Study of Network IDS in IoT devices

Original Research, SN Computer Science

Abstract

As connected objects become the norm for quality of life, network intrusion detection is more critical than ever. Over the past decades, several datasets have been developed to tackle this security challenge. Among them, CIC-IDS2017, one of the most recent IDS datasets, has become a popular choice. Its benefit is the availability of raw data in PCAP files as well as flow-based features in CSV files. In this paper, we study IDS for IoT devices. The objective is to optimize the detection model so that it can run on a device with limited resources. To do so, we propose a methodology to improve the reliability and processing speed of flow-based IDS data. By applying it to the CIC-IDS2017 dataset, we highlight serious flaws at several levels and propose a new feature extraction tool named LycoSTand, used to generate a corrected version of the dataset called LYCOS-IDS2017. The performance comparison between the original and the corrected datasets shows significant performance increases for all evaluated machine learning algorithms, with simpler and more efficient ML models. We carry out a runtime analysis showing that feature extraction is the bottleneck in flow-based IDS. Experiments with our solution, which removes this bottleneck, show that the whole intrusion detection system can be executed on a resource-constrained device. To conclude the paper, a discussion presents the difficulty of fairly comparing the performance of the two datasets, identifies other unreliable datasets and, finally, highlights limitations of supervised ML approaches.
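The abstract refers to flow-based features extracted from raw packets, the step it identifies as the runtime bottleneck of a flow-based IDS. The block below is an added example, not code from the paper or from the LycoSTand tool, showing the core of that step: packets are grouped into bidirectional flows keyed on the sorted endpoint pair and protocol, a flow is closed when a packet arrives after an assumed inactivity timeout (`FLOW_TIMEOUT`, a value chosen for the example), and per-flow features of the kind found in flow-based IDS datasets (duration, forward/backward packet and byte counts, mean inter-arrival time) are computed. The packet records are constructed inline; they are not traffic from CIC-IDS2017.

```python
"""Bidirectional flow aggregation over packet records (added example, not from the paper)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed inactivity timeout in seconds: a packet arriving more than this
# long after the flow's last packet starts a new flow (value chosen here).
FLOW_TIMEOUT = 120.0

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    length: int    # IP payload length in bytes


@dataclass
class Flow:
    initiator: Endpoint            # endpoint that sent the first observed packet
    responder: Endpoint
    proto: int
    start: float
    last: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    fwd_bytes: int = 0
    bwd_bytes: int = 0
    timestamps: List[float] = field(default_factory=list)

    def add(self, pkt: Packet) -> None:
        # Direction is relative to the initiator; this assumption breaks when a
        # capture starts mid-connection, so the first packet seen is the responder's.
        if (pkt.src, pkt.sport) == self.initiator:
            self.fwd_pkts += 1
            self.fwd_bytes += pkt.length
        else:
            self.bwd_pkts += 1
            self.bwd_bytes += pkt.length
        self.last = pkt.ts
        self.timestamps.append(pkt.ts)

    def features(self) -> dict:
        iats = [b - a for a, b in zip(self.timestamps, self.timestamps[1:])]
        return {
            "src": self.initiator[0], "sport": self.initiator[1],
            "dst": self.responder[0], "dport": self.responder[1],
            "proto": self.proto, "start": self.start,
            "duration": self.last - self.start,
            "fwd_pkts": self.fwd_pkts, "bwd_pkts": self.bwd_pkts,
            "fwd_bytes": self.fwd_bytes, "bwd_bytes": self.bwd_bytes,
            "mean_iat": sum(iats) / len(iats) if iats else 0.0,
        }


def flow_key(pkt: Packet) -> tuple:
    """Order the two endpoints so both directions of a flow share one key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo, hi, pkt.proto)


def aggregate(packets: List[Packet]) -> List[dict]:
    """Group packets into bidirectional flows and return one feature row per flow."""
    active: Dict[tuple, Flow] = {}
    finished: List[Flow] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = flow_key(pkt)
        flow = active.get(key)
        if flow is not None and pkt.ts - flow.last > FLOW_TIMEOUT:
            finished.append(active.pop(key))   # expire the idle flow
            flow = None
        if flow is None:
            flow = Flow(initiator=(pkt.src, pkt.sport), responder=(pkt.dst, pkt.dport),
                        proto=pkt.proto, start=pkt.ts, last=pkt.ts)
            active[key] = flow
        flow.add(pkt)
    finished.extend(active.values())   # flush flows still open at end of capture
    return [f.features() for f in finished]


# Constructed sample: a short HTTP exchange, a DNS query/response, and a late
# packet on the same TCP 5-tuple that arrives after the timeout.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 60),
    Packet(0.10, "10.0.0.9", 80, "10.0.0.5", 40000, 6, 60),
    Packet(0.20, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 500),
    Packet(0.30, "10.0.0.9", 80, "10.0.0.5", 40000, 6, 1400),
    Packet(0.40, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 52),
    Packet(0.05, "10.0.0.5", 53001, "10.0.0.2", 53, 17, 70),
    Packet(0.06, "10.0.0.2", 53, "10.0.0.5", 53001, 17, 120),
    Packet(300.0, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 60),
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_PACKETS):
        print(row)
```

The sample yields three flows: the HTTP exchange (3 forward and 2 backward packets), the DNS pair, and a second, single-packet flow for the late TCP segment, because it arrives more than `FLOW_TIMEOUT` seconds after the first flow's last packet. Which timeout is used and which packet is taken as the initiator both change the resulting feature rows, which is why the extraction step, not only the classifier, decides what a flow-based detector can learn.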



Author information


Corresponding author

Correspondence to Arnaud Rosay.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical Approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information


This article is part of the topical collection “Advances on Information Systems Security and Privacy” guest edited by Steven Furnell and Paolo Mori.


About this article


Cite this article

Rosay, A., Cheval, E., Ghanmi, M. et al. Study of Network IDS in IoT devices. SN COMPUT. SCI. 4, 407 (2023). https://doi.org/10.1007/s42979-023-01849-3


  • DOI: https://doi.org/10.1007/s42979-023-01849-3
