intrusion detection system to advance internet of things
Research Article
Intrusion Detection System to Advance Internet of Things Infrastructure-Based Deep Learning Algorithms
Hasan Alkahtani (1) and Theyazn H. H. Aldhyani (2)
(1) College of Computer Science and Information Technology, King Faisal University, P.O. Box 400, Al-Ahsa, Saudi Arabia
(2) Community College of Abqaiq, King Faisal University, P.O. Box 400, Al-Ahsa, Saudi Arabia
Correspondence should be addressed to Theyazn H. H. Aldhyani; taldhyani@kfu.edu.sa
Received 28 February 2021; Revised 23 March 2021; Accepted 17 April 2021; Published 7 July 2021
Academic Editor: M. Irfan Uddin
Copyright © 2021 Hasan Alkahtani and Theyazn H. H. Aldhyani. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Smart grids, advanced information technology, have become the favored intrusion targets due to the Internet of Things (IoT) using sensor devices to collect data from a smart grid environment. These data are sent to the cloud, which is a huge network of super servers that provides different services to different smart infrastructures, such as smart homes and smart buildings. These can provide a large space for attackers to launch destructive cyberattacks. The novelty of this proposed research is the development of a robust framework system for detecting intrusions based on the IoT environment. An IoTID20 dataset attack was employed to develop the proposed system; it is a newly generated dataset from the IoT infrastructure. In this framework, three advanced deep learning algorithms were applied to classify the intrusion: a convolution neural network (CNN), a long short-term memory (LSTM), and a hybrid convolution neural network with the long short-term memory (CNN-LSTM) model. The complexity of the network dataset was dimensionality reduced, and to improve the proposed system, the particle swarm optimization method (PSO) was used to select relevant features from the network dataset. The obtained features were processed using deep learning algorithms. The experimental results showed that the proposed systems achieved accuracy as follows: CNN = 96.60%, LSTM = 99.82%, and CNN-LSTM = 98.80%. The proposed framework attained the desired performance on a new variable dataset, and the system will be implemented in our university IoT environment. The results of comparative predictions between the proposed framework and existing systems showed that the proposed system more efficiently and effectively enhanced the security of the IoT environment from attacks. The experimental results confirmed that the proposed framework based on deep learning algorithms for an intrusion detection system can effectively detect real-world attacks and is capable of enhancing the security of the IoT environment.
1. Introduction
Currently, there are more than 25 billion devices connected to the Internet worldwide, three times the number of human beings [1–3]. The Internet of Things (IoT) is based on interconnected smart devices, and different services are used to integrate them into a single network. This allows the smart devices to gather sensitive information and carry out important functions, and these devices connect and communicate with each other at high speeds and make decisions according to indicator information. The IoT environment uses cloud services as a backend for processing information and maintaining remote control. Client users use mobile applications or web services to access data and control the devices. The IoT infrastructure uses large numbers of sensors to extract significant information, and this information is analyzed by artificial intelligence algorithms [4, 5].
Hindawi, Complexity, Volume 2021, Article ID 5579851, 18 pages, https://doi.org/10.1155/2021/5579851
Intrusion detection systems (IDSs) are the technical, regulatory, and administrative means used to prevent unauthorized use, abuse, and recovery of electronic information and communication systems and the information they contain, aimed at ensuring the availability and continuity of the work of the information systems and enhancing the protection, confidentiality, and privacy of personal data by taking all measures. Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It is also known as information technology security [6–9]. These intrusions affect control systems by altering the file system, escalating privileges, making unauthorized logins, accessing sensitive records, and using malware (e.g., viruses, Trojan horses, and worms), which can change the condition of the network. Network intrusions occur when incoming packets in the network system perform behaviors such as denial of service (DoS) attacks or even attempts to break into the system. DoS attacks are attempts to make computer resources unavailable to their intended users, for example, land attacks, ping of death (POD), and flood attacks. Indications of intrusions include abnormal results while executing various user commands, exemplified by slow system performance and sudden system crashes, changes in parts of data structures, and unusually slow system operations (e.g., opening files or accessing websites).
Attackers exploit unknown vulnerabilities and bypass known signatures. The IoT environment is based on a smart grid that uses sensor devices, and these devices connect to each other to pass information. Figure 1 displays the world population and the number of sensor devices required for protection from attackers. With the exponential growth of IoT use, the IoT has become a smart object of attackers achieving their targets. Therefore, using artificial intelligence based on deep learning algorithms can detect unknown vulnerabilities using sensor devices [10].
Artificial intelligence is a kind of information-driven approach in which the first step is to understand the data. Various types of data represent specific attack behaviors, including host behaviors and network activities. Server logs reflect host behaviors, and network traffic represents network behaviors. There are several types of attacks, with each having a particular pattern. Therefore, it is important to select suitable data sources to detect various attacks as per the features of the threat. One of the key features of a DoS attack, for example, is to send several packets in a very short time; thus, flow data are ideal for DoS attack detection. A hidden channel includes a data-leaking operation between two different IP addresses and is best suited for session data detection. Therefore, the advance of deep learning algorithms can help detect these network behaviors [11, 12].
Many studies have proposed the development of network security systems, and artificial intelligence plays a primary role in the area of cybersecurity based on IoT for designing an intelligent system for security in the IoT environment. The proposed research aimed to develop an intelligent model that could help secure the IoT structure and devices from threats. Currently, most companies and organizations have undergone digital transformations through IoT devices. However, this has created new complexities and vulnerabilities that, once cybercriminals learn about them, can be quickly exploited. Jokar et al. [13] developed classification algorithms to detect abnormal electricity consumption. Alseiari et al. [14] used soft computing based on clustering technology to monitor network traffic in advanced metering infrastructure (AMI). Vijayanand et al. [15] applied a support vector machine (SVM) based on a multiclass to detect intrusions, where decision tree algorithms gave very powerful results compared with an SVM proposed by Jindal et al. [16]. Boumkheld et al. [17] used a traditional machine learning algorithm over a naive Bayesian network to test the ability of this algorithm to detect intrusions. Zigbee-based Q-learning was proposed by Jokar et al. [18] to protect networks from intrusion, who found it the best strategy for monitoring system attacks. Hasan et al. [19] proposed a hybrid convolution neural network (CNN) with long short-term memory (LSTM) to classify the characteristics of electricity information, and the use of a hierarchy to select significant features from intrusion detection networks was proposed by Wang et al. [20]. CNN and LSTM algorithms have been applied to detect attacks [21]. Ullah et al. [22] introduced a hybrid deep neural network to detect intrusion by combining a CNN and a gated recursive unit. A particle swarm optimization (PSO) algorithm has been used to select significant features from data, and a developing system can automatically perform the processes of selecting features and classifications. In Liu et al.'s [23] research, a CNN algorithm was applied to identify attacks, and it was noted that deep learning based on the CNN improved the system. Xiao et al. [24] adopted an autoencoder to reduce the dimension of the intrusion detection data to decrease the interference of redundant features; these features were processed using a CNN to classify the attacks. Yang et al. [25] used a CNN to detect intrusion for improved extraction of features across layers, and feature fusion has been used to obtain comprehensive features. Yang et al. [26] developed a system to secure the IoT in the healthcare environment; it controlled traffic and made the healthcare environment smarter. Furthermore, security methods have been developed for IoT systems, as described in [27–29]. Other algorithms applied as solutions for the security of DNP3 traffic include statistical approaches and machine learning [30, 31]. Keliris et al. [32] used the support vector machine (SVM) algorithm for intrusion classification, and it was noted that the SVM performed well. It has been suggested that a detection system using machine learning techniques in power systems would be feasible for detecting malicious states [33]. Arrington et al. introduced a machine learning algorithm based on anomaly-based intrusion detection for the protection of IoT devices. Liu et al. [34] developed an IDS using suppressed fuzzy clustering and principal component analysis (PCA) algorithms. Kasinathan et al. [35] developed a signature-based IDS for low-power wireless personal area network (6LoWPAN)-based IoT networks; this system aimed to detect DoS attacks with the highest accuracy. Danda et al. [36] designed a host-based IDS for the security of IoT network devices using rule-based detection.
Cho et al. [37] proposed machine learning algorithms to detect botnet attacks at the host and network levels in the IoT environment. The feature selection method was presented to select the features of malicious attack behaviors. Diro and Chilamkurti [38] introduced deep learning to classify intrusions at the host level in IoT. Cruz et al. [39] proposed an intelligent mechanism model to detect intrusions based on the decision-making method and, moreover, developed a recurrent neural network (RNN) to improve the previous model [40].
Currently, artificial intelligence based on machine learning and deep learning algorithms for data-processing capabilities provides the most effective value to the area of cyber defense by uncovering patterns, shapes, and outliers that indicate potential incidents, even if these solutions do not align with known attack patterns [41]. An IDS is a commonly used security tool for protecting and mitigating the IoT and its infrastructure from unseen and unpredictable intrusions. There are few studies on IDSs in the IoT based on artificial intelligence; therefore, developing a framework and achieving optimal results are the biggest challenges due to the network data having imbalanced data. Our target was to develop a secure movable framework for securing large IoT networks. Here, we present advanced artificial intelligence, such as deep learning models, namely, CNN, LSTM, and combined CNN-LSTM algorithms. We have significantly expanded the framework to integrate a deep learning algorithm to familiarize it with changing threats to the IoT network for anomaly detection. The main contributions of this study are as follows:
(1) Use of advanced artificial intelligence algorithms, such as CNN, LSTM, and a hybrid CNN-LSTM, to develop a system to detect intrusions into the IoT environment.
(2) The proposed system was developed using IoT network data that are not commonly used; this dataset was generated in 2020 and was the biggest challenge for developing a robust framework.
(3) The proposed system was compared with the research article that developed these data. It was noted that our system outperformed it.
2. Materials and Methods
Figure 2 displays the framework of the proposed system for detecting IoT environment intrusions. The proposed system is composed of several phases, each evaluated to obtain the best accuracy. The components of the proposed system are described in the following sections.
2.1. IoTID20 Dataset Attack. For this experiment, an IoTID20 dataset attack was conducted to test the proposed framework. The IoTID20 dataset was collected from IoT devices and interconnecting structures; the IoT devices were connected to or installed in a smart home environment, such as SKT NGU and EZVIZ Wi-Fi cameras, to create the IoTID20 dataset. Figure 3 shows the environment of the IoTID20 dataset; the laptops, tablets, and smartphone devices were connected by Wi-Fi to the smart home router. The SKT NGU and EZVIZ Wi-Fi cameras were IoT victim devices, and all other devices in the testbed were the attacking devices.
The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels: attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4. This dataset was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home
Figure 1: Projecting the "things" behind the Internet of Things (IoT). [Chart of world population against the number of IoT devices, 2003 to 2020; annotations: inflection point; tablets, laptops, phones; rapid adoption rate of digital infrastructure, 5X faster than electricity and telephony; ~6 things online per person (sensors, smart objects, devices, clustered systems).]
2.2. Particle Swarm Optimization Method. Preprocessing is a very important stage for improving classification algorithms. IoT data have various types of formats and dimensionality; therefore, dimensionality reduction was necessary to select significant features from the data. The PSO method has been suggested for handling important features from network datasets for detecting malicious attacks. PSO is a population-based computation intelligence method suggested by Eberhart and Kennedy [42], and it is an operative and respected global search system [43]. The PSO algorithm is called a reasonable algorithm because of its simple feature coding, global search, computational reasonability, fewer parameters, and less demanding execution to address and select important feature problems [44]. PSO is used to find important features. Figure 5 shows the particle swarm optimization algorithm steps for selecting significant features from an intrusion network dataset. PSO uses the principal space method for searching space using a subset of primary components that have explored and selected features. For the PSO method, particles are used to represent solutions from the population in the search space, which is called a swarm. The particles are generated by distributing 1 and 0 randomly in the particle: if the principal component is 1, it is chosen; on the other side, if the particle component is 0, then it is ignored. To make the PSO more powerful, it works randomly and travels in the search space to search for an optimal subset of features by updating their position and velocity. The position of particle i and its velocity are shown in the following equations:
Figure 2: Generic framework of the proposed system. [Flow: IoTID20 dataset attack, preprocessing, PSO, 21 features, deep learning (CNN model, LSTM model, CNN-LSTM models), evaluation performance of IDS.]
Figure 3: IoTID20 dataset testbed environment. [Devices shown: AI speaker, security camera, access point, smartphone, laptop (Wireshark and attacking tool script).]
Table 1: IoTID20 dataset attacks.
DoS      Syn flooding
Mirai    Host brute force, HTTP flooding, UDP flooding
MITM     ARP spoofing services
Scan     Host port, OS
$$x_i = \{x_{i1}, x_{i2}, \ldots, x_{iD}\} \tag{1}$$
$$v_i = \{v_{i1}, v_{i2}, \ldots, v_{iD}\} \tag{2}$$
where D indicates the search space of the particle. Equation (3) was used to calculate the velocity and position for the search space as follows:
$$v_{id}^{t+1} = w * v_{id}^{t} + c_1 * r_{1i} * (p_{id} - x_{id}^{t}) + c_2 * r_{2i} * (p_{gd} - x_{id}^{t}) \tag{3}$$
$$x_{id}^{t+1} = x_{id}^{t} + v_{id}^{t+1} \tag{4}$$
where d is the dimension in the search space, t denotes the iteration in the process for the search space, w is the inertia weight, $c_1$ and $c_2$ are acceleration constants, $r_{1i}$ and $r_{2i}$ are random values distributed between 0 and 1, and $p_{id}$ and $p_{gd}$ represent the pbest and gbest in dimension d of the search space. The values of position and velocity in each particle are updated until they obtain the best features. Then, the condition is stopped when the iteration reaches the maximum number and obtains satisfactory fitness values.
The IoTID20 dataset was very big, with around 6332562 instances for improving the deep learning algorithms. The PSO algorithm was proposed for handling dimensionality reduction. Twenty-one of the most significant features were selected to develop the system. The PSO method used position and velocity for searching the best road to obtain appropriate features from the dataset. We used Iteration 19 gbest, and the value of fitness was 90666351, whereas Iteration 20 was used for gbest, and the value of fitness was 90666351. The significant features obtained using the PSO method are presented in Table 2 (Algorithm 1).
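An added example, not code from the paper: a small binary PSO feature selector in Python that applies the velocity update of equation (3) to 0/1 particles. The sigmoid rule that turns velocities back into bits, the nearest-centroid fitness with a feature-count penalty, the parameter values (w, c1, c2, swarm size) and the synthetic flow data are all assumptions of this example.

```python
import math
import random

N_FEATURES = 8
INFORMATIVE = (0, 3)  # constructed data: only these columns separate the classes


def make_flows(n_per_class=60, seed=7):
    """Constructed sample flows: label 0 = normal, 1 = attack."""
    rng = random.Random(seed)
    rows, labels = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            row = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
            for col in INFORMATIVE:
                row[col] += 4.0 * label  # attack flows are shifted on the informative columns
            rows.append(row)
            labels.append(label)
    return rows, labels


def fitness(mask, rows, labels, penalty=0.01):
    """Held-out nearest-centroid accuracy on the selected columns, minus a size penalty."""
    cols = [d for d, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0
    sums = {0: [0.0] * len(cols), 1: [0.0] * len(cols)}
    counts = {0: 0, 1: 0}
    for i in range(0, len(rows), 2):          # even rows: fit the two class centroids
        counts[labels[i]] += 1
        for k, c in enumerate(cols):
            sums[labels[i]][k] += rows[i][c]
    centroids = {y: [s / counts[y] for s in sums[y]] for y in (0, 1)}
    hits = total = 0
    for i in range(1, len(rows), 2):          # odd rows: score
        dist = {y: sum((rows[i][c] - centroids[y][k]) ** 2
                       for k, c in enumerate(cols)) for y in (0, 1)}
        hits += (min(dist, key=dist.get) == labels[i])
        total += 1
    return hits / total - penalty * len(cols) / len(mask)


def binary_pso(rows, labels, n_particles=12, iterations=20,
               w=0.7, c1=1.5, c2=1.5, seed=1):
    rng = random.Random(seed)
    dim = len(rows[0])
    # Swarm initialization: each particle is a random 0/1 mask over the features.
    x = [[rng.randint(0, 1) for _ in range(dim)] for _ in range(n_particles)]
    v = [[0.0] * dim for _ in range(n_particles)]
    pbest = [p[:] for p in x]
    pbest_fit = [fitness(p, rows, labels) for p in x]
    g = max(range(n_particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    history = [gbest_fit]
    for _ in range(iterations):
        for i in range(n_particles):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                # Equation (3): inertia + pull towards pbest + pull towards gbest.
                v[i][d] = (w * v[i][d]
                           + c1 * r1 * (pbest[i][d] - x[i][d])
                           + c2 * r2 * (gbest[d] - x[i][d]))
                v[i][d] = max(-4.0, min(4.0, v[i][d]))   # clamp to avoid saturation
                # Assumed binary position rule: bit is 1 with probability sigmoid(v).
                x[i][d] = 1 if rng.random() < 1.0 / (1.0 + math.exp(-v[i][d])) else 0
            fit = fitness(x[i], rows, labels)
            if fit > pbest_fit[i]:
                pbest[i], pbest_fit[i] = x[i][:], fit
            if fit > gbest_fit:
                gbest, gbest_fit = x[i][:], fit
        history.append(gbest_fit)
    return gbest, gbest_fit, history


if __name__ == "__main__":
    flows, y = make_flows()
    mask, fit, _ = binary_pso(flows, y)
    print("selected columns:", [d for d, b in enumerate(mask) if b], "fitness:", round(fit, 4))
```

Scoring the mask on rows that were not used to fit the centroids keeps the fitness from rewarding features that only memorize the training half.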
2.3. Correlation Analysis. Pearson's correlation coefficient method was applied to analyze the correlation between the selected features and classes (normal and attacks) for approving the significant subset feature as follows:
$$R = \frac{n\sum(x \times y) - (\sum x)(\sum y)}{\sqrt{\left[n\sum x^2 - (\sum x)^2\right] \times \left[n\sum y^2 - (\sum y)^2\right]}} \times 100 \tag{5}$$
where R is Pearson's correlation coefficient, x is the training input values of the features, y is the input values of classes (normal and attack), and n is the total number of input variables.
Table 3 summarizes Pearson's correlation coefficient method, which was employed to evaluate and examine the features selected by using the PSO method. It is noted that all 20 features have optimal correlation with normal class. However, the features, namely, Fwd_Byts/b_Avg and Bwd_Byts/b_Avg, have the strongest relationship (R = 100%) with normal class. Overall, all the features have a good relationship with normal class.
Table 4 shows Pearson's correlation coefficient method for finding the relationship between the most significant features obtained from the PSO method and attack class. It is noted that the Fwd_PSH_Flags, Fwd_Byts/b_Avg, and Bwd_Pkts/b_Avg features obtained R = 100%, whereas the FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, and ECE_Flag_Cnt features obtained R = 99.0%. We have confirmed that the features selected by employing the PSO method were appropriate for enhancing the intrusion detection system.
2.4. Deep Learning Algorithms. In this section, the three advanced deep learning algorithms are presented: CNN, LSTM, and CNN-LSTM.
Figure 4: Numbers of instances for each class of IoTID20 dataset. [Classes shown: Normal, DoS, Mirai ack flooding, Mirai UDP flooding, Mirai HTTP flooding, Mirai brute force, Scan port OS, Scan host port, MITM.]
2.4.1. Convolution Neural Network. Deep neural networks are part of artificial neural networks (ANNs) with multilayers. Over the last few decades, ANNs have been considered to be some of the most powerful algorithms for handling many real-time applications [45]. Deep learning algorithms use many deeper hidden layers to surpass classical ANN methods [46, 47]. A convolutional neural network is one of the most popular deep neural network algorithms, and it is named convolution by using mathematical linear operation between matrices. Our proposed CNN comprised five main layers: input, convolution, pooling, FC, and output. Figure 6 shows the structure of the CNN model used to develop the IoT cybersecurity system.
To extract features from cybersecurity-based IoT data, convolution layers were used. The convolution layers had multiple convolution kernels composed of the weight of the kernels. The convolution kernel is i, the weight coefficient is indicated by $w_i$, and the deviation quantity is $b_i$. The input convolution layer is $x_{i-1}$, and the convolution layer was processed using equation (6):
$$x_i = f(w_i \otimes x_{i-1} + b_i) \tag{6}$$
Figure 5: Particle swarm optimization algorithm steps for selecting subsets. [Flow: IoTID20 dataset attack, swarm initialization, fitness of particle pbest, fitness of particle gbest, update velocity, update position, evaluate the subset features; if no, repeat; if yes, obtained best subset features.]
Table 2: 21 significant features obtained by using the PSO method.
Total features: 21
Feature names: Src_IP, Fwd_Pkt_Len_Min, Flow_Pkts/s, Flow_IAT_Mean, Flow_IAT_Min, Fwd_IAT_Tot, Fwd_IAT_Mean, Bwd_IAT_Mean 1, Bwd_IAT_Max, Bwd_IAT_Min, Fwd_PSH_Flags, FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, ECE_Flag_Cnt, fwd_byts/b_avg, bwd_pkts/b_avg, Init_Bwd_Win_Byts, Active_Mean, Idle_Max, class
ALGORITHM 1: PSO algorithm.
(1) Initialize parameters: X_i^t is fitness, N numbers of particles
(2) Initialize population P_i_best
    while (number of generations or the stopping criterion is not met) {
(3)   for (i = 1 to N) {
(4)     if fitness X_i^t > fitness P_i_best
(5)     {
(6)       then update P_i_best = X_i^t
(7)       if the fitness of X_i^t > gbest then
(8)         then update gbest = X_i^t
(9)     }
(10)    Update velocity vector
(11)    Update particle position
(12)    Next particle
(13)  }
(14)  Next generation
    }
Table 3: Correlation coefficient between features and normal class.
Features             Normal
Src_IP               0.55
Fwd_Pkt_Len_Min      0.50
Flow_Pkts/s          0.50
Flow_IAT_Mean        0.64
Flow_IAT_Min         0.63
Fwd_IAT_Tot          0.80
Fwd_IAT_Mean         0.89
Bwd_IAT_Mean         0.62
Bwd_IAT_Max          0.62
Bwd_IAT_Min          0.62
Fwd_PSH_Flags        0.1
FIN_Flag_Cnt         0.99
RST_Flag_Cnt         0.99
CWE_Flag_Count       0.99
ECE_Flag_Cnt         0.99
Fwd_Byts/b_Avg       0.1
Bwd_Pkts/b_Avg       0.1
Init_Bwd_Win_Byts    0.58
Active_Mean          0.1
Idle_Max             0.50
Table 4: Correlation coefficient between features and attack class.
Features             Attack
Src_IP               0.55
Fwd_Pkt_Len_Min      0.50
Flow_Pkts/s          0.50
Flow_IAT_Mean        0.50
Flow_IAT_Min         0.68
Fwd_IAT_Tot          0.69
Fwd_IAT_Mean         0.84
Bwd_IAT_Mean         0.63
Bwd_IAT_Max          0.63
Bwd_IAT_Min          0.63
Fwd_PSH_Flags        0.1
FIN_Flag_Cnt         0.99
RST_Flag_Cnt         0.99
CWE_Flag_Count       0.99
ECE_Flag_Cnt         0.99
Fwd_Byts/b_Avg       0.1
Bwd_Pkts/b_Avg       0.1
Init_Bwd_Win_Byts    0.53
Active_Mean          0.94
Idle_Max             0.87
where $x_i$ is the output convolution layer, i is the convolution kernel, $\otimes$ is the convolution operation, and f(x) is the activation function.
The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:
$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1 \tag{7}$$
where tanh is the function and x is the training input data.
$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right) \tag{8}$$
where $Q_j$ is the output results from the IoT cybersecurity dataset, j is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.
The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:
$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}} \tag{9}$$
where i and $z_i$ are the output from previous layers, $O_i$ indicates the output of the softmax function, and M is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].
The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates "completely discarded" and 1 indicates "completely retained". The current state is represented by $c_t$ as follows:
$$\begin{aligned}
h_t &= \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),\\
f_t &= \sigma\left(W^{(f)} X_t + U^{(f)} h_{t-1} + b^{(f)}\right)
\end{aligned} \tag{10}$$
where $h_t$ is input training data, and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$, the significant parameters of the LSTM are weight $W^{(f)}$, and $b^{(f)}$ is bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:
$$\begin{aligned}
i_t &= \sigma\left(W^{(i)} X_t + U^{(i)} h_{t-1} + b^{(i)}\right),\\
m_t &= \tanh\left(W^{(m)} X_t + U^{(m)} h_{t-1} + b^{(m)}\right),\\
c_t &= i_t \cdot m_t + f_t \cdot c_{t-1}
\end{aligned} \tag{11}$$
When the cell state $c_{t-1}$ is the cell state from the previous cell, which was used to update by using cell state $c_t$, the new information must be discarded, and $f_t c_{t-1}$ and $i_t m_t$ are combined to obtain the next cell state as follows:
$$\begin{aligned}
o_t &= \sigma\left(W^{(o)} X_t + U^{(o)} h_{t-1} + b^{(o)}\right),\\
h_t &= o_t \cdot \tanh(c_t)
\end{aligned} \tag{12}$$
where $o_t$ is the output gate and the weight vector of the neural network is represented by W, U, and V. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. [Layers shown: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.]
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method with the size of 20 × 625783 to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
3. Results
In this section, results of the proposed framework for detecting intrusions are presented.
3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.
Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. [Gates shown: input (does X(t) matter?), new memory (compute new memory), forget (should c(t−1) be forgotten?), output (how much c(t) should be exposed?).]
3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
$$\begin{aligned}
\text{accuracy} &= \frac{TP + TN}{FP + FN + TP + TN},\\
\text{specificity} &= \frac{TN}{TN + FP} \times 100,\\
\text{sensitivity} &= \frac{TP}{TP + FN} \times 100,\\
\text{recall} &= \frac{TP}{TP + FN} \times 100,\\
\text{F1-score} &= 2 * \frac{\text{precision} * \text{recall}}{\text{precision} + \text{recall}} \times 100
\end{aligned} \tag{13}$$
where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
3.3. Results and Discussion. The experiments were conducted using a real IoT based on cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.
The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.
To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model. [Pipeline: original data (80 × 625783), preprocessing, PSO method for dimensionality reduction (20 × 625783), convolution and max pooling layers, LSTM layers, flatten, fully connected, classification (normal, attacks).]
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased as the number of epochs increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.

Table 5: Experiment environment setup.

| Hardware | Environment |
|---|---|
| Operation system | Windows 10 |
| CPU | I7 |
| Memory | 8 |
| Development environment | Jupyter Python 3.6 |

Table 6: Parameters of the proposed model.

| Parameter name | Value |
|---|---|
| Convolutions filters | 100 |
| Kernel size of filter | 3 |
| Max pooling size | 2 |
| Drop out | 0.50 |
| Fully connected layer | 256 |
| Activation function | Tanh |
| Classification function | Softmax |
| Optimizer | RMSprop |
| Epochs | 10 |
| Batch size | 5000 |

Figure 9: Size of sample for training and testing. (Training: 438048; testing: 187735.)

Table 7: Confusion matrices for the proposed framework in testing phase.

| Models | TP | TN | FP | FN |
|---|---|---|---|---|
| CNN | 171895 | 9512 | 2592 | 3736 |
| LSTM | 174918 | 9101 | 3003 | 713 |
| CNN-LSTM | 175059 | 9346 | 2758 | 572 |
The proposed methodology was compared with research work that generated these data by Ullah et al. [49], who proposed a machine learning algorithm, namely, SVM and Gaussian Naïve Bayes (NB), linear discriminant analysis (LDA), and decision tree and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).

Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model.

Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model.

Table 8: Results of the proposed system for the validation phase.

| Models | Precision (%) | Sensitivity (%) | Specificity (%) | F1-score (%) | Accuracy (%) | Time (second) |
|---|---|---|---|---|---|---|
| CNN | 98.40 | 99.0 | 77.20 | 98.70 | 96.60 | 80 |
| LSTM | 98.0 | 99.70 | 71.60 | 98.90 | 98.20 | 160 |
| CNN-LSTM | 98.40 | 99.20 | 77.40 | 98.80 | 98.0 | 80 |

Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. (Curves: training loss and validation loss against number of epochs.)

Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model. (Curves: training loss and validation loss against number of epochs.)

Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. (Curves: training accuracy and validation accuracy against number of epochs.)
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. (Bars: accuracy, precision, and F1-score for each model.)

Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. (Curves: training accuracy and validation accuracy against number of epochs.)

Table 9: Comparison of the proposed and existing model results.

| Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second) |
|---|---|---|---|---|---|---|
| SVM | 55 | - | - | 37 | 40 | |
| Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 | |
| LDA | 71 | | | 62 | 70 | |
| Decision tree | 85 | | | 88 | 88 | |
| Random forest | 85 | | | 84 | 84 | |
| Ensemble | 87 | | | 87 | 87 | |
| CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80 |
| LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160 |
| CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80 |
4. Conclusion
We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:
(1) The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
(2) Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
(3) The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels: attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, "Adaptive anomaly detection framework model objects in cyberspace," Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, "Intelligent time series model to predict bandwidth utilization," International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, "Big data for cybersecurity: vulnerability disclosure trends and dependencies," Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, "MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning," Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, "A comprehensive survey for intelligent spam email detection," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni, et al., "Intelligent hybrid model to enhance time series models for predicting network traffic," Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, "IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture," Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, "Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities," Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, "A Review of Network Traffic Analysis and Prediction Techniques," p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, "Analysis of dimensionality reduction in intrusion detection," International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, "Use of data visualisation for zero-day malware detection," Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, "Electricity theft detection in AMI using customers' consumption patterns," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, "Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining," in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, "Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid," in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, "Decision tree and SVM-based data analytics for theft detection in smart grid," Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, "Intrusion detection system for the detection of blackhole attacks in a smart grid," in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, "Intrusion detection and prevention for ZigBee-based home area networks in smart grids," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, "Electricity theft detection in smart grid systems: a CNN-LSTM based approach," Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang, et al., "HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection," Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, "Applying convolutional neural network for network intrusion detection," in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, "CNN and GRU based deep neural network for electricity theft detection to secure smart grid," in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, "CNID: research of network intrusion detection based on convolutional neural network," Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, "An intrusion detection model based on feature reduction and convolutional neural networks," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, "Wireless network intrusion detection based on improved convolutional neural network," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, "A review on intrusion detection techniques and intrusion detection systems in MANETs," in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, "Intrusion detection systems in Internet of Things: a literature review," in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, "A brief introduction to intrusion detection system," in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, "An automata based intrusion detection method for internet of things," Mobile Information Systems, vol. 2017, 2017, Article ID 1750637.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, "Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs," in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, "Intrusion detection system for internet of things based on a machine learning approach," in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, "Agent-based internet of things: state-of-the-art and research challenges," Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, "An intrusion detection method for internet of things based on suppressed fuzzy clustering," EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, "DEMO: an IDS framework for internet of things empowered by 6LoWPAN," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, "Attack identification framework for IoT devices," Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, "Internet of Things: a survey on machine learning-based intrusion detection approaches," Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, "Distributed attack detection scheme using deep learning approach for Internet of Things," Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, "A reference model for internet of things middleware," Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, "Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning," Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, "An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets," Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, "Particle swarm optimization," in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, "A hybrid network intrusion detection system using simplified swarm optimization (SSO)," Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, "The use of computational intelligence in intrusion detection systems: a review," Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, "Botnet detection in the internet of things using deep learning approaches," in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, "Water quality prediction using artificial intelligence algorithms," Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, "Intrusion detection for IoT devices based on RF fingerprinting using deep learning," in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, "Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network," Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, "A scheme for generating a dataset for anomalous activity detection in IoT networks," in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
systems, networks, and data from malicious attacks. It is also known as information technology security [6–9]. These intrusions affect systems by altering the file system, escalating privileges, making unauthorized logins, accessing sensitive files, and using malware (e.g., viruses, Trojan horses, and worms), which can change the state of the network. Network intrusions occur when incoming packets in the network system perform behaviors such as denial of service (DoS) attacks or even attempts to break into the system. DoS attacks are attempts to make computer resources unavailable to their intended users, for example, land attacks, ping of death (POD), and flood attacks. Indications of intrusion include abnormal results when executing user commands, slow system performance, sudden system crashes, changes in parts of data structures, and unusually slow operations (e.g., opening files or accessing sites).
Attackers exploit unknown vulnerabilities and bypass known signatures. The IoT environment is based on a smart grid that uses sensor devices, and these devices connect to each other to pass information. Figure 1 displays the world population and the number of sensor devices required for protection from attackers. With the exponential growth of IoT use, the IoT has become a smart object for attackers to achieve their targets. Therefore, artificial intelligence based on deep learning algorithms can be used to detect unknown vulnerabilities using sensor devices [10].
Artificial intelligence is a kind of information-driven approach in which the first step is to understand the data. Various types of data represent specific attack behaviors, including host behaviors and network activities. Server logs reflect host behaviors, and network traffic represents network behaviors. There are several types of attacks, with each having a particular pattern. Therefore, it is important to select suitable data sources to detect various attacks as per the features of the threat. One of the key features of a DoS attack, for example, is to send several packets in a very short time; thus, flow data are ideal for DoS attack detection. A hidden channel includes a data-leaking operation between two different IP addresses and is best detected using session data. Therefore, the advance of deep learning algorithms can help detect these network behaviors [11, 12].
Many studies have proposed the development of network security systems, and artificial intelligence plays a primary role in the area of cybersecurity based on IoT for designing an intelligent system for security in the IoT environment. The proposed research aimed to develop an intelligent model that could help secure the IoT structure and devices from threats. Currently, most companies and organizations have undergone digital transformations through IoT devices. However, this has created new complexities and vulnerabilities that, once cybercriminals learn about them, can be quickly exploited. Jokar et al. [13] developed classification algorithms to detect abnormal electricity consumption. Alseiari et al. [14] used soft computing based on clustering technology to monitor network traffic in advanced metering infrastructure (AMI). Vijayanand et al. [15] applied a multiclass support vector machine (SVM) for intrusion detection, where decision tree algorithms gave very powerful results compared with an SVM proposed by Jindal et al. [16]. Boumkheld et al. [17] used a traditional machine learning algorithm over a naive Bayesian network to test the ability of this algorithm to detect intrusions. Zigbee-based Q-learning was proposed by Jokar et al. [18] to protect networks from intrusion; they found it the best strategy for monitoring system attacks. Hasan et al. [19] proposed a hybrid convolution neural network (CNN) with long short-term memory (LSTM) to classify the characteristics of electricity information, and the use of a hierarchy to select significant features from intrusion detection networks was proposed by Wang et al. [20]. CNN and LSTM algorithms have been applied to detect attacks [21]. Ullah et al. [22] introduced a hybrid deep neural network to detect intrusion by combining a CNN and a gated recurrent unit. A particle swarm optimization (PSO) algorithm has been used to select significant features from data, and a developing system can automatically perform the processes of selecting features and classifications. In Liu et al.'s [23] research, a CNN algorithm was applied to identify attacks, and it was noted that deep learning based on the CNN improved the system. Xiao et al. [24] adopted an autoencoder to reduce the dimension of the intrusion detection data to decrease the interference of redundant features; these features were processed using a CNN to classify the attacks. Yang et al. [25] used a CNN to detect intrusion for improved extraction of features across layers, and feature fusion has been used to obtain comprehensive features. Yang et al. [26] developed a system to secure the IoT in the healthcare environment; it controlled traffic and made the healthcare environment smarter. Furthermore, security methods have been developed for IoT systems, as described in [27–29]. Other algorithms applied as solutions for the security of DNP3 traffic include statistical approaches and machine learning [30, 31]. Keliris et al. [32] used the support vector machine (SVM) algorithm for intrusion classification, and it was noted that the SVM performed well. It has been suggested that a detection system using machine learning techniques in power systems would be feasible for detecting malicious states [33]. Arrignton et al. introduced a machine learning algorithm based on anomaly-based intrusion detection for the protection of IoT devices. Liu et al. [34] developed an IDS using suppressed fuzzy clustering and principal component analysis (PCA) algorithms. Kasinathan et al. [35] developed a signature-based IDS for low-power wireless personal area network (6LoWPAN)-based IoT networks; this system aimed to detect DoS attacks with the highest accuracy. Danda et al. [36] designed a host-based IDS for the security of IoT network devices using rule-based detection.
Cho et al. [37] proposed machine learning algorithms to detect botnet attacks at the host and network levels in the IoT environment. The feature selection method was presented to select the features of malicious attack behaviors. Diro and Chilamkurti [38] introduced deep learning to classify intrusions at the host level in IoT. Cruz et al. [39] proposed the intelligent mechanism model to detect the intrusion based on the decision making method; moreover, a recurrent neural network (RNN) was developed to improve the previous model [40].
Currently, artificial intelligence based on machine learning and deep learning algorithms for data-processing capabilities provides the most effective value to the area of cyber defense by uncovering patterns, shapes, and outliers that indicate potential incidents, even if these do not align with known attack patterns [41]. An IDS is a commonly used security tool for protecting the IoT and its infrastructure from unseen and unpredictable intrusions and mitigating them. There are few studies on IDSs in the IoT based on artificial intelligence; therefore, developing a framework and achieving optimal results are the biggest challenges due to the network data being imbalanced. Our target was to develop a secure movable framework for securing large IoT networks. Here, we present advanced artificial intelligence such as deep learning models, namely, CNN, LSTM, and combined CNN-LSTM algorithms. We have significantly expanded the framework to integrate a deep learning algorithm to familiarize it with changing threats to the IoT network for anomaly detection. The main contributions of this study are as follows:
(1) Use of advanced artificial intelligence algorithms such as CNN, LSTM, and a hybrid CNN-LSTM to develop a system to detect intrusions into the IoT environment.
(2) The proposed system was developed using IoT network data that are not commonly used; this dataset was generated in 2020 and was the biggest challenge for developing a robust framework.
(3) The proposed system was compared with a research article that developed these data. It was noted that the results of our system were superior.
2. Materials and Methods
Figure 2 displays the framework of the proposed system for detecting IoT environment intrusions. The proposed system is composed of several phases, which are evaluated to obtain the best accuracy. The components of the proposed system are described in the following sections.
2.1. IoTID20 Dataset Attack. For this experiment, an IoTID20 dataset attack was used to test the proposed framework. The IoTID20 dataset was collected from IoT devices and interconnecting structures; the IoT devices, such as SKT NGU and EZVIZ Wi-Fi cameras, were connected to or installed in a smart home environment to create the IoTID20 dataset. Figure 3 shows the environment of the IoTID20 dataset; the laptops, tablets, and smartphone devices were connected by Wi-Fi to the smart home router. The SKT NGU and EZVIZ Wi-Fi cameras were IoT victim devices, and all other devices in the testbed were the attacking devices.
The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels: attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4. This dataset was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home.
2.2. Particle Swarm Optimization Method. Preprocessing is a very important stage for improving classification algorithms. IoT data have various types of formats and dimensionality; therefore, dimensionality reduction was necessary to select significant features from the data. The PSO method has been suggested for handling important features from network datasets for detecting malicious attacks. PSO is a population-based computation intelligence method suggested by Eberhart and Kennedy [42], and it is an operative and respected global search system [43]. The PSO algorithm is called a reasonable algorithm because of its simple feature coding, global search, computational reasonability, fewer parameters, and less demanding execution to address and select important feature problems [44]. PSO is used to find important features. Figure 5 shows the particle swarm optimization algorithm steps for selecting significant features from an intrusion network dataset. PSO uses the principal space method for searching space using a subset of primary components that have explored and selected features. For the PSO method, particles are used to represent solutions from the population in the search space, which is called a swarm. The particles are generated by distributing 1 and 0 randomly in the particle; if a component of the particle is 1, the corresponding feature is chosen, and if the component is 0, it is ignored. To make the PSO more powerful, it works randomly and travels in the search space to search for an optimal subset of features by updating position and velocity. The position of particle i and its velocity are shown in the following equations:

Figure 1: Projecting the "things" behind the internet of things (IoT). (Curves: world population and IoT devices, 2003 to 2020.)
Figure 2: Generic framework of the proposed system. (Diagram labels: IoTID20 dataset attack, preprocessing, PSO, 21 features, deep learning, CNN model, LSTM model, CNN-LSTM models, evaluation performance of IDS.)

Figure 3: IoTID20 dataset testbed environment. (Diagram labels: AI speaker, security camera, access point, smart phone, Wireshark, laptop with Wireshark and attacking tool script.)

Table 1: IoTID20 dataset attacks.
Dos | Mirai | Mitm | Scan
Syn flooding Host brute force HTTP flooding UDP flooding ARP spoofing services Host port os
$$x_i = \{x_{i1}, x_{i2}, \ldots, x_{iD}\} \quad (1)$$

$$v_i = \{v_{i1}, v_{i2}, \ldots, v_{iD}\} \quad (2)$$

where D indicates the search space of the particle. Equation (3) was used to calculate the velocity and position for search space as follows:

$$v_{id}^{t+1} = w \ast v_{id}^{t} + c_1 \ast r_{1i} \ast \left(p_{id} - x_{id}^{t}\right) + c_2 \ast r_{2i} \ast \left(p_{gd} - x_{id}^{t}\right) \quad (3)$$

$$v_{id}^{t+1} = v_{id}^{t} + v_{id}^{t+1} \quad (4)$$

where $d$ is the dimension in the search space, $t$ denotes the iteration in the process for search space, $w$ is the inertia weight, $c_1$ and $c_2$ are acceleration constants, $r_{1i}$ and $r_{2i}$ are random values distributed in 0 and 1, and $p_{id}$ and $p_{gd}$ represent the pbest and gbest in dimension space in the search space. The values of location and velocity in each particle are updated until they obtain the best features. Then, the condition is stopped when the iteration reaches the maximum number and obtains satisfactory fitness values.
The IoTID20 dataset was very big, with around 6332562 instances for improving the deep learning algorithms. The PSO algorithm was proposed for handling dimensionality reduction. Twenty-one of the most significant features were selected to develop the system. The PSO method used position and velocity for searching the best road to obtain appropriate features from the dataset. We used Iteration 19 gbest, and the value of fitness was 90666351, whereas Iteration 20 was used for gbest, and the value of fitness was 90666351. The significant features obtained using the PSO method are presented in Table 2 (Algorithm 1).
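Added example (not the authors' code): a binary PSO feature selector in which each particle is a 0/1 mask over the features and the velocity follows equation (3). The sigmoid position rule, the fitness function (held-out nearest-centroid accuracy minus a per-feature penalty), the parameter values, and the constructed toy data are assumptions, since the page does not give them.

```python
import math
import random

# Constructed toy data (not IoTID20): 40 "flows" with 8 features.
# Columns 0 and 5 equal the class label; the other six columns follow a fixed
# pattern whose mean is identical in both classes, so they carry no signal.
N_FEATURES = 8
INFORMATIVE = (0, 5)


def make_toy_flows(n=40):
    rows, labels = [], []
    for i in range(n):
        label = i % 2                      # 0 = normal, 1 = attack
        row = [((7 * i + 3 * j) % 5) / 4 for j in range(N_FEATURES)]
        for j in INFORMATIVE:
            row[j] = float(label)
        rows.append(row)
        labels.append(label)
    return rows, labels


X, Y = make_toy_flows()
X_TRAIN, Y_TRAIN, X_TEST, Y_TEST = X[:20], Y[:20], X[20:], Y[20:]


def toy_fitness(mask, penalty=0.01):
    """Held-out accuracy of a nearest-centroid classifier on the selected
    columns, minus a small cost per selected feature (assumed fitness)."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return -1.0                        # an empty subset is never acceptable
    centroids = {}
    for c in (0, 1):
        members = [r for r, lab in zip(X_TRAIN, Y_TRAIN) if lab == c]
        centroids[c] = [sum(r[j] for r in members) / len(members) for j in cols]
    hits = 0
    for row, lab in zip(X_TEST, Y_TEST):
        dist = [sum((row[j] - m) ** 2 for j, m in zip(cols, centroids[c]))
                for c in (0, 1)]
        hits += (0 if dist[0] <= dist[1] else 1) == lab
    return hits / len(Y_TEST) - penalty * len(cols)


def binary_pso(fitness, dim, n_particles=12, iters=30,
               w=0.7, c1=1.5, c2=1.5, v_max=4.0, seed=1):
    """Return (gbest mask, gbest fitness, gbest fitness per iteration)."""
    rng = random.Random(seed)
    xs = [[rng.randint(0, 1) for _ in range(dim)] for _ in range(n_particles)]
    xs[0] = [1] * dim                      # one particle starts from all features
    vs = [[0.0] * dim for _ in range(n_particles)]
    pbest = [x[:] for x in xs]
    pfit = [fitness(x) for x in xs]
    best = max(range(n_particles), key=pfit.__getitem__)
    gbest, gfit = pbest[best][:], pfit[best]
    history = [gfit]
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(dim):
                # Equation (3): inertia + pull toward pbest + pull toward gbest.
                v = (w * vs[i][d]
                     + c1 * rng.random() * (pbest[i][d] - xs[i][d])
                     + c2 * rng.random() * (gbest[d] - xs[i][d]))
                vs[i][d] = max(-v_max, min(v_max, v))
                # Assumed position rule for 0/1 particles: sigmoid(v) is the
                # probability that the bit is set.
                p_one = 1.0 / (1.0 + math.exp(-vs[i][d]))
                xs[i][d] = 1 if rng.random() < p_one else 0
            f = fitness(xs[i])
            if f > pfit[i]:
                pbest[i], pfit[i] = xs[i][:], f
            if f > gfit:
                gbest, gfit = xs[i][:], f
        history.append(gfit)
    return gbest, gfit, history


def select_features(seed=1):
    return binary_pso(toy_fitness, N_FEATURES, seed=seed)


if __name__ == "__main__":
    mask, fit, hist = select_features()
    print("selected columns:", [j for j, b in enumerate(mask) if b])
    print("fitness:", round(fit, 3), "after", len(hist) - 1, "iterations")
```

The per-feature penalty is what pushes the swarm toward small subsets; with it set to zero, any mask containing an informative column scores the same on this toy data.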
2.3. Correlation Analysis. Pearson's correlation coefficient method was applied to analyze the correlation between the selected features and classes (normal and attacks) for approving the significant subset feature as follows:
$$R = \frac{n \sum (x \times y) - \left(\sum x\right)\left(\sum y\right)}{\sqrt{\left[n \left(\sum x^2\right) - \left(\sum x\right)^2\right] \times \left[n \left(\sum y^2\right) - \left(\sum y\right)^2\right]}} \times 100 \tag{5}$$
where R is Pearson's correlation coefficient approach, x is training input values of the features, y is input values of classes (normal and attack), and n is total number of input variables.
Table 3 summarizes Pearson's correlation coefficient method, which was employed to evaluate and examine the features selected by using the PSO method. It is noted that all 20 features have optimal correlation with normal class. However, the features, namely, Fwd_Bytsb_Avg and Bwd_Bytsb_Avg, have the strongest relationship (R = 100) with normal class. Overall, all the features have a good relationship with normal class.
Table 4 shows Pearson's correlation coefficient method for finding the relationship between the most significant features obtained from the PSO method and the attack class. It is noted that the Fwd_PSH_Flags, Fwd_Bytsb_Avg, and Bwd_Pktsb_Avg features obtained R = 100, whereas the FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, and ECE_Flag_Cnt features obtained R = 990. We have confirmed that the features selected by employing the PSO method were appropriate for enhancing the intrusion detection system.
2.4. Deep Learning Algorithms. In this section, the three advanced deep learning algorithms are presented: CNN, LSTM, and CNN-LSTM.
2.4.1. Convolution Neural Network. Deep neural networks are part of artificial neural networks (ANNs) with multilayers. Over the last few decades, ANNs have been considered to be some of the most powerful algorithms for handling many real-time applications [45]. Deep learning algorithms use many deeper hidden layers to surpass classical ANN methods [46, 47]. A convolutional neural network is one of the most popular deep neural network algorithms, and it is named convolution by using mathematical linear operation between matrices. Our proposed CNN comprised five main layers: input, convolution, pooling, FC, and output. Figure 6 shows the structure of the CNN model used to develop the IoT cybersecurity system.
Figure 4: Numbers of instances for each class of IoTID20 dataset (classes: Mirai ack flooding, Mirai UDP flooding, DoS, Mirai HTTP flooding, Scan port OS, Normal, Mirai brute force, Scan host port, MITM).
To extract features from cybersecurity-based IoT data, convolution layers were used. The convolution layers had multiple convolution kernels composed of the weight of the kernels. The convolution kernel is i, the weight coefficient is indicated by $w_i$, and the deviation quantity is $b_i$. The input convolution layer is $x_{i-1}$, and the convolution layer was processed using equation (5):
$$x_i = f\left(w_i \otimes x_{i-1} + b_i\right) \tag{6}$$
Figure 5: Particle swarm optimization algorithm steps for selecting subsets (IoTID20 dataset attack; swarm initialization; fitness of particle Pbest; fitness of particle gbest; update velocity; update position; evaluate the subset features; No/Yes decision; obtained best subset features).
Table 2: 21 significant features obtained by using the PSO method.
Total features: 21
Feature names: Src_IP, Fwd_Pkt_Len_Min, Flow_Pktss, Flow_IAT_Mean, Flow_IAT_Min, Fwd_IAT_Tot, Fwd_IAT_Mean, Bwd_IAT_Mean, Bwd_IAT_Max, Bwd_IAT_Min, Fwd_PSH_Flags, FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, ECE_Flag_Cnt, fwd_bytsb_avg, bwd_pktsb_avg, Init_Bwd_Win_Byts, Active_Mean, Idle_Max, class
Initialize parameters: $X_i^t$ is fitness, N is the number of particles
Initialize population Pi_best
while (number of generations or the stopping criterion is not met)
    for (i = 1 to N)
        if fitness $X_i^t$ > fitness Pi_best
            then update Pi_best = $X_i^t$
        if the fitness of $X_i^t$ > gbest
            then update gbest = $X_i^t$
        Update velocity vector
        Update particle position
        Next particle
    Next generation
ALGORITHM 1: PSO algorithm.
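A minimal run of the loop in Algorithm 1 with the velocity rule of equation (3), followed by the equation (5) correlation check of Section 2.3; this is an added example, not the authors' code. The paper does not state its fitness function or how a velocity becomes a 0/1 bit, so the nearest-centroid accuracy with a per-feature penalty and the sigmoid transfer rule used here are assumptions, and the flow records are constructed rather than taken from IoTID20.

```python
import math
import random

# Constructed flow records (NOT IoTID20 data). Column names are borrowed from
# Table 2 purely as labels; only the first two columns carry class signal.
FEATURES = ["Fwd_IAT_Mean", "Active_Mean", "Flow_IAT_Min",
            "Idle_Max", "Src_IP", "Init_Bwd_Win_Byts"]
INFORMATIVE = {0, 1}
PENALTY = 0.01  # assumed cost per selected feature (not from the paper)


def make_dataset(n=200, seed=7):
    """Rows k=0,1 are normal, k=2,3 attack, and so on; values are synthetic."""
    rng = random.Random(seed)
    rows, labels = [], []
    for k in range(n):
        y = (k // 2) % 2  # 0 = normal, 1 = attack
        rows.append([rng.gauss(6.0 * y if j in INFORMATIVE else 0.0, 1.0)
                     for j in range(len(FEATURES))])
        labels.append(y)
    return rows, labels


def fitness(mask, rows, labels):
    """Assumed fitness: held-out nearest-centroid accuracy minus a size penalty."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0  # an empty subset cannot classify anything
    train, test = range(0, len(rows), 2), range(1, len(rows), 2)
    centroid = {}
    for c in (0, 1):
        members = [rows[i] for i in train if labels[i] == c]
        centroid[c] = [sum(r[j] for r in members) / len(members) for j in cols]
    hits = 0
    for i in test:
        dist = {c: sum((rows[i][j] - m) ** 2 for j, m in zip(cols, centroid[c]))
                for c in (0, 1)}
        hits += min(dist, key=dist.get) == labels[i]
    return hits / len(test) - PENALTY * len(cols)


def binary_pso(rows, labels, n_particles=12, iterations=25,
               w=0.7, c1=1.5, c2=1.5, seed=1):
    """Algorithm 1 over 0/1 feature masks; returns (gbest, fitness, history)."""
    rng = random.Random(seed)
    dim = len(rows[0])
    x = [[rng.randint(0, 1) for _ in range(dim)] for _ in range(n_particles)]
    v = [[0.0] * dim for _ in range(n_particles)]
    pbest = [p[:] for p in x]
    pbest_fit = [fitness(p, rows, labels) for p in x]
    g = max(range(n_particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    history = [gbest_fit]
    for _ in range(iterations):
        for i in range(n_particles):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                # Equation (3): inertia + pull towards pbest + pull towards gbest.
                v[i][d] = (w * v[i][d] + c1 * r1 * (pbest[i][d] - x[i][d])
                           + c2 * r2 * (gbest[d] - x[i][d]))
                v[i][d] = max(-4.0, min(4.0, v[i][d]))  # keep sigmoid unsaturated
                # Assumed binary position update: sigmoid(v) is P(bit = 1).
                x[i][d] = 1 if rng.random() < 1.0 / (1.0 + math.exp(-v[i][d])) else 0
            f = fitness(x[i], rows, labels)
            if f > pbest_fit[i]:
                pbest[i], pbest_fit[i] = x[i][:], f
            if f > gbest_fit:
                gbest, gbest_fit = x[i][:], f
        history.append(gbest_fit)
    return gbest, gbest_fit, history


def pearson_percent(xs, ys):
    """Equation (5): Pearson's R between a feature column and the class, x 100."""
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxy = sum(a * b for a, b in zip(xs, ys))
    sxx, syy = sum(a * a for a in xs), sum(b * b for b in ys)
    den = math.sqrt((n * sxx - sx ** 2) * (n * syy - sy ** 2))
    return 0.0 if den == 0 else 100.0 * (n * sxy - sx * sy) / den


def select_and_check(seed=1):
    """Run the selection, then score every column against the class label."""
    rows, labels = make_dataset()
    mask, fit, history = binary_pso(rows, labels, seed=seed)
    chosen = [FEATURES[j] for j, bit in enumerate(mask) if bit]
    corr = {FEATURES[j]: pearson_percent([r[j] for r in rows], labels)
            for j in range(len(FEATURES))}
    return chosen, fit, history, corr


if __name__ == "__main__":
    print(select_and_check())
```

Because gbest is replaced only on a strict improvement, the fitness history never decreases, which is a quick sanity check on any PSO implementation used for feature selection.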
Table 3: Correlation coefficient between features and normal class.
Features | Normal
Src_IP | 055
Fwd_Pkt_Len_Min | 050
Flow_Pktss | 050
Flow_IAT_Mean | 064
Flow_IAT_Min | 063
Fwd_IAT_Tot | 080
Fwd_IAT_Mean | 089
Bwd_IAT_Mean | 062
Bwd_IAT_Max | 062
Bwd_IAT_Min | 062
Fwd_PSH_Flags | 01
FIN_Flag_Cnt | 099
RST_Flag_Cnt | 099
CWE_Flag_Count | 099
ECE_Flag_Cnt | 099
Fwd_Bytsb_Avg | 01
Bwd_Pktsb_Avg | 01
Init_Bwd_Win_Byts | 058
Active_Mean | 01
Idle_Max | 050
Table 4: Correlation coefficient between features and attack class.
Features | Attack
Src_IP | 055
Fwd_Pkt_Len_Min | 050
Flow_Pktss | 050
Flow_IAT_Mean | 050
Flow_IAT_Min | 068
Fwd_IAT_Tot | 069
Fwd_IAT_Mean | 084
Bwd_IAT_Mean | 063
Bwd_IAT_Max | 063
Bwd_IAT_Min | 063
Fwd_PSH_Flags | 01
FIN_Flag_Cnt | 099
RST_Flag_Cnt | 099
CWE_Flag_Count | 099
ECE_Flag_Cnt | 099
Fwd_Bytsb_Avg | 01
Bwd_Pktsb_Avg | 01
Init_Bwd_Win_Byts | 053
Active_Mean | 094
Idle_Max | 087
where $x_i$ is the output convolution, i is the convolution kernel, $\otimes$ is the convolution operation, and f(x) is the activation function.
The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:
$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1 \tag{7}$$
where tanh is the function and x is the training input data.
$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right) \tag{8}$$
where $Q_j$ is the output results from the IoT cybersecurity dataset, j is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.
The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:
$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}} \tag{9}$$
where i and $z_i$ are the output from previous layers, $O_i$ indicates the output of softmax function, and M is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].
The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates "completely discarded" and 1 indicates "completely retained". The current state is represented by $c_t$ as follows:
$$h_t = \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right)$$
$$f_t = \sigma\left(W^{(f)} + X_t + U^{(f)} h_{t-1} + b^{(f)}\right) \tag{10}$$
where $h_t$ is input training data and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$, the significant parameters of the LSTM are weight $W^{(f)}$, and $b^{(f)}$ is bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:
$$i_t = \sigma\left(W^{(i)} + X_t + U^{(i)} h_{t-1} + b^{(i)}\right)$$
$$m_t = \tanh\left(W^{(m)} + X_t + U^{(m)} h_{t-1} + b^{(m)}\right)$$
$$c_t = i_t \cdot m_t + f_t \cdot c_{t-1} \tag{11}$$
When the cell state $c_{t-1}$ is the cell state from the previous cell, which was used to update by using cell state $c_t$, the new information must be discarded, and $f_t c_{t-1}$ and $i_t m_t$ are combined to obtain the next cell state as follows:
$$o_t = \sigma\left(W^{(o)} + X_t + h_{t-1} + b^{(o)}\right)$$
$$h_t = o_t \cdot \tanh\left(c_t\right) \tag{12}$$
where $o_t$ is the output gate, and the weight vector of the neural network is represented by W, U, and V. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions (layers: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected).
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
3. Results
In this section, results of the proposed framework for detecting intrusion are presented.
3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.
Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.
3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions (panels: Input, does X(t) matter; New memory, compute new memory; Forget, should c(t−1) be forgotten; Output, how much c(t) should be exposed).
$$\text{accuracy} = \frac{TP + TN}{FP + FN + TP + TN}$$
$$\text{specificity} = \frac{TN}{TN + FP} \times 100$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100$$
$$\text{F1-score} = \frac{2 * \text{precision} * \text{Recall}}{\text{precision} * \text{Recall}} \times 100 \tag{13}$$
where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
3.3. Results and Discussion. The experiments were conducted using a real IoT based on cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.
The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.
To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 9884, 9960, 7772, 9900, and 9882 with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the training loss increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.
Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model (original data 80 × 625783; preprocessing; PSO method, dimensionality reduction; 20 × 625783; convolution, convolution, max pooling, convolution, convolution, max pooling; LSTM layers; flatten; fully connected; classification: normal, attacks).
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy, and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.
Table 5: Experiment environment setup.
Hardware | Environment
Operation system | Windows 10
CPU | I7
Memory | 8
Development environment | Jupyter Python 36
Table 6: Parameters of the proposed model.
Parameter name | Value
Convolutions filters | 100
Kernel size of filter | 3
Max pooling size | 2
Drop out | 050
Fully connected layer | 256
Activation function | Tanh
Classification function | Softmax
Optimizer | RMSprop
Epochs | 10
Batch size | 5000
Figure 9: Size of sample for training and testing (training: 438048; testing: 187735).
Table 7: Confusion matrices for the proposed framework in testing phase.
Models | TP | TN | FP | FN
CNN | 171895 | 9512 | 2592 | 3736
LSTM | 174918 | 9101 | 3003 | 713
CNN-LSTM | 175059 | 9346 | 2758 | 572
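The detection metrics recomputed from the counts printed in Table 7, as an added example (not the authors' code). F1 is computed in the standard harmonic-mean form 2PR/(P+R); the false-alarm rate on normal traffic, the balanced accuracy and the accuracy of a detector that always answers "attack" are additions, included because only 12104 of the 187735 test flows in Table 7 are normal.

```python
# Test-phase confusion-matrix counts exactly as printed in Table 7
# (positive class = attack, negative class = normal).
TABLE_7 = {
    "CNN":      {"tp": 171895, "tn": 9512, "fp": 2592, "fn": 3736},
    "LSTM":     {"tp": 174918, "tn": 9101, "fp": 3003, "fn": 713},
    "CNN-LSTM": {"tp": 175059, "tn": 9346, "fp": 2758, "fn": 572},
}


def metrics(tp, tn, fp, fn):
    """Return the equation (13) metrics plus imbalance-aware ones, as fractions."""
    total = tp + tn + fp + fn
    sensitivity = tp / (tp + fn)   # share of attack flows that were flagged
    specificity = tn / (tn + fp)   # share of normal flows that were passed
    precision = tp / (tp + fp)     # share of alerts that were real attacks
    return {
        "total": total,
        "accuracy": (tp + tn) / total,
        "sensitivity": sensitivity,
        "specificity": specificity,
        "precision": precision,
        "f1": 2 * precision * sensitivity / (precision + sensitivity),
        # Share of normal flows that raise an alert: the analyst workload.
        "false_alarm_rate": fp / (fp + tn),
        # Mean of per-class recall; not dominated by the majority class.
        "balanced_accuracy": (sensitivity + specificity) / 2,
        # Accuracy of a detector that labels every flow "attack".
        "always_attack_accuracy": (tp + fn) / total,
    }


def report():
    """Metrics for every model row of Table 7."""
    return {name: metrics(**counts) for name, counts in TABLE_7.items()}


def rank_by(metric):
    """Model names ordered from best to worst on one metric (higher is better)."""
    scores = report()
    return sorted(scores, key=lambda name: scores[name][metric], reverse=True)


if __name__ == "__main__":
    for name, row in report().items():
        print(name, {k: round(v, 4) for k, v in row.items()})
    print("by accuracy:   ", rank_by("accuracy"))
    print("by specificity:", rank_by("specificity"))
```

On these counts the constant "attack" answer already scores about 93.6% accuracy, so the specificity and false-alarm columns are where the three models differ in practice.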
The proposed methodology was compared with research work that generated these data by Ullah et al. [49], who proposed a machine learning algorithm, namely, SVM and Gaussian Naïve Bayes (NB), linear discriminant analysis (LDA), and decision and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).
Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. Panel (a): true negative 9512, false positive 2592, false negative 3736, true positive 171895. Panel (b): true positive 175059, false negative 572, true negative 9346, false positive 2758.
Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model (true negative 9101, false positive 3003, false negative 713, true positive 174918).
Table 8: Results of the proposed system for the validation phase.
Model | Precision (%) | Sensitivity (%) | Specificity (%) | F1-score (%) | Accuracy (%) | Time (second)
CNN | 9840 | 990 | 7720 | 9870 | 9660 | 80
LSTM | 980 | 9970 | 7160 | 9890 | 9820 | 160
CNN-LSTM | 9840 | 9920 | 7740 | 9880 | 980 | 80
Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model (x-axis: number of epochs; curves: training loss, validation loss).
Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model (x-axis: number of epochs; curves: training loss, validation loss).
Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model (x-axis: number of epochs; curves: training accuracy, validation accuracy).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric (models: SVM, NB, LDA, decision tree, random forest, ensemble, proposed model (LSTM), proposed model (LSTM), proposed model (CNN-LSTM); series: accuracy, precision, F1-score).
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model (x-axis: number of epochs; curves: training accuracy, validation accuracy).
Table 9: Comparison of the proposed and existing model results.
Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second)
SVM | 55 | - | - | 37 | 40 | -
Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 | -
LDA | 71 | - | - | 62 | 70 | -
Decision tree | 85 | - | - | 88 | 88 | -
Random forest | 85 | - | - | 84 | 84 | -
Ensemble | 87 | - | - | 87 | 87 | -
CNN | 9840 | 0990 | 0772 | 9870 | 0966 | 80
LSTM | 980 | 0997 | 0716 | 9890 | 0982 | 160
CNN-LSTM | 9840 | 0992 | 0774 | 9880 | 0980 | 80
4. Conclusion
We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:
The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, "Adaptive anomaly detection framework model objects in cyberspace," Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, "Intelligent time series model to predict bandwidth utilization," International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, "Big data for cybersecurity vulnerability disclosure trends and dependencies," Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, "MTHAEL cross-architecture IoT malware detection based on neural network advanced ensemble learning," Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, "A comprehensive survey for intelligent spam email detection," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni, et al., "Intelligent hybrid model to enhance time series models for predicting network traffic," Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, "IMCFN Image-based malware classification using fine-tuned convolutional neural network architecture," Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, "Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities," Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, "A Review of Network Traffic Analysis and Prediction Techniques," p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, "Analysis of dimensionality reduction in intrusion detection," International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, "Use of data visualisation for zero-day malware detection," Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, "Electricity theft detection in AMI using customers' consumption patterns," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, "Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining," in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, "Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid," in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, "Decision tree and SVM-based data analytics for theft detection in smart grid," Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, "Intrusion detection system for the detection of blackhole attacks in a smart grid," in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, "Intrusion detection and prevention for ZigBee-based home area networks in smart grids," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, "Electricity theft detection in smart grid systems a CNN-LSTM based approach," Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang, et al., "HAST-IDS learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection," Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, "Applying convolutional neural network for network intrusion detection," in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, "CNN and GRU based deep neural network for electricity theft detection to secure smart grid," in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, "CNID research of network intrusion detection based on convolutional neural network," Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, "An intrusion detection model based on feature reduction and convolutional neural networks," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, "Wireless network intrusion detection based on improved convolutional neural network," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, "A review on intrusion detection techniques and intrusion detection systems in MANETs," in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, "Intrusion detection systems in Internet of Things a literature review," in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, "A brief introduction to intrusion detection system," in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, "An automata based intrusion detection method for internet of things," Mobile Information Systems, vol. 2017, Article ID 1750637, 2017.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, "Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs," in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, "Intrusion detection system for internet of things based on a machine learning approach," in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, "Agent-based internet of things state-of-the-art and research challenges," Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, "An intrusion detection method for internet of things based on suppressed fuzzy clustering," EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, "DEMO an IDS framework for internet of things empowered by 6LoWPAN," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, "Attack identification framework for IoT devices," Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, "Internet of Things a survey on machine learning-based intrusion detection approaches," Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, "Distributed attack detection scheme using deep learning approach for Internet of Things," Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, "A reference model for internet of things middleware," Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, "Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning," Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, "An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets," Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, "Particle swarm optimization," in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, "A hybrid network intrusion detection system using simplified swarm optimization (SSO)," Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, "The use of computational intelligence in intrusion detection systems a review," Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, "Botnet detection in the internet of things using deep learning approaches," in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, "Water quality prediction using artificial intelligence algorithms," Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
Complexity 17
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity
and developed recurrent neural network (RNN) to improve the previous model [40].
Currently, artificial intelligence based on machine learning and deep learning algorithms for data-processing capabilities provide the most effective value to the area of cyber defense by uncovering patterns, shapes, and outliers that indicate potential incidents, even if these solutions do not align with known attack patterns [41]. An IDS is a commonly used security tool for protecting and mitigating the IoT and its infrastructure from unseen and unpredictable intrusions. There are few studies on IDSs in the IoT based on artificial intelligence; therefore, developing a framework and achieving optimal results are the biggest challenges due to the network data having imbalanced data. Our target was to develop a secure movable framework for securing large IoT networks. Here, we present advanced artificial intelligence, such as deep learning models, namely, CNN, LSTM, and combined CNN-LSTM algorithms. We have significantly expanded the framework to integrate a deep learning algorithm to familiarize it with changing threats to the IoT network for anomaly detection. The main contributions of this study are as follows:
(1) Use of advanced artificial intelligence algorithms, such as CNN, LSTM, and a hybrid CNN-LSTM, to develop a system to detect intrusions into the IoT environment.
(2) The proposed system was developed using IoT network data that are not commonly used; this dataset was generated in 2020 and was the biggest challenge for developing a robust framework.
(3) The proposed system was compared with a research article that developed these data. It was noted that our system outperformed it.
2. Materials and Methods
Figure 2 displays the framework of the proposed system for detecting IoT environment intrusions. The proposed system is composed of several phases, which are evaluated to obtain the best accuracy. The components of the proposed system are described in the following sections.
2.1. IoTID20 Dataset Attack. For this experiment, the IoTID20 dataset attack was used to test the proposed framework. The IoTID20 dataset was collected from IoT devices and interconnecting structures; the IoT devices, such as SKT NGU and EZVIZ Wi-Fi cameras, were connected to or installed in a smart home environment to create the IoTID20 dataset. Figure 3 shows the environment of the IoTID20 dataset; the laptops, tablets, and smartphone devices were connected by Wi-Fi to the smart home router. The SKT NGU and EZVIZ Wi-Fi cameras were IoT victim devices, and all other devices in the testbed were the attacking devices.
The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attack and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4. This dataset was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home.
2.2. Particle Swarm Optimization Method. Preprocessing is a very important stage for improving classification algorithms. IoT data have various types of formats and dimensionality; therefore, dimensionality reduction was necessary to select significant features from the data. The PSO method has been suggested for handling important features from network datasets for detecting malicious attacks. PSO is a population-based computation intelligence method suggested by Eberhart and Kennedy [42], and it is an operative and respected global search system [43]. The PSO algorithm is called a reasonable algorithm because of its simple feature
Figure 1: Projecting the "things" behind the Internet of Things (IoT) (series: world population and IoT, 2003 to 2020).
coding, global search, computational reasonability, fewer parameters, and less demanding execution to address and select important feature problems [44]. PSO is used to find important features. Figure 5 shows the particle swarm optimization algorithm steps for selecting significant features from an intrusion network dataset. PSO uses the principal space method for searching space using a subset of primary components that have explored and selected features. For the PSO method, particles are used to represent solutions from the population in the search space; the set of particles is called a swarm. The particles are generated by distributing 1 and 0 randomly in the particle: if the principal component is 1, the particle is chosen; on the other side, if the particle component is 0, then it is ignored. To make the PSO more powerful, it works randomly and travels in the search space to search for an optimal subset of features by updating the position and velocity of the particles. The position of particle i and its velocity are shown in the following equations:
Figure 2: Generic framework of the proposed system (IoTID20 dataset attack, preprocessing, PSO, 21 features, deep learning with CNN, LSTM, and CNN-LSTM models, evaluation performance of IDS).

Figure 3: IoTID20 dataset testbed environment (AI speaker, security camera, access point, smart phone, laptop with Wireshark and attacking tool script).

Table 1: IoTID20 dataset attacks.
Categories: DoS, Mirai, MITM, Scan
Subcategories: Syn flooding; Host brute force; HTTP flooding; UDP flooding; ARP spoofing; services; Host port; OS
$$x_i = \{x_{i1}, x_{i2}, \ldots, x_{iD}\} \tag{1}$$

$$v_i = \{v_{i1}, v_{i2}, \ldots, v_{iD}\} \tag{2}$$

where D indicates the search space of the particle. Equation (3) was used to calculate the velocity and position for search space as follows:

$$v_{id}^{t+1} = w \ast v_{id}^{t} + c_1 \ast r_{1i} \ast \left(p_{id} - x_{id}^{t}\right) + c_2 \ast r_{2i} \ast \left(p_{gd} - x_{id}^{t}\right) \tag{3}$$

$$x_{id}^{t+1} = x_{id}^{t} + v_{id}^{t+1} \tag{4}$$
where d is the dimension in the search space, t denotes the iteration in the process for search space, w is the inertia weight, $c_1$ and $c_2$ are acceleration constants, $r_{1i}$ and $r_{2i}$ are random values distributed in 0 and 1, and $p_{id}$ and $p_{gd}$ represent the pbest and gbest in dimension space in the search space. The values of location and rapidity in each particle are updated until they obtain the best features. Then, the condition is stopped when the iteration reaches the maximum number and obtains satisfactory fitness values.
The IoTID20 dataset was very big, with around 6332562 instances; for improving the deep learning algorithms, the PSO algorithm was proposed for handling dimensionality reduction. Twenty-one of the most significant features were selected to develop the system. The PSO method used position and velocity for searching the best road to obtain appropriate features from the dataset. We used Iteration 19 gbest, and the value of fitness was 90666351, whereas Iteration 20 was used for gbest, and the value of fitness was 90666351. The significant features obtained using the PSO method are presented in Table 2 (Algorithm 1).
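The PSO feature-selection loop described in this section, as an added example that is not the authors' code. It applies the velocity update of equation (3) and the position update of equation (4) to continuous positions and thresholds them at 0.5 to obtain the 1/0 feature mask; the threshold, the nearest-centroid fitness with a subset-size penalty, the parameter values, and the constructed flow records are all assumptions of the example.

```python
import random

# Column names are borrowed from Table 2 purely as labels; every value is constructed.
FEATURES = ["Flow_IAT_Mean", "Fwd_IAT_Tot", "Idle_Max",
            "FIN_Flag_Cnt", "Active_Mean", "Init_Bwd_Win_Byts"]
SIGNAL_COLUMNS = (0, 3)  # assumption of this toy data: only these columns separate the classes


def make_flows(n, rng):
    """Constructed records (vector, label): label 1 = attack, 0 = normal."""
    rows = []
    for k in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in FEATURES]
        label = k % 2
        if label:  # two attack kinds, each visible in a different column
            x[SIGNAL_COLUMNS[(k // 2) % 2]] += 6.0
        rows.append((x, label))
    return rows


def centroid(rows, label, cols):
    pts = [x for x, y in rows if y == label]
    return [sum(p[c] for p in pts) / len(pts) for c in cols]


def fitness(mask, train, test, alpha=0.06):
    """Nearest-centroid accuracy on the selected columns minus a subset-size penalty."""
    cols = [d for d, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0  # an empty subset cannot classify anything
    c0, c1 = centroid(train, 0, cols), centroid(train, 1, cols)
    hits = 0
    for x, y in test:
        d0 = sum((x[c] - m) ** 2 for c, m in zip(cols, c0))
        d1 = sum((x[c] - m) ** 2 for c, m in zip(cols, c1))
        hits += int((d1 < d0) == bool(y))
    return hits / len(test) - alpha * len(cols) / len(mask)


def to_mask(position):
    """Threshold a continuous position into the 1/0 mask (1 = keep the feature)."""
    return [1 if p > 0.5 else 0 for p in position]


def pso_select(train, test, particles=12, iterations=25, w=0.7, c1=1.5, c2=1.5, seed=7):
    rng = random.Random(seed)
    dims = len(FEATURES)
    pos = [[rng.random() for _ in range(dims)] for _ in range(particles)]
    pos[0] = [1.0] * dims  # seed one particle with the full feature set as a baseline
    vel = [[0.0] * dims for _ in range(particles)]
    pbest = [p[:] for p in pos]
    pbest_fit = [fitness(to_mask(p), train, test) for p in pos]
    best = max(range(particles), key=lambda i: pbest_fit[i])
    gbest, gbest_fit = pbest[best][:], pbest_fit[best]
    history = [gbest_fit]
    for _ in range(iterations):
        for i in range(particles):
            for d in range(dims):
                r1, r2 = rng.random(), rng.random()
                # Equation (3): inertia, pull toward pbest, pull toward gbest
                vel[i][d] = (w * vel[i][d]
                             + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                # Equation (4): move the particle, clamped to [0, 1]
                pos[i][d] = min(1.0, max(0.0, pos[i][d] + vel[i][d]))
            fit = fitness(to_mask(pos[i]), train, test)
            if fit > pbest_fit[i]:
                pbest[i], pbest_fit[i] = pos[i][:], fit
            if fit > gbest_fit:
                gbest, gbest_fit = pos[i][:], fit
        history.append(gbest_fit)
    selected = [name for name, bit in zip(FEATURES, to_mask(gbest)) if bit]
    return selected, gbest_fit, history


def demo():
    data = make_flows(600, random.Random(2020))
    train, test = data[:300], data[300:]
    selected, best_fit, history = pso_select(train, test)
    full_fit = fitness([1] * len(FEATURES), train, test)
    return selected, best_fit, history, full_fit


if __name__ == "__main__":
    chosen, best_fit, _, full_fit = demo()
    print("selected:", chosen)
    print("fitness: %.3f (all features: %.3f)" % (best_fit, full_fit))
```

Because one particle starts from the full feature set, the returned subset never scores below the all-features baseline under the same fitness function.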
2.3. Correlation Analysis. Pearson's correlation coefficient method was applied to analyze the correlation between the selected features and classes (normal and attacks) for approving the significant subset feature as follows:

$$R = \frac{n\sum(x \times y) - \left(\sum x\right)\left(\sum y\right)}{\sqrt{\left[n\left(\sum x^2\right) - \left(\sum x\right)^2\right] \times \left[n\left(\sum y^2\right) - \left(\sum y\right)^2\right]}} \times 100 \tag{5}$$

where R is Pearson's correlation coefficient approach, x is training input values of the features, y is input values of classes (normal and attack), and n is total number of input variables.
Table 3 summarizes Pearson's correlation coefficient method, which was employed to evaluate and examine the features selected by using the PSO method. It is noted that all 20 features have optimal correlation with normal class. However, the features, namely, Fwd_Bytsb_Avg and Bwd_Bytsb_Avg, have strongest relationship (R = 100) with normal class. Overall, all the features have good relationship with normal class.
Table 4 shows Pearson's correlation coefficient method for finding the relationship between the most significant features obtained from the PSO method with attack class. It is noted that the Fwd_PSH_Flags, Fwd_Bytsb_Avg, and Bwd_Pktsb_Avg features obtained R = 100, whereas FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, and ECE_Flag_Cnt features have obtained R = 99.0. We have approved that the features selected by employing the PSO method were appropriate for enhancing the intrusion detection system.
2.4. Deep Learning Algorithms. In this section, the three advanced deep learning algorithms are presented: CNN, LSTM, and CNN-LSTM.
2.4.1. Convolution Neural Network. Deep neural networks are part of artificial neural networks (ANNs) with multilayers. Over the last few decades, ANNs have been
Figure 4: Numbers of instances for each class of IoTID20 dataset (classes: Mirai ack flooding, Mirai UDP flooding, DoS, Mirai HTTP flooding, Scan port OS, Normal, Mirai brute force, Scan host port, MITM).
considered to be some of the most powerful algorithms for handling many real-time applications [45]. Deep learning algorithms use many deeper hidden layers to surpass classical ANN methods [46, 47]. A convolutional neural network is one of the most popular deep neural network algorithms, and it is named convolution by using mathematical linear operation between matrices. Our proposed CNN comprised five main layers: input, convolution, pooling, FC, and output. Figure 6 shows the structure of the CNN model used to develop the IoT cybersecurity system.

To extract features from cybersecurity-based IoT data, convolution layers were used. The convolution layers had multiple convolution kernels composed of the weight of the kernels. The convolution kernel is $i$, the weight coefficient is indicated by $w_i$, and the deviation quantity is $b_i$. The input convolution layer is $x_{i-1}$, and the convolution layer was processed using equation (5):

$$x_i = f\left(w_i \otimes x_{i-1} + b_i\right) \tag{6}$$
Figure 5: Particle swarm optimization algorithm steps for selecting subsets (IoTID20 dataset attack, swarm initialization, fitness of particle pbest, fitness of particle gbest, update velocity, update position, evaluate the subset features, yes/no decision, obtained best subset features).
Table 2: 21 significant features obtained by using the PSO method.
Total features: 21
Feature names: Src_IP, Fwd_Pkt_Len_Min, Flow_Pktss, Flow_IAT_Mean, Flow_IAT_Min, Fwd_IAT_Tot, Fwd_IAT_Mean, Bwd_IAT_Mean, Bwd_IAT_Max, Bwd_IAT_Min, Fwd_PSH_Flags, FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, ECE_Flag_Cnt, fwd_bytsb_avg, bwd_pktsb_avg, Init_Bwd_Win_Byts, Active_Mean, Idle_Max, class
ALGORITHM 1: PSO algorithm.
(1) Initialize parameters: X_i^t is fitness, N numbers of particles
(2) Initialize population P_i_best
    while (number of generations or the stopping criterion is not met) {
(3)   for (i = 1 to N) {
(4)     if fitness X_i^t > fitness P_i_best
(5)     {
(6)       then update P_i_best = X_i^t
(7)       if the fitness of X_i^t > gbest then
(8)         then update gbest = X_i^t
(9)     }
(10)    Update velocity vector
(11)    Update particle position
(12)    Next particle
(13)  }
(14)  Next generation
    }
Table 3: Correlation coefficient between features and normal class.
Features             Normal
Src_IP               0.55
Fwd_Pkt_Len_Min      0.50
Flow_Pktss           0.50
Flow_IAT_Mean        0.64
Flow_IAT_Min         0.63
Fwd_IAT_Tot          0.80
Fwd_IAT_Mean         0.89
Bwd_IAT_Mean         0.62
Bwd_IAT_Max          0.62
Bwd_IAT_Min          0.62
Fwd_PSH_Flags        01
FIN_Flag_Cnt         0.99
RST_Flag_Cnt         0.99
CWE_Flag_Count       0.99
ECE_Flag_Cnt         0.99
Fwd_Bytsb_Avg        01
Bwd_Pktsb_Avg        01
Init_Bwd_Win_Byts    0.58
Active_Mean          01
Idle_Max             0.50
Table 4: Correlation coefficient between features and attack class.
Features             Attack
Src_IP               0.55
Fwd_Pkt_Len_Min      0.50
Flow_Pktss           0.50
Flow_IAT_Mean        0.50
Flow_IAT_Min         0.68
Fwd_IAT_Tot          0.69
Fwd_IAT_Mean         0.84
Bwd_IAT_Mean         0.63
Bwd_IAT_Max          0.63
Bwd_IAT_Min          0.63
Fwd_PSH_Flags        01
FIN_Flag_Cnt         0.99
RST_Flag_Cnt         0.99
CWE_Flag_Count       0.99
ECE_Flag_Cnt         0.99
Fwd_Bytsb_Avg        01
Bwd_Pktsb_Avg        01
Init_Bwd_Win_Byts    0.53
Active_Mean          0.94
Idle_Max             0.87
where $x_i$ is the output of the convolution layer, $i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.

The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system.

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1 \tag{7}$$

where tanh is the function and x is the training input data.

$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right) \tag{8}$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.

The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}} \tag{9}$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].
The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates "completely discarded" and 1 indicates "completely retained." The current state is represented by $c_t$ as follows:

$$h_t = \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right)$$
$$f_t = \sigma\left(W^{(f)} X_t + U^{(f)} h_{t-1} + b^{(f)}\right) \tag{10}$$

where $h_t$ is input training data and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$; the significant parameters of the LSTM are weight $W^{(f)}$, and $b^{(f)}$ is the bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$i_t = \sigma\left(W^{(i)} X_t + U^{(i)} h_{t-1} + b^{(i)}\right)$$
$$m_t = \tanh\left(W^{(m)} X_t + U^{(m)} h_{t-1} + b^{(m)}\right)$$
$$c_t = i_t \cdot m_t + f_t \cdot c_{t-1} \tag{11}$$

Here $c_{t-1}$ is the cell state from the previous cell, which is updated to give the cell state $c_t$: the new information must be discarded, and $f_t c_{t-1}$ and $i_t m_t$ are combined to obtain the next cell state as follows:

$$o_t = \sigma\left(W^{(o)} X_t + h_{t-1} + b^{(o)}\right)$$
$$h_t = o_t \cdot \tanh\left(c_t\right) \tag{12}$$

where $o_t$ is the output gate and the weight vector of the neural network is represented by W, U, and V. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions (layers: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected).
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks; the CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
3. Results
In this section, results of the proposed framework for intrusion detection are presented.
3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.
Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.
3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions (panels: input, does X(t) matter; new memory, compute new memory; forget, should c(t−1) be forgotten; output, how much c(t) should be exposed).
$$\text{accuracy} = \frac{TP + TN}{FP + FN + TP + TN}$$
$$\text{specificity} = \frac{TN}{TN + FP} \times 100$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100$$
$$\text{F1-score} = \frac{2 \ast \text{precision} \ast \text{recall}}{\text{precision} + \text{recall}} \times 100 \tag{13}$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
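The metrics of equation (13) applied to the confusion-matrix counts the paper reports in Table 7, as an added example that is not the authors' code. The false-alarm rate and the always-attack baseline are additions of this example, included because normal flows make up a small share of the testing split.

```python
# Confusion-matrix counts copied from Table 7 (testing phase).
TABLE7 = {
    "CNN":      {"TP": 171895, "TN": 9512, "FP": 2592, "FN": 3736},
    "LSTM":     {"TP": 174918, "TN": 9101, "FP": 3003, "FN": 713},
    "CNN-LSTM": {"TP": 175059, "TN": 9346, "FP": 2758, "FN": 572},
}
TEST_INSTANCES = 187735  # size of the testing split stated in Section 3.3


def evaluate(counts):
    """Return the evaluation metrics, in percent, for one confusion matrix."""
    tp, tn, fp, fn = (counts[k] for k in ("TP", "TN", "FP", "FN"))
    precision = tp / (tp + fp)
    sensitivity = tp / (tp + fn)  # the page's "recall" is the same quantity
    return {
        "accuracy": 100.0 * (tp + tn) / (tp + tn + fp + fn),
        "precision": 100.0 * precision,
        "sensitivity": 100.0 * sensitivity,
        "specificity": 100.0 * tn / (tn + fp),
        "f1": 100.0 * 2 * precision * sensitivity / (precision + sensitivity),
        # Share of normal flows raised as attacks (added metric, not in the paper).
        "false_alarm_rate": 100.0 * fp / (fp + tn),
    }


def always_attack_accuracy(counts):
    """Accuracy of a detector that labels every flow as attack (class-prior baseline)."""
    attacks = counts["TP"] + counts["FN"]
    return 100.0 * attacks / sum(counts.values())


def report():
    """Check each matrix against the stated split size, then compute its metrics."""
    rows = {}
    for model, counts in TABLE7.items():
        if sum(counts.values()) != TEST_INSTANCES:
            raise ValueError("counts for %s do not sum to the testing split" % model)
        rows[model] = evaluate(counts)
        rows[model]["always_attack_baseline"] = always_attack_accuracy(counts)
    return rows


if __name__ == "__main__":
    for model, row in report().items():
        print(model, {name: round(value, 2) for name, value in row.items()})
```

The recomputed values can be set beside Table 8, and the baseline shows how much of each accuracy figure is already explained by the class balance of the testing split.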
3.3. Results and Discussion. The experiments were conducted using a real IoT based on cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.
The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.
To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of thetwo classes of normal and attacks obtained from the
Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model (original 80 × 625783, preprocessing, PSO method dimensionality reduction to 20 × 625783, convolution and max pooling layers, LSTM layers, flatten, fully connected, classification into normal and attacks).
confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the number of epochs increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy, and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM
Table 5: Experiment environment setup.
Hardware                   Environment
Operation system           Windows 10
CPU                        I7
Memory                     8
Development environment    Jupyter, Python 3.6

Table 6: Parameters of the proposed model.
Parameter name             Value
Convolutions filters       100
Kernel size of filter      3
Max pooling size           2
Drop out                   0.50
Fully connected layer      256
Activation function        Tanh
Classification function    Softmax
Optimizer                  RMSprop
Epochs                     10
Batch size                 5000

Figure 9: Size of sample for training and testing (training: 438048; testing: 187735).

Table 7: Confusion matrices for the proposed framework in testing phase.
Models      TP        TN      FP      FN
CNN         171895    9512    2592    3736
LSTM        174918    9101    3003    713
CNN-LSTM    175059    9346    2758    572
model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.
The proposed methodology was compared with research work that generated these data by Ullah et al. [49], who proposed machine learning algorithms, namely, SVM, Gaussian naïve Bayes (NB), linear discriminant analysis (LDA), decision tree, and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was
Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model.

Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model.

Table 8: Results of the proposed system for the validation phase.
Model       Precision (%)   Sensitivity (%)   Specificity (%)   F1-score (%)   Accuracy (%)   Time (second)
CNN         98.40           99.0              77.20             98.70          96.60          80
LSTM        98.0            99.70             71.60             98.90          98.20          160
CNN-LSTM    98.40           99.20             77.40             98.80          98.0           80
Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model (curves: training loss and validation loss against number of epochs).

Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model (curves: training loss and validation loss against number of epochs).

Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model (curves: training accuracy and validation accuracy against number of epochs).
considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric (bars: accuracy, precision, and F1-score for SVM, NB, LDA, decision tree, random forest, ensemble, and the proposed models).

Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model (curves: training accuracy and validation accuracy against number of epochs).

Table 9: Comparison of the proposed and existing model results.
Algorithms                  Precision   Sensitivity   Specificity   F1-score   Accuracy   Time (second)
SVM                         55          -             -             37         40
Gaussian NB (naïve Bayes)   55          -             -             62         73
LDA                         71          -             -             62         70
Decision tree               85          -             -             88         88
Random forest               85          -             -             84         84
Ensemble                    87          -             -             87         87
CNN                         98.40       0.990         0.772         98.70      0.966      80
LSTM                        98.0        0.997         0.716         98.90      0.982      160
CNN-LSTM                    98.40       0.992         0.774         98.80      0.980      80
4. Conclusion
We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:
The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attack and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H Alkahtani T H H Aldhyani and M Al-Yaari ldquoAdaptiveanomaly detection framework model objects in cyberspacerdquoApplied Bionics and Biomechanics vol 6660489 p 14 2020
[2] T Aldhyani and M Joshi ldquoIntelligent time series model topredict bandwidth utilizationrdquo International Journal of Ad-vanced Computer Science and Applications vol 14 pp 130ndash141 2017
[3] M Tang M Alazab and Y Luo ldquoBig data for cybersecurityvulnerability disclosure trends and dependenciesrdquo Institute of
Electrical and Electronics Engineers Transactions on Big Datavol 5 no 3 pp 317ndash329 2019
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, “MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning,” Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, “A comprehensive survey for intelligent spam email detection,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni et al., “Intelligent hybrid model to enhance time series models for predicting network traffic,” Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, “Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities,” Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, “Analysis of dimensionality reduction in intrusion detection,” International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, “Use of data visualisation for zero-day malware detection,” Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity theft detection in AMI using customers’ consumption patterns,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, “Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining,” in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, “Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid,” in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, “Decision tree and SVM-based data analytics for theft detection in smart grid,” Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, “Intrusion detection system for the detection of blackhole attacks in a smart grid,” in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, “Intrusion detection and prevention for ZigBee-based home area networks in smart grids,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, “Electricity theft detection in smart grid systems: a CNN-LSTM based approach,” Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang et al., “HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, “CNN and GRU based deep neural network for electricity theft detection to secure smart grid,” in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, “CNID: research of network intrusion detection based on convolutional neural network,” Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, “An intrusion detection model based on feature reduction and convolutional neural networks,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, “Wireless network intrusion detection based on improved convolutional neural network,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, “A review on intrusion detection techniques and intrusion detection systems in MANETs,” in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, “Intrusion detection systems in Internet of Things: a literature review,” in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, “A brief introduction to intrusion detection system,” in Proceedings of the Trends in Intelligent Robotics, Automation and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, “An automata based intrusion detection method for internet of things,” Mobile Information Systems, vol. 2017, Article ID 1750637, 2017.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, “Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs,” in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, “Intrusion detection system for internet of things based on a machine learning approach,” in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, “Agent-based internet of things: state-of-the-art and research challenges,” Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection method for internet of things based on suppressed fuzzy clustering,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “DEMO: an IDS framework for internet of things empowered by 6LoWPAN,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, “Attack identification framework for IoT devices,” Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, “Internet of Things: a survey on machine learning-based intrusion detection approaches,” Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, “A reference model for internet of things middleware,” Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, “An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets,” Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, “Particle swarm optimization,” in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, “A hybrid network intrusion detection system using simplified swarm optimization (SSO),” Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, “The use of computational intelligence in intrusion detection systems: a review,” Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, “Water quality prediction using artificial intelligence algorithms,” Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, “Intrusion detection for IoT devices based on RF fingerprinting using deep learning,” in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, “Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network,” Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, “A scheme for generating a dataset for anomalous activity detection in IoT networks,” in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
coding, global search, computational reasonability, fewer parameters, and less demanding execution to address and select important feature problems [44]. PSO is used to find important features. Figure 5 shows the particle swarm optimization algorithm steps for selecting significant features from an intrusion network dataset. PSO uses the principal space method for searching space, using a subset of primary components that have explored and selected features. For the PSO method, particles are used to represent solutions from the population in the search space; this population of particles is called a swarm. The particles are generated by distributing 1 and 0 randomly in the particle: if the principal component is 1, the particle is chosen; on the other hand, if the particle component is 0, it is ignored. To make the PSO more powerful, it works randomly and travels in the search space to search for an optimal subset of features by updating the particles' position and velocity. The position of particle i and its velocity are shown in the following equations:
Figure 2: Generic framework of the proposed system. Blocks shown: IoTID20 dataset attack, preprocessing, PSO, 21 features, deep learning (CNN model, LSTM model, CNN-LSTM models), evaluation of IDS performance.

Figure 3: IoTID20 dataset testbed environment. Devices shown: AI speaker, security camera, access point, smart phone, laptop (Wireshark and attacking tool script).

Table 1: IoTID20 dataset attacks.
Categories: DoS, Mirai, MITM, Scan
Attack types: Syn flooding, Host brute force, HTTP flooding, UDP flooding, ARP spoofing, services, Host port, OS
$$x_i = \{x_{i1}, x_{i2}, \ldots, x_{iD}\}, \tag{1}$$

$$v_i = \{v_{i1}, v_{i2}, \ldots, v_{iD}\}, \tag{2}$$

where D indicates the search space of the particle. Equation (3) was used to calculate the velocity and position for search space as follows:

$$v_{id}^{t+1} = w * v_{id}^{t} + c_1 * r_{1i} * \left(p_{id} - x_{id}^{t}\right) + c_2 * r_{2i} * \left(p_{gd} - x_{id}^{t}\right), \tag{3}$$

$$v_{id}^{t+1} = v_{id}^{t} + v_{id}^{t+1}, \tag{4}$$
where $d$ is the dimension in the search space, $t$ denotes the iteration in the process for search space, $w$ is the inertia weight, $c_1$ and $c_2$ are acceleration constants, $r_{1i}$ and $r_{2i}$ are random values distributed between 0 and 1, and $p_{id}$ and $p_{gd}$ represent the pbest and gbest in dimension $d$ of the search space. The values of position and velocity of each particle are updated until they obtain the best features. Then, the search is stopped when the iteration reaches the maximum number and obtains satisfactory fitness values.

The IoTID20 dataset was very big, with around 6332562 instances, for improving the deep learning algorithms. The PSO algorithm was proposed for handling dimensionality reduction. Twenty-one of the most significant features were selected to develop the system. The PSO method used position and velocity for searching the best road to obtain appropriate features from the dataset. We used Iteration 19 gbest and the value of fitness was 90666351, whereas Iteration 20 was used for gbest and the value of fitness was 90666351. The significant features obtained using the PSO method are presented in Table 2 (Algorithm 1).
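An added example (not the authors' code) of the loop in Algorithm 1 and the velocity rule in Equation (3), applied to 0/1 feature masks. The flow data, the nearest-centroid fitness with a size penalty, the sigmoid rule that turns a velocity into a 0/1 bit, and all parameter values are assumptions; the page does not state them.

```python
import math
import random


def make_flows(rng, n=200, n_features=8, informative=(0, 3, 5)):
    """Constructed flow records: label 1 = attack, 0 = normal."""
    rows, labels = [], []
    for k in range(n):
        y = k % 2
        row = [rng.gauss(0.0, 1.0) for _ in range(n_features)]
        for j in informative:
            row[j] += 4.0 * y  # attack flows are shifted on these columns only
        rows.append(row)
        labels.append(y)
    return rows, labels


def fitness(mask, train, test, penalty=0.01):
    """Assumed fitness: held-out nearest-centroid accuracy minus a size penalty."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0  # an empty mask selects nothing and cannot classify
    (xtr, ytr), (xte, yte) = train, test
    cent = {}
    for c in (0, 1):
        members = [x for x, y in zip(xtr, ytr) if y == c]
        cent[c] = [sum(x[j] for x in members) / len(members) for j in cols]
    hits = 0
    for x, y in zip(xte, yte):
        d = {c: sum((x[j] - m) ** 2 for j, m in zip(cols, cent[c])) for c in (0, 1)}
        hits += (0 if d[0] <= d[1] else 1) == y
    return hits / len(yte) - penalty * len(cols)


def pso_select(train, test, n_features, n_particles=20, iters=30,
               w=0.7, c1=1.5, c2=1.5, vmax=4.0, seed=1):
    """Binary PSO: returns (gbest mask, gbest fitness, gbest fitness per iteration)."""
    rng = random.Random(seed)
    x = [[rng.randint(0, 1) for _ in range(n_features)] for _ in range(n_particles)]
    v = [[rng.uniform(-1, 1) for _ in range(n_features)] for _ in range(n_particles)]
    pbest = [p[:] for p in x]
    pfit = [fitness(p, train, test) for p in x]
    g = max(range(n_particles), key=lambda i: pfit[i])
    gbest, gfit = pbest[g][:], pfit[g]
    history = [gfit]
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(n_features):
                r1, r2 = rng.random(), rng.random()
                # Velocity rule of Equation (3): inertia + pull to pbest + pull to gbest
                v[i][d] = (w * v[i][d] + c1 * r1 * (pbest[i][d] - x[i][d])
                           + c2 * r2 * (gbest[d] - x[i][d]))
                v[i][d] = max(-vmax, min(vmax, v[i][d]))
                # Assumed binary position rule: bit is 1 with probability sigmoid(v)
                x[i][d] = 1 if rng.random() < 1 / (1 + math.exp(-v[i][d])) else 0
            f = fitness(x[i], train, test)
            if f > pfit[i]:          # update the particle's own best
                pbest[i], pfit[i] = x[i][:], f
                if f > gfit:         # update the swarm's best
                    gbest, gfit = x[i][:], f
        history.append(gfit)
    return gbest, gfit, history


def demo(seed=7):
    rows, labels = make_flows(random.Random(seed))
    train = (rows[:140], labels[:140])   # fitness is scored on flows not used for centroids
    test = (rows[140:], labels[140:])
    return pso_select(train, test, n_features=len(rows[0]))


if __name__ == "__main__":
    mask, fit, hist = demo()
    print("selected columns:", [j for j, b in enumerate(mask) if b], "fitness:", round(fit, 4))
```

Scoring the mask on flows that were not used to build the centroids keeps the swarm from rewarding features that only memorise the training split.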
2.3. Correlation Analysis. Pearson's correlation coefficient method was applied to analyze the correlation between the selected features and classes (normal and attacks) for approving the significant subset feature as follows:

$$R = \frac{n \sum (x \times y) - \left(\sum x\right)\left(\sum y\right)}{\sqrt{\left[n \sum x^2 - \left(\sum x\right)^2\right] \times \left[n \sum y^2 - \left(\sum y\right)^2\right]}} \times 100, \tag{5}$$

where R is Pearson's correlation coefficient, x is the training input values of the features, y is the input values of the classes (normal and attack), and n is the total number of input variables.

Table 3 summarizes Pearson's correlation coefficient method, which was employed to evaluate and examine the features selected using the PSO method. It is noted that all 20 features have optimal correlation with the normal class. However, the features Fwd_Bytsb_Avg and Bwd_Bytsb_Avg have the strongest relationship (R = 100%) with the normal class. Overall, all the features have a good relationship with the normal class.

Table 4 shows Pearson's correlation coefficient method for finding the relationship between the most significant features obtained from the PSO method and the attack class. It is noted that the Fwd_PSH_Flags, Fwd_Bytsb_Avg, and Bwd_Pktsb_Avg features obtained R = 100%, whereas the FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, and ECE_Flag_Cnt features obtained R = 99.0%. We have confirmed that the features selected by employing the PSO method were appropriate for enhancing the intrusion detection system.
2.4. Deep Learning Algorithms. In this section, the three advanced deep learning algorithms are presented: CNN, LSTM, and CNN-LSTM.

2.4.1. Convolution Neural Network. Deep neural networks are part of artificial neural networks (ANNs) with multilayers. Over the last few decades, ANNs have been considered to be some of the most powerful algorithms for handling many real-time applications [45]. Deep learning algorithms use many deeper hidden layers to surpass classical ANN methods [46, 47]. A convolutional neural network is one of the most popular deep neural network algorithms, and it is named convolution because it uses a mathematical linear operation between matrices. Our proposed CNN comprised five main layers: input, convolution, pooling, FC, and output. Figure 6 shows the structure of the CNN model used to develop the IoT cybersecurity system.

Figure 4: Numbers of instances for each class of IoTID20 dataset. Classes shown: Mirai ack flooding, Mirai UDP flooding, DoS, Mirai HTTP flooding, Scan port OS, Normal, Mirai brute force, Scan host port, MITM. Data labels in the figure: 55124, 59391, 53073, 121181, 183554, 55818, 40073, 22192, 35377.
To extract features from cybersecurity-based IoT data, convolution layers were used. The convolution layers had multiple convolution kernels composed of the weight of the kernels. The convolution kernel is $i$, the weight coefficient is indicated by $w_i$, and the deviation quantity is $b_i$. The input to the convolution layer is $x_{i-1}$, and the convolution layer was processed using equation (6):

$$x_i = f\left(w_i \otimes x_{i-1} + b_i\right), \tag{6}$$
Figure 5: Particle swarm optimization algorithm steps for selecting subsets. Flowchart blocks: IoTID20 dataset attack; swarm initialization; fitness of particle Pbest; fitness of particle gbest; update velocity; update position; evaluate the subset features (No/Yes); obtained best subset features.

Table 2: 21 significant features obtained by using the PSO method.
Total features: 21
Feature names: Src_IP, Fwd_Pkt_Len_Min, Flow_Pktss, Flow_IAT_Mean, Flow_IAT_Min, Fwd_IAT_Tot, Fwd_IAT_Mean, Bwd_IAT_Mean 1, Bwd_IAT_Max, Bwd_IAT_Min, Fwd_PSH_Flags, FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, ECE_Flag_Cnt, fwd_bytsb_avg, bwd_pktsb_avg, Init_Bwd_Win_Byts, Active_Mean, Idle_Max, class

(1) Initialize parameters: Xti is fitness, N numbers of particles
(2) Initialize population Pi_best
    while (number of generations or the stopping criterion is not met) {
(3)   for (i = 1 to N) {
(4)     if fitness Xti > fitness Pi_best
(5)     {
(6)       then update Pi_best = Xti
(7)       if the fitness of Xti > gbest then
(8)       then update gbest = Xti
(9)     }
(10)    Update velocity vector
(11)    Update particle position
(12)    Next particle
(13)  }
(14) Next generation

ALGORITHM 1: PSO algorithm.
Table 3: Correlation coefficient between features and normal class.
Features | Normal
Src_IP | 0.55
Fwd_Pkt_Len_Min | 0.50
Flow_Pktss | 0.50
Flow_IAT_Mean | 0.64
Flow_IAT_Min | 0.63
Fwd_IAT_Tot | 0.80
Fwd_IAT_Mean | 0.89
Bwd_IAT_Mean | 0.62
Bwd_IAT_Max | 0.62
Bwd_IAT_Min | 0.62
Fwd_PSH_Flags | 0.1
FIN_Flag_Cnt | 0.99
RST_Flag_Cnt | 0.99
CWE_Flag_Count | 0.99
ECE_Flag_Cnt | 0.99
Fwd_Bytsb_Avg | 0.1
Bwd_Pktsb_Avg | 0.1
Init_Bwd_Win_Byts | 0.58
Active_Mean | 0.1
Idle_Max | 0.50

Table 4: Correlation coefficient between features and attack class.
Features | Attack
Src_IP | 0.55
Fwd_Pkt_Len_Min | 0.50
Flow_Pktss | 0.50
Flow_IAT_Mean | 0.50
Flow_IAT_Min | 0.68
Fwd_IAT_Tot | 0.69
Fwd_IAT_Mean | 0.84
Bwd_IAT_Mean | 0.63
Bwd_IAT_Max | 0.63
Bwd_IAT_Min | 0.63
Fwd_PSH_Flags | 0.1
FIN_Flag_Cnt | 0.99
RST_Flag_Cnt | 0.99
CWE_Flag_Count | 0.99
ECE_Flag_Cnt | 0.99
Fwd_Bytsb_Avg | 0.1
Bwd_Pktsb_Avg | 0.1
Init_Bwd_Win_Byts | 0.53
Active_Mean | 0.94
Idle_Max | 0.87
where $x_i$ is the output of the convolution, $i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.

The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1, \tag{7}$$

where tanh is the function and $x$ is the training input data.

$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right), \tag{8}$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.

The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}}, \tag{9}$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of the softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].

The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates “completely discarded” and 1 indicates “completely retained.” The current state is represented by $c_t$ as follows:

$$h_t = \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),$$
$$f_t = \sigma\left(W^{(f)} + X_t + U^{(f)} h_{t-1} + b^{(f)}\right), \tag{10}$$

where $h_t$ is input training data, and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$; the significant parameters of the LSTM are the weight $W^{(f)}$, and $b^{(f)}$ is the bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$i_t = \sigma\left(W^{(i)} + X_t + U^{(i)} h_{t-1} + b^{(i)}\right),$$
$$m_t = \tanh\left(W^{(m)} + X_t + U^{(m)} h_{t-1} + b^{(m)}\right),$$
$$c_t = i_t \cdot m_t + f_t \cdot c_{t-1}. \tag{11}$$

When the cell state $c_{t-1}$, which is the cell state from the previous cell, is updated to the cell state $c_t$, the new information must be discarded, and $f_t c_{t-1}$ and $i_t m_t$ are combined to obtain the next cell state as follows:

$$o_t = \sigma\left(W^{(o)} + X_t + h_{t-1} + b^{(o)}\right),$$
$$h_t = o_t \cdot \tanh\left(c_t\right), \tag{12}$$

where $o_t$ is the output gate and the weight vector of the neural network is represented by W, U, and V. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. Layers shown: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks. The CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer with a kernel size of three was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
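A forward pass through the pipeline described in Sections 2.4.1 to 2.4.3 for a single flow record, as an added example that is not the authors' code. It narrows the architecture to one convolution layer (kernel size 3, tanh), one max pool of size 2, an LSTM with the standard gate form σ(Wx + Uh + b), and a softmax over two classes; the weights are random and untrained, and the layer sizes and the input values are constructed.

```python
import math
import random

# Constructed input: 20 scaled feature values standing in for one flow record.
FLOW = [0.12, 0.80, 0.05, 0.33, 0.91, 0.47, 0.02, 0.66, 0.58, 0.14,
        0.73, 0.29, 0.88, 0.41, 0.07, 0.95, 0.36, 0.62, 0.19, 0.50]


def tanh_conv1d(x, kernels, biases):
    """Valid 1-D convolution over the feature vector with tanh activation."""
    k = len(kernels[0])
    return [[math.tanh(sum(w[j] * x[t + j] for j in range(k)) + b)
             for t in range(len(x) - k + 1)]
            for w, b in zip(kernels, biases)]


def max_pool(channels, size=2):
    """Non-overlapping max pooling applied to each filter's output."""
    return [[max(ch[t:t + size]) for t in range(0, len(ch) - size + 1, size)]
            for ch in channels]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def affine(W, x, U, h, b):
    """Pre-activation of one gate: W x + U h + b."""
    return [sum(wr[j] * x[j] for j in range(len(x)))
            + sum(ur[j] * h[j] for j in range(len(h))) + bi
            for wr, ur, bi in zip(W, U, b)]


def lstm_last_state(seq, params, hidden):
    """Run the forget (f), input (i), candidate (m) and output (o) gates over seq."""
    h, c = [0.0] * hidden, [0.0] * hidden
    for x in seq:
        pre = {g: affine(params[g][0], x, params[g][1], h, params[g][2]) for g in "fimo"}
        f = [sigmoid(z) for z in pre["f"]]
        i = [sigmoid(z) for z in pre["i"]]
        m = [math.tanh(z) for z in pre["m"]]
        o = [sigmoid(z) for z in pre["o"]]
        c = [ik * mk + fk * ck for ik, mk, fk, ck in zip(i, m, f, c)]
        h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]
    return h


def softmax(z):
    top = max(z)  # subtract the maximum for numerical stability
    e = [math.exp(v - top) for v in z]
    return [v / sum(e) for v in e]


def init_model(n_filters=4, kernel=3, hidden=6, n_classes=2, seed=0):
    """Random, untrained weights; sizes are illustrative, not the paper's."""
    rng = random.Random(seed)

    def mat(rows, cols):
        return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

    return {
        "kernels": mat(n_filters, kernel),
        "kbias": [rng.uniform(-0.5, 0.5) for _ in range(n_filters)],
        "lstm": {g: (mat(hidden, n_filters), mat(hidden, hidden),
                     [rng.uniform(-0.5, 0.5) for _ in range(hidden)]) for g in "fimo"},
        "dense": mat(n_classes, hidden),
        "dbias": [rng.uniform(-0.5, 0.5) for _ in range(n_classes)],
        "hidden": hidden,
    }


def forward(x, model):
    conv = tanh_conv1d(x, model["kernels"], model["kbias"])  # n_filters x 18
    pooled = max_pool(conv, 2)                               # n_filters x 9
    seq = [list(step) for step in zip(*pooled)]              # 9 steps, one value per filter
    h = lstm_last_state(seq, model["lstm"], model["hidden"])
    logits = [sum(w * v for w, v in zip(row, h)) + b
              for row, b in zip(model["dense"], model["dbias"])]
    return {"conv_len": len(conv[0]), "pooled_len": len(pooled[0]),
            "steps": len(seq), "probs": softmax(logits)}  # probs = [normal, attack]


if __name__ == "__main__":
    print(forward(FLOW, init_model()))
```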
3. Results

In this section, results of the proposed framework for detecting intrusion are presented.

3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.

Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.

3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. Panels shown: Input (does X(t) matter?), New memory (compute new memory), Forget (should c(t−1) be forgotten?), Output (how much c(t) should be exposed?).
$$\text{accuracy} = \frac{TP + TN}{FP + FN + TP + TN},$$
$$\text{specificity} = \frac{TN}{TN + FP} \times 100,$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100,$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100,$$
$$\text{F1-score} = 2 * \frac{\text{precision} * \text{Recall}}{\text{precision} * \text{Recall}} \times 100, \tag{13}$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
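The metrics above, recomputed from the counts in Table 7, as an added example that is not the authors' code. F1 is taken as the harmonic mean 2PR/(P + R); the false-alarm rate, balanced accuracy, and the majority-class baseline are additions that show how the 12104 normal test flows fare beside the 175631 attack flows.

```python
# Counts as reported in Table 7 of this page (testing phase, 187735 flows).
TABLE7 = {
    "CNN":      {"TP": 171895, "TN": 9512, "FP": 2592, "FN": 3736},
    "LSTM":     {"TP": 174918, "TN": 9101, "FP": 3003, "FN": 713},
    "CNN-LSTM": {"TP": 175059, "TN": 9346, "FP": 2758, "FN": 572},
}


def metrics(TP, TN, FP, FN):
    """Binary IDS metrics where the positive class is 'attack'."""
    total = TP + TN + FP + FN
    precision = TP / (TP + FP)
    sensitivity = TP / (TP + FN)          # recall on attack flows
    specificity = TN / (TN + FP)          # recall on normal flows
    return {
        "precision": precision,
        "sensitivity": sensitivity,
        "specificity": specificity,
        "f1": 2 * precision * sensitivity / (precision + sensitivity),
        "accuracy": (TP + TN) / total,
        # Share of normal flows that raise an alert; this drives analyst workload.
        "false_alarm_rate": FP / (TN + FP),
        # Mean of the two per-class recalls; not inflated by the attack majority.
        "balanced_accuracy": (sensitivity + specificity) / 2,
        # Accuracy of a detector that labels every flow as the larger class.
        "majority_baseline": max(TP + FN, TN + FP) / total,
    }


def report(table=TABLE7):
    return {name: metrics(**counts) for name, counts in table.items()}


if __name__ == "__main__":
    for name, m in report().items():
        print(name, {k: round(100 * v, 2) for k, v in m.items()})
```

Because about 93.6% of the test flows are attacks, accuracy alone starts from a high floor; specificity and the false-alarm rate are the figures to compare when normal traffic dominates a production network.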
3.3. Results and Discussion. The experiments were conducted using real IoT-based cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.

The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.

To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance: the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the training loss increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.

The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy, and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.

Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model. Blocks shown: the original data (80 × 625783), preprocessing, PSO method (dimensionality reduction, 20 × 625783), convolution and max pooling layers, LSTM layers, flatten, fully connected, classification (normal, attacks).

Table 5: Experiment environment setup.
Hardware | Environment
Operation system | Windows 10
CPU | I7
Memory | 8
Development environment | Jupyter Python 3.6

Table 6: Parameters of the proposed model.
Parameter name | Value
Convolutions filters | 100
Kernel size of filter | 3
Max pooling size | 2
Drop out | 0.50
Fully connected layer | 256
Activation function | Tanh
Classification function | Softmax
Optimizer | RMSprop
Epochs | 10
Batch size | 5000

Figure 9: Size of sample for training and testing. Training: 438048; testing: 187735.

Table 7: Confusion matrices for the proposed framework in testing phase.
Models | TP | TN | FP | FN
CNN | 171895 | 9512 | 2592 | 3736
LSTM | 174918 | 9101 | 3003 | 713
CNN-LSTM | 175059 | 9346 | 2758 | 572
The proposed methodology was compared with the research work that generated these data by Ullah et al. [49], who proposed machine learning algorithms, namely, SVM, Gaussian Naïve Bayes (NB), linear discriminant analysis (LDA), decision tree, and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).

Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model. Axes: Normal, Attack. Cells: true negative 9101 (4.85%), false positive 3003 (1.60%), false negative 713 (0.38%), true positive 174918 (93.17%).

Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. Axes: Normal, Attack. Cells in (a): true negative 9512 (5.07%), false positive 2592 (1.38%), false negative 3736 (1.99%), true positive 171895 (91.56%). Cells in (b): true positive 175059 (93.25%), false negative 572 (0.30%), true negative 9346 (4.98%), false positive 2758 (1.47%).

Table 8: Results of the proposed system for the validation phase.
Model | Precision (%) | Sensitivity (%) | Specificity (%) | F1-score (%) | Accuracy (%) | Time (second)
CNN | 98.40 | 99.0 | 77.20 | 98.70 | 96.60 | 80
LSTM | 98.0 | 99.70 | 71.60 | 98.90 | 98.20 | 160
CNN-LSTM | 98.40 | 99.20 | 77.40 | 98.80 | 98.0 | 80

Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. Curves: training loss and validation loss against number of epochs (2 to 10).

Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model. Curves: training loss and validation loss against number of epochs (2 to 10).

Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. Curves: training accuracy and validation accuracy against number of epochs (2 to 10).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. Bars (scale 0 to 100): accuracy, precision, and F1-score for the models SVM, NB, LDA, Decision tree, Random forest, Ensemble, Proposed model (LSTM), Proposed model (LSTM), and Proposed model (CNN-LSTM).

Figure 15: Performance of the proposed models (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. Curves: training accuracy and validation accuracy against number of epochs (2 to 10).

Table 9: Comparison of the proposed and existing model results.
Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second)
SVM | 55 | - | - | 37 | 40 |
Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 |
LDA | 71 | - | - | 62 | 70 |
Decision tree | 85 | - | - | 88 | 88 |
Random forest | 85 | - | - | 84 | 84 |
Ensemble | 87 | - | - | 87 | 87 |
CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80
LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160
CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80
4. Conclusion

We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:

- The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
- Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
- The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, "Adaptive anomaly detection framework model objects in cyberspace," Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, "Intelligent time series model to predict bandwidth utilization," International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, "Big data for cybersecurity: vulnerability disclosure trends and dependencies," Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, "MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning," Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, "A comprehensive survey for intelligent spam email detection," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni et al., "Intelligent hybrid model to enhance time series models for predicting network traffic," Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, "IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture," Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, "Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities," Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, "A Review of Network Traffic Analysis and Prediction Techniques," p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, "Analysis of dimensionality reduction in intrusion detection," International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, "Use of data visualisation for zero-day malware detection," Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, "Electricity theft detection in AMI using customers' consumption patterns," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, "Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining," in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, "Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid," in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, "Decision tree and SVM-based data analytics for theft detection in smart grid," Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, "Intrusion detection system for the detection of blackhole attacks in a smart grid," in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, "Intrusion detection and prevention for ZigBee-based home area networks in smart grids," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, "Electricity theft detection in smart grid systems: a CNN-LSTM based approach," Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang et al., "HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection," Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, "Applying convolutional neural network for network intrusion detection," in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, "CNN and GRU based deep neural network for electricity theft detection to secure smart grid," in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, "CNID: research of network intrusion detection based on convolutional neural network," Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, "An intrusion detection model based on feature reduction and convolutional neural networks," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, "Wireless network intrusion detection based on improved convolutional neural network," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, "A review on intrusion detection techniques and intrusion detection systems in MANETs," in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, "Intrusion detection systems in Internet of Things: a literature review," in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, "A brief introduction to intrusion detection system," in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, "An automata based intrusion detection method for internet of things," Mobile Information Systems, vol. 2017, Article ID 1750637, 2017.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, "Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs," in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, "Intrusion detection system for internet of things based on a machine learning approach," in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, "Agent-based internet of things: state-of-the-art and research challenges," Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, "An intrusion detection method for internet of things based on suppressed fuzzy clustering," EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, "DEMO: an IDS framework for internet of things empowered by 6LoWPAN," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, "Attack identification framework for IoT devices," Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, "Internet of Things: a survey on machine learning-based intrusion detection approaches," Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, "Distributed attack detection scheme using deep learning approach for Internet of Things," Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, "A reference model for internet of things middleware," Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, "Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning," Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, "An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets," Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, "Particle swarm optimization," in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, "A hybrid network intrusion detection system using simplified swarm optimization (SSO)," Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, "The use of computational intelligence in intrusion detection systems: a review," Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, "Botnet detection in the internet of things using deep learning approaches," in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, "Water quality prediction using artificial intelligence algorithms," Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, "Intrusion detection for IoT devices based on RF fingerprinting using deep learning," in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, "Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network," Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, "A scheme for generating a dataset for anomalous activity detection in IoT networks," in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
$$x_i = \{x_{i1}, x_{i2}, \ldots, x_{iD}\}, \quad (1)$$

$$v_i = \{v_{i1}, v_{i2}, \ldots, v_{iD}\}, \quad (2)$$

where $D$ indicates the search space of the particle. Equation (3) was used to calculate the velocity and position for search space as follows:

$$v_{id}^{t+1} = w * v_{id}^{t} + c_1 * r_{1i} * (p_{id} - x_{id}^{t}) + c_2 * r_{2i} * (p_{gd} - x_{id}^{t}), \quad (3)$$

$$v_{id}^{t+1} = v_{id}^{t} + v_{id}^{t+1}, \quad (4)$$

where $d$ is the dimension in the search space, $t$ denotes the iteration in the process for search space, $w$ is the inertia weight, $c_1$ and $c_2$ are acceleration constants, $r_{1i}$ and $r_{2i}$ are random values distributed in 0 and 1, and $p_{id}$ and $p_{gd}$ represent the pbest and gbest in dimension space in the search space. The values of location and rapidity in each particle are updated until they obtain the best features. Then the condition is stopped when the iteration reaches the maximum number and obtains satisfactory fitness values.

The IoTID20 dataset was very big, with around 6332562 instances, for improving the deep learning algorithms. The PSO algorithm was proposed for handling dimensionality reduction. Twenty-one of the most significant features were selected to develop the system. The PSO method used position and velocity for searching the best road to obtain appropriate features from the dataset. We used Iteration 19 gbest, and the value of fitness was 90666351, whereas Iteration 20 was used for gbest, and the value of fitness was 90666351. The significant features obtained using the PSO method are presented in Table 2 (Algorithm 1).
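The following Python sketch is an added example, not the authors' code: it runs the pbest/gbest loop of Algorithm 1 with the velocity update of equation (3) to choose a feature subset from constructed data. The data, the nearest-centroid fitness with its size penalty, the parameter values, and the sigmoid rule that turns a velocity into a selected or unselected bit are all assumptions, since the page does not state them.

```python
import math
import random

N_FEATURES = 12
INFORMATIVE = {1, 4, 7}  # constructed: the only columns that carry class signal


def make_flows(n, n_features, informative, rng):
    """Constructed two-class flow records: label 1 = attack, 0 = normal."""
    rows, labels = [], []
    for _ in range(n):
        y = rng.randint(0, 1)
        row = [rng.gauss(0.0, 1.0) for _ in range(n_features)]
        for j in informative:
            row[j] += 2.0 * y  # shift informative columns for attack flows
        rows.append(row)
        labels.append(y)
    return rows, labels


def fitness(mask, train, valid, penalty=0.01):
    """Validation accuracy of a nearest-centroid classifier restricted to the
    masked columns, minus a small cost per selected feature (assumed fitness)."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0
    (xtr, ytr), (xva, yva) = train, valid
    centroids = {}
    for label in (0, 1):
        members = [x for x, y in zip(xtr, ytr) if y == label]
        centroids[label] = [sum(x[j] for x in members) / len(members) for j in cols]
    hits = 0
    for x, y in zip(xva, yva):
        dist = {c: sum((x[j] - m) ** 2 for j, m in zip(cols, mu))
                for c, mu in centroids.items()}
        hits += min(dist, key=dist.get) == y
    return hits / len(yva) - penalty * len(cols) / len(mask)


def pso_select(train, valid, n_features, n_particles=12, iterations=20,
               w=0.7, c1=1.5, c2=1.5, v_max=4.0, seed=7):
    """Binary PSO: returns (best mask, best fitness, gbest fitness per iteration)."""
    rng = random.Random(seed)
    # Particle 0 starts with every feature on, so gbest is never worse than
    # using the full feature set.
    pos = [[1] * n_features] + [[rng.randint(0, 1) for _ in range(n_features)]
                                for _ in range(n_particles - 1)]
    vel = [[rng.uniform(-1.0, 1.0) for _ in range(n_features)]
           for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_fit = [fitness(p, train, valid) for p in pos]
    g = max(range(n_particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    history = [gbest_fit]
    for _ in range(iterations):
        for i in range(n_particles):
            for d in range(n_features):
                r1, r2 = rng.random(), rng.random()
                # Velocity update, equation (3).
                v = (w * vel[i][d]
                     + c1 * r1 * (pbest[i][d] - pos[i][d])
                     + c2 * r2 * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-v_max, min(v_max, v))
                # Assumed binary position rule: bit is 1 with probability sigmoid(v).
                prob = 1.0 / (1.0 + math.exp(-vel[i][d]))
                pos[i][d] = 1 if rng.random() < prob else 0
            fit = fitness(pos[i], train, valid)
            if fit > pbest_fit[i]:          # update the particle's own best
                pbest[i], pbest_fit[i] = pos[i][:], fit
            if fit > gbest_fit:             # update the swarm's best
                gbest, gbest_fit = pos[i][:], fit
        history.append(gbest_fit)
    return gbest, gbest_fit, history


def run_demo():
    rng = random.Random(2021)
    rows, labels = make_flows(600, N_FEATURES, INFORMATIVE, rng)
    train = (rows[:420], labels[:420])   # 70/30 split, as on the page
    valid = (rows[420:], labels[420:])
    baseline = fitness([1] * N_FEATURES, train, valid)
    mask, best, history = pso_select(train, valid, N_FEATURES)
    selected = [j for j, bit in enumerate(mask) if bit]
    return selected, best, baseline, history


if __name__ == "__main__":
    selected, best, baseline, history = run_demo()
    print("all-features fitness:", round(baseline, 4))
    print("PSO-selected columns:", selected, "fitness:", round(best, 4))
```

Because the fitness is measured on the same split that drives the search, the selected subset should be re-scored on data the swarm never saw before it is reported as a detection result.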
2.3. Correlation Analysis. Pearson's correlation coefficient method was applied to analyze the correlation between the selected features and classes (normal and attacks) for approving the significant subset feature as follows:

$$R = \frac{n \sum (x \times y) - \left(\sum x\right)\left(\sum y\right)}{\sqrt{\left[n \sum \left(x^2\right) - \left(\sum x\right)^2\right] \times \left[n \sum \left(y^2\right) - \left(\sum y\right)^2\right]}} \times 100, \quad (5)$$

where $R$ is Pearson's correlation coefficient approach, $x$ is training input values of the features, $y$ is input values of classes (normal and attack), and $n$ is total number of input variables.

Table 3 summarizes Pearson's correlation coefficient method, and it was employed to evaluate and examine the selected features by using the PSO method. It is noted that all 20 features have optimal correlation with normal class. However, the features, namely, Fwd_Bytsb_Avg and Bwd_Bytsb_Avg, have strongest relationship (R = 100) with normal class. Overall, all the features have good relationship with normal class.

Table 4 shows Pearson's correlation coefficient method for finding the relationship between the most significant features obtained from the PSO method with attack class. It is noted that the Fwd_PSH_Flags, Fwd_Bytsb_Avg, and Bwd_Pktsb_Avg features obtained R = 100, whereas FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, and ECE_Flag_Cnt features have obtained R = 99.0. We have approved that selected features by employing the PSO method were appropriated for enhancing the intrusion detection system.

2.4. Deep Learning Algorithms. In this section, the three advanced deep learning algorithms are presented: CNN, LSTM, and CNN-LSTM.

2.4.1. Convolution Neural Network. Deep neural networks are part of artificial neural networks (ANNs) with multilayers. Over the last few decades, ANNs have been considered to be some of the most powerful algorithms for handling many real-time applications [45]. Deep learning algorithms use many deeper hidden layers to surpass classical ANN methods [46, 47]. A convolutional neural network is one of the most popular deep neural network algorithms, and it is named convolution by using mathematical linear operation between matrices. Our proposed CNN comprised five main layers: input, convolution, pooling, FC, and output. Figure 6 shows the structure of the CNN model used to develop the IoT cybersecurity system.

Figure 4: Numbers of instances for each class of IoTID20 dataset. Classes in the chart legend: Mirai ack flooding, Mirai UDP flooding, DoS, Mirai HTTP flooding, Scan port OS, Normal, Mirai brute force, Scan host port, and MITM. Instance counts shown in the chart: 55124, 59391, 53073, 121181, 183554, 55818, 40073, 22192, and 35377.

To extract features from cybersecurity-based IoT data, convolution layers were used. The convolution layers had multiple convolution kernels composed of the weight of the kernels. The convolution kernel is $i$, the weight coefficient is indicated by $w_i$, and the deviation quantity is $b_i$. The input convolution layer is $x_{i-1}$, and the convolution layer was processed using equation (5):

$$x_i = f(w_i \otimes x_{i-1} + b_i), \quad (6)$$
Figure 5: Particle swarm optimization algorithm steps for selecting subsets. Flowchart steps: IoTID20 dataset attack; swarm initialization; fitness of particle pbest; fitness of particle gbest; update velocity; update position; evaluate the subset features (no: repeat; yes: obtained best subset features).

Table 2: 21 significant features obtained by using the PSO method.

Total features: 21
Feature name: Src_IP, Fwd_Pkt_Len_Min, Flow_Pktss, Flow_IAT_Mean, Flow_IAT_Min, Fwd_IAT_Tot, Fwd_IAT_Mean, Bwd_IAT_Mean, Bwd_IAT_Max, Bwd_IAT_Min, Fwd_PSH_Flags, FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, ECE_Flag_Cnt, fwd_bytsb_avg, bwd_pktsb_avg, Init_Bwd_Win_Byts, Active_Mean, Idle_Max, class

ALGORITHM 1: PSO algorithm.

Initialize parameters: X_i^t is fitness; N, numbers of particles
Initialize population P_i_best
while (number of generations or the stopping criterion is not met)
    for (i = 1 to N)
        if fitness X_i^t > fitness P_i_best
            then update P_i_best = X_i^t
        if the fitness of X_i^t > gbest then
            then update gbest = X_i^t
        Update velocity vector
        Update particle position
    Next particle
Next generation
Table 3: Correlation coefficient between features and normal class.

Features | Normal
Src_IP | 0.55
Fwd_Pkt_Len_Min | 0.50
Flow_Pktss | 0.50
Flow_IAT_Mean | 0.64
Flow_IAT_Min | 0.63
Fwd_IAT_Tot | 0.80
Fwd_IAT_Mean | 0.89
Bwd_IAT_Mean | 0.62
Bwd_IAT_Max | 0.62
Bwd_IAT_Min | 0.62
Fwd_PSH_Flags | 0.1
FIN_Flag_Cnt | 0.99
RST_Flag_Cnt | 0.99
CWE_Flag_Count | 0.99
ECE_Flag_Cnt | 0.99
Fwd_Bytsb_Avg | 0.1
Bwd_Pktsb_Avg | 0.1
Init_Bwd_Win_Byts | 0.58
Active_Mean | 0.1
Idle_Max | 0.50
Table 4: Correlation coefficient between features and attack class.

Features | Attack
Src_IP | 0.55
Fwd_Pkt_Len_Min | 0.50
Flow_Pktss | 0.50
Flow_IAT_Mean | 0.50
Flow_IAT_Min | 0.68
Fwd_IAT_Tot | 0.69
Fwd_IAT_Mean | 0.84
Bwd_IAT_Mean | 0.63
Bwd_IAT_Max | 0.63
Bwd_IAT_Min | 0.63
Fwd_PSH_Flags | 0.1
FIN_Flag_Cnt | 0.99
RST_Flag_Cnt | 0.99
CWE_Flag_Count | 0.99
ECE_Flag_Cnt | 0.99
Fwd_Bytsb_Avg | 0.1
Bwd_Pktsb_Avg | 0.1
Init_Bwd_Win_Byts | 0.53
Active_Mean | 0.94
Idle_Max | 0.87
where $x_i$ is the output convolution, $i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.

The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1, \quad (7)$$

where tanh is the function and $x$ is the training input data.

$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right), \quad (8)$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.

The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}}, \quad (9)$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].

The forget gate was used to find forgotten information, where $h_t$ is the input data, and the interval number of the output gate is [0, 1], where 0 indicates "completely discarded" and 1 indicates "completely retained." The current state is represented by $c_t$ as follows:

$$h_t = \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),$$
$$f_t = \sigma\left(W^{(f)} + X_t + U^{(f)} h_{t-1} + b^{(f)}\right), \quad (10)$$

where $h_t$ is input training data, and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$, the significant parameters of the LSTM are weight $W^{(f)}$, and $b^{(f)}$ is bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$i_t = \sigma\left(W^{(i)} + X_t + U^{(i)} h_{t-1} + b^{(i)}\right),$$
$$m_t = \tanh\left(W^{(m)} + X_t + U^{(m)} h_{t-1} + b^{(m)}\right),$$
$$c_t = i_t \cdot m_t + f_t \cdot c_{t-1}. \quad (11)$$

When the cell state $c_{t-1}$ is the cell state from the previous cell, which was used to update by using cell state $c_t$, the new information must be discarded, and $f_t \, c_{t-1}$ and $i_t \, m_t$ are combined to obtain the next cell state as follows:

$$o_t = \sigma\left(W^{(o)} + X_t + h_{t-1} + b^{(o)}\right),$$
$$h_t = o_t \cdot \tanh(c_t), \quad (12)$$

where $o_t$ is the output gate, and the weight vector of the neural network is represented by $W$, $U$, and $V$. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.

Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. Layer sequence shown: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.

3. Results

In this section, results of the proposed framework for intrusion detection are presented.

3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.

Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.

3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. Gate annotations in the diagram: input (does X(t) matter?), new memory (compute new memory), forget (should c(t−1) be forgotten?), and output (how much c(t) should be exposed?).
$$\text{accuracy} = \frac{TP + TN}{FP + FN + TP + TN},$$
$$\text{specificity} = \frac{TN}{TN + FP} \times 100,$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100,$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100,$$
$$\text{F1-score} = 2 * \frac{\text{precision} * \text{Recall}}{\text{precision} * \text{Recall}} \times 100, \quad (13)$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
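As an added check (not the authors' code), the following Python recomputes these metrics from the test-phase confusion counts printed in Table 7 and adds two figures an IDS operator would ask for: the false-alarm rate on normal traffic and the accuracy of always answering "attack". Precision is taken as TP/(TP+FP) and F1 as the harmonic mean of precision and recall; the function and key names are this example's own.

```python
# Test-phase confusion counts as printed in Table 7 (attack = positive class).
TABLE7 = {
    "CNN":      {"tp": 171895, "tn": 9512, "fp": 2592, "fn": 3736},
    "LSTM":     {"tp": 174918, "tn": 9101, "fp": 3003, "fn": 713},
    "CNN-LSTM": {"tp": 175059, "tn": 9346, "fp": 2758, "fn": 572},
}
TEST_SET_SIZE = 187735  # number of test instances stated on the page


def safe_div(num, den):
    """num/den, or 0.0 when the denominator is empty (e.g. no alarms raised)."""
    return num / den if den else 0.0


def ids_metrics(tp, tn, fp, fn):
    """Return the page's metrics plus operator-facing rates, all as fractions."""
    total = tp + tn + fp + fn
    precision = safe_div(tp, tp + fp)
    recall = safe_div(tp, tp + fn)  # the same quantity as sensitivity
    return {
        "total": total,
        "accuracy": safe_div(tp + tn, total),
        "precision": precision,
        "sensitivity": recall,
        "specificity": safe_div(tn, tn + fp),
        "f1": safe_div(2 * precision * recall, precision + recall),
        # Share of normal flows that raise an alarm (1 - specificity).
        "false_alarm_rate": safe_div(fp, tn + fp),
        # Attacks that pass undetected, as an absolute count.
        "missed_attacks": fn,
        # Accuracy of a detector that labels every flow as an attack.
        "always_attack_accuracy": safe_div(tp + fn, total),
    }


def report():
    """Metrics for every model row of Table 7."""
    return {name: ids_metrics(**counts) for name, counts in TABLE7.items()}


if __name__ == "__main__":
    for name, m in report().items():
        # Each row must account for the whole stated test set.
        assert m["total"] == TEST_SET_SIZE, name
        print(f"{name:9s} acc={m['accuracy']:.4f} prec={m['precision']:.4f} "
              f"sens={m['sensitivity']:.4f} spec={m['specificity']:.4f} "
              f"f1={m['f1']:.4f} false-alarm={m['false_alarm_rate']:.4f} "
              f"missed={m['missed_attacks']} "
              f"baseline={m['always_attack_accuracy']:.4f}")
```

On these counts the always-attack baseline already scores about 93.6% accuracy, because 175631 of the 187735 test flows are attacks, and each model raises an alarm on more than 20% of normal flows, so accuracy alone overstates how usable the detector is.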
3.3. Results and Discussion. The experiments were conducted using a real IoT based on cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.

The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.

To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of thetwo classes of normal and attacks obtained from the
80 times 625783The
Original Preprocessing
PSO method
Dimensionality reduction
Convolution Convolution ConvolutionConvolutionMax pooling Max pooling20 times 625783
20 times 625783
LSTM LSTM LSTM LSTM LSTM LSTM
Flatten
Fully connected
ClassificationNormal Attacks
Figure 8 Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model
Complexity 11
confusion metrics the empirical results for the LSTMmodelshowed a slightly better performance the LSTM modelresults were 9884 9960 7772 9900 and 9882with respect to precision sensitivity specificity F1-scoreand accuracy respectively Overall the deep learning al-gorithms achieved optimal results for detecting intrusionsfrom the IoT network data Figure 12 displays the trainingloss of the deep learning algorithms it shows the rela-tionship between training loss and the number of epochs inthe proposed framework It was noted that training lossgradually decreased when the training loss increased andthe proposed system of 10 epochs was suitable e training
loss and number of epochs for the combined model arepresented in Figure 13
e proposed system was validated by dividing thedataset into 30 testing and the accuracy performancesof the CNN and LSTM algorithms are presented in Fig-ure 14 e performance of the combined CNN-LSTMmodel is presented in Figure 15 e three deep learningalgorithms performed differently when detecting intru-sions based on the IoT dataset e CNN algorithmachieved 96 accuracy and the LSTM achieved 98 ac-curacy whereas the combined CNN-LSTM modelattained 98 accuracy It was observed that the LSTM
Table 5 Experiment environment setup
Hardware EnvironmentOperation system Windows 10CPU I7Memory 8Development environment Jupyter Python 36
Table 6 Parameters of the proposed model
Parameters ValueParameter name ValueConvolutions filters 100Kernel size of filter 3Max pooling size 2Drop out 050Fully connected layer 256Activation function TanhClassification function SoftmaxOptimizer RSMpropEpochs 10Batch size 5000
438048
187735
Size
Size
Training Testing
Figure 9 Size of sample for training and testing
Table 7 Confusion matrices for the proposed framework in testing phase
Models TP TN FP FNCNN 171895 9512 2592 3736LSTM 174918 9101 3003 713CNN-LSTM 175059 9346 2758 572
12 Complexity
model was slightly better than the CNN and the combinedCNN-LSTM models Overall it was noted that bothclassifications achieved better results due to the datasethaving the highest dimensionality and we found that thesystem was able to handle this and improve the perfor-mance of systems
e proposed methodology was compared with researchwork that generated these data by Ullah et al [49] whoproposed a machine learning algorithm namely SVM andGaussian Naıve bays (NB) linear discriminant analysis
(LDA) and decision and random forest to detect intrusionfrom the IoT environment e ShapirondashWilk algorithmwas used to select the significant features from the entiredataset the LDA the decision tree the random forest andthe ensemble It was noted that 10 features were the mostsignificant features that enhanced the classification al-gorithm to attain good results ey used cross-validations3 5 and 10 to validate their results us we developed asystem based on deep learning algorithms to improve theaccuracy of detecting attacks e PSO method was
Nor
mal
Atta
ck
Normal Attack
160000
140000
120000
100000
80000
60000
40000
20000
True negative9101
485
False positive3003
160
False negative713
038
True positive1749189317
Figure 11 Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model
Nor
mal
Atta
ck
Normal Attack
160000
140000
120000
100000
80000
60000
40000
20000
True negative9512
507
False positive2592
138
False negative3736
199
True positive1718959156
(a)
Nor
mal
Atta
ck
Normal Attack
160000
140000
120000
100000
80000
60000
40000
20000
True positive1750599325
False negative572
030
True negative9346
498
False positive2758
147
(b)
Figure 10 Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model
Table 8 Results of the proposed system for the validation phase
Precision () Sensitivity () Specificity () F1-score () Accuracy () Time (second)CNN 9840 990 7720 9870 9660 80LSTM 980 9970 7160 9890 9820 160CNN-LSTM 9840 9920 7740 9880 980 80
Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. [Plots of training loss and validation loss against the number of epochs (2 to 10).]
Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model. [Plot of training loss and validation loss against the number of epochs (2 to 10).]
Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plots of training accuracy and validation accuracy against the number of epochs (2 to 10).]
considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. [Bar chart, values 0 to 100: accuracy, precision, and F1-score for the models SVM, NB, LDA, decision tree, random forest, ensemble, proposed model (LSTM), proposed model (LSTM), and proposed model (CNN-LSTM).]
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plot of training accuracy and validation accuracy against the number of epochs (2 to 10).]
Table 9: Comparison of the proposed and existing model results.

Algorithms                Precision  Sensitivity  Specificity  F1-score  Accuracy  Time (second)
SVM                       55         -            -            37        40        -
Gaussian NB (Naïve Bayes) 55         -            -            62        73        -
LDA                       71         -            -            62        70        -
Decision tree             85         -            -            88        88        -
Random forest             85         -            -            84        84        -
Ensemble                  87         -            -            87        87        -
CNN                       98.40      0.990        0.772        98.70     0.966     80
LSTM                      98.0       0.997        0.716        98.90     0.982     160
CNN-LSTM                  98.40      0.992        0.774        98.80     0.980     80
4. Conclusion

We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:

- The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
- Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
- The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through project number 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, “Adaptive anomaly detection framework model objects in cyberspace,” Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, “Intelligent time series model to predict bandwidth utilization,” International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, “Big data for cybersecurity: vulnerability disclosure trends and dependencies,” Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, “MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning,” Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, “A comprehensive survey for intelligent spam email detection,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni, et al., “Intelligent hybrid model to enhance time series models for predicting network traffic,” Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, “Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities,” Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, “Analysis of dimensionality reduction in intrusion detection,” International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, “Use of data visualisation for zero-day malware detection,” Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity theft detection in AMI using customers’ consumption patterns,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, “Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining,” in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, “Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid,” in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, “Decision tree and SVM-based data analytics for theft detection in smart grid,” Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, “Intrusion detection system for the detection of blackhole attacks in a smart grid,” in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, “Intrusion detection and prevention for ZigBee-based home area networks in smart grids,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, “Electricity theft detection in smart grid systems: a CNN-LSTM based approach,” Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang, et al., “HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, “CNN and GRU based deep neural network for electricity theft detection to secure smart grid,” in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, “CNID: research of network intrusion detection based on convolutional neural network,” Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, “An intrusion detection model based on feature reduction and convolutional neural networks,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, “Wireless network intrusion detection based on improved convolutional neural network,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, “A review on intrusion detection techniques and intrusion detection systems in MANETs,” in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, “Intrusion detection systems in Internet of Things: a literature review,” in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, “A brief introduction to intrusion detection system,” in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation, and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, “An automata based intrusion detection method for internet of things,” Mobile Information Systems, vol. 2017, Article ID 1750637, 2017.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, “Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs,” in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, “Intrusion detection system for internet of things based on a machine learning approach,” in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, “Agent-based internet of things: state-of-the-art and research challenges,” Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection method for internet of things based on suppressed fuzzy clustering,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “DEMO: an IDS framework for internet of things empowered by 6LoWPAN,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, “Attack identification framework for IoT devices,” Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, “Internet of Things: a survey on machine learning-based intrusion detection approaches,” Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, “A reference model for internet of things middleware,” Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, “An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets,” Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, “Particle swarm optimization,” in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, “A hybrid network intrusion detection system using simplified swarm optimization (SSO),” Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, “The use of computational intelligence in intrusion detection systems: a review,” Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, “Water quality prediction using artificial intelligence algorithms,” Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, “Intrusion detection for IoT devices based on RF fingerprinting using deep learning,” in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, “Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network,” Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, “A scheme for generating a dataset for anomalous activity detection in IoT networks,” in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
considered to be some of the most powerful algorithms for handling many real-time applications [45]. Deep learning algorithms use many deeper hidden layers to surpass classical ANN methods [46, 47]. A convolutional neural network is one of the most popular deep neural network algorithms, and it is named for the convolution, a mathematical linear operation between matrices, on which it is based. Our proposed CNN comprised five main layers: input, convolution, pooling, FC, and output. Figure 6 shows the structure of the CNN model used to develop the IoT cybersecurity system.
To extract features from cybersecurity-based IoT data, convolution layers were used. The convolution layers had multiple convolution kernels composed of the weight of the kernels. The convolution kernel is $i$, the weight coefficient is indicated by $w_i$, and the deviation quantity is $b_i$. The input convolution layer is $x_{i-1}$, and the convolution layer was processed using equation (5):

$$x_i = f\left(w_i \otimes x_{i-1} + b_i\right), \tag{6}$$
Figure 5: Particle swarm optimization algorithm steps for selecting subsets. [Flowchart boxes: IoTID20 dataset attack; swarm initialization; fitness of particle (Pbest); fitness of particle (gbest); update velocity; update position; evaluate the subset features (No/Yes); obtained best subset features.]
Table 2: 21 significant features obtained by using the PSO method.

Total features: 21
Feature names: Src_IP, Fwd_Pkt_Len_Min, Flow_Pktss, Flow_IAT_Mean, Flow_IAT_Min, Fwd_IAT_Tot, Fwd_IAT_Mean, Bwd_IAT_Mean, Bwd_IAT_Max, Bwd_IAT_Min, Fwd_PSH_Flags, FIN_Flag_Cnt, RST_Flag_Cnt, CWE_Flag_Count, ECE_Flag_Cnt, fwd_bytsb_avg, bwd_pktsb_avg, Init_Bwd_Win_Byts, Active_Mean, Idle_Max, class
Initialize parameters: X_i^t is fitness, N numbers of particles
Initialize population P_i_best
while (number of generations or the stopping criterion is not met) {
    for (i = 1 to N) {
        if fitness X_i^t > fitness P_i_best
            then update P_i_best = X_i^t
        if the fitness of X_i^t > gbest
            then update gbest = X_i^t
        Update velocity vector
        Update particle position
        Next particle
    }
    Next generation
}

ALGORITHM 1: PSO algorithm.
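The loop of Algorithm 1 applied to feature selection, as an added example that is not the authors' code: each particle is a 0/1 mask over the features, and the mask with the best fitness becomes gbest. The sigmoid transfer rule, the nearest-centroid fitness with a size penalty, the parameter values, and the constructed toy flows are assumptions, since the paper does not state its fitness function.

```python
import math
import random

def make_flows(rng, n=200):
    """Constructed toy flows: 6 features, only features 0 and 3 separate the classes."""
    rows, labels = [], []
    for k in range(n):
        y = k % 2                                  # 0 = normal, 1 = attack
        row = [rng.gauss(0.0, 1.0) for _ in range(6)]
        row[0] += 3.0 * y                          # informative feature
        row[3] -= 3.0 * y                          # informative feature
        rows.append(row)
        labels.append(y)
    return rows, labels

def fitness(mask, rows, labels, penalty=0.01):
    """Nearest-centroid accuracy on the selected columns minus a per-feature penalty."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0
    cents = {}
    for cls in (0, 1):
        members = [r for r, y in zip(rows, labels) if y == cls]
        cents[cls] = [sum(r[j] for r in members) / len(members) for j in cols]
    hits = 0
    for r, y in zip(rows, labels):
        dist = {c: sum((r[j] - m) ** 2 for j, m in zip(cols, cents[c])) for c in cents}
        hits += (min(dist, key=dist.get) == y)
    return hits / len(rows) - penalty * len(cols)

def binary_pso(rows, labels, n_particles=12, generations=25, seed=7,
               w=0.7, c1=1.5, c2=1.5):
    """Binary PSO: returns (gbest mask, gbest fitness, gbest fitness per generation)."""
    rng = random.Random(seed)
    dim = len(rows[0])
    pos = [[rng.randint(0, 1) for _ in range(dim)] for _ in range(n_particles)]
    pos[0] = [1] * dim          # seed one particle with "keep every feature"
    vel = [[0.0] * dim for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_fit = [fitness(p, rows, labels) for p in pos]
    g = max(range(n_particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    history = [gbest_fit]
    for _ in range(generations):
        for i in range(n_particles):
            fit = fitness(pos[i], rows, labels)
            if fit > pbest_fit[i]:                 # update P_i_best
                pbest[i], pbest_fit[i] = pos[i][:], fit
            if fit > gbest_fit:                    # update gbest
                gbest, gbest_fit = pos[i][:], fit
            for d in range(dim):
                # Velocity update, clamped so the sigmoid never saturates fully.
                vel[i][d] = (w * vel[i][d]
                             + c1 * rng.random() * (pbest[i][d] - pos[i][d])
                             + c2 * rng.random() * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-6.0, min(6.0, vel[i][d]))
                # Position update: the velocity sets the probability of selecting the feature.
                prob = 1.0 / (1.0 + math.exp(-vel[i][d]))
                pos[i][d] = 1 if rng.random() < prob else 0
        history.append(gbest_fit)
    return gbest, gbest_fit, history

if __name__ == "__main__":
    flows, y = make_flows(random.Random(1))
    mask, fit, _ = binary_pso(flows, y)
    print("selected feature indices:", [j for j, b in enumerate(mask) if b], "fitness:", round(fit, 3))
```

Because one particle starts as the all-features mask, the returned subset never scores below using every feature under this fitness.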
Table 3: Correlation coefficient between features and normal class.

Features            Normal
Src_IP              0.55
Fwd_Pkt_Len_Min     0.50
Flow_Pktss          0.50
Flow_IAT_Mean       0.64
Flow_IAT_Min        0.63
Fwd_IAT_Tot         0.80
Fwd_IAT_Mean        0.89
Bwd_IAT_Mean        0.62
Bwd_IAT_Max         0.62
Bwd_IAT_Min         0.62
Fwd_PSH_Flags       0.1
FIN_Flag_Cnt        0.99
RST_Flag_Cnt        0.99
CWE_Flag_Count      0.99
ECE_Flag_Cnt        0.99
Fwd_Bytsb_Avg       0.1
Bwd_Pktsb_Avg       0.1
Init_Bwd_Win_Byts   0.58
Active_Mean         0.1
Idle_Max            0.50
Table 4: Correlation coefficient between features and attack class.

Features            Attack
Src_IP              0.55
Fwd_Pkt_Len_Min     0.50
Flow_Pktss          0.50
Flow_IAT_Mean       0.50
Flow_IAT_Min        0.68
Fwd_IAT_Tot         0.69
Fwd_IAT_Mean        0.84
Bwd_IAT_Mean        0.63
Bwd_IAT_Max         0.63
Bwd_IAT_Min         0.63
Fwd_PSH_Flags       0.1
FIN_Flag_Cnt        0.99
RST_Flag_Cnt        0.99
CWE_Flag_Count      0.99
ECE_Flag_Cnt        0.99
Fwd_Bytsb_Avg       0.1
Bwd_Pktsb_Avg       0.1
Init_Bwd_Win_Byts   0.53
Active_Mean         0.94
Idle_Max            0.87
where $x_i$ is the output of the convolution layer, $i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.
The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1, \tag{7}$$

where tanh is the function and $x$ is the training input data.

$$Q_j = \operatorname{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right), \tag{8}$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.
The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}}, \tag{9}$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of the softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].
The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates “completely discarded” and 1 indicates “completely retained.” The current state is represented by $c_t$ as follows:

$$h_t = \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),$$
$$f_t = \sigma\left(W^{(f)} X_t + U^{(f)} h_{t-1} + b^{(f)}\right), \tag{10}$$

where $h_t$ is input training data, and the input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$; the significant parameters of the LSTM are the weight $W^{(f)}$, and $b^{(f)}$ is the bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$i_t = \sigma\left(W^{(i)} X_t + U^{(i)} h_{t-1} + b^{(i)}\right),$$
$$m_t = \tanh\left(W^{(m)} X_t + U^{(m)} h_{t-1} + b^{(m)}\right),$$
$$c_t = i_t \cdot m_t + f_t \cdot c_{t-1}. \tag{11}$$

When the cell state $c_{t-1}$ is the cell state from the previous cell, which was used to update by using cell state $c_t$, the new information must be discarded, and $f_t c_{t-1}$ and $i_t m_t$ are combined to obtain the next cell state as follows:

$$o_t = \sigma\left(W^{(o)} X_t + h_{t-1} + b^{(o)}\right),$$
$$h_t = o_t \cdot \tanh\left(c_t\right), \tag{12}$$

where $o_t$ is the output gate, and the weight vector of the neural network is represented by $W$, $U$, and $V$. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. [Diagram: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.]
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
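A forward pass through a reduced version of the pipeline described in Sections 2.4.1 to 2.4.3, as an added example that is not the authors' implementation: a size-3 convolution with tanh (equation (6)), a size-2 max pool (equation (8)), an LSTM step (equations (10) to (12)), and a softmax output (equation (9)). The weights, the hidden size of 2, and the 20-value flow are constructed and untrained, and the output gate uses a recurrent weight U(o) as drawn in Figure 7.

```python
import math

def conv1d_tanh(x, kernel, bias):
    """Eq. (6): slide the kernel over x ('valid' positions only) and apply f = tanh."""
    k = len(kernel)
    return [math.tanh(sum(kernel[j] * x[t + j] for j in range(k)) + bias)
            for t in range(len(x) - k + 1)]

def max_pool(x, size=2):
    """Eq. (8): keep the maximum of each non-overlapping pooling region."""
    return [max(x[t:t + size]) for t in range(0, len(x) - size + 1, size)]

def sigma(z):
    return 1.0 / (1.0 + math.exp(-z))

def softmax(z):
    """Eq. (9), shifted by max(z) so the exponentials cannot overflow."""
    m = max(z)
    e = [math.exp(v - m) for v in z]
    total = sum(e)
    return [v / total for v in e]

def lstm_step(x_t, h_prev, c_prev, p):
    """Eqs. (10)-(12) for a scalar input x_t and a hidden state of len(h_prev) units.
    p[name] = (W, U, b): input weights, recurrent weight matrix, bias for that gate."""
    def gate(name, act):
        W, U, b = p[name]
        return [act(W[k] * x_t + sum(u * h for u, h in zip(U[k], h_prev)) + b[k])
                for k in range(len(h_prev))]
    f_t = gate("f", sigma)         # forget gate: 0 discards, 1 retains c_prev
    i_t = gate("i", sigma)         # input gate: what to update
    m_t = gate("m", math.tanh)     # candidate information for the update
    o_t = gate("o", sigma)         # output gate: how much of c_t to expose
    c_t = [i * m + f * c for i, m, f, c in zip(i_t, m_t, f_t, c_prev)]
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
    return h_t, c_t

def demo_params():
    """Constructed, untrained weights; the values are arbitrary."""
    lstm = {g: ([0.5, -0.3], [[0.1, 0.0], [0.0, 0.1]], [0.0, 0.0]) for g in "fimo"}
    return {"kernel": [0.2, 0.5, -0.2], "bias": 0.1, "hidden": 2, "lstm": lstm,
            "dense_W": [[1.0, -1.0], [-1.0, 1.0]], "dense_b": [0.0, 0.0]}

def classify(flow, p):
    """Convolution -> max pooling -> LSTM over the pooled sequence -> dense -> softmax."""
    feats = max_pool(conv1d_tanh(flow, p["kernel"], p["bias"]))
    h = [0.0] * p["hidden"]
    c = [0.0] * p["hidden"]
    for x_t in feats:
        h, c = lstm_step(x_t, h, c, p["lstm"])
    logits = [sum(w * v for w, v in zip(row, h)) + b
              for row, b in zip(p["dense_W"], p["dense_b"])]
    return softmax(logits)         # [P(normal), P(attack)]

# Constructed flow record with 20 scaled feature values (one per PSO-selected feature).
FLOW = [0.1 * ((3 * k) % 7) for k in range(20)]

if __name__ == "__main__":
    print(classify(FLOW, demo_params()))
```

Setting the forget-gate bias to a large positive or negative value reproduces the "completely retained" and "completely discarded" cases named in the text.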
3. Results

In this section, results of the proposed framework for intrusion detection are presented.

3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.
Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.

3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. [Diagram panels: "Input: does X(t) matter?", "New memory: compute new memory", "Forget: should c(t−1) be forgotten?", "Output: how much c(t) should be exposed?"]
$$\text{accuracy} = \frac{TP + TN}{FP + FN + TP + TN},$$
$$\text{specificity} = \frac{TN}{TN + FP} \times 100,$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100,$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100,$$
$$\text{F1-score} = \frac{2 \ast \text{precision} \ast \text{Recall}}{\text{precision} + \text{Recall}} \times 100, \tag{13}$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
3.3. Results and Discussion. The experiments were conducted using a real IoT based on cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.
The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.
To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the training loss increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.

Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model. [Diagram: original data (80 × 625783); preprocessing; PSO method for dimensionality reduction (20 × 625783); convolution and max pooling layers; LSTM layers; flatten; fully connected; classification (Normal, Attacks).]

The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy, and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM
Table 5: Experiment environment setup.

Hardware                   Environment
Operation system           Windows 10
CPU                        I7
Memory                     8
Development environment    Jupyter, Python 3.6

Table 6: Parameters of the proposed model.

Parameter name             Value
Convolutions filters       100
Kernel size of filter      3
Max pooling size           2
Drop out                   0.50
Fully connected layer      256
Activation function        Tanh
Classification function    Softmax
Optimizer                  RMSprop
Epochs                     10
Batch size                 5000

Figure 9: Size of sample for training and testing. [Bar chart: training 438048, testing 187735.]

Table 7: Confusion matrices for the proposed framework in testing phase.

Models     TP      TN    FP    FN
CNN        171895  9512  2592  3736
LSTM       174918  9101  3003  713
CNN-LSTM   175059  9346  2758  572
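The Section 3.2 metrics recomputed from the Table 7 counts, as an added example that is not part of the original article. The always-attack baseline and the false-alarm rate are additions made here: because about 93.5% of the test flows are attacks, a detector that labels every flow as an attack already reaches that accuracy with zero specificity, so specificity is the number to watch on this split.

```python
# Counts copied from Table 7 (testing phase, 187735 flows per model).
TABLE_7 = {
    "CNN":      {"TP": 171895, "TN": 9512, "FP": 2592, "FN": 3736},
    "LSTM":     {"TP": 174918, "TN": 9101, "FP": 3003, "FN": 713},
    "CNN-LSTM": {"TP": 175059, "TN": 9346, "FP": 2758, "FN": 572},
}

def metrics(TP, TN, FP, FN):
    """Return the evaluation metrics in percent for one confusion matrix."""
    precision = TP / (TP + FP)
    sensitivity = TP / (TP + FN)             # identical to recall
    specificity = TN / (TN + FP)
    f1 = 2 * precision * sensitivity / (precision + sensitivity)
    accuracy = (TP + TN) / (TP + TN + FP + FN)
    return {
        "precision": 100 * precision,
        "sensitivity": 100 * sensitivity,
        "specificity": 100 * specificity,
        "f1": 100 * f1,
        "accuracy": 100 * accuracy,
        # Share of normal flows that raise an alert (added here, not in the paper).
        "false_alarm_rate": 100 * FP / (FP + TN),
    }

def always_attack_baseline(cm):
    """Metrics of a detector that labels every flow 'attack' on the same test set."""
    positives = cm["TP"] + cm["FN"]           # real attack flows
    negatives = cm["TN"] + cm["FP"]           # real normal flows
    return metrics(TP=positives, TN=0, FP=negatives, FN=0)

def report():
    """One row per model plus the baseline, values rounded to two decimals."""
    rows = {name: metrics(**cm) for name, cm in TABLE_7.items()}
    rows["always-attack baseline"] = always_attack_baseline(TABLE_7["CNN"])
    return {name: {k: round(v, 2) for k, v in m.items()} for name, m in rows.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:24s}", row)
```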
model was slightly better than the CNN and the combinedCNN-LSTM models Overall it was noted that bothclassifications achieved better results due to the datasethaving the highest dimensionality and we found that thesystem was able to handle this and improve the perfor-mance of systems
e proposed methodology was compared with researchwork that generated these data by Ullah et al [49] whoproposed a machine learning algorithm namely SVM andGaussian Naıve bays (NB) linear discriminant analysis
(LDA) and decision and random forest to detect intrusionfrom the IoT environment e ShapirondashWilk algorithmwas used to select the significant features from the entiredataset the LDA the decision tree the random forest andthe ensemble It was noted that 10 features were the mostsignificant features that enhanced the classification al-gorithm to attain good results ey used cross-validations3 5 and 10 to validate their results us we developed asystem based on deep learning algorithms to improve theaccuracy of detecting attacks e PSO method was
Nor
mal
Atta
ck
Normal Attack
160000
140000
120000
100000
80000
60000
40000
20000
True negative9101
485
False positive3003
160
False negative713
038
True positive1749189317
Figure 11 Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model
Nor
mal
Atta
ck
Normal Attack
160000
140000
120000
100000
80000
60000
40000
20000
True negative9512
507
False positive2592
138
False negative3736
199
True positive1718959156
(a)
Nor
mal
Atta
ck
Normal Attack
160000
140000
120000
100000
80000
60000
40000
20000
True positive1750599325
False negative572
030
True negative9346
498
False positive2758
147
(b)
Figure 10 Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model
Table 8 Results of the proposed system for the validation phase
Precision () Sensitivity () Specificity () F1-score () Accuracy () Time (second)CNN 9840 990 7720 9870 9660 80LSTM 980 9970 7160 9890 9820 160CNN-LSTM 9840 9920 7740 9880 980 80
Complexity 13
022
020
018
016
014
012
010
Accu
racy
2 4 6 8 10Number of epochs
Training lossValidation loss
(a)
Accu
racy
2 4 6 8 10Number of epochs
0225
0200
0175
0150
0125
0100
0075
0050
Training lossValidation loss
(b)
Figure 12 Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM)model
020
018016014012010
008006
Accu
racy
2 4 6 8 10Number of epochs
Training lossValidation loss
Figure 13 Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model
097
096
095
094
Accu
racy
2 4 6 8 10Number of epochs
Training accuracyValidation accuracy
(a)
Accu
racy
2 4 6 8 10Number of epochs
Training accuracyValidation accuracy
098
097
096
095
094
093
(b)
Figure 14 Performance of the proposed models (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM)model
14 Complexity
considered to handle imbalanced data for obtaining sig-nificant subset features We found that our system im-proved the effectiveness of detecting cyberattacks basedon the IoT environment Table 9 compares the
performances of our proposed systems with data fromprevious studies e proposed framework yielded su-perior detection accuracy compared with other machinealgorithms (see Figure 16)
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. (Bar chart of accuracy, precision, and F1-score, on a scale of 0 to 100, for SVM, NB, LDA, decision tree, random forest, ensemble, and the proposed models.)
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. (Plot of training accuracy and validation accuracy against the number of epochs, 2 to 10.)
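Table 9: Comparison of the proposed and existing model results.

| Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second) |
|---|---|---|---|---|---|---|
| SVM | 55 | - | - | 37 | 40 | |
| Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 | |
| LDA | 71 | | | 62 | 70 | |
| Decision tree | 85 | | | 88 | 88 | |
| Random forest | 85 | | | 84 | 84 | |
| Ensemble | 87 | | | 87 | 87 | |
| CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80 |
| LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160 |
| CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80 |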
4. Conclusion
We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:
- The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge in developing the system.
- Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
- The experimental results of the proposed system were superior to those of the research article that generated the dataset, and, given its robustness and efficiency, the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels: attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, "Adaptive anomaly detection framework model objects in cyberspace," Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, "Intelligent time series model to predict bandwidth utilization," International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, "Big data for cybersecurity: vulnerability disclosure trends and dependencies," Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, "MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning," Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, "A comprehensive survey for intelligent spam email detection," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni et al., "Intelligent hybrid model to enhance time series models for predicting network traffic," Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, "IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture," Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, "Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities," Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, "A Review of Network Traffic Analysis and Prediction Techniques," p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, "Analysis of dimensionality reduction in intrusion detection," International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, "Use of data visualisation for zero-day malware detection," Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, "Electricity theft detection in AMI using customers' consumption patterns," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, "Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining," in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, "Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid," in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, "Decision tree and SVM-based data analytics for theft detection in smart grid," Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, "Intrusion detection system for the detection of blackhole attacks in a smart grid," in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, "Intrusion detection and prevention for ZigBee-based home area networks in smart grids," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, "Electricity theft detection in smart grid systems: a CNN-LSTM based approach," Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang et al., "HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection," Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, "Applying convolutional neural network for network intrusion detection," in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, "CNN and GRU based deep neural network for electricity theft detection to secure smart grid," in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, "CNID: research of network intrusion detection based on convolutional neural network," Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, "An intrusion detection model based on feature reduction and convolutional neural networks," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, "Wireless network intrusion detection based on improved convolutional neural network," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, "A review on intrusion detection techniques and intrusion detection systems in MANETs," in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, "Intrusion detection systems in Internet of Things: a literature review," in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, "A brief introduction to intrusion detection system," in Proceedings of the Trends in Intelligent Robotics, Automation and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, "An automata based intrusion detection method for internet of things," Mobile Information Systems, vol. 2017, Article ID 1750637, 2017.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, "Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs," in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, "Intrusion detection system for internet of things based on a machine learning approach," in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, "Agent-based internet of things: state-of-the-art and research challenges," Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, "An intrusion detection method for internet of things based on suppressed fuzzy clustering," EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, "DEMO: an IDS framework for internet of things empowered by 6LoWPAN," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, "Attack identification framework for IoT devices," Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, "Internet of Things: a survey on machine learning-based intrusion detection approaches," Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, "Distributed attack detection scheme using deep learning approach for Internet of Things," Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, "A reference model for internet of things middleware," Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, "Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning," Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, "An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets," Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, "Particle swarm optimization," in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, "A hybrid network intrusion detection system using simplified swarm optimization (SSO)," Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, "The use of computational intelligence in intrusion detection systems: a review," Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, "Botnet detection in the internet of things using deep learning approaches," in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, "Water quality prediction using artificial intelligence algorithms," Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, "Intrusion detection for IoT devices based on RF fingerprinting using deep learning," in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, "Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network," Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, "A scheme for generating a dataset for anomalous activity detection in IoT networks," in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
Table 3: Correlation coefficient between features and normal class.

| Features | Normal |
|---|---|
| Src_IP | 0.55 |
| Fwd_Pkt_Len_Min | 0.50 |
| Flow_Pkts/s | 0.50 |
| Flow_IAT_Mean | 0.64 |
| Flow_IAT_Min | 0.63 |
| Fwd_IAT_Tot | 0.80 |
| Fwd_IAT_Mean | 0.89 |
| Bwd_IAT_Mean | 0.62 |
| Bwd_IAT_Max | 0.62 |
| Bwd_IAT_Min | 0.62 |
| Fwd_PSH_Flags | 0.1 |
| FIN_Flag_Cnt | 0.99 |
| RST_Flag_Cnt | 0.99 |
| CWE_Flag_Count | 0.99 |
| ECE_Flag_Cnt | 0.99 |
| Fwd_Byts/b_Avg | 0.1 |
| Bwd_Pkts/b_Avg | 0.1 |
| Init_Bwd_Win_Byts | 0.58 |
| Active_Mean | 0.1 |
| Idle_Max | 0.50 |
Table 4: Correlation coefficient between features and attack class.

| Features | Attack |
|---|---|
| Src_IP | 0.55 |
| Fwd_Pkt_Len_Min | 0.50 |
| Flow_Pkts/s | 0.50 |
| Flow_IAT_Mean | 0.50 |
| Flow_IAT_Min | 0.68 |
| Fwd_IAT_Tot | 0.69 |
| Fwd_IAT_Mean | 0.84 |
| Bwd_IAT_Mean | 0.63 |
| Bwd_IAT_Max | 0.63 |
| Bwd_IAT_Min | 0.63 |
| Fwd_PSH_Flags | 0.1 |
| FIN_Flag_Cnt | 0.99 |
| RST_Flag_Cnt | 0.99 |
| CWE_Flag_Count | 0.99 |
| ECE_Flag_Cnt | 0.99 |
| Fwd_Byts/b_Avg | 0.1 |
| Bwd_Pkts/b_Avg | 0.1 |
| Init_Bwd_Win_Byts | 0.53 |
| Active_Mean | 0.94 |
| Idle_Max | 0.87 |
where $x_i$ is the output of the convolution, $l_i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.
The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1, \tag{7}$$

where tanh is the function and $x$ is the training input data.

$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right), \tag{8}$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.
The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}}, \tag{9}$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of the softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].
The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates "completely discarded" and 1 indicates "completely retained." The current state is represented by $c_t$ as follows:

$$h_t = \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),$$
$$f_t = \sigma\left(W^{(f)} + X_t + U^{(f)} h_{t-1} + b^{(f)}\right), \tag{10}$$

where $h_t$ is the input training data and the input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$; the significant parameters of the LSTM are the weight $W^{(f)}$, and $b^{(f)}$ is the bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$i_t = \sigma\left(W^{(i)} + X_t + U^{(i)} h_{t-1} + b^{(i)}\right),$$
$$m_t = \tanh\left(W^{(m)} + X_t + U^{(m)} h_{t-1} + b^{(m)}\right),$$
$$c_t = i_t \cdot m_t + f_t \cdot c_{t-1}. \tag{11}$$

Here $c_{t-1}$ is the cell state from the previous cell, which is updated to the cell state $c_t$; the new information must be discarded, and $f_t \cdot c_{t-1}$ and $i_t \cdot m_t$ are combined to obtain the next cell state as follows:

$$o_t = \sigma\left(W^{(o)} + X_t + h_{t-1} + b^{(o)}\right),$$
$$h_t = o_t \cdot \tanh\left(c_t\right), \tag{12}$$

where $o_t$ is the output gate and the weight vector of the neural network is represented by $W$, $U$, and $V$. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. (Layer order shown: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.)
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method with the size of 20 × 625783 to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
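The data flow of the hybrid model in Section 2.4.3, as an added example in plain Python (not the authors' code): one convolution and max-pooling block with kernel size 3 and pool size 2, feeding an LSTM and a softmax layer over the two classes. The 4 filters, 8 hidden units, random untrained weights, and the constructed 20-value input are assumptions chosen to keep it small; the gates use the standard form W x + U h + b, as in the first line of Eq. (10).

```python
import math
import random


def conv1d_tanh(x, kernels, biases):
    """Valid 1-D convolution followed by tanh (Eq. 7); one output row per filter."""
    rows = []
    for kern, b in zip(kernels, biases):
        k = len(kern)
        rows.append([math.tanh(sum(kern[j] * x[t + j] for j in range(k)) + b)
                     for t in range(len(x) - k + 1)])
    return rows


def max_pool(rows, size=2):
    """Non-overlapping max pooling (Eq. 8): keep the largest element of each region."""
    return [[max(r[t:t + size]) for t in range(0, len(r) - size + 1, size)]
            for r in rows]


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def affine(W, x, U, h, b):
    """W x + U h + b for one gate; W is hidden x filters, U is hidden x hidden."""
    return [sum(w * xi for w, xi in zip(W[k], x))
            + sum(u * hj for u, hj in zip(U[k], h)) + b[k]
            for k in range(len(b))]


def lstm_step(x, h_prev, c_prev, p):
    """One time step: forget (f), input (i), candidate (m) and output (o) gates."""
    f = [sigmoid(v) for v in affine(p["Wf"], x, p["Uf"], h_prev, p["bf"])]
    i = [sigmoid(v) for v in affine(p["Wi"], x, p["Ui"], h_prev, p["bi"])]
    m = [math.tanh(v) for v in affine(p["Wm"], x, p["Um"], h_prev, p["bm"])]
    o = [sigmoid(v) for v in affine(p["Wo"], x, p["Uo"], h_prev, p["bo"])]
    # Eq. 11: c_t = i_t * m_t + f_t * c_{t-1}; Eq. 12: h_t = o_t * tanh(c_t)
    c = [ik * mk + fk * ck for ik, mk, fk, ck in zip(i, m, f, c_prev)]
    h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]
    return h, c


def softmax(z):
    """Eq. 9, with the maximum subtracted first for numerical stability."""
    mx = max(z)
    e = [math.exp(v - mx) for v in z]
    s = sum(e)
    return [v / s for v in e]


def init_params(n_filters, hidden, n_classes, seed=0):
    """Random, untrained weights (assumption: illustrates shapes, not detection)."""
    rng = random.Random(seed)

    def rnd(r, c):
        return [[rng.uniform(-0.5, 0.5) for _ in range(c)] for _ in range(r)]

    p = {"kernels": rnd(n_filters, 3), "kb": [0.0] * n_filters,
         "Wd": rnd(n_classes, hidden), "bd": [0.0] * n_classes}
    for g in "fimo":
        p["W" + g] = rnd(hidden, n_filters)
        p["U" + g] = rnd(hidden, hidden)
        p["b" + g] = [0.0] * hidden
    return p


def forward(features, p):
    """Return (class probabilities, conv output length, number of LSTM steps)."""
    conv = conv1d_tanh(features, p["kernels"], p["kb"])   # 20 values -> 18 per filter
    pooled = max_pool(conv, 2)                            # 18 -> 9 per filter
    steps = list(zip(*pooled))                            # 9 time steps of filter values
    h = [0.0] * len(p["bf"])
    c = [0.0] * len(p["bf"])
    for x in steps:
        h, c = lstm_step(x, h, c, p)
    logits = [sum(w * hk for w, hk in zip(row, h)) + b
              for row, b in zip(p["Wd"], p["bd"])]
    return softmax(logits), len(conv[0]), len(steps)


if __name__ == "__main__":
    flow = [((i * 7) % 10) / 10 for i in range(20)]   # constructed 20-feature record
    probs, conv_len, n_steps = forward(flow, init_params(4, 8, 2))
    print("conv length", conv_len, "LSTM steps", n_steps, "P(normal), P(attack)", probs)
```

With the forget gate saturated at 1 and the input gate at 0, `lstm_step` returns the previous cell state unchanged, which is the "completely retained" case described for the forget gate.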
3. Results
In this section, results of the proposed framework for intrusion detection are presented.
3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.
Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.
3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. (Gate annotations in the diagram: Input: does X(t) matter? New memory: compute new memory. Forget: should c(t−1) be forgotten? Output: how much c(t) should be exposed?)
$$\text{accuracy} = \frac{TP + TN}{FP + FN + TP + TN},$$
$$\text{specificity} = \frac{TN}{TN + FP} \times 100,$$
$$\text{sensitivity} = \frac{TP}{TP + FN} \times 100,$$
$$\text{recall} = \frac{TP}{TP + FN} \times 100,$$
$$\text{F1-score} = 2 \ast \frac{\text{precision} \ast \text{Recall}}{\text{precision} \ast \text{Recall}} \times 100, \tag{13}$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
3.3. Results and Discussion. The experiments were conducted using real IoT-based cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.
The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.
To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the training loss increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.

Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model. (Pipeline shown: original data 80 × 625783, preprocessing, PSO method for dimensionality reduction to 20 × 625783, convolution and max pooling layers, LSTM layers, flatten, fully connected, classification into normal and attacks.)

Table 5: Experiment environment setup.

| Hardware | Environment |
|---|---|
| Operation system | Windows 10 |
| CPU | I7 |
| Memory | 8 |
| Development environment | Jupyter Python 3.6 |

Table 6: Parameters of the proposed model.

| Parameter name | Value |
|---|---|
| Convolutions filters | 100 |
| Kernel size of filter | 3 |
| Max pooling size | 2 |
| Drop out | 0.50 |
| Fully connected layer | 256 |
| Activation function | Tanh |
| Classification function | Softmax |
| Optimizer | RMSprop |
| Epochs | 10 |
| Batch size | 5000 |

Figure 9: Size of sample for training and testing. (Bar chart: training 438048, testing 187735.)

Table 7: Confusion matrices for the proposed framework in testing phase.

| Models | TP | TN | FP | FN |
|---|---|---|---|---|
| CNN | 171895 | 9512 | 2592 | 3736 |
| LSTM | 174918 | 9101 | 3003 | 713 |
| CNN-LSTM | 175059 | 9346 | 2758 | 572 |
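An added worked example (not the authors' code) that derives the evaluation metrics from the testing-phase counts in Table 7, with attack as the positive class. It assumes the usual harmonic-mean form 2PR/(P+R) for the F1-score and adds three quantities the page does not report: false-positive rate, balanced accuracy, and the accuracy of always predicting the majority class. Table 8 is stated for the validation phase, so its values need not coincide with these.

```python
# Testing-phase confusion-matrix counts copied from Table 7 (attack = positive).
TABLE_7 = {
    "CNN":      {"TP": 171895, "TN": 9512, "FP": 2592, "FN": 3736},
    "LSTM":     {"TP": 174918, "TN": 9101, "FP": 3003, "FN": 713},
    "CNN-LSTM": {"TP": 175059, "TN": 9346, "FP": 2758, "FN": 572},
}


def ratio(num, den):
    """num/den, or None when the denominator is empty (for example, a class is absent)."""
    return num / den if den else None


def metrics(TP, TN, FP, FN):
    """Detection metrics as fractions in [0, 1]; multiply by 100 for percentages."""
    total = TP + TN + FP + FN
    attack_flows = TP + FN          # ground-truth positives
    benign_flows = TN + FP          # ground-truth negatives
    precision = ratio(TP, TP + FP)
    sensitivity = ratio(TP, attack_flows)      # recall / detection rate
    specificity = ratio(TN, benign_flows)
    f1 = None
    if precision and sensitivity:
        # Assumption: standard harmonic mean of precision and recall.
        f1 = 2 * precision * sensitivity / (precision + sensitivity)
    balanced = None
    if sensitivity is not None and specificity is not None:
        balanced = (sensitivity + specificity) / 2
    return {
        "total": total,
        "attack_flows": attack_flows,
        "benign_flows": benign_flows,
        "accuracy": ratio(TP + TN, total),
        "precision": precision,
        "sensitivity": sensitivity,
        "specificity": specificity,
        "f1": f1,
        # Share of benign flows that would raise an alert.
        "false_positive_rate": ratio(FP, benign_flows),
        "balanced_accuracy": balanced,
        # Accuracy of a detector that labels every flow with the larger class.
        "majority_baseline": ratio(max(attack_flows, benign_flows), total),
    }


def summarize(table=TABLE_7):
    """Metrics for every model in the table."""
    return {name: metrics(**counts) for name, counts in table.items()}


def fmt(value):
    return "n/a" if value is None else f"{100 * value:6.2f}%"


if __name__ == "__main__":
    keys = ["accuracy", "precision", "sensitivity", "specificity", "f1",
            "false_positive_rate", "balanced_accuracy", "majority_baseline"]
    for name, m in summarize().items():
        print(name, "flows:", m["total"], "benign:", m["benign_flows"])
        for key in keys:
            print(f"  {key:20s} {fmt(m[key])}")
```

Only 12104 of the 187735 test flows are normal, so accuracy is dominated by the attack class; specificity and the false-positive rate show how the benign traffic is handled.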
Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model. Axes: Normal and Attack. True negative 9101 (4.85%), false positive 3003 (1.60%), false negative 713 (0.38%), true positive 174918 (93.17%).
The proposed methodology was compared with the research work that generated these data by Ullah et al. [49], who proposed machine learning algorithms, namely, SVM, Gaussian naïve Bayes (NB), linear discriminant analysis (LDA), decision tree, and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was
considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).
0102030405060708090
100
SVM NB LDA Decsiontree
Randomforest
Ensemble Proposedmodel
(LSTM)
Proposedmodel
(LSTM)
Proposedmodel
(CNN-LSTM)
Models
AccuracyPrecisionF1-score
Figure 16 Comparison of the proposed system against the existing system in terms of accuracy metric
Accu
racy
2 4 6 8 10Number of epochs
098
097
096
095
094
093
Training accuracyValidation accuracy
Figure 15 Performance of the proposed models (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM)model
Table 9 Comparison of the proposed and existing model results
Algorithms Precision Sensitivity Specificity F1-score Accuracy Time (second)SVM 55 - - 37 40Gaussian NB (Naıve bays) 55 - - 62 73LDA 71 62 70Decision tree 85 88 88Random forest 85 84 84Ensemble 87 87 87CNN 9840 0990 0772 9870 0966 80LSTM 980 0997 0716 9890 0982 160CNN-LSTM 9840 0992 0774 9880 0980 80
Complexity 15
4 Conclusion
We presented the implementation and evaluation of aproposed framework to detect intrusions based on IoTinfrastructure We developed a robust system using ad-vanced artificial intelligence algorithms namely CNNLSTM and combined CNN-LSTM For computationintelligence PSO was employed to derive subset featuresfrom the entire dataset e selected subset features wereprocessed using a classification algorithm We made thefollowing conclusions
e novel proposed system was evaluated and devel-oped using a new real standard dataset generated fromthe IoT environment is was a big challenge to de-veloping the systemAdvanced deep learning algorithms namely CNNLSTM and CNN-LSTM were applied for the auto-matic classification of the intrusionse experimental results of the proposed system weresuperior to a research article that generated the datasetand the robustness and efficiency of the proposedmodel will be implemented in our university IoTinfrastructure
Data Availability
e IoTID20 dataset supporting the study was obtainedfrom Kaggle httpssitesGooglecomviewiot-network-in-trusion-datasethomee newly developed IoTID20 datasetwas adopted from Pcap files available online e datasetcontained 80 features and two main label attacks andnormal e IoTID20 dataset attack was generated in 2020Figure 2 shows the IoT environment of the generatedIoTID20 dataset Table 1 displays all the types of IoTID20dataset attacks and the numbers of features for each classlabel are presented in Figure 4
Conflicts of Interest
e authors declare that they have no conflicts of interest
Acknowledgments
e authors extend their appreciation to the Deanship ofScientific Research at King Faisal University for funding thisresearch work and APC through the project number no206068
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, “Adaptive anomaly detection framework model objects in cyberspace,” Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, “Intelligent time series model to predict bandwidth utilization,” International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, “Big data for cybersecurity: vulnerability disclosure trends and dependencies,” Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, “MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning,” Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, “A comprehensive survey for intelligent spam email detection,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni, et al., “Intelligent hybrid model to enhance time series models for predicting network traffic,” Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, “Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities,” Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, “Analysis of dimensionality reduction in intrusion detection,” International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, “Use of data visualisation for zero-day malware detection,” Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity theft detection in AMI using customers’ consumption patterns,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, “Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining,” in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, “Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid,” in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, “Decision tree and SVM-based data analytics for theft detection in smart grid,” Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, “Intrusion detection system for the detection of blackhole attacks in a smart grid,” in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, “Intrusion detection and prevention for ZigBee-based home area networks in smart grids,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, “Electricity theft detection in smart grid systems: a CNN-LSTM based approach,” Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang, et al., “HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, “CNN and GRU based deep neural network for electricity theft detection to secure smart grid,” in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, “CNID: research of network intrusion detection based on convolutional neural network,” Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, “An intrusion detection model based on feature reduction and convolutional neural networks,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, “Wireless network intrusion detection based on improved convolutional neural network,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, “A review on intrusion detection techniques and intrusion detection systems in MANETs,” in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, “Intrusion detection systems in Internet of Things: a literature review,” in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, “A brief introduction to intrusion detection system,” in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, “An automata based intrusion detection method for internet of things,” Mobile Information Systems, vol. 2017, 2017, Article ID 1750637.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, “Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs,” in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, “Intrusion detection system for internet of things based on a machine learning approach,” in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, “Agent-based internet of things: state-of-the-art and research challenges,” Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection method for internet of things based on suppressed fuzzy clustering,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “DEMO: an IDS framework for internet of things empowered by 6LoWPAN,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, “Attack identification framework for IoT devices,” Advances in Intelligent Systems and Computing, In Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, “Internet of Things: a survey on machine learning-based intrusion detection approaches,” Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, “A reference model for internet of things middleware,” Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, “An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets,” Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, “Particle swarm optimization,” in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, “A hybrid network intrusion detection system using simplified swarm optimization (SSO),” Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, “The use of computational intelligence in intrusion detection systems: a review,” Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, “Water quality prediction using artificial intelligence algorithms,” Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, “Intrusion detection for IoT devices based on RF fingerprinting using deep learning,” in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, “Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network,” Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, “A scheme for generating a dataset for anomalous activity detection in IoT networks,” in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
Table 4: Correlation coefficient between features and attack class.

Features             Attack
Src_IP               0.55
Fwd_Pkt_Len_Min      0.50
Flow_Pkts/s          0.50
Flow_IAT_Mean        0.50
Flow_IAT_Min         0.68
Fwd_IAT_Tot          0.69
Fwd_IAT_Mean         0.84
Bwd_IAT_Mean         0.63
Bwd_IAT_Max          0.63
Bwd_IAT_Min          0.63
Fwd_PSH_Flags        0.1
FIN_Flag_Cnt         0.99
RST_Flag_Cnt         0.99
CWE_Flag_Count       0.99
ECE_Flag_Cnt         0.99
Fwd_Byts/b_Avg       0.1
Bwd_Pkts/b_Avg       0.1
Init_Bwd_Win_Byts    0.53
Active_Mean          0.94
Idle_Max             0.87
where $x_i$ is the output convolution, $l_i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.

The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1, \tag{7}$$

where tanh is the function and $x$ is the training input data.

$$Q_j = \operatorname{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right), \tag{8}$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.

The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}}, \tag{9}$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].

The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates “completely discarded” and 1 indicates “completely retained.” The current state is represented by $c_t$ as follows:

$$
\begin{aligned}
h_t &= \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),\\
f_t &= \sigma\left(W^{(f)} X_t + U^{(f)} h_{t-1} + b^{(f)}\right),
\end{aligned}
\tag{10}
$$

where $h_t$ is input training data and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$, the significant parameters of the LSTM are weight $W^{(f)}$, and $b^{(f)}$ is bias. The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$
\begin{aligned}
i_t &= \sigma\left(W^{(i)} X_t + U^{(i)} h_{t-1} + b^{(i)}\right),\\
m_t &= \tanh\left(W^{(m)} X_t + U^{(m)} h_{t-1} + b^{(m)}\right),\\
c_t &= i_t \cdot m_t + f_t \cdot c_{t-1}.
\end{aligned}
\tag{11}
$$

When the cell state $c_{t-1}$ is the cell state from the previous cell, which was used to update by using cell state $c_t$, the new information must be discarded, and $f_t\, c_{t-1}$ and $i_t\, m_t$ are combined to obtain the next cell state as follows:

$$
\begin{aligned}
o_t &= \sigma\left(W^{(o)} X_t + U^{(o)} h_{t-1} + b^{(o)}\right),\\
h_t &= o_t \cdot \tanh\left(c_t\right),
\end{aligned}
\tag{12}
$$

where $o_t$ is the output gate and the weight vector of the neural network is represented by W, U, and V. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. [Layers shown: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.]
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method with the size of 20 × 625783 to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
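The forward pass described in Sections 2.4.1 to 2.4.3, following Eqs. (7) to (12), is written out below as an added example; it is not the authors' implementation. Kernel size 3, pool size 2, tanh and softmax follow the text, while the filter count, hidden size, unpadded convolution, random weights, omission of the 256-unit fully connected layer and the 20-value input record are assumptions made for illustration.

```python
import math
import random

def conv1d_tanh(x, kernels, biases):
    """Unpadded 1-D convolution over the feature vector followed by tanh, Eq. (7).
    Computed as cross-correlation, the way deep learning frameworks do.
    Returns one list of filter outputs per kernel position."""
    k = len(kernels[0])
    return [[math.tanh(sum(w * x[p + j] for j, w in enumerate(ker)) + b)
             for ker, b in zip(kernels, biases)]
            for p in range(len(x) - k + 1)]

def max_pool(seq, size):
    """Non-overlapping max pooling along positions, per filter, Eq. (8)."""
    return [[max(step[c] for step in seq[s:s + size]) for c in range(len(seq[0]))]
            for s in range(0, len(seq) - size + 1, size)]

def softmax(z):
    """Eq. (9); subtracting max(z) avoids overflow and leaves the result unchanged."""
    m = max(z)
    e = [math.exp(v - m) for v in z]
    total = sum(e)
    return [v / total for v in e]

def _sigma(v):
    return 1.0 / (1.0 + math.exp(-v))

def _gate(p, name, x_t, h_prev, act):
    """act(W x_t + U h_{t-1} + b) for the gate called `name`."""
    W, U, b = p[name]
    return [act(sum(w * a for w, a in zip(Wr, x_t)) +
                sum(u * a for u, a in zip(Ur, h_prev)) + br)
            for Wr, Ur, br in zip(W, U, b)]

def lstm_step(x_t, h_prev, c_prev, p):
    """One LSTM cell update. p maps "f", "i", "m", "o" to (W, U, b)."""
    f = _gate(p, "f", x_t, h_prev, _sigma)      # forget gate, Eq. (10)
    i = _gate(p, "i", x_t, h_prev, _sigma)      # input gate, Eq. (11)
    m = _gate(p, "m", x_t, h_prev, math.tanh)   # candidate memory, Eq. (11)
    o = _gate(p, "o", x_t, h_prev, _sigma)      # output gate, Eq. (12)
    c = [it * mt + ft * cp for it, mt, ft, cp in zip(i, m, f, c_prev)]
    h = [ot * math.tanh(ct) for ot, ct in zip(o, c)]
    return h, c

def init_params(n_filters=4, kernel=3, hidden=8, n_classes=2, seed=0):
    """Small random weights (assumed sizes; the page uses 100 filters)."""
    rng = random.Random(seed)

    def mat(rows, cols):
        return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

    return {
        "kernels": mat(n_filters, kernel),
        "conv_b": [0.0] * n_filters,
        "lstm": {g: (mat(hidden, n_filters), mat(hidden, hidden), [0.0] * hidden)
                 for g in "fimo"},
        "dense_W": mat(n_classes, hidden),
        "dense_b": [0.0] * n_classes,
    }

def forward(record, params, pool=2):
    """Convolution + tanh, max pooling, LSTM over pooled positions, softmax."""
    feats = conv1d_tanh(record, params["kernels"], params["conv_b"])
    pooled = max_pool(feats, pool)
    hidden = len(params["dense_W"][0])
    h, c = [0.0] * hidden, [0.0] * hidden
    for step in pooled:                      # each pooled position is one time step
        h, c = lstm_step(step, h, c, params["lstm"])
    logits = [sum(w * a for w, a in zip(row, h)) + b
              for row, b in zip(params["dense_W"], params["dense_b"])]
    return {"conv_steps": len(feats), "pooled_steps": len(pooled),
            "probs": softmax(logits)}        # [P(normal), P(attack)], untrained

# Constructed stand-in for one flow record: 20 selected features scaled to [0, 1].
RECORD = [((7 * i) % 20) / 19.0 for i in range(20)]

if __name__ == "__main__":
    out = forward(RECORD, init_params())
    print(out["conv_steps"], out["pooled_steps"], out["probs"])
```

With 20 input features, the unpadded kernel of size 3 yields 18 positions and the pool of size 2 leaves 9 time steps for the LSTM.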
3. Results

In this section, results of the proposed framework for detection intrusion are presented.

3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.

Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.
3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:

$$
\begin{aligned}
\text{accuracy} &= \frac{TP + TN}{FP + FN + TP + TN},\\
\text{specificity} &= \frac{TN}{TN + FP} \times 100,\\
\text{sensitivity} &= \frac{TP}{TP + FN} \times 100,\\
\text{recall} &= \frac{TP}{TP + FN} \times 100,\\
\text{F1-score} &= 2 \cdot \frac{\text{precision} \cdot \text{recall}}{\text{precision} + \text{recall}} \times 100,
\end{aligned}
\tag{13}
$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.

Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. [Panels: Input (does X(t) matter?), New memory (compute new memory), Forget (should c(t−1) be forgotten?), Output (how much c(t) should be exposed?).]
3.3. Results and Discussion. The experiments were conducted using a real IoT based on cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.

The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.

To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the training loss increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.

Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model. [Blocks shown: original data (80 × 625783), preprocessing, PSO method for dimensionality reduction (20 × 625783), convolution and max pooling layers, LSTM layers, flatten, fully connected, classification (normal, attacks).]
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.

Table 5: Experiment environment setup.

Hardware                   Environment
Operation system           Windows 10
CPU                        I7
Memory                     8
Development environment    Jupyter, Python 3.6

Table 6: Parameters of the proposed model.

Parameter name             Value
Convolutions filters       100
Kernel size of filter      3
Max pooling size           2
Drop out                   0.50
Fully connected layer      256
Activation function        Tanh
Classification function    Softmax
Optimizer                  RMSprop
Epochs                     10
Batch size                 5000

Figure 9: Size of sample for training and testing. [Bars: training 438048; testing 187735.]

Table 7: Confusion matrices for the proposed framework in testing phase.

Models      TP        TN      FP      FN
CNN         171895    9512    2592    3736
LSTM        174918    9101    3003    713
CNN-LSTM    175059    9346    2758    572
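The metric definitions of Section 3.2 can be applied directly to the counts in Table 7. The following added example (not the authors' code) recomputes them, reports the share of the majority class in the test split, and, as an assumption that goes beyond the page, shows the alert precision the same sensitivity and specificity would give at a different attack prevalence; precision uses the standard definition TP / (TP + FP).

```python
# (TP, TN, FP, FN) per model, copied from Table 7 (testing phase).
TABLE7 = {
    "CNN": (171895, 9512, 2592, 3736),
    "LSTM": (174918, 9101, 3003, 713),
    "CNN-LSTM": (175059, 9346, 2758, 572),
}

def metrics(tp, tn, fp, fn):
    """Evaluation metrics in percent for one confusion matrix (attack = positive)."""
    precision = tp / (tp + fp)        # standard definition
    recall = tp / (tp + fn)           # identical to sensitivity
    specificity = tn / (tn + fp)
    return {
        "accuracy": 100.0 * (tp + tn) / (tp + tn + fp + fn),
        "precision": 100.0 * precision,
        "sensitivity": 100.0 * recall,
        "specificity": 100.0 * specificity,
        # F1 as the harmonic mean of precision and recall
        "f1": 100.0 * 2 * precision * recall / (precision + recall),
        # share of normal flows that raise an alert
        "false_alarm_rate": 100.0 * fp / (fp + tn),
    }

def majority_baseline(tp, tn, fp, fn):
    """Accuracy (%) of always predicting the larger class of the test split."""
    attacks, normal = tp + fn, tn + fp
    return 100.0 * max(attacks, normal) / (attacks + normal)

def precision_at_prevalence(tp, tn, fp, fn, prevalence):
    """Alert precision (%) if the same sensitivity and specificity held on
    traffic where `prevalence` (0..1) of flows are attacks. The prevalence
    value is an assumption supplied by the caller, not a figure from the page."""
    sensitivity = tp / (tp + fn)
    false_alarm = fp / (fp + tn)
    hits = sensitivity * prevalence
    alarms = hits + false_alarm * (1.0 - prevalence)
    return 100.0 * hits / alarms

def report(table=TABLE7, prevalence=0.01):
    """One formatted line per model."""
    lines = []
    for name, counts in table.items():
        m = metrics(*counts)
        lines.append(
            "%-9s acc=%.2f prec=%.2f sens=%.2f spec=%.2f f1=%.2f "
            "false-alarm=%.2f baseline=%.2f prec@%.0f%%=%.2f" % (
                name, m["accuracy"], m["precision"], m["sensitivity"],
                m["specificity"], m["f1"], m["false_alarm_rate"],
                majority_baseline(*counts), 100.0 * prevalence,
                precision_at_prevalence(*counts, prevalence)))
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```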
Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. [Axes: Normal, Attack. (a) True negative 9512 (5.07%), false positive 2592 (1.38%), false negative 3736 (1.99%), true positive 171895 (91.56%). (b) True positive 175059 (93.25%), false negative 572 (0.30%), true negative 9346 (4.98%), false positive 2758 (1.47%).]

Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model. [Axes: Normal, Attack. True negative 9101 (4.85%), false positive 3003 (1.60%), false negative 713 (0.38%), true positive 174918 (93.17%).]

Table 8: Results of the proposed system for the validation phase.

Model       Precision (%)   Sensitivity (%)   Specificity (%)   F1-score (%)   Accuracy (%)   Time (second)
CNN         98.40           99.0              77.20             98.70          96.60          80
LSTM        98.0            99.70             71.60             98.90          98.20          160
CNN-LSTM    98.40           99.20             77.40             98.80          98.0           80

Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. [Plots: x-axis, number of epochs; curves, training loss and validation loss.]

Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model. [Plot: x-axis, number of epochs; curves, training loss and validation loss.]

Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plots: x-axis, number of epochs; y-axis, accuracy; curves, training accuracy and validation accuracy.]

The proposed methodology was compared with research work that generated these data by Ullah et al. [49], who proposed a machine learning algorithm, namely, SVM and Gaussian Naïve Bayes (NB), linear discriminant analysis (LDA), and decision and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. [Bar chart: x-axis, models (SVM, NB, LDA, Decision tree, Random forest, Ensemble, Proposed model (LSTM), Proposed model (LSTM), Proposed model (CNN-LSTM)); y-axis, 0 to 100; series, accuracy, precision, and F1-score.]
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plot: x-axis, number of epochs; y-axis, accuracy; curves, training accuracy and validation accuracy.]
Table 9: Comparison of the proposed and existing model results.

Algorithms                   Precision   Sensitivity   Specificity   F1-score   Accuracy   Time (second)
SVM                          55          -             -             37         40         -
Gaussian NB (Naïve Bayes)    55          -             -             62         73         -
LDA                          71          -             -             62         70         -
Decision tree                85          -             -             88         88         -
Random forest                85          -             -             84         84         -
Ensemble                     87          -             -             87         87         -
CNN                          98.40       0.990         0.772         98.70      0.966      80
LSTM                         98.0        0.997         0.716         98.90      0.982      160
CNN-LSTM                     98.40       0.992         0.774         98.80      0.980      80
Complexity 15
4 Conclusion
We presented the implementation and evaluation of aproposed framework to detect intrusions based on IoTinfrastructure We developed a robust system using ad-vanced artificial intelligence algorithms namely CNNLSTM and combined CNN-LSTM For computationintelligence PSO was employed to derive subset featuresfrom the entire dataset e selected subset features wereprocessed using a classification algorithm We made thefollowing conclusions
e novel proposed system was evaluated and devel-oped using a new real standard dataset generated fromthe IoT environment is was a big challenge to de-veloping the systemAdvanced deep learning algorithms namely CNNLSTM and CNN-LSTM were applied for the auto-matic classification of the intrusionse experimental results of the proposed system weresuperior to a research article that generated the datasetand the robustness and efficiency of the proposedmodel will be implemented in our university IoTinfrastructure
Data Availability
e IoTID20 dataset supporting the study was obtainedfrom Kaggle httpssitesGooglecomviewiot-network-in-trusion-datasethomee newly developed IoTID20 datasetwas adopted from Pcap files available online e datasetcontained 80 features and two main label attacks andnormal e IoTID20 dataset attack was generated in 2020Figure 2 shows the IoT environment of the generatedIoTID20 dataset Table 1 displays all the types of IoTID20dataset attacks and the numbers of features for each classlabel are presented in Figure 4
Conflicts of Interest
e authors declare that they have no conflicts of interest
Acknowledgments
e authors extend their appreciation to the Deanship ofScientific Research at King Faisal University for funding thisresearch work and APC through the project number no206068
References
[1] H Alkahtani T H H Aldhyani and M Al-Yaari ldquoAdaptiveanomaly detection framework model objects in cyberspacerdquoApplied Bionics and Biomechanics vol 6660489 p 14 2020
[2] T Aldhyani and M Joshi ldquoIntelligent time series model topredict bandwidth utilizationrdquo International Journal of Ad-vanced Computer Science and Applications vol 14 pp 130ndash141 2017
[3] M Tang M Alazab and Y Luo ldquoBig data for cybersecurityvulnerability disclosure trends and dependenciesrdquo Institute of
Electrical and Electronics Engineers Transactions on Big Datavol 5 no 3 pp 317ndash329 2019
[4] D Vasan M Alazab S Venkatraman J Akram and Z QinldquoMTHAEL cross-architecture IoT malware detection basedon neural network advanced ensemble learningrdquo Institute ofElectrical and Electronics Engineers Transactions on Com-puters vol 69 no 11 pp 1654ndash1667 2020
[5] A Karim S Azam B Shanmugam K Kannoorpatti andM Alazab ldquoA comprehensive survey for intelligent spamemail detectionrdquo Institute of Electrical and Electronics Engi-neers Access vol 7 pp 168261ndash168295 2019
[6] T H H Aldhyani M Alrasheedi M Y AlzahraniA M Bamhdi A A Alqarni et al ldquoIntelligent hybrid modelto enhance time series models for predicting network trafficrdquoInstitute of Electrical and Electronics Engineers Access vol 8pp 130431ndash130451 2020
[7] G Press Internet of6ings by the NumbersWhat New SurveysFound Springer Berlin Germany 2018
[8] V Danish M Alazab W Sobia N Hamad S Babak andQ Zheng ldquoIMCFN Image-based malware classification usingfine-tuned convolutional neural network architecturerdquoComputer Networks vol 171 Article ID 107138 2020
[9] M Alazab K Lakshmanna G ippa Reddy Q-V Phamand P K R Maddikunta ldquoMulti-objective cluster head se-lection using fitness averaged rider optimization algorithm forIoTnetworks in smart citiesrdquo Sustainable Energy Technologiesand Assessments vol 43 2021 ISSN 2213-1388 Article ID100973
[10] M Joshi and T H Hadi ldquoA Review of Network TrafficAnalysis and Prediction Techniquesrdquo p 23 2015 httpsarxivorgabs150705722
[11] T Aldhyani and M Joshi ldquoAnalysis of dimensionality re-duction in intrusion detectionrdquo International Journal ofComputational Intelligence and Informatics vol 4 no 3pp 199ndash206 2014
[12] I V Sitalakshm and M Alazab ldquoUse of data visualisation forzero-day malware detectionrdquo Security and CommunicationNetworks vol 1728303 p 13 2018
[13] P Jokar N Arianpoo and V C M Leung ldquoElectricity theftdetection in AMI using customersrsquo consumption patternsrdquoInstitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 7 pp 216ndash226 2017
[14] F A A Alseiari and Z Aung ldquoReal-time anomaly-baseddistributed intrusion detection systems for advancedMetering Infrastructure utilizing stream data miningrdquo inProceedings of the International Conference on Smart Grid ampClean Energy Technologies Offenburg Germany October2015
[15] R Vijayanand D Devaraj and B Kannapiran ldquoSupportvector machine based intrusion detection system with re-duced input featuresfor advanced metering infrastructure ofsmart gridrdquo in Proceedings of the 4th International Conferenceon Advanced Computing and Communication SystemsCoimbatore India January 2017
[16] A Jindal A Dua K Kaur M Singh N Kumar andS Mishra ldquoDecision tree and SVM-based data analytics fortheft detection in smart gridrdquo Institute of Electrical andElectronics Engineers Transactions on Industrial Informaticsvol 12 no 3 pp 1005ndash1016 2016
[17] N Boumkheld M Ghogho and M E Koutbi ldquoIntrusiondetection system for the detection of blackhole attacks in asmart gridrdquo in Proceedings of the 4th International Symposiumon Computational and Business Intelligence Olten Switzer-land September 2016
16 Complexity
[18] P. Jokar and V. Leung, “Intrusion detection and prevention for ZigBee-based home area networks in smart grids,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, “Electricity theft detection in smart grid systems: a CNN-LSTM based approach,” Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang et al., “HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, “CNN and GRU based deep neural network for electricity theft detection to secure smart grid,” in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, “CNID: research of network intrusion detection based on convolutional neural network,” Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, “An intrusion detection model based on feature reduction and convolutional neural networks,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, “Wireless network intrusion detection based on improved convolutional neural network,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, “A review on intrusion detection techniques and intrusion detection systems in MANETs,” in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, “Intrusion detection systems in Internet of Things: a literature review,” in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, “A brief introduction to intrusion detection system,” in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation, and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, “An automata based intrusion detection method for internet of things,” Mobile Information Systems, vol. 2017, 2017, Article ID 1750637.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, “Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs,” in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, “Intrusion detection system for internet of things based on a machine learning approach,” in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, “Agent-based internet of things: state-of-the-art and research challenges,” Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection method for internet of things based on suppressed fuzzy clustering,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “DEMO: an IDS framework for internet of things empowered by 6LoWPAN,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, “Attack identification framework for IoT devices,” Advances in Intelligent Systems and Computing, In Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, “Internet of Things: a survey on machine learning-based intrusion detection approaches,” Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, “A reference model for internet of things middleware,” Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, “An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets,” Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, “Particle swarm optimization,” in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, “A hybrid network intrusion detection system using simplified swarm optimization (SSO),” Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, “The use of computational intelligence in intrusion detection systems: a review,” Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, “Water quality prediction using artificial intelligence algorithms,” Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, “Intrusion detection for IoT devices based on RF fingerprinting using deep learning,” in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, “Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network,” Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, “A scheme for generating a dataset for anomalous activity detection in IoT networks,” in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
where $x_i$ is the output of the convolution, $l_i$ is the convolution kernel, $\otimes$ is the convolution operation, and $f(x)$ is the activation function.
The convolution kernel was used to pass the IoT training data into max pooling for the extraction of the characteristics of the IoT network data. The extracted features were transferred into the output layer using the tanh function. It was noted that the tanh function was an appropriate activation function for designing the system:

$$f(x) = \tanh(x) = \frac{2}{1 + e^{-2x}} - 1, \tag{7}$$

where tanh is the function and $x$ is the training input data.

$$Q_j = \mathrm{Max}\left(P_j^0, P_j^1, P_j^2, P_j^3, \ldots, P_j^t\right), \tag{8}$$

where $Q_j$ is the output results from the IoT cybersecurity dataset, $j$ is the pooling region, Max is the operation, and $P_j^t$ is the element of the pooling.
The softmax function was used to calculate the probability distribution of an N-dimensional vector. The main purpose of using softmax at the output layer was for the multiclass classification method used in machine learning algorithms, deep learning, and data science. The correct calculation of the output probability helps determine the proper target class for the input dataset, and the probabilities of the maximum values are increased using an exponential element. The softmax equation is shown in the following equation:

$$O_i = \frac{e^{z_i}}{\sum_{i=1}^{M} e^{z_i}}, \tag{9}$$

where $i$ and $z_i$ are the output from previous layers, $O_i$ indicates the output of the softmax function, and $M$ is the total number of output nodes.
2.4.2. Long Short-Term Memory Recurrent Neural Network. The recurrent neural network (RNN) is an advanced artificial intelligence algorithm used in many real-life applications. A traditional RNN was applied to predict the temporal training data, but it faced difficulties when handling gradient explosion data. To solve this issue, the LSTM model was proposed. The LSTM model used a memory function to replace the hidden RNN unit. Figure 7 displays the structure of the LSTM model for detecting intrusions from the IoT network dataset. The LSTM model consisted of three important gates: the forget, input, and output gates [48].
The forget gate was used to find forgotten information, where $h_t$ is the input data and the interval number of the output gate is [0, 1], where 0 indicates “completely discarded” and 1 indicates “completely retained.” The current state is represented by $c_t$ as follows:

$$\begin{aligned}
h_t &= \sigma\left(W x_t + U h_{t-1} + b^{(h)}\right),\\
f_t &= \sigma\left(W^{(f)} + X_t + U^{(f)} h_{t-1} + b^{(f)}\right),
\end{aligned} \tag{10}$$

where $h_t$ is input training data, and input to the previous cell is presented by $h_{t-1}$. The forget gate is indicated by $f_t$; the significant parameters of the LSTM are the weight $W^{(f)}$, and $b^{(f)}$ is the bias.
The input gate was used to update the information using two functions, namely, sigma and tanh. The sigma function was employed to determine what information needed updating, whereas the tanh function generated information for updating:

$$\begin{aligned}
i_t &= \sigma\left(W^{(i)} + X_t + U^{(i)} h_{t-1} + b^{(i)}\right),\\
m_t &= \tanh\left(W^{(m)} + X_t + U^{(m)} h_{t-1} + b^{(m)}\right),\\
c_t &= i_t \cdot m_t + f_t \cdot c_{t-1}.
\end{aligned} \tag{11}$$

The cell state $c_{t-1}$ is the cell state from the previous cell, which is updated to obtain the cell state $c_t$; the new information must be discarded, and $f_t \cdot c_{t-1}$ and $i_t \cdot m_t$ are combined to obtain the next cell state, as follows:

$$\begin{aligned}
o_t &= \sigma\left(W^{(o)} + X_t + h_{t-1} + b^{(o)}\right),\\
h_t &= o_t \cdot \tanh\left(c_t\right),
\end{aligned} \tag{12}$$

where $o_t$ is the output gate, and the weight vector of the neural network is represented by $W$, $U$, and $V$. The sigma function was used to find which information would be the output, and tanh was employed to propose the cell state and declare the final output.
Figure 6: Structure of the convolution neural network (CNN) model for classification of Internet of Things (IoT) intrusions. [Layers shown: convolution, convolution, max pooling, convolution, convolution, max pooling, fully connected.]
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks. The CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.
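The convolution, max pooling, LSTM, and softmax steps described above can be traced end to end on a single 20-feature record (kernel size 3, pool size 2, tanh activation, two output classes). The following is an added illustration in pure Python, not the authors' code: the weights are random and untrained, the filter count and hidden size are reduced, the last hidden state feeds the output layer directly, and the gates use the standard LSTM form in which the weights multiply $x_t$ and $h_{t-1}$; all function names are assumptions.

```python
import math
import random

def tanh_eq7(x):
    """tanh written as in equation (7): 2 / (1 + e^(-2x)) - 1."""
    return 2.0 / (1.0 + math.exp(-2.0 * x)) - 1.0

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def conv1d_tanh(x, kernels, biases):
    """Valid 1-D convolution over the feature vector, then tanh.
    Returns one list per position, holding one value per filter."""
    k = len(kernels[0])
    return [[tanh_eq7(sum(w * v for w, v in zip(kern, x[t:t + k])) + b)
             for kern, b in zip(kernels, biases)]
            for t in range(len(x) - k + 1)]

def max_pool(steps, size=2):
    """Equation (8): maximum of each pooling region, taken per filter."""
    return [[max(col) for col in zip(*steps[s:s + size])]
            for s in range(0, len(steps) - size + 1, size)]

def gate(W, U, b, x, h):
    """Pre-activation W.x + U.h + b of one LSTM gate (standard form)."""
    return [sum(w * v for w, v in zip(W[r], x)) +
            sum(u * v for u, v in zip(U[r], h)) + b[r]
            for r in range(len(b))]

def lstm_step(x, h_prev, c_prev, p):
    """One LSTM step: forget, input, candidate, and output gates."""
    f = [sigmoid(v) for v in gate(p["Wf"], p["Uf"], p["bf"], x, h_prev)]
    i = [sigmoid(v) for v in gate(p["Wi"], p["Ui"], p["bi"], x, h_prev)]
    m = [tanh_eq7(v) for v in gate(p["Wm"], p["Um"], p["bm"], x, h_prev)]
    o = [sigmoid(v) for v in gate(p["Wo"], p["Uo"], p["bo"], x, h_prev)]
    c = [i_ * m_ + f_ * c_ for i_, m_, f_, c_ in zip(i, m, f, c_prev)]
    h = [o_ * tanh_eq7(c_) for o_, c_ in zip(o, c)]
    return h, c

def softmax(z):
    """Equation (9), shifted by max(z) for numerical stability."""
    top = max(z)
    e = [math.exp(v - top) for v in z]
    total = sum(e)
    return [v / total for v in e]

def init_params(n_filters=4, kernel=3, hidden=5, classes=2, seed=0):
    """Untrained random weights (assumption: for illustration only)."""
    rng = random.Random(seed)

    def mat(rows, cols):
        return [[rng.uniform(-0.5, 0.5) for _ in range(cols)]
                for _ in range(rows)]

    p = {"kernels": mat(n_filters, kernel), "kb": [0.0] * n_filters,
         "Wd": mat(classes, hidden), "bd": [0.0] * classes}
    for g in "fimo":  # forget, input, candidate (m), output
        p["W" + g] = mat(hidden, n_filters)
        p["U" + g] = mat(hidden, hidden)
        p["b" + g] = [0.0] * hidden
    return p

def forward(features, p):
    """conv(k=3)+tanh -> max pool(2) -> LSTM over positions -> softmax.
    Returns (class probabilities, number of steps fed to the LSTM)."""
    steps = max_pool(conv1d_tanh(features, p["kernels"], p["kb"]), 2)
    hidden = len(p["bf"])
    h, c = [0.0] * hidden, [0.0] * hidden
    for x_t in steps:
        h, c = lstm_step(x_t, h, c, p)
    logits = [sum(w * v for w, v in zip(row, h)) + b
              for row, b in zip(p["Wd"], p["bd"])]
    return softmax(logits), len(steps)

# Constructed sample: one record with 20 scaled feature values in [0, 1).
SAMPLE_FLOW = [round(0.05 * n, 2) for n in range(20)]

if __name__ == "__main__":
    probs, n_steps = forward(SAMPLE_FLOW, init_params())
    print("steps fed to the LSTM:", n_steps)
    print("P(normal), P(attack):", probs)
```

With 20 input features, the size-3 convolution yields 18 positions and the size-2 pooling halves them, so the LSTM sees 9 steps per record.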
3. Results
In this section, results of the proposed framework for intrusion detection are presented.
3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.
Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function as the activation function for both models.
3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions. [Diagram labels: input (does X(t) matter?), forget (should c(t−1) be forgotten?), new memory, output (how much c(t) should be exposed?).]

$$\begin{aligned}
\text{accuracy} &= \frac{TP + TN}{FP + FN + TP + TN},\\
\text{specificity} &= \frac{TN}{TN + FP} \times 100,\\
\text{sensitivity} &= \frac{TP}{TP + FN} \times 100,\\
\text{recall} &= \frac{TP}{TP + FN} \times 100,\\
\text{F1-score} &= \frac{2 \ast \text{precision} \ast \text{Recall}}{\text{precision} \ast \text{Recall}} \times 100,
\end{aligned} \tag{13}$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
3.3. Results and Discussion. The experiments were conducted using real IoT-based cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.
The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.
To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models on the two classes, normal and attacks, obtained from the confusion matrices, the empirical results for the LSTM model showed a slightly better performance: the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased as the number of epochs increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.

Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model. [Pipeline shown: original data (80 × 625783), preprocessing, PSO method for dimensionality reduction (20 × 625783), convolution and max pooling layers, LSTM layers, flatten, fully connected, classification into normal and attacks.]
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.

Table 5: Experiment environment setup.

| Hardware | Environment |
|---|---|
| Operation system | Windows 10 |
| CPU | I7 |
| Memory | 8 |
| Development environment | Jupyter Python 3.6 |

Table 6: Parameters of the proposed model.

| Parameter name | Value |
|---|---|
| Convolutions filters | 100 |
| Kernel size of filter | 3 |
| Max pooling size | 2 |
| Drop out | 0.50 |
| Fully connected layer | 256 |
| Activation function | Tanh |
| Classification function | Softmax |
| Optimizer | RMSprop |
| Epochs | 10 |
| Batch size | 5000 |

Figure 9: Size of sample for training and testing. [Bar chart: training 438048, testing 187735.]

Table 7: Confusion matrices for the proposed framework in testing phase.

| Models | TP | TN | FP | FN |
|---|---|---|---|---|
| CNN | 171895 | 9512 | 2592 | 3736 |
| LSTM | 174918 | 9101 | 3003 | 713 |
| CNN-LSTM | 175059 | 9346 | 2758 | 572 |
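The counts in Table 7 can be turned into the metrics of equation (13) directly, which is a useful check when reading results on a test set that is mostly attack traffic. The following Python is an added example, not code from the paper: precision is taken as TP/(TP + FP), F1 uses the standard harmonic-mean form 2PR/(P + R), and the false-positive rate and the `always_attack_accuracy` baseline are additions that show how much of the accuracy follows from the class balance alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Binary confusion counts; 'positive' means the attack class."""
    tp: int
    tn: int
    fp: int
    fn: int

    @property
    def total(self):
        return self.tp + self.tn + self.fp + self.fn


# Test-phase counts copied from Table 7.
TABLE_7 = {
    "CNN": Confusion(tp=171895, tn=9512, fp=2592, fn=3736),
    "LSTM": Confusion(tp=174918, tn=9101, fp=3003, fn=713),
    "CNN-LSTM": Confusion(tp=175059, tn=9346, fp=2758, fn=572),
}


def pct(num, den):
    """Percentage; 0.0 rather than an error when the denominator is 0."""
    return 100.0 * num / den if den else 0.0


def metrics(c):
    """Return the evaluation metrics for one confusion matrix, in percent."""
    precision = pct(c.tp, c.tp + c.fp)
    sensitivity = pct(c.tp, c.tp + c.fn)  # identical to recall
    specificity = pct(c.tn, c.tn + c.fp)
    pr_sum = precision + sensitivity
    f1 = 2 * precision * sensitivity / pr_sum if pr_sum else 0.0
    return {
        "accuracy": pct(c.tp + c.tn, c.total),
        "precision": precision,
        "sensitivity": sensitivity,
        "specificity": specificity,
        "f1": f1,
        # Share of normal traffic raised as an alert (100 - specificity).
        "false_positive_rate": pct(c.fp, c.tn + c.fp),
        # Accuracy of a detector that labels every record as attack.
        "always_attack_accuracy": pct(c.tp + c.fn, c.total),
    }


def report(table=TABLE_7):
    """One formatted line per model, for side-by-side reading."""
    lines = []
    for name, c in table.items():
        m = metrics(c)
        lines.append(
            f"{name:9s} acc={m['accuracy']:.2f} prec={m['precision']:.2f} "
            f"sens={m['sensitivity']:.2f} spec={m['specificity']:.2f} "
            f"f1={m['f1']:.2f} fpr={m['false_positive_rate']:.2f} "
            f"baseline={m['always_attack_accuracy']:.2f}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Because 175631 of the 187735 test records are attacks, accuracy alone says little about how normal traffic is treated; specificity and the false-positive rate carry that information.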
The proposed methodology was compared with the research work that generated these data by Ullah et al. [49], who proposed machine learning algorithms, namely, SVM, Gaussian Naïve Bayes (NB), linear discriminant analysis (LDA), decision tree, and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).

Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. [Axes: Normal, Attack.]

Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model. [Axes: Normal, Attack.]

Table 8: Results of the proposed system for the validation phase.

| Model | Precision (%) | Sensitivity (%) | Specificity (%) | F1-score (%) | Accuracy (%) | Time (second) |
|---|---|---|---|---|---|---|
| CNN | 98.40 | 99.0 | 77.20 | 98.70 | 96.60 | 80 |
| LSTM | 98.0 | 99.70 | 71.60 | 98.90 | 98.20 | 160 |
| CNN-LSTM | 98.40 | 99.20 | 77.40 | 98.80 | 98.0 | 80 |

Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. [x-axis: number of epochs; series: training loss, validation loss.]

Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model. [x-axis: number of epochs; series: training loss, validation loss.]

Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [x-axis: number of epochs; y-axis: accuracy; series: training accuracy, validation accuracy.]
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [x-axis: number of epochs; y-axis: accuracy; series: training accuracy, validation accuracy.]

Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. [Bar chart of accuracy, precision, and F1-score for SVM, NB, LDA, decision tree, random forest, ensemble, and the proposed models.]

Table 9: Comparison of the proposed and existing model results.

| Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second) |
|---|---|---|---|---|---|---|
| SVM | 55 | - | - | 37 | 40 | |
| Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 | |
| LDA | 71 | - | - | 62 | 70 | |
| Decision tree | 85 | - | - | 88 | 88 | |
| Random forest | 85 | - | - | 84 | 84 | |
| Ensemble | 87 | - | - | 87 | 87 | |
| CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80 |
| LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160 |
| CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80 |
4. Conclusion
We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:
- The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
- Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
- The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels: attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, “Adaptive anomaly detection framework model objects in cyberspace,” Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, “Intelligent time series model to predict bandwidth utilization,” International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, “Big data for cybersecurity: vulnerability disclosure trends and dependencies,” Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, “MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning,” Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, “A comprehensive survey for intelligent spam email detection,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni et al., “Intelligent hybrid model to enhance time series models for predicting network traffic,” Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, “Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities,” Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T Aldhyani and M Joshi ldquoAnalysis of dimensionality re-duction in intrusion detectionrdquo International Journal ofComputational Intelligence and Informatics vol 4 no 3pp 199ndash206 2014
[12] I V Sitalakshm and M Alazab ldquoUse of data visualisation forzero-day malware detectionrdquo Security and CommunicationNetworks vol 1728303 p 13 2018
[13] P Jokar N Arianpoo and V C M Leung ldquoElectricity theftdetection in AMI using customersrsquo consumption patternsrdquoInstitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 7 pp 216ndash226 2017
[14] F A A Alseiari and Z Aung ldquoReal-time anomaly-baseddistributed intrusion detection systems for advancedMetering Infrastructure utilizing stream data miningrdquo inProceedings of the International Conference on Smart Grid ampClean Energy Technologies Offenburg Germany October2015
[15] R Vijayanand D Devaraj and B Kannapiran ldquoSupportvector machine based intrusion detection system with re-duced input featuresfor advanced metering infrastructure ofsmart gridrdquo in Proceedings of the 4th International Conferenceon Advanced Computing and Communication SystemsCoimbatore India January 2017
[16] A Jindal A Dua K Kaur M Singh N Kumar andS Mishra ldquoDecision tree and SVM-based data analytics fortheft detection in smart gridrdquo Institute of Electrical andElectronics Engineers Transactions on Industrial Informaticsvol 12 no 3 pp 1005ndash1016 2016
[17] N Boumkheld M Ghogho and M E Koutbi ldquoIntrusiondetection system for the detection of blackhole attacks in asmart gridrdquo in Proceedings of the 4th International Symposiumon Computational and Business Intelligence Olten Switzer-land September 2016
16 Complexity
[18] P Jokar and V Leung ldquoIntrusion detection and preventionfor ZigBee-based home area networks in smart gridsrdquo In-stitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 9 pp 1800ndash1811 2016 [CrossRef]
[19] M N Hasan R N Toma A-A Nahid M M M Islam andJ-M Kim ldquoElectricity theft detection in smart grid systems aCNN-LSTM based approachrdquo Energies vol 12 no 17p 3310 2019 [CrossRef]
[20] W Wang Y Sheng J Wang et al ldquoHAST-IDS learninghierarchical spatial-temporal features using deep neuralnetworks to improve intrusion detectionrdquo Institute of Elec-trical and Electronics Engineers Access vol 6 pp 1792ndash18062018 [CrossRef]
[21] R Vinayakumar K P Soman and P PoornachandranldquoApplying convolutional neural network for network intru-sion detectionrdquo in Proceedings of the International Conferenceon Advances in Computing Communications and InformaticsKarnataka India September 2017
[22] A Ullah N Javaid and S Omaji ldquoCNN and GRU based deepneural network for electricity theft detection to secure smart gridrdquoin Proceedings of the 2020 InternationalWireless Communicationsand Mobile Computing Limassol Cyprus June 2020
[23] G Liu and J Zhang ldquoCNID research of network intrusiondetection based on convolutional neural networkrdquo DiscreteDynamics in Nature and Society vol 202011 pages 2020[CrossRef]
[24] Y Xiao C Xing T Zhang and Z Zhao ldquoAn intrusion de-tection model based on feature reduction and convolutionalneural networksrdquo Institute of Electrical and Electronics En-gineers Access vol 7 pp 42210ndash42219 2019 [CrossRef]
[25] H Yang and F Wang ldquoWireless network intrusion detectionbased on improved convolutional neural networkrdquo Instituteof Electrical and Electronics Engineers Access vol 7pp 64366ndash64374 2019 [CrossRef]
[26] S S Chakravarthi and S Veluru ldquoA review on intrusiondetection techniques and intrusion detection systems inMANETsrdquo in Proceedings of the International Conference onComputational Intelligence and Communication NetworksBhopal India November 2014
[27] L Santos C Rabadao and R Goncalves ldquoIntrusion detectionsystems in Internet of ings a literature reviewrdquo in Pro-ceedings of the 13th Iberian Conference on Information Systemsand Technologies (Cisti) Caceres Spain June 2018
[28] A B Mohamed N B Idris and B Shanmugum ldquoA briefintroduction to intrusion detection systemrdquo in Proceedings ofthe Trends in Intelligent Robotics Automation andManufacturing Proceedings of the IRAM 2012 Communi-cations in Computer and Information Science Kuala LumpurMalaysia November 2012
[29] S G Ponnambalam J Parkkinen and K C RamanathanEds in Proceedings of the International Conference on In-telligent Robotics Automation and Manufacturing vol 330Springer Kuala Lumpur Malaysia November 2012
[30] Y Fu Z Yan J Cao O Kone and X Cao ldquoAn automatabased intrusion detection method for internet of thingsrdquoMobile Information Systems vol 2017 2017 [CrossRef] Ar-ticle ID 1750637
[31] A Kapitonov S Lonshakov A Krupenkin and I BermanldquoBlockchain-based protocol of autonomous business activityformulti-agent systems consisting of UAVsrdquo in Proceedings oftheWorkshop on Research Education and Development ofUnmanned Aerial Systems (RED-UAS) pp 84ndash89 [CrossRef]Linkoping Sweden October 2017
[32] C Liang B Shanmugam S Azam M Jonkman F D Boerand G Narayansamy ldquoIntrusion detection system for internetof things based on a machine learning approachrdquo in Pro-ceedings of the International Conference on Vision towardsEmerging Trends in Communication and Networking (ViTE-CoN) pp 1ndash6 [CrossRef] Vellore India March 2019
[33] C Savaglio G Fortino M Ganzha M Paprzycki C Badicaand M Ivanovic ldquoAgent-based internet of things state-of-the-art and research challengesrdquo Future Generation ComputerSystems vol 102 2019 [CrossRef]
[34] L Liu B Xu X Zhang and X Wu ldquoAn intrusion detectionmethod for internet of things based on suppressed fuzzyclusteringrdquo EURASIP Journal on Wireless Communicationsand Networking vol 2018 p 113 2018 [CrossRef]
[35] P Kasinathan G Costamagna H Khaleel C Pastrone andM A Spirito ldquoDEMO an IDS framework for internet ofthings empowered by 6LoWPANrdquo in Proceedings of the 2013ACM SIGSAC Conference on Computer amp CommunicationsSecurity Berlin Germany November 2013
[36] J M R Danda and C Hota ldquoAttack identification frameworkfor IoT devicesrdquo Advances in Intelligent Systems and Com-puting In Information Systems Design and Intelligent Appli-cations Springer India New Delhi India pp 505ndash513 2016
[37] K A P Da Costa J P Papa C O Lisboa R Munoz andV H C De Albuquerque ldquoInternet of ings a survey onmachine learning-based intrusion detection approachesrdquoComputer Networks vol 151 pp 147ndash157 2019 [CrossRef]
[38] A A Diro and N Chilamkurti ldquoDistributed attack detectionscheme using deep learning approach for Internet of ingsrdquoFuture Generation Computer Systems vol 82 pp 761ndash7682018 [CrossRef]
[39] M A A Da Cruz J J P C Rodrigues J Al-MuhtadiV V Korotaev and V H C De Albuquerque ldquoA referencemodel for internet of things middlewarerdquo Institute of Elec-trical and Electronics Engineers Internet of 6ings Journalvol 5 no 2 pp 871ndash883 2018 [CrossRef]
[40] A Azmoodeh A Dehghantanha and K-K R Choo ldquoRobustmalware detection for internet of (battlefield) things devicesusing deep eigenspace learningrdquo Institute of Electrical andElectronics Engineers Transactions on Sustainable Computingvol 4 pp 88ndash95 2018 [CrossRef]
[41] X Larriva-Novo V A Villagra M Vega-Barbas D Riveraand M Sanz Rodrigo ldquoAn IoT-focused intrusion detectionsystem approach based on preprocessing characterization forcybersecurity datasetsrdquo Sensors vol 21 no 2 p 656 2021
[42] J Kennedy and R C Eberhart ldquoParticle swarm optimiza-tionrdquo in Proceedings of the IEEE Int Conf Neural Networkspp 1942ndash1948 Perth Australia November 1995
[43] Y Y Chung and N Wahid ldquoA hybrid network intrusiondetection system using simplified swarm optimization (SSO)rdquoApplied Soft Computing vol 12 no 9 pp 3014ndash3022 2012
[44] S X Wu and W Banzhaf ldquoe use of computational in-telligence in intrusion detection systems a reviewrdquo AppliedSoft Computing vol 10 no 1 pp 1ndash35 2010
[45] C D McDermott F Majdani and A V Petrovski ldquoBotnetdetection in the internet of things using deep learning ap-proachesrdquo in Proceedings of the 2018 International JointConference on Neural Networks (IJCNN) pp 1ndash8 [CrossRef]Rio de Janeiro Brazil July 2018
[46] T H H Aldhyani M Al-Yaari H Alkahtani and M MaashildquoWater quality prediction using artificial intelligence algo-rithmsrdquo Applied Bionics and Biomechanics vol 2020 ArticleID 6659314 2020
Complexity 17
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity
2.4.3. Combined CNN-LSTM Network. We proposed combining two advanced deep learning algorithms to detect intrusion from an IoT network dataset. A hybrid model was designed to automatically detect the attacks, and the structure of the proposed model is presented in Figure 8. The architecture was developed by combining two deep learning models, namely, the CNN and LSTM networks, whereas the CNN algorithm was used to process the significant features obtained from the PSO method, with the size of 20 × 625783, to extract new complex features. A convolutional layer size of three kernels was used to extract the complex features, and tanh activation was proposed to transfer the data. A two-kernel max pool was used for dimension reduction, and we mapped the features to the LSTM model for the extraction of new time information. After the LSTM time information was extracted, the fusion features were fully connected for use in the classification process. The softmax was proposed to detect attacks from the IoT network data.

3. Results

In this section, results of the proposed framework for intrusion detection are presented.

3.1. Experiment Environment Setup. The proposed research was completed using different software and hardware environments. Table 5 shows the requirements used to develop the proposed system. It was noted that these requirements were suitable for training the big data.

Significant parameters used for the development of the deep learning algorithm are presented in Table 6. The kernel convolution was three, and the dropout was 50%. Moreover, the experiment epochs were 10 due to the big data. We used the tanh function for the activation function for both models.

3.2. Evaluation Metrics. Sensitivity, specificity, precision, recall, and F1-score evaluation metrics were proposed to test and evaluate the framework. The equations are defined as follows:
[Figure 7 diagram: LSTM cell with inputs X(t) and h(t−1); weights W(i), U(i), W(f), U(f), W(o), U(o), W(c), U(c); gates i(t), f(t), o(t); candidate memory c′(t); memory c(t−1) and c(t); output h(t). Panel labels: "Input: does X(t) matter?", "New memory: compute new memory", "Forget: should c(t−1) be forgotten?", "Output: how much c(t) should be exposed?"]

Figure 7: Generic structure of the long short-term memory (LSTM) model for the classification of Internet of Things (IoT) intrusions.
$$
\begin{aligned}
\text{accuracy} &= \frac{TP + TN}{FP + FN + TP + TN},\\
\text{specificity} &= \frac{TN}{TN + FP} \times 100,\\
\text{sensitivity} &= \frac{TP}{TP + FN} \times 100,\\
\text{recall} &= \frac{TP}{TP + FN} \times 100,\\
\text{F1-score} &= \frac{2 \ast \text{precision} \ast \text{recall}}{\text{precision} + \text{recall}} \times 100,
\end{aligned}
\tag{13}
$$

where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.
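The following is an added example, not code from the paper: it applies the formulas above to the testing-phase confusion matrices reported in Table 7 and also computes the accuracy of a constant predictor that labels every flow with the more frequent class, a baseline the paper does not report. The function names, the `false_alarm_rate` field and the baseline are this example's own assumptions; accuracy is scaled by 100 here so that all values are percentages.

```python
"""Recompute the section 3.2 metrics from the Table 7 confusion matrices.

Added example; function and field names are this example's own.
"""

# Testing-phase confusion matrices as printed in Table 7 (positive = attack).
TABLE_7 = {
    "CNN":      {"tp": 171895, "tn": 9512, "fp": 2592, "fn": 3736},
    "LSTM":     {"tp": 174918, "tn": 9101, "fp": 3003, "fn": 713},
    "CNN-LSTM": {"tp": 175059, "tn": 9346, "fp": 2758, "fn": 572},
}


def _pct(num, den):
    # A zero denominator means the metric is undefined for this split
    # (for example, no normal flows), so return None instead of 0 or 100.
    return 100.0 * num / den if den else None


def metrics(tp, tn, fp, fn):
    """Return the metrics of section 3.2 as percentages."""
    total = tp + tn + fp + fn
    if total == 0:
        raise ValueError("empty confusion matrix")
    return {
        "accuracy": _pct(tp + tn, total),
        "precision": _pct(tp, tp + fp),
        "sensitivity": _pct(tp, tp + fn),          # same formula as recall
        "specificity": _pct(tn, tn + fp),
        # 2*TP / (2*TP + FP + FN) is algebraically 2PR / (P + R).
        "f1": _pct(2 * tp, 2 * tp + fp + fn),
        # Share of normal flows raised as alerts (100 - specificity).
        "false_alarm_rate": _pct(fp, tn + fp),
    }


def majority_baseline(tp, tn, fp, fn):
    """Accuracy (%) of labelling every flow with the more frequent true class."""
    positives, negatives = tp + fn, tn + fp
    return _pct(max(positives, negatives), positives + negatives)


def report(table=TABLE_7):
    """Metrics per model plus the gain in accuracy over the constant baseline."""
    rows = {}
    for name, cm in table.items():
        row = metrics(**cm)
        row["baseline_accuracy"] = majority_baseline(**cm)
        row["accuracy_gain"] = row["accuracy"] - row["baseline_accuracy"]
        rows[name] = row
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        shown = {k: (None if v is None else round(v, 2)) for k, v in row.items()}
        print(name, shown)
```

Because attack flows make up 175631 of the 187735 test instances, accuracy and F1 are dominated by the attack class; specificity and the false-alarm rate show how the normal traffic is handled.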
3.3. Results and Discussion. The experiments were conducted using real IoT-based cybersecurity network data, and three advanced artificial intelligence models, namely, CNN, LSTM, and CNN-LSTM, were proposed to classify the attacks from the IoT network dataset. Experiments for developing a robust IoT cybersecurity system for detecting intrusions have been presented. The PSO method was applied to deal with dimensionality reduction and improve the classification process. Among the 81 features, we selected 21 as the most significant features for processing the data to detect the intrusions. It was noted that the proposed method was very robust when using the PSO method.

The numbers of false positives, false negatives, true positives, and true negatives were reported using a confusion matrix. In this research, we had to deal with big data (the total data were 625783 instances, and the training data were 438048 instances, whereas the total testing was 187735 instances). Figure 9 shows the size of sample for training and testing. Table 7 shows the results of the confusion matrix obtained from the proposed system. Figure 10 shows the confusion matrix of the proposed system, and the confusion matrix of the combined CNN-LSTM model is presented in Figure 11.

To validate the proposed system, we divided the dataset into 70% training and 30% testing. Three experiments were conducted using different algorithms, namely, CNN, LSTM, and CNN-LSTM, to detect the intrusions. Table 8 demonstrates the results of the proposed model, and it was noted that the LSTM algorithm obtained a slightly higher accuracy compared with the CNN and CNN-LSTM models.
From the evaluation of the deep learning models of the two classes of normal and attacks obtained from the confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the number of epochs increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.

[Figure 8 diagram: original data (80 × 625783) → preprocessing → PSO method (dimensionality reduction, 20 × 625783) → convolution and max pooling layers → LSTM layers → flatten → fully connected → classification (Normal / Attacks)]

Figure 8: Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model.
The proposed system was validated by dividing the dataset into 30% testing, and the accuracy performances of the CNN and LSTM algorithms are presented in Figure 14. The performance of the combined CNN-LSTM model is presented in Figure 15. The three deep learning algorithms performed differently when detecting intrusions based on the IoT dataset. The CNN algorithm achieved 96% accuracy, and the LSTM achieved 98% accuracy, whereas the combined CNN-LSTM model attained 98% accuracy. It was observed that the LSTM model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.

Table 5: Experiment environment setup.

| Hardware | Environment |
|---|---|
| Operation system | Windows 10 |
| CPU | I7 |
| Memory | 8 |
| Development environment | Jupyter Python 3.6 |

Table 6: Parameters of the proposed model.

| Parameter name | Value |
|---|---|
| Convolutions filters | 100 |
| Kernel size of filter | 3 |
| Max pooling size | 2 |
| Drop out | 0.50 |
| Fully connected layer | 256 |
| Activation function | Tanh |
| Classification function | Softmax |
| Optimizer | RMSprop |
| Epochs | 10 |
| Batch size | 5000 |

[Figure 9 bar chart: sample size, training 438048 and testing 187735]

Figure 9: Size of sample for training and testing.

Table 7: Confusion matrices for the proposed framework in testing phase.

| Models | TP | TN | FP | FN |
|---|---|---|---|---|
| CNN | 171895 | 9512 | 2592 | 3736 |
| LSTM | 174918 | 9101 | 3003 | 713 |
| CNN-LSTM | 175059 | 9346 | 2758 | 572 |
The proposed methodology was compared with the research work that generated these data by Ullah et al. [49], who proposed machine learning algorithms, namely, SVM and Gaussian Naïve Bayes (NB), linear discriminant analysis (LDA), and decision tree and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).

[Figure 10 confusion matrices (axes: Normal, Attack). Panel (a): true negative 9512 (5.07%), false positive 2592 (1.38%), false negative 3736 (1.99%), true positive 171895 (91.56%). Panel (b): true positive 175059 (93.25%), false negative 572 (0.30%), true negative 9346 (4.98%), false positive 2758 (1.47%).]

Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model.

[Figure 11 confusion matrix (axes: Normal, Attack): true negative 9101 (4.85%), false positive 3003 (1.60%), false negative 713 (0.38%), true positive 174918 (93.17%).]

Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model.

Table 8: Results of the proposed system for the validation phase.

| | Precision (%) | Sensitivity (%) | Specificity (%) | F1-score (%) | Accuracy (%) | Time (second) |
|---|---|---|---|---|---|---|
| CNN | 98.40 | 99.0 | 77.20 | 98.70 | 96.60 | 80 |
| LSTM | 98.0 | 99.70 | 71.60 | 98.90 | 98.20 | 160 |
| CNN-LSTM | 98.40 | 99.20 | 77.40 | 98.80 | 98.0 | 80 |

[Figure 12 plots, panels (a) and (b): x-axis "Number of epochs" (2 to 10), y-axis labelled "Accuracy"; curves: training loss, validation loss]

Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model.

[Figure 13 plot: x-axis "Number of epochs" (2 to 10), y-axis labelled "Accuracy"; curves: training loss, validation loss]

Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model.

[Figure 14 plots, panels (a) and (b): x-axis "Number of epochs" (2 to 10), y-axis "Accuracy"; curves: training accuracy, validation accuracy]

Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model.
[Figure 15 plot: x-axis "Number of epochs" (2 to 10), y-axis "Accuracy"; curves: training accuracy, validation accuracy]

Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model.

[Figure 16 bar chart: x-axis "Models" (SVM, NB, LDA, Decision tree, Random forest, Ensemble, Proposed model (LSTM), Proposed model (LSTM), Proposed model (CNN-LSTM)), y-axis 0 to 100; series: Accuracy, Precision, F1-score]

Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric.

Table 9: Comparison of the proposed and existing model results.

| Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second) |
|---|---|---|---|---|---|---|
| SVM | 55 | - | - | 37 | 40 | |
| Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 | |
| LDA | 71 | | | 62 | 70 | |
| Decision tree | 85 | | | 88 | 88 | |
| Random forest | 85 | | | 84 | 84 | |
| Ensemble | 87 | | | 87 | 87 | |
| CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80 |
| LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160 |
| CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80 |
4. Conclusion

We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:

(1) The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
(2) Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
(3) The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.

Data Availability

The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels: attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number No. 206068.
References

[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, "Adaptive anomaly detection framework model objects in cyberspace," Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, "Intelligent time series model to predict bandwidth utilization," International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, "Big data for cybersecurity: vulnerability disclosure trends and dependencies," Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, "MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning," Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, "A comprehensive survey for intelligent spam email detection," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni et al., "Intelligent hybrid model to enhance time series models for predicting network traffic," Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, "IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture," Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, "Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities," Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, "A Review of Network Traffic Analysis and Prediction Techniques," p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, "Analysis of dimensionality reduction in intrusion detection," International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, "Use of data visualisation for zero-day malware detection," Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, "Electricity theft detection in AMI using customers' consumption patterns," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, "Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining," in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, "Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid," in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, "Decision tree and SVM-based data analytics for theft detection in smart grid," Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, "Intrusion detection system for the detection of blackhole attacks in a smart grid," in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, "Intrusion detection and prevention for ZigBee-based home area networks in smart grids," Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, "Electricity theft detection in smart grid systems: a CNN-LSTM based approach," Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang et al., "HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection," Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, "Applying convolutional neural network for network intrusion detection," in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, "CNN and GRU based deep neural network for electricity theft detection to secure smart grid," in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, "CNID: research of network intrusion detection based on convolutional neural network," Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, "An intrusion detection model based on feature reduction and convolutional neural networks," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, "Wireless network intrusion detection based on improved convolutional neural network," Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, "A review on intrusion detection techniques and intrusion detection systems in MANETs," in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, "Intrusion detection systems in Internet of Things: a literature review," in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, "A brief introduction to intrusion detection system," in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, "An automata based intrusion detection method for internet of things," Mobile Information Systems, vol. 2017, Article ID 1750637, 2017.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, "Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs," in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, "Intrusion detection system for internet of things based on a machine learning approach," in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, "Agent-based internet of things: state-of-the-art and research challenges," Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, "An intrusion detection method for internet of things based on suppressed fuzzy clustering," EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, "DEMO: an IDS framework for internet of things empowered by 6LoWPAN," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, "Attack identification framework for IoT devices," Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, "Internet of Things: a survey on machine learning-based intrusion detection approaches," Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, "Distributed attack detection scheme using deep learning approach for Internet of Things," Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, "A reference model for internet of things middleware," Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, "Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning," Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, "An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets," Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, "Particle swarm optimization," in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, "A hybrid network intrusion detection system using simplified swarm optimization (SSO)," Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, "The use of computational intelligence in intrusion detection systems: a review," Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, "Botnet detection in the internet of things using deep learning approaches," in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, "Water quality prediction using artificial intelligence algorithms," Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, "Intrusion detection for IoT devices based on RF fingerprinting using deep learning," in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, "Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network," Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, "A scheme for generating a dataset for anomalous activity detection in IoT networks," in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
accuracy TP + TN
FP + FN + TP + TN
specificity TN
TN + FPtimes 100
sensitivity TP
TP + FNtimes 100
recall TPTP + FN times 100
F1 minus score 2lowastprecisionlowastRecallprecisionlowastRecall
times 100QUOTE Sensivity TP
TP + FNtimes 100
(13)
where TP is true positive FP is false positive TN is truenegative and FN is false negative
33 Results and Discussion e experiments were con-ducted using a real IoT based on cybersecurity network dataand three advanced artificial intelligence models namelyCNN LSTM and CNN-LSTM were proposed to classify theattacks from the IoT network dataset Experiments for de-veloping a robust IoT cybersecurity system for detectingintrusions have been presented e PSO method was ap-plied to deal with dimensionality reduction and improve theclassification process Among the 81 features we selected 21as the most significant features for processing the data todetect the intrusions It was noted that the proposed methodwas very robust when using the PSO method
e numbers of false positives false negatives true posi-tives and true negatives were reported using a confusion
matrix In this research we had to deal with big data (the totaldata were 625783 instances and the training data were 438048instances whereas the total testing was 187735 instances)Figure 9 shows the size of sample for training and testingTable 7 shows the results of the confusionmatrix obtained fromthe proposed system Figure 10 shows the confusion matrix ofthe proposed system and the confusion matrix of the com-bined CNN-LSTM model is presented in Figure 11
To validate the proposed system we divided thedataset into 70 training and 30 testing ree exper-iments were conducted using different algorithmsnamely CNN LSTM and CNN-LSTM to detect theintrusions Table 8 demonstrates the results of the pro-posed model and it was noted that the LSTM algorithmobtained a slightly higher accuracy compared with theCNN and CNN-LSTM models
From the evaluation of the deep learning models of thetwo classes of normal and attacks obtained from the
80 times 625783The
Original Preprocessing
PSO method
Dimensionality reduction
Convolution Convolution ConvolutionConvolutionMax pooling Max pooling20 times 625783
20 times 625783
LSTM LSTM LSTM LSTM LSTM LSTM
Flatten
Fully connected
ClassificationNormal Attacks
Figure 8 Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model
Complexity 11
confusion metrics the empirical results for the LSTMmodelshowed a slightly better performance the LSTM modelresults were 9884 9960 7772 9900 and 9882with respect to precision sensitivity specificity F1-scoreand accuracy respectively Overall the deep learning al-gorithms achieved optimal results for detecting intrusionsfrom the IoT network data Figure 12 displays the trainingloss of the deep learning algorithms it shows the rela-tionship between training loss and the number of epochs inthe proposed framework It was noted that training lossgradually decreased when the training loss increased andthe proposed system of 10 epochs was suitable e training
loss and number of epochs for the combined model arepresented in Figure 13
e proposed system was validated by dividing thedataset into 30 testing and the accuracy performancesof the CNN and LSTM algorithms are presented in Fig-ure 14 e performance of the combined CNN-LSTMmodel is presented in Figure 15 e three deep learningalgorithms performed differently when detecting intru-sions based on the IoT dataset e CNN algorithmachieved 96 accuracy and the LSTM achieved 98 ac-curacy whereas the combined CNN-LSTM modelattained 98 accuracy It was observed that the LSTM
Table 5 Experiment environment setup
Hardware EnvironmentOperation system Windows 10CPU I7Memory 8Development environment Jupyter Python 36
Table 6 Parameters of the proposed model
Parameters ValueParameter name ValueConvolutions filters 100Kernel size of filter 3Max pooling size 2Drop out 050Fully connected layer 256Activation function TanhClassification function SoftmaxOptimizer RSMpropEpochs 10Batch size 5000
438048
187735
Size
Size
Training Testing
Figure 9 Size of sample for training and testing
Table 7 Confusion matrices for the proposed framework in testing phase
Models TP TN FP FNCNN 171895 9512 2592 3736LSTM 174918 9101 3003 713CNN-LSTM 175059 9346 2758 572
12 Complexity
model was slightly better than the CNN and the combinedCNN-LSTM models Overall it was noted that bothclassifications achieved better results due to the datasethaving the highest dimensionality and we found that thesystem was able to handle this and improve the perfor-mance of systems
e proposed methodology was compared with researchwork that generated these data by Ullah et al [49] whoproposed a machine learning algorithm namely SVM andGaussian Naıve bays (NB) linear discriminant analysis
(LDA) and decision and random forest to detect intrusionfrom the IoT environment e ShapirondashWilk algorithmwas used to select the significant features from the entiredataset the LDA the decision tree the random forest andthe ensemble It was noted that 10 features were the mostsignificant features that enhanced the classification al-gorithm to attain good results ey used cross-validations3 5 and 10 to validate their results us we developed asystem based on deep learning algorithms to improve theaccuracy of detecting attacks e PSO method was
Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model (classes: Normal, Attack). Cells: true negative 9101 (4.85%), false positive 3003 (1.60%), false negative 713 (0.38%), true positive 174918 (93.17%).
Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model (classes: Normal, Attack). Cells in (a): true negative 9512 (5.07%), false positive 2592 (1.38%), false negative 3736 (1.99%), true positive 171895 (91.56%). Cells in (b): true positive 175059 (93.25%), false negative 572 (0.30%), true negative 9346 (4.98%), false positive 2758 (1.47%).
Table 8: Results of the proposed system for the validation phase

Model       Precision (%)   Sensitivity (%)   Specificity (%)   F1-score (%)   Accuracy (%)   Time (second)
CNN         98.40           99.0              77.20             98.70          96.60          80
LSTM        98.0            99.70             71.60             98.90          98.20          160
CNN-LSTM    98.40           99.20             77.40             98.80          98.0           80
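Added example (not code from the paper): the reported kinds of metric can be recomputed from the Table 7 testing-phase counts, next to the accuracy of a baseline that labels every flow as the majority class, which shows how much of the headline accuracy comes from class imbalance. The function and field names are illustrative, and treating "attack" as the positive class is an assumption.

```python
"""Recompute detection metrics from the Table 7 confusion-matrix counts."""
from dataclasses import dataclass, astuple

# Testing-phase counts copied from Table 7 of the paper.
# Assumption: "attack" is the positive class, "normal" the negative class.
TABLE_7 = {
    "CNN":      {"tp": 171895, "tn": 9512, "fp": 2592, "fn": 3736},
    "LSTM":     {"tp": 174918, "tn": 9101, "fp": 3003, "fn": 713},
    "CNN-LSTM": {"tp": 175059, "tn": 9346, "fp": 2758, "fn": 572},
}


@dataclass(frozen=True)
class Metrics:
    precision: float
    sensitivity: float        # recall on attack flows
    specificity: float        # recall on normal flows
    f1: float
    accuracy: float
    balanced_accuracy: float  # mean of sensitivity and specificity
    majority_baseline: float  # accuracy of always predicting the larger class
    false_alarm_rate: float   # share of normal flows flagged as attacks


def ratio(numerator: int, denominator: int) -> float:
    """Divide safely: an empty class yields 0.0 instead of an exception."""
    return numerator / denominator if denominator else 0.0


def evaluate(tp: int, tn: int, fp: int, fn: int) -> Metrics:
    """Derive all metrics for one binary confusion matrix."""
    if min(tp, tn, fp, fn) < 0:
        raise ValueError("confusion-matrix counts must be non-negative")
    total = tp + tn + fp + fn
    sensitivity = ratio(tp, tp + fn)
    specificity = ratio(tn, tn + fp)
    return Metrics(
        precision=ratio(tp, tp + fp),
        sensitivity=sensitivity,
        specificity=specificity,
        f1=ratio(2 * tp, 2 * tp + fp + fn),
        accuracy=ratio(tp + tn, total),
        balanced_accuracy=(sensitivity + specificity) / 2,
        majority_baseline=ratio(max(tp + fn, tn + fp), total),
        false_alarm_rate=ratio(fp, tn + fp),
    )


def evaluate_all(table=TABLE_7) -> dict:
    """Return {model name: Metrics} for every row of the table."""
    return {name: evaluate(**counts) for name, counts in table.items()}


if __name__ == "__main__":
    columns = ("prec", "sens", "spec", "F1", "acc", "bal.acc", "baseline", "FAR")
    print("{:<9}".format("model") + "".join("{:>9}".format(c) for c in columns))
    for name, metrics in evaluate_all().items():
        cells = "".join("{:>9.4f}".format(v) for v in astuple(metrics))
        print("{:<9}".format(name) + cells)
```

With these counts every model is scored on 175631 attack flows against 12104 normal flows, so specificity and the false-alarm rate describe behaviour on benign traffic that accuracy alone hides.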
Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model (x-axis: number of epochs; curves: training loss and validation loss).
Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model (x-axis: number of epochs; curves: training loss and validation loss).
Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model (x-axis: number of epochs; y-axis: accuracy; curves: training accuracy and validation accuracy).
considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine learning algorithms (see Figure 16).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric (bar chart over the models SVM, NB, LDA, decision tree, random forest, ensemble, and the proposed models; series: accuracy, precision, and F1-score).
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model (x-axis: number of epochs; y-axis: accuracy; curves: training accuracy and validation accuracy).
Table 9: Comparison of the proposed and existing model results

Algorithms                  Precision   Sensitivity   Specificity   F1-score   Accuracy   Time (second)
SVM                         55          -             -             37         40
Gaussian NB (naïve Bayes)   55          -             -             62         73
LDA                         71          -             -             62         70
Decision tree               85          -             -             88         88
Random forest               85          -             -             84         84
Ensemble                    87          -             -             87         87
CNN                         98.40       0.990         0.772         98.70      0.966      80
LSTM                        98.0        0.997         0.716         98.90      0.982      160
CNN-LSTM                    98.40       0.992         0.774         98.80      0.980      80
4. Conclusion

We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:

- The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge to developing the system.
- Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
- The experimental results of the proposed system were superior to those of the research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attacks and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, “Adaptive anomaly detection framework model objects in cyberspace,” Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, “Intelligent time series model to predict bandwidth utilization,” International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, “Big data for cybersecurity: vulnerability disclosure trends and dependencies,” Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, “MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning,” Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, “A comprehensive survey for intelligent spam email detection,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni et al., “Intelligent hybrid model to enhance time series models for predicting network traffic,” Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, “Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities,” Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, “Analysis of dimensionality reduction in intrusion detection,” International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, “Use of data visualisation for zero-day malware detection,” Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity theft detection in AMI using customers’ consumption patterns,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, “Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining,” in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, “Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid,” in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, “Decision tree and SVM-based data analytics for theft detection in smart grid,” Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, “Intrusion detection system for the detection of blackhole attacks in a smart grid,” in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, “Intrusion detection and prevention for ZigBee-based home area networks in smart grids,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, “Electricity theft detection in smart grid systems: a CNN-LSTM based approach,” Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang et al., “HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, “CNN and GRU based deep neural network for electricity theft detection to secure smart grid,” in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, “CNID: research of network intrusion detection based on convolutional neural network,” Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, “An intrusion detection model based on feature reduction and convolutional neural networks,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, “Wireless network intrusion detection based on improved convolutional neural network,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, “A review on intrusion detection techniques and intrusion detection systems in MANETs,” in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, “Intrusion detection systems in Internet of Things: a literature review,” in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, “A brief introduction to intrusion detection system,” in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, “An automata based intrusion detection method for internet of things,” Mobile Information Systems, vol. 2017, 2017, Article ID 1750637.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, “Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs,” in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, “Intrusion detection system for internet of things based on a machine learning approach,” in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, “Agent-based internet of things: state-of-the-art and research challenges,” Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection method for internet of things based on suppressed fuzzy clustering,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “DEMO: an IDS framework for internet of things empowered by 6LoWPAN,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, “Attack identification framework for IoT devices,” Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, “Internet of Things: a survey on machine learning-based intrusion detection approaches,” Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, “A reference model for internet of things middleware,” Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, “An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets,” Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, “Particle swarm optimization,” in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, “A hybrid network intrusion detection system using simplified swarm optimization (SSO),” Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, “The use of computational intelligence in intrusion detection systems: a review,” Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, “Water quality prediction using artificial intelligence algorithms,” Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, “Intrusion detection for IoT devices based on RF fingerprinting using deep learning,” in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, “Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network,” Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, “A scheme for generating a dataset for anomalous activity detection in IoT networks,” in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
confusion metrics, the empirical results for the LSTM model showed a slightly better performance; the LSTM model results were 98.84%, 99.60%, 77.72%, 99.00%, and 98.82% with respect to precision, sensitivity, specificity, F1-score, and accuracy, respectively. Overall, the deep learning algorithms achieved optimal results for detecting intrusions from the IoT network data. Figure 12 displays the training loss of the deep learning algorithms; it shows the relationship between training loss and the number of epochs in the proposed framework. It was noted that training loss gradually decreased when the training loss increased, and the proposed system of 10 epochs was suitable. The training loss and number of epochs for the combined model are presented in Figure 13.
[44] S X Wu and W Banzhaf ldquoe use of computational in-telligence in intrusion detection systems a reviewrdquo AppliedSoft Computing vol 10 no 1 pp 1ndash35 2010
[45] C D McDermott F Majdani and A V Petrovski ldquoBotnetdetection in the internet of things using deep learning ap-proachesrdquo in Proceedings of the 2018 International JointConference on Neural Networks (IJCNN) pp 1ndash8 [CrossRef]Rio de Janeiro Brazil July 2018
[46] T H H Aldhyani M Al-Yaari H Alkahtani and M MaashildquoWater quality prediction using artificial intelligence algo-rithmsrdquo Applied Bionics and Biomechanics vol 2020 ArticleID 6659314 2020
Complexity 17
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity
model was slightly better than the CNN and the combined CNN-LSTM models. Overall, it was noted that both classifications achieved better results due to the dataset having the highest dimensionality, and we found that the system was able to handle this and improve the performance of systems.
The proposed methodology was compared with the research work that generated these data, by Ullah et al. [49], who proposed machine learning algorithms, namely, SVM, Gaussian naïve Bayes (NB), linear discriminant analysis (LDA), decision tree, and random forest, to detect intrusion from the IoT environment. The Shapiro–Wilk algorithm was used to select the significant features from the entire dataset, the LDA, the decision tree, the random forest, and the ensemble. It was noted that 10 features were the most significant features that enhanced the classification algorithm to attain good results. They used cross-validations 3, 5, and 10 to validate their results. Thus, we developed a system based on deep learning algorithms to improve the accuracy of detecting attacks. The PSO method was
Figure 11: Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model. Cells: true negative 9101 (4.85%), false positive 3003 (1.60%), false negative 713 (0.38%), true positive 174918 (93.17%).
Figure 10: Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. (a) True negative 9512 (5.07%), false positive 2592 (1.38%), false negative 3736 (1.99%), true positive 171895 (91.56%). (b) True positive 175059 (93.25%), false negative 572 (0.30%), true negative 9346 (4.98%), false positive 2758 (1.47%).
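Table 8: Results of the proposed system for the validation phase.

| Model | Precision (%) | Sensitivity (%) | Specificity (%) | F1-score (%) | Accuracy (%) | Time (second) |
|---|---|---|---|---|---|---|
| CNN | 98.40 | 99.0 | 77.20 | 98.70 | 96.60 | 80 |
| LSTM | 98.0 | 99.70 | 71.60 | 98.90 | 98.20 | 160 |
| CNN-LSTM | 98.40 | 99.20 | 77.40 | 98.80 | 98.0 | 80 |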
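Table 8 reports accuracy alongside specificity, and the confusion matrices of Figures 10 and 11 show how strongly the validation set is skewed toward attack traffic. The following Python sketch is an added example, not code from the paper: it recomputes the metrics from the counts printed in those figures (attack taken as the positive class, as the figure labels indicate) and compares each model with a hypothetical baseline that labels every flow as an attack. The names `Confusion`, `metrics` and `always_attack` are illustrative assumptions.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Confusion:
    """Binary confusion matrix with 'attack' as the positive class."""
    tp: int  # attack flows flagged as attack
    fn: int  # attack flows missed
    tn: int  # normal flows passed as normal
    fp: int  # normal flows flagged as attack (false alarms)

    @property
    def total(self) -> int:
        return self.tp + self.fn + self.tn + self.fp


# Counts as printed in Figure 10 (CNN, LSTM) and Figure 11 (CNN-LSTM).
MATRICES = {
    "CNN": Confusion(tp=171895, fn=3736, tn=9512, fp=2592),
    "LSTM": Confusion(tp=175059, fn=572, tn=9346, fp=2758),
    "CNN-LSTM": Confusion(tp=174918, fn=713, tn=9101, fp=3003),
}


def _ratio(num: float, den: float) -> float:
    """Division that returns 0.0 when a metric is undefined (empty denominator)."""
    return num / den if den else 0.0


def metrics(c: Confusion) -> dict:
    """Standard IDS evaluation metrics derived from one confusion matrix."""
    precision = _ratio(c.tp, c.tp + c.fp)
    sensitivity = _ratio(c.tp, c.tp + c.fn)   # detection rate on attack flows
    specificity = _ratio(c.tn, c.tn + c.fp)   # share of normal flows left alone
    mcc_den = sqrt((c.tp + c.fp) * (c.tp + c.fn) * (c.tn + c.fp) * (c.tn + c.fn))
    return {
        "precision": precision,
        "sensitivity": sensitivity,
        "specificity": specificity,
        "f1": _ratio(2 * precision * sensitivity, precision + sensitivity),
        "accuracy": _ratio(c.tp + c.tn, c.total),
        # Fraction of benign traffic that raises an alert.
        "false_alarm_rate": _ratio(c.fp, c.fp + c.tn),
        # Mean of the per-class recalls; not inflated by class prevalence.
        "balanced_accuracy": (sensitivity + specificity) / 2,
        # Matthews correlation coefficient; 0.0 for a constant classifier.
        "mcc": _ratio(c.tp * c.tn - c.fp * c.fn, mcc_den),
    }


def always_attack(c: Confusion) -> Confusion:
    """Hypothetical baseline: the same flows, every one labelled 'attack'."""
    return Confusion(tp=c.tp + c.fn, fn=0, tn=0, fp=c.tn + c.fp)


def report() -> list:
    """One formatted row per model, plus the constant baseline."""
    rows = []
    entries = dict(MATRICES)
    entries["always-attack"] = always_attack(MATRICES["CNN"])
    for name, c in entries.items():
        m = metrics(c)
        rows.append(
            f"{name:14s} acc={m['accuracy']:.4f} spec={m['specificity']:.4f} "
            f"false-alarm={m['false_alarm_rate']:.4f} "
            f"bal-acc={m['balanced_accuracy']:.4f} mcc={m['mcc']:.4f}"
        )
    return rows


if __name__ == "__main__":
    for line in report():
        print(line)
```

The accuracy column alone barely separates the trained models from the constant baseline; the false-alarm rate, balanced accuracy and MCC are the figures to compare when normal traffic is the minority class.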
Figure 12: Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model. [Plots: training loss and validation loss against the number of epochs, 2 to 10.]
Figure 13: Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model. [Plot: training loss and validation loss against the number of epochs, 2 to 10.]
Figure 14: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plots: training accuracy and validation accuracy against the number of epochs, 2 to 10.]
considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine learning algorithms (see Figure 16).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. [Bar chart, scale 0 to 100, of accuracy, precision, and F1-score for the models SVM, NB, LDA, decision tree, random forest, ensemble, proposed model (LSTM), proposed model (LSTM), and proposed model (CNN-LSTM).]
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plot: training accuracy and validation accuracy against the number of epochs, 2 to 10.]
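Table 9: Comparison of the proposed and existing model results.

| Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second) |
|---|---|---|---|---|---|---|
| SVM | 55 | - | - | 37 | 40 | |
| Gaussian NB (naïve Bayes) | 55 | - | - | 62 | 73 | |
| LDA | 71 | | | 62 | 70 | |
| Decision tree | 85 | | | 88 | 88 | |
| Random forest | 85 | | | 84 | 84 | |
| Ensemble | 87 | | | 87 | 87 | |
| CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80 |
| LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160 |
| CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80 |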
4. Conclusion
We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computation intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:
The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge in developing the system.
Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
The experimental results of the proposed system were superior to those of the research article that generated the dataset, and the proposed model, with its robustness and efficiency, will be implemented in our university IoT infrastructure.
Data Availability
The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attack and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H. Alkahtani, T. H. H. Aldhyani, and M. Al-Yaari, “Adaptive anomaly detection framework model objects in cyberspace,” Applied Bionics and Biomechanics, vol. 6660489, p. 14, 2020.
[2] T. Aldhyani and M. Joshi, “Intelligent time series model to predict bandwidth utilization,” International Journal of Advanced Computer Science and Applications, vol. 14, pp. 130–141, 2017.
[3] M. Tang, M. Alazab, and Y. Luo, “Big data for cybersecurity: vulnerability disclosure trends and dependencies,” Institute of Electrical and Electronics Engineers Transactions on Big Data, vol. 5, no. 3, pp. 317–329, 2019.
[4] D. Vasan, M. Alazab, S. Venkatraman, J. Akram, and Z. Qin, “MTHAEL: cross-architecture IoT malware detection based on neural network advanced ensemble learning,” Institute of Electrical and Electronics Engineers Transactions on Computers, vol. 69, no. 11, pp. 1654–1667, 2020.
[5] A. Karim, S. Azam, B. Shanmugam, K. Kannoorpatti, and M. Alazab, “A comprehensive survey for intelligent spam email detection,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 168261–168295, 2019.
[6] T. H. H. Aldhyani, M. Alrasheedi, M. Y. Alzahrani, A. M. Bamhdi, A. A. Alqarni, et al., “Intelligent hybrid model to enhance time series models for predicting network traffic,” Institute of Electrical and Electronics Engineers Access, vol. 8, pp. 130431–130451, 2020.
[7] G. Press, Internet of Things by the Numbers: What New Surveys Found, Springer, Berlin, Germany, 2018.
[8] V. Danish, M. Alazab, W. Sobia, N. Hamad, S. Babak, and Q. Zheng, “IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, Article ID 107138, 2020.
[9] M. Alazab, K. Lakshmanna, G. Thippa Reddy, Q.-V. Pham, and P. K. R. Maddikunta, “Multi-objective cluster head selection using fitness averaged rider optimization algorithm for IoT networks in smart cities,” Sustainable Energy Technologies and Assessments, vol. 43, 2021, ISSN 2213-1388, Article ID 100973.
[10] M. Joshi and T. H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” p. 23, 2015, https://arxiv.org/abs/1507.05722.
[11] T. Aldhyani and M. Joshi, “Analysis of dimensionality reduction in intrusion detection,” International Journal of Computational Intelligence and Informatics, vol. 4, no. 3, pp. 199–206, 2014.
[12] I. V. Sitalakshm and M. Alazab, “Use of data visualisation for zero-day malware detection,” Security and Communication Networks, vol. 1728303, p. 13, 2018.
[13] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity theft detection in AMI using customers’ consumption patterns,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 7, pp. 216–226, 2017.
[14] F. A. A. Alseiari and Z. Aung, “Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining,” in Proceedings of the International Conference on Smart Grid & Clean Energy Technologies, Offenburg, Germany, October 2015.
[15] R. Vijayanand, D. Devaraj, and B. Kannapiran, “Support vector machine based intrusion detection system with reduced input features for advanced metering infrastructure of smart grid,” in Proceedings of the 4th International Conference on Advanced Computing and Communication Systems, Coimbatore, India, January 2017.
[16] A. Jindal, A. Dua, K. Kaur, M. Singh, N. Kumar, and S. Mishra, “Decision tree and SVM-based data analytics for theft detection in smart grid,” Institute of Electrical and Electronics Engineers Transactions on Industrial Informatics, vol. 12, no. 3, pp. 1005–1016, 2016.
[17] N. Boumkheld, M. Ghogho, and M. E. Koutbi, “Intrusion detection system for the detection of blackhole attacks in a smart grid,” in Proceedings of the 4th International Symposium on Computational and Business Intelligence, Olten, Switzerland, September 2016.
[18] P. Jokar and V. Leung, “Intrusion detection and prevention for ZigBee-based home area networks in smart grids,” Institute of Electrical and Electronics Engineers Transactions on Smart Grid, vol. 9, pp. 1800–1811, 2016.
[19] M. N. Hasan, R. N. Toma, A.-A. Nahid, M. M. M. Islam, and J.-M. Kim, “Electricity theft detection in smart grid systems: a CNN-LSTM based approach,” Energies, vol. 12, no. 17, p. 3310, 2019.
[20] W. Wang, Y. Sheng, J. Wang, et al., “HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” Institute of Electrical and Electronics Engineers Access, vol. 6, pp. 1792–1806, 2018.
[21] R. Vinayakumar, K. P. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proceedings of the International Conference on Advances in Computing, Communications and Informatics, Karnataka, India, September 2017.
[22] A. Ullah, N. Javaid, and S. Omaji, “CNN and GRU based deep neural network for electricity theft detection to secure smart grid,” in Proceedings of the 2020 International Wireless Communications and Mobile Computing, Limassol, Cyprus, June 2020.
[23] G. Liu and J. Zhang, “CNID: research of network intrusion detection based on convolutional neural network,” Discrete Dynamics in Nature and Society, vol. 2020, 11 pages, 2020.
[24] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, “An intrusion detection model based on feature reduction and convolutional neural networks,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 42210–42219, 2019.
[25] H. Yang and F. Wang, “Wireless network intrusion detection based on improved convolutional neural network,” Institute of Electrical and Electronics Engineers Access, vol. 7, pp. 64366–64374, 2019.
[26] S. S. Chakravarthi and S. Veluru, “A review on intrusion detection techniques and intrusion detection systems in MANETs,” in Proceedings of the International Conference on Computational Intelligence and Communication Networks, Bhopal, India, November 2014.
[27] L. Santos, C. Rabadao, and R. Goncalves, “Intrusion detection systems in Internet of Things: a literature review,” in Proceedings of the 13th Iberian Conference on Information Systems and Technologies (Cisti), Caceres, Spain, June 2018.
[28] A. B. Mohamed, N. B. Idris, and B. Shanmugum, “A brief introduction to intrusion detection system,” in Proceedings of the Trends in Intelligent Robotics, Automation, and Manufacturing, Proceedings of the IRAM 2012, Communications in Computer and Information Science, Kuala Lumpur, Malaysia, November 2012.
[29] S. G. Ponnambalam, J. Parkkinen, and K. C. Ramanathan, Eds., in Proceedings of the International Conference on Intelligent Robotics, Automation and Manufacturing, vol. 330, Springer, Kuala Lumpur, Malaysia, November 2012.
[30] Y. Fu, Z. Yan, J. Cao, O. Kone, and X. Cao, “An automata based intrusion detection method for internet of things,” Mobile Information Systems, vol. 2017, 2017, Article ID 1750637.
[31] A. Kapitonov, S. Lonshakov, A. Krupenkin, and I. Berman, “Blockchain-based protocol of autonomous business activity for multi-agent systems consisting of UAVs,” in Proceedings of the Workshop on Research, Education and Development of Unmanned Aerial Systems (RED-UAS), pp. 84–89, Linkoping, Sweden, October 2017.
[32] C. Liang, B. Shanmugam, S. Azam, M. Jonkman, F. D. Boer, and G. Narayansamy, “Intrusion detection system for internet of things based on a machine learning approach,” in Proceedings of the International Conference on Vision towards Emerging Trends in Communication and Networking (ViTECoN), pp. 1–6, Vellore, India, March 2019.
[33] C. Savaglio, G. Fortino, M. Ganzha, M. Paprzycki, C. Badica, and M. Ivanovic, “Agent-based internet of things: state-of-the-art and research challenges,” Future Generation Computer Systems, vol. 102, 2019.
[34] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection method for internet of things based on suppressed fuzzy clustering,” EURASIP Journal on Wireless Communications and Networking, vol. 2018, p. 113, 2018.
[35] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “DEMO: an IDS framework for internet of things empowered by 6LoWPAN,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, November 2013.
[36] J. M. R. Danda and C. Hota, “Attack identification framework for IoT devices,” Advances in Intelligent Systems and Computing, in Information Systems Design and Intelligent Applications, Springer India, New Delhi, India, pp. 505–513, 2016.
[37] K. A. P. Da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. De Albuquerque, “Internet of Things: a survey on machine learning-based intrusion detection approaches,” Computer Networks, vol. 151, pp. 147–157, 2019.
[38] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018.
[39] M. A. A. Da Cruz, J. J. P. C. Rodrigues, J. Al-Muhtadi, V. V. Korotaev, and V. H. C. De Albuquerque, “A reference model for internet of things middleware,” Institute of Electrical and Electronics Engineers Internet of Things Journal, vol. 5, no. 2, pp. 871–883, 2018.
[40] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of (battlefield) things devices using deep eigenspace learning,” Institute of Electrical and Electronics Engineers Transactions on Sustainable Computing, vol. 4, pp. 88–95, 2018.
[41] X. Larriva-Novo, V. A. Villagra, M. Vega-Barbas, D. Rivera, and M. Sanz Rodrigo, “An IoT-focused intrusion detection system approach based on preprocessing characterization for cybersecurity datasets,” Sensors, vol. 21, no. 2, p. 656, 2021.
[42] J. Kennedy and R. C. Eberhart, “Particle swarm optimization,” in Proceedings of the IEEE Int. Conf. Neural Networks, pp. 1942–1948, Perth, Australia, November 1995.
[43] Y. Y. Chung and N. Wahid, “A hybrid network intrusion detection system using simplified swarm optimization (SSO),” Applied Soft Computing, vol. 12, no. 9, pp. 3014–3022, 2012.
[44] S. X. Wu and W. Banzhaf, “The use of computational intelligence in intrusion detection systems: a review,” Applied Soft Computing, vol. 10, no. 1, pp. 1–35, 2010.
[45] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” in Proceedings of the 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, Rio de Janeiro, Brazil, July 2018.
[46] T. H. H. Aldhyani, M. Al-Yaari, H. Alkahtani, and M. Maashi, “Water quality prediction using artificial intelligence algorithms,” Applied Bionics and Biomechanics, vol. 2020, Article ID 6659314, 2020.
[47] J. Bassey, D. Adesina, X. Li, L. Qian, A. Aved, and T. Kroecker, “Intrusion detection for IoT devices based on RF fingerprinting using deep learning,” in Proceedings of the 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC), pp. 98–104, Rome, Italy, June 2019.
[48] T. Al-Mughanam, T. H. H. Aldhyani, B. Alsubari, and M. Al-Yaari, “Modeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ash using artificial neural network,” Sustainability, vol. 12, no. 22, Article ID 9322, 2020.
[49] I. Ullah and Q. H. Mahmoud, “A scheme for generating a dataset for anomalous activity detection in IoT networks,” in Advances in Artificial Intelligence, Canadian AI 2020, Lecture Notes in Computer Science, C. Goutte and X. Zhu, Eds., vol. 12109, Berlin, Germany, Springer, 2020.
[42] J Kennedy and R C Eberhart ldquoParticle swarm optimiza-tionrdquo in Proceedings of the IEEE Int Conf Neural Networkspp 1942ndash1948 Perth Australia November 1995
[43] Y Y Chung and N Wahid ldquoA hybrid network intrusiondetection system using simplified swarm optimization (SSO)rdquoApplied Soft Computing vol 12 no 9 pp 3014ndash3022 2012
[44] S X Wu and W Banzhaf ldquoe use of computational in-telligence in intrusion detection systems a reviewrdquo AppliedSoft Computing vol 10 no 1 pp 1ndash35 2010
[45] C D McDermott F Majdani and A V Petrovski ldquoBotnetdetection in the internet of things using deep learning ap-proachesrdquo in Proceedings of the 2018 International JointConference on Neural Networks (IJCNN) pp 1ndash8 [CrossRef]Rio de Janeiro Brazil July 2018
[46] T H H Aldhyani M Al-Yaari H Alkahtani and M MaashildquoWater quality prediction using artificial intelligence algo-rithmsrdquo Applied Bionics and Biomechanics vol 2020 ArticleID 6659314 2020
Complexity 17
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity
considered to handle imbalanced data for obtaining significant subset features. We found that our system improved the effectiveness of detecting cyberattacks based on the IoT environment. Table 9 compares the performances of our proposed systems with data from previous studies. The proposed framework yielded superior detection accuracy compared with other machine algorithms (see Figure 16).
Figure 16: Comparison of the proposed system against the existing system in terms of accuracy metric. [Bar chart: accuracy, precision, and F1-score (0 to 100) per model for SVM, NB, LDA, decision tree, random forest, ensemble, and the proposed models.]
Figure 15: Performance of the proposed models: (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM) model. [Plot: training accuracy and validation accuracy against number of epochs.]
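Table 9: Comparison of the proposed and existing model results.

| Algorithms | Precision | Sensitivity | Specificity | F1-score | Accuracy | Time (second) |
|---|---|---|---|---|---|---|
| SVM | 55 | - | - | 37 | 40 | - |
| Gaussian NB (Naïve Bayes) | 55 | - | - | 62 | 73 | - |
| LDA | 71 | - | - | 62 | 70 | - |
| Decision tree | 85 | - | - | 88 | 88 | - |
| Random forest | 85 | - | - | 84 | 84 | - |
| Ensemble | 87 | - | - | 87 | 87 | - |
| CNN | 98.40 | 0.990 | 0.772 | 98.70 | 0.966 | 80 |
| LSTM | 98.0 | 0.997 | 0.716 | 98.90 | 0.982 | 160 |
| CNN-LSTM | 98.40 | 0.992 | 0.774 | 98.80 | 0.980 | 80 |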
4. Conclusion

We presented the implementation and evaluation of a proposed framework to detect intrusions based on IoT infrastructure. We developed a robust system using advanced artificial intelligence algorithms, namely, CNN, LSTM, and combined CNN-LSTM. For computational intelligence, PSO was employed to derive subset features from the entire dataset. The selected subset features were processed using a classification algorithm. We made the following conclusions:

- The novel proposed system was evaluated and developed using a new real standard dataset generated from the IoT environment. This was a big challenge in developing the system.
- Advanced deep learning algorithms, namely, CNN, LSTM, and CNN-LSTM, were applied for the automatic classification of the intrusions.
- The experimental results of the proposed system were superior to a research article that generated the dataset, and the robustness and efficiency of the proposed model will be implemented in our university IoT infrastructure.
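The pipeline summarized in this conclusion (PSO picks a feature subset, a classifier then scores it) can be sketched as follows. This is an added example, not the authors' code: it assumes the binary PSO variant with a sigmoid transfer function, a nearest-centroid classifier standing in for the CNN/LSTM models, and constructed six-feature flow records rather than IoTID20; all function names and parameter values are hypothetical.

```python
import math
import random

N_FEATURES = 6
INFORMATIVE = (0, 3)  # constructed: only these two columns differ between classes


def make_flows(n, rng):
    """Constructed flow records (not IoTID20): label 1 = attack, 0 = normal."""
    rows, labels = [], []
    for i in range(n):
        y = i % 2
        x = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        for j in INFORMATIVE:
            x[j] += 3.0 * y  # shift the informative columns for attack flows
        rows.append(x)
        labels.append(y)
    return rows, labels


def centroid_accuracy(mask, train, val):
    """Accuracy of a nearest-centroid classifier restricted to the masked columns."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0  # an empty feature subset cannot classify anything
    (xtr, ytr), (xva, yva) = train, val
    cents = {}
    for cls in (0, 1):
        members = [x for x, y in zip(xtr, ytr) if y == cls]
        cents[cls] = [sum(x[j] for x in members) / len(members) for j in cols]
    hits = 0
    for x, y in zip(xva, yva):
        dist = {c: sum((x[j] - m) ** 2 for j, m in zip(cols, cents[c])) for c in cents}
        hits += (min(dist, key=dist.get) == y)
    return hits / len(yva)


def fitness(mask, train, val, penalty=0.01):
    """Wrapper fitness: validation accuracy minus a cost per selected feature."""
    return centroid_accuracy(mask, train, val) - penalty * sum(mask)


def binary_pso(train, val, particles=12, iters=30, seed=7,
               w=0.7, c1=1.5, c2=1.5, vmax=4.0):
    rng = random.Random(seed)
    # One particle starts as "all features", so the result is never worse
    # than skipping feature selection altogether.
    pos = [[1] * N_FEATURES] + [[rng.randint(0, 1) for _ in range(N_FEATURES)]
                                for _ in range(particles - 1)]
    vel = [[0.0] * N_FEATURES for _ in range(particles)]
    pbest = [p[:] for p in pos]
    pbest_fit = [fitness(p, train, val) for p in pos]
    g = max(range(particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    for _ in range(iters):
        for i in range(particles):
            for j in range(N_FEATURES):
                v = (w * vel[i][j]
                     + c1 * rng.random() * (pbest[i][j] - pos[i][j])
                     + c2 * rng.random() * (gbest[j] - pos[i][j]))
                vel[i][j] = max(-vmax, min(vmax, v))  # clamp to keep exp() bounded
                # Sigmoid transfer: velocity becomes the probability that the bit is 1.
                prob_one = 1.0 / (1.0 + math.exp(-vel[i][j]))
                pos[i][j] = 1 if rng.random() < prob_one else 0
            f = fitness(pos[i], train, val)
            if f > pbest_fit[i]:
                pbest[i], pbest_fit[i] = pos[i][:], f
                if f > gbest_fit:
                    gbest, gbest_fit = pos[i][:], f
    return gbest, gbest_fit


def run_demo():
    """Return (selected mask, its fitness, fitness of the all-features mask)."""
    rng = random.Random(2021)
    train = make_flows(200, rng)
    val = make_flows(100, rng)
    mask, fit = binary_pso(train, val)
    return mask, fit, fitness([1] * N_FEATURES, train, val)


if __name__ == "__main__":
    mask, fit, baseline = run_demo()
    print("selected mask:", mask)
    print("fitness:", round(fit, 3), "all-features fitness:", round(baseline, 3))
```

The mask is chosen on the validation split, so the detection rate reported for the final model should be measured on a third split that the search never saw.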
Data Availability

The IoTID20 dataset supporting the study was obtained from Kaggle: https://sites.google.com/view/iot-network-intrusion-dataset/home. The newly developed IoTID20 dataset was adopted from Pcap files available online. The dataset contained 80 features and two main labels, attack and normal. The IoTID20 dataset attack was generated in 2020. Figure 2 shows the IoT environment of the generated IoTID20 dataset. Table 1 displays all the types of IoTID20 dataset attacks, and the numbers of features for each class label are presented in Figure 4.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The authors extend their appreciation to the Deanship of Scientific Research at King Faisal University for funding this research work and APC through the project number no. 206068.
References
[1] H Alkahtani T H H Aldhyani and M Al-Yaari ldquoAdaptiveanomaly detection framework model objects in cyberspacerdquoApplied Bionics and Biomechanics vol 6660489 p 14 2020
[2] T Aldhyani and M Joshi ldquoIntelligent time series model topredict bandwidth utilizationrdquo International Journal of Ad-vanced Computer Science and Applications vol 14 pp 130ndash141 2017
[3] M Tang M Alazab and Y Luo ldquoBig data for cybersecurityvulnerability disclosure trends and dependenciesrdquo Institute of
Electrical and Electronics Engineers Transactions on Big Datavol 5 no 3 pp 317ndash329 2019
[4] D Vasan M Alazab S Venkatraman J Akram and Z QinldquoMTHAEL cross-architecture IoT malware detection basedon neural network advanced ensemble learningrdquo Institute ofElectrical and Electronics Engineers Transactions on Com-puters vol 69 no 11 pp 1654ndash1667 2020
[5] A Karim S Azam B Shanmugam K Kannoorpatti andM Alazab ldquoA comprehensive survey for intelligent spamemail detectionrdquo Institute of Electrical and Electronics Engi-neers Access vol 7 pp 168261ndash168295 2019
[6] T H H Aldhyani M Alrasheedi M Y AlzahraniA M Bamhdi A A Alqarni et al ldquoIntelligent hybrid modelto enhance time series models for predicting network trafficrdquoInstitute of Electrical and Electronics Engineers Access vol 8pp 130431ndash130451 2020
[7] G Press Internet of6ings by the NumbersWhat New SurveysFound Springer Berlin Germany 2018
[8] V Danish M Alazab W Sobia N Hamad S Babak andQ Zheng ldquoIMCFN Image-based malware classification usingfine-tuned convolutional neural network architecturerdquoComputer Networks vol 171 Article ID 107138 2020
[9] M Alazab K Lakshmanna G ippa Reddy Q-V Phamand P K R Maddikunta ldquoMulti-objective cluster head se-lection using fitness averaged rider optimization algorithm forIoTnetworks in smart citiesrdquo Sustainable Energy Technologiesand Assessments vol 43 2021 ISSN 2213-1388 Article ID100973
[10] M Joshi and T H Hadi ldquoA Review of Network TrafficAnalysis and Prediction Techniquesrdquo p 23 2015 httpsarxivorgabs150705722
[11] T Aldhyani and M Joshi ldquoAnalysis of dimensionality re-duction in intrusion detectionrdquo International Journal ofComputational Intelligence and Informatics vol 4 no 3pp 199ndash206 2014
[12] I V Sitalakshm and M Alazab ldquoUse of data visualisation forzero-day malware detectionrdquo Security and CommunicationNetworks vol 1728303 p 13 2018
[13] P Jokar N Arianpoo and V C M Leung ldquoElectricity theftdetection in AMI using customersrsquo consumption patternsrdquoInstitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 7 pp 216ndash226 2017
[14] F A A Alseiari and Z Aung ldquoReal-time anomaly-baseddistributed intrusion detection systems for advancedMetering Infrastructure utilizing stream data miningrdquo inProceedings of the International Conference on Smart Grid ampClean Energy Technologies Offenburg Germany October2015
[15] R Vijayanand D Devaraj and B Kannapiran ldquoSupportvector machine based intrusion detection system with re-duced input featuresfor advanced metering infrastructure ofsmart gridrdquo in Proceedings of the 4th International Conferenceon Advanced Computing and Communication SystemsCoimbatore India January 2017
[16] A Jindal A Dua K Kaur M Singh N Kumar andS Mishra ldquoDecision tree and SVM-based data analytics fortheft detection in smart gridrdquo Institute of Electrical andElectronics Engineers Transactions on Industrial Informaticsvol 12 no 3 pp 1005ndash1016 2016
[17] N Boumkheld M Ghogho and M E Koutbi ldquoIntrusiondetection system for the detection of blackhole attacks in asmart gridrdquo in Proceedings of the 4th International Symposiumon Computational and Business Intelligence Olten Switzer-land September 2016
16 Complexity
[18] P Jokar and V Leung ldquoIntrusion detection and preventionfor ZigBee-based home area networks in smart gridsrdquo In-stitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 9 pp 1800ndash1811 2016 [CrossRef]
[19] M N Hasan R N Toma A-A Nahid M M M Islam andJ-M Kim ldquoElectricity theft detection in smart grid systems aCNN-LSTM based approachrdquo Energies vol 12 no 17p 3310 2019 [CrossRef]
[20] W Wang Y Sheng J Wang et al ldquoHAST-IDS learninghierarchical spatial-temporal features using deep neuralnetworks to improve intrusion detectionrdquo Institute of Elec-trical and Electronics Engineers Access vol 6 pp 1792ndash18062018 [CrossRef]
[21] R Vinayakumar K P Soman and P PoornachandranldquoApplying convolutional neural network for network intru-sion detectionrdquo in Proceedings of the International Conferenceon Advances in Computing Communications and InformaticsKarnataka India September 2017
[22] A Ullah N Javaid and S Omaji ldquoCNN and GRU based deepneural network for electricity theft detection to secure smart gridrdquoin Proceedings of the 2020 InternationalWireless Communicationsand Mobile Computing Limassol Cyprus June 2020
[23] G Liu and J Zhang ldquoCNID research of network intrusiondetection based on convolutional neural networkrdquo DiscreteDynamics in Nature and Society vol 202011 pages 2020[CrossRef]
[24] Y Xiao C Xing T Zhang and Z Zhao ldquoAn intrusion de-tection model based on feature reduction and convolutionalneural networksrdquo Institute of Electrical and Electronics En-gineers Access vol 7 pp 42210ndash42219 2019 [CrossRef]
[25] H Yang and F Wang ldquoWireless network intrusion detectionbased on improved convolutional neural networkrdquo Instituteof Electrical and Electronics Engineers Access vol 7pp 64366ndash64374 2019 [CrossRef]
[26] S S Chakravarthi and S Veluru ldquoA review on intrusiondetection techniques and intrusion detection systems inMANETsrdquo in Proceedings of the International Conference onComputational Intelligence and Communication NetworksBhopal India November 2014
[27] L Santos C Rabadao and R Goncalves ldquoIntrusion detectionsystems in Internet of ings a literature reviewrdquo in Pro-ceedings of the 13th Iberian Conference on Information Systemsand Technologies (Cisti) Caceres Spain June 2018
[28] A B Mohamed N B Idris and B Shanmugum ldquoA briefintroduction to intrusion detection systemrdquo in Proceedings ofthe Trends in Intelligent Robotics Automation andManufacturing Proceedings of the IRAM 2012 Communi-cations in Computer and Information Science Kuala LumpurMalaysia November 2012
[29] S G Ponnambalam J Parkkinen and K C RamanathanEds in Proceedings of the International Conference on In-telligent Robotics Automation and Manufacturing vol 330Springer Kuala Lumpur Malaysia November 2012
[30] Y Fu Z Yan J Cao O Kone and X Cao ldquoAn automatabased intrusion detection method for internet of thingsrdquoMobile Information Systems vol 2017 2017 [CrossRef] Ar-ticle ID 1750637
[31] A Kapitonov S Lonshakov A Krupenkin and I BermanldquoBlockchain-based protocol of autonomous business activityformulti-agent systems consisting of UAVsrdquo in Proceedings oftheWorkshop on Research Education and Development ofUnmanned Aerial Systems (RED-UAS) pp 84ndash89 [CrossRef]Linkoping Sweden October 2017
[32] C Liang B Shanmugam S Azam M Jonkman F D Boerand G Narayansamy ldquoIntrusion detection system for internetof things based on a machine learning approachrdquo in Pro-ceedings of the International Conference on Vision towardsEmerging Trends in Communication and Networking (ViTE-CoN) pp 1ndash6 [CrossRef] Vellore India March 2019
[33] C Savaglio G Fortino M Ganzha M Paprzycki C Badicaand M Ivanovic ldquoAgent-based internet of things state-of-the-art and research challengesrdquo Future Generation ComputerSystems vol 102 2019 [CrossRef]
[34] L Liu B Xu X Zhang and X Wu ldquoAn intrusion detectionmethod for internet of things based on suppressed fuzzyclusteringrdquo EURASIP Journal on Wireless Communicationsand Networking vol 2018 p 113 2018 [CrossRef]
[35] P Kasinathan G Costamagna H Khaleel C Pastrone andM A Spirito ldquoDEMO an IDS framework for internet ofthings empowered by 6LoWPANrdquo in Proceedings of the 2013ACM SIGSAC Conference on Computer amp CommunicationsSecurity Berlin Germany November 2013
[36] J M R Danda and C Hota ldquoAttack identification frameworkfor IoT devicesrdquo Advances in Intelligent Systems and Com-puting In Information Systems Design and Intelligent Appli-cations Springer India New Delhi India pp 505ndash513 2016
[37] K A P Da Costa J P Papa C O Lisboa R Munoz andV H C De Albuquerque ldquoInternet of ings a survey onmachine learning-based intrusion detection approachesrdquoComputer Networks vol 151 pp 147ndash157 2019 [CrossRef]
[38] A A Diro and N Chilamkurti ldquoDistributed attack detectionscheme using deep learning approach for Internet of ingsrdquoFuture Generation Computer Systems vol 82 pp 761ndash7682018 [CrossRef]
[39] M A A Da Cruz J J P C Rodrigues J Al-MuhtadiV V Korotaev and V H C De Albuquerque ldquoA referencemodel for internet of things middlewarerdquo Institute of Elec-trical and Electronics Engineers Internet of 6ings Journalvol 5 no 2 pp 871ndash883 2018 [CrossRef]
[40] A Azmoodeh A Dehghantanha and K-K R Choo ldquoRobustmalware detection for internet of (battlefield) things devicesusing deep eigenspace learningrdquo Institute of Electrical andElectronics Engineers Transactions on Sustainable Computingvol 4 pp 88ndash95 2018 [CrossRef]
[41] X Larriva-Novo V A Villagra M Vega-Barbas D Riveraand M Sanz Rodrigo ldquoAn IoT-focused intrusion detectionsystem approach based on preprocessing characterization forcybersecurity datasetsrdquo Sensors vol 21 no 2 p 656 2021
[42] J Kennedy and R C Eberhart ldquoParticle swarm optimiza-tionrdquo in Proceedings of the IEEE Int Conf Neural Networkspp 1942ndash1948 Perth Australia November 1995
[43] Y Y Chung and N Wahid ldquoA hybrid network intrusiondetection system using simplified swarm optimization (SSO)rdquoApplied Soft Computing vol 12 no 9 pp 3014ndash3022 2012
[44] S X Wu and W Banzhaf ldquoe use of computational in-telligence in intrusion detection systems a reviewrdquo AppliedSoft Computing vol 10 no 1 pp 1ndash35 2010
[45] C D McDermott F Majdani and A V Petrovski ldquoBotnetdetection in the internet of things using deep learning ap-proachesrdquo in Proceedings of the 2018 International JointConference on Neural Networks (IJCNN) pp 1ndash8 [CrossRef]Rio de Janeiro Brazil July 2018
[46] T H H Aldhyani M Al-Yaari H Alkahtani and M MaashildquoWater quality prediction using artificial intelligence algo-rithmsrdquo Applied Bionics and Biomechanics vol 2020 ArticleID 6659314 2020
Complexity 17
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity
[30] Y Fu Z Yan J Cao O Kone and X Cao ldquoAn automatabased intrusion detection method for internet of thingsrdquoMobile Information Systems vol 2017 2017 [CrossRef] Ar-ticle ID 1750637
[31] A Kapitonov S Lonshakov A Krupenkin and I BermanldquoBlockchain-based protocol of autonomous business activityformulti-agent systems consisting of UAVsrdquo in Proceedings oftheWorkshop on Research Education and Development ofUnmanned Aerial Systems (RED-UAS) pp 84ndash89 [CrossRef]Linkoping Sweden October 2017
[32] C Liang B Shanmugam S Azam M Jonkman F D Boerand G Narayansamy ldquoIntrusion detection system for internetof things based on a machine learning approachrdquo in Pro-ceedings of the International Conference on Vision towardsEmerging Trends in Communication and Networking (ViTE-CoN) pp 1ndash6 [CrossRef] Vellore India March 2019
[33] C Savaglio G Fortino M Ganzha M Paprzycki C Badicaand M Ivanovic ldquoAgent-based internet of things state-of-the-art and research challengesrdquo Future Generation ComputerSystems vol 102 2019 [CrossRef]
[34] L Liu B Xu X Zhang and X Wu ldquoAn intrusion detectionmethod for internet of things based on suppressed fuzzyclusteringrdquo EURASIP Journal on Wireless Communicationsand Networking vol 2018 p 113 2018 [CrossRef]
[35] P Kasinathan G Costamagna H Khaleel C Pastrone andM A Spirito ldquoDEMO an IDS framework for internet ofthings empowered by 6LoWPANrdquo in Proceedings of the 2013ACM SIGSAC Conference on Computer amp CommunicationsSecurity Berlin Germany November 2013
[36] J M R Danda and C Hota ldquoAttack identification frameworkfor IoT devicesrdquo Advances in Intelligent Systems and Com-puting In Information Systems Design and Intelligent Appli-cations Springer India New Delhi India pp 505ndash513 2016
[37] K A P Da Costa J P Papa C O Lisboa R Munoz andV H C De Albuquerque ldquoInternet of ings a survey onmachine learning-based intrusion detection approachesrdquoComputer Networks vol 151 pp 147ndash157 2019 [CrossRef]
[38] A A Diro and N Chilamkurti ldquoDistributed attack detectionscheme using deep learning approach for Internet of ingsrdquoFuture Generation Computer Systems vol 82 pp 761ndash7682018 [CrossRef]
[39] M A A Da Cruz J J P C Rodrigues J Al-MuhtadiV V Korotaev and V H C De Albuquerque ldquoA referencemodel for internet of things middlewarerdquo Institute of Elec-trical and Electronics Engineers Internet of 6ings Journalvol 5 no 2 pp 871ndash883 2018 [CrossRef]
[40] A Azmoodeh A Dehghantanha and K-K R Choo ldquoRobustmalware detection for internet of (battlefield) things devicesusing deep eigenspace learningrdquo Institute of Electrical andElectronics Engineers Transactions on Sustainable Computingvol 4 pp 88ndash95 2018 [CrossRef]
[41] X Larriva-Novo V A Villagra M Vega-Barbas D Riveraand M Sanz Rodrigo ldquoAn IoT-focused intrusion detectionsystem approach based on preprocessing characterization forcybersecurity datasetsrdquo Sensors vol 21 no 2 p 656 2021
[42] J Kennedy and R C Eberhart ldquoParticle swarm optimiza-tionrdquo in Proceedings of the IEEE Int Conf Neural Networkspp 1942ndash1948 Perth Australia November 1995
[43] Y Y Chung and N Wahid ldquoA hybrid network intrusiondetection system using simplified swarm optimization (SSO)rdquoApplied Soft Computing vol 12 no 9 pp 3014ndash3022 2012
[44] S X Wu and W Banzhaf ldquoe use of computational in-telligence in intrusion detection systems a reviewrdquo AppliedSoft Computing vol 10 no 1 pp 1ndash35 2010
[45] C D McDermott F Majdani and A V Petrovski ldquoBotnetdetection in the internet of things using deep learning ap-proachesrdquo in Proceedings of the 2018 International JointConference on Neural Networks (IJCNN) pp 1ndash8 [CrossRef]Rio de Janeiro Brazil July 2018
[46] T H H Aldhyani M Al-Yaari H Alkahtani and M MaashildquoWater quality prediction using artificial intelligence algo-rithmsrdquo Applied Bionics and Biomechanics vol 2020 ArticleID 6659314 2020
Complexity 17
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity
[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019
[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020
[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020
18 Complexity