Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection
Recently, the number of Internet of Things (IoT) botnet attacks has increased tremendously due to the expansion of online IoT devices, which can be easily compromised. Botnets are a common threat that takes advantage of the lack of basic security tools in IoT devices and can perform a series of Distributed Denial of Service (DDoS) attacks. Developing new methods to detect compromised IoT devices is urgent in order to mitigate the negative consequences of these IoT botnets, since the existing IoT botnet detection methods still present some issues, such as relying on labelled data, not being validated with newer botnets, and using very complex machine learning algorithms. Anomaly detection methods are promising for detecting IoT botnet attacks since the amount of available normal data is very large. One of the powerful algorithms that can be used for anomaly detection is the One Class Support Vector Machine (OCSVM). The efficiency of the OCSVM algorithm depends on several factors that greatly affect the classification results, such as the subset of features used for training the OCSVM model, the kernel type, and its hyperparameters. In this paper, a new unsupervised evolutionary IoT botnet detection method is proposed. The main contribution of the proposed method is to detect IoT botnet attacks launched from compromised IoT devices by exploiting the efficiency of a recent swarm intelligence algorithm called the Grey Wolf Optimization algorithm (GWO) to optimize the hyperparameters of the OCSVM and, at the same time, to find the features that best describe the IoT botnet problem. To prove the efficiency of the proposed method, its performance is evaluated using typical anomaly detection evaluation measures over a new version of a real benchmark dataset. The experimental results show that the proposed method outperforms all other algorithms in terms of true positive rate, false positive rate, and G-mean for all IoT device types. Also, it achieves the lowest detection time, while significantly reducing the number of selected features.
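To make the search described above concrete, here is an added example (not the paper's code) of the GWO wrapper: each wolf's position encodes nu, gamma and a feature mask in one hybrid vector, and G-mean on a labelled validation set is the objective being maximised. The one-class model is a Parzen-window RBF scorer standing in for the OCSVM so the block runs without external libraries, the sample flows are constructed, and the exact objective, encoding ranges and pack settings are assumptions rather than the paper's.

```python
import math, random
def rbf_one_class(train, nu, gamma):
    """Parzen-window RBF scorer standing in for the OCSVM (assumption); nu plays OCSVM's nu."""
    def density(x):
        return sum(math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, t)))
                   for t in train) / len(train)
    thr = sorted(density(t) for t in train)[int(nu * (len(train) - 1))]  # nu-quantile
    return lambda x: density(x) < thr          # True -> flagged as anomalous

def decode(pos, n_feat):
    """Hybrid wolf encoding: pos[0] -> nu, pos[1] -> gamma (log scale), pos[2:] -> feature mask."""
    nu, gamma = 0.01 + 0.49 * pos[0], 10 ** (4 * pos[1] - 2)
    return nu, gamma, [i for i in range(n_feat) if pos[2 + i] > 0.5]

def gmean_fitness(pos, normal_train, val_x, val_y):
    """Objective: G-mean = sqrt(TPR * (1 - FPR)) on labelled validation flows (1 = attack)."""
    nu, gamma, mask = decode(pos, len(val_x[0]))
    if not mask: return 0.0                    # no features selected: useless wolf
    flagged = rbf_one_class([[r[i] for i in mask] for r in normal_train], nu, gamma)
    flags = [flagged([x[i] for i in mask]) for x in val_x]
    tpr = sum(f for f, y in zip(flags, val_y) if y) / sum(val_y)
    fpr = sum(f for f, y in zip(flags, val_y) if not y) / (len(val_y) - sum(val_y))
    return math.sqrt(tpr * (1 - fpr))

def gwo(fitness, dim, n_wolves=8, iters=25, seed=1):
    """Grey Wolf Optimizer (maximisation) over [0, 1]^dim; returns (fitness, position) of alpha."""
    rnd = random.Random(seed)
    wolves = [[rnd.random() for _ in range(dim)] for _ in range(n_wolves)]
    best = (-math.inf, None)
    for it in range(iters):
        ranked = sorted(((fitness(w), w[:]) for w in wolves), key=lambda s: s[0], reverse=True)
        best = max(best, ranked[0], key=lambda s: s[0])
        leaders = [s[1] for s in ranked[:3]]   # alpha, beta, delta guide the pack
        a = 2 - 2 * it / iters                 # encircling coefficient decays from 2 to 0
        for w in wolves:
            for j in range(dim):               # X = (X1 + X2 + X3) / 3, Xi = Li - A|C*Li - X|
                est = [ld[j] - (2 * a * rnd.random() - a) * abs(2 * rnd.random() * ld[j] - w[j]) for ld in leaders]
                w[j] = min(1.0, max(0.0, sum(est) / 3))
    return best

def make_data(seed=7, n=30):
    """Constructed flows (not real data): two informative features shifted by +4 for attacks, two noise."""
    rnd = random.Random(seed)
    row = lambda s: [rnd.gauss(s, 1), rnd.gauss(s, 1), rnd.random(), rnd.random()]
    return [row(0) for _ in range(n)], [row(0) for _ in range(n)] + [row(4) for _ in range(n)], [0] * n + [1] * n

def run_demo():                                # -> (best G-mean, nu, gamma, selected features)
    normal_train, val_x, val_y = make_data()
    fit, pos = gwo(lambda p: gmean_fitness(p, normal_train, val_x, val_y), dim=2 + 4)
    return (fit,) + decode(pos, 4)
```

The validation set is used only to score wolves; the stand-in model itself is fitted on normal traffic alone, which is what makes the scheme unsupervised at training time.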
Keywords: Internet of Things; Anomaly detection; Botnets; Feature selection; Intrusion detection system; Grey wolf optimization algorithm; Novelty detection; One class support vector machine.
Compliance with ethical standards
Conflict of interest
There is no conflict of interest to declare.
This article does not contain any studies with human participants or animals performed by any of the authors.