Cybersecurity in SMEs: The Smart-Home/Office
Use Case
1st Nikolaos Vakakis 2nd Odysseas Nikolis 3rd Dimosthenis Ioannidis 4th Konstantinos Votis 5th Dimitrios Tzovaras
CERTH-ITI CERTH-ITI CERTH-ITI
Thessaloniki, Greece Thessaloniki, Greece Thessaloniki, Greece
nikovaka@iti.gr odynik@iti.gr djoannid@iti.gr
Abstract—Today, small and medium-sized enterprises (SME)
can be considered as the new big target for cyber attacks,
while the cybercrime prevention is often neglected within their
environment. This paper aims to investigate the characteristics
of cybersecurity threats in the Digital Innovation Hub (DIH)
ecosystem of a Smart-Home/Office environment being constituted
by SMEs that contains various smart-devices and IoT equipment,
smart-grid components, employees'workstations and medium
sized networking equipment. As the Cyber-security in such an
ecosystem is greatly demanding and challenging because of the
various communication layers and the different supported IoT
devices, we introduce a more robust, resilient and effective
cybersecurity solution that can be effortlessly tailored to each
individual enterprise's evolving needs and can also speedily
adapt/respond to the changing cyber threat landscape. Thus, this
Cyber-security framework will be evaluated through three major
types of Smart-Home/Office datasets and will be supported from
SME/ICT clusters under the framework of the Secure and Private
Smart Grid (SPEAR) H2020 project. The first promising results
of our work indicate the potential of implementing strong defence
mechanisms for SMEs’ environments within DIHs.
Index Terms—cybersecurity, anomaly detection, SME, dataset,
Smart-Home/Office environment, SPEAR, IoT, smart-devices,
security, LSTM, Neural Networks
I. I NTRODUCTION
Cybersecurity in SMEs is an ever growing concern due
to the increasing adoption of digital technologies like Cloud
Computing and Internet of Things (IoT) but also the consti-
tution of a wide range of devices (e.g. PCs, servers, mobile
devices, etc.) and business practices (e.g. Bring Your Own
Device, remote access, use of cloud-based apps and services,
etc.). In this context, the increased connectivity that comes
with IoT technologies also entails bigger attack surface for
adversaries, by leveraging security gaps of interconnected IoT
devices within a Smart-Home/Office environment. On the one
hand, providing secure protocols can protect organization data
from being eavesdropped, as well as from unauthorized access
to their systems or even denial of service attacks and save
them from security breaches that could cost much in terms of
capital or customer dissatisfaction. On the other hand, security
imposes slower communications, thus it is important to find the
right balance between security and communication efficiency.
Therefore, it can be understood that it is crucial to have
security mechanisms that can detect attacks not only in the
network layer but also on the application layer and compensate
for any protocol vulnerabilities.
978-1-7281-1016-5/19/$31.00 ©2019 IEEE
CERTH-ITI CERTH-ITI
Thessaloniki, Greece Thessaloniki, Greece
kvotis@iti.gr tzovaras@iti.gr
Recent studies show not only a high percentage of small
or medium sized businesses suffering from cyber attacks [12],
but also that SMEs appear to have a significant perception
gap when it comes to cyber awareness and preparedness [7].
Similarly, according to one FireEye claim [13], 77% of all
cyber-crimes target SMEs. Simple endpoint protection through
antivirus has become by far inadequate due to the complexity
and variety of cyber threats as well as the integration of a
wealth of digital technologies in business processes even of
the smallest enterprises.
The fact that SMEs represent the vast majority of total
businesses and that hackers consider them as an easier tar-
get than large enterprises reinforce the need for new robust
security mechanisms that achieve early and accurate detection
of attack patterns. The SPEAR H2020 project [33] aims
to develop tools that enhance the security by design and
introduce cyber security prevention mechanisms in the area
of smart grids, including also smart homes (like the smart
home of CERTH in Thessaloniki which operates both as a
living and working environment). This dual nature renders
the smart home an appropriate testbed for applying advanced
anomaly detection methodologies and tools with data deriving
from a real environment that can be a powerful weapon for
SMEs'security administrators support.
