateless features with RF.
Cons: The amount of data from the DoS attacks is over 10 times higher than the amount of normal data.

[27]
Methodologies: Leveraged a Message Queuing Telemetry Transport system to mass collect data from multiple sensors at once.
Results: 99.04% accuracy for uni-directional and bi-directional features.
Pros: Results could accurately tell benign vs malicious traffic.
Cons: Requires large amounts of data throughput.

[25]
Methodologies: Utilized fog layer computing to modify intrusion detection systems to be adapted to IoT devices.
Results: Random Forest had an accuracy of 99% with attack mode at 79% with a recall rate of 97%.
Pros: Takes pre-existing weathered solutions to save on dev time.
Cons: Requires a complex network to be set up.

[26]
Methodologies: Using a simulated dataset, extract feature vectors from said dataset and train and test five classifiers with the data to identify whether it is normal or attack, as well as the type of attack.
Results: ANN, RF, and DT reached over 99% accuracies, but RF performed the best.
Pros: Not only identifies normal vs attack data, but can also determine what type of attack is occurring.
Cons: The dataset was obtained through a virtual simulation and may not represent real-world data.

[27]
Methodologies: Hadoop Cluster based analysis of data nodes to identify malicious IoT devices.
Results: All three database types (MySQL, PostgreSQL, Sqoop + Hive) were within 0.02ms of one another.
Pros: Performance throughput increased by 4x with the advanced dataset in the Hadoop Cluster.
Cons: Requires a Hadoop cluster to be properly set up and configured.

[28]
Methodologies: Uses an SVM so as not to use physical keys. A physical-layer authentication scheme using ML to improve spoofing detection accuracy.
Results: Hash functions can be used to speed up identification, and game theory could be used to increase accuracy.
Pros: Precise, fast, and relatively lightweight because of the SVM.
Cons: Requires proprietary watermarks in network packets.
The article, ‘Using Machine Learning to Secure IoT Systems’ [18], has put forth a
promising system which demonstrates the capability of correctly identifying anomalous
data using an ANN. This would provide a solution for both detecting denial of service and
man-in-the-middle attacks and allows for an entire IoT network to monitor incoming data
to check for compromised IoT edge devices. The article, ‘Machine Learning DDoS
Detection for Consumer Internet of Things’ [23], has also developed a system that can
correctly identify anomalous data, but has also chosen to compare the effectiveness of
several different machine learning algorithms for detecting anomalous data. This study not
only established that the Random Forest algorithm performed the best of the five
algorithms, but also established that Random Forest performed the best when it used only
stateless features. The use of only stateless features would make the analysis of the traffic
data less cost intensive than using both stateless and stateful features; however, doing so
has shown a reduction in the accuracies of each of the five classifiers. ‘Attack and Anomaly
Detection in IoT Sensors in IoT Sites using Machine Learning Approaches’ [26] takes
anomalous data detection a step further by not only differentiating between normal and
attack data, but also by classifying attack data according to what type of cyber-attack it may
be. This study concluded that the Random Forest algorithm performed the best of the five
algorithms that were compared, and that the use of this data classification method would
not only help detect attack data but would also assist its users by identifying what type of
attack is being conducted as well. The article, ‘Detection of Unauthorized IoT Devices
Using Machine Learning Techniques’ [21] has developed a method which can determine
what device type an IoT device is when it requests access to some network through the use
of network traffic analysis using the machine learning algorithm, Random Forest. This
method was able to identify all nine device types that it used with a near 100% accuracy
using a maximum of 110 sessions, thus this method presents a solution for preventing
untrusted devices from connecting to an organization’s network if used in conjunction with
a security information and event management service. The article, ‘ProfilIoT: A Machine
Learning Approach for IoT Device Identification Based on Network Traffic Analysis’ [22],
conducts a very similar experiment, but instead, includes non-IoT devices to identify and
does not consider any device type as unknown during classification. This method provides
a solution for filtering out non-IoT traffic while also classifying the remaining IoT traffic
by device type. In the article ‘IoT Security Techniques Based on Machine Learning’ [16]
they compared 6 different commonly used algorithms. They concluded, like many others,
