An Adaptive Deep-Ensemble Anomaly-Based Intrusion Detection System for the Internet of Things

Nowadays, IoT technology has become an essential part of many aspects of life and business. Nevertheless, such widespread application has come at the cost of many security concerns that threaten data privacy and diminish IoT utilization momentum in critical applications such as the smart grid and intelligent transportation systems. To address this challenge, several approaches have been proposed to detect and prevent IoT cyberthreats from materializing. Anomaly detection is one of these approaches that defines the boundaries of legitimate (normal) behavior. Any behavior that falls outside these boundaries is considered anomalous. However, these solutions should have the capability to adapt and adjust to environmental changes that prompt IoT nodal behavioral aberrations, except they only assume that these nodes show the same behavior. This assumption does not hold due to the heterogeneity of IoT nodes and the dynamic nature of an IoT network topology. Furthermore, existing adaptive solutions rely on static (pre-defined) thresholds to control the moment for retraining updates. The cost is heavy for highly dynamic environments like IoT as it leads to an unnecessary higher frequency of retraining. Consequently, the model becomes unstable and adversely affects its accuracy and robustness. This paper addresses these problems by offering an improved Adaptive Anomaly Detection (AAD) methodology that resolves the heterogeneity issues by building local profiles that define normal behavior at each IoT node. The One Class Support Vector Machines (OC-SVM) was used to build these profiles. Then, K-Means clustering was used to build a global profile that represents all network nodes. A Local-Global Ratio-Based (LGR) Anomaly Detection scheme is advanced and was enlisted to control the adaptation process by adjusting the threshold of adaptive functionality dynamically based on the "current" situation to prevent unnecessary retraining. An Ensemble of Deep Belief Networks (EDBN) is developed and used to train the anomaly detection model. Additionally, this study's proposes a new Minimized Redundancy Discriminative Feature Selection (MRD-FS) technique to resolve the issue of redundant features. The MRD-FS experimental evaluation shows detection accuracy higher than those of the related solutions including lower false alarm rates. This validates the efficacy of the proposed model for various IoT applications such as smart grids, smart homes, smart cities and intelligent transportation systems.