A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks

2019 16th IEEE Annual Consumer Communications & Networking Conference (CCNC) Pub Date : 2019-01-01 DOI:10.1109/CCNC.2019.8651782

I. Ullah, Q. Mahmoud

{"title":"A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks","authors":"I. Ullah, Q. Mahmoud","doi":"10.1109/CCNC.2019.8651782","DOIUrl":null,"url":null,"abstract":"In this paper we propose a two-level hybrid anomalous activity detection model for intrusion detection in IoT networks. The level-1 model uses flow-based anomaly detection, which is capable of classifying the network traffic as normal or anomalous. The flow-based features are extracted from the CICIDS2017 and UNSW-15 datasets. If an anomaly activity is detected then the flow is forwarded to the level-2 model to find the category of the anomaly by deeply examining the contents of the packet. The level-2 model uses Recursive Feature Elimination (RFE) to select significant features and Synthetic Minority Over-Sampling Technique (SMOTE) for oversampling and Edited Nearest Neighbors (ENN) for cleaning the CICIDS2017 and UNSW-15 datasets. Our proposed model precision, recall and F score for level-1 were measured 100% for the CICIDS2017 dataset and 99% for the UNSW-15 dataset, while the level-2 model precision, recall, and F score were measured at 100 % for the CICIDS2017 dataset and 97 % for the UNSW-15 dataset. The predictor we introduce in this paper provides a solid framework for the development of malicious activity detection in IoT networks.","PeriodicalId":285899,"journal":{"name":"2019 16th IEEE Annual Consumer Communications & Networking Conference (CCNC)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"49","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 16th IEEE Annual Consumer Communications & Networking Conference (CCNC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CCNC.2019.8651782","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 49

Abstract

In this paper we propose a two-level hybrid anomalous activity detection model for intrusion detection in IoT networks. The level-1 model uses flow-based anomaly detection, which is capable of classifying the network traffic as normal or anomalous. The flow-based features are extracted from the CICIDS2017 and UNSW-15 datasets. If an anomaly activity is detected then the flow is forwarded to the level-2 model to find the category of the anomaly by deeply examining the contents of the packet. The level-2 model uses Recursive Feature Elimination (RFE) to select significant features and Synthetic Minority Over-Sampling Technique (SMOTE) for oversampling and Edited Nearest Neighbors (ENN) for cleaning the CICIDS2017 and UNSW-15 datasets. Our proposed model precision, recall and F score for level-1 were measured 100% for the CICIDS2017 dataset and 99% for the UNSW-15 dataset, while the level-2 model precision, recall, and F score were measured at 100 % for the CICIDS2017 dataset and 97 % for the UNSW-15 dataset. The predictor we introduce in this paper provides a solid framework for the development of malicious activity detection in IoT networks.

查看原文本刊更多论文

物联网网络异常活动检测的两级混合模型

本文提出了一种用于物联网网络入侵检测的两级混合异常活动检测模型。level-1模型采用基于流的异常检测，能够对网络流量进行正常和异常的分类。基于流量的特征提取自CICIDS2017和UNSW-15数据集。如果检测到异常活动，则将流转发到第2级模型，通过深入检查数据包的内容来查找异常的类别。二级模型使用递归特征消除(RFE)来选择显著特征，使用合成少数过采样技术(SMOTE)进行过采样，使用编辑近邻(ENN)来清洗CICIDS2017和unws -15数据集。CICIDS2017数据集的一级模型精度、召回率和F分数为100%，UNSW-15数据集为99%，而CICIDS2017数据集的二级模型精度、召回率和F分数为100%，UNSW-15数据集的二级模型精度、召回率和F分数为97%。我们在本文中介绍的预测器为物联网网络中恶意活动检测的开发提供了坚实的框架。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 16th IEEE Annual Consumer Communications & Networking Conference (CCNC)

自引率

0.00%

发文量