Anomaly Based Intrusion Detection on IOT Devices using Logistic Regression

Sasikala K Vasuhi S
Assistant Professor Associate Professor
Department of Computer Science Engg., Department of Electronics Engg.,
Saveetha Engineering College Madras Institute of Technology, India
ksasikala1792@gmail.com vasuhi_s@annauniv.edu
2023 International Conference on Networking and Communications (ICNWC) | 979-8-3503-3600-9/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICNWC57852.2023.10127375

Abstract
The collecting and exchange of information without human intervention will soon be possible thanks to
the Internet of Things. Numerous conflicts with IOT technology are emerging due to the fast increase
in connected devices, including those related to diversity, expansibility, service quality, security
requirements, and many more. IOT technology has advanced as a result of technological developments
like machine learning. To reduce learning difficulty by computing features, factor selection, also called
feature selection, is crucial, especially for a large, huge data set like network traffic. Despite the ease of
the new selection approaches, it is actually not an easy task to do feature selection properly. The
Internet of Things will soon make it feasible to gather and transmit information without human
involvement. Due to the rapid growth in connected devices, a number of conflicts with IOT
technologies are arising. These conflicts include those involving diversity, expansibility, quality of
service, security needs, and many more. As a consequence of technical advancements like machine
learning, IOT technology has improved. Factor selection, also known as feature selection, is essential
to lessen the complexity of learning by computing features, especially for a massive, enormous data set
like internet traffic. Even though the new selection methods are simple, selecting features correctly is a
difficult undertaking. Systems that detect and prevent intrusions are the most popular technology for
spotting suspicious behaviour and defending diverse infrastructures against network intrusions (IDPSs).
On the UNSW (University of New South Wales)-NB15 data set, our suggested logistic regression
algorithm makes predictions of anomalies with an accuracy of 98% using the automated feature
selection approach since the accuracy of the model depends on the feature. The dimensionality
reduction approach is used to reduce the misleading data.

Keywords: Internet of things, Anomaly, Factor selection, logistic regression, Detection rate.

I Introduction information from theft, disclosure, and DOS

With smart sensors having enhanced connection,
such as patient monitoring, environmental
sensing, flood control, smart farming, and smart
homes, the Internet of Everything (IoT) is
transforming the industry and making life wiser.
More precisely, Without the need of human or
device-to-device interfaces, the Internet of
Things (IoT) enables a variety of dissimilar
physical items to cooperate and interact with one
another for the goal of sharing data over a wide
range of networks. [1].On the other hand,
malicious traffic is growing more intricate and
regular. To assault their targets, organized cyber
terrorists employ a range of strategies. script
youths, hacktivists, and hackers supported by
nations. Detecting, protecting, and limiting
unwanted traffic is challenging and expensive as
businesses strive to adhere to national norms,
organization-specific requirements, and
compliance duties. To defend internal operations
from outside threats, a secured network
architecture should incorporate front-line
systems such firewalls, intrusion prevention
system, online content screening, and URL
filtering[2]Due to the evolution of attack
strategies and the complexity of organized
crime, it is difficult to properly protect sensitive
attacks. Researchers are looking at alternative
anomalous traffic detection techniques using
machine learning methodologies to improve
conventional signature-based intrusion detection
systems. An intrusion detection system can
identify both attacks and suspicious activity.
However, the intrusion protection system could
miss certain frames if the network is congested.
systems that audit files, monitor real-time traffic,
and identify breaches. Depending as to how
intrusion detection systems interpret the traffic,
it is categorized as real positive, false alarm, true
negative, or false-negative.
II. RELATED WORK
The data set utilized in Adeel et alstudy .'s of the
classification issue is termed as CICIDS2017. In
their work[1], they employ six distinct methods
for supervised ML classification in intrusion
detection. Tree structure (DT), naive Bayes
(NB), Gaussian and multi variable, random
forests (RF), regression models (LR), linear
SVM, and stochastic gradient descent predictor
are some of the techniques utilized with stacked
classifier as an ensemble approach (SGD
Classifier). Using an ensemble paradigm, it
gives high accuracy with less processing power,

