Realguard: A Lightweight Network Intrusion Detection System for IoT Gateways
Abstract
1. Introduction
- Offer better protection for IoT devices by moving the NIDS to the IoT network gateway. Moving the NIDS close to the traffic sources (the IoT devices) not only increases detection accuracy by lowering the volume and complexity of the incoming traffic, but also allows both internal and external threats to be identified quickly. To do this, the proposed NIDS must be lightweight enough to run on resource-constrained devices while still providing sufficient detection performance. It must also operate in real time to satisfy latency requirements: the packet processing rate of the NIDS must exceed the expected packet arrival rate of the IoT network so that no packet has to wait.
- Identify multiple cyber-attacks, including ensemble attacks that combine several attack strategies. In more detail, the proposed NIDS has to identify a large set of attacks from malicious signs in the network traffic. To achieve this, we propose a DNN model that detects ten popular attacks in the IoT domain with high accuracy. Executing the model must consume only minor computational resources so that it remains suitable for the former objective.
- We present Realguard, a DNN-based intrusion detection system that runs directly on an IoT edge gateway. The proposed NIDS not only distinguishes automatically between normal and abnormal network traffic but also identifies the various attacks launched by external attackers or internal compromised devices. Realguard has a small memory footprint and a high packet processing rate because of the efficiency of our DNN model, which acts as the anomaly detection algorithm. To the best of our knowledge, we are the first to propose running a DNN-based NIDS on a resource-constrained IoT gateway in real time.
- We propose an efficient feature extraction module that extracts network features from network traffic. To increase extraction speed, we apply the Damped Incremental Statistics algorithm, which maintains statistics over concurrent data streams with a time complexity of only O(1) per update.
- We demonstrate that Realguard can fully operate on resource-constrained IoT gateways while detecting a wide range of cyber threats (10 attack types) in real time with a very low false-positive rate. To evaluate the packet processing rate of our proposal, we implemented a labeling method that converts the CICIDS2017 dataset into a packet-based dataset, which the research community can reuse.
- We pack all components of our proposal into a Docker container that is publicly available to the research and open-source development communities. This container can be integrated seamlessly into any IoT gateway framework that supports Docker containers (e.g., AGILE [18], Balena [19]). The integration process can also be automated with Jenkins [20], an open-source automation server. This promotes adoption of the proposed system and makes it platform-independent.
2. Related Works
3. The Realguard IDS
3.1. Overview
- Feature Extraction Component (FEC): It calculates network traffic statistics from the packet metadata collected by the previous block. The statistics are then formed into feature vectors compatible with the deployed detection model. In more detail, n features are extracted from network packets to create a network feature vector. To increase the extraction rate, we apply the Damped Incremental Statistics algorithm [23].
- Attack Detection Component (ADC): It is responsible for detecting abnormalities in network traffic in real time, given the network features. To fulfill this aim, we propose a DNN model that not only detects whether an attack has occurred but also identifies the attack type. This ability is important for system administrators to quickly deploy appropriate countermeasures to prevent the attack or reduce its severity.
- Action Manager Component (AMC): It is responsible for carrying out the actions pre-configured by users when an attack is detected by the ADC. In Realguard, the supported actions are logging and blocking the abnormal traffic and notifying administrators by email.
- In the feature extraction component, an exponential decay function assigns each network packet a weight that decreases exponentially over time. A packet's information is removed to save memory once its weight reaches zero. In addition, instead of storing the statistical values of packets in a sliding window, which has O(n) complexity, a cumulative sum accumulates these values, reducing the complexity to O(1).
- In the attack detection component, a DNN model consisting of five hidden layers with only 34,315 parameters is proposed; it achieves high detection performance while remaining simple.
- The POC monitors and captures inbound and outbound network packets and extracts the metadata needed for network traffic statistics (e.g., IP addresses, ports, packet size, timestamp, protocol, and so on). This metadata is then sent to the FEC for further processing.
- The FEC computes numerous statistical features that describe the current network state from the received metadata. Because of the variety of IoT devices (which act as data sources in the network) and network topologies, the values of the extracted features are highly diverse, so the features are normalized and formed into a vector before being transferred to the ADC.
- The ADC receives the feature vector and uses it differently in two modes:
- In training mode: we group the vectors according to their labels and then divide them into two subsets used for training and validation. When training is complete, we obtain an output model and deploy it on the network devices in executing mode.
- In executing mode: the model runs and returns an integer indicating the class of the network packet. In Realguard, we can classify 10 attack types. If an attack is detected, a notification command is sent to the AMC.
3.2. Feature Extraction Component
- An IoT network contains many devices that may create a large number of parallel sessions. This makes it harder to extract valuable information about the relationships between these sessions.
- Packets observed from simultaneous sessions are often interleaved with one another.
- Since network sessions differ in duration and traffic volume, feature extraction may consume a large amount of memory to store the session information.
- The packet rate is enormous under DoS/DDoS attacks, up to millions of packets per second.
Algorithm 1: Update
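The following Python is an added example, not code from the Realguard paper or its Docker image: it implements the damped incremental statistics of Section 3.1 (decayed weight, linear sum and squared sum, so each update is O(1)) together with the per-stream bookkeeping that Section 3.2 and Algorithm 1 (Update) concern, including pruning of streams whose weight has decayed to nothing. The stream key, decay rate and packet trace are constructed assumptions.

```python
"""Damped incremental statistics (after the algorithm Realguard cites as [23]).

Example added here, not code from the Realguard paper or its Docker image.
Assumptions: a packet is reduced to (stream key, timestamp in seconds, size in
bytes); the decay rate `lam` and the packet trace in demo() are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class DampedStat:
    """Weight, linear sum and squared sum of one stream, each decayed by
    2^(-lam * elapsed) at every update: O(1) time and memory per packet,
    instead of the O(n) of a sliding window holding n packets."""
    lam: float           # decay rate; lam=1.0 halves a packet's weight every second
    w: float = 0.0       # decayed packet count
    ls: float = 0.0      # decayed sum of sizes
    ss: float = 0.0      # decayed sum of squared sizes
    t_last: float = 0.0  # timestamp of the last update

    def decay(self, now: float) -> float:
        """Decay factor for the time elapsed since the last update."""
        dt = max(0.0, now - self.t_last)   # tolerate slightly reordered captures
        return 2.0 ** (-self.lam * dt)

    def update(self, t: float, x: float) -> None:
        d = self.decay(t)
        self.w = d * self.w + 1.0
        self.ls = d * self.ls + x
        self.ss = d * self.ss + x * x
        self.t_last = t

    def weight_at(self, now: float) -> float:
        """Current weight without mutating the state (used for pruning)."""
        return self.w * self.decay(now)

    def mean(self) -> float:
        return self.ls / self.w if self.w else 0.0

    def variance(self) -> float:
        if not self.w:
            return 0.0
        m = self.mean()
        # abs() guards against tiny negative values from floating-point error
        return abs(self.ss / self.w - m * m)

    def std(self) -> float:
        return math.sqrt(self.variance())

    def features(self) -> Tuple[float, float, float]:
        """(weight, mean, std): per-stream features of the kind fed to the model."""
        return (self.w, self.mean(), self.std())


class StreamStats:
    """Statistics for many concurrent streams (keyed e.g. by source IP);
    prune() bounds memory by dropping streams whose weight has decayed away."""

    def __init__(self, lam: float) -> None:
        self.lam = lam
        self.streams: Dict[str, DampedStat] = {}

    def observe(self, key: str, t: float, size: float) -> Tuple[float, float, float]:
        st = self.streams.get(key)
        if st is None:
            st = self.streams[key] = DampedStat(self.lam)
        st.update(t, size)
        return st.features()

    def prune(self, now: float, eps: float = 1e-3) -> int:
        """Remove streams whose weight is below eps; returns how many were dropped."""
        dead = [k for k, s in self.streams.items() if s.weight_at(now) < eps]
        for k in dead:
            del self.streams[k]
        return len(dead)


def demo() -> Dict[str, Tuple[float, float, float]]:
    """Feed a constructed trace and return the latest features of surviving streams."""
    trace = [  # (source, time in s, size in bytes): constructed sample packets
        ("10.0.0.5", 0.0, 100.0), ("10.0.0.5", 1.0, 200.0),
        ("10.0.0.9", 9.0, 60.0),
    ]
    ex = StreamStats(lam=1.0)
    latest = {}
    for src, t, size in trace:
        latest[src] = ex.observe(src, t, size)
    ex.prune(now=10.0, eps=0.01)   # 10.0.0.5 has faded out; 10.0.0.9 is kept
    return {k: latest[k] for k in ex.streams}


if __name__ == "__main__":
    for key, (w, mean, std) in demo().items():
        print(f"{key}: weight={w:.3f} mean={mean:.1f} std={std:.1f}")
```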
3.3. Attack Detection Component
4. Evaluation
4.1. Evaluation Environments
- Edge gateway is represented by a single board computer (Raspberry PI 4B), which has a quad-core Cortex-A72 processor and 8 GB RAM.
- Edge server is represented by a PC equipped with 8 Intel i7 processors and 16 GB of available memory.
4.2. Datasets
4.3. Evaluation Metrics
- Confusion matrix: In the binary case, it is a table with two rows and two columns that presents the counts of true positives (TP), true negatives (TN), false positives (FP), and false negatives (FN).
- True Positive Rate (TPR, also Recall or Detection Rate): the ratio of abnormal activities correctly detected to the total number of abnormal activities.
- False Positive Rate (FPR, also Fallout or false alert rate): the ratio of normal activities wrongly detected as abnormal to the total number of normal activities.
- Accuracy (ACC): the ratio of correctly classified activities to all activities.
- Confusion matrix (multi-class): a table widely used to visualize the performance of a classification method. Its rows represent the actual classes and its columns the predicted classes. In our evaluation results, each cell of the confusion matrix presents the number of correct predictions and the TPR value.
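As an added example (not from the paper), the following Python computes the metrics just defined from a multi-class confusion matrix laid out as in Section 4.3 (rows actual, columns predicted): per-class TPR, the unweighted TPR average that the comparison tables report as "TPR (Avg)" (the Realguard column averages to 99.57 that way), the overall FPR as the share of normal samples flagged as any attack, the overall accuracy, and a binary detection rate that counts an attack as detected even when its type is confused. The class labels and counts are constructed, not the paper's results.

```python
"""Multi-class IDS metrics from a confusion matrix (definitions of Section 4.3).

Example added here, not code from the Realguard paper. The labels and the
counts in DEMO_CM are constructed; they are not the paper's evaluation results.
"""
from typing import Dict, List, Sequence

Matrix = Sequence[Sequence[int]]


def confusion_matrix(actual: Sequence[int], predicted: Sequence[int], n: int) -> List[List[int]]:
    """Build an n x n matrix; rows are actual classes, columns predicted ones."""
    cm = [[0] * n for _ in range(n)]
    for a, p in zip(actual, predicted):
        cm[a][p] += 1
    return cm


def per_class_tpr(cm: Matrix) -> List[float]:
    """TPR of class i: samples of i predicted as i, over all samples of i."""
    return [row[i] / sum(row) if sum(row) else 0.0 for i, row in enumerate(cm)]


def macro_tpr(cm: Matrix) -> float:
    """Unweighted mean of the per-class TPRs ("TPR (Avg)" in the paper's tables)."""
    tprs = per_class_tpr(cm)
    return sum(tprs) / len(tprs)


def overall_fpr(cm: Matrix, normal: int = 0) -> float:
    """Normal samples flagged as any attack, over all normal samples."""
    row = cm[normal]
    return (sum(row) - row[normal]) / sum(row) if sum(row) else 0.0


def overall_acc(cm: Matrix) -> float:
    """Correct predictions (the diagonal) over all samples."""
    total = sum(sum(row) for row in cm)
    return sum(cm[i][i] for i in range(len(cm))) / total if total else 0.0


def binary_detection_rate(cm: Matrix, normal: int = 0) -> float:
    """Attack samples predicted as *some* attack, over all attack samples:
    a DoS Hulk packet labelled DoS GoldenEye still counts as a detected attack."""
    attacks = [row for i, row in enumerate(cm) if i != normal]
    total = sum(sum(row) for row in attacks)
    missed = sum(row[normal] for row in attacks)
    return (total - missed) / total if total else 0.0


def summarize(cm: Matrix, labels: Sequence[str], normal: int = 0) -> Dict[str, float]:
    """Flat report in the shape of the paper's comparison tables (values in %)."""
    report = {f"TPR {lbl}": 100 * t for lbl, t in zip(labels, per_class_tpr(cm))}
    report["TPR (Avg)"] = 100 * macro_tpr(cm)
    report["FPR (Overall)"] = 100 * overall_fpr(cm, normal)
    report["ACC (Overall)"] = 100 * overall_acc(cm)
    report["Detection rate (binary)"] = 100 * binary_detection_rate(cm, normal)
    return report


# Constructed classes and counts: class 0 is benign traffic.
LABELS = ["Normal", "DoS Hulk", "PortScan", "SSH-Patator"]
DEMO_CM = [
    [980, 10, 5, 5],   # 1,000 normal packets, 20 of them raised a false alarm
    [8, 190, 2, 0],    # 200 DoS Hulk packets: 8 missed, 2 labelled as PortScan
    [2, 0, 96, 2],
    [5, 0, 0, 45],
]


def demo() -> Dict[str, float]:
    return summarize(DEMO_CM, LABELS)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value:6.2f}")
```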
4.4. Results and Discussion
5. Limitations and Future Works
- Realguard requires well-labeled traffic data to train the attack detection model. However, such data are uncommon, and building them requires a massive effort.
- Realguard is potentially vulnerable to adversarial attacks because it has no barrier layers that mitigate the effect of adversarial samples.
- The attack detection model has to be re-trained frequently to maintain high accuracy. Deploying and updating the model consumes significant computation and network resources.
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
1. Al-Bahri, M.; Yankovsky, A.; Borodin, A.; Kirichek, R. Testbed for identify IoT-devices based on digital object architecture. In Internet of Things, Smart Spaces, and Next Generation Networks and Systems; Springer: Cham, Switzerland, 2018; pp. 129–137.
2. Hejazi, H.; Rajab, H.; Cinkler, T.; Lengyel, L. Survey of platforms for massive IoT. In Proceedings of the 2018 IEEE International Conference on Future IoT Technologies (Future IoT), Eger, Hungary, 18–19 January 2018; pp. 1–8.
3. Wu, Y.; Dai, H.N.; Wang, H. Convergence of blockchain and edge computing for secure and scalable IIoT critical infrastructures in industry 4.0. IEEE Internet Things J. 2020, 8, 2300–2317.
4. Hassija, V.; Chamola, V.; Saxena, V.; Jain, D.; Goyal, P.; Sikdar, B. A survey on IoT security: Application areas, security threats, and solution architectures. IEEE Access 2019, 7, 82721–82743.
5. Hassan, W.H.; Noor, M.b.M. Current research on Internet of Things (IoT) security: A survey. Comput. Netw. 2019, 148, 283–294.
6. US-CERT. Heightened DDoS Threat Posed by Mirai and Other Botnets. Available online: https://www.us-cert.gov/ncas/alerts/TA16-288A (accessed on 1 May 2021).
7. Alladi, T.; Chamola, V.; Zeadally, S. Industrial control systems: Cyberattack trends and countermeasures. Comput. Commun. 2020, 155, 1–8.
8. Stellios, I.; Kotzanikolaou, P.; Psarakis, M.; Alcaraz, C.; Lopez, J. A survey of IoT-enabled cyberattacks: Assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. 2018, 20, 3453–3495.
9. Hindy, H.; Brosset, D.; Bayne, E.; Seeam, A.; Tachtatzis, C.; Atkinson, R.; Bellekens, X. A Taxonomy and Survey of Intrusion Detection System Design Techniques, Network Threats and Datasets; 2018. Available online: https://strathprints.strath.ac.uk/64653/ (accessed on 26 December 2021).
10. Gajewski, M.; Batalla, J.M.; Mastorakis, G.; Mavromoustakis, C.X. A distributed IDS architecture model for Smart Home systems. Clust. Comput. 2019, 22, 1739–1749.
11. Liu, H.; Lang, B. Machine learning and deep learning methods for intrusion detection systems: A survey. Appl. Sci. 2019, 9, 4396.
12. Aldweesh, A.; Derhab, A.; Emam, A.Z. Deep learning approaches for anomaly-based intrusion detection systems: A survey, taxonomy, and open issues. Knowl.-Based Syst. 2020, 189, 105124.
13. RM, S.P.; Maddikunta, P.K.R.; Parimala, M.; Koppu, S.; Gadekallu, T.R.; Chowdhary, C.L.; Alazab, M. An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture. Comput. Commun. 2020, 160, 139–149.
14. Mittal, S. A survey on modeling and improving reliability of DNN algorithms and accelerators. J. Syst. Archit. 2020, 104, 101689.
15. Goel, A.; Tung, C.; Lu, Y.H.; Thiruvathukal, G.K. A survey of methods for low-power deep learning and computer vision. In Proceedings of the 2020 IEEE 6th World Forum on Internet of Things (WF-IoT), New Orleans, LA, USA, 5–9 April 2020; pp. 1–6.
16. Berman, D.S.; Buczak, A.L.; Chavis, J.S.; Corbett, C.L. A survey of deep learning methods for cyber security. Information 2019, 10, 122.
17. Al-Garadi, M.A.; Mohamed, A.; Al-Ali, A.K.; Du, X.; Ali, I.; Guizani, M. A survey of machine and deep learning methods for internet of things (IoT) security. IEEE Commun. Surv. Tutor. 2020, 22, 1646–1685.
18. The Agile IoT Project Website. Available online: http://agile-iot.eu (accessed on 28 February 2021).
19. Botez, R.; Strautiu, V.; Ivanciu, I.A.; Dobrota, V. Containerized Application for IoT Devices: Comparison between balenaCloud and Amazon Web Services Approaches. In Proceedings of the 2020 International Symposium on Electronics and Telecommunications (ISETC), Timisoara, Romania, 5–6 November 2020; pp. 1–4.
20. Lenz, M. Continuous Integration with Jenkins. In Python Continuous Integration and Delivery; Apress: Berkeley, CA, USA, 2019; pp. 39–52.
21. Midi, D.; Rullo, A.; Mudgerikar, A.; Bertino, E. Kalis—A system for knowledge-driven adaptable intrusion detection for the Internet of Things. In Proceedings of the 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), Atlanta, GA, USA, 5–8 June 2017; pp. 656–666.
22. Liu, Y.; Liu, S.; Zhao, X. Intrusion detection algorithm based on convolutional neural network. In DEStech Transactions on Engineering and Technology Research; DEStech: Lancaster, PA, USA, 2017.
23. Mirsky, Y.; Doitshman, T.; Elovici, Y.; Shabtai, A. Kitsune: An ensemble of autoencoders for online network intrusion detection. arXiv 2018, arXiv:1802.09089.
24. Ahmim, A.; Maglaras, L.; Ferrag, M.A.; Derdour, M.; Janicke, H. A novel hierarchical intrusion detection system based on decision tree and rules-based models. In Proceedings of the 2019 15th International Conference on Distributed Computing in Sensor Systems (DCOSS), Santorini, Greece, 29–31 May 2019; pp. 228–233.
25. Faker, O.; Dogdu, E. Intrusion detection using big data and deep learning techniques. In Proceedings of the 2019 ACM Southeast Conference, Kennesaw, GA, USA, 18–20 April 2019; pp. 86–93.
26. Wang, B.; Su, Y.; Zhang, M.; Nie, J. A Deep Hierarchical Network for Packet-Level Malicious Traffic Detection. IEEE Access 2020, 8, 201728–201740.
27. Sun, P.; Liu, P.; Li, Q.; Liu, C.; Lu, X.; Hao, R.; Chen, J. DL-IDS: Extracting features using CNN-LSTM hybrid network for intrusion detection system. Secur. Commun. Netw. 2020, 2020, 8890306.
28. Mohammadpour, L.; Ling, T.C.; Liew, C.S.; Aryanfar, A. A Mean Convolutional Layer for Intrusion Detection System. Secur. Commun. Netw. 2020, 2020, 8891185.
29. Jiang, K.; Wang, W.; Wang, A.; Wu, H. Network intrusion detection combined hybrid sampling with deep hierarchical network. IEEE Access 2020, 8, 32464–32476.
30. Shaukat, K.; Luo, S.; Varadharajan, V.; Hameed, I.A.; Xu, M. A survey on machine learning techniques for cyber security in the last decade. IEEE Access 2020, 8, 222310–222354.
31. Shaukat, K.; Luo, S.; Chen, S.; Liu, D. Cyber Threat Detection Using Machine Learning Techniques: A Performance Evaluation Perspective. In Proceedings of the 2020 IEEE International Conference on Cyber Warfare and Security (ICCWS), Norfolk, VA, USA, 12–13 March 2020; pp. 1–6.
32. Shaukat, K.; Luo, S.; Varadharajan, V.; Hameed, I.A.; Chen, S.; Liu, D.; Li, J. Performance comparison and current challenges of using machine learning techniques in cybersecurity. Energies 2020, 13, 2509.
33. Lin, W.H.; Lin, H.C.; Wang, P.; Wu, B.H.; Tsai, J.Y. Using convolutional neural networks to network intrusion detection for cyber threats. In Proceedings of the 2018 IEEE International Conference on Applied System Invention (ICASI), Tokyo, Japan, 13–17 April 2018; pp. 1107–1110.
34. Eskandari, M.; Janjua, Z.H.; Vecchio, M.; Antonelli, F. Passban IDS: An intelligent anomaly-based intrusion detection system for IoT edge devices. IEEE Internet Things J. 2020, 7, 6882–6897.
35. Shaukat, K.; Alam, T.M.; Hameed, I.A.; Khan, W.A.; Abbas, N.; Luo, S. A Review on Security Challenges in Internet of Things (IoT). In Proceedings of the 2021 IEEE 26th International Conference on Automation and Computing (ICAC), Portsmouth, UK, 2–4 September 2020; pp. 1–6.
36. Kirupakar, J.; Shalinie, S.M. Situation aware intrusion detection system design for industrial IoT gateways. In Proceedings of the 2019 IEEE International Conference on Computational Intelligence in Data Science (ICCIDS), Gurgaon, India, 6–7 September 2019; pp. 1–6.
37. Subbarayalu, V.; Surendiran, B.; Arun Raj Kumar, P. Hybrid network intrusion detection system for smart environments based on internet of things. Comput. J. 2019, 62, 1822–1839.
38. Yahyaoui, A.; Abdellatif, T.; Attia, R. Hierarchical anomaly based intrusion detection and localization in IoT. In Proceedings of the 2019 IEEE 15th International Wireless Communications & Mobile Computing Conference (IWCMC), Tangier, Morocco, 24–28 June 2019; pp. 108–113.
39. Shaukat, K.; Alam, T.M.; Luo, S.; Shabbir, S.; Hameed, I.A.; Li, J.; Abbas, S.K.; Javed, U. A review of time-series anomaly detection techniques: A step to future perspectives. In Proceedings of the Future of Information and Communication Conference, Vancouver, BC, Canada, 29–30 April 2021; Springer: Cham, Switzerland, 2021; pp. 865–877.
40. Kalaria, R.; Kayes, A.; Rahayu, W.; Pardede, E. A Secure Mutual authentication approach to fog computing environment. Comput. Secur. 2021, 111, 102483.
41. Liu, X.; Xie, L.; Wang, Y.; Zou, J.; Xiong, J.; Ying, Z.; Vasilakos, A.V. Privacy and security issues in deep learning: A survey. IEEE Access 2020, 9, 4566–4593.
42. Yang, H.; Yuan, J.; Li, C.; Zhao, G.; Sun, Z.; Yao, Q.; Bao, B.; Vasilakos, A.V.; Zhang, J. BrainIoT: Brain-Like Productive Services Provisioning with Federated Learning in Industrial IoT. IEEE Internet Things J. 2021.
43. Mollah, M.B.; Azad, M.A.K.; Vasilakos, A. Secure data sharing and searching at the edge of cloud-assisted internet of things. IEEE Cloud Comput. 2017, 4, 34–42.
44. Dibaei, M.; Zheng, X.; Xia, Y.; Xu, X.; Jolfaei, A.; Bashir, A.K.; Tariq, U.; Yu, D.; Vasilakos, A.V. Investigating the prospect of leveraging blockchain and machine learning to secure vehicular networks: A survey. IEEE Trans. Intell. Transp. Syst. 2021, 1–18.
45. Sugiyama, Y.; Goto, K. Design and implementation of a network emulator using virtual network stack. In Proceedings of the 7th International Symposium on Operations Research and Its Applications (ISORA’08), Lijiang, China, 31 October–3 November 2008; World Publ. Co.: Beijing, China, 2008; pp. 351–358.
46. Leblond, E.; Longo, G. Suricata IDPS and Its Interaction with Linux Kernel. In Proceedings of the netdev 1.1, Seville, Spain, 10–12 February 2016.
47. Merino, B. Instant Traffic Analysis with Tshark How-To; Packt Publishing Ltd.: Birmingham, UK, 2013.
48. Azizjon, M.; Jumabek, A.; Kim, W. 1D CNN based network intrusion detection with normalization on imbalanced data. In Proceedings of the 2020 IEEE International Conference on Artificial Intelligence in Information and Communication (ICAIIC), Fukuoka, Japan, 19–21 February 2020; pp. 218–224.
49. Althubiti, S.A.; Jones, E.M.; Roy, K. LSTM for anomaly-based network intrusion detection. In Proceedings of the 2018 IEEE 28th International Telecommunication Networks and Applications Conference (ITNAC), Sydney, Australia, 21–23 November 2018; pp. 1–3.
50. Almseidin, M.; Alzubi, M.; Kovacs, S.; Alkasassbeh, M. Evaluation of machine learning algorithms for intrusion detection system. In Proceedings of the 2017 IEEE 15th International Symposium on Intelligent Systems and Informatics (SISY), Subotica, Serbia, 14–16 September 2017; pp. 000277–000282.
51. Thoma, M. Analysis and optimization of convolutional neural network architectures. arXiv 2017, arXiv:1707.09725.
52. Krizhevsky, A.; Sutskever, I.; Hinton, G. ImageNet Classification with Deep Convolutional Neural Networks. Neural Inf. Process. Syst. 2012, 25.
53. Bansal, A.; Kaur, S. Extreme gradient boosting based tuning for classification in intrusion detection systems. In Proceedings of the International Conference on Advances in Computing and Data Sciences, Dehradun, India, 20–21 April 2018; Springer: Singapore, 2018; pp. 372–380.
54. Gamage, S.; Samarabandu, J. Deep learning methods in network intrusion detection: A survey and an objective comparison. J. Netw. Comput. Appl. 2020, 169, 102767.
55. Elmasry, W.; Akbulut, A.; Zaim, A.H. Evolving deep learning architectures for network intrusion detection using a double PSO metaheuristic. Comput. Netw. 2020, 168, 107042.
56. Krishnan, P.; Duttagupta, S.; Achuthan, K. VARMAN: Multi-plane security framework for software defined networks. Comput. Commun. 2019, 148, 215–239.
57. Gu, J.; Lu, S. An effective intrusion detection approach using SVM with naïve Bayes feature embedding. Comput. Secur. 2021, 103, 102158.
58. Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. Toward generating a new intrusion detection dataset and intrusion traffic characterization. In Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP), Prague, Czech Republic, 23–25 February 2018; pp. 108–116.
Year | Authors | Research Aspect | Model | Datasets | Num of Label | Data Analyzed | Performance |
---|---|---|---|---|---|---|---|
2017 | Midi et al. [21] | Kalis: An IDS capable of detecting assaults in real-time across a broad variety of IoT systems | Signature based | Custom dataset | 8 | Packet-based | ACC = 100% TPR = 91% |
2017 | Liu et al. [22] | A CNN-base NIDS | CNN | KDD-Cup99 | 5 | Flow-based | DR = 97.66% FAR = 0.1% |
2018 | Mirsky et al. [23] | An Ensemble of Autoencoders for real-time NIDS | ANN | Custom dataset | 10 | Packet-based | TPR = 99.99%, AUC = 99.99% |
2019 | Ahmim et al. [24] | NIDS that incorporate diverse classifier methodologies | REP Tree, JRIP, RF | CICIDS2017 | 15 | Flow-based | DR = 94.475% ACC = 96.66% FAR = 1.145% |
2019 | Faker et al. [25] | Intrusion detection on ML/DL methodologies | DNN; RF; Gradient Boosting | CICIDS2017 UNSW UB15 | 14 9 | Flow-based | ACC= 91–98% |
2020 | Wang et al. [26] | A deep hierarchical model for detecting anomaly traffic at packet-level | CNN-LSTM; CNN-GRU | ISCX2012 USTC-TFC2016 CICIDS2017 | 5 10 6 | Packet-based | ACC = 99–100% DR = 99–100% |
2020 | Sun et al. [27] | A hybrid model of CNN and LSTM to extract network features and enhance NIDS | CNN + LSTM | CICIDS2017 | 7 | Flow-based | ACC = 98.67% TPR = 97.21% FPR = 0.47% |
2020 | Mohammadpour et al. [28] | New CNN architecture for detecting particular abnormality | CNN | CICIDS2017 | 11 | Flow-based | ACC = 99.46% FPR = 0.23% PPV = 99.76% |
2020 | Kaiyuan et al. [29] | A NIDS incorporated hybrid sampling and a deep hierarchical network | CNN + BiLSTM | NSL-KDD UNSW-NB15 | 5 10 | Flow-based | ACC = 76–82% |
n/a | Ours (this work) | Realguard: Realtime IDS for IoT Gateway | DNN | CICIDS2017 | 11 | Packet-based | ACC = 99.93% TPR = 99.57% FPR = 0.04% |
Component | Property | Edge Gateway (Raspberry PI 4B) | Edge Server (PC) |
---|---|---|---|
CPU | Type | Broadcom BCM2711 | Intel i7-9750H |
CPU | Clock | 1.5 GHz | 2.60 GHz |
CPU | Cores | Quad core Cortex-A72 × 4 | 4 (8 logical) |
RAM | Size | 8 GB | 16 GB |
Attack Type | Description | Total Packet | Used Packet |
---|---|---|---|
Normal | Normal connection | 11,926,723 | 400,000 |
FTP-Patator | File transfer protocol—brute force attack | 110,736 | 110,736 |
SSH-Patator | Secure shell protocol—brute force attack | 136,073 | 136,073 |
DoS Slowloris | Attackers flood the victim machine with malicious requests to overload victim systems | 47,596 | 47,596 |
DoS Slowhttptest | Attackers flood the victim machine with malicious requests to overload victim systems | 39,254 | 39,254 |
DoS Hulk | Attackers flood the victim machine with malicious requests to overload victim systems | 2,245,526 | 200,000 |
DoS GoldenEye | Attackers flood the victim machine with malicious requests to overload victim systems | 106,177 | 106,177 |
Heartbleed Port 444 | Exploited by sending a malformed heartbeat request with a small payload and large length field to the vulnerable party | 47,551 | 47,551 |
Botnet ARES | Zombie machines controlled by a bot owner, which can be used to perform various attacks | 9871 | 9871 |
DDoS LOIT | Distributed Denial of Service is an attempt to bring victim services down by using multiple sources, for example a botnet | 1,280,602 | 200,000 |
Port Scan | Identifies which ports are open for a particular service. Attackers use this to gather information. | 327,253 | 200,000 |
(%) | Realguard | NB-SVM | DT-EnSVM | DBN | PSO+LSTM-RNN | PSO+DNN | XGB | AE+ANN |
---|---|---|---|---|---|---|---|---|
TPR | 99.66 | 99.46 | 99.15 | 99.00 | 98.68 | 97.58 | 97.40 | 95.81 |
FPR | 0.40 | 3.00 | 4.00 | 2.10 | 0.16 | 0.28 | 12.00 | 1.23 |
ACC | 99.64 | 98.92 | 98.46 | 98.24 | 98.83 | 97.85 | 91.36 | 98.18 |
(%) | Realguard | MLP | CNN-MCL | XGB | RF | SVC | ANN | LSTM | E-ML | REP Tree |
---|---|---|---|---|---|---|---|---|---|---|
TPR Normal | 99.60 | 99.66 | x | 99.85 | 99.93 | 98.89 | 99.73 | 99.69 | x | x |
TPR Botnet | 98.46 | 91.39 | 95.19 | x | 64.45 | 79.18 | 38.36 | 35.81 | 46.47 | 47.76 |
TPR DoSSlowhttptest | 99.48 | 99.75 | 91.50 | 94.45 | 99.36 | 83.65 | 98.82 | 98.64 | 93.84 | 75.36 |
TPR DoSGoldenEye | 99.98 | 99.98 | 98.71 | 99.27 | 99.76 | 99.91 | 99.08 | 97.62 | 67.57 | 66.43 |
TPR DoSslowloris | 99.52 | 99.85 | 97.96 | 91.62 | 99.14 | 98.04 | 98.27 | 97.07 | 97.76 | 92.73 |
TPR DoSHulk | 98.45 | 97.54 | 99.10 | 99.92 | 99.85 | 93.36 | 99.73 | 99.02 | 96.78 | 92.22 |
TPR FTP-Patator | 99.92 | 99.99 | 99.77 | x | 99.94 | 99.95 | 99.62 | 99.68 | 99.64 | 99.18 |
TPR SSH-Patator | 99.92 | 99.95 | 98.16 | x | 99.75 | 99.42 | 98.30 | 96.61 | 99.91 | 100.00 |
TPR Heartbleed | 99.98 | 99.99 | x | 100.00 | x | 99.97 | x | x | 100.00 | 100.00 |
TPR DDoS | 100.00 | 100.00 | 99.19 | x | 99.94 | 99.98 | 99.91 | 99.88 | 99.88 | 99.79 |
TPR PortScan | 99.94 | 99.28 | 99.86 | x | 99.95 | 99.39 | 99.81 | 99.92 | 99.88 | 99.88 |
TPR (Avg) | 99.57 | 98.85 | 97.72 | 97.52 | 96.21 | 95.61 | 93.16 | 92.39 | 90.17 | 87.33 |
FPR (Overall) | 0.04 | 0.06 | 0.23 | 0.24 | 0.24 | 0.20 | 0.63 | 0.79 | 1.15 | 4.84 |
ACC (Overall) | 99.93 | 99.89 | 99.46 | 99.54 | 99.86 | 99.64 | 99.58 | 99.57 | 96.67 | 93.40 |
System | Device | Train Rate (pkg/s) | Exec Rate (pkg/s) |
---|---|---|---|
Our | PC | 6000 | 88,200 |
Our | Ras | 1150 | 10,600 |
Kitsune [23] | PC | 1100 | 37,300 |
Kitsune [23] | Ras | x | 5400 |
Ahmim et al. [24] | PC | 200 | 17,600 |
Ahmim et al. [24] | Ras | x | x |
Metric | Realguard | Kitsune | RF | LSTM |
---|---|---|---|---|
CPU (%) | 36.0 | 33.8 | 76.8 | 47.6 |
RAM (MB) | 114.5 | 156.3 | 180.3 | 143.1 |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Nguyen, X.-H.; Nguyen, X.-D.; Huynh, H.-H.; Le, K.-H. Realguard: A Lightweight Network Intrusion Detection System for IoT Gateways. Sensors 2022, 22, 432. https://doi.org/10.3390/s22020432