The discussion on this paper will proceed as follows: Sec-
tion II presents relevant publications, section III describes the
derived from the Smart-Home/Office environment, different
kinds of real datasets that have been collected efficiently, while
in section IV we analyse how anomaly detection techniques
could be applied on these data sets. Thus, we present some
advanced methods based on deep learning techniques, while in
section V the first results obtained from the previously defined
models are presented. Finally, in section VI we conclude with
the future discussion and work.
II. R ELATED W ORK
The work, described in this paper, focuses on cyber-security
in the Smart-Home/Office use case. The latest advancements
in this domain are related with two main research topics, the
collection of valuable datasets from a commercial/industrial
IoT network and the exploitation of the datasets with state-
of-the-art machine learning methods for intrusion/anomaly
detection.
 For cyber-security, most of the publicly available datasets
[37] are cyber-attack specific or the network architecture of the
collected datasets is not clear, especially for IoT networks. The
lack of available datasets brought the collection and creation
of the Smart-Home/Office dataset as a natural solution. These
data come from three different layers, the network capture
from common IP-network infrastructure (pcap files), commer-
cial & industrial network protocols and the operational data
(electricity & sensor measurements).
Similar datasets and anomaly detection algorithms are used
in cyber-security for Industrial Control Systems(ICS). Papers
[3], [30], [29] describe the different network layers and a
collection of operational data that constitute the basis for
training ICS intrusion detection systems to provide security
and safety for industrial equipment [31], [4].
The profile of these type of datasets and the machine learn-
ing techniques [9] used for the Smart-Home/Office match the
cyber-security requirements of modern SMEs.The increasing
need to provide cyber-security in SMEs [28], [18], [17] gives
more value to the collected Smart-Home/Office dataset and its
application.
For example, a novel secure-by-design system for SMEs
is described in [27]. The results of the current work is a
proof-of-concept for state-of-the-art anomaly detection meth-
ods on network traffic datasets that could be implemented in
programmable logic and enhance the FORTIKA accelerator
gateways installed in the SMEs.
III. DATASETS
After the study of the Smart-Home/Office's services, proto-
cols and network connectivity which are summarized in a 4-
layer IoT communication stack [Fig. 1] as defined by [32], we
conclude in the collection of three different types of datasets
by utilizing Smart-Home/Office’s analysis framework.
• Raw and Network flows traffic: Collection of all the
raw and network flows traffic data (port mirroring).
• Application layer network protocols: Collection of
attributes and features from application layer network
protocols derived from raw network traffic.
• Smart-devices & Sensors Measurements: Collection
of multiple time-series measurements from smart-devices
and sensors (e.g. smart-meters, smart-inverters, etc.).
The dataset is restricted with a Non-Disclosure Agreement
(NDA) for distribution and exploitation to third-parties for
innovation and research actions.
A. Raw and network flows traffic dataset
The production of this dataset contains all the network traffic
going in/out from the Smart-Home/Office network. Through
the port mirroring functionality on the main switch the raw
network traffic is captured in the form of .pcap files. The raw
traffic packets (.pcap files) are processed with parsers 1 for
the extraction of the network flows. The network flows are
extracted in .csv files with up to 84 network flow features (e.g.
1 Cicflowmeter, Argus, t-shark
Fig. 1: Smart Home/Office 4-layer IoT Communication Stack
Source/Dest IP/Port, Flow duration, Total Forward Packets,
Packets/sec, etc.) [22], [8], [1]. The produced dataset provides
a label feature that can be used for manual annotation of a
network traffic flow.
These data cover the network perception of the anomaly
detection systems up to the transport layer in any IP-network
similar to those in SMEs and industries. The raw packet
capture provides the flexibility for customization of feature
extraction, and combined with the already provided features,
different quality analysis methods can be applied to evaluate
and extract the most representative information of the network
traffic flows for the application of state-of-the-art machine
learning techniques that can accurately predict the infection
status of an individual network traffic flow.
B. Application layer network protocols dataset
In cyber-attack/anomaly detection, only the use of the
“Raw and network flows traffic dataset” restricts the net-
work analysis up to the transport layer. As a result, cyber-
attacks/anomalies targeting the upper network layers (up to
L7) may remain undetected. The “Application layer network
protocols dataset” works as a complementary dataset to cover
the upper network layers.