that Random Forest is the best choice. The article ‘Machine Learning Based IoT Intrusion
Detection System: an MQTT Case Study’ [24] uses 12 Message Queuing Telemetry
Transport (MQTT) sensors in a network of IoT sensors. It acts as a uni, bi, and packet based
flow gate. This allows granular packet inspection that resulted in a final accuracy of
malicious intrusions at 99.04%. Like MQTT sensors, ‘AD-IoT: Anomaly Detection of IoT
Cyber Attacks Smart City Using Machine Learning’ [25] uses a cloud, fog, and IoT layer
to offload network volumetric load from the local network containing the IoT sensors. Using
Random Forest paired with K-Nearest Neighbor as well as the Pandas framework to organize
the data, the researchers were able to obtain an accuracy of 97%. While accuracy is one of
the largest factors to consider in IoT cyber security, speed is also a large concern. In ‘Fast
Authentication and Progressive Authorization in Large-Scale IoT: How to Leverage AI for
Security Enhancement’ the main priority was to develop a framework to support faster
authentication. The researchers did so by watermarking authentic network packets which
expedited the authentication process significantly. The largest drawback is the use of
priority packet monitoring, which can be costly to implement [28]. Finally, ‘Cyber
forensics framework for big data analytics in IoT environment using machine learning’ [27]
utilized a Hadoop infrastructure as well but also included a MapReduce program to allow
sensitivities of 99% for the incoming data. AdaBoost showed strong results of precision and
accuracy at 4x the typical rate.
5 Limitations
First, the classifiers in the article in 3.2 used a relatively small dataset compared to some of
the other articles in this study. The classifier with two input neurons was trained and tested
with 4,000 data samples, and the classifier with three input neurons in the article in 3.2 was
only tested with 360 pieces of data. While the classifiers did produce high accuracies for the
given dataset, they may not hold up against a dataset of a larger size. Since the article in 3.8
utilized a digital dataset, the results of the experiment may differ from the results of a similar
experiment conducted using real-world data, especially considering how DoS attacks flood
systems with large amounts of data. However, by including the large quantity of data from
DoS attacks, it should be noted that a baseline prediction algorithm which classifies every
piece of data as anomalous would have a high accuracy, as noted in the article in 3.5, which
may make the application of the machine learning classifiers less ingenuous. The
classification of IoT device types in the articles in 3.3 and 3.4 sometimes requires a large
number of sessions in order to achieve an accuracy that is close to 100%, and during these
sessions a malicious IoT device might be able to accomplish its goal of attacking the network.
The dataset that was used for most papers, including those in 3.1, 3.5, 3.6, 3.7, and 3.9, was
the UNSW-NB15 dataset. Inside the dataset are nine different types of attack methods:
Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and
Worms [16]. Unfortunately, this dataset is extremely outdated, as it was constructed in 2015.
In addition, the complete lack of botnet attacks altogether in the UNSW-NB15 dataset
should be enough to turn researchers away, as this is the most popular attack method
utilizing IoT devices. Additional attack methods currently being exploited in the real world
include traffic analysis, side-channel attacks, replay attacks, man-in-the-middle attacks, and
protocol attacks, none of which are included in the UNSW-NB15, KDD99, and NSL-KDD
datasets. Finally, IoT devices are required to be securely authenticated using a symmetric-key
protocol; however, these techniques are vulnerable to key-hashing attacks and come with
significant computational power overhead. The OAuth 2.0 protocol is the most commonly
used security method for current IoT devices but suffers from cross-site request forgery
(CSRF) attacks and may eventually become overloaded as the number of devices per user
grows, as OAuth 2.0 requires manual authentication from a user. For these reasons, Physical
Unclonable Functions (PUF) have emerged as an alternative which exploits manufacturing
process variations to generate a unique and device-specific identity for a physical system,
like a MAC address [16]. PUF implementations are simpler than memory-based solutions, as
they use less energy and don’t require as much area on the die as expensive cryptographic
ASIC hardware implementing algorithms like SHA-512 or AES-256.
6 Conclusion
This study has discussed the uses of machine learning algorithms in IoT security by
reviewing several articles which conducted various methods and techniques in order to find
solutions for some of the problems in IoT security. From the beginning, this study
highlighted the enormity of the Internet of Things, as well as its potential to be exploited.
