Jose Costa Sapalo Sicato* , Sushil Kumar Singh* , Shailendra Rathore* and Jong Hyuk Park*
A Comprehensive Analyses of Intrusion Detection System for IoT Environment
Abstract: The Internet of Things (IoT) network is increasingly becoming a ubiquitous connectivity layer between advanced applications such as smart cities, smart homes, smart grids, and many others. This emerging network of smart devices and objects enables people to make smart decisions through machine-to-machine (M2M) communication. At the same time, most real-world IoT deployments are exposed to a variety of attacks that pose numerous security and privacy challenges, so efficient and effective solutions are required. An intrusion detection system (IDS) is one such solution: it addresses security and privacy challenges by detecting different IoT attacks. To support attack detection and a stable network, the main objective of this paper is to provide a comprehensive overview of existing intrusion detection systems for the IoT environment; cyber-security threats and challenges, as well as open problems and concerns, are analyzed and discussed. We also propose a software-defined IDS based on a distributed cloud architecture that provides a secure IoT environment. Experimental evaluation of the proposed architecture shows that it has better detection and accuracy than traditional methods.
Keywords: IDS, IoT, M2M, Security, Privacy
1. Introduction
In the information technology age, the Internet of Things (IoT) is known as one of the most exciting technologies. The internet allows the number of connected devices to grow exponentially every day, and it has been announced that over 50 million devices will be connected via the internet by 2020. The purpose of IoT technology is to interconnect all objects in such a way that every computer becomes programmable and intelligent and can communicate with humans more securely. Sensors and networks allow everything to communicate directly with everything else in order to exchange critical information; in the future this will be possible through machine-to-machine (M2M) communication. Numerous practical IoT applications can be used in many fields, such as smart city applications (smart home, smart grid, healthcare, and others), where they improve the quality of life. The concept of the intrusion detection system (IDS) is to detect a threat or intrusion into the network: it actively tracks the network, detects potential events, logs information about them, and stops incidents. An intrusion detection and prevention system (IDPS) combines two systems: it monitors the events occurring in a network and evaluates them for possible violations of security policies or incidents, and it also performs intrusion detection and attempts to stop the incidents it detects.
Using the IoT system in many application domains, such as healthcare, smart home, smart industry, environmental monitoring, and others, provides significant benefits. IoT security issues are a significant concern; the main ones are confidentiality, integrity, availability, and authorization [3, 4]. The integration of real-world objects with the IoT, however, brings a range of cybersecurity threats into daily activities. Such attacks target critical infrastructure in the IoT, for example denial of service (DoS), man-in-the-middle (MITM), and others. They can compromise any device, and if the main server is compromised by the attacker, the whole system can be shut down. To address these problems, the IDS is recognized as one of the key tools and plays a crucial role in the IoT security framework, as it already does for information systems and conventional networks. It detects many known and unknown attacks, not only known ones.
In this study, we provide a brief overview of research related to IDS for IoT security issues. Our research objective is to present the state of the art from different perspectives, including the layered architecture of the IoT environment and its security mechanisms. We also focus on future recommendations and guidance related to cybersecurity issues in the IoT environment, considering that the development of IDS for the IoT environment presents significant security challenges. Our survey therefore offers the following key contributions:
First, we sketch the relevant aspects of security issues, vulnerabilities, and attack surfaces in the IoT environment.
Second, we give a comprehensive discussion of open issues in IDS for the IoT environment.
Finally, we evaluate the proposed architecture and show that it performs better than traditional methods.
The remainder of our paper is structured as follows: the literature review and related work are summarized in Section 2; Section 3 provides an overview of the IoT security environment; Section 4 describes problems and challenges relating to IoT security; experimental results and analysis are shown in Section 5; finally, Section 6 concludes our work.
2. Related Work
While the IoT has been gaining popularity, security and privacy challenges pose significant barriers to the deployment and widespread adoption of these devices. Intrusion detection has been a considerable field of work for more than three decades, and knowledge of network intrusion detection, along with awareness of security needs, has increased among researchers. Many researchers have studied and discussed the open research issues of IDS for the IoT environment, as shown in Fig. 1.
2.1 Detection Methods for Intrusion Detection System
In the IoT environment, the deployment of IDS still faces specific security issues. The IDS attempts to track either the device or the network for events that may indicate malicious attacks across the network [6,7]. Most research work on intrusion detection and prevention systems has focused on cloud computing [8,9]. The purpose of an IDS is to detect unauthorized access by attackers. The systems considered include wireless local area networks (WLAN), clouds, wide area networks (WANs), and others. Jun and Chi mention that an effective IDS needs to be simple and to accurately detect the different security threats in the IoT environment. According to the deployment of IoT-based IDS shown in Fig. 1, IDS can be categorized into anomaly-based IDS, host-based IDS, network-based IDS, and distributed IDS.
Anomaly-based IDS (AIDS): AIDS, also known as dynamic behavior-based detection, can generate a significant number of false alarms and alerts, but it allows unknown threats to be detected at various levels, vulnerabilities to be identified [12,13], and the appropriate actions to be evaluated. On the other hand, these IDS continue to show a relatively high false-positive rate. Anomaly detection involves gathering data on authorized users' actions over a period of time in order to track device operation and to classify behavior as either normal or defective. This classification is based on rules rather than signatures, attempting to detect any attack during regular operation.
Host-based IDS (HIDS): A HIDS is software installed on a host computer of the network with the capacity to monitor, analyze, and collect traffic on the network interfaces that originates from the host's system and applications. Such an IDS has a limited view: it can only detect malicious behavior on a single host.
Network-based IDS (NIDS): A NIDS performs both anomaly detection and signature detection. Signature detection, for example, suits attack types such as application layer reconnaissance, policy validation, transport layer reconnaissance, and network layer reconnaissance. The network-based intrusion detection system operates by monitoring traffic as it flows over the network infrastructure. Both NIDS and HIDS have capabilities for detecting and monitoring malicious activities.
Distributed IDS (DIDS): A DIDS consists of multiple IDS on an extensive network, all of which communicate and facilitate advanced network monitoring, instant attack data, and incident analysis. It incorporates information from a number of sensors, including both network-based and host-based IDS. The central analyzer is best equipped to detect and respond to intrusion activities.
2.2 Security Threats
The IoT is vulnerable to various security threats, and other research mentions the different types of attacks that have been discussed in IDS-for-IoT proposals. As a result, enabling IoT solutions will involve various systems, facilities, and standards, each with its own security and privacy criteria. Based on three aspects of exchanging data between users and objects, namely (1) the limited power available in the IoT environment, (2) the large number of interconnected devices, and (3) the fact that conventional protection and privacy mechanisms cannot be applied directly to such IoT technologies, some indication of how IoT devices are susceptible to attack has been identified [16,17].
Kollias et al. mention that the IoT technologies that have been developed can leave vulnerabilities open to attacks related to security and privacy issues in the IoT network. Other research studies organize the security threats that can affect entities in the IoT into the following categories, shown in Fig. 1: routing attacks, MITM, DoS, and eavesdropping attacks.
2.3 Existing Research Studies
In recent years many authors have surveyed work relevant to the IoT, tending to focus on particular aspects of IDS. One survey is based on machine learning techniques and focuses on IDS for wireless sensor networks (WSN) and the IoT. Kasinathan et al. proposed a network-based DoS detection architecture for intrusion detection, using an IDS probe approach to monitor 6LoWPAN traffic. The survey by Buczak and Guven covers IDS in general systems as regularly used for specific WSN and IoT settings, and highlights a number of issues with the techniques, in particular the complexity of those that require data acquisition. Abudaliyev et al. present a survey of the characteristics of IDS in WSN, where the shortcomings for validation include the low amount of available data, the lack of universal attack detection, and poor energy consumption. Another similar survey that focuses on IDS for WSN has also been introduced. In Table 1, we give a comparative overview of surveys on IDS for IoT security.
3. IoT Security
This section reviews the current security issues within the IoT environment. The IoT is known as the new generation of the internet; it consists of a large number of ad-hoc connected devices whose features are highly limited. The IoT architecture is built around a core of three layers, as shown in Fig. 2.
3.1 IoT Layer Architecture
Perception layer: this layer is the lowest level and the input data gate of the IoT, where communications occur between nodes and devices, so it is critical to have security measures defending against any breach. The perception layer components are M2M, radio-frequency identification (RFID), and the sensor network. First, M2M is considered one of the important elements of the IoT, enabling interconnection and interoperability between machines over the network. Second, RFID allows objects to communicate wirelessly using different types of communication over the IoT environment, which makes it possible to monitor data. The last component, the sensor network, is considered an important source of information in the perception layer and is another feature that feeds the signal database.
Network layer: the network layer is one of the largest layers and is responsible for enabling IoT devices to communicate with other devices as well as with application services. It consists of the network interface, Wi-Fi, Ethernet, cellular, Zigbee, intelligent management, RFID, and other devices. Network features are used to process and transmit sensor data. These sensors are small, with limited computing power and limited processing.
Application layer: the application layer includes an IoT infrastructure consisting of a network, such as a cloud system for data storage, and actuators. It is responsible for making sense of the data obtained and transmitting it to other IoT layers. It filters messages and typically consists of the associated components that are reached by passing a message through all areas of the network from the perception layer. Applications are expected to present high security requirements, but they present common security issues such as those related to data integrity, reliability, and privacy protection. Therefore, the security of the IoT needs to be addressed.
3.2 IoT Cyber-Attacks
In cybersecurity, confidentiality, integrity, and availability are the well-known goals. The IoT network is exposed to different types of attacks, either internal or external. Fig. 3 gives a detailed taxonomy of threats in the IoT, where these attacks are mainly classified into two types, outside and inside attacks. An outside attack is one in which the attacker is not part of the network, while in an inside attack the malicious nodes are part of the network. We discuss some cyber-attacks in the IoT environment below.
Software attacks: These are the primary source of security vulnerability and consist of various kinds of attacks in the IoT. They can replicate without human action and exploit the system using logic bombs, viruses, worms, and other kinds of software that deliberately inject code into the system through its communication interface, which can steal information and even damage devices in the IoT system [39-41].
Network attacks: These center on the IoT environment and consist of two different types, passive and active, that might affect the IoT system. In passive attacks, intruders monitor a system through several techniques that allow the attacker to collect information from the sensor; in addition, by eavesdropping, an attacker could spy on a communication channel, causing a privacy violation (e.g., side channel, cryptographic, eavesdropping, routing) [42,43]. An active attack involves using the information collected during the passive attack to compromise the network: the attacker modifies the IoT system to change its configuration, tries to break the protection of the connected data, or disrupts the network communication system. Such attacks may include a sequence of modification, disruption, and many other attack types (e.g., routing attack, DoS, false node, and battery exhaustion).
Cryptanalysis attacks: This type of attack involves the decryption and analysis of encrypted codes and ciphertext, using mathematical methods to search for vulnerabilities and break into cryptographic algorithms; its purpose is to find the encryption key and thereby break the encryption. These attacks are also known as implementation attacks and include the MITM attack and the chosen ciphertext attack.
Physical attacks: Physical attacks are known as a critical type of cryptanalysis used to discover hidden aspects of devices and to identify IoT vulnerabilities in the hardware components. The attacker will try to obtain physical access before the attack is carried out, for instance by running a false attack test. Such attacks expose vulnerabilities (e.g., micro-probing, node jamming, physical damage, chip repackaging, and sleep deprivation) and cause damage to the sensor node. The adversary changes the behavior of the devices that make up the IoT environment.
4. Proposed Distributed Cloud Architecture
In this section, we describe the design overview of the proposed distributed cloud architecture, and the experimental results and analysis.
4.1 Design Overview of Proposed Architecture
We discussed the fundamental security concerns and some safety measures related to the IoT architecture in Section 3. To secure the IoT system from the inside, it is considered as four layers. Fig. 4 presents our proposed method; below we review the security features of each level in detail.
Patel et al. suggest the idea of a new OpenFlow switch that incorporates an IDS, making the OpenFlow protocol safer. Another author proposed a framework that uses the programmability offered by SDN to include the IDS architecture for detecting suspicious packets. The authors also present a definition for identifying illegal activities carried out in the SDN setting. We suggest using SDN technologies and machine learning algorithms to track and detect malicious activities in the SDN data plane, thereby increasing performance and achieving the identification of U2R attacks.
Our proposed software-defined IDS for the distributed cloud architecture consists of the following four components in different layers of the IoT environment: first, the perception layer, consisting of IoT modules; second, the SDN-enabled switch; third, the cluster SDN controller; and last, the SDN controller.
IoT devices in the perception layer: end users and other IoT devices should each have their obligations. These IoT devices are a collection of interconnected computing devices, mechanical and digital machines, surveillance cameras, smart devices, wearable devices, and various other devices, attached to an SDN switch, with unique identifiers and the ability to transfer data over a network without the need for human-to-human or computer-to-computer interaction.
SDN-enabled switch in the edge layer: in this system, each end user is assumed to have a switch that is compatible with SDN and supports the OpenFlow protocol. The switch builds on security policies and guidelines and is the endpoint of a service provider network. SDN allows switching to network service providers using a hybrid approach.
IDS controller in the fog layer: the end users use the IDS controller, which has the following key components. (1) Sensors able to collect data, for example packets using tcpdump or Wireshark, log files (for applications), and system call traces (for the operating system). (2) An analyzer, which receives and evaluates the collected data and decides whether an intrusion has occurred. (3) A user interface, which enables IDS output and control actions to be interpreted by security experts, system administrators, and other users.
SDN controller in the cloud layer: the SDN controller stays with the telecommunication service provider at the highest level of the Soft Things system. This SDN controller manages all controllers in the IoT environment and has a comprehensive overview of traffic flows and different events on the network.
Machine learning techniques have been used in conventional networks to improve SDN performance and to avoid and prevent multiple IoT attacks. Given intelligent attacks on the IoT framework layers and their resource and computational constraints, it is important to explore the use of machine learning techniques to protect the IoT network and to distinguish anomalous packets from normal ones. Nowadays, machine learning is growing rapidly for both SDN and IDS. The edge and fog layers, which provide processing, network device capacity, and storage, have not yet been fully realized as a fog layer. Nevertheless, we suggest a distributed, stable network of SDN controllers based on the IDS, in which the edge and fog layers are virtual machines connected in turn to the processing and storage unit and seen as separate entities. Using SDN for the enabled distributed cloud should not only operate the network but also track and effectively defend the network from external and internal attacks.
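To make the division of labour between the four components concrete, the following is an added example (not code from the paper) that models the edge-layer switch, the fog-layer IDS controller and the cloud-layer SDN controller in plain Python. The flow records, the SYN-rate rule standing in for the trained classifier, and the threshold are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


@dataclass
class SdnSwitch:
    """Edge-layer SDN-enabled switch: a flow table keyed by (src, dst).

    A dst of "*" acts as a wildcard. Anything without a matching rule is
    forwarded, and a copy of every forwarded packet is mirrored to the IDS
    sensor (the "sensor" component of the fog-layer IDS controller).
    """
    flow_table: Dict[Tuple[str, str], str] = field(default_factory=dict)
    forwarded: List[Packet] = field(default_factory=list)
    dropped: List[Packet] = field(default_factory=list)
    mirrored: List[Packet] = field(default_factory=list)

    def install_rule(self, src: str, dst: str, action: str) -> None:
        # Stand-in for an OpenFlow flow_mod pushed down by the controller.
        self.flow_table[(src, dst)] = action

    def handle(self, pkt: Packet) -> str:
        action = self.flow_table.get(
            (pkt.src, pkt.dst), self.flow_table.get((pkt.src, "*"), "forward"))
        if action == "drop":
            self.dropped.append(pkt)
            return "drop"
        self.forwarded.append(pkt)
        self.mirrored.append(pkt)
        return "forward"


class IdsController:
    """Fog-layer IDS controller: the analyzer over the mirrored packets.

    A deliberately simple SYN-rate rule stands in for the machine-learning
    classifier the paper trains; the threshold is a constructed value.
    """

    def __init__(self, syn_threshold: int) -> None:
        self.syn_threshold = syn_threshold

    def analyze(self, packets: List[Packet]) -> List[dict]:
        syn_per_src = Counter(p.src for p in packets if p.proto == "tcp-syn")
        return [{"src": src, "count": n, "attack": "DoS"}
                for src, n in syn_per_src.items() if n >= self.syn_threshold]


class SdnController:
    """Cloud-layer SDN controller: turns IDS alerts into rules on every switch."""

    def __init__(self, switches: List[SdnSwitch]) -> None:
        self.switches = switches
        self.blocked: set = set()

    def apply(self, alerts: List[dict]) -> List[str]:
        for alert in alerts:
            if alert["src"] in self.blocked:
                continue
            self.blocked.add(alert["src"])
            for sw in self.switches:
                sw.install_rule(alert["src"], "*", "drop")
        return sorted(self.blocked)


def run_simulation(syn_threshold: int = 50) -> Tuple[List[str], Dict[str, int]]:
    """Two traffic windows: detect in the first, enforce at the edge in the second."""
    switch = SdnSwitch()
    ids = IdsController(syn_threshold)
    controller = SdnController([switch])

    # Constructed traffic: 10.0.0.5 floods SYNs, 10.0.0.7 is a well-behaved sensor.
    flood = Packet("10.0.0.5", "10.0.0.1", "tcp-syn")
    sensor = Packet("10.0.0.7", "10.0.0.1", "mqtt")
    for pkt in [flood] * 60 + [sensor] * 10:
        switch.handle(pkt)

    blocked = controller.apply(ids.analyze(switch.mirrored))

    # Second window: the flood is now dropped at the switch, the sensor still passes.
    outcome = Counter(switch.handle(pkt) for pkt in [flood] * 20 + [sensor] * 5)
    return blocked, dict(outcome)


if __name__ == "__main__":
    print(run_simulation())
```

The point of the split is that detection happens once, in the fog layer, while enforcement lands on every edge switch the cloud controller manages, so later packets from the flagged source never reach the analyzer at all.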
4.2 Experiment and Analysis
In this subsection, we run our experiment over the NSL-KDD master dataset on Ubuntu 18.10 with 6 GB of RAM and 100 GB of hard drive space on VMware. To train and test our machine learning model, we use Weka (3.9.3) and TensorFlow; for SDN, we use an SDN emulator and MaxiNet.
The performance of our approach is evaluated in terms of precision, recall, and accuracy. A software-defined IDS requires a low false alarm rate, high efficiency, and a high detection rate. The confusion matrix is used to measure these parameters, and the evaluation results are as follows.
Precision indicates how many of the intrusions predicted by the IDS are real: the proportion of correct positive classifications among all positive classifications. The higher the precision P, the lower the false alarm rate.
Accuracy indicates how many flows are correctly categorized across the entire traffic trace: the proportion of classifications, over all N cases, that were correct.
Recall shows the proportion of actual intrusions that were detected: the proportion of positive examples that have been correctly classified. A high recall R is required.
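The three metrics above, plus the detection rate and false alarm rate the subsection says a software-defined IDS must keep high and low, computed from a multi-class confusion matrix. This is an added example, not the paper's evaluation code; the class labels follow the NSL-KDD attack families and the matrix itself is constructed for illustration, not taken from Table 2 or Fig. 5.

```python
from typing import Dict, List

Matrix = Dict[str, Dict[str, int]]

# Class labels as in the NSL-KDD attack families (normal plus four attack classes).
CLASSES: List[str] = ["normal", "DoS", "Probe", "R2L", "U2R"]

# Constructed confusion matrix for illustration (not the paper's results):
# rows are the actual class, columns the class predicted by the IDS.
# The rare U2R class is deliberately the weak spot, as it often is in practice.
CONFUSION: Matrix = {
    "normal": {"normal": 940, "DoS": 20, "Probe": 30, "R2L": 5, "U2R": 5},
    "DoS":    {"normal": 15,  "DoS": 470, "Probe": 10, "R2L": 3, "U2R": 2},
    "Probe":  {"normal": 12,  "DoS": 8,   "Probe": 175, "R2L": 3, "U2R": 2},
    "R2L":    {"normal": 20,  "DoS": 2,   "Probe": 3,  "R2L": 70, "U2R": 5},
    "U2R":    {"normal": 6,   "DoS": 0,   "Probe": 1,  "R2L": 1, "U2R": 12},
}


def precision(cm: Matrix, cls: str) -> float:
    """TP / (TP + FP): of everything the IDS labelled cls, the share that really was cls."""
    tp = cm[cls][cls]
    predicted_as_cls = sum(row[cls] for row in cm.values())
    return tp / predicted_as_cls if predicted_as_cls else 0.0


def recall(cm: Matrix, cls: str) -> float:
    """TP / (TP + FN): of every real cls instance, the share the IDS caught."""
    tp = cm[cls][cls]
    actual_cls = sum(cm[cls].values())
    return tp / actual_cls if actual_cls else 0.0


def accuracy(cm: Matrix) -> float:
    """Correct classifications over all N cases, regardless of class."""
    correct = sum(cm[c][c] for c in cm)
    total = sum(sum(row.values()) for row in cm.values())
    return correct / total if total else 0.0


def detection_rate(cm: Matrix, benign: str = "normal") -> float:
    """Share of attack instances flagged as some attack (any non-benign label)."""
    attacks = detected = 0
    for actual, row in cm.items():
        if actual == benign:
            continue
        for predicted, n in row.items():
            attacks += n
            if predicted != benign:
                detected += n
    return detected / attacks if attacks else 0.0


def false_alarm_rate(cm: Matrix, benign: str = "normal") -> float:
    """Share of benign traffic wrongly flagged as an attack."""
    row = cm[benign]
    total = sum(row.values())
    return (total - row[benign]) / total if total else 0.0


def report(cm: Matrix) -> Dict[str, Dict[str, float]]:
    """Per-class precision/recall plus the overall figures, rounded for display."""
    out = {c: {"precision": round(precision(cm, c), 4),
               "recall": round(recall(cm, c), 4)} for c in cm}
    out["overall"] = {"accuracy": round(accuracy(cm), 4),
                      "detection_rate": round(detection_rate(cm), 4),
                      "false_alarm_rate": round(false_alarm_rate(cm), 4)}
    return out


if __name__ == "__main__":
    for name, metrics in report(CONFUSION).items():
        print(f"{name:8s} {metrics}")
```

On this constructed matrix the overall accuracy is about 0.92 while U2R precision is below 0.5 and U2R recall is 0.6, which is why detection rate and recall per attack class are reported alongside accuracy rather than accuracy alone.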
4.2.2 Graphical and tabular analysis
Accuracy was used for comparison because it calculates the ratio of correctly identified instances to the total number of instances. As shown in Fig. 5, the distributed fog solution is compared in terms of accuracy, detection rate, and recall across six separate attack scenarios. The proposed architecture is slightly lower in terms of detection rate, because the devices need to share information in order to converge and make the most accurate decision.
The performance of the proposed architecture on the NSL-KDD master dataset was evaluated by comparing the combination of our chosen algorithms with several classes of standard feature selection and machine learning algorithms, as shown in Table 2.
Based on this comparison and experimental evaluation, we can say that the proposed architecture is beneficial for attack detection, offering better detection and accuracy than traditional methods.
5. IoT Security Issues
The IoT offers great potential; one of its main objectives is to transform the way we perform different activities and the standard of living of people in today's world. Wireless communication systems have been prone to security vulnerabilities from their very inception, so it is crucial to highlight the security and privacy issues for the IoT, which can be summarized, based on Fig. 6, as confidentiality, availability, scalability, integrity, and heterogeneity.
Confidentiality: trust is a fundamental issue for IoT users sharing information through things, and confidentiality requires that this information not be compromised by an attacker. An attacker who can easily intercept messages passing from sender to receiver can modify them and leak private data. Secure messaging is therefore required for the IoT environment [49,50].
Availability: as we come to rely on the IoT within our daily lives, the availability of the IoT system must be considered. The potential for disruption as a result of device connectivity failures, or of attacks such as DoS, DDoS, and jamming, is more than an inconvenience; the impact of a lack of availability could mean a real loss.
Integrity: ensuring data integrity in an IoT network is another security issue. Given the flow of big data generated by a large number of connected devices, it should be guaranteed that a message has not been altered by an attacker or unauthorized user while in transmission over the network, thereby preserving the integrity of the IoT. Efforts have been made to ensure data integrity [53,54]. In the near future, data integrity in the IoT should receive considerable attention.
Heterogeneity: this refers to the diversity of hardware in the IoT network, such as memory footprint, computation power, protocols, etc. Because of this heterogeneity, preventing the attacks that target confidentiality, availability, and integrity is too complex, and the absence of a common security service is the biggest problem.
5.1 SDN Based IDS
SDN is an evolving concept in the design and management of networks that allows optimization of network resource use. It is a promising network technology that brings several advantages for the IoT and provides more robust methods to improve the control of network solutions, as follows.
Efficient network traffic management: SDN provides direct and indirect control over the entire network traffic, so that any suspicious traffic can potentially be detected. It can also significantly improve resource use for optimal system output in the face of the exponential growth of cloud computing and IoT devices, and it enables complex and timely control of the actions of network switches working with each other.
Vulnerabilities discovered in the near future: operators can deal with an attack as soon as it is discovered by changing the logic of the control system, without waiting for software updates, be it for an operating system or an application.
Security: it cannot be based solely on host security, since these defenses are ineffective when the host is compromised.
One study proposed the idea of a new OpenFlow switch that includes an IDS, making the OpenFlow protocol more secure. Another work proposed a framework that uses the programming capability of SDN to include an IDS architecture for detecting suspicious packets. Other research also suggests using this technology together with machine learning algorithms for monitoring and detecting malicious behavior in the SDN data plane, increasing attack-detection performance and achieving higher true positive rates (TPR) for DoS, U2R, and Probe attacks compared with other approaches [58,59].
In this subsection, we describe why the security and privacy of IDS for the IoT environment are essential to maintain and a primary concern. Since the IoT is still a relatively new concept, its security goals need to be developed. As the IoT grows, because of its dynamic nature, several security challenges remain open in the various layers of the architecture shown in Table 3, including the following:
Attack model: Several smart devices are interconnected in the IoT, so cyber attackers can conduct advanced and complicated attacks. It is therefore necessary to discover more realistic attack models and to find a balance between detection rate and resources consumed.
Secure alert traffic: The protection of IDS communication channels is another constant challenge for the IoT system. In many networks, control is taken over to secure communication between IDS components and nodes across the network. In the IoT case, however, securing the IDS is difficult and poor protection methods are used to secure communication between nodes and sensors, which allows an attacker to easily monitor and decrypt network traffic. A strong, protected IDS communication system for the IoT is therefore important.
Trust: It is built on the premise that nothing is going to affect the intended individual. Despite the IoT program, many heterogeneous networks can be compromised by being linked through the Internet. This connection with other systems brings lower security standards that can generate trust challenges. The trust system must keep up with and be updated as IoT devices grow. Even though several approaches have been proposed to evaluate positive reputation and interaction, further research is required.
Malicious code attacks: another challenge is the variety of attacks in the IoT that target application programs, such as DoS and worms, aimed at security cameras and routers. These attacks can exploit the presence of software vulnerabilities. Because such attacks are common against emerging computing systems like the IoT, a detection mechanism for the IoT should focus on detecting individual threats.
Privacy: Special consideration is required in the IoT to protect users' information over the network. Ensuring privacy in the IoT environment is considered a challenge for establishing secure communication of the related data. Privacy risk arises as the objects in the IoT collect and aggregate fragments of data.
6. Conclusion
Today, the number of IoT devices connected worldwide is believed to grow on a daily basis, and its applications involve many projects. In this paper, we have identified attacks on IoT devices for which the number of recorded instances continues to increase; information security experts and researchers regularly find vulnerabilities used by cybercriminals that could compromise the privacy, security, and protection of consumers. As a result, the frequency and variety of security threats to these systems have increased in several ways, demonstrating the value of an effective intrusion detection system. To summarize, this paper presented a comprehensive survey of software-defined IDS for the IoT security environment, provided a detailed study of each technology in a separate section, and studied IoT security threats and their convergence. Experimental evaluation of the proposed architecture shows that it has better detection and accuracy than traditional methods. Our future work aims to develop and implement a more reliable and secure SD-IDS technology for the IoT environment.
Jose Costa Sapalo Sicato, https://orcid.org/0000-0002-7834-2268
He received a Bachelor's degree in Telecommunication Engineering from the International University of Management, Namibia, in 2015, and a Diploma in PC Engineering from the Institute of Information Technology, Namibia, from 2009 to 2011. Since 2018, he has been a Master's degree scholar at the Seoul National University of Science and Technology. His current research interests include SDN, artificial intelligence, big data, and the IoT.
Sushil Kumar Singh, https://orcid.org/0000-0003-2926-3931
He received his M.Tech. degree in Computer Science and Engineering from Uttarakhand Technical University, Dehradun, India, in 2018. He also received an M.E. degree in Information Technology from Karnataka State University, Mysore, India, in 2011. Currently, he is pursuing his PhD degree under the supervision of Prof. Jong Hyuk Park at the UCS Lab, Seoul National University of Science and Technology, Seoul, Korea. He has more than 9 years of teaching experience in the field of computer science. His current research interests include blockchain, artificial intelligence, big data, and the Internet of Things. He is a reviewer for the IEEE Systems Journal, FGCS, Computer Networks, HCIS, JIPS, and others.
Shailendra Rathore
He is a PhD student in the Department of Computer Science at Seoul National University of Science and Technology (SeoulTech), Seoul, Korea. Currently, he is working in the Ubiquitous Computing Security (UCS) Lab under the supervision of Prof. Jong Hyuk Park. His broad research interests include information and cyber security, SNS, AI, and the IoT. Prior to joining the Ph.D. program at SeoulTech, he received his M.E. in Information Security from Thapar University, Patiala, India.
James J. (Jong Hyuk) Park, https://orcid.org/0000-0003-1831-0309
He received Ph.D. degrees from the Graduate School of Information Security, Korea University, Korea, and the Graduate School of Human Sciences, Waseda University, Japan. From December 2002 to July 2007, Dr. Park was a research scientist at the R&D Institute, Hanwha S&C Co., Ltd., Korea. From September 2007 to August 2009, he was a professor in the Department of Computer Science and Engineering, Kyungnam University, Korea. He is now a professor in the Department of Computer Science and Engineering and the Department of Interdisciplinary Bio IT Materials, Seoul National University of Science and Technology (SeoulTech), Korea. Dr. Park has published about 200 research papers in international journals and conferences. He has served as chair, program committee member, or organizing committee chair for many international conferences and workshops. He is a steering chair of the international conferences MUE, FutureTech, CSA, CUTE, UCAWSN, and World IT Congress-Jeju. He is editor-in-chief of Human-centric Computing and Information Sciences (HCIS) by Springer, The Journal of Information Processing Systems (JIPS) by KIPS, and the Journal of Convergence (JoC) by KIPS CSWRG. He is an Associate Editor or Editor of 14 international journals, including JoS, JNCA, SCN, CJ, and others. In addition, he has served as a Guest Editor for international journals from several publishers: Springer, Elsevier, John Wiley, Oxford University Press, Emerald, Inderscience, and MDPI. He received best paper awards from the ISA-08 and ITCS-11 conferences and outstanding leadership awards from IEEE HPCC-09, ICA3PP-10, IEEE ISPA-11, PDCAT-11, and IEEE AINA-15. Furthermore, he received an outstanding research award from SeoulTech in 2014. His research interests include IoT, human-centric ubiquitous computing, information security, digital forensics, vehicular cloud computing, multimedia computing, etc. He is a member of the IEEE, IEEE Computer Society, KIPS, and KMMS.