
A two-tier hybrid ensemble learning pipeline for intrusion detection systems in IoT networks

  • Original Research
Journal of Ambient Intelligence and Humanized Computing

Abstract

As the number of network devices increases, so does the need for a robust intrusion detection system to ensure ubiquitous and secure Internet of Things (IoT) network traffic flow. Most existing intrusion detection systems do not consider dataset imbalance or model maintenance, which leads to high bias and to high false positive and false negative rates, and in turn to security breaches. To mitigate these shortcomings, an ensemble learning model is proposed to detect anomalous behaviour in IoT network flow. The proposed machine learning pipeline uses voting between a random forest classifier and an XGBoost classifier, thus combining the bagging and boosting algorithms, to classify the network flow as normal or anomalous. The proposed model is trained on two standard benchmark datasets, UNSW-NB15 and BoT-IoT, on which it attained accuracies of 99.7% and 99.66% respectively, with false positive rates of 0.0027 and 0.0042, under 10-fold cross-validation. If the network flow is classified as anomalous, the category of anomaly is then predicted, for which accuracies of 99.53% and 99.65% are attained. With such high accuracies and low false positive rates, the proposed framework can be deployed to detect malicious or anomalous behaviour in IoT networks under real-world conditions, such as in smart cities.
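The two-tier structure described in the abstract can be sketched as follows. This is an added example, not the authors' code: it assumes scikit-learn's `GradientBoostingClassifier` as a stand-in for XGBoost, soft voting, balanced class weights as one way to handle imbalance, and constructed synthetic flows in place of UNSW-NB15 or BoT-IoT.

```python
import numpy as np
from sklearn.datasets import make_classification
from sklearn.ensemble import (GradientBoostingClassifier,
                              RandomForestClassifier, VotingClassifier)
from sklearn.metrics import confusion_matrix
from sklearn.model_selection import StratifiedKFold, cross_val_predict


def make_voter(seed=0):
    """Bagging (random forest) and boosting combined by soft voting."""
    rf = RandomForestClassifier(n_estimators=50, class_weight="balanced",
                                random_state=seed)  # weighting: assumption
    gb = GradientBoostingClassifier(n_estimators=50, random_state=seed)
    # gb is a scikit-learn stand-in for XGBoost; soft voting is an assumption.
    return VotingClassifier([("rf", rf), ("gb", gb)], voting="soft")


def make_flows(n=1500, seed=0):
    """Constructed flows: category 0 = normal (70%), 1-3 = attack types."""
    return make_classification(
        n_samples=n, n_features=12, n_informative=8, n_classes=4,
        n_clusters_per_class=1, weights=[0.7, 0.1, 0.1, 0.1],
        class_sep=3.0, flip_y=0.0, random_state=seed)


def tier1_cv_rates(X, is_attack, folds=10, seed=0):
    """False positive and false negative rates from out-of-fold predictions."""
    cv = StratifiedKFold(n_splits=folds, shuffle=True, random_state=seed)
    pred = cross_val_predict(make_voter(seed), X, is_attack, cv=cv)
    tn, fp, fn, tp = confusion_matrix(is_attack, pred, labels=[0, 1]).ravel()
    return fp / (fp + tn), fn / (fn + tp)


class TwoTierIDS:
    """Tier 1: normal vs anomalous. Tier 2: category, for flagged flows only."""

    def fit(self, X, cat):
        attack = cat != 0
        self.tier1 = make_voter().fit(X, attack.astype(int))
        self.tier2 = make_voter().fit(X[attack], cat[attack])
        return self

    def predict(self, X):
        out = np.zeros(len(X), dtype=int)          # 0 = normal
        flagged = self.tier1.predict(X) == 1
        if flagged.any():
            out[flagged] = self.tier2.predict(X[flagged])
        return out


if __name__ == "__main__":
    X, cat = make_flows()
    fpr, fnr = tier1_cv_rates(X, (cat != 0).astype(int))
    print(f"tier 1, 10-fold CV: FPR={fpr:.4f} FNR={fnr:.4f}")
    ids = TwoTierIDS().fit(X[:1200], cat[:1200])
    print("held-out categories:", ids.predict(X[1200:])[:10])
```

Because tier 2 only sees flows that tier 1 flags, a tier-1 false negative is never categorised, so the false negative rate belongs next to the false positive rate when judging such a pipeline.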


Data availability statement

The datasets used during the current study are available in the UNSW-NB15 and BoT-IoT repositories.


Funding

Not applicable.

Author information

Corresponding author

Correspondence to Devansh Srivastav.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.


About this article


Cite this article

Srivastav, D., Srivastava, P. A two-tier hybrid ensemble learning pipeline for intrusion detection systems in IoT networks. J Ambient Intell Human Comput 14, 3913–3927 (2023). https://doi.org/10.1007/s12652-022-04461-0
