Collaborative Intrusion Detection in IoT Networks: A Comprehensive Approach
Detecting intrusions in large networks, and in the Internet of Things (IoT) in particular, is demanding: traffic volumes are high, traffic patterns vary, intrusion methods are numerous, and unknown attacks are likely. This article describes a collaborative approach built from independent learning models, deployed on monitoring nodes, that is aimed at these difficulties.
Datasets Used for Evaluation
To evaluate the approach we used the NSL-KDD and UNSW-NB15 datasets, both well established in intrusion detection research. Each provides a broad range of traffic patterns and attack conditions, which makes them suitable benchmarks for the proposed detection strategy.
NSL-KDD Dataset
The NSL-KDD dataset was created to fix reliability problems in the original KDD’99 dataset, chiefly its redundant records and the bias they introduce. It consists of approximately 1.074 million samples, each describing a connection between a pair of nodes through 41 features. The features fall into four groups:
- Basic Features: protocol type, service, flag
- Content Features: failed logins, file creations
- Time-Based Traffic Features: counts of connections to the same host or service within a two-second window
- Host-Based Traffic Features: the same counts computed over the last 100 connections to the destination host
For our analysis we used the 20% training subset of 25,192 records, 13,413 of them normal and the remainder attacks of various types.
UNSW-NB15 Dataset
Complementing NSL-KDD, the UNSW-NB15 dataset offers a more contemporary set of attack patterns and addresses many deficiencies of the older benchmarks. It contains 2,540,044 samples described by 49 features, including:
- Content Features: Payload characteristics
- Temporal Features: Time-related flow attributes
- Header-Based Features: Packet header information
- Flow-Based Features: Statistical flow properties
For our methodology we balanced the class distribution by reducing the number of normal samples while retaining 508,000 attack instances, giving a training set in which attacks are not swamped by normal traffic.
These datasets, though not originally derived from IoT deployments, contain features and characteristics that closely mirror those found in typical IoT network systems. They encapsulate various attack types—such as denial-of-service, probing, and remote-to-local attacks—providing a robust platform for evaluating our intrusion detection methodology.
Proposed Methodology
The essence of our research lies in a collaborative intrusion detection model designed explicitly for IoT architectures. This approach facilitates detection through a network of independent learning models deployed across numerous monitoring nodes, ultimately leading to an aggregated learning system where each model’s effectiveness influences the final detection output.
Overview of the Proposed Method
Our approach unfolds in two principal phases:
- Network Decomposition and Deployment of the Intrusion Detection Model
- Collaborative Intrusion Detection
Figure 1 illustrates the details of the collaborative intrusion detection based on this methodology.
Phase 1: Network Decomposition and Deployment
This initial phase involves preparing the communication infrastructure of the network, breaking it down into subnetworks to enhance security management. The process commences with each node identifying its active neighbors by broadcasting a control packet. In response, neighboring nodes relay information about their energy levels and communication link delays, enabling each node to assess its connection weights based on energy and connectivity.
The weight of the link from node $i$ to neighbour $j$ is
\[
W_{ij} = \frac{Energy_{i} \times C_{i}}{Delay_{ij}}
\]
where $Energy_{i}$ is the remaining energy of node $i$, $C_{i}$ its connectivity, and $Delay_{ij}$ the delay of the link between $i$ and $j$, as learned from the control-packet exchange. A node with more energy, better connectivity and faster links therefore carries more weight.
Subsequently, active nodes compare their weights, leading to the creation of subnetworks with designated monitor nodes responsible for detecting attacks localized within their boundaries.
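The following Python is an added example, not code from the paper: it runs the Phase 1 procedure above on a small constructed topology. Where the page is silent it assumes that $C_{i}$ is the number of active neighbours, that a node's weight for the comparison step is the sum of its outgoing $W_{ij}$, and that a node which is not itself a monitor joins the monitor it reaches by repeatedly stepping to its heaviest neighbour. The node names, energies and delays are constructed.

```python
"""Phase 1 as the page describes it: each node learns its neighbours' energy
and link delay, scores every link with W_ij = Energy_i * C_i / Delay_ij, and
the locally heaviest node becomes the monitor of a subnetwork.  Added
example, not the paper's code.  Assumptions: C_i is the count of active
neighbours, a node's weight is the sum of its outgoing link weights, and a
non-monitor joins the monitor reached by stepping to its heaviest neighbour."""
from collections import defaultdict

# Constructed topology: residual energy (J) per node and symmetric link
# delays (ms) as a node would learn them from control-packet replies.  In a
# real deployment these values are self-reported by neighbours; the code
# takes them at face value, exactly as the described protocol does.
ENERGY = {"A": 0.9, "B": 0.6, "C": 0.8, "D": 0.3, "E": 0.95, "F": 0.5}
LINKS = {("A", "B"): 12.0, ("A", "C"): 8.0, ("B", "C"): 20.0,
         ("C", "D"): 5.0, ("D", "E"): 15.0, ("E", "F"): 10.0, ("D", "F"): 30.0}


def adjacency(links):
    """Neighbour -> delay map for every node, from the undirected link list."""
    adj = defaultdict(dict)
    for (u, v), delay in links.items():
        if delay <= 0:
            raise ValueError(f"link {u}-{v}: delay must be positive")
        adj[u][v] = delay
        adj[v][u] = delay
    return dict(adj)


def link_weights(energy, adj):
    """W_ij = Energy_i * C_i / Delay_ij for every directed link i -> j."""
    return {(i, j): energy[i] * len(nbrs) / delay
            for i, nbrs in adj.items() for j, delay in nbrs.items()}


def node_weights(energy, adj):
    """Per-node weight used in the comparison step (assumption: sum of W_ij)."""
    w = link_weights(energy, adj)
    return {i: sum(w[(i, j)] for j in adj[i]) for i in adj}


def decompose(energy, links):
    """Return {monitor: sorted members}.  A node is a monitor when no
    neighbour outranks it; (weight, name) ordering makes ties deterministic."""
    adj = adjacency(links)
    nw = node_weights(energy, adj)

    def rank(n):
        return (nw[n], n)

    heaviest = {n: max(adj[n], key=rank) for n in adj}
    monitors = {n for n in adj if rank(n) > rank(heaviest[n])}
    clusters = {m: [] for m in monitors}
    for n in adj:
        if n in monitors:
            continue
        hop = n
        while hop not in monitors:   # rank strictly increases per hop, so this ends
            hop = heaviest[hop]
        clusters[hop].append(n)
    return {m: sorted(members) for m, members in clusters.items()}


if __name__ == "__main__":
    for monitor, members in decompose(ENERGY, LINKS).items():
        print(f"monitor {monitor} watches {members}")
```

On the constructed topology the election yields two subnetworks, one monitored by C and one by E; node D sits next to both candidates but follows the heavier link to C. Because every input to the weight is self-reported by the neighbour, a deployment should treat the monitor role as a trust decision, not only a performance one.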
Phase 2: Collaborative Intrusion Detection
Within the collaborative detection framework, traffic features are preprocessed, followed by the deployment of a fuzzy model to rank these features based on their relevance to intrusion detection. We utilize three distinct strategies—Information Gain, ANOVA, and Relief—to assign weights to the features. The fuzzy model integrates these weightings to shape the detection process.
Here’s a simplified breakdown of the detection phase:
- Preprocess the traffic flow features
- Rank features using the fuzzy model
- Train a Convolutional Neural Network (CNN) model on the prioritized feature set
- Conduct local attack detection, sharing results among monitoring nodes to ascertain the presence of threats using a weighted voting strategy.
Preprocessing and Feature Selection
In the preprocessing stage, categorical features are converted to numeric codes and records with missing values are dropped. Numeric features are then scaled to the [0, 1] range with a simple normalization equation, which puts the dataset in a form suitable for feature selection.
Feature selection then removes indicators that carry no useful signal. Relief, ANOVA and Information Gain are combined into a single selection mechanism, and the BEFS algorithm determines the final feature set, so that only the most predictive features reach the modelling phase.
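As an added example (not the paper's code), the block below carries the preprocessing and the three-way scoring through on a handful of constructed NSL-KDD-style records: it drops an incomplete record, label-encodes the categorical feature, scales to [0, 1], scores every feature with Information Gain, the ANOVA F statistic and basic Relief, and fuses the three into one ranking. The page's fuzzy model and the BEFS step are stood in for by a plain min-max-normalised weighted average of the three scores; that fusion rule, the binarisation threshold used for Information Gain, and the sample records are all assumptions.

```python
"""Preprocessing plus three-way feature scoring (Information Gain, ANOVA F,
Relief) fused into one ranking.  Added example, not the paper's code; the
fuzzy model / BEFS step is replaced by a min-max-scaled average (assumption)."""
import math
from collections import Counter

# Constructed NSL-KDD-style records (basic + content features).  The record
# with a missing value is dropped by preprocess().
RAW = [
    {"duration": 2,  "protocol_type": "tcp",  "failed_logins": 0,    "noise": 0.3,  "label": "normal"},
    {"duration": 3,  "protocol_type": "udp",  "failed_logins": 0,    "noise": 0.9,  "label": "normal"},
    {"duration": 1,  "protocol_type": "tcp",  "failed_logins": 1,    "noise": 0.55, "label": "normal"},
    {"duration": 4,  "protocol_type": "icmp", "failed_logins": 0,    "noise": 0.1,  "label": "normal"},
    {"duration": 50, "protocol_type": "tcp",  "failed_logins": 6,    "noise": 0.4,  "label": "attack"},
    {"duration": 70, "protocol_type": "tcp",  "failed_logins": 8,    "noise": 0.8,  "label": "attack"},
    {"duration": 45, "protocol_type": "udp",  "failed_logins": 5,    "noise": 0.2,  "label": "attack"},
    {"duration": 90, "protocol_type": "tcp",  "failed_logins": None, "noise": 0.6,  "label": "attack"},
    {"duration": 60, "protocol_type": "tcp",  "failed_logins": 7,    "noise": 0.7,  "label": "attack"},
]


def min_max(vals):
    """Scale to [0, 1]; a constant column carries no information and maps to 0."""
    lo, hi = min(vals), max(vals)
    return [0.0] * len(vals) if hi == lo else [(v - lo) / (hi - lo) for v in vals]


def preprocess(rows, label="label"):
    """Drop incomplete records, label-encode string features, min-max scale."""
    rows = [r for r in rows if None not in r.values()]
    cols, y = {}, [r[label] for r in rows]
    for f in (k for k in rows[0] if k != label):
        vals = [r[f] for r in rows]
        if any(isinstance(v, str) for v in vals):
            codes = {v: i for i, v in enumerate(sorted(set(vals)))}
            vals = [codes[v] for v in vals]
        cols[f] = min_max(vals)
    return cols, y


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def info_gain(x, y, threshold=0.5):
    """Information gain of a feature binarised at `threshold` (assumption)."""
    parts = {}
    for v, lab in zip(x, y):
        parts.setdefault(v >= threshold, []).append(lab)
    return entropy(y) - sum(len(p) / len(y) * entropy(p) for p in parts.values())


def anova_f(x, y):
    """One-way ANOVA F; inf when the classes are separated with zero spread."""
    groups = {}
    for v, lab in zip(x, y):
        groups.setdefault(lab, []).append(v)
    n, k, grand = len(x), len(groups), sum(x) / len(x)
    means = {g: sum(v) / len(v) for g, v in groups.items()}
    ss_b = sum(len(v) * (means[g] - grand) ** 2 for g, v in groups.items())
    ss_w = sum((xi - means[g]) ** 2 for g, v in groups.items() for xi in v)
    return float("inf") if ss_w == 0 else (ss_b / (k - 1)) / (ss_w / (n - k))


def relief(cols, y):
    """Basic Relief: reward features that separate an instance from its
    nearest miss, penalise those that separate it from its nearest hit."""
    feats, n = list(cols), len(y)
    w = {f: 0.0 for f in feats}
    for i in range(n):
        nearest = {}                      # same-class? -> (distance, index)
        for j in range(n):
            if j == i:
                continue
            d = sum((cols[f][i] - cols[f][j]) ** 2 for f in feats)
            same = y[j] == y[i]
            if same not in nearest or d < nearest[same][0]:
                nearest[same] = (d, j)
        if len(nearest) < 2:              # singleton class: no hit or no miss
            continue
        hit, miss = nearest[True][1], nearest[False][1]
        for f in feats:
            w[f] += (abs(cols[f][i] - cols[f][miss]) - abs(cols[f][i] - cols[f][hit])) / n
    return w


def rank_features(cols, y, weights=(1 / 3, 1 / 3, 1 / 3)):
    """Fuse the three scores (each min-max scaled, inf pinned to the largest
    finite value) into one weighted ranking, highest first."""
    rel = relief(cols, y)
    table = {f: (info_gain(cols[f], y), anova_f(cols[f], y), rel[f]) for f in cols}
    fused = {f: 0.0 for f in cols}
    for k, wk in enumerate(weights):
        col = [table[f][k] for f in cols]
        top = max((v for v in col if math.isfinite(v)), default=0.0)
        for f, s in zip(cols, min_max([v if math.isfinite(v) else top for v in col])):
            fused[f] += wk * s
    return sorted(fused.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    cols, y = preprocess(RAW)
    for name, score in rank_features(cols, y):
        print(f"{name:15s} {score:.3f}")
```

The three scorers disagree in scale (Information Gain is bounded by the label entropy, the F statistic is unbounded and becomes infinite for a perfectly separating feature with no within-class spread), which is why each column is rescaled before the weighted average; the constructed `noise` column shows the failure mode the fusion must survive, a feature that looks informative to none of the scorers.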
Local CNN-Based Detection
Equipped with the selected features, each monitoring node runs a CNN for local attack detection. CNNs are traditionally used for image processing; here they are applied to tabular traffic data by encoding the selected features of each record as a binary matrix, so that the network's spatial feature extraction can pick up complex patterns in the bit layout.
The system is also designed to respect the computational limits typical of IoT devices: the CNN models live on the monitoring nodes chosen in Phase 1, so the detection workload is spread across the network rather than concentrated in one place.
Combining Local Results for Collaborative Detection
Each monitoring node first classifies traffic with its own CNN, then the nodes exchange their local results. Raw traffic features are not forwarded between nodes; only the local verdicts are shared and combined by weighted voting, so the final decision rests on a consensus of monitors rather than on any single one.
The collaborative detection approach mitigates the limitations of localized monitoring, enhancing overall security through shared intelligence.
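The block below is an added example, not the paper's code, covering the two steps described in the last two sections: packing a selected, [0, 1]-scaled feature vector into the 0/1 matrix a CNN consumes, and combining the monitors' local verdicts by weighted voting. Assumptions not stated on the page: eight bits per feature with the value 1.0 clamped to the all-ones row, each monitor's local output expressed as an attack probability, and each monitor's validation accuracy used as its vote weight. The monitor names, probabilities and accuracies are constructed.

```python
"""Binary-matrix encoding for the local CNN and weighted voting across
monitors.  Added example, not the paper's code.  Assumptions: 8-bit
quantisation with clamping, local output = P(attack), vote weight =
the monitor's validation accuracy."""


def to_binary_matrix(features, bits=8):
    """One row of `bits` bits per feature.  1.0 would need 2**bits, so it is
    clamped to the all-ones row; out-of-range input is a preprocessing bug."""
    top = (1 << bits) - 1
    rows = []
    for v in features:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"feature {v!r} is not scaled to [0, 1]")
        q = min(int(v * (1 << bits)), top)
        rows.append([(q >> (bits - 1 - b)) & 1 for b in range(bits)])
    return rows


def from_binary_matrix(matrix):
    """Decode for sanity checks; returns the lower edge of each quantisation bin."""
    bits = len(matrix[0])
    return [sum(bit << (bits - 1 - b) for b, bit in enumerate(row)) / (1 << bits)
            for row in matrix]


def weighted_vote(local_probs, weights, threshold=0.5):
    """local_probs: {monitor: P(attack)} from each monitor's CNN;
    weights: {monitor: weight}.  Monitors that sent nothing (timeout, lost
    link) do not vote, and a monitor with no known weight is ignored rather
    than trusted.  Returns (label, weighted attack score)."""
    votes = {m: p for m, p in local_probs.items() if m in weights}
    total = sum(weights[m] for m in votes)
    if total == 0:
        raise ValueError("no eligible votes")
    score = sum(weights[m] * p for m, p in votes.items()) / total
    return ("attack" if score >= threshold else "normal"), score


# Constructed round: one well-performing monitor is confident it sees an
# attack; two weaker monitors lean towards normal.
LOCAL = {"C": 0.9, "E": 0.25, "G": 0.25}
ACCURACY = {"C": 1.0, "E": 0.3, "G": 0.3}
EQUAL = {m: 1.0 for m in LOCAL}

if __name__ == "__main__":
    print(to_binary_matrix([0.0, 0.5, 1.0]))
    print("weighted:", weighted_vote(LOCAL, ACCURACY))
    print("majority:", weighted_vote(LOCAL, EQUAL))
```

The constructed round is the case the page's weighting is meant for: a plain majority of the three monitors would call the traffic normal, while weighting by each model's effectiveness follows the strong monitor and flags an attack. The same mechanism cuts the other way if a weak or compromised monitor is handed a high weight, so the weights themselves need protecting as carefully as the models.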
Taken together, these steps give an intrusion detection system tailored to IoT networks that is both efficient and reliable. As interconnected devices proliferate, such techniques can substantially strengthen the security posture against an evolving threat landscape.