Then, it began to focus on the individual cases in which the use of machine learning may
benefit IoT security including its use for malware and intrusion detection and the
identification of unknown IoT devices. Many of these methods that were featured either
concluded that Random Forest was the best machine learning algorithm for their methods
or were using Random Forest on its own from the get-go. However, others found that by
using multiple machine learning algorithms the accuracy and precision would improve. One
algorithm’s weaknesses would be complemented by the other algorithm, which produced
higher accuracies than a single algorithm could achieve on its own. The use of KNN with
Euclidean distance gave an accuracy of around 93% and a precision close to 86%, but when
KNN was paired with Dynamic Time Warping (DTW), the accuracy rose to 96% and
precision was 91% [5]. This compares with a single algorithm being utilized, like Random
Forest, which plummets to an accuracy of 86% and abysmal precision rates in the 82% range.
References
1. Davis, G. (2018). 2020: Life with 50 billion connected devices. 2018 IEEE International
Conference on Consumer Electronics (ICCE). doi:10.1109/icce.2018.8326056
2. Bull, P., Austin, R., Popov, E., Sharma, M., & Watson, R. (2016). Flow Based Security for
IoT Devices Using an SDN Gateway. 2016 IEEE 4th International Conference on Future
Internet of Things and Cloud (FiCloud). doi:10.1109/ficloud.2016.30
3. Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J. (2017). DDoS in the IoT: Mirai and
Other Botnets. Computer, 50(7), 80-84. doi:10.1109/mc.2017.201
4. Mamdouh, M., I. Elrukhsi, M. A., & Khattab, A. (2018). Securing the Internet of Things
and Wireless Sensor Networks via Machine Learning: A Survey. 2018 International
Conference on Computer and Applications (ICCA). doi:10.1109/comapp.2018.8460440
5. Azmoodeh, A., Dehghantanha, A., Conti, M. et al. Detecting crypto-ransomware in IoT
networks based on energy consumption footprint. J Ambient Intell Human Computer 9,
1141-1152 (2018).
6. Ashton, Kevin. "That ‘internet of things’ thing." RFID journal 22.7 (2009): 97-114.
7. Cenedese, A., Zanella, A., Vangelista, L., & Zorzi, M. (2014). Padova Smart City: An urban
Internet of Things experimentation. Proceeding of IEEE International Symposium on a
World of Wireless, Mobile and Multimedia Networks 2014.
doi:10.1109/wowmom.2014.6918931
8. Zhang, Z.-K., Cho, M. C. Y., Wang, C.-W., Hsu, C.-W., Chen, C.-K., & Shieh, S. (2014).
IoT Security: Ongoing Challenges and Research Opportunities. 2014 IEEE 7th International
Conference on Service-Oriented Computing and Applications. doi:10.1109/soca.2014.58
9. Raza, S., Shafagh, H., Hewage, K., Hummen, R., & Voigt, T. (2013). Lithe: Lightweight
Secure CoAP for the Internet of Things. IEEE Sensors Journal, 13(10), 3711-3720.
doi:10.1109/jsen.2013.2277656
10. Dorri, Ali, Salil S. Kanhere, and Raja Jurdak. "Blockchain in internet of things: challenges
and solutions." arXiv preprint arXiv:1608.05187 (2016).
11. Gunn, Dylan J. et al. “Touch-Based Active Cloud Authentication Using Traditional
Machine Learning and LSTM on a Distributed Tensorflow Framework.” Int. J. Comput.
Intell. Appl. 18 (2019): 1950022:1-1950022:16.
12. Mason, J., Dave, R., Chatterjee, P., Graham-Allen, I., Esterline, A., & Roy, K. (2020,
December). An Investigation of Biometric Authentication in the Healthcare Environment.
Array, 8, 100042. doi:10.1016/j.array.2020.100042
13. J. Shelton et al., "Palm Print Authentication on a Cloud Platform," 2018 International
Conference on Advances in Big Data, Computing and D
14. Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J. (2017). DDoS in the IoT: Mirai and
Other Botnets. Computer, 50(7), 80-84. doi:10.1109/mc.2017.201
15. T. Kelley and E. Furey, "Getting Prepared for the Next Botnet Attack: Detecting
Algorithmically Generated Domains in Botnet Command and Control," 2018 29th Irish
Signals and Systems Conference (ISSC), Belfast, 2018, pp. 1-6, doi:
10.1109/ISSC.2018.8585344.
