Class imbalance and concept drift invariant online botnet threat detection framework for heterogeneous IoT edge

Abstract

Heterogeneous networks (HetIoT) of high-capacity and resource-constrained IoT devices and their edge associations for on-device distributed critical workloads—called the edge-of-things (EoT)—attract short-burst, botnet-based zero-day attacks that exploit latent vulnerabilities due to heterogeneous device properties, dynamic operational contexts, and insufficient security scrutiny of the constituent proprietary devices. Such a scenario necessitates a device-specific network intrusion detection (NID) technique for localizing the threat space and updated rule learning through online (real-time) model retraining. Furthermore, scarce labeled knowledge base and high levels of class imbalance of NID datasets complicate the ID system design process for EoT environments, as online detection cannot afford computationally expensive data balancing techniques; this necessitates a class imbalance invariant traffic inference technique for data preprocessing. Therefore, we propound the ONIDS online NID technique, which consists of a two-fold solution for the above problems. First, we propose a Beta distribution-based inference technique for efficient traffic behavior approximation—invariant of class imbalance and capable of non-cumulative traffic processing of smaller sample sizes. Then, we put forth an online ID technique called ELMO for class imbalance invariant time-bound training of smaller sample sizes on resource-constrained device-specific network traffic. Together, they are invariant of traffic class imbalances and adaptable to resultant concept drift categories exhibited by HetIoT attack behaviors. ONIDS has low memory and compute footprints and can efficiently process large and small amounts of traffic, making it suitable for online and offline NID. It also exhibits qualitative and quantitative superiority—particularly on smaller data samples.