Abstract

With the growth of the Internet of Things (IoT), it is essential to devise mitigation techniques that curb related attacks and prevent losses and network disruptions. One popular method of achieving this is the use of intrusion detection systems (IDSs) that incorporate machine learning (ML) techniques to automatically detect attacks and anomalies. The main purpose of this study was to compare attacks within the same layer (e.g. network layer) or across two different layers (e.g. network and application layers) in order to determine features that are common or unique to each attack and to further determine whether attacks belonging to different layers have distinguishing features. To achieve this outcome, the study used the Edge-IIoT dataset, a recent IoT-related dataset with a varied collection of attack signatures collected using IoT and IIoT (Industrial IoT) sensors. This study mainly focuses on home IoT networks; therefore, network traffic flows primarily from five sensors that can be commonly found in a home IoT network were selected from the Edge-IIoT dataset for the ML processes. For the scope of this study, transmission control protocol (TCP) and user datagram protocol (UDP) distributed denial of service (DDoS) attacks were selected as the network layer attacks, while structured query language (SQL) injection and cross-site scripting (XSS) attacks were selected as the application layer attacks. The study identified three features as unique to application layer attacks, four to the XSS attack only, and three to the UDP DDoS attack only. This study also showed that the Edge-IIoT dataset can be reduced to 20 features for optimal ML results (Naïve Bayes [NB] improved to 89.2%, J48 to 94.7% and k-nearest neighbour [k-NN] to 91.7%) using the gain ratio feature selection technique.
