With an increasing number of services connected to the internet, including cloud computing and Internet of Things (IoT) systems, the prevention of cyberattacks has become more challenging due to the high dimensionality of the network traffic data and access points. Recently, researchers have suggested deep learning (DL) algorithms to define intrusion features through training empirical data and learning anomaly patterns of attacks. However, due to the high dynamics and imbalanced nature of the data, the existing DL classifiers are not completely effective at distinguishing between abnormal and normal behavior line connections for modern networks. Therefore, it is important to design a self-adaptive model for an intrusion detection system (IDS) to improve the detection of attacks. Consequently, in this paper, a novel hybrid weighted deep belief network (HW-DBN) algorithm is proposed for building an efficient and reliable IDS (DeepIoT.IDS) model to detect existing and novel cyberattacks. The HW-DBN algorithm integrates an improved Gaussian–Bernoulli restricted Boltzmann machine (Deep GB-RBM) feature learning operator with a weighted deep neural networks (WDNN) classifier. The CICIDS2017 dataset is selected to evaluate the DeepIoT.IDS model as it contains multiple types of attacks, complex data patterns, noise values, and imbalanced classes. We have compared the performance of the DeepIoT.IDS model with three recent models. The results show the DeepIoT.IDS model outperforms the three other models by achieving a higher detection accuracy of 99.38% and 99.99% for web attack and bot attack scenarios, respectively. Furthermore, it can detect the occurrence of low-frequency attacks that are undetectable by other models.
Many services are found online using the internet, and this trend is increasing over time. The internet helps millions of automotive Internet of Things (IoT) endpoints in providing services. The new technology replacing traditional networks is the IoT networks, such as those of industrial machines, smart energy grids, building automation, and many personal assistance devices [
The 2020 Unit 42 IoT Threat Report is a survey of over 1.2 million IoT devices in the healthcare information technology industries in the United States. The report shows that these organizations are unsafe as their sensitive data is exposed to threats. The results of the survey show that 83% of devices used for medical imaging are running on outdated and unsecured operating systems [
Network intrusion detection systems (IDS) are essential tools for monitoring a network, tracking malicious activities, and identifying intrusions. They provide powerful defense systems against various threats and cyberattacks. IDS models are classified according to their detection mechanisms into anomaly-based and signature-based approaches [
One of the outstanding algorithms that researchers propose for building IDS models is the restricted Boltzmann machine (RBM) algorithm [
Consequently, this work proposes an efficient and reliable IoT-network intrusion detection (DeepIoT.IDS) model based on a novel hybrid weighted deep belief network (HW-DBN) algorithm. The HW-DBN algorithm consists of a deep Gaussian–Bernoulli type of RBM (deep GB-RBM) and weighted deep neural network (WDNN) algorithms. The HW-DBN algorithm comprises an initial unsupervised stage and is responsible for generating traffic features; then, the final supervised stage is responsible for classifying the traffic into normal or abnormal classes. We stack a series of deep GB-RBMs to construct feature learning to perform learning on the original network traffic data in the pre-training stage. Next, we use the feature weighted WDNN to optimize deep features and remove noise and redundant features, thereby improving the classification performance. The main contributions of this paper to the cybersecurity domain are as follows:
Enhancing an unsupervised DL (UDL) deep GB-RBM based on the GB-RBM algorithm to improve the extraction of network data features.
Proposing a novel HW-DBN algorithm based on a DBN algorithm by integrating the deep GB-RBM with the WDNN to form an improved and continuous prediction hybrid DL (HDL) algorithm. The WDNN algorithm learns high-dimensional unlabeled data along with standard labeled data.
Modeling an efficient and reliable IoT-network intrusion detection system (DeepIoT.IDS) based on a proposed HW-DBN algorithm for anomaly-based IDS.
Demonstrating that the DeepIoT.IDS model is efficient and reliable in detecting sophisticated attacks by testing it using the CICIDS2017 dataset. The CICIDS2017 manifests a benchmark dataset for complex IoT environments.
This paper is organized into six sections. The related work on different types of ML and DL neural networks is presented in Section 2. The research background of RBM and DBN algorithms is illustrated in Section 3. The methods of this work are described in Section 4, including the improved RBM algorithm, the WDNN algorithm, the proposed HW-DBN algorithm, and the DeepIoT.IDS model. The implementation of the proposed DeepIoT.IDS model, the evaluation criteria, and the testing environment used to check and evaluate the performance of the proposed model are scrutinized in Section 5. Lastly, the conclusion and future work directions of this research are highlighted in Section 6.
The anomaly-based IDS epitomizes one of the best methods to detect significant attacks in a network. The IDS uses the ML algorithms as one of its essential components for performing classification tasks. Examples of these IDS models include artificial neural networks (ANN), decision trees (DT), expectation-maximization (EM), k-nearest neighbors (KNN), linear regression (LR), naïve Bayes (NB), random forests (RF), logistic regression (LR), and support vector machine (SVM) [
Many studies have attempted to analyze and compare anomaly-based ML-and DL-IDS models [
Fiore et al. [
In a nutshell, most DL/ML algorithms are proposed as anomaly-based IDS models, which discover anomalies by examining data patterns to distinguish data lines and determine normal and abnormal activities. However, some of the existing studies have lacked reliable and efficient validation as they use low-quality datasets. The datasets might suffer from several weaknesses and deficiencies, including outdated attack scenarios and versions that may not be a perfect representative of the existing network attacks, ignoring the complexity of IoT-like networks. Moreover, the conventional HDL algorithms do not provide sufficient training ability to detect modern attacks in realistic datasets. In contrast with those works, we propose a new model for intrusion detection called DeepIoT.IDS. The IDS model is based on a deep GB-RBM algorithm as feature learning of our raw data and then combined with a weighted DNN (WDNN) algorithm for classification to construct a novel HW-DBN algorithm. The HW-DBN algorithm is based on an improved RBMs (Deep GB-RBM) algorithm that is combined with a Weighted DNN (WDNN) algorithm to construct a novel DeepIoT.IDS model.
The basic RBM algorithm represents a neural network with directional connections of multiple hidden layers. A basic structure of the RBM is the
where
We can use the Gibbs sampling algorithm [
Similarly, the log-likelihood derivatives for the bias
The training of the RBM algorithm differs from the training of regular neural networks. The learning process used a contrastive divergence (CD) algorithm [
A deep belief network (DBN) algorithm is a greedy layer-wise technique that learns features from unlabeled data in a UL manner [
This section describes the main components of this work and presents the theoretical concepts behind the novel DeepIoT.IDS model, which detects intrusions by classifying network states into normal and several abnormal types of attack. This paper proposes a few improvements to the conventional training methods for CDBN to overcome the existing difficulties, based on the GB-RBM algorithm for extracting important features in the pre-training stage and DNN for the classification task.
Different types of RBM algorithms have a similar structure but different parameters, such as the Gaussian–Bernoulli RBM (GB-RBM) algorithm. RBM defines each neuron’s state as binary numbers, limiting their application in the cybersecurity domain. One common approach to address this difficulty is to substitute the visible binary neurons with the Gaussian ones. The GB-RBM has several real values of the visible nodes
where in
where
where
The free energy
The improved RBMs are trained based on the contrastive divergence (CD) algorithm. The main aim of the CD algorithm is to find optimal parameters
This process is repeated for
From the above, we can calculate the
In general, learning in RBMs involves minimizing the mean square error given by:
and
and
The
We implement many steps with the above forms to get the optimal parameters
A weighted deep neural network (WDNN) is made up of densely connected or fully connected neural layers based on a cross-entropy loss function [
and
where
Then weight-categorical cross-entropy loss is calculated using
where
The conventional DBN has a multi-layer RBM for feature extraction and a backpropagation SL algorithm for classification, as shown in
The HW-DBN has the advantage of classifying based on extracted features fed from the proposed deep GB-RBM algorithm. We pre-train the first and second layers of the HW-DBN algorithm during the pre-training phase and then extract the features from the last layer and feed them into the training algorithm at the classification stage of the WDNN to further minimize the prediction error. The algorithm HW-DBN comprises three hidden layers of the deep GB-RBM for the UDL technique with two hidden layers of WDNN backpropagation for the SDL technique at the other end, as shown in
01 | Construct GB-RBM; |
02 | Set input Data: |
07 | Compute hidden units |
08 | Compute visible units |
09 | Compute loss function |
10 | Compute gradient to the parameters: |
11 | Calculate |
12 | Calculate |
13 | Update the parameters |
23 | Compute gradient using Nadam algorithm to |
24 | Update the parameters |
During the training phase, the WDNN of the HW-DBN algorithm classifies labeled and unlabeled network traffic instances to build the optimized classification model. The false positive alarms are reduced based on the weight of classes using gradient computing, which is a Nesterov-accelerated adaptive moment estimation algorithm [
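The effect of class weighting on the cross-entropy loss, as an added example that is not the paper's code. It uses the web-attack class counts from the dataset table; the weight formula `N / (K * n_c)`, the sum-of-weights normalization, and the sample batch are assumptions, since the paper's own weight definition is not shown here.

```python
import math

# Web-attack class counts taken from the dataset table on this page.
COUNTS = {"BENIGN": 168186, "Brute Force": 1507, "XSS": 652, "SQL Injection": 21}
CLASSES = list(COUNTS)


def balanced_class_weights(counts):
    """w_c = N / (K * n_c). Assumed heuristic, not the paper's formula."""
    total = sum(counts.values())
    k = len(counts)
    return {name: total / (k * n) for name, n in counts.items()}


def softmax(logits):
    """Numerically stable softmax over one record's output logits."""
    peak = max(logits)
    exps = [math.exp(z - peak) for z in logits]
    norm = sum(exps)
    return [e / norm for e in exps]


def weighted_cross_entropy(batch, weights):
    """batch: list of (logits, true_class).

    Returns sum(w_y * -log p_y) / sum(w_y), i.e. the loss is normalized by the
    total weight in the batch (one common convention, assumed here).
    """
    num = den = 0.0
    for logits, label in batch:
        p_true = softmax(logits)[CLASSES.index(label)]
        w = weights[label]
        num += w * -math.log(p_true)
        den += w
    return num / den


def demo():
    # Constructed batch: a classifier that always favours BENIGN, scored on
    # 96 benign records and 4 attack records.
    always_benign = [4.0, 0.0, 0.0, 0.0]
    batch = ([(always_benign, "BENIGN")] * 96
             + [(always_benign, "Brute Force")] * 2
             + [(always_benign, "XSS")]
             + [(always_benign, "SQL Injection")])
    uniform = {name: 1.0 for name in CLASSES}
    return (weighted_cross_entropy(batch, uniform),
            weighted_cross_entropy(batch, balanced_class_weights(COUNTS)))


if __name__ == "__main__":
    plain, weighted = demo()
    print(f"unweighted loss: {plain:.4f}")
    print(f"weighted loss:   {weighted:.4f}")
```

With uniform weights the always-BENIGN classifier looks almost converged; with class weights its loss is dominated by the attack records it misses.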
The DeepIoT.IDS model consists of four phases: data pre-processing, UDL pre-training, SDL classification, and evaluation. The first two phases represent the initial data-processing stage, and the last two phases represent the final decision stage. The DeepIoT.IDS model starts with the data pre-processing phase that performs statistical analysis on the CICIDS2017 dataset to discover defects, missing data, and noise. It then converts the dataset to raw data in a specific format and normalizes it by the min-max normalization method, also known as deviation standardization. We need to normalize the dataset to meet the standard conditions of the HW-DBN’s input dataset. This normalization makes a linear modification to the original data and maps the result to become a value between [0, 1]. It is represented as
Then the initial stage employs the deep GB-RBM algorithm to extract network traffic features. This phase generates low presentation features from high dimension data to increase the detection rate for low-frequency attacks. In order to classify the connections of lines to different classes, the deep GB-RBM algorithm provides an abstract feature space to distinguish between attacks and normal traffics of the network. At each layer of the deep GB-RBM, the algorithm minimizes the errors arising from reconstructing the input features. The original unlabeled features are inputs to the first layer, and the output-compressed features are inputs to the second layer.
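The min-max step of the pre-processing phase, as an added example that is not the paper's code. It assumes records with NaN or infinite cells are dropped as defective, that the bounds are learned from the training split only, and that test values outside those bounds are clipped; the column meanings and sample rows are constructed.

```python
import math


def drop_non_finite(rows):
    """Remove records containing NaN or +/-inf; return (clean_rows, n_dropped)."""
    clean = [r for r in rows if all(math.isfinite(x) for x in r)]
    return clean, len(rows) - len(clean)


def fit_min_max(train_rows):
    """Per-column (min, max), learned from the training split only."""
    if not train_rows:
        raise ValueError("no training records left after cleaning")
    return [(min(col), max(col)) for col in zip(*train_rows)]


def transform_min_max(rows, bounds):
    """Apply x' = (x - min) / (max - min) so every feature lands in [0, 1]."""
    out = []
    for row in rows:
        scaled = []
        for x, (lo, hi) in zip(row, bounds):
            if hi == lo:
                # Constant feature: avoid division by zero, carry no signal.
                scaled.append(0.0)
            else:
                v = (x - lo) / (hi - lo)
                # Test traffic can exceed the training range; clip it.
                scaled.append(min(1.0, max(0.0, v)))
        out.append(scaled)
    return out


# Constructed sample. Hypothetical columns: duration, bytes per second,
# and a flag that never changes.
TRAIN = [
    [10.0, 200.0, 0.0],
    [50.0, 1000.0, 0.0],
    [30.0, float("inf"), 0.0],   # defective record
    [90.0, 600.0, 0.0],
    [20.0, float("nan"), 0.0],   # missing value
]
TEST = [
    [130.0, 400.0, 0.0],         # duration above the training maximum
    [10.0, 100.0, 0.0],          # rate below the training minimum
]


def demo():
    train, dropped = drop_non_finite(TRAIN)
    bounds = fit_min_max(train)
    return (dropped, bounds,
            transform_min_max(train, bounds),
            transform_min_max(TEST, bounds))


if __name__ == "__main__":
    for part in demo():
        print(part)
```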
The proposed DeepIoT.IDS uses the HW-DBN algorithm to build its HDL classification model. Thus, the DeepIoT.IDS model operates according to UDL and SDL techniques. The termination condition of the UDL technique is represented by the
In this work, we propose a DeepIoT.IDS model that integrates a deep Gaussian–Bernoulli type of RBM (Deep GB-RBM) with a WDNN of the HW-DBN algorithm for efficient and reliable IoT network IDS. In this section, we show the implementation results and evaluation of the DeepIoT.IDS model. We evaluate the DeepIoT.IDS model based on 78 features of realistic and new benchmark datasets.
This work utilizes the CICIDS2017 benchmark dataset that represents BENIGN and modern network traffic attacks [ Canadian Institute for Cybersecurity
The BENIGN class has 168,186 samples, and other rarer classes have 2153 samples. The infiltration dataset has two classes, which are BENIGN with 288,566 samples and bot with 36 samples. Redundant instances may lead to the problem of imbalanced class distribution, which is known to bias a machine learning classifier towards the majority class [
Dataset | Class No. | Type of class | Instance No. | IR |
---|---|---|---|---|
DDOS | 2-classes | DDoS | 128027 | 1.3102 |
 | | BENIGN | 97718 | |
PortScan | 2-classes | PortScan | 158930 | 1.2461 |
 | | BENIGN | 127537 | |
Bot | 2-classes | BENIGN | 189067 | 96.168 |
 | | Bot | 1966 | |
Infiltration | 2-classes | BENIGN | 288566 | 8015.7 |
 | | Bot | 36 | |
Web attacks | 4-classes | BENIGN | 168186 | ∗ |
 | | Brute Force | 1507 | 111.97 |
 | | XSS | 652 | 257.95 |
 | | SQL Injection | 21 | 800.85 |
Patator | 3-classes | BENIGN | 432074 | ∗ |
 | | FTP-Patator | 7938 | 44.364 |
 | | SSH-Patator | 5897 | 73.270 |
DoS, Heartbleed | 5-classes | BENIGN | 440031 | ∗ |
 | | DoS Hulk | 231073 | 1.9042 |
 | | DoS GoldenEye | 10293 | 42.750 |
 | | DoS slowloris | 5796 | 75.919 |
 | | DoS Slowhttptest | 5499 | 80.021 |
 | | Heartbleed | 11 | 40002.8 |
The CICIDS2017 includes several imbalanced benchmark multi-class datasets, as defined in
We cannot visually and easily interpret most real data; therefore, we must rely upon more quantitative metrics to evaluate a model and determine which classes are easy for a model to use. This entails the use of recommended metrics for the evaluation of the DeepIoT.IDS model by utilizing performance metrics like accuracy, precision, sensitivity (recall), F_Score, training time, and prediction time, as follows [
Accuracy is the ratio of correct predictions for both TP and TN prediction of attacks compared with the total number of tested cases:
Precision (true positive rate) is used to measure the proportion of positives that are correctly identified:
Recall (sensitivity) measures the number of correct classifications penalized by the number of missed entries identified:
F_Score is a measure to find a balance between precision and recall:
Testing time describes how much time an approach has taken to predict the whole dataset as either normal or attack:
We quantify true positive (TP) measures as the number of attacks appropriately determined as attacks. In contrast, we define false positive (FP) measures as the number of normal connections wrongly determined as attack connections. In addition to that, we define true negative (TN) measures as the number of normal connections accurately determined as normal. Finally, we define the false negative (FN) measures as the number of attack connections wrongly determined as normal [
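The metrics above computed per class from a confusion matrix, as an added example that is not the paper's code. Both matrices are constructed; only their row totals reuse the support counts of the web-attack test set reported on this page, and the `blind_spots` helper with its recall floor is hypothetical.

```python
LABELS = ["BENIGN", "Brute Force", "XSS", "SQL Injection"]

# Constructed confusion matrices: rows = true class, columns = predicted class.
# A detector that labels every record BENIGN.
MAJORITY_ONLY = [
    [55527, 0, 0, 0],
    [485, 0, 0, 0],
    [200, 0, 0, 0],
    [9, 0, 0, 0],
]
# A detector that recovers part of the rare classes.
RARE_AWARE = [
    [55500, 27, 0, 0],
    [45, 440, 0, 0],
    [20, 178, 2, 0],
    [4, 0, 0, 5],
]


def evaluate(cm, labels):
    """Return (accuracy, {class: precision/recall/f_score/support})."""
    k = len(labels)
    total = sum(map(sum, cm))
    accuracy = sum(cm[i][i] for i in range(k)) / total
    report = {}
    for i, name in enumerate(labels):
        tp = cm[i][i]
        fn = sum(cm[i]) - tp                        # class i records missed
        fp = sum(cm[r][i] for r in range(k)) - tp   # other records flagged as i
        # A class that is never predicted has no defined precision; report 0.
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        denom = precision + recall
        f_score = 2 * precision * recall / denom if denom else 0.0
        report[name] = {"precision": precision, "recall": recall,
                        "f_score": f_score, "support": tp + fn}
    return accuracy, report


def blind_spots(report, floor=0.05):
    """Classes whose recall is below `floor` (hypothetical triage threshold)."""
    return [name for name, m in report.items() if m["recall"] < floor]


if __name__ == "__main__":
    for title, cm in (("majority only", MAJORITY_ONLY), ("rare aware", RARE_AWARE)):
        acc, rep = evaluate(cm, LABELS)
        print(f"{title}: accuracy={acc:.4f} blind spots={blind_spots(rep)}")
        for name, m in rep.items():
            print(f"  {name:14s} P={m['precision']:.2f} R={m['recall']:.2f} "
                  f"F={m['f_score']:.2f} n={m['support']}")
```

The two detectors differ by less than one point of accuracy, yet the first misses every attack record, which is why the per-class rows matter more than the headline figure on data this imbalanced.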
We conducted the experimental tests of the DeepIoT.IDS models using TensorFlow 1.2 version NVIDIA 1080 on a desktop with a 2.0 GHz Intel Core i3 CPU, 4 GB RAM, and 64-bit Ubuntu16.06 operating system. The test considered a case in which the proposed model detects an anomaly in the computer network system. The test benchmarks consisted of three DL models–BB-RBM, BB-DBN, and deep AE–and our proposed DeepIoT.IDS model. We selected these other models due to their similarity to our DeepIoT.IDS model. The experimental setting included a deep GB-RBM consisting of three layers, 100 hidden neurons, and 78 visible neurons. We selected the ReLU function as the model’s activation function and randomly set the initial weights of the 78 hidden neurons. We used five epochs to train the model and divided the dataset into 70% training set and 30% testing set [
No. | Model | Classes | Precision | Recall | F_Score | Support |
---|---|---|---|---|---|---|
1. | BB-RBM | BENIGN | 0.99 | 1.00 | 0.99 | 55527 |
 | | Brute Force | 0.00 | 0.00 | 0.00 | 485 |
 | | XSS | 0.00 | 0.00 | 0.00 | 200 |
 | | SQL Injection | 0.00 | 0.00 | 0.00 | 9 |
2. | BB-DBN | BENIGN | 0.99 | 1.00 | 0.99 | 55527 |
 | | Brute Force | 0.00 | 0.00 | 0.00 | 485 |
 | | XSS | 0.00 | 0.00 | 0.00 | 200 |
 | | SQL Injection | 0.00 | 0.00 | 0.00 | 9 |
3. | Deep AE | BENIGN | 0.99 | 1.00 | 0.99 | 55527 |
 | | Brute Force | 0.95 | 0.16 | 0.28 | 485 |
 | | XSS | 0.40 | 0.00 | 0.00 | 200 |
 | | SQL Injection | 0.00 | 0.00 | 0.00 | 9 |
4. | DeepIoT.IDS | BENIGN | 1.00 | 1.00 | 1.00 | 55527 |
 | | Brute Force | 0.60 | 0.91 | 0.73 | 485 |
 | | XSS | 0.40 | 0.01 | 0.02 | 200 |
 | | SQL Injection | 1.00 | 0.56 | 0.67 | 9 |
As shown in
No. | Model | Accuracy | G-Mean | Iteration of FL | Testing time (ms) |
---|---|---|---|---|---|
Web attack scenarios | |||||
1. | BB-RBM | 0.9874 | 0.1110 | 100 | 980.07 |
2. | BB-DBN | 0.9874 | 0.1110 | 100 | 2735.98 |
3. | Deep AE | 0.9890 | 0.3610 | 100 | 498.37 |
4. | DeepIoT.IDS | 0.9938 | 0.9940 | 5 | 363.94 |
Bot attack scenarios | |||||
1. | BB-RBM | 0.9874 | 0.0001 | 3 | 126.37 |
2. | BB-DBN | 0.9998 | 0.9573 | 20 | 338.78 |
3. | Deep AE | 0.9998 | 0.0112 | 1000 | 2.63 |
4. | DeepIoT.IDS | 0.9999 | 0.9574 | 5 | 265.39 |
The bot attack scenarios only included two classes of attack, BENIGN, and bot, as shown in the evaluation phase of
Subsequently, the benchmarking analysis compared the newly developed model with the existing ones, which confirmed the superiority of the DeepIoT.IDS model. A two-stage deep feature extraction and learning algorithms support the DeepIoT.IDS model to enable it to detect existing and newly discovered intrusion attacks. The model achieves higher accuracy and G-mean by constructing features from a huge amount of data for a set of refined training features. The results confirm that the model is less vulnerable to multi-type and unbalanced attacks than other DL models.
Anomaly IDSs (AIDS) in general have several limitations, including low accuracy and high false alarms. Signature-based IDS models could detect traditional intrusions, and AIDS could detect novel attacks. Furthermore, developing a real-time detection, anomaly-based IDS for IoT networks is very demanding. This is because such an IDS would need to distinguish a normal behavior first and then detect malicious behavior to produce more realistic results. Subsequently, we summarize the limitations of the present work as follows: (i) additional classification models should be tested to provide a more comprehensive evaluation of the results, (ii) given that the proposed DeepIoT.IDS model relies on all available features, a feature reduction approach might limit the computational cost and time complexity of the training and testing processes, and (iii) other evaluation criteria and testing datasets should be considered to further the analysis of the proposed model.
This paper proposes a novel hybrid weighted deep belief network (HW-DBN) algorithm that integrates a deep Gaussian–Bernoulli type of RBM (deep GB-RBM) algorithm with a weighted deep neural network (WDNN) algorithm. The HW-DBN algorithm deploys the deep GB-RBM for unsupervised deep learning (UDL) and WDNN backpropagation for supervised deep learning (SDL) to manifest a hybrid deep learning (HDL) approach. The HW-DBN algorithm is incorporated within a DeepIoT.IDS model to deal with the problem of intrusion detection in IoT networks efficiently and reliably. The DeepIoT.IDS model’s operating regime covers both processing and decision stages. The processing stage includes pre-processing and pre-training phases, while the decision stage involves the classification and evaluation phases. We tested the DeepIoT.IDS model by utilizing the CICIDS2017 benchmark datasets. The CICIDS2017 dataset is suitable to represent IoT environments because it has complex anomaly patterns, novel attacks, and highly imbalanced classes. We conducted extensive experiments on web attack and bot attack scenarios to evaluate the performance of the model. The web attack scenarios comprise multi-class detection of BENIGN, brute force, XSS, and SQL injection attacks, while the bot attack scenarios comprise signal-class detection of BENIGN and bot attacks. In the first set of scenarios, the results show that the DeepIoT.IDS model achieved the highest accuracy (99.38%) and the highest G-mean (99.40%) compared with the BB-RBM DBN, GB-RBM DBN, and deep AE models. Furthermore, it performed with a lower number of epochs to get the required results and the best execution time of 363.941 ms. In the second set of scenarios, the results show that the DeepIoT.IDS model also achieved the highest accuracy (99.99%) and the highest G-mean (95.74%) compared with the other three models. 
Furthermore, it performed with the second lowest number of epochs to get the required results but with the second highest execution time of 265.39 ms. The results, therefore, demonstrate the robustness and efficiency of the DeepIoT.IDS model to represent a future benchmark for constructing IDS based on deep learning algorithms in the research community of network and security. Future work may consider developing a real-time AIDS that improves the overall performance of IoT networks. Such an AIDS model would be more realistic and would need to quickly detect normal behaviors in order to trace and eliminate malicious behaviors.
This work was partially funded by the Industry Grant Scheme from Jaycorp Berhad in cooperation with UNITAR International University. The authors would like to thank INSFORNET, the Center for Advanced Computing Technology (C-ACT) at Universiti Teknikal Malaysia Melaka (UTeM), and the Center of Intelligent and Autonomous Systems (CIAS) at Universiti Tun Hussein Onn Malaysia (UTHM) for supporting this work.