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE

Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on June 15,2023 at 04:53:44 UTC from IEEE Xplore. Restrictions apply.
 resources, and false alarm rate by using ML
algorithms instead of ANN and DL techniques.
Classifier NB, DT, and LR have accuracy levels
of 83.93%, 93.50%, and 87.60% in multi-class,
respectively, with a notable improvement in
accuracy.
Fekadu et al. experimented with five machine
learning algorithms to discover an effective
classifier that detects anomalous traffic from the
NSL- KDD data set with high precision level
and minimum error rate[2]. Five classifiers—
Stochastic Gradient Descending, Random
Forests, Logistic Regression, Support Vector
Machine, and Sequential Models—have been
examined and validated to provide the result.
The results show that Random forest
classification performs better than the other four
classifiers both with and without using the
normalisation method to the dataset.
In a sensor or Internet of Things node with
limited resources, Christiana et al. assessed the
viability of operating a lightweight detection
mechanism system[3]. They employed mIDS,
which is a statistical analysis technique based on
Binary Regression Analysis to monitor and
detect assaults (BLR). mIDS creates a normal
behaviour model that recognizes abnormalities
inside the confined node using just local node
characteristics for both malicious and benign
activity as input. ensures proper functioning by
validating mIDS in a situation with active
network-layer assaults. Critical information from
the network level is acquired and used in this
system as the foundation for profiling sensor
activity.
Rough Set Theory (RST) and Support Vector
Machine (SVM) were utilised by Vipin et al. to
detect network breaches[4]. RST is used to
reduce the size and restore the previous state of
the data after the initial collection of packets
from the network. The SVM model will get the
attributes that RST chooses to utilise for training
and testing. The technique works well to reduce
data space density. The studies indicate that RST
and SVM schema may lower the number of false
positives and boost accuracy by comparing the
results with Principal components analysis
(PCA).
With the use of network anomaly detection,
Makiya et al. investigated the difficulties in
automated feature selection. By incorporating
the existing methodologies, the author proposed
an ensemble classifier that reaps their benefits.
One of the suggested ensemble techniques,
based on greedy search, performs highly
consistently and produces results that are
comparable to those of the existing
techniques[5]. The author also discusses the
issue of knowing when to end the feature
removal process and offers a variety of
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on June 15,2023 at 04:53:44 UTC from IEEE Xplore. Restrictions apply.
techniques for figuring out how many features
should remain in the decreased feature set. The
experimental findings with two current network
datasets demonstrate that the provided ensemble
and halting approaches consistently produce
performance with a lesser number of features
compared to traditional selection strategies for
the feature sets found.
Machine learning-based intrusion in resource-
constrained IoT contexts was proposed by
Yakub et al. [5]. In order to prevent information
from leaking onto test data, the proposed
learning algorithm uses calculated on the basis
based on the min-max idea of normalization in
the UNSW-NB15 data set. Then, all XGBoost,
Cat-boost, K - nearest neighbors, SVM, QDA, &
NB classifiers are trained using the reduced data
set. In terms of testing data, accuracy, F1,MCC,
or correctness of the two suggested models, the
experimental results of the proposed study
exceeded the state-of-the-art, reaching 99.99%.
Ahmed et alevaluation .'s of the issues with
machine learning-based intrusion detection
systems for the The Internet of Things may be
found at [6]. Investigated large dimensionality,
computational complexity, and changing and
idea drift as the three key issues of learning
algorithms when interacting with an IDS for
such IoT. demonstrated every one of these
difficulties generally, and their connections to
machine learning specifically. Additionally, it
featured the KDD99, NSL, and Kyoto datasets
as its three core datasets. The key issues with
IoT and IDSs were then discussed, along with
solutions based on the literature that has already
been written on the subject.
To better perform its function as an assistant
driver, ADAS should incorporate the suggested
RBM-LSTM framework. D. Wu et al.[14]
proposed the RBM-LSTM framework serves as
the driver's warning since it is able to identify
how the driver's actions affect the vehicle while
driving. The security of ADAS itself is increased
thanks to RBM-LSTM, which helps ADAS
comprehend the effects of each operation, which
actions are appropriate and which behaviors
would cause issues.
The operational architectures and theoretical
underpinnings of the primary anomaly-based
network intrusion detection methods were
explored by Jyothsna et al. [7] in addition to
their classification of processing types in relation
to the "behavioral" model for the target system.
