Title | A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Ullah, Imtiaz, Mahmoud, Qusay H. |
Conference Name | 2019 16th IEEE Annual Consumer Communications Networking Conference (CCNC) |
Keywords | anomaly detection, anomaly detection system, CICIDS2017 dataset, compositionality, cybersecurity, edited nearest neighbors, feature extraction, flow-based anomaly detection, flow-based features extraction, flow-based intrusion detection, Human Behavior, Internet of Things, Intrusion detection, IoT networks, level-1 model, level-2 model precision, machine learning, malicious activity detection, Metrics, nearest neighbour methods, network traffic, pattern classification, Protocols, pubcrawl, recursive feature elimination, Resiliency, sampling methods, security of data, synthetic minority over-sampling technique, telecommunication traffic, Training, two-level hybrid anomalous activity detection, UNSW-15 dataset, vulnerabilities, vulnerability detection |
Abstract | In this paper we propose a two-level hybrid anomalous activity detection model for intrusion detection in IoT networks. The level-1 model uses flow-based anomaly detection, which is capable of classifying the network traffic as normal or anomalous. The flow-based features are extracted from the CICIDS2017 and UNSW-15 datasets. If an anomalous activity is detected, then the flow is forwarded to the level-2 model to find the category of the anomaly by deeply examining the contents of the packet. The level-2 model uses Recursive Feature Elimination (RFE) to select significant features, Synthetic Minority Over-Sampling Technique (SMOTE) for oversampling, and Edited Nearest Neighbors (ENN) for cleaning the CICIDS2017 and UNSW-15 datasets. Our proposed model's precision, recall, and F score for level-1 were measured at 100% for the CICIDS2017 dataset and 99% for the UNSW-15 dataset, while the level-2 model precision, recall, and F score were measured at 100% for the CICIDS2017 dataset and 97% for the UNSW-15 dataset. The predictor we introduce in this paper provides a solid framework for the development of malicious activity detection in IoT networks. |
DOI | 10.1109/CCNC.2019.8651782 |
Citation Key | ullah_two-level_2019 |