16. L. Xiao, X. Wan, X. Lu, Y. Zhang and D. Wu, "IoT Security Techniques Based on Machine
Learning: How Do IoT Devices Use AI to Enhance Security?," in IEEE Signal Processing
Magazine, vol. 35, no. 5, pp. 41-49, Sept. 2018, doi: 10.1109/MSP.2018.2825478.
17. Kotenko, I., Saenko, I., Skorik, F., & Bushuev, S. (2015). Neural network approach to
forecast the state of the Internet of Things elements. 2015 XVIII International Conference
on Soft Computing and Measurements (SCM). doi:10.1109/scm.2015.7190434
18. Canedo, J., & Skjellum, A. (2016). Using machine learning to secure IoT systems. 2016
14th Annual Conference on Privacy, Security and Trust (PST).
doi:10.1109/pst.2016.7906930
19. Moh, M., & Raju, R. (2018). Machine Learning Techniques for Security of Internet of
Things (IoT) and Fog Computing Systems. 2018 International Conference on High
Performance Computing & Simulation (HPCS). doi:10.1109/hpcs.2018.00116
20. Buczak, Anna L., and Erhan Guven. "A survey of data mining and machine learning
methods for cyber security intrusion detection." IEEE Communications surveys & tutorials
18.2 (2015): 1153-1176.
21. Meidan, Yair, et al. "Detection of unauthorized iot devices using machine learning
techniques." arXiv preprint arXiv:1709.04647 (2017).
22. Meidan, Yair, et al. "ProfilIoT: a machine learning approach for IoT device identification
based on network traffic analysis." Proceedings of the symposium on applied computing.
2017.
23. Doshi, R., Apthorpe, N., & Feamster, N. (2018). Machine Learning DDoS Detection for
Consumer Internet of Things Devices. 2018 IEEE Security and Privacy Workshops (SPW).
doi:10.1109/spw.2018.00013
24. Hindy, Hanan, et al. "Machine Learning Based IoT Intrusion Detection System: An MQTT
Case Study." arXiv preprint arXiv:2006.15340 (2020). doi:10.1016/j.iot.2019.100059
25. Alrashdi, Ibrahim, et al. "Ad-iot: Anomaly detection of iot cyberattacks in smart city using
machine learning." 2019 IEEE 9th Annual Computing and Communication Workshop and
Conference (CCWC). IEEE, 2019.
26. Hasan, M., Milon Islam, M., Islam, I., & Hashem, M. M. A. (2019). Attack and Anomaly
Detection in IoT Sensors in IoT Sites Using Machine Learning Approaches. Internet of
Things, 100059.
27. Chhabra, Gurpal Singh, Varinder Pal Singh, and Maninder Singh. "Cyber forensics
framework for big data analytics in IoT environment using machine learning." Multimedia
Tools and Applications 79.23 (2020): 15881-15900.
28. Fang, He, Angie Qi, and Xianbin Wang. "Fast Authentication and Progressive
Authorization in Large-Scale IoT: How to Leverage AI for Security Enhancement." IEEE
Network 34.3 (2020): 24-29.
... For IDS in a fog-IoT context (Strecker, Haaften, & Dave, 2021), use a greedy algorithm-based split finding methods. Although the scientists used many machine learning (ML) algorithms to detect different cyber dangers, the system is still susceptible to newly developed attacks because there is no centralised controller. ...
Article
Full-text available
IoT devices generate enormous amounts of data, which deep learning algorithms can learn from more effectively than shallow learning algorithms. The approach for threat detection may ultimately benefit fog computing or fog networking (fogging). The authors present a cutting-edge distributed DL method for detecting cyberattacks and vulnerability injection (CAVID) in this paper. In terms of the evaluation metrics tested in the tests, the DL model performs better than the SL models. They demonstrated a distributed DL-driven fog computing CAVID approach using the open-source NSL-KDD dataset. A pre-trained SAE was utilised for feature engineering, whereas Softmax was employed for categorization. They used parametric evaluation for system assessment to evaluate the model in comparison to SL techniques. For scalability, accuracy across several worker nodes was taken into consideration. In addition to the robustness, effectiveness, and optimization of distributed parallel learning among fog nodes for enhancing accuracy, the findings demonstrate DL models exceeding classic ML architectures.