The key characteristics of numerous ID
systems/platforms that are now accessible are
also briefly described in this study. With
assessment given special consideration, the most
significant outstanding issues with anomaly-
based network intrusion detection are addressed.
 Talking about research and development in the
field of IDS must start with the material that has
been presented. More speed and effectiveness in
countermeasures are needed to deal with the
uptick in assaults.
III PROPOSED WORK
A security system that integrates host and
network activity is known as an IDS.[11] This
examines the network packets being exchanged,
looks for unusual activity, and processes the
alert notice. The cornerstone for anomaly-based
detection is network behaviour. The anomaly -
based event will be initiated or the network
activity will be permitted if it fits the expected
behaviour. The expected network behaviour is
prepared for or taught by the network
administrators. Anomaly detection is the process
of identifying deviations from the regular pattern
of network traffic. During non-attack times, the
network's typical profile is noted and is mostly
reflected by statistical information. [6] A
manager who generally only uses his account
after hours and only accesses the network during
the day is an example of this type of activity
deviation. Even if it was not related to an assault,
such a variance is odd and might be a sign of
one. This can result in a false alert as a result. In
order to avoid erroneous alarms, it is therefore
possible to carry out regular updates of the user
behaviour patterns on the network. The three
categories of anomaly-based intrusion detection
are statistical, knowledge-based, and machine
learning-based.
Statistical-based anomaly IDS Anomaly
detection based on statistics The regular
statistical properties of the traffic are compared
to a stochastic model of the usual functioning of
the traffic using statistical-based anomaly IDS.
According to sources, the gap is the source of
the attack.
knowledge-based anomaly IDS Professionals
supply a set of rules in the form of an expert
system or fuzzy system to characterise the
behaviour of usual connections and attacks in
knowledge-based anomaly identification. The
rule-based technique is coupled to inputs for soft
anomaly detection. In addition to enabling some
of the rules to be based on input values,
heuristics or a syntactic description of the
attack's behaviour may be provided.
Machine learning-based anomaly IDS
Analyzed patterns are either explicitly or
implicitly modeled in an anomaly IDS that is
based on machine learning. These models
undergo frequent updates to improve the
efficacy of intrusion detection based on prior
findings. [12]Extracting features from the traffic
is a crucial stage in the training of the ML
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on June 15,2023 at 04:53:44 UTC from IEEE Xplore. Restrictions apply.
models. Here, the IDS was designed using
characteristics whose values fluctuate during
attack phases as opposed to periods of regular
operation. Even the best algorithm will fail to
detect an incursion or an unusual state if the
specified feature does not change during the
attacks.
[13] In order to find the ideal parameter values,
choosing hyper parameters is a time-consuming
and expensive computing operation. As a result,
several selection approaches are available,
including grid search, random search, and
Bayesian-based optimization techniques.
Figure 1. Pie chart with labels for normal and
unhealthy conditions.
Figure 1 displays the labels' normal and
abnormal values. The multi-class label
distribution chart is displayed.
i. Logistic Regression (LR)
LR is a supervising method of machine learning
for categorizing things that keeps an eye on a
certain set of classes.While it is referred to as
"regression," Logistic Regression (LR) is a
machine learning approach that is mostly used
for the binary classification job. When the
learning algorithm uses the one-vs rest
techniques for multi class classification tasks,
the LR can also be applied[15]. The logistic
function uses the sigmoid function as its cost
function. Predictions are converted to
probabilities using this function [9]. We showed
that the probability of an event happening may
be anticipated by fitting the data to a linear
model. The sigmoid function's formula is:
(1)
Where F(x) is an outputs between 0 and 1, x is
an input to the function, and e is the natural log
base. Logistic regression is one of them that has
 been widely utilized as a broad data processing account. Common categorization metrics include
tool for binary classification that predictions. correctness, real positive values, and false
However, one linear model—logistic positive rates. Recall and precision are functions
regression—is the subject of this work [10]. of accuracy and true positive rates.
Binary classifier data types might be modeled
using a number of learning strategies. ! " # / ! " # "
1| , 1 ! " # (3)
(2)
! % & '( !/ ! " ! (4)
The model for logistic regression for a binary
)% ** !/ ! " # (5)
answer may be stated by integrating the different
combination of input characteristics, a
correlating weight (w), or a biased term (b) for
every occurrence, as shown in equation (2).

