Intrusion detection with deep learning on internet of things heterogeneous network

ABSTRACT


INTRODUCTION
The increase in the number of complex and diverse (heterogeneous) traffic flows and in the distribution of internet of things (IoT) devices or services makes IoT security more complex and challenging [1]. According to [2]-[4], from 2013 to 2020 there will be around 24-50 billion new IoT devices connected to the internet. With so many devices connected, serious security problems arise, and [5] shows that in 2016 the biggest DDoS attack had occurred through an IoT device. Therefore, one solution is to implement an intrusion detection system in the heterogeneous network.
Diro and Chilamkurti [6] state that traditional machine learning cannot detect complex cybercrime actions, because the traditional machine learning training process fails to recognize small changes in the packet attack scenario and because it cannot extract invisible features. This is consistent with the fact that many attacks have mutated (around 99%) and only about 1% still follow the previous concepts and methods. The success of deep learning (DL) in detecting small changes, such as small changes in image pixels, shows the reliability of DL in the training process.
Research [7] shows that deep learning can be applied not only to big data but also to the classification of network traffic and to intrusion detection systems. Several previous studies have used deep learning to detect attack traffic: [8] combines deep learning and shallow learning for NIDS on the KDD'99 and NSL-KDD datasets, and [9] uses a deep learning sparse autoencoder and soft-max regression for detection on the NSL-KDD dataset. Research [10] proposes a hybrid of deep learning and an autoencoder to improve the detection accuracy of the IDS; detection time also becomes faster because the dimensions of the dataset are reduced.
However, some attack detection studies on IoT using deep learning still use the KDD'99 and NSL-KDD datasets, so the results of deep learning testing become a major issue. Therefore, an IoT dataset will be built with several services that can describe heterogeneous networks. The purpose of this study is to apply deep learning to IoT intrusion detection systems on heterogeneous networks.

RELATED WORKS
DL has been implemented in various fields, for instance in network security (IDS). The literature [11] surveys the use of DL in IDS with several deep learning algorithms such as AE, RNN, CNN, RBM, and DBN. The authors of [12] conducted research comparing several conventional machine learning methods, such as logistic regression, J45, SVM, and RF, with DL, where DL was able to achieve the best accuracy. In addition, [12] also applied deep learning using TensorFlow, tested it on the MAWILab 2017 dataset, and also achieved satisfactory detection results.
Some propose a hybrid deep learning algorithm [9], namely AE and DBN, in which AE is used for automatic feature extraction and DBN for detection or classification. In the literature, previous researchers [13]-[18] evaluate their proposed methods using the NSL-KDD and KDD'99 Cup datasets, and the research is not much different. Interestingly, [19] describes a few public datasets that can be used for testing with deep learning.
Sharipuddin et al. [20] proposed deep learning with DBN to improve the intrusion detection system on IoT by comparing it with existing DGAs standards. In addition, [6] also proposes using DL for detection systems on the IoT network, and the results of that research reach 99 percent accuracy. However, that study was evaluated with the NSL-KDD and KDD CUP 99 datasets, so it needs to be tested on real IoT networks to obtain accurate results.

RESEARCH METHOD

Deep learning algorithms
DL is the evolution of machine learning from the ANN. DL is one of the great innovations pushing many organizations to take advantage of artificial intelligence. DL algorithms are capable of finding features in a way similar to the human brain, and DL was developed step by step from the ANN. DL consists of large numbers of neuron connections that can perform high-level extraction of data features. In DL, the function learned by a neuron is evaluated and calculated by thousands of sub-neurons, which produces a comprehensive classification. DL has several forms; this work proposes to use a deep belief network (DBN) to detect attacks in IDS-IoT. In the DBN, the learning and training data are given as input. The DBN has features to pre-process the data and clean out noise that is not suitable. There are a few DBN invariants in the range Figure 1. The normalization process in the DBN prevents misguided decisions. The DBN can use a probabilistic procedure to reconstruct its data inputs, so the layers themselves act as feature detectors [21], [22].
A deep belief network consists of a few stacked layers, like a multi-stage restricted Boltzmann machine (RBM). The hidden layers in the DBN are composed of one number to allow the learning process to be faster. Often called log-linear, the RBM algorithm is constructed based on the Markov random field (MRF). The RBM energy function has its free parameters to increase accuracy. The RBM is a building block of a deep belief network. The connections among neurons in the visible layer are shown in Figure 1. The hidden layers exist between the layers in Figure 2. The neurons store the results of computations at each layer. Each node can be given random input weights.
There are two steps in the DBN training process [23]. First, each RBM layer is trained separately in an unsupervised manner. Second, a BP neural network is used in the last layer of the DBN: we set the output vector of the last RBM as the input vector of the BP neural network, and then conduct supervised training of the classifier relations.

Heterogeneous topology
We built a testbed topology to obtain real heterogeneous IoT datasets by using several different end-devices, services, and protocols, so that it depicts heterogeneous networks in the real world. The hardware used to develop the testbed includes soil moisture, MQ2, Funduino and DHT22. There are some nodes acting as end-devices and middleware. The middleware communicates using XBee, w1d D1 and wireless routers to connect the middleware and the monitoring server. The topology proposed in this study is shown in Figure 3. The attack used in this paper is DoS. The normal and attack patterns were obtained by analyzing the attributes [20], so that normal or attack data can be identified manually.

Data preprocessing
This stage pre-processes the dataset that was obtained previously. This process is needed to extract the parameters required to find and identify common basic patterns. Pcap files obtained from the sniffing process are difficult for humans to read because they have different header structures and have hidden layers that depend on the different protocols and encapsulation processes. We propose two mechanisms for pre-processing the dataset, namely data conversion and normalization. Data conversion converts nominal traffic features to numeric ones and ensures that all data processed by the detection system model are numeric. The following is the pseudocode of the process that extracts the dataset parameters. Normalization is implemented to reduce the high variance of features to a certain scale of values [21]. Zero values will be eliminated in the normalization process. To normalize, we propose to use the minimum-maximum method to scale feature values between zero and one.
$$X_{i[0-1]} = \frac{X_i - X_{\min}}{X_{\max} - X_{\min}}$$

Here $X_i$ is data point i, $X_{\min}$ is the smallest value of the data points, $X_{\max}$ is the highest value of the data points, and $X_{i[0-1]}$ is data point i normalized to the range between 0 and 1. Because some columns contain only NaN values, in this particular case NaN has been converted to zero.
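The two pre-processing mechanisms described above can be sketched as follows. This is an added example, not the authors' code or pseudocode; the column layout and sample rows are constructed. It goes one step beyond the text by learning the category codes, X_min and X_max from the training split only and clipping out-of-range test values, so the scaler learns nothing from the test data.

```python
import math

def to_float(value, codes):
    """Data conversion: nominal string -> integer code; NaN, infinity, empty -> 0."""
    if value is None or value == "":
        return 0.0
    try:
        x = float(value)
    except (TypeError, ValueError):
        return float(codes.get(value, 0))        # category unseen in training -> 0
    return x if math.isfinite(x) else 0.0

def convert(row, codes):
    return [to_float(v, codes[j]) for j, v in enumerate(row)]

def fit(train_rows):
    """Learn category codes and per-column Xmin/Xmax from the training split only."""
    codes = [{} for _ in train_rows[0]]
    for row in train_rows:
        for j, v in enumerate(row):
            if isinstance(v, str) and v:
                try:
                    float(v)                      # numeric strings need no code
                except ValueError:
                    codes[j].setdefault(v, len(codes[j]) + 1)   # codes start at 1
    cols = list(zip(*(convert(r, codes) for r in train_rows)))
    return codes, [min(c) for c in cols], [max(c) for c in cols]

def transform(rows, params):
    """Apply (X_i - Xmin) / (Xmax - Xmin) per column, clipped to [0, 1]."""
    codes, lo, hi = params
    out = []
    for row in rows:
        scaled = []
        for j, x in enumerate(convert(row, codes)):
            span = hi[j] - lo[j]
            s = (x - lo[j]) / span if span > 0 else 0.0   # constant column -> 0
            scaled.append(min(1.0, max(0.0, s)))          # test value outside train range
        out.append(scaled)
    return out

# Constructed sample rows: protocol, frame length, TCP window, inter-arrival time.
TRAIN = [["TCP", 60, "1024", 0.5], ["UDP", 1500, "", float("nan")], ["ARP", 42, "", 0.1]]
TEST = [["ICMP", 3000, "512", float("inf")]]
PARAMS = fit(TRAIN)
TRAIN_SCALED = transform(TRAIN, PARAMS)
TEST_SCALED = transform(TEST, PARAMS)
```

Integer codes impose an arbitrary order on nominal values such as the protocol name; the page only states that nominal features are converted to numeric, so the coding scheme here is an assumption.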

IDS-DBN
In this paper, deep learning is used to identify DoS attacks in the captured dataset. Figure 4 is the flowchart of the proposed IDS-DBN method. First, a dataset consisting of DoS attacks and benign behaviors was captured from the heterogeneous network. Then the dataset was normalized. Next, the samples were split into training data and testing data. The training data consist of five parts with 50%, 60%, 70%, 80%, and 90% of the dataset, and the corresponding testing data are 50%, 40%, 30%, 20%, and 10%. The IDS-DBN models were developed on the basis of the training data. Last, the developed models were evaluated with the testing data. The outcome of IDS-DBN is the measured performance of the developed models. IDS-DBN consists of two hidden layers with 8 neurons each. The activation functions proposed for the IDS-DBN model are relu and sigmoid. The number of neurons and hidden layers of the IDS-DBN model was changed depending on the performance obtained; in this work, we selected these numbers based on the model's accuracy. On the other hand, we did not apply a feature selection method to IDS-DBN and used all the normalized features. In future work, we will use different artificial intelligence approaches to define optimum values and will apply feature extraction or feature selection to reduce the dimension of the input data. Figure 4 shows the main steps of IDS-DBN [24], [25]. First, the preprocessed dataset is divided into training data and testing data. Second, the dataset is normalized, which converts its values to the range 0 to 1; in addition, unrelated features such as time, and values that are NaN, infinity, or empty, are converted to zero. Third, the IDS-DBN models used for detection are developed by learning from the training data. Last, the IDS-DBN models are evaluated.
In this work, the IDS-DBN model consists of a few layers. The first layer is the input layer with 62 dimensions and 12 nodes. The second is the hidden layer, which consists of 2 layers and 8 nodes. The last layer is the output layer, with sigmoid activation, which produces two classes: attack and normal.
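The two-step DBN training process and the two 8-neuron hidden layers described above can be sketched in NumPy as follows. This is an added example, not the authors' TensorFlow model. It assumes CD-1 for the unsupervised RBM step and a single sigmoid output unit trained by gradient descent for the supervised step, and it uses 6 constructed features rather than the paper's 62.

```python
import numpy as np
def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))

def train_rbm(v, n_hidden, rng, epochs=1000, lr=0.2):
    """Step 1: unsupervised CD-1 training of one RBM on inputs scaled to [0, 1]."""
    W = rng.normal(0.0, 0.1, (v.shape[1], n_hidden))
    a, c = np.zeros(v.shape[1]), np.zeros(n_hidden)      # visible / hidden biases
    for _ in range(epochs):
        h0 = sigmoid(v @ W + c)                           # hidden probabilities (data)
        hs = (rng.random(h0.shape) < h0).astype(float)    # sampled hidden states
        v1 = sigmoid(hs @ W.T + a)                        # reconstruction
        h1 = sigmoid(v1 @ W + c)
        W += lr * (v.T @ h0 - v1.T @ h1) / len(v)
        a += lr * (v - v1).mean(axis=0)
        c += lr * (h0 - h1).mean(axis=0)
    return W, c

def train_dbn(X, y, hidden=(8, 8), seed=0):
    """Greedy RBM stack, then a supervised sigmoid unit on the last RBM's output."""
    rng = np.random.default_rng(seed)
    layers, feats = [], X
    for n in hidden:                                      # labels are not used here
        W, c = train_rbm(feats, n, rng)
        layers.append((W, c))
        feats = sigmoid(feats @ W + c)                    # output feeds the next RBM
    w, b = np.zeros(feats.shape[1]), 0.0
    for _ in range(5000):                                 # step 2: gradient descent
        err = sigmoid(feats @ w + b) - y                  # d(cross-entropy)/d(logit)
        w -= 0.5 * feats.T @ err / len(y)
        b -= 0.5 * err.mean()
    return layers, w, b

def predict(model, X):
    for W, c in model[0]:
        X = sigmoid(X @ W + c)
    return (sigmoid(X @ model[1] + model[2]) >= 0.5).astype(int)

def make_flows(n, rng):
    """Constructed data: 6 scaled features; attack rows (label 1) have features 0-2 high."""
    y = np.arange(n) % 2
    X = rng.uniform(0.0, 0.2, (n, 6))
    X[y == 1, :3] += 0.8
    return X, y

def demo_accuracy():
    rng = np.random.default_rng(1)
    (Xtr, ytr), (Xte, yte) = make_flows(200, rng), make_flows(100, rng)
    return float((predict(train_dbn(Xtr, ytr), Xte) == yte).mean())
```

Only the output unit is trained with labels here; the RBM weights stay as pre-trained, which follows the description of feeding the last RBM's output vector into the BP network.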

Performance metrics
We use the four most common validation metrics to measure the performance of the IDS-DBN model, explained by:

THE RESULTS AND ANALYSIS
For the experiment, we used a Dell notebook with an Intel Core i7, 256 SSD, 12GB memory, and Ubuntu 18.04 LTS. The DBN is built with TensorFlow (Python), and Scikit-learn is used for the dataset normalization process. Here are the deep learning setup variables. This section discusses the results of the experiments that have been carried out. In the topology experiment, there are two test datasets, benign and attack, with a five-minute observation period. Table 1 gives the number of packets from the experiments, which amounts to 1213299, across a few protocols, namely TCP, UDP and ARP. The packets consist of 1139179 attack packets and 74121 normal packets. Preprocessing obtained 95 features for the Wi-Fi protocol. Next is the normalization process. The goal of normalization is to eliminate irrelevant features from the training and testing process of IDS-DBN, leaving the 62 attributes that can be seen in Table 2. It displays the results of the normalization of the extracted data attributes, after which string-typed attributes are converted to numeric. Then the data are transformed to a scale of 0 to 1, as shown in Figure 5, so that they can be input to the IDS-DBN detection system.

The step after preprocessing the dataset is developing the IDS-DBN model. In this paper, we have implemented an IDS for multi-class attack classification based on DBN; the IDS-DBN models are trained using a sequence of RBMs. Each row of the dataset has 62 features as input to the IDS-DBN model and two outputs. The number of epochs in the training process is 100 and the batch size of the layers is 10. The details of the variables for building the IDS-DBN model are shown in Table 3.
Table 4 shows the result of deep learning testing using a data split of 50 percent for training and 50 percent for testing. In this test, the attack detection results were 569457 packets and 36707 normal packets, with the detection error in this test reaching 0 percent. This test is carried out 5 times, with the share of testing data going from 50 percent to 10 percent.

Table 5 shows the performance metrics from the tests that have been carried out: deep learning can detect packet traffic on a heterogeneous IoT network with up to 100 percent accuracy. These results may also be influenced by the lack of packet types in the dataset that has been built. An interesting finding from this test is that deep learning can successfully conduct training and testing with a high-dimensional dataset that reaches 62 features. Figure 6 shows the experimental accuracy with respect to the percentage of data used for training.

Figure 6. Result of testing

CONCLUSION
This work proposes to use deep learning for IDS IoT, with a deep belief network, to detect attacks on heterogeneous networks with considerable feature dimensions. The result of the evaluation is that deep learning successfully identifies attacks that occur in heterogeneous networks. The detection accuracy achieves around 99 percent. In future research, feature extraction will be applied to the IDS IoT to reduce the dimensions of the data features so that fewer resources are needed.

ACKNOWLEDGMENTS
This work was funded by UNAMA (Universitas Dinamika Bangsa) through its HR development programs and supported by COMNETS Lab, Universitas Sriwijaya.