Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection

Abstract

Recently, the number of Internet of Things (IoT) botnet attacks has increased tremendously due to the expansion of online IoT devices, which can be easily compromised. Botnets are a common threat that takes advantage of the lack of basic security tools in IoT devices and can perform a series of Distributed Denial of Service (DDoS) attacks. Developing new methods to detect compromised IoT devices is urgent in order to mitigate the negative consequences of these IoT botnets, since the existing IoT botnet detection methods still present some issues, such as relying on labelled data, not being validated against newer botnets, and using very complex machine learning algorithms. Anomaly detection methods are promising for detecting IoT botnet attacks since the amount of available normal data is very large. One of the powerful algorithms that can be used for anomaly detection is the One-Class Support Vector Machine (OCSVM). The efficiency of the OCSVM algorithm depends on several factors that greatly affect the classification results, such as the subset of features used for training the OCSVM model, the kernel type, and its hyperparameters. In this paper, a new unsupervised evolutionary IoT botnet detection method is proposed. The main contribution of the proposed method is to detect IoT botnet attacks launched from compromised IoT devices by exploiting the efficiency of a recent swarm intelligence algorithm, the Grey Wolf Optimization algorithm (GWO), to optimize the hyperparameters of the OCSVM and at the same time to find the features that best describe the IoT botnet problem. To prove the efficiency of the proposed method, its performance is evaluated using typical anomaly detection evaluation measures over a new version of a real benchmark dataset. The experimental results show that the proposed method outperforms all other algorithms in terms of true positive rate, false positive rate, and G-mean for all IoT device types. It also achieves the lowest detection time, while significantly reducing the number of selected features.
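As an added example (not the paper's code or dataset), the following pure-Python sketch shows the search loop the abstract describes: each wolf carries a hybrid position vector holding the OCSVM hyperparameters nu and gamma together with a feature mask, and the pack is steered by the G-mean of the resulting detector. A small leave-one-out kernel-similarity scorer stands in for the OCSVM so the block runs without scikit-learn; the toy data, the [0, 1] encoding ranges, the pack size and the parsimony weight are assumptions.

```python
import math
import random

# Constructed toy traffic (not the paper's data): only features 0 and 1 separate attacks from normals.
def make_data(n_feat=8, seed=1):
    rng = random.Random(seed)
    normal = [[rng.gauss(0, 1) for _ in range(n_feat)] for _ in range(80)]
    attack = [[rng.gauss(4, 1) if j < 2 else rng.gauss(0, 1)
               for j in range(n_feat)] for _ in range(40)]
    return normal[:40], normal[40:], attack  # train normals, test normals, attacks
# Hypothetical stand-in for the OCSVM (pure Python, no sklearn): mean RBF-kernel similarity
# to the normal training set on the selected features (leave-one-out for training points).
def kscore(x, train, gamma, feats):
    sims = [math.exp(-gamma * sum((x[j] - t[j]) ** 2 for j in feats))
            for t in train if t is not x]
    return sum(sims) / len(sims)
def g_mean(tpr, fpr):
    return math.sqrt(tpr * (1.0 - fpr))
def evaluate(data, nu, gamma, feats):  # nu: share of training normals below thr; gamma: kernel width
    train, norm_test, att_test = data
    thr = sorted(kscore(x, train, gamma, feats) for x in train)[int(nu * (len(train) - 1))]
    tpr = sum(kscore(x, train, gamma, feats) < thr for x in att_test) / len(att_test)
    fpr = sum(kscore(x, train, gamma, feats) < thr for x in norm_test) / len(norm_test)
    return tpr, fpr, g_mean(tpr, fpr)
def decode(pos):  # hybrid wolf: pos[0] -> nu, pos[1] -> gamma, pos[2:] -> feature mask
    feats = [j for j, v in enumerate(pos[2:]) if v > 0.5]
    return 0.01 + 0.49 * pos[0], 0.01 + 1.99 * pos[1], feats
def fitness(pos, data, n_feat):  # G-mean plus a small bonus for using fewer features
    nu, gamma, feats = decode(pos)
    if not feats:  # an empty mask cannot classify anything
        return 0.0
    return 0.99 * evaluate(data, nu, gamma, feats)[2] + 0.01 * (1 - len(feats) / n_feat)
def gwo(fit, dim, n_wolves=8, iters=12, seed=0):  # alpha/beta/delta lead the pack; a decays 2 -> 0
    rng = random.Random(seed)
    pack = [[rng.random() for _ in range(dim)] for _ in range(n_wolves)]
    best = (-1.0, None)
    for it in range(iters):
        scored = sorted(((fit(w), w) for w in pack), key=lambda s: s[0], reverse=True)
        best = max(best, (scored[0][0], list(scored[0][1])))  # best-so-far alpha
        leaders = [list(s[1]) for s in scored[:3]]  # copies: the pack is updated in place
        a = 2.0 - 2.0 * it / iters
        for w in pack:
            for j in range(dim):
                w[j] = sum(l[j] - (2 * a * rng.random() - a) * abs(2 * rng.random() * l[j] - w[j])
                           for l in leaders) / 3.0
                w[j] = min(max(w[j], 0.0), 1.0)  # keep the encoding inside [0, 1]
    return best
def run(n_feat=8):
    data = make_data(n_feat)
    _, pos = gwo(lambda p: fitness(p, data, n_feat), 2 + n_feat)
    return decode(pos) + evaluate(data, *decode(pos))
```

`run()` returns the selected nu, gamma and feature indices followed by the TPR, FPR and G-mean of the detector built from them; with the toy data the mask should keep at least one of the two informative features.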



Author information


Corresponding author

Correspondence to Hossam Faris.

Ethics declarations

Conflict of interest

There is no conflict of interest to declare.

Ethical standards

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Al Shorman, A., Faris, H. & Aljarah, I. Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection. J Ambient Intell Human Comput 11, 2809–2825 (2020). https://doi.org/10.1007/s12652-019-01387-y


Keywords

  • Internet of Things
  • Anomaly detection
  • Botnets
  • Feature selection
  • Intrusion detection system
  • Grey wolf optimization algorithm
  • Novelty detection
  • One class support vector machine