The Smart-Home/Office use case includes smart devices that
utilize more than 12 IoT protocols. The current version of the
dataset focuses on three application layer network protocols
commonly used in industries and SMEs:
• BACnet for the Smart-Home/Office’s HVAC system.
• MQTT as a message broker for sensor measurements.
• Modbus for the smart meters, smart-inverters, etc.
The features of this dataset are a wide variety of network
protocol attributes. The extraction of the protocol attributes
is conducted with a network protocol analyzer 2 analyzing
the raw network traffic captured from the Smart-Home/Office
network.
2 Network analysis (t-shark -T fields)
 The network protocol analyzer dissects the protocols’ pack-
ets and extracts the features needed to train machine learning
models that learn the common network traffic patterns of a
specific environment (Smart-Home/Office, SMEs, other indus-
tries) in terms of type or sequences of packets and exchanged
messages. An indicative sample of the protocol attributes used
in Smart-Home/Office use case are shown in Table I, II and
III.
TABLE I: MQTT protocol attributes and description
Attribute Description
mqtt.msgtype Specifies the type of an MQTT message
Specifies the length of an MQTT publish
mqtt.len
message.
TABLE II: BACnet protocol attributes and description
Attribute Description
Indicates the type of application service
bacapp.confirmed service
selected in a service request message
Defines the Application Protocol Data Unit
bacapp.type (APDU) message type and the fields that
appear
TABLE III: Modbus protocol attributes and description
Attribute Description
mbtcp.len Identifies the remaining length of the packet
mbtcp.modbus.func code Code that identifies the function to execute
mbtcp.modbus.data The actual transmitted data
The Smart-Home/Office “Application layer network pro-
tocols dataset” contains all the available protocol attributes.
Table I, II, III present only the attributes derived from
the quality analysis for the feature selection process for the
anomaly detection methods described in Section IV.
C. Smart-Devices & Sensor Measurements dataset
The last dataset consists of time-series measurements
collected from smart devices and sensors all around the
Smart-Home/Office. More specifically, the dataset consists
of electricity measurements related to smart devices such
as smart-meters, smart-inverters, smart-battery controllers and
PV-installation monitors. Each smart-device returns a set of
more than 20 time-series measurements such as Total Ac-
tive/Reactive/Apparent power, Voltage phase and Amperage
phase.
The idea of collecting and analyzing this dataset for anoma-
lies detection lies in the foundation of the IoT network ar-
chitecture. Anomaly detection over time-series measurements
may impose a physical attack, a service/communication chan-
nel corruption, malfunctioning devices or fraudulent activity
against the Smart-Home/Office equipment.
The three different datasets complement each other in order
to provide different perceptions and features for anomaly
detection in different layers of a Smart-Home/Office environ-
ment.
IV. A NOMALY D ETECTION M ETHODS
This section presents the initial exploitation of the datasets
described in Section III with two anomaly detection machine
learning methods based on Long-Short Term Memory (LSTM)
neural networks, a variation of Recurrent Neural Networks
(RNNs) based on LSTM memory cells [Fig. 2] [14], [15],
[16] [36]. The first anomaly detection method uses the dataset
in sub-section III-B and focuses on the attributes of the MQTT
protocol. This method can be adjusted easily to the other
application layer network protocols (BACnet, Modbus). The
second anomaly detection method operates on the dataset
described in sub-section III-C and focuses on the time-series
measurement of the Total Apparent Power of the Smart-
Home/Office. This anomaly detection method can be applied
to any other time-series measurement if the values do not lead
to a truly ascending/descending waveform.
The selection of these methods is derived from the sequen-
tial nature of the data. Both methods utilize LSTM layers, for
the reason that this type of RNNs exhibit remarkable results in
learning sequences of data containing long/mid-term patterns
by efficiently modeling complex multivariate sequences. The
unsupervised learning approach of the former method and
the semi-supervised learning approach of the second was yet
another reason for our choice of them since we are dealing
with unlabeled datasets.