Figure 4. Multi-label correlation matrix

Figure2. Binary categorization in log regression
The binary classification in Figure 2 of our
suggested strategy for logistic regression is
shown. The response variable in logistic
regression has a numerical value. Logistic
regression uses the log of the probability of
being allocated to the i-th grouping of a single or
multi-class answer as the answer variable [9].
When employing logistic regression, a variety of
assumptions are made, such as the following:
independent, normally distributed answers
(logits) at each and every level of a subgroups of
the explained variable, with variance between
the answers and so all values of the explained
variable.
The accuracy of logistic regression using binary
classification is 97.80%, and the accuracy of
regression models using multi-class
classification is 97.58%.
IV CONCLUSION
To defend internal operations from outsider
threats, a protected network design should
incorporate front-line systems including
firewalls, intrusion prevention and detection
systems, online media filtering, and URL
filtering. Using logistic regression, we suggested
an anomaly-based intrusion detection system for
IOT devices in this work. Binary and multi-class
classification were employed using logistic
regression. The accuracy of logistic regression
using classifier is 97.80%, and the accuracy of
regression models using multi-class
classification is 97.58%.

Figure 3. Multi class classification and logistic
regression
Figure 3 displays the multi class categorization
using logistic regression in our suggested
approach.
IV Results
When assessing the effectiveness of the
complete model, correctness, positive predictive
value, rate of false positives accuracy, and
recalls were the primary criteria taken into
References
[1]. Abbas, Adeel & Khattak, Muazzam &
Latif, Shahid & Ajaz, Maria & Shah, Awais &
Ahmad, Jawad. (2021). A New Ensemble-Based
Intrusion Detection System for the Internet of
Things. ARABIAN JOURNAL FOR SCIENCE
AND ENGINEERING. 47. 10.1007/s13369-
021-06086-5.
[2].F. Yihunie, E. Abdelfattah and A. Regmi,
"Applying Machine Learning to Anomaly-Based
Intrusion Detection Systems," 2019 IEEE Long
Island Systems, Applications and Technology
Conference (LISAT), Farmingdale, NY, USA,
2019, pp. 1-5, doi:
10.1109/LISAT.2019.8817340.

