Abstract

Anomaly-based machine learning-enabled intrusion detection systems (AML-IDSs) show lower performance and prediction accuracy when detecting intrusions in the Internet of Things (IoT) than deep learning-based intrusion detection systems (DL-IDSs). In particular, AML-IDSs that employ low-complexity models for IoT, such as the principal component analysis (PCA) method and the one-class support vector machine (1-SVM) method, are inefficient in detecting intrusions when compared to DL-IDSs with the two-class neural network (2-NN) method. PCA and 1-SVM AML-IDSs suffer from low detection rates compared to DL-IDSs. The size of the data set and the number of features or variants in the data set may influence how well PCA and 1-SVM AML-IDSs perform compared to DL-IDSs. We attribute the low performance and prediction accuracy of the AML-IDS model to an imbalanced data set, a low similarity index between the training data and testing data, and the use of a single-learner model. The intrinsic limitations of the single-learner model have a direct impact on the accuracy of an intelligent IDS. Also, the dissimilarity between testing data and training data leads to an increasingly high rate of false positives (FPs) in AML-IDSs compared to DL-IDSs, which have low false alarms and high predictability. In this article, we examine the use of optimization techniques to enhance the performance of single-learner AML-IDSs, such as PCA and 1-SVM AML-IDS models, for building efficient, scalable, and distributed intelligent IDSs for detecting intrusions in IoT. We evaluate these AML-IDS models by applying hyperparameter tuning and ensemble learning optimization techniques using the Microsoft Azure ML Studio (AMLS) platform and two data sets containing malicious and benign IoT and industrial IoT (IIoT) network traffic. Furthermore, we present a comparative analysis of AML-IDS models for IoT regarding their performance and predictability.
