
MALICIOUS ACTIVITY ANALYSIS OF IOT USING DEEP NEURAL NETWORK INTRUSION DETECTION SYSTEM

A Thesis
Presented to the Faculty of the
College of Computer and Information Sciences
Polytechnic University of the Philippines

In Partial Fulfilment
of the Requirements for the Degree

Bachelor of Science in Computer Science

Crispino, Jerome Samuel P.


Loto, Ramzel Renz L.
BSCS 4-1N

October 2017

TABLE OF CONTENTS

TITLE PAGE ..... i
TABLE OF CONTENTS ..... ii
LIST OF FIGURES ..... v
LIST OF TABLES ..... vi
LIST OF NOTATION ..... vii

CHAPTER 1 The Problem and Its Background ..... 1
1.1 BACKGROUND OF THE STUDY ..... 1
1.2 STATEMENT OF THE PROBLEM ..... 3
1.3 CONCEPTUAL FRAMEWORK ..... 3
1.4 SIGNIFICANCE OF THE STUDY ..... 4
1.5 SCOPE AND LIMITATION ..... 4
1.6 OPERATIONAL TERMS ..... 5

CHAPTER 2 Review of Related Literature and Studies ..... 6
2.1 What is the Internet of Things ..... 6
2.1.1 The Layers of the IoT Model ..... 7
2.1.1.1 Sensor Layer ..... 7
2.1.1.2 Gateway and Network Layer ..... 8
2.1.1.3 Management Service Layer ..... 8
2.1.1.4 Application Layer ..... 9
2.2 Technologies in IoT ..... 10
2.2.1 Radio Frequency Identification (RFID) ..... 10
2.2.2 Sensor ..... 11
2.2.3 Smart Technologies ..... 11
2.2.4 Nano Technologies ..... 11
2.3 Threat analysis in IoT ..... 12
2.3.1 Denial-of-Service attacks ..... 12
2.3.2 Distributed Denial-of-Service attacks ..... 12
2.3.3 Jamming ..... 12
2.3.4 Cloning of thing ..... 13
2.3.5 Eavesdropping ..... 13
2.3.6 Routing Attack ..... 13
2.3.7 Application Layer Attack ..... 14
2.4 Security Treatment ..... 14
2.4.1 Application Layer Security ..... 14
2.4.2 Deep Neural Network ..... 15
2.4.3 Support Vector Machine ..... 15
2.4.4 KDD Cup 1999 Dataset ..... 16
2.4.5 Intrusion Detection System Solution ..... 16
2.4.5.1 Detection of DoS/DDoS attacks using Artificial Neural Network ..... 16
2.4.5.2 A Malicious Pattern Detection Engine for Embedded Security Systems in the Internet of Things ..... 17
2.4.5.3 Advocating for Hybrid Intrusion Detection Prevention System and Framework Improvement ..... 17
2.4.6 Machine Learning ..... 18
2.4.6.1 A Machine Learning Framework for Network Anomaly Detection Using SVM and GA ..... 18
2.4.7 IP Tracking ..... 18
2.4.7.1 Record route IP traceback: Combating DoS attacks and the variants ..... 18
2.5 SYNTHESIS OF THE STUDY ..... 18

CHAPTER 3 Research Methodology ..... 19
3.1 RESEARCH DESIGN ..... 19
3.2 SOURCES OF DATA ..... 19
3.3 INSTRUMENTATION ..... 19
3.3.1 SOFTWARE/HARDWARE TOOLS ..... 20
3.3.1.1 SYSTEM ARCHITECTURE ..... 20
3.3.1.2 DEVELOPMENT DETAILS ..... 21
3.3.2 RESEARCH INSTRUMENT ..... 23
3.4 DATA GENERATION ..... 23
3.5 ETHICAL CONSIDERATIONS ..... 24
3.6 DATA ANALYSIS ..... 24

REFERENCES ..... 27

APPENDIX ..... 31
SAMPLE RESEARCH INSTRUMENT ..... 31


LIST OF FIGURES
Figure 1.3.1 Conceptual Framework of the Study ..... 4
Figure 2.1 IoT viewed as a network of networks ..... 7
Figure 2.2 Sensors in IoT ..... 7
Figure 2.3 Network Layer Components ..... 8
Figure 2.4 Management Service Tool ..... 9
Figure 2.5 Applications ..... 9
Figure 2.6 IoT Technologies ..... 10
Figure 3.1 System Architecture with DNN Algorithm ..... 20
Figure 3.2 Prototyping Process Model ..... 21

LIST OF TABLES
Table 3.3 Experiment Paper ..... 23

LIST OF NOTATIONS
Below is the list of acronyms, abbreviations and symbols used in this research.
DNN - Deep Neural Network
SVM - Support Vector Machine
IDS - Intrusion Detection System
NIDS - Network Intrusion Detection System
DoS - Denial-of-Service Attack
NS3 - Network Simulator 3
API - Application Programming Interface
JRE - Java Runtime Environment

CHAPTER 1
The Problem and Its Background
This chapter presents the problem and the background of the study. It also discusses the
framework, the significance of the study, the system's scope and limitations, and the definition
of terms. Included in this chapter is the solution proposed by the researchers to address and
overcome the problem.

1.1 BACKGROUND OF THE STUDY

The IoT is susceptible to various threats given the scale and diversity of the technologies
involved, and the safety and security measures of such systems fall short of guaranteeing the
quality of their services. Many systems may try to prevent an intrusion attempt, but this is
neither required nor expected of a monitoring system. The focus of intrusion detection and
prevention systems (IDPS) is to identify possible incidents, log information about them and
report attempts (Jabez and Muthukumar, 2015). Some manufacturers have no security standard for
their products; some devices use their own de facto security standard that is not compatible with
other manufacturers' products; some older devices have no security measures at all.
Computer-controlled devices in automobiles such as brakes, engines, locks and dashboards have
been shown to be vulnerable to attackers who have access to the network (Chen, 2017).
Furthermore, it is equally important to detect network anomalies such as DoS attacks at an early
stage to reduce their impact.

A denial-of-service attack is a security event that occurs when an attacker takes action that
prevents legitimate users from accessing targeted computer systems, devices or other network
resources. In a DoS attack, a criminal uses a single internet connection to either exploit some
software weakness or flood a target with fake requests, usually in an attempt to exhaust server
resources (e.g., RAM and CPU).

There are studies that have proposed solutions for the detection of denial-of-service attacks in
IoT networks. The study by Hodo et al. (2016) proposed a detection approach based on classifying
normal packets against threat packets. The study implements an Artificial Neural Network (ANN)
algorithm that analyzes and combats the threats. The approach is based on a multilevel
perceptron, is trained using internet packet traces, and is then assessed on its ability to stop
DoS/DDoS attacks.

To mitigate performance degradation due to limitations of computation power and memory, Oh et
al. (2014) introduced two novel techniques, namely auxiliary shifting and early decision. Through
both techniques, the study was able to efficiently reduce the number of matching operations on
resource-constrained systems. The study limits the memory usage of the detection engine in order
to make it work on resource-constrained devices.

Nur and Tozal (2017) presented an algorithm to construct a forward-paths graph from multiple
attacker sites to a victim site. The algorithm starts from an empty forward-paths graph and
gradually builds it up by incorporating the sub-paths reported in the record route options field
of the received packets. The novel probabilistic packet marking scheme is proposed to infer
forward paths from attacker sites to a victim site and thereby delegate the defense to the
upstream Internet Service Providers (ISPs).

Rizvi et al. (2016) implemented a hybrid VM-based honeypot system alongside a hybrid IDPS. The
combination of the two approaches reduces inefficiency by specializing the NIDPS in
signature-based methods and the Hybrid Intrusion Detection Prevention System (HIDPS) in
anomaly-based methods, while maintaining the objective of decreasing resource consumption.

The studies gathered offer an encouraging viewpoint that helped the researchers design this
study. On the other hand, the researchers also found some flaws in the related studies collected.
In the study of Hodo et al. (2016), although the experimental results validate an accuracy of
99.4%, improving the reliability of the study requires further development of the framework. Oh
et al. (2014) concluded their study with a limited memory usage for the pattern-matching process.
Oh responds to this scenario by proposing the auxiliary shifting method and the early decision
scheme. Although the experiments showed that the proposed method achieved a speedup of up to 2.14
compared to the traditional pattern-matching algorithm given restricted resources, the study
still retained the workload process that leads to performance degradation. The study of Nur and
Tozal (2017) proposed a novel probabilistic packet marking scheme to infer forward paths from
attacker sites to a victim site in order to delegate the defense to the upstream Internet Service
Providers (ISPs). The authors compared the result to other techniques; the proposed scheme
requires fewer packets to construct the paths from attacker sites to a victim site. However, the
method consumes more bandwidth because it utilizes the 40-byte record route options field of the
IP header.

Concerning the security treatment of malicious activity in an IoT network, in particular
Denial-of-Service (DoS) attacks, the researchers will make use of the Deep Neural Network (DNN)
algorithm to evaluate whether the IoT network is being attacked by an intruder and, at the same
time, to address the problems of memory and bandwidth usage and performance degradation. A DNN
is highly capable of what other algorithms can do and is less time-consuming to develop due to
its automatic feature identification.

1.2 STATEMENT OF THE PROBLEM


This research is conducted to provide security against threats to IoT network management by
detecting malicious network activity with the help of a Deep Neural Network intrusion detection
system. In detail, the study intends to answer the following questions:

1. What is the accuracy of the system in detecting network Denial-of-Service attacks?

2. What is the significant difference between using a Genetic Algorithm and a Deep Neural
Network in a Network Intrusion Detection System in terms of:
a. memory usage
b. bandwidth
c. performance degradation

1.3 CONCEPTUAL FRAMEWORK OF THE STUDY


1.3.1 CONCEPTUAL FRAMEWORK

[Figure 1.3.1 diagram: two columns. Independent variable: amount of data to be sent. Dependent
variables: accuracy, memory usage, bandwidth, performance degradation.]

Figure 1.3.1: Conceptual Framework of the Study

The conceptual framework of the study provides a summary of all the study variables needed. The
independent variables are the previous algorithm (Genetic Algorithm) and the proposed Malicious
Activity Analysis of IoT Using Deep Neural Network Intrusion Detection System for detecting DoS
attacks. The dependent variables are the performance measurements for the NIDS to be used in the
study. The output is DoS attack detection.

1.4 SIGNIFICANCE OF THE STUDY


This study will be helpful to society in that it will provide network security against network
attacks. This study can also benefit the following:

DNN - the study will use the algorithm called Deep Neural Network to help the researchers detect
network threats, in particular a DoS attack.
IoT users - the study will benefit users by making them feel safe against IoT network DoS
attacks.
Computer Science students - the study will benefit and help future researchers as a reference
and guide in researching related works in IoT network security, packet inspection and intrusion
detection. This proposed study is open for future development and enhancement.

1.5 SCOPE AND LIMITATION OF THE STUDY


This study will focus on the development and accuracy of the system, specifically its intrusion
detection. The study will be conducted to help identify DoS attacks in an IoT network. It will
cover any kind of potential DoS network intrusion attack on IoT smart home devices that can harm
the digital lifestyle of their users.

1.6 OPERATIONAL TERMS


The following describes how some key terms are used in the study:

DNN - the algorithm that will be used in the study.

SVM - the algorithm that will be used for classification.

IoT - the ability to transfer data over a network without requiring human-to-human or
human-to-computer interaction.

Packets - these will serve as the population in the study.

Prototype Model - this will serve as the template for developing the system.

Quota sampling technique - this will be used in selecting packets from the population.

CHAPTER 2
Review of Related Literature
This chapter presents an analysis of related works on network management and other techniques
that are relevant to the proposed study. A detailed investigation and explanation of the academic
literature is delivered within this context. The chapter concludes with a summary of the major
findings from the analysis.

2.1 What is the Internet of Things

The Internet of Things (IoT) is a complex paradigm in which billions of devices are connected to
a network. These connected devices form an intelligent system of systems that share data without
human-to-computer or human-to-human interaction. These systems extract meaningful data that can
transform human lives, businesses, and the world in significant ways (Putchala, 2011). The IoT
has been highlighted as a new growth engine of the ICT industry. However, it was 15 years ago, in
1999, that the term was first used, when Kevin Ashton of P&G suggested that an IoT equipped with
RFID and sensors would be built (Kang et al., 2015). Interconnecting the physical world with the
virtual world and applying this concept to all things opens new possibilities in the sense of
being able to access anything from any place at any time (Bude and Bergstrand, 2015). At its
simplest, the IoT is about connecting devices over the internet and letting them talk to us
(Dsouza, 2016). Conversations about the IoT have been taking place for several years all over the
world as we try to understand how it will influence our way of living. We should also consider
the opportunities and challenges that will arise as the IoT links more and more devices. For
now, educating ourselves is one way to understand the potential impact of the IoT on the way we
work and live (Morgan, 2014). Currently, the IoT is made up of diverse, purpose-built networks.
Today's examples include the multiple networks that control the engine functions, safety features
and communication systems of a car. Commercial and residential buildings also have numerous
controllers for heating, ventilation and air conditioning (HVAC), telephone service, security and
lighting. As the IoT develops, these networks will be linked with added security, analytics, and
management capabilities (see Figure 2.1). This will allow the IoT to become even more powerful in
what it can help people achieve (Evans, 2011).

Figure 2.1: IoT viewed as a network of networks

2.1.1 The Layers of the IoT Model

2.1.1.1 Sensor Layer

The lowest layer of the IoT is the ability to sense some aspect of the physical
environment. An individual sensor typically measures a few components of a narrow
reality: temperature, pressure, position and speed, a switch that is on or off (Davenport
and Lucker, 2015). This is the layer that interconnects the physical and digital worlds,
incorporates the measurement of physical quantities, and collects and processes real-time
information (Negi, 2014). As such, these are small devices with varying operating systems,
CPU types, memory, etc. (Cisco, n.d.). This process of perception is based on several
sensing technologies (e.g. RFID, WSN, GPS, NFC, etc.). In addition, this layer is in charge
of converting the information to digital signals, which are more convenient for network
transmission (Romdhani, 2015).

Figure 2.2: Sensors in IoT

2.1.1.2 Gateway and Network Layer

This layer supports the communication requirements for latency, bandwidth or security and
allows multiple organizations to share and use the same network independently for
high-performance network infrastructure resources (Negi, 2014). Fog computing exists in
this layer; it brings the benefits of the cloud closer to edge devices by addressing the
massive amount of data that IoT devices can and potentially will send to the cloud to be
processed (Kliarsky, 2014). For example, a car diagnostic system consisting of multiple
sensors decides whether to turn on the check engine light or to notify you that you need
to change the oil (Davenport and Lucker, 2015).

Figure 2.3: Network Layer Components

2.1.1.3 Management Service Layer

The capture of periodic sensory data, the extraction of relevant information from massive
amounts of raw data, the processing of real-time data, and ensuring the security and privacy
of data all take place in this layer of the IoT (Negi, 2014). The IoT brings the connection
and interaction of objects and systems together, providing information in the form of events
or contextual data such as the temperature of goods, current location and traffic data
(Chakrabarti, 2016).

Figure 2.4: Management Service Tool

2.1.1.4 Application Layer

The application layer uses the data processed by the previous layer. In fact, this
layer constitutes the front end of the whole IoT architecture, through which the IoT's
potential will be exploited. Moreover, this layer provides the required tools (e.g. actuating
devices) for developers to realize the IoT vision. In this vision, the range of possible
applications is impressive (e.g. intelligent transportation, logistics management, identity
authentication, location-based services, safety, etc.) (Abdmeziem et al., 2015).

Figure 2.5: Applications

2.2 Technologies in IoT

Integrating different facilitating technologies makes the IoT possible. The most important
contributors to the IoT are radio-frequency identification, sensors, smart technologies and
nanotechnologies, as shown in Figure 2.6.

[Figure 2.6 diagram: four panels. RFID: to trace and classify the data of things. Sensors: to
gather and manage data; to identify the physical status of things. Smart Technologies: to
enhance the control of the network by decentralizing the processing capabilities to different
parts of the network. Nano Technologies: to give the ability to connect and interact using small
things like gadgets and devices.]

Figure 2.6: IoT Technologies

2.2.1 Radio Frequency Identification (RFID)

RFID (Radio Frequency Identification) devices are wireless microchips used for tagging
objects for automated identification. RFID can identify objects wirelessly without
line-of-sight (Maharjan, 2010). It works with a reading device called a reader and with tags
that detect the channel and sense the collections (Putchala, 2011). There are several
applications of RFID in everyday life, such as credit cards, automobile ignition keys,
passports, cattle tracking, anti-collision protocols and so on. The application of RFID
technologies to the Internet of Things (IoT) is critical for taking advantage of moving
nodes and building an intelligent system.

2.2.2 Sensor

Sensors are key to gathering information (Tongue, n.d.). A large number of sensor nodes
deployed randomly inside or near the monitoring area (the sensor field) form networks
through self-organization (Yinbiao, n.d.). Communication within the IoT ecosystem is
achieved through the flow of data between the devices where the data is collected and
received. Sensors act as a gateway to collect the data and to detect the physical status
of the things (Putchala, 2011).

2.2.3 Smart Technologies

Smart technology devices like smart fridges, smartphones, and other wearable technologies
make the Internet of Things (IoT) dream possible with robust performance in the network.
Smart technologies adopt smart solutions while accessing the resources in the IoT system
and enhance the processing capabilities of the network (Putchala, 2011).

2.2.4 Nano Technologies

Complex IoT systems make use of nanotechnologies, which have a potential impact
to design smart solutions. For example, nanosensors can be used in city locations to
monitor the spread of diseases (Putchala, 2011).

2.3 Threat analysis in IoT

2.3.1 Denial-of-service attacks

Traditionally, DoS attackers target a server that is providing a service to its consumers.
Behaving like legitimate customers, DoS attackers try to flood the active server in such a
manner that the service becomes unavailable due to the large number of pending requests
overflowing the service queue (Somani et al., 2017). For example, shutting down access to
an external-facing online asset like an e-commerce site constitutes a denial of service
(Kesavan, 2016).

2.3.2 Distributed Denial-of-service attacks

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service
unavailable by overwhelming it with traffic from multiple sources (Arbor Networks, n.d.).
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as
sources of attack traffic. Exploited machines can include computers and other networked
resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam
clogging up a highway, preventing regular traffic from arriving at its desired destination
(Cloudflare, n.d.). A different flavor of DoS is Distributed DoS, or DDoS, where the
attackers are a group of machines targeting a particular service (Somani et al., 2017).

2.3.3 Jamming

The jamming attack is one of the most critical security issues in wireless networks; it
disseminates sufficient adversarial signals into the radio frequencies used by normal
sensor nodes, without following any legitimate protocol (Shin et al., 2010). Xu et al.
(2005) define a jammer as an entity that is purposefully trying to interfere with the
physical transmission and reception of wireless communications. Jamming is accomplished
by transmitting continuous streams of noise on the frequency used in the network, causing
interference (Johari, 2015).

2.3.4 Cloning of thing

An IoT network or cloud application is polluted by fake devices sending erroneous data
(IRT Nanoelec, 2016). Cloning occurs when the attacker copies data from a legitimate tag
to gain access to an IoT network. Fraudsters can often gain unauthorized access to RFID
tags due to poor authentication, which enables them to read, change and delete data
(Gorman, 2017).

2.3.5 Eavesdropping

This attack can be carried out if the platforms used communicate in clear text, since
there is nothing stopping an attacker from using a receiver to pick up the communication
between the participants when a wireless solution is used (Johari, 2015). Bude and
Bergstrand (2015) highlighted two possible positions for the attacker. The attacker could
be positioned somewhere on the internet as an intermediate node, where it monitors or
modifies information flowing between the server and the gateway. The other option is the
wireless network, where the attacker eavesdrops on traffic between the gateway and the
device.

2.3.6 Routing Attack

Routers are core network equipment in any organization, so router security is a major
concern. There are different types of router attacks that network professionals must be
aware of, such as DoS, packet mistreating attacks, routing table poisoning, hit-and-run
attacks and persistent attacks (Bipin, 2012).

2.3.7 Application Layer attack

The application layer consists of a variety of IoT applications. Application layer
security concerns such as DDoS attacks, malicious code injection attacks and phishing
attacks need to be addressed (Chen, 2017). Underestimating the safety and security of
monitoring a physical environment in IoT applications is a critical issue that needs to be
addressed. First, unlike in typical computer systems, in IoT systems the physical
environment can be affected through IoT actuators. Second, attackers can affect a
cyber-physical system by manipulating the physical environment. Moreover, as we are dealing
with resource-constrained devices in the IoT, lightweight approaches need to be undertaken
to ensure the quality of service and feasibility of such security measures (Hosseinpour et
al., 2016).

2.4 Security Treatment

2.4.1 Application Layer Security

Nowadays, the architecture of the Internet must be updated and rethought in order to
interconnect trillions of devices and to ensure interoperability between them.
Nevertheless, the most important problem is the security requirements of the IoT, which is
probably one of the main reasons for the relatively slow development of this field
(Nastase, 2017). Message Queue Telemetry Transport (MQTT), Extensible Messaging and
Presence Protocol (XMPP) and Blockchain are the most important application layer protocols
currently used in the IoT framework (Mendez et al., 2017).

MQTT is a lightweight network protocol used for publishing and subscribing to messages
that are sent between devices. It was invented by Dr Andy Stanford-Clark of IBM and Arlen
Nipper of Arcom, with the goal of creating a protocol that is bandwidth-efficient and uses
little battery power. The protocol works on top of the TCP/IP protocol and is ideal for use
in constrained environments or low-bandwidth networks with limited processing
capabilities, small memory capacities and high latency (Arnoys, 2015).

The purpose of XMPP is to enable the exchange of relatively small pieces of structured
data (called "XML stanzas") over a network between any two (or more) entities. XMPP is
typically implemented using a distributed client-server architecture, wherein a client
needs to connect to a server in order to gain access to the network and thus be allowed
to exchange XML stanzas with other entities (which can be associated with other servers)
(Saint-Andre, 2011).

Blockchain has recently received a lot of attention in the field of IoT. Researchers and
practitioners believe blockchain is one of the key technologies that can securely enable
smart contracts among things (Mendez et al., 2017). Blockchains are being used in
connection with IoT devices. Blockchains are cryptographically secure ledgers that
typically require a significant amount of memory, disk space and processor power to work
(Fremantle and Scott, 2017).

2.4.2 Deep Neural Network

A Deep Neural Network is a feed-forward artificial neural network composed of multiple
hidden layers between the input and output layers. Deep learning is the name used for
stacked neural networks, that is, networks composed of several layers.

Deep neural networks learn by adjusting the strengths of their connections to better
convey input signals through multiple layers to neurons associated with the right general
concepts (Wolchover, 2017).

2.4.3 Support Vector Machine

A Support Vector Machine (SVM) is a discriminative classifier formally defined by a
separating hyperplane. In other words, given labeled training data (supervised learning),
the algorithm outputs an optimal hyperplane which categorizes new examples (OpenCV, 2017).

SVM is a concept in statistics that analyzes data and recognizes patterns. It is used
for classification and regression analysis. The SVM takes a set of labeled data and
predicts, for each given input, which of two possible classes it belongs to (Yadav and
Sachan, 2016). The work of Gualtieri et al. (2000) on the use of SVM for the classification
of HS images has been followed by several researchers who analyze the theoretical
properties and empirical performance of SVM applied to different kinds of classification
problems.

2.4.4 KDD Cup 1999 Dataset

One of the most favoured and widely used datasets in the intrusion detection research
community is the KDD99 dataset. Since 1999, it has been the most widely used data set for
the evaluation of anomaly detection methods. This data set was prepared by Stolfo et al.
and is built on the data captured in the DARPA98 IDS evaluation program. DARPA98 consists
of about 4 gigabytes of compressed raw (binary) tcpdump data from 7 weeks of network
traffic, which can be processed into about 5 million connection records, each of about
100 bytes. The two weeks of test data have around 2 million connection records. The KDD
training dataset consists of approximately 4,900,000 single connection vectors, each of
which contains 41 features and is labeled as either normal or an attack, with exactly one
specific attack type (Tavallaee et al., 2009).

KDD99 is the only available dataset with labeled normal and attack records and has become
a benchmark for evaluating IDSs. The simulated attacks fall into one of four categories:
Denial of Service (DoS), Probing, User to Root (U2R), and Remote to Local (R2L). The
datasets contain a total of 22 training attack types, with an additional 16 types in the
test data (Al-mamory et al., 2015).
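As an added example (not code from the thesis), the following Python parses KDD99-format connection records as described above, maps each label to one of the four categories, and turns the 41 features into scaled numeric vectors that a DNN classifier could take as input. The sample records are constructed, and the attack-name-to-category table is the standard grouping of the 22 training attack types.

```python
"""Parse KDD Cup 1999 connection records, categorize labels and build DNN-ready
feature vectors. Added example, not code from the thesis; the sample records
below are constructed for illustration, not copied from the dataset."""
from typing import Dict, List, Tuple

# The 41 KDD99 feature names in column order; column 42 is the label.
KDD_FEATURES = [
    "duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes",
    "land", "wrong_fragment", "urgent", "hot", "num_failed_logins", "logged_in",
    "num_compromised", "root_shell", "su_attempted", "num_root",
    "num_file_creations", "num_shells", "num_access_files", "num_outbound_cmds",
    "is_host_login", "is_guest_login", "count", "srv_count", "serror_rate",
    "srv_serror_rate", "rerror_rate", "srv_rerror_rate", "same_srv_rate",
    "diff_srv_rate", "srv_diff_host_rate", "dst_host_count",
    "dst_host_srv_count", "dst_host_same_srv_rate", "dst_host_diff_srv_rate",
    "dst_host_same_src_port_rate", "dst_host_srv_diff_host_rate",
    "dst_host_serror_rate", "dst_host_srv_serror_rate", "dst_host_rerror_rate",
    "dst_host_srv_rerror_rate",
]
CATEGORICAL = ("protocol_type", "service", "flag")

# The 22 training attack types grouped into the four KDD99 categories.
ATTACK_CATEGORY: Dict[str, str] = {}
for _cat, _names in {
    "DoS": ["back", "land", "neptune", "pod", "smurf", "teardrop"],
    "Probe": ["ipsweep", "nmap", "portsweep", "satan"],
    "R2L": ["ftp_write", "guess_passwd", "imap", "multihop", "phf", "spy",
            "warezclient", "warezmaster"],
    "U2R": ["buffer_overflow", "loadmodule", "perl", "rootkit"],
}.items():
    for _n in _names:
        ATTACK_CATEGORY[_n] = _cat

# Constructed sample records (one normal connection, two DoS, one probe).
SAMPLE_LINES = [
    "0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,"
    "0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.",
    "0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,"
    "0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.",
    "0,tcp,private,S0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,123,6,"
    "1.00,1.00,0.00,0.00,0.05,0.07,0.00,255,6,0.02,0.07,0.00,0.00,1.00,1.00,0.00,0.00,neptune.",
    "0,tcp,private,REJ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,"
    "0.00,0.00,1.00,1.00,1.00,0.00,0.00,255,1,0.00,1.00,0.00,0.00,0.00,0.00,1.00,1.00,satan.",
]


def parse_record(line: str) -> Tuple[Dict[str, str], str]:
    """Split one CSV record into a feature dict and its label.
    KDD99 labels carry a trailing dot ("smurf."), which is stripped."""
    parts = line.strip().split(",")
    if len(parts) != len(KDD_FEATURES) + 1:
        raise ValueError(f"expected 42 columns, got {len(parts)}")
    return dict(zip(KDD_FEATURES, parts[:-1])), parts[-1].rstrip(".")


def categorize(label: str) -> str:
    """Map a label to normal / DoS / Probe / R2L / U2R; attack names that
    appear only in the test set (not in the 22 training types) become 'unknown'."""
    if label == "normal":
        return "normal"
    return ATTACK_CATEGORY.get(label, "unknown")


def category_counts(lines: List[str]) -> Dict[str, int]:
    """Class distribution of a set of records, the first thing to check before training."""
    counts: Dict[str, int] = {}
    for line in lines:
        cat = categorize(parse_record(line)[1])
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def build_vocab(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Assign each distinct categorical value an integer code in first-seen order.
    Build it on training data only and reuse it for test data so codes stay consistent."""
    vocab: Dict[str, Dict[str, int]] = {col: {} for col in CATEGORICAL}
    for rec in records:
        for col in CATEGORICAL:
            vocab[col].setdefault(rec[col], len(vocab[col]))
    return vocab


def vectorize(records: List[Dict[str, str]], vocab: Dict[str, Dict[str, int]]) -> List[List[float]]:
    """Numeric 41-dimensional vectors: categorical columns become their code
    (-1 for a value absent from the vocabulary), the rest are cast to float,
    then every column is min-max scaled to [0, 1] so that large byte counts
    do not dominate the small rate features at a DNN's input layer."""
    raw = [[float(vocab[c].get(rec[c], -1)) if c in CATEGORICAL else float(rec[c])
            for c in KDD_FEATURES] for rec in records]
    cols = list(zip(*raw))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
             for i, v in enumerate(row)] for row in raw]


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_LINES]
    print("class distribution:", category_counts(SAMPLE_LINES))
    vocab = build_vocab([rec for rec, _ in parsed])
    for vec, (_, label) in zip(vectorize([rec for rec, _ in parsed], vocab), parsed):
        print(f"{label:8s} -> {categorize(label):7s} vector[:6]={[round(x, 2) for x in vec[:6]]}")
```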

2.4.5 Intrusion Detection System Solution

2.4.5.1 Detection of DoS/DDoS attacks Using Artificial Neural Network

In the study Threat analysis of IoT networks Using Artificial Neural Network
(ANN) Intrusion Detection System, an investigation is presented in the area of security
threats on IoT networks, particularly DoS/DDoS attacks, with an implementation of an ANN
algorithm to counteract these threats. The study also classified the IoT threats into four
types: Denial of Service (DoS), Malware, Data breaches and Weakening Perimeters. The
study demonstrates an experimental architecture in which the IoT network is composed of
5 sensor nodes. Four of the nodes act as clients, and one acts as a server relay
node for data analytic purposes. The traffic is captured via a network tap, avoiding
modification of the live traffic. The server node acknowledges the data sent by the sensor
nodes and replies with data based on the received data. This allows the sensor nodes to
adapt their behavior and react to occurring events. In this study an ANN is used as an
offline Intrusion Detection System (IDS) to collect and assess information from several parts
of the IoT network and identify a DoS attack on the network. The detection was based on
classifying normal and threat patterns. However, the study is limited, as more attacks should
be initiated to test the reliability of the method against attacks and the accuracy of its framework
(Hodo et al., 2016).

2.4.5.2 A Malicious Pattern Detection Engine for Embedded Security Systems in the
Internet of Things

Oh et al. (2014) present a lightweight security system that uses a novel malicious
pattern-matching engine. The study limits the memory usage of the proposed system in
order to make it work on resource-constrained devices. To mitigate performance
degradation due to limitations of computation power and memory, two novel techniques
proposed in the study are auxiliary shifting and early decision. Through both techniques,
the study was able to efficiently reduce the number of matching operations on resource-
constrained systems.

2.4.5.3 Advocating for Hybrid Intrusion Detection Prevention System and Framework Improvement

Rizvi et al. (2016) implemented a hybrid VM-based Honeypot system alongside
a hybrid IDPS, which makes up for the reduction in efficiency by specializing the NIDPS in
signature-based methods and the Hybrid Intrusion Detection Prevention System (HIDPS) in
anomaly-based methods, while maintaining the objective of decreasing resource
consumption. The authors plan on implementing the theorized architecture in future
research. In order to further the research, algorithms similar to the standard genetic and fuzzy
logic methods must be created, including neural techniques.

2.4.6 Machine Learning

2.4.6.1 A Machine Learning Framework for Network Anomaly Detection using SVM
and GA

The main goal of the authors was to present a general framework for detection and
classification of novel attacks in network traffic. Four preliminary tests were conducted using
GA for optimized field selection, showing that this method had a relatively fast processing time and
a better correction rate. A modified SVM classification approach and data preprocessing
were proposed for producing better SVM inputs. Specifically, the authors designed an
Enhanced SVM incorporating both a high-performance supervised scheme and an
unsupervised scheme that operates without the use of labels. Moreover, m-fold
cross-validation and real-world experiments were used to verify the results and prove the
relative effectiveness of the framework over existing NIDS (Shon et al., 2005).

2.4.7 IP Tracking

2.4.7.1 Record route IP traceback: Combating DoS attacks and the variants

The authors proposed a novel probabilistic packet marking scheme to infer forward
paths from attacker sites to a victim site and to delegate the defense to the upstream Internet
Service Providers (ISPs). The authors exploit the record route feature of the IP protocol to
implement the probabilistic packet marking scheme. An algorithm was presented to
construct a forward-paths graph from multiple attacker sites to a victim site. The algorithm
starts from an empty forward-paths graph and gradually builds up the graph by
incorporating the sub-paths reported in the record route option field of the received
packets (Nur and Tozal, 2017).
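The graph-construction step described above, as an added example that is not the authors' code: each received packet is assumed to carry, in simplified form, the list of router addresses recorded in its IP record route option, ordered from the attacker side toward the victim. The addresses below are constructed from documentation ranges; the empty graph is grown one reported sub-path at a time, and the finished graph is then used to enumerate the forward paths along which defense can be delegated upstream.

```python
"""Incrementally build a forward-paths graph from record-route sub-paths.

Added example illustrating the graph-construction step described above; it
is not the authors' code. Each received packet is assumed to carry the list
of router addresses recorded in its IP record route option, from the
attacker side toward the victim (a constructed, simplified view of the
option)."""
from collections import defaultdict

VICTIM = "198.51.100.10"   # constructed victim address (documentation range)

# Constructed sub-paths as successive packets might report them. The record
# route option holds at most nine addresses, so one packet reports only a
# fragment of the full path; overlapping fragments are merged in the graph.
SAMPLE_SUBPATHS = [
    ["203.0.113.1", "203.0.113.2", "192.0.2.5", VICTIM],
    ["203.0.113.9", "203.0.113.2", "192.0.2.5", VICTIM],
    ["203.0.113.1", "203.0.113.2"],            # fragment: edge already known
    ["198.18.0.3", "192.0.2.7", "192.0.2.5", VICTIM],
]

def build_forward_paths_graph(subpaths):
    """Start from an empty graph and add an edge for every consecutive pair
    in each reported sub-path. Returns adjacency: node -> set(next hops)."""
    graph = defaultdict(set)
    for path in subpaths:
        for hop, nxt in zip(path, path[1:]):
            graph[hop].add(nxt)
        for node in path:              # keep leaf nodes (the victim) present
            graph.setdefault(node, set())
    return dict(graph)

def attacker_sites(graph):
    """Nodes with no incoming edge are the inferred upstream entry points."""
    targets = set().union(*graph.values()) if graph else set()
    return sorted(n for n in graph if n not in targets)

def paths_to_victim(graph, victim):
    """Enumerate all simple paths from inferred attacker sites to the victim;
    the per-ISP defense can then be delegated along each path."""
    results = []

    def walk(node, trail):
        if node == victim:
            results.append(trail)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in trail:       # simple paths only: no revisits
                walk(nxt, trail + [nxt])

    for site in attacker_sites(graph):
        walk(site, [site])
    return results

if __name__ == "__main__":
    g = build_forward_paths_graph(SAMPLE_SUBPATHS)
    for path in paths_to_victim(g, VICTIM):
        print(" -> ".join(path))
```

Because sub-paths arrive probabilistically and in fragments, the graph is only as complete as the packets seen so far; the `attacker_sites` heuristic (nodes with no inbound edge) therefore names the farthest upstream routers reported, not necessarily the true origin hosts.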
CHAPTER 3
Research Methodology

3.1 RESEARCH DESIGN


The researchers will incorporate quantitative analysis in conducting the study. Moreover,
the researchers will use the experimental type of research. It is a systematic and scientific approach in
which the researcher manipulates one or more variables, and controls and measures any change in
other variables (Blackstad 08). Key (1997) defines experimental research as an attempt by the
researcher to maintain control over all factors that may affect the result of an experiment. In
doing this, the researcher attempts to determine or predict what may occur, he added. The
researchers will evaluate the functionality of the proposed system in terms of accuracy after
generalizing the results of the quantitative analysis.

3.2 SOURCES OF DATA


The researchers will use packets as the population in the experimentation. Network packets
taken from the KDD Cup 1999 dataset will be used and will serve as the population frame. The
researchers determined that the sample size of the population will be 2,000 network packets.

3.3 INSTRUMENTATION

This section describes the collected data in more detail. The tools used for the collection of
data are identified. How the instrument was acquired or created, as well as its reliability and validity,
is also presented in this section.
3.3.1 SOFTWARE /HARDWARE TOOLS


3.3.1.1 SYSTEM ARCHITECTURE

[Figure 3.1 is a flowchart: Start -> Attack over the Internet -> Network traffic -> Packet capture ->
Feature extraction and selection using DNN and SVM -> Detection engine (input layer -> hidden layer ->
output layer) -> Malicious activity detected? (No branch: no alert; Yes branch: display alert log) -> End]

Figure 3.1 System Architecture with DNN Algorithm

The figure above shows how the system will detect and analyze a Denial of
Service attack on a device in the IoT network. Initially, the system captures packets
from the IoT network traffic. The captured packets are then forwarded to a DNN for
feature extraction; the DNN is trained to recognize the features of DoS attack packets.
Next, the extracted packet features are fed to a classifier, in this case a support vector
machine. The SVM identifies which packets are normal and which are attack packets
using the extracted features. An alert is issued when malicious activity is detected, that is,
when a DoS attack packet is recognized.
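To make the classifier and alert stages of Figure 3.1 concrete, here is an added example (not the thesis's code) of a dependency-free linear SVM trained by hinge-loss stochastic gradient descent, followed by the alert-log step. It assumes two constructed features standing in for the DNN-extracted ones, the fraction of half-open (SYN-error) connections and a normalised connection rate to the same host, both scaled to [0, 1]; the training vectors, their labels and the hyperparameters are constructed for the illustration.

```python
"""Classifier stage of Figure 3.1 as a minimal, dependency-free linear SVM.

Added example, not the thesis's code. It trains a linear SVM with hinge-loss
stochastic gradient descent (a Pegasos-style update) on constructed feature
vectors and raises an alert for each vector classified as an attack. The two
features stand in for the DNN-extracted features of the text: the fraction of
half-open (SYN-error) connections and the normalised connection rate to the
same host, both in [0, 1]."""

# Constructed training vectors: (features, label). DoS traffic shows a high
# error fraction and a high connection rate; benign traffic shows neither.
TRAINING_DATA = [
    ([0.90, 0.95], "attack"), ([0.05, 0.10], "normal"),
    ([0.80, 0.90], "attack"), ([0.10, 0.20], "normal"),
    ([0.95, 0.85], "attack"), ([0.00, 0.05], "normal"),
    ([0.70, 0.99], "attack"), ([0.15, 0.02], "normal"),
]

def train_linear_svm(data, epochs=100, eta=0.1, lam=0.01):
    """Return (w, b) minimising hinge loss + lam/2 * ||w||^2 by SGD.

    Every step applies the regularisation shrink; a sample whose margin
    y * (w.x + b) is below 1 additionally pulls the weights toward itself."""
    dim = len(data[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        for x, label in data:
            y = 1.0 if label == "attack" else -1.0
            margin = y * (sum(wi * xi for wi, xi in zip(w, x)) + b)
            w = [wi * (1.0 - eta * lam) for wi in w]      # regularisation step
            if margin < 1.0:                              # hinge loss active
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
                b += eta * y
    return w, b

def classify(model, x):
    """Return 'attack' or 'normal' for one feature vector."""
    w, b = model
    score = sum(wi * xi for wi, xi in zip(w, x)) + b
    return "attack" if score > 0 else "normal"

def detection_engine(model, feature_vectors):
    """Classify each vector; return the alert log (one line per attack)."""
    alerts = []
    for idx, x in enumerate(feature_vectors):
        if classify(model, x) == "attack":
            alerts.append(f"ALERT packet {idx}: DoS pattern, features={x}")
    return alerts

if __name__ == "__main__":
    model = train_linear_svm(TRAINING_DATA)
    # constructed unseen traffic: one benign flow and one flood-like flow
    for line in detection_engine(model, [[0.08, 0.12], [0.88, 0.91]]):
        print(line)
```

The linear SVM here separates the two constructed clusters with a maximum-margin hyperplane, which is the behaviour section 2.4.3 attributes to SVM; in the thesis design the feature vectors would come from the DNN rather than being hand-built, and the alert log is the output the experiment paper in Table 3.3 tallies.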

3.3.1.2 DEVELOPMENT DETAILS

Figure 3.2: Prototyping Process Model

The prototype model will serve as the process template for developing the system. In it, the
prototype begins with project initiation and the collection of requirements; the prototype is then
developed, tested, and revised as necessary until the expected prototype is reached.
The following are the steps in the prototyping model:

Requirements Gathering: the requirements of the system software are collected.

Developing the initial Prototype: a set of plans is made, and the problems, objectives and
resources are defined.

Review of the Prototype: a simulation of the developed prototype will be conducted. The researchers
will assess the data gathered from the simulation result. From the evaluated data, conclusions
will be drawn for further enhancement of the prototype.

Review and enhance the Prototype: feedback is examined. In this phase, if the simulation of the
prototype is unsuccessful, the feedback will be used for further enhancement and revisions until the
required results are met.

The researchers will conduct a simulation process for the system through NS-3 and Virtual
Box. NS-3 will be the simulation tool and Virtual Box will serve as the emulator for the NS-3
application. The algorithm to be followed will be based on the system architecture. The DNN will
interpret the packets passing through the IoT network. The researchers will use the following instruments
in developing and implementing the study.

NS-3: an open source simulation tool, publicly available for research, development, and
use, and an open simulation environment for networking research. It is made for the Linux operating system
and requires that the system has Java Runtime Environment (JRE) 6 or above installed. This
software will help the researchers in modifying and implementing the DNN algorithm in network
intrusion detection.

Virtual Box: an emulator for running NS-3 on a different operating system. Virtual Box will
help the researchers run the simulation tool without using the Linux operating system.
3.3.2 RESEARCH INSTRUMENT

An experiment paper will be used as the research instrument to collect data. This will help in
recording observations about the performance of the study. The researchers' experiment paper
consists of the following variables, as shown in the table:

DNN Intrusion Detection System

DNN Performance                                  | Trial 1 | Trial 2 | Trial 3 | Average
-------------------------------------------------+---------+---------+---------+--------
Actual Number of Attack Packets                  |         |         |         |
No. of Correctly Detected Attack Packets         |         |         |         |
No. of Normal Packets Detected as Attack Packets |         |         |         |
No. of Attack Packets NOT Detected               |         |         |         |
Accuracy                                         |         |         |         |

Table 3.3 Experiment Paper

3.4 DATA GENERATION/GATHERING PROCEDURE


The researchers will collect data and information on IoT threats from the library, from online
works and studies, and by gathering further information from the internet. The researchers will
consult a network security specialist about the study concerning DoS attacks on IoT. After the
gathering of data, the researchers will consult the research advisor for the development of the study,
additional recommendations, revision of documents, and authorization of the study. The researchers
will perform the simulation process using NS-3 to understand the effectiveness of the DNN algorithm
in analyzing malicious activity. Through simulation, the collection of data based on the
performance of network intrusion detection will be conducted. The effectiveness of the study is
calculated from the resulting performance data. The researchers will record all the resulting data and
present the findings, conclusion and recommendations of the study.

3.5 ETHICAL CONSIDERATION


The data generated will be used to assess the effectiveness of the DNN algorithm in detecting a
network intrusion in an IoT network. The researchers are responsible for following all the guidelines,
rules and regulations of the university. The researchers will conduct experiments through
simulation rather than real-time experiments to avoid inconsistency in gathering data should the
researchers encounter an error during an experiment. To maintain the preciseness of the evaluation,
the researchers shall not alter any of the data gathered in any simulation. Any type of misleading
information, as well as representation of primary data findings in a biased way, must be avoided.
Confidentiality of the generated data shall be maintained. Full consent should be obtained from
the participants prior to the study. Affiliations in any form, sources of funding, as well as any
possible conflicts of interest must be declared.

3.6 DATA ANALYSIS


The researchers will be using the following statistical formulas to compute the accuracy of
network intrusion detection with the implementation of DNN algorithm. The following metrics
will be used to support the result of the simulation of the study.

ACCURACY FORMULA

The formula for accuracy computes the overall performance rate of the system.

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \times 100$$

Where:

TP (True Positive): malicious activity that is correctly identified as a network threat.

TN (True Negative): non-malicious activity that is correctly identified as normal.

FP (False Positive): non-malicious activity that is incorrectly classified as a network threat.

FN (False Negative): malicious activity that is incorrectly identified as normal.

MEAN
The mean is the average measurement in a set of data. It is calculated by dividing the sum of the
data by the number of data items. This formula will be used in the t-test for measuring the
significant difference in performance rate between the Genetic Algorithm and the Deep Neural Network.

$$\bar{X} = \frac{\sum X}{N}$$

Mean Formula
Where,
$\bar{X}$, called X-bar, is the symbol for the mean
$\sum$, Sigma, is the symbol for summation
$X$ is the symbol for the scores
$N$ is the total number of scores

INDEPENDENT T-TEST
The research will use the Independent T-Test method to find the significant difference in
the performance rate between using the Genetic Algorithm and the Deep
Neural Network in IoT network intrusion detection.

$$t = \frac{\bar{X}_1 - \bar{X}_2}{\sqrt{\left[\dfrac{\left(\sum X_1^2 - \dfrac{(\sum X_1)^2}{N_1}\right) + \left(\sum X_2^2 - \dfrac{(\sum X_2)^2}{N_2}\right)}{N_1 + N_2 - 2}\right]\left[\dfrac{1}{N_1} + \dfrac{1}{N_2}\right]}}$$

Where,
$\sum X$, sum of the following scores.
$\bar{X}_1$, mean for the memory usage, bandwidth, and performance degradation using the
Genetic Algorithm
$\bar{X}_2$, mean for the memory usage, bandwidth, and performance degradation using the
Deep Neural Network
$X_1$, scores for the Network Intrusion Detection System using the Genetic Algorithm
$X_2$, scores for the Network Intrusion Detection System using the Deep Neural Network
$N_1$, total number of scores for the Network Intrusion Detection System using the
Genetic Algorithm
$N_2$, total number of scores for the Network Intrusion Detection System using the
Deep Neural Network
The level of significance, denoted as alpha ($\alpha$), determines how far out from the null
hypothesis a result must fall; it is the probability of rejecting the null hypothesis when it is true. In this study the
researchers will use a significance level of 0.05, which indicates a 5% risk of concluding that a
difference exists when there is no actual difference.
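The three metrics above carried through on constructed numbers, as an added example that is not the thesis's code: the confusion counts correspond to the rows of Table 3.3, the accuracy and mean follow the formulas given, and the t statistic is the pooled-variance form written above with degrees of freedom N1 + N2 - 2. The packet labels, the per-trial accuracies for the two detectors, and the small table of two-tailed 5% critical values of Student's t are assumptions of the example; the test decides significance by comparing |t| against that critical value, since the standard library has no t distribution.

```python
"""Evaluation metrics of section 3.6 computed on constructed trial data:
accuracy from the Table 3.3 counts, the mean over trials, and the
pooled-variance independent t-test at alpha = 0.05.

Added example, not code from the thesis; the packet labels and the per-trial
accuracies for the two detectors are constructed."""
import math

def confusion_counts(actual, predicted):
    """TP/TN/FP/FN for binary labels 'attack' / 'normal': the rows of
    Table 3.3 (attack packets correctly detected, normal packets flagged as
    attack, attack packets missed)."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for a, p in zip(actual, predicted):
        if a == "attack":
            counts["TP" if p == "attack" else "FN"] += 1
        else:
            counts["FP" if p == "attack" else "TN"] += 1
    return counts

def accuracy(c):
    """Accuracy = (TP + TN) / (TP + TN + FP + FN) x 100."""
    total = c["TP"] + c["TN"] + c["FP"] + c["FN"]
    return 100.0 * (c["TP"] + c["TN"]) / total

def mean(scores):
    """X-bar = sum(X) / N."""
    return sum(scores) / len(scores)

def independent_t(x1, x2):
    """Pooled-variance t statistic and degrees of freedom N1 + N2 - 2."""
    n1, n2 = len(x1), len(x2)
    ss1 = sum(v * v for v in x1) - sum(x1) ** 2 / n1   # sum X1^2 - (sum X1)^2 / N1
    ss2 = sum(v * v for v in x2) - sum(x2) ** 2 / n2   # sum X2^2 - (sum X2)^2 / N2
    df = n1 + n2 - 2
    pooled = (ss1 + ss2) / df
    diff = mean(x1) - mean(x2)
    if pooled == 0.0:   # identical scores in every trial: no variance to divide by
        return (math.copysign(math.inf, diff) if diff else 0.0), df
    return diff / math.sqrt(pooled * (1 / n1 + 1 / n2)), df

# Two-tailed critical values of Student's t at alpha = 0.05 for the small
# degrees of freedom that three-trial comparisons produce.
T_CRIT_05 = {2: 4.303, 4: 2.776, 6: 2.447, 8: 2.306, 10: 2.228}

def significant(t, df):
    """True when |t| exceeds the 5% critical value (null hypothesis rejected)."""
    return abs(t) > T_CRIT_05[df]

# Constructed single-trial packet labels: 6 attack and 4 normal packets.
ACTUAL = ["attack"] * 6 + ["normal"] * 4
PREDICTED = ["attack"] * 5 + ["normal", "attack"] + ["normal"] * 3

# Constructed per-trial accuracies (%) for the two detectors being compared.
DNN_TRIALS = [96.0, 94.0, 95.0]
GA_TRIALS = [90.0, 92.0, 91.0]

if __name__ == "__main__":
    c = confusion_counts(ACTUAL, PREDICTED)
    print(c, "accuracy =", accuracy(c))
    t, df = independent_t(DNN_TRIALS, GA_TRIALS)
    print("means", mean(DNN_TRIALS), mean(GA_TRIALS), "t =", round(t, 3),
          "df =", df, "significant:", significant(t, df))
```

With three trials per detector the test has only four degrees of freedom, so the critical value is large (2.776); the zero-variance branch covers the case where every trial reports the same accuracy, which the formula would otherwise turn into a division by zero.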
REFERENCE/S:

J. Jabeza, B. Muthukumar. (2015). Intrusion Detection System (IDS): Anomaly Detection Using
Outlier Detection Approach. International Conference on Computer, Communication and
Convergence (ICCC 2015).

Farhoud Hosseinpour, Payam Vahdani Amoli, Juha Plosila, Timo Hämäläinen, and Hannu
Tenhunen. (2016). An Intrusion Detection System for Fog Computing and IoT based Logistic
Systems using a Smart Data Approach. International Journal of Digital Content Technology and
its Applications (JDCTA), Volume 10, Number 5, Dec. 2016.

Long Chen. (2017). Security Management for The Internet of Things. University of Windsor
Scholarship at UWindsor. Windsor, Ontario, Canada 2017

M. Surendar, A. Umamakeswari. (2016). InDReS: An Intrusion Detection and response system
for Internet of Things with 6LoWPAN. Wireless Communications, Signal Processing and
Networking (WiSPNET), International Conference on 23-25 March 2016. Chennai, India.

Manoj Kumar Putchala. (2011). Deep Learning Approach for Intrusion Detection System (IDS) in
the Internet of Things (IOT) Network Using Gated Recurrent Neural Networks (GRU). Wright
State University. (2017).

Young-Mo Kang, Mi-Ran Han, Kyeong-Seok Han, and Jong-Bae Kim. (2015). A Study on the
Internet of Things (IoT) Application. International Journal of Software Engineering and Its
Applications. Vol. 9, No. 9 (2015).

Edison Lancy Dsouza, Roopa S, Rohan D Salins. (2016). Integrated Real-Time Intrusion
Detection System Using IoT. International Journal of Innovative Research in Science, Engineering
and Technology. Vol. 5, Issue 5, May 2016.

Christian Bude and Andreas Kervefors Bergstrand. (2015). Internet of Things: Exploring and
Securing a Future Concept. Degree Project in Communication Systems, First Level Stockholm.
Sweden 2015.

Jacob Morgan. (2014). A Simple Explanation Of 'The Internet of Things'. Retrieved from
https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#7d12ccbf1d09

Dave Evans. (2011). The Internet of Things: How the Next Evolution of the Internet Is Changing
Everything. Cisco Internet Business Solutions Group (IBSG). Cisco white paper. (2011).

Cisco (IBSG). (2011). Research Gate: IoT viewed as network of a networks. Retrieved from
https://www.researchgate.net/figure/272943881_fig5_Fig-25-IoT-viewed-as-a-network-of-networks-Source-Cisco-IBSG-April-2011

Vikrant Negi. (2014). Internet of Things. Retrieved from
https://www.slideshare.net/vikrantnegi007/internet-of-things-42105190

Cisco. (n. d.). Securing the Internet of Things: A Proposed Framework. Retrieved from
https://www.cisco.com/c/en/us/about/security-center/secure-iot-proposed-framework.html

Imed Romdhani, Riad Abdmeziem, Djamel Tandjaoui. (2015). Architecting the Internet of Things:
State of the Art. LSI, USTHB: University of Sciences and Technology Houari Boumedienne,
Algeria. CERIST: Center for Research on Scientific and Technical Information, Algeria. School
of Computing, Edinburgh Napier University, UK.

Kaivan Karimi. (n. d.). Sensors: The Role of Sensor Fusion in the Internet of Things. Retrieved
from http://www.mouser.com/applications/sensor-fusion-iot/

Adam Kliarsky. (2014). Detecting Attacks Against The Internet of Things. GIAC (GCIA) Gold
Certification. The SANS Institute 2017.

Pawani Porambage, Mika Ylianttila, Corinna Schmitt, Pardeep Kumar, Andrei Gurtov,
Athanasios V. Vasilakos, "The Quest for Privacy in the Internet of Things", IEEE Cloud
Computing, vol. 3, no., pp. 36-45, Mar.-Apr. 2016, doi:10.1109/MCC.2016.28

Tom Davenport and John Lucker. (2015). Running on data: Activity trackers and the Internet of
Things. Deloitte Review issue 16.

Alex Tongue. (n. d.). The Role of Sensors in the Industrial IoT. Retrieved from
http://www.sensuron.com/industry-news/sensors-in-the-industrial-iot/

Cloudflare. (n. d.). What is a DDoS Attack?. Retrieved from
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

J. Mirkovic, P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, SIGCOMM
Comput. Commun. Rev. 34 (2) (2004) 39-53, doi:10.1145/997150.997156

Arbor Networks. (2013). What is a DDoS Attack?. Retrieved from
http://www.digitalattackmap.com/understanding-ddos/

Dr. Shu Yinbiao, MSB Member. (n. d.). Internet of Things: Wireless Sensor Networks.
International Electrotechnical Commission. White Paper. (n. d.)

Archana Kesavan. (2016). Three Types of DDoS Attacks. Retrieved from
https://blog.thousandeyes.com/What-IoT/Three-Types-of-DDoS-Attacks/

Incheol Shin, Yilin Shen, Ying Xuan, My T. Thai and Taieb Znati. (2010). A Novel Approach
Against Reactive Jamming Attacks. Old City Publishing Inc. (2010).

Farhad Johari. (2015). The security of communication protocols used for Internet of Things.
Department of Computer Science Faculty of Engineering LTH. Lund University. 2015.

Bipin. (2012). Security: Types of Router Attacks. Retrieved from
http://www.mustbegeek.com/types-of-router-attacks/

IRT Nanoelec. (2016). IoT Security Good Practices. Secure MCUs Division. ST
Microelectronics. November 2016. Retrieved from http://www.irtnanoelec.fr/wp-content/uploads/2016/12/3.-ST-ThFensch.pdf

Tristan O'Gorman. (2017). Application Security: A Primer on IoT Security Risks. Retrieved from
https://securityintelligence.com/a-primer-on-iot-security-risks/

Diego Mendez, Ioannis Papapanagiotou, Baijian Yang. (2017). Internet of Things: Survey on
Security and Privacy. Purdue University.

Lander Arnoys. (2015). The Internet of Things: Communicating with the Cloud, The Protocols,
Security and Big Data. New Media and Communication Technology.

P. Saint-Andre. (2011). Extensible Messaging and Presence Protocol (XMPP): Core. Internet
Engineering Task Force (IETF). Cisco. March 2011.

Fremantle P, Scott P. (2017) A survey of secure middleware for the Internet of Things. PeerJ
Computer Science 3:e114 https://doi.org/10.7717/peerj-cs.114
Abdullah Yasin Nur, Mehmet Engin Tozal. (2017). Record route IP traceback: Combating DoS
attacks and the variants. Volume 72.

Doohwan Oh, Deokho Kim and Won Woo Ro. (2014). A Malicious Pattern Detection Engine for
Embedded Security Systems in the Internet of Things.

Syed Rizvi, Gabriel Labrador, Matt Guyan, Jeremy Savan. (2016). Advocating for Hybrid
Intrusion Detection Prevention System and Framework Improvement. Complex Adaptive
Systems. Publication 6. Cihan H. Dagli. Editor in Chief Conference Organized by Missouri
University of Science and Technology. Los Angeles, CA. (2016).

Elike Hodo, Xavier Bellekens, Andrew Hamilton, Pierre-Louis Dubouilh, Ephraim Iorkyase,
Christos Tachtatzis and Robert Atkinson. (2016). Conference: 3rd International Symposium on
Networks, Computers and Communications (ISNCC), At Hammamet. May 2016.

Taeshik Shon, Yongdue Kim, Cheolwon Lee, and Jongsub Moon, Member, IEEE. (2005). A
Machine Learning Framework for Network Anomaly Detection using SVM and GA. Proceedings
of the 2005 IEEE Workshop on Information Assurance and Security. United States Military
Academy, West Point, NY

Mahbod Tavallaee, Ebrahim Bagheri, Wei Lu, and Ali A. Ghorbani. (2009). A Detailed Analysis
of the KDD CUP 99 Data Set. Proceedings of the 2009 IEEE Symposium on Computational
Intelligence in Security and Defense Applications (CISDA 2009).

Safaa O. Al-mamory, Firas S. Jassim (2015). On the designing of two grain levels network
intrusion detection system. Karbala International Journal of Modern Science. Volume 1 Issue 1,
September 2015, Pages 15-25.
APPENDIX

SAMPLE RESEARCH INSTRUMENT

The table below shows the format of the experiment paper that will be used in the research
to evaluate the accuracy rate of the system in detecting IoT network DoS attack.

DNN Intrusion Detection System

DNN Performance                                  | Trial 1 | Trial 2 | Trial 3 | Average
-------------------------------------------------+---------+---------+---------+--------
Actual Number of Attack Packets                  |         |         |         |
No. of Correctly Detected Attack Packets         |         |         |         |
No. of Normal Packets Detected as Attack Packets |         |         |         |
No. of Attack Packets NOT Detected               |         |         |         |
Accuracy                                         |         |         |         |