... The preprocessing was accomplished in this study by employing Gabor filters as well as winner-take-all algorithms. The work in [11] developed a multimodal biometric system for merging the FV and finger dorsal texture using a score-level fusion approach based on cross-selection binary coding. They utilized the THV-FVFDT2 database in this study. ...
Article
Full-text available
Nowadays, there is a growing demand for information security and security rules all across the world. Intrusion detection (ID) is a critical technique for detecting dangers in a network during data transmission. Artificial Intelligence (AI) methods support the Internet of Things (IoT) and smart cities by creating gadgets replicating intelligent behavior and enabling decision making with little or no human intervention. This research proposes novel technique for secure data transmission and detecting an intruder in a biometric authentication system by feature extraction with classification. Here, an intruder is detected by collecting the biometric database of the smart building based on the IoT. These biometric data are processed for noise removal, smoothening, and normalization. The processed data features are extracted using the kernel-based principal component analysis (KPCA). Then, the processed features are classified using the convolutional VGG−16 Net architecture. Then, the entire network is secured using a deterministic trust transfer protocol (DTTP). The suggested technique’s performance was calculated utilizing several measures, such as the accuracy, f-score, precision, recall, and RMSE. The simulation results revealed that the proposed method provides better intrusion detection outcomes.
Conference Paper
The recent trends of managing the way on how to achieve the communication with safe cyberspace paid a particular attention among the scholarly worldwide. The strategic initiative on having an active arrangement of communication pathway is required for further scholarly elaboration in assisting the scenario on leading to safe community in the cyber space. One of the challenges as an example is like the issue of trust in information or questionable point referring to lack of detail and clarity. This is of course being a dubious circumstance which needs to expand the situation on addressing the critical point of trust-based information quality. In order to respond such undeniable situation, this paper aims to critically explore the insightful value of trust in information as the quality assurance in enabling the individual capacity and accountability in achieving the communication management for safe cyberspace. The critical review of current literature was made through peer-reviewed articles from journals, books, proceedings and chapters related to the topic of communication management for safe cyberspace. The finding revealed that strategic approach of empowering communication management for safe cyberspace is actualized through advancing the extent of trust-based information quality. This paper is supposed to contribute in enhancing the additional information of communication management for safe cyberspace through addressing the information quality with the trust basis.
Article
Full-text available
A vast amount of growth has taken place in the field of biometrics and in the healthcare industry. Biometrics provides the ability to identify individuals based on their physical and behavioral characteristics. The fusion of biometrics and information systems in the healthcare environment has provided a new approach to determine the identity of patients. In this paper, we investigate the biometric system and the authentication process using periocular biometrics specifically. We integrate this approach with the healthcare system to provide an advanced method to identify the patients securely. We propose a new technique that fuses the use of periocular biometrics and the electronic master patient index in healthcare information systems to identify humans in the healthcare environment. A comparative analysis of different periocular biometric recognition methods is conducted and assessed against various traditional and deep learning-based methods in our research study.
Article
Full-text available
In this modern world, mobile devices have been paired with the cloud environment to scale the voluminous amount of generated data. The implementation comes at the cost of privacy as proprietary data can be stolen in transit to the cloud, or victims’ phones can be seized along with synced data from cloud. The attacker can gain access to the phone through shoulder surfing, or even spoofing attacks. Our approach is to mitigate this issue by proposing an active cloud authentication framework using touch biometric pattern. To the best of our knowledge, active cloud authentication using touch dynamics for mobile cloud computing has not been explored in the literature. This research creates a proof of concept that will lead into a simulated cloud framework for active authentication. Given the amount of data captured by the mobile device from user activity, it can be a computationally intensive process for the mobile device to handle with such limited resources. To solve this, we simulated a post-transmission process of data to the cloud so that we could implement the authentication process within the cloud. We evaluated the touch data using traditional machine learning algorithms, such as Random Forest (RF), Support Vector Machine (SVM), and also using a deep learning classifier, the Long Short-Term Memory Recurrent Neural Network (LSTM-RNN) algorithms. The novelty of this work is two-fold. First, we develop a distributed tensorflow framework for cloud authentication using touch biometric pattern. This framework helps alleviate the drawback of the computationally intensive recognition of the substantial amount of raw data from the user. Second, we apply the RF, SVM, and a deep learning classifier, the LSTM-RNN, on the touch data to evaluate the performance of the proposed authentication scheme. The proposed approach shows a promising performance with an accuracy of 99.0361% using RF on the distributed tensorflow framework.