A. Stacked LSTM neural network
This section describes an unsupervised learning anomaly
detection method that implements a stacked LSTM neural
network topology, that has the ability to learn the normal
patterns of the application layer network protocol packet traffic
and detect any unusual change in the packet traffic flow.
Stacked LSTM neural networks are capable of accurately
detecting deviations from normal behaviour without requiring
prior knowledge of abnormalities [24] [5] [35]. More specif-
ically, the machine learning model is continuously trained
with normal streaming data consisting of two MQTT protocol
attributes, the message type and length.
The goal of this method is to learn the patterns of MQTT
message sequences that appear in the Smart-Home/Office net-
work considering their type and length. The anomaly detection
is based on the detection of local peaks in the training loss. If
at some point in time the network receives as training input an
unusual sequence of message types or message lengths which
could indicate an infiltration in the network or a Denial of
Service (DoS) attack, then the training loss is expected to
exhibit a local peak.
After experimenting with different model architectures, the
model which achieved the best results is a neural network with
6 LSTM layers with 10 LSTM units (Fig 2) [2] each and a time
distributed output layer (Fig 3). Furthermore, Adam [20] was
chosen as the optimization method for the learning rate of the
model. As a first step the length and the message type values
are normalized in the range [0,1] and then the neural network
receives 10 training samples in its input layer and each layer
passes 1 hidden state output for each input time step to the

Fig. 2: LSTM cell [23]
next layer. Finally, the time distributed layer applies a dense
layer for each input and thus outputs one time step from the
sequence for each input time step.
Fig. 3: Stacked LSTM neural network model architecture.
B. Seq2seq LSTM Encoder-Decoder
The second model is a self-supervised sequence-to-sequence
(seq2seq) LSTM network with an encoder-decoder architec-
ture [25] [26] [11] [6] [34]. The seq2seq LSTM model maps
a fixed length input sequence with a fixed length output
sequence where the length of both sequences is the same. The
encoder part of the seq2seq LSTM neural network is trained
with the input time-series and produces the internal LSTM
cells states that are used as an input for the initialization
of the decoder part. Additionally, the decoder part has one
more input, which is the same time-series as the encoder and
predicts a time-series similar to the training data and the input
data.
Experimenting with the dataset in Section III-C, the best
results were achieved with the seq2seq LSTM model architec-
ture presented in Figure 4. In details, the seq2seq LSTM model
consists of an encoder and decoder, both with 2 LSTM layers
and a dense output layer. Each input and output sequence is
the time-series with 96 samples per day. The proposed model
is trained on manually annotated “normal” days and tested
on mixed “normal” and “abnormal” days. Data are fed to
the seq2seq LSTM model in a 3D format, e.g. (100, 96, 1),
which corresponds to 100 days, where each day consists of
96 samples and each sample represents a single Total Reactive
Power measurement.
The anomaly detection is based on a user-specified threshold
and the Mean Squared Error (MSE) between the input and the
reconstructed output of the decoder [21] [10] [19]. Every day
with a threshold value bigger than the specified MSE threshold
limit is marked as an anomaly.
Fig. 4: Seq2Seq LSTM encoder-decoder model architecture.
V. I NITIAL R ESULTS - A NOMALY D ETECTION
This section presents the initial anomaly detection results of
the ML methods described in section IV. The obtained results
are promising and pave the way for further improvement and
research on ML models applied on the datasets of section III.
A. Application layer network protocols - Anomaly detection
results
The stacked LSTM neural network was tested for its efficacy
by using real normal and synthetic abnormal MQTT protocol
network traffic data. The real abnormal data come from the
dataset in sub-section III-B. The synthetic abnormal data were
produced from the normal data in two different ways:
1) randomly shuffling a portion of the MQTT message
sequence.
2) modifying the length of a portion of publish messages
which contain the payload of MQTT packets.
Specifically, the initial dataset consists of approximately
34000 messages and is split to chunks of 500 messages that
were fed consequently to the neural network in the 3D format
(50, 10 ,2). This means 50 batches of 10 timesteps each, where
each timestep corresponds to a message with two features,
message type and length. In such a dataset, two artificial
anomalies were produced:
