
Wireless Personal Communications

https://doi.org/10.1007/s11277-020-07137-0

SH-IDS: Specification Heuristics Based Intrusion Detection System for IoT Networks

M. Jagadeesh Babu1 · A. Raji Reddy2

© Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract
The Internet of Things (IoT) refers to loosely coupled, independent hardware of any kind
connected under the internet protocol. An IoT network is often composed of various standards,
techniques, and services that have diversified privacy and security prerequisites. Consequently,
the IoT paradigm has security problems similar to those of cloud services, the internet, and
“mobile communication networks”. Nevertheless, the outdated security countermeasures and
privacy implementations cannot be applied directly to IoT technologies because of the confined
computing power of IoT elements, the large number of interrelated devices, and the data sharing
among users and objects. IDS proposals for the IoT are placed as distributed systems, as central
systems, or as a combination of both. Traditional intrusion detection strategies detect
intrusion by signature, by anomaly, or by a combination of these. Because the devices placed in
IoT networks have limited resources, intrusion detection strategies must perform intrusion
defense within the constrained resources of the corresponding devices. In regard to this
argument, this manuscript presents a novel specification measure that allows each device in an
IoT network to defend against intrusion at the device level. The method explored in this
manuscript is a specification approach that determines Specification Heuristics to assess the
scope of intrusion in IoT network requests.

Keywords  Internet of Things · Low power lossy network (LLN) · IDS · Distributed
monitoring · Central monitoring · Hybrid monitoring

* M. Jagadeesh Babu
  jagadeeshm.me@gmail.com
  A. Raji Reddy
  ar_reddy@yahoo.com
1 Department of ECE, JNTUA, Ananthapuramu, AP, India
2 ITI Limited, Bangalore, Karnataka, India

1 Introduction

In this era of automation, the system that has become pervasive, has touched all dimensions of
the universe, and is unpredictably impacting human lives is the “Internet”. We are now entering
a world where a wide variety of applications will be associated with the web. The term “internet
of things (IoT)” denotes this contemporary system and has been defined by different authors in
different forms. Two important and well-known definitions are discussed here. The work [1]
defines the IoT simply as communication between the digital and physical worlds, in which the
“digital world” communicates with the “physical world” through a plethora of actuators and
sensors. The work [2] defines the IoT in another way, as networking and computing capabilities
embedded in any imaginable object; these capabilities are used to query the state of the object
and to alter its state whenever possible. More generally, the term IoT refers to a novel kind of
universe: a network of diversified devices and applications linked under the internet protocol
and used cooperatively to accomplish intricate tasks that require a maximum “degree of
intelligence”. For this interconnection and intelligence, IoT devices are equipped with embedded
actuators, transceivers, sensors, and processors. The IoT is not an individual system or
technology; instead, it is an accumulation of several technologies that work in tandem.
The devices that assist in communicating with the physical environment are actuators and
sensors. The data gathered by sensors should be stored and processed intelligently in order to
derive useful implications from them. The term sensor is defined broadly; a microwave oven or a
mobile phone can be a sensor, as it offers inputs regarding its current state. An actuator is a
device used to effect a change in the environment, such as the temperature controller of an air
conditioner. Data storage and processing are conducted at the remote server. When any data
processing is possible, it is typically conducted either at the sensor or at some other adjacent
device, and the processed data is then typically forwarded to the “remote-server”. The storage
and processing capabilities of an IoT object are confined by the available resources, which are
often restricted because of the limits on energy, size, computational capability, and power.
Like many consumer systems, IoT technologies are vulnerable to attacks, which has become an
important barrier to the extensive adoption of “MEMS (Microelectromechanical systems) integrated
Diversified IoT networks and services” [3]. Therefore, as the work [4] presents, defense methods
and intrusion detection are crucial for IoT-based networks.
Diversified IoT networks that include MEMS such as “capacitive accelerometers” can be tricked
into giving inexact readings, and in this way the respective “IoT network security” is bypassed.
The fast growth of the IoT market and the extensive deployment of MEMS and sensors result in a
deficiency of security for the respective MEMS and sensors, which are vulnerable to cooperation
[5]. The technical terms used are listed in Table 1.

2 Related Work

The works [6, 7] proposed “distributed lightweight IDSs”. The work [6] defined a lightweight
algorithm for matching attack signatures against packet payloads. They also proposed two
methods, “auxiliary shifting” and “early decision”, which aim to lessen the number of matches
required for identifying attacks.
The other method of the distributed approach to intrusion detection relies on the reputation and
trust rate of the devices involved in the IoT network. This strategy has the nodes monitor the
conduct of their neighbor nodes. The contribution “Intrusion detection of Sinkhole attacks on
6LoWPAN for the Internet of Things” [8] is of this kind; it detects and mitigates intrusion
based on the reputation and trust rank of the nodes. Unlike other methods, this approach is a
preventive measure instead of a defensive one. Hence, the constraint of this approach is its
inability to identify zero-day intrusions.

Table 1  Descriptions of used technical terms

IoT        Internet of Things
IDS        Intrusion detection system
LLN        Low power lossy network
MEMS       Micro electro-mechanical systems
DSC        Dice similarity coefficient
PV         Pattern value
Pa         Pattern of attribute
TLA-IDS    Transfer learning algorithm based IDS
SH-IDS     Specification heuristics based intrusion detection system
PPV        Positive predictive value
NPV        Negative predictive value

The other format of intrusion detection is a system that monitors the traffic between the IoT
network built from Low power Lossy Network (LLN) nodes and the target domain, which is the
internet. The contributions [9, 10] follow this centralized gateway format, using a border
router to monitor the traffic between the LLN and the internet. However, this approach assumes
that the communication among the adaptively connected LLN nodes of the IoT is fair, which is a
considerable constraint of intrusion detection by a centralized gateway mechanism, since the
centralized method is not intended to deal with intrusion practices in the communication between
LLN nodes. The contributions [11–13] are also methods of intrusion detection by a centralized
gateway mechanism. The “Attack model and detection scheme for botnet on 6LoWPAN” [11] is
intended to defend against botnets, and the other two contributions [12, 13] are intended to
identify whether the egress or ingress traffic between the LLN nodes of the IoT and the internet
has been compromised by a DoS attack. Another centralized gateway method of intrusion detection
[14] checks the state of the LLN nodes at uniform time intervals. This is done by sending ICMPv6
signals and verifying the state of the LLN nodes through their responses. However, the method
shows considerable false positives, since the detection strategy cannot differentiate a delay in
response due to intrusion from delays due to the benign causes that often occur in transactions
of IoT networks.
Various research has been done in the domain of IoT, and researchers are still contributing to
this domain.
The works [15, 16] present a comprehensive description of the smart home system, in which
breaches of security are identified through the deep learning model DRNN (dense random neural
network). They also prominently describe DoS attacks and denial-of-sleep attacks in the IoT
setting.
The work [17] presents an identifier for on and off attacks by a malevolent network node in the
industrial IoT setting. In an on and off attack, they consider that the IoT network may be
attacked by the malevolent node while that node is in a dynamic state, and that the IoT network
behaves normally while the malevolent node is in a non-dynamic state.


The work [18] explored attack identification using the fog-things framework. In this
contribution, the researchers presented a comparison study between shallow and deep neural
networks using an open-source dataset. The main objective is to identify four classes of anomaly
and attack.
The work [19] presents an intrusion detection system (IDS) for IoT, in which various ML
classifiers are used to detect scanning of network probing and DoS attacks.
The work [20] depicted a method for IDS based on two-layer dimension reduction and a two-tier
classification method. This method is devised for detecting malevolent activities such as
remote-to-local (R2L) and user-to-root (U2R) attacks. For dimension reduction, linear
discriminant analysis and component analysis are used.
The work [21] implemented UBRAIN (uncertainty-managing batch related based artificial
intelligence). U-Brain is a dynamic method operated on multiple machines that can manage missing
data. The NSL-KDD dataset comprises 41 features, of which only six are chosen using a
classification algorithm based on J-48. The accuracy is 94.1% for NSL-KDD and 97.4% for real
data traffic.
The work [22] depicted an attack identification service based on classification using a cloud
framework. The IoT network yields data in netflow format. The contribution concentrates on three
prominent instances in the IoT domain: infected hosts, command and control, and scanning.
The above discussion of contemporary models clearly shows that neither distributed nor
centralized methods of intrusion detection are optimal alone. Hence, it is natural to adopt
cross models, which combine distributed and centralized methods [23–26]. However, the
contemporary models of intrusion detection in IoT are critically compromised by the constrained
resources available to distributed strategies. This is because these contemporary models perform
intrusion detection either by signature methods [6, 12, 13, 27, 28] or by anomaly-based
detection methods [7, 25, 26, 29, 30], which are inept to perform in the LLN nodes of the IoT.
Accordingly, it is natural to rely on specification models [24, 29, 31, 32] to detect intrusion
by distributed methods. Specification models rely on certain rules and thresholds to label
network transactions as prone to intrusion or not. The constraint of these specification models
is often poor definitions of rules and thresholds, which are network specific. Hence there is
scope for considerable research on defining optimal specification methods to perform intrusion
detection under a distributed or cross-method strategy. In this context, Deng et al. [33]
proposed an IDS centred on a novel method of feature optimization using the fuzzy c-means
clustering technique. This method handles the crux of dimensionality in the values projected for
the features of the given training corpus. However, the method falls into the same category as
other contemporary models that are intended to learn from the training corpus, which does not
represent the crux of dimensionality.
This manuscript endeavors to define an optimal specification approach to boost the distributed
method of intrusion detection in an IoT network formed by LLN nodes.


3 Methods and Materials

The proposed model derives Specification Heuristics, which is a distributed method of intrusion
detection in IoT networks. The heuristics are defined from network transaction records labelled
positive (prone to intrusion) and negative (not prone to intrusion), and are then used to scale
target network transactions as positive or negative to intrusion attack.
Technical Analysis of the SH-IDS
The proposal is a machine learning approach that includes two phases, the training phase and the
testing phase (see Fig. 1). The training phase partitions the given labelled record set $D$ into
two sets $D^+, D^-$ such that these sets contain the records having the labels “positive” and
“negative”, respectively. It then extracts the optimal attributes of the network transactions,
which are specific to identifying the correlation between the network transaction and the
labels. Afterwards, for each sequential n-gram pattern of attributes, the proposal discovers the
unique sequential patterns of values from the network transactions of the positive label and the
negative label. Later, the proposal derives specification heuristics from the unique sequential
patterns of values discovered for both labels and uses these specification heuristics to label a
given network transaction in the testing phase. Detailed descriptions of the sequence of phases
involved in the proposed method are given in the following sections.

Fig. 1  Flow diagram of the SH-IDS

3.1 Technical Analysis

Diversity and heterogeneity make intrusion defence for IoT systems more crucial. With respect to
intrusion scope, detection, and defence, IoT systems are more vulnerable than traditional
systems (the symbols used in this manuscript are listed in Table 2), for the following reasons.
The majority of IoT devices have limited computational capability, constrained memory capacity,
battery life, and network bandwidth. Hence, the benchmark intrusion detection strategies are
inept for deployment in IoT. Network heterogeneity and the distribution properties of IoT are
two limits because of which centralized intrusion detection strategies are not competent to
deploy in IoT networks. The distributed networking of the IoT is vulnerable to intrusion
practices. The devices in IoT networks are prone to physical attacks, which often compromise
these devices and leave them prone to intrusion. The communication medium of these IoT networks
is the internet protocol; hence they are unconditionally vulnerable to many internet intrusion
practices such as flood attacks. Regarding this, this manuscript proposes a specification scale
that is competent to deploy in IoT network devices with limited memory and processing resources.
The detailed technical description of the proposed model is visualized in Fig. 1 and is
explained in the following description.
The flow diagram indicates two major phases, the training phase and the testing phase. In both
phases, the initial effort is to preprocess the given data and partition the records of the
corpus into two sets based on their label. That is, every record in the given corpus is listed
under one of the labels positive (intrusion prone) and negative (benign transaction). The
records labelled positive form one set, and the records labelled negative form the other set.
These records of the positive label and the negative label are then used to derive the n-gram
sequential patterns as features and their correlation with the labels. A feature is significant
for discovering the positive label if the correlation between the positive label and the
corresponding pattern is high and the feature has zero or low correlation with the negative
label. Predictive analysis is then performed to discover the positive scope of the given test
record of the input parameter values and types submitted to the corresponding web form. Each
block of the flow diagram is explained in the following description.

Table 2  Descriptions of below-used formulas

$D$                  Dataset
$Atrb$               Attributes
$v^+_a, v^-_a$       Vectors
$dsc$                Dice similarity coefficient
$dsct$               Dice similarity coefficient threshold
$SPA$                Sequential pattern of attributes
$r$                  Record
$pv$                 Pattern of values
$pvc^+_{pa}$         Confidence of the sequential pattern values
$npvc^+_{pa}(pv)$    Normalizing the confidence $pvc^+_{pa}(pv)$ of the sequential pattern of values $pv$
$f_{pa}$             Fitness of the sequential pattern of attributes $pa$
$lf_{pa}$            Least fitness of the sequential pattern of attributes $pa$
ecr                  Energy consumption ratio
erp                  Energy required to process the transaction
errq                 The energy required to receive network transaction
oec                  Threshold of energy consumption
mur                  Memory usage ratio
mupq                 Memory used to process the transaction
musq                 Memory used to store the network transaction
muh                  Threshold of memory used to store the heuristics

The corpus is a set of records, each of which represents the attributes of a network transaction
request. Each record carries one of the two labels, attack and normal.
Preprocessing in the training phase is performed as follows. For each record of an IoT network
transaction, the preprocessing task checks for missing attribute values. Records possessing
partial data and records that carry neither the negative nor the positive label are detected and
removed.
Feature Extraction in the proposed model designates the n-gram sequential patterns of the given
IoT network transaction as “features”. Several features are discovered from the diverse
attributes of the input records.
Specification heuristics for both labels are derived as follows. First, sequential n-gram
patterns are derived as features, such that each feature exists in one or more records given as
input to the training phase. Then the ratio of occurrence of each n-gram in the training records
of each label is estimated, and the empirical probability of these ratios of occurrence over all
the n-grams and the respective mean square error are discovered.
Preprocessing in the testing phase is very similar to the preprocessing block of the training
phase. It identifies and discards the records having partial data due to missing values and the
records having neither of the labels positive and negative.
Feature extraction in the testing phase is identical to the feature extraction task of the
training phase. For a given IoT network record, it discovers the n-gram sequence patterns, which
are the features. These features are then used to perform the next phase, predictive analysis.
Predictive Analysis labels the given record. It defines all possible n-gram patterns of the
features discovered in the feature extraction phase and estimates the correlation between these
values and the specification heuristics discovered. If these values are compatible with the
rules representing the attack-prone label, the test record is predicted as prone to attack; if
instead the patterns discovered in the testing phase better match the rules defined for the
negative label, the test record is predicted to be negative.

3.2 The Data

An IoT network transaction is framed by the values representing a set of attributes in sequence.
The proposed method is intended to define Specification Heuristics from the network transactions
cached in a given temporal period, which have been labelled as positive or negative to intrusion
prone. The initial phase identifies the attributes that show distribution diversity between the
values of the corresponding attribute in the given records of label positive and label negative.
The next phase lists all possible n-gram sequential patterns of the optimal attributes as a set
$SPA$. The process intended to identify the possible features is explained in the following
section.

3.3 The Selection of Optimal Attributes

The given dataset $D$ of network transactions, which have been labelled as positive or negative,
is partitioned into two sets $D^+, D^-$ that represent the records of positive labels and
negative labels, respectively.
Further, list all attributes representing the values of a network transaction as a set
$Atrb = \{a_1, a_2, a_3, \ldots, a_{|Atrb|}\}$.
For each attribute $\{a \;\exists\; a \in Atrb\}$, the values observed in the given transactions
of positive labels and negative labels are listed as vectors $v^+_a, v^-_a$, respectively. Then
find the distribution diversity between the values listed as vectors $v^+_a, v^-_a$. For this
purpose, we adapted the method called the dice similarity coefficient, since contemporary
statistics indicate that the dice similarity coefficient is optimal for identifying whether two
different sets of values from the same distribution are distinct or similar [26]. The Dice
Similarity Coefficient is adapted for selecting optimal attributes about positive and negative
records of the training set. The diversity of values in the two given vectors $v^+_a, v^-_a$,
denoted by the Dice Similarity Coefficient $dsc$, is estimated using Eq. 1:

$$dsc = \frac{2 * |v^+_a \cap v^-_a|}{|v^+_a| + |v^-_a|} \tag{1}$$

In the equation above:

• The notations $|v^+_a|, |v^-_a|$ denote the cardinalities of the corresponding vectors
$v^+_a, v^-_a$, and the notation $|v^+_a \cap v^-_a|$ denotes the cardinality of the
intersecting values of the given vectors $v^+_a, v^-_a$.
• If the dice similarity coefficient $dsc$ is less than the given dice similarity coefficient
threshold $dsct$ (usually $0.7 \le dsct < 1$), then the two vectors $v^+_a, v^-_a$ are said to
be distinct, and the attribute $a$ is said to be an optimal attribute.

The next phase of the method derives the features, which are divergent sequential patterns of
the values projected for the corresponding sequential pattern of attributes. The details of
feature selection are explained in the following section.

3.4 The Features Selection

Next, find all possible sequential patterns of the optimal attributes and list them as a set
$SPA$. Sort all the possible n-gram sequential patterns of optimal attributes listed in set
$SPA$ in descending order of their size ($n$ value).

The resultant sets of sequential patterns of values for each sequential pattern of attributes
are further denoted as features.
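
The attribute selection of Sect. 3.3 and the pattern enumeration of Sect. 3.4, worked through as an added example (not the authors' code). The sample records and attribute names are constructed, cardinality in Eq. 1 is taken over distinct values, and an n-gram is assumed to be a contiguous run of the ordered optimal attributes.

```python
# Added illustration: preprocessing, Dice-based attribute selection (Eq. 1),
# and enumeration of the n-gram attribute patterns (set SPA) with their values.

# Constructed sample transactions; attribute names and values are illustrative only.
ATTRIBUTES = ["proto", "service", "state", "sttl"]
SAMPLE = [
    {"proto": "tcp", "service": "http", "state": "INT", "sttl": 254, "label": "positive"},
    {"proto": "udp", "service": "dns", "state": "INT", "sttl": 254, "label": "positive"},
    {"proto": "tcp", "service": "ftp", "state": "REQ", "sttl": 254, "label": "positive"},
    {"proto": "tcp", "service": "http", "state": "FIN", "sttl": 31, "label": "negative"},
    {"proto": "udp", "service": "dns", "state": "CON", "sttl": 31, "label": "negative"},
    {"proto": "tcp", "service": "ssh", "state": "FIN", "sttl": 62, "label": "negative"},
    # The next two records must be discarded by preprocessing.
    {"proto": "tcp", "service": None, "state": "FIN", "sttl": 31, "label": "negative"},
    {"proto": "udp", "service": "dns", "state": "CON", "sttl": 31, "label": "unknown"},
]


def preprocess(records, attributes):
    """Drop records with missing attribute values or without a positive/negative label."""
    return [
        r for r in records
        if r.get("label") in ("positive", "negative")
        and all(r.get(a) is not None for a in attributes)
    ]


def dice_similarity(v_pos, v_neg):
    """Eq. 1, with cardinalities counted over distinct values (assumption)."""
    a, b = set(v_pos), set(v_neg)
    if not a and not b:
        return 1.0  # two empty vectors show no diversity
    return 2 * len(a & b) / (len(a) + len(b))


def select_optimal_attributes(records, attributes, dsct=0.7):
    """Return (optimal attributes, dsc per attribute); optimal means dsc < dsct."""
    pos = [r for r in records if r["label"] == "positive"]
    neg = [r for r in records if r["label"] == "negative"]
    scores = {
        a: dice_similarity([r[a] for r in pos], [r[a] for r in neg])
        for a in attributes
    }
    return [a for a in attributes if scores[a] < dsct], scores


def sequential_patterns(attributes):
    """All contiguous n-grams of the ordered attributes, largest n first (set SPA)."""
    size = len(attributes)
    return [
        tuple(attributes[i:i + n])
        for n in range(size, 0, -1)
        for i in range(size - n + 1)
    ]


def pattern_values(records, pattern, label):
    """Unique sequential patterns of values seen for one attribute pattern and label."""
    return {tuple(r[a] for a in pattern) for r in records if r["label"] == label}


if __name__ == "__main__":
    clean = preprocess(SAMPLE, ATTRIBUTES)
    optimal, scores = select_optimal_attributes(clean, ATTRIBUTES)
    for name in ATTRIBUTES:
        print(f"{name:8s} dsc={scores[name]:.3f} optimal={name in optimal}")
    for pa in sequential_patterns(optimal):
        print(pa, sorted(pattern_values(clean, pa, "positive")))
```

Skipping the preprocessing step would let the record with the missing `service` value into the negative vector and change that attribute's coefficient, which is why the partial record is part of the sample.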

3.5 Features Optimization

This phase is intended to reduce the sequential pattern values obtained for the divergent sizes
of sequential patterns of attributes. For each sequential pattern of attributes $pa$, prune any
sequential pattern of values $pv_{pa}$ that is a subset of another sequential pattern of values
representing another sequential pattern of attributes, if the confidences of both sequential
patterns of values are identical.

• For each sequential pattern of attributes
$\{pa_i \;\exists\; pa_i \in SPA \wedge i = 1, 2, \ldots, |SPA|\}$ in set $SPA$ Begin


3.5.1 Pruning the Features Representing the Positive Label

3.5.2 Pruning the Features Representing the Negative Label

3.6 Specification Heuristics

The proposed Specification Heuristics from n-gram features are described in this section, along
with the method of predicting the appropriate label for a given unlabeled network transaction
record. The overall procedure is carried out in the following sequence of steps.

• Normalizes the confidence of each sequential pattern of values to the range ≥ 0 and ≤ 1,
which is as follows:

• Estimates the least fitness of each sequential pattern of attributes $pa$ towards both
positive and negative labels
  For each $\{pa \;\exists\; pa \in SPA\}$ Begin

Towards Positive Label

$$f^+_{pa} = \left(\sum_{i=1}^{|npvc^+_{pa}|} \left\{nc \;\exists\; nc \in npvc^+_{pa}\right\}\right) \times \left|npvc^+_{pa}\right|^{-1} \tag{2}$$

//finding the fitness of the sequential pattern of attributes pa towards the positive label.

$$lf^+_{pa} = f^+_{pa} - \left(\left(\sum_{i=1}^{|npvc^+_{pa}|} \left(f^+_{pa} - \left\{nc \;\exists\; nc \in npvc^+_{pa}\right\}\right)^2\right) \times \left|npvc^+_{pa}\right|^{-1}\right) \tag{3}$$

//scaling the least fitness of the sequential pattern of attributes pa towards positive label,
which is the absolute difference between the fitness $f^+_{pa}$ and the mean square distance of
the confidence values of the sequential pattern values of the sequential pattern attributes pa

Towards Negative Label

$$f^-_{pa} = \left(\sum_{i=1}^{|npvc^-_{pa}|} \left\{nc \;\exists\; nc \in npvc^-_{pa}\right\}\right) \times \left|npvc^-_{pa}\right|^{-1} \tag{4}$$

//finding the fitness of the sequential pattern of attributes pa towards the negative label.

$$lf^-_{pa} = f^-_{pa} - \left(\left(\sum_{i=1}^{|npvc^-_{pa}|} \left(f^-_{pa} - \left\{nc \;\exists\; nc \in npvc^-_{pa}\right\}\right)^2\right) \times \left|npvc^-_{pa}\right|^{-1}\right) \tag{5}$$

//scaling the least fitness of the sequential pattern of attributes pa towards negative label,
which is the absolute difference between the fitness $f^-_{pa}$ and the mean square distance of
the confidence values of the sequential pattern values of the sequential pattern attributes pa

End

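• Estimates Specification scale threshold of both positive and Negative Labels

Specification Heuristics for Positive Label

$$ess^+ = \left(\sum_{i=1}^{|SPA|} \left\{lf^+_{pa_i} \;\exists\; pa_i \in SPA\right\}\right) \times (|SPA|)^{-1} \tag{6}$$

$$ess^+_d = \left(\sum_{i=1}^{|SPA|} \sqrt{\left(\left\{\left(ess^+ - lf^+_{pa_i}\right) \;\exists\; pa_i \in SPA\right\}\right)^2}\right) \times (|SPA|)^{-1} \tag{7}$$

$$ess^+_{min} = ess^+ - ess^+_d \tag{8}$$

$$ess^+_{max} = ess^+ + ess^+_d \tag{9}$$

Specification Heuristics for Negative Label

$$ess^- = \left(\sum_{i=1}^{|SPA|} \left\{lf^-_{pa_i} \;\exists\; pa_i \in SPA\right\}\right) \times (|SPA|)^{-1} \tag{10}$$

$$ess^-_d = \left(\sum_{i=1}^{|SPA|} \sqrt{\left(\left\{\left(ess^- - lf^-_{pa_i}\right) \;\exists\; pa_i \in SPA\right\}\right)^2}\right) \times (|SPA|)^{-1} \tag{11}$$

$$ess^-_{min} = ess^- - ess^-_d \tag{12}$$

$$ess^-_{max} = ess^- + ess^-_d \tag{13}$$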

• Performs Predictive analysis by Specification Heuristics

For a given test record (unlabeled network transaction record) $r$,

$rc^+ = 0$ //aggregate confidence of the sequential pattern values of given record r towards
positive label
$rc^- = 0$ //aggregate confidence of the sequential pattern values of given record r towards
negative label

Further, find the confidence ratio of the record $r$ towards positive and negative labels in
respective order, which is as follows,

$$\langle rc^+ \rangle = rc^+ \times (|SPA|)^{-1} \tag{14}$$

$$\langle rc^- \rangle = rc^- \times (|SPA|)^{-1} \tag{15}$$

Further, scale the fitness of the record towards the labels positive and negative as follows:

Condition                                      Label
$(\langle rc^- \rangle \ge ess^-_{max})$       Negative
(⟨ − ⟩ ) (⟨ ⟩ )
rc ≥ ess− && rc+ < ess+ Negative
min

The label is claimed to be positive against all the rest of the conditions.
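
The threshold derivation of Eqs. 2–13, worked through as an added example (not the authors' code). It reads Eqs. 3 and 5 as fitness minus the mean square distance, as the accompanying comments describe, and Eqs. 7 and 11 as the mean absolute deviation of the least-fitness values; the normalized confidence values are constructed, since the normalization step itself is not reproduced here.

```python
# Added illustration: specification scale thresholds (Eqs. 2-13) computed from
# normalized confidences of pattern values, one list per attribute pattern pa.

# Constructed normalized confidences (each value already in [0, 1]).
NPVC_POSITIVE = {
    ("service", "state"): [0.9, 0.7, 0.8],
    ("service",): [0.6, 0.4],
    ("state",): [0.5, 0.5, 0.5, 0.5],
}
NPVC_NEGATIVE = {
    ("service", "state"): [1.0, 0.8],
    ("service",): [0.7, 0.7],
    ("state",): [0.6, 0.2],
}


def fitness(npvc):
    """Eqs. 2 and 4: mean normalized confidence of one attribute pattern."""
    if not npvc:
        raise ValueError("attribute pattern has no pattern values")
    return sum(npvc) / len(npvc)


def least_fitness(npvc):
    """Eqs. 3 and 5: fitness minus the mean square distance from the fitness."""
    f = fitness(npvc)
    mean_square_distance = sum((f - nc) ** 2 for nc in npvc) / len(npvc)
    return f - mean_square_distance


def specification_thresholds(npvc_by_pattern):
    """Eqs. 6-9 (or 10-13): ess, ess_d, ess_min and ess_max for one label."""
    if not npvc_by_pattern:
        raise ValueError("SPA is empty")
    lf = [least_fitness(values) for values in npvc_by_pattern.values()]
    ess = sum(lf) / len(lf)
    # sqrt of a square is the absolute value, so ess_d is a mean absolute deviation.
    ess_d = sum(abs(ess - x) for x in lf) / len(lf)
    return {"ess": ess, "ess_d": ess_d, "ess_min": ess - ess_d, "ess_max": ess + ess_d}


if __name__ == "__main__":
    for label, npvc in (("positive", NPVC_POSITIVE), ("negative", NPVC_NEGATIVE)):
        scale = specification_thresholds(npvc)
        print(label, {name: round(value, 4) for name, value in scale.items()})
```

A pattern whose confidences are spread widely is penalized twice: its least fitness drops below its mean, and it widens the band between the min and max thresholds.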

4 Experimental Study

UNSW-NB15 [34, 35] is the dataset used in the empirical study. The dataset comprises 197336
records, tagged as negative (93,600) and intrude (104,336), which are considered for the
empirical study. Furthermore, to assess the performance of the proposal, a four-fold
classification strategy is adopted. The given records are partitioned into four folds such that,
in each iteration of the experiments, three folds of records are used to define the scale and
the remaining fold is used to test. The statistics of the scale definition are given in Table 3,
which shows the importance of the suggested heuristics for detecting intrusion. The detailed
statistics of scale evaluation are given in Table 4. The performance of the proposal is scaled
by comparison with the contemporary model called Transfer Learning Algorithm based IDS (TLA-IDS)
[33].

4.1 The Experimental Setup

The experimental simulation and pragmatic analysis of the proposal were carried out in a desktop
environment equipped with an Intel 7th generation processor at 3.6 GHz, 16 GB RAM, and an NVIDIA
GeForce graphics card [36], running the Windows 10 operating system. The IoT network simulation
was carried out using the simulator CupCarbon [37], which is a capable and dedicated IoT
simulator built on the Java platform. Data preprocessing, training, testing, and visualization
of the performance metric results were carried out using RStudio [38]. Memory and energy
utilization statistics and the computational complexity of the proposal and the other
contemporary methods were verified in the IoT simulation environment.

Table 3  The mean statistics of scale definition from four folds of training
Input (Intrude: 78252, negative: 69750) for each fold

$ess^+$          0.5738 ± 0.01
$ess^+_d$        0.1196 ± 0.0061
$ess^+_{min}$    0.4819 ± 0.0035
$ess^+_{max}$    0.6904 ± 0.0094
$ess^-$          0.658 ± 0.0094
$ess^-_d$        0.1855 ± 0.0085
$ess^-_{min}$    0.4788 ± 0.0024
$ess^-_{max}$    0.8211 ± 0.0015

Table 4  The statistics observed for performance metrics as overall performance (mean and
standard deviation of four folds)

                   Mean ± SD
                   SH-IDS              TLA-IDS
Positives          26151 ± 163         26779 ± 146
Negatives          23199 ± 179         22555 ± 146
True positives     24086 ± 99          23012 ± 144
False positives    2001 ± 149          3768 ± 155
True negatives     21198 ± 147         19377 ± 245
False negatives    2065 ± 110          3178 ± 73
PPV                0.9211 ± 0.0038     0.8593 ± 0.0055
NPV                0.9138 ± 0.006      0.8591 ± 0.0079
Sensitivity        0.9211 ± 0.0038     0.8822 ± 0.0055
Specificity        0.9138 ± 0.006      0.8334 ± 0.0105
Accuracy           0.9177 ± 0.0047     0.8592 ± 0.006

The statistics observed in the experimental study for the performance metrics, as the mean and
standard deviation of four folds, are as follows. The proposed method SH-IDS has 26151 ± 163
positives, and TLA-IDS has 26779 ± 146 positives. SH-IDS has 23199 ± 179 negatives, and TLA-IDS
has 22555 ± 146. The true positives for SH-IDS are 24086 ± 99, which is greater than TLA-IDS,
whose true positives are 23012 ± 144. The false positives for SH-IDS are 2001 ± 149, and for
TLA-IDS they are 3768 ± 155. The true negatives for SH-IDS are 21198 ± 147, which is greater
than TLA-IDS, whose true negatives are 19377 ± 245. The false negatives for SH-IDS are
2065 ± 110, and for TLA-IDS they are 3178 ± 73. The positive predictive value for SH-IDS is
0.9211 ± 0.0038, which is greater than TLA-IDS, whose PPV is 0.8593 ± 0.0055. The negative
predictive value for SH-IDS is 0.9138 ± 0.006, which is greater than TLA-IDS, whose NPV is
0.8591 ± 0.0079. The sensitivity for SH-IDS is 0.9211 ± 0.0038, which is greater than TLA-IDS,
whose sensitivity is 0.8822 ± 0.0055. The specificity for SH-IDS is 0.9138 ± 0.006, which is
greater than TLA-IDS, whose specificity is 0.8334 ± 0.0105. The accuracy for SH-IDS is
0.9177 ± 0.0047, which is greater than TLA-IDS, whose accuracy is 0.8592 ± 0.006.

4.2 Performance Analysis

In the testing phase of the experimental study, the input in each of the four folds comprises
23,850 negative records and 26,084 intruded records. Among these, the truly tagged negative
records are 21,198 ± 147 and 19,377 ± 245, and the truly tagged intruder records are
24,086 ± 99 and 23,012 ± 144, for the proposed model SH-IDS and TLA-IDS, respectively.

4.2.1 Analysis of the Detection Accuracy

The sensitivity observed for the proposal SH-IDS and the contemporary model TLA-IDS is 0.9211 ± 0.0038 and 0.8822 ± 0.0055 in respective order. Similarly, the specificity in the same order of methods is 0.9138 ± 0.006 and 0.8334 ± 0.0105. These two metrics indicate the performance advantage of the proposal SH-IDS over the contemporary method TLA-IDS in intrusion detection, since the sensitivity (intrusion detection accuracy) and the specificity (normal record detection accuracy) of TLA-IDS are much lower than those of the proposed model SH-IDS. The ratio of truly detected intruded records to the total records detected as intruded is the intrusion prediction value, usually called the positive predictive value (PPV), which is found to be 0.9211 ± 0.0038 and 0.8593 ± 0.0055 for SH-IDS and TLA-IDS in respective order. Similarly, the ratio of truly detected normal records to the total records detected as normal is the normal record predictive value, usually called the negative predictive value (NPV), which is found to be 0.9138 ± 0.006 and 0.8591 ± 0.0079 for SH-IDS and TLA-IDS in respective order. The observed PPV and NPV values indicate that SH-IDS is much more significant than the contemporary model TLA-IDS. The metric “accuracy” denotes the ratio of truly predicted records to the total records given as input for the testing phase, which is observed as 0.9177 ± 0.0047 and 0.8592 ± 0.006 for SH-IDS and TLA-IDS in respective order. These accuracy values from the experimental study show that the proposal is much more significant than the contemporary model. All of these statistics show that the suggested heuristics, which measure the negative and intrusion scope of IoT network transactions, are important for distinguishing IoT network traffic as negative or intruded with an accuracy far higher than that of the contemporary model. The sensitivity of the proposed model SH-IDS signifies that its “miss rate” is lower than that of the contemporary models. The detailed statistics of each fold of the experiment are given in Table 5 and Figs. 2, 3, 4, 5 and 6.
The metric sensitivity is defined as the ratio of actual positive instances that were estimated to be true positives. It is also called recall. Figure 2 represents a
graph drawn between sensitivity and FOLD-ID of SH-IDS & TLA-IDS. It is noticed from
the graph that, the sensitivity for the proposed method SH-IDS and contemporary TLA-
IDS method at fold 1 is 0.92 and 0.887. The sensitivity for SH-IDS and TLA-IDS at fold 2
is 0.92 and 0.88. The sensitivity for SH-IDS and TLA-IDS at fold 3 is 0.91 and 0.87, and
finally, at fold 4 the sensitivity for the proposed and contemporary method is 0.92 and 0.88
respectively. From statistics, it is evinced that, the proposed method SH-IDS performs bet-
ter than TLA-IDS.


Table 5  The statistics observed for performance metrics under four-fold strategies

Metric            Fold #1            Fold #2            Fold #3            Fold #4
                  SH-IDS   TLA-IDS   SH-IDS   TLA-IDS   SH-IDS   TLA-IDS   SH-IDS   TLA-IDS
Positives         26167    26999     25912    26824     26373    26647     26152    26647
Negatives         23167    22335     22963    22510     23465    22687     23201    22687
True positives    24097    23146     23925    22949     24131    22804     24191    23147
False positives   2076     3853      1933     3875      2196     3843      1800     3500
True negatives    21091    19043     21030    19460     21269    19290     21401    19714
False negatives   2070     3292      1987     3050      2242     3397      1961     2973
PPV               0.9209   0.857     0.9233   0.856     0.915    0.856     0.925    0.869
NPV               0.9104   0.853     0.9158   0.865     0.9064   0.85      0.9224   0.869
Sensitivity       0.9209   0.887     0.9233   0.88      0.915    0.874     0.925    0.887
Specificity       0.9104   0.819     0.9158   0.837     0.9064   0.83      0.9224   0.848
Accuracy          0.916    0.855     0.9198   0.86      0.911    0.853     0.9238   0.869

Fig. 2  Sensitivity value observed for SH-IDS and TLA-IDS

Fig. 3  The specificity value observed for SH-IDS and TLA-IDS

Fig. 4  The accuracy value observed for SH-IDS and TLA-IDS

Fig. 5  The PPV (precision) value observed for SH-IDS and TLA-IDS

Fig. 6  The NPV value observed for SH-IDS and TLA-IDS

The metric specificity is defined as a ratio of actual negatives that got estimated to be
true negative. Figure 3 represents a graph drawn between specificity and FOLD-ID of SH-
IDS & TLA-IDS. It is noticed from the graph that, the specificity for the proposed method
SH-IDS and contemporary TLA-IDS method at fold 1 is 0.91 and 0.81. The specificity for
SH-IDS and TLA-IDS at fold 2 is 0.91 and 0.83. The specificity for SH-IDS and TLA-
IDS at fold 3 is 0.90 and 0.83, and finally, at fold 4 the specificity for the proposed and
contemporary method is 0.92 and 0.84 respectively. From statistics, it is exhibited that, the
proposed method SH-IDS is more significant than TLA-IDS.


The metric accuracy is defined as approximations of measurement for the specific value.
Figure 4 represents a graph drawn between Accuracy and FOLD-ID of SH-IDS & TLA-
IDS. It is perceived from the graph that, the Accuracy for the proposed method SH-IDS
and contemporary TLA-IDS method at fold 1 is 0.91 and 0.855. The accuracy for SH-
IDS and TLA-IDS at fold 2 is 0.91 and 0.86. The accuracy for SH-IDS and TLA-IDS at
fold 3 is 0.91 and 0.85, and finally, at fold 4 the accuracy for the proposed and contempo-
rary method is 0.92 and 0.86 respectively. From statistics, it is evinced that, the proposed
method SH-IDS performs better than TLA-IDS.
The metric PPV is also called precision, which, in terms of information retrieval, is defined as the fraction of retrieved documents that are relevant to the query. Figure 5 represents a graph drawn between PPV and FOLD-ID of SH-IDS & TLA-IDS. It is noticed
from the graph that, the PPV for the proposed method SH-IDS and contemporary TLA-
IDS method at fold 1 is 0.92 and 0.85. The PPV for SH-IDS and TLA-IDS at fold 2 is 0.92
and 0.85. The PPV for SH-IDS and TLA-IDS at fold 3 is 0.91 and 0.85, and finally, at fold
4, the PPV for proposed and contemporary method is 0.92 and 0.86 respectively. From sta-
tistics, it is exhibited that, the proposed method SH-IDS is more significant than TLA-IDS.
The metric NPV is defined as the ratio of the number of true negatives to the number of true negatives and false negatives. Figure 6 represents a graph drawn between NPV and FOLD-ID of SH-IDS & TLA-IDS. It is perceived from the graph that, the NPV for the proposed
method SH-IDS and contemporary TLA-IDS method at fold 1 is 0.91 and 0.85. The NPV
for SH-IDS and TLA-IDS at fold 2 is 0.915 and 0.865. The NPV for SH-IDS and TLA-IDS
at fold 3 is 0.90 and 0.85, and finally, at fold 4 the NPV for proposed and contemporary
method is 0.922 and 0.869 respectively. From statistics, it is evinced that, the proposed
method SH-IDS performs better than TLA-IDS.
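
The metric definitions above can be cross-checked against Table 5. The following Python sketch is an added example, not code from the paper: it recomputes each metric from the per-fold counts in Table 5 with the standard confusion-matrix definitions and lists the metrics whose recomputed four-fold mean differs from the mean reported in the text. The function names, the tolerance and the use of the population standard deviation are assumptions.

```python
from statistics import mean, pstdev

# Per-fold counts copied from Table 5, in the order (TP, FP, TN, FN).
TABLE5 = {
    "SH-IDS": [(24097, 2076, 21091, 2070), (23925, 1933, 21030, 1987),
               (24131, 2196, 21269, 2242), (24191, 1800, 21401, 1961)],
    "TLA-IDS": [(23146, 3853, 19043, 3292), (22949, 3875, 19460, 3050),
                (22804, 3843, 19290, 3397), (23147, 3500, 19714, 2973)],
}

# Four-fold means as reported in the text of this section.
REPORTED_MEAN = {
    "SH-IDS": {"sensitivity": 0.9211, "specificity": 0.9138,
               "ppv": 0.9211, "npv": 0.9138, "accuracy": 0.9177},
    "TLA-IDS": {"sensitivity": 0.8822, "specificity": 0.8334,
                "ppv": 0.8593, "npv": 0.8591, "accuracy": 0.8592},
}


def fold_metrics(tp, fp, tn, fn):
    """Standard confusion-matrix metrics for one fold."""
    sensitivity = tp / (tp + fn)              # recall: detected share of intrusions
    return {
        "sensitivity": sensitivity,
        "specificity": tn / (tn + fp),        # detected share of normal records
        "ppv": tp / (tp + fp),                # precision of the "intruded" label
        "npv": tn / (tn + fn),                # precision of the "normal" label
        "accuracy": (tp + tn) / (tp + fp + tn + fn),
        "miss_rate": 1.0 - sensitivity,       # share of intrusions not detected
    }


def summarize(model):
    """Return {metric: (mean, standard deviation)} over the four folds.

    Assumption: population standard deviation (pstdev); the page does not
    state which estimator produced its +/- values.
    """
    per_fold = [fold_metrics(*counts) for counts in TABLE5[model]]
    return {
        name: (mean([f[name] for f in per_fold]),
               pstdev([f[name] for f in per_fold]))
        for name in per_fold[0]
    }


def deviations(model, tol=1e-3):
    """Metrics whose recomputed mean differs from the reported mean by > tol."""
    summary = summarize(model)
    return sorted(
        name for name, reported in REPORTED_MEAN[model].items()
        if abs(summary[name][0] - reported) > tol
    )


if __name__ == "__main__":
    for model in TABLE5:
        for name, (mu, sd) in summarize(model).items():
            print(f"{model:8s} {name:12s} {mu:.4f} ± {sd:.4f}")
        print(model, "differs from reported mean:", deviations(model))
```
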

4.2.2 Analysis of the Process Overheads

The IoT simulation was built using the simulator CupCarbon [37], which was used to verify the process overheads of the IoT devices when adopting the proposed method and the contemporary methods for intrusion detection. The process overheads, memory usage and energy consumption, are explored in the following description. The IoT devices in the simulation environment fall into one of the following categories: weather, smoke, humidity, motion, temperature, distance, and depth monitoring. The technical specifications of the sensors used in the simulation are listed in Table 6.

Table 6  Technical specifications of the sensor nodes used in simulation

Parameter             Value
Sensor size           22.0 mm × 20.5 mm × 1.6 mm
Resolution            8-bit task 8-bit source
Operating voltage     3.3 to 5 V DC
Operating current     < 15 mA
Measuring range       20–95% of relative task (weather, smoke, motion, or many other)
Measuring distance    2 cm to 80 cm
Interfaces            3-pin interfaces, 4-pin interfaces
Frequency             40 Hz
Accuracy              3 mm
RAM                   10 kb
Flash                 48 kb

Fig. 7  Empirical probabilities of energy consumption in millijoules (J × 10^−3)

Fig. 8  Empirical probabilities of the memory usage observed from SH-IDS and TLA-IDS

The storage memory required for each n-gram is approximately equal to the length of the corresponding n-gram. The n-gram patterns from a given test record are fixed, since the n-grams are generated from the fixed number of optimal attributes of the network transaction. Hence, the required storage memory is stable for each iteration. In addition, the memory required for the process is similar for each network transaction submitted for detection of intrusion scope, since the number of iterations required to check the label scope of the corresponding test record is stable and linear (equal for each attempt of label prediction).
Similarly, the energy consumption observed at the IoT device to perform label prediction is also linear, since, as stated above, the number of iterations of the label prediction process is constant.
The memory and energy usage of the training phase (detection of specification heuristics) is not considered in our experiments, since the training phase occurs only once and can be done in passive mode. For this reason, a high-end computer was used to perform the training phase that discovers the specification heuristics. In contrast to the proposed model, the contemporary models exhibit overhead in memory usage and energy consumption, since the contemporary model runs contrary to the advantages described above regarding the minimal memory and process overheads of the proposed model. Hence, the empirical analysis of both the proposal and the contemporary method shows that the proposed model is linear in the overheads related to memory and energy usage (see Figs. 7 and 8).
The energy consumption is denoted by the empirical probability of the energy required to perform the intrusion check on a set of buffered network transactions, which includes the energy consumed during the listening time the sensor spends collecting each network transaction. The threshold of obligatory energy consumption [39] due to other technical factors, such as the signal-to-noise ratio, is also considered when estimating the empirical probability of the energy consumption for a set of buffered transactions. The estimation of the empirical probability of the energy consumption is formulated in Eq. 16:

$$ecr = \frac{\sum_{q=1}^{|nt|} \left\{ erp_q + err_q + oec \right\}}{|nt|} \tag{16}$$
Here, in Eq. 16:

• The notation ecr denotes the energy consumption ratio, which is the empirical probability of the energy consumption.
• The notation erp_q denotes the energy required to process the transaction indexed by q.
• The notation err_q denotes the energy required to receive the network transaction indexed by q.
• The notation oec denotes the threshold of energy consumption due to other factors such as the signal-to-noise ratio.

The experimental study of the energy consumption overhead shows that the proposed SH-IDS is optimal compared to the contemporary model TLA-IDS. The average energy consumption observed at different time intervals of the experiment for SH-IDS and the contemporary model TLA-IDS is 316.855 ± 16.155 mJ and 457.683 ± 44.817 in respective order. A substantial margin is clearly visible between the proposed model and the contemporary model in energy consumption overhead. Approximately 70% of the energy is conserved by SH-IDS compared to the contemporary model TLA-IDS.
Similarly, the empirical probability of the memory usage to estimate the intrusion scope of the set of network transactions is estimated using Eq. 17:
$$mur = \left( \sum_{q=1}^{|nt|} \left\{ mup_q + mus_q + muh \right\} \right) \times |nt|^{-1} \tag{17}$$

Here, in Eq. 17:

• The notation mur denotes the memory usage ratio, which is the empirical probability of the memory usage of buffered network transactions of count |nt|.
• The notation mup_q denotes the memory used to process the transaction indexed by q.
• The notation mus_q denotes the memory used to store the network transaction indexed by q.
• The notation muh denotes the threshold of memory used to store the heuristics of intrusion and benign scope.

Figure 8 portrays the empirical probabilities of the memory usage observed at different time intervals of the experiments. The averages of the empirical probabilities of the memory usage observed for the proposed model SH-IDS and the contemporary model TLA-IDS are 287.931 ± 17.267 and 667.672 ± 19.727. It can be concluded that the proposal shows the least and linear memory usage overhead compared to the contemporary model TLA-IDS. On average, 47% less memory is used by SH-IDS compared to the contemporary model TLA-IDS.

5 Conclusion

This contribution portrayed a model for defending IoT networks against intrusion, labelled “Specification Heuristics based Intrusion Detection System (SH-IDS)”. The model is depicted as a specification method referred to as Specification Heuristics for positive and negative labels. The suggested scale enables the prediction of vulnerable transactions of the specified IoT networks. The method of defining the Specification Heuristics derives unique n-gram sequential patterns of values for sequential patterns of the attributes from the records of both the positive and negative labels. The experimental study shows that the suggested method SH-IDS is highly significant because it achieves more than 91% detection accuracy, which is more significant than contemporary models such as TLA-IDS [33]. In addition, the energy and memory usage overheads observed for the proposed model SH-IDS are minimal and linear compared to the contemporary model TLA-IDS. Future research can extend the model to deal with n-gram attributes. In another direction, the presented specification scale may be employed as an objective function for evolutionary computation techniques such as the genetic algorithm and the Differential Evolution algorithm.

References
1. Vermesan, O., Friess, P., Guillemin, P., Gusmeroli, S., Sundmaeker, H., Bassi, A., et al. (2011). Inter-
net of things strategic research roadmap. Internet of Things-Global Technological and Societal Trends,
1(2011), 9–52.
2. Peña-López, I. (2005). ITU Internet report 2005: The internet of things.
3. Sicari, S., Rizzardi, A., Grieco, L. A., & Coen-Porisini, A. (2015). Security, privacy and trust in Inter-
net of Things: The road ahead. Computer Networks, 15(76), 146–164.
4. Shakshuki, E. M., Kang, N., & Sheltami, T. R. (2013). EAACK—A secure intrusion-detection system
for MANETs. IEEE Transactions on Industrial Electronics, 60(3), 1089–1098.
5. Trippel, T., Weisse, O., Xu, W., Honeyman, P., & Fu, K. (2017). WALNUT: Waging doubt on the
integrity of MEMS accelerometers with acoustic injection attacks. In 2017 IEEE European symposium
on security and privacy (EuroS&P) (pp. 3–18). IEEE.
6. Oh, D., Kim, D., & Ro, W. W. (2014). A malicious pattern detection engine for embedded security
systems in the Internet of Things. Sensors, 14(12), 24188–24211.
7. Lee, T.-H., Wen, C.-H., Chang, L.-H., Chiang, H.-S., & Hsieh, M.-C. (2014). A Light weighted
instruction detection scheme based on energy consumption analysis in 6LowPAN. Lecture Notes in
Electrical Engineering, 260, 1205–1213. https://doi.org/10.1007/978-94-007-7262-5137.
8. Cervantes, C., Poplade, D., Nogueira, M., & Santos, A. (2015). Detection of sinkhole attacks for sup-
porting secure routing on 6LoWPAN for Internet of Things. In IM (pp. 606–611).
9. Raza, S., Wallgren, L., & Voigt, T. (2013). SVELTE: Real-time intrusion detection in the Internet of
Things. Ad Hoc Networks, 11(8), 2661–2674.
10. Farooqi, A. H., & Khan, F. A. (2009). Intrusion detection systems for wireless sensor networks: A sur-
vey. In Communication and networking (pp. 234–241). Berlin : Springer.
11. Cho, E. J., Kim, J. H., & Hong, C. S. (2009). Attack model and detection scheme for Botnet on 6LoW-
PAN. In Asia-Pacific network operations and management symposium (pp. 515–518). Berlin: Springer.


12. Kasinathan, P., Pastrone, C., Spirito, M. A., & Vinkovits, M. (2013). Denial-of-service detection in
6LoWPAN based Internet of Things. In 2013 IEEE 9th international conference on wireless and
mobile computing, networking and communications (WiMob) (pp. 600–607). IEEE.
13. Kasinathan, P., Costamagna, G., Khaleel, H., Pastrone, C., & Spirito, M. A. (2013). An IDS framework
for internet of things empowered by 6LoWPAN. In Proceedings of the 2013 ACM SIGSAC conference
on computer & communications security (pp. 1337–1340). ACM.
14. Wallgren, L., Raza, S., & Voigt, T. (2013). Routing attacks and countermeasures in the RPL-based
Internet of Things. International Journal of Distributed Sensor Networks, 9(8), 794326.
15. Gelenbe, E., & Yin, Y. (2017). Deep learning with dense random neural networks. In Proceedings of
the international conference on man–machine interactions (pp. 3–18). Springer.
16. Brun, O., Yin, Y., Gelenbe, E., Kadioglu, Y. M., Augusto-Gonzalez, J., & Ramos, M. (2018). Deep
learning with dense random neural networks for detecting attacks against IoT-connected home envi-
ronments. In Proceedings of the 2018 ISCIS security workshop, Lecture notes CCIS, in: 821. Imperial
College London. Recent Cybersecurity Research in Europe.
17. Liu, X., Liu, Y., Liu, A., & Yang, L. T. (2018). Defending on–off attacks using light probing messages
in smart sensors for industrial communication systems. IEEE Transactions on Industrial Informatics,
14(9), 3801–3811.
18. Diro, A. A., & Chilamkurti, N. (2018). Distributed attack detection scheme using deep learning
approach for Internet of Things. Future Generation Computer Systems, 82, 761–768.
19. Anthi, E., Williams, L., & Burnap, P. (2018). Pulse: An adaptive intrusion detection for the Internet of
Things.
20. Pajouh, H. H., Javidan, R., Khayami, R., Ali, D., & Choo, K.-K. R. (2016). A two-layer dimension
reduction and two-tier classification model for anomaly-based intrusion detection in IoT backbone net-
works. IEEE Transactions on Emerging Topics in Computing, 7(2), 314–323.
21. D’Angelo, G., Palmieri, F., Ficco, M., & Rampone, S. (2015). An uncertainty-managing batch rele-
vance-based approach to network anomaly detection. Applied Soft Computing, 36, 408–418.
22. Kozik, R., Choraś, M., Ficco, M., & Palmieri, F. (2018). A scalable distributed machine learning
approach for attack detection in edge computing environments. Journal of Parallel and Distributed
Computing, 119, 18–26.
23. Le, A., Loo, J., Luo, Y., & Lasebae, A. (2011). Specification-based IDS for securing RPL from topol-
ogy attacks. In 2011 IFIP wireless days (WD) (pp. 1–3). IEEE.
24. Amaral, J. P., Oliveira, L. M., Rodrigues, J. J., Han, G., & Shu, L. (2014). Policy and network-based
intrusion detection system for IPv6-enabled wireless sensor networks. In 2014 IEEE international con-
ference on communications (ICC) (pp. 1796–1801). IEEE.
25. Pongle, P., & Chavan, G. (2015). Real time intrusion and wormhole attack detection in Internet of
Things. International Journal of Computer Applications, 121(9), 1–9.
26. Thanigaivelan, N. K., Nigussie, E., Kanth, R. K., Virtanen, S., & Isoaho, J. (2016). Distributed internal
anomaly detection system for Internet-of-Things. In 2016 13th IEEE annual consumer communica-
tions & networking conference (CCNC) (pp. 319–320). IEEE.
27. Vacca, J. R. (2012). Computer and information security handbook. Newnes: Elsevier.
28. Liao, H. J., Lin, C. H., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A comprehensive
review. Journal of Network and Computer Applications, 36(1), 16–24.
29. Mitchell, R., & Chen, I. R. (2014). A survey of intrusion detection techniques for cyber-physical sys-
tems. ACM Computing Surveys (CSUR), 46(4), 55.
30. Summerville, D. H., Zach, K. M., & Chen, Y. (2015). Ultra-lightweight deep packet anomaly detection
for Internet of Things devices. In 2015 IEEE 34th international performance computing and communi-
cations conference (IPCCC) (pp. 1–8). IEEE.
31. Butun, I., Morgera, S. D., & Sankar, R. (2014). A survey of intrusion detection systems in wireless
sensor networks. IEEE Communications Surveys & Tutorials, 16(1), 266–282.
32. Le, A., Loo, J., Chai, K. K., & Aiash, M. (2016). A specification-based IDS for detecting attacks on
RPL-based network topology. Information, 7(2), 25.
33. Deng, L., Li, D., Yao, X., Cox, D., & Wang, H. (2018). Mobile network intrusion detection for IoT system based on transfer learning algorithm. Cluster Computing, 22, 9889–9904. https://doi.org/10.1007/s10586-018-1847-2.
34. The-UNSW-NB15-dataset. (2018). https://www.unsw.adfa.edu.au/australian-centre-for-cybersecurity/cybersecurity/ADFA-NB15-Datasets/.
35. Moustafa, N., & Slay, J. (2015). Unsw-nb15: A comprehensive data set for network intrusion detection
systems (unsw-nb15 network data set). In Military communications and information systems confer-
ence (MilCIS) (pp. 1–6). IEEE.
36. https://www.nvidia.com/Download/index.aspx?lang=en-us.
37. http://cupcarbon.com/.
38. https://github.com/rstudio/rstudio.
39. Siddesh, G. K., Muralidhara, K. N., & Harihar, M. N. (2011). Routing in ad hoc wireless networks
using soft computing techniques and performance evaluation using hypernet simulator. International
Journal of Soft Computing and Engineering, 1(3), 91–97.

Publisher’s Note  Springer Nature remains neutral with regard to jurisdictional claims in published maps and
institutional affiliations.

M. Jagadeesh Babu received his B.Tech from JNT University Hyderabad in 2001 and his Masters in Applied Electronics from Anna University, Chennai in 2006, and is pursuing a Ph.D. in Electronics & Communication Engineering at JNT University, Anantapuramu. He is currently working as an Associate Professor of ECE, Chadalawada Ramanamma Engineering College, Tirupati, Andhra Pradesh. His research interests are embedded systems, Internet of Things, intrusion detection systems and network security. He is a life member of IEEE and IETE. He has more than 13 years of experience in teaching. He has 10 publications and has presented 3 papers in national and international conferences.

A. Raji Reddy was born in 1956. He received his M.Sc from Osmania University, his M.Tech in Electrical and Electronics and Communication Engineering from IIT, Kharagpur in 1979, and his Ph.D degree from IIT, Kharagpur in 1986. He has 37 years of experience in research and teaching. He worked as a senior scientist in R&D of ITI Ltd, Bangalore for about 24 years. He worked as a professor and head in the Department of Electronics and Communication, Madanapalle Institute of Technology & Science, Madanapalle. He is a life member of IETE and CSI. His current research areas are cryptography and its application to wireless systems, and network security. He has 22 publications and has presented 56 papers in national and international conferences.