Article
Full-text available
Attack and anomaly detection in the Internet of Things (IoT) infrastructure is a rising concern in the domain of IoT. With the increased use of IoT infrastructure in every domain, threats and attacks in these infrastructures are also growing commensurately. Denial of Service, Data Type Probing, Malicious Control, Malicious Operation, Scan, Spying and Wrong Setup are such attacks and anomalies which can cause an IoT system failure. In this paper, performances of several machine learning models have been compared to predict attacks and anomalies on the IoT systems accurately. The machine learning (ML) algorithms that have been used here are Logistic Regression (LR), Support Vector Machine (SVM), Decision Tree (DT), Random Forest (RF), and Artificial Neural Network (ANN). The evaluation metrics used in the comparison of performance are accuracy, precision, recall, f1 score, and area under the Receiver Operating Characteristic Curve. The system obtained 99.4% test accuracy for Decision Tree, Random Forest, and ANN. Though these techniques have the same accuracy, other metrics prove that Random Forest performs comparatively better.
Conference Paper
Full-text available
In recent years, the wide adoption of the modern Internet of Things (IoT) paradigm has led to the invention of smart cities. Smart cities operate in real-world time to promote ease and quality of life in urban cities. The network traffic of a smart city via loT systems is growing exponentially and introducing new cybersecurity challenges since these loT devices are being connected to sensors that are directly connected to massive cloud servers. In order to mitigate these cyberattacks, the developers need to enhance new techniques for detecting infected loT devices. In this paper, to address the loT cybersecurity threats in a smart city, we propose an Anomaly Detection-loT (AD-IoT) system, which is an intelligent anomaly detection based on Random Forest machine learning algorithm. The proposed solution can effectively detect compromised loT devices at distributed fog nodes. To evaluate our model, we utilized modern dataset to illustrate the model's accuracy. Our findings show that the AD-loT can effectively achieve highest classification accuracy of 99.34% with lowest false positive rate.
Conference Paper
Full-text available
This paper highlights the high noise to signal ratio that DNS traffic poses to network defense' incident detection and response, and the broader topic of the critical time component required from intrusion detection for actionable security intelligence. Nowhere is this truer than in the monitoring and interception of malware command and control communications hidden amongst benign DNS internet traffic. Global ransomware and malware families were responsible for over 5 billion USD in losses. In 4 days Reaper, a Mirai variant, infected 2.7m nodes. The scale of malware infections outstrips information security blacklisting ability to keep pace. Machine learning techniques, such as CLIP, provide the ability to detect malware traffic to malicious command and control domains with high reliability using lexical properties and semantic patterns in algorithmically generated domain names.
Article
Security provisioning has become the most important design consideration for large-scale Internet of Things (IoT) systems due to their critical roles in supporting diverse vertical applications by connecting heterogenous devices, machines, and industry processes. Conventional authentication and authorization schemes are insufficient to overcome the emerging IoT security challenges due to their reliance on both static digital mechanisms and computational complexity for improving security levels. Furthermore, the isolated security designs for different layers and link segments while ignoring the overall protection leads to cascaded security risks as well as growing communication latency and overhead. In this article, we envision new artificial intelligence (AI)-enabled security provisioning approaches to overcome these issues while achieving fast authentication and progressive authorization. To be more specific, a lightweight intelligent authentication approach is developed by exploring machine learning at the base station to identify the prearranged access time sequences or frequency bands or codes used in IoT devices. Then we propose a holistic authentication and authorization approach, where online machine learning and trust management are adopted for achieving adaptive access control. These new AI-enabled approaches establish the connections between transceivers quickly and enhance security progressively so that communication latency can be reduced and security risks are well controlled in large-scale IoT systems. Finally, we outline several areas for AI-enabled security provisioning for future research.