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE

Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on June 15,2023 at 04:53:44 UTC from IEEE Xplore. Restrictions apply.
 [3].Christiana Ioannou and Vasos Vassiliou.
2018. An Intrusion Detection System for
Constrained WSN and IoT Nodes Based on
Binary Logistic Regression. Proceedings of the
21st ACM International Conference on
Modeling, Analysis and Simulation of Wireless
and Mobile Systems (MSWIM '18). Association
for Computing Machinery, New York, NY,
USA, 259–263.
https://doi.org/10.1145/3242102.3242145
[4]. Vipin, Das & Vijaya, Pathak & Sattvik,
Sharma & Sreevathsan, & MVVNS.Srikanth, &
T, Gireesh. (2010). Network Intrusion Detection
System Based On Machine Learning
Algorithms. International Journal of Computer
Science & Information Technology. 2.
10.5121/ijcsit.2010.2613.
[5] Yakub Kayode Saheed, Aremu Idris
Abiodun, Sanjay Misra, Monica Kristiansen
Holone, Ricardo Colomo-Palacios,A machine
learning-based intrusion detection for detecting
internet of things network attacks,Alexandria
Engineering Journal, Volume 61, Issue 12, 2022,
Pages 9395-9409, ISSN 1110-0168,
https://doi.org/10.1016/j.aej.2022.02.063.
(https://www.sciencedirect.com/science/article/p
ii/S1110016822001570)
[6]Adnan, A.; Muhammed, A.;Abd Ghani, A.A.;
Abdullah, A.;Hakim, F. An Intrusion Detection
System for the Internet of Things Based on
Machine Learning: Review and Challenges.
Symmetry 2021, 13, 1011.
https://doi.org/10.3390/sym13061011
[7]Ansam Khraisat *, Iqbal Gondal, Peter
Vamplew, Joarder Kamruzzaman and Ammar
Alazab Internet Commerce Security Laboratory,
Federation University Australia, Mount Helen
3350, Australia; iqbal.gondal@federation.edu.au
(I.G.); p.vamplew@federation.edu.au (P.V.);
joarder.kamruzzaman@federation.edu.au (J.K.);
aalazab@mit.edu.au (A.A.) * Correspondence:
a.khraisat@federation.edu.au,A Novel Ensemble
of Hybrid Intrusion Detection System for
Detecting Internet of Things Attacks ,2020
[8]. Valerio Morfifino and Salvatore Rampone *
Department of Law, Economics, Management
and Quantitative Methods (DEMM), University
of Sannio, I-82100 Benevento, Italy;
valerio.morfifino@ctcgroup.it * Correspondence:
rampone@unisannio.it,Towards Near-Real-Time
Intrusion Detection for IoT Devices using
Supervised Learning and Apache Spark ,2020
[9]. Veeramreddy, Jyothsna & Prasad, V. &
Prasad, Koneti. (2011). A Review of Anomaly
based Intrusion Detection Systems. International
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on June 15,2023 at 04:53:44 UTC from IEEE Xplore. Restrictions apply.
Journal of Computer Applications. 28. 26-35.
10.5120/3399-4730.
[10].M. A. Siddiqi and W. Pak, "An Agile
Approach to Identify Single and Hybrid
Normalization for Enhancing Machine Learning-
Based Network Intrusion Detection," in IEEE
Access, vol. 9, pp. 137494-137513, 2021, doi:
10.1109/ACCESS.2021.3118361.
[11]. P. L. S. Jayalaxmi, R. Saha, G. Kumar,
M. Conti and T. -H. Kim, "Machine and Deep
Learning Solutions for Intrusion Detection and
Prevention in IoTs: A Survey," in IEEE Access,
vol. 10, pp. 121173-121192, 2022, doi:
10.1109/ACCESS.2022.3220622.
[12]. M. Zolanvari, M. A. Teixeira, L. Gupta,
K. M. Khan and R. Jain, "Machine Learning-
Based Network Vulnerability Analysis of
Industrial Internet of Things," in IEEE Internet
of Things Journal, vol. 6, no. 4, pp. 6822-6834,
Aug. 2019, doi: 10.1109/JIOT.2019.2912022.
[13]. G. Abdelmoumin, D. B. Rawat and A.
Rahman, "On the Performance of Machine
Learning Models for Anomaly-Based Intelligent
Intrusion Detection Systems for the Internet of
Things," in IEEE Internet of Things Journal, vol.
9, no. 6, pp. 4280-4290, 15 March15, 2022, doi:
10.1109/JIOT.2021.3103829.
[14] Di Wu, Hanlin Zhu, Yongxin Zhu,
Victor Chang, Cong He, Ching-Hsien Hsu, Hui
Wang, Songlin Feng, Li Tian, and Zunkai
Huang. 2020. Anomaly Detection Based on
RBM-LSTM Neural Network for CPS in
Advanced Driver Assistance System. ACM
Trans. Cyber-Phys. Syst. 4, 3, Article 27 (July
2020), 17 pages.
https://doi.org/10.1145/3377408.
[15] Kasongo, S.M., Sun, Y. Performance
Analysis of Intrusion Detection Systems Using a
Feature Selection Method on the UNSW-NB15
Dataset. J Big Data 7, 105 (2020).
https://doi.org/10.1186/s40537-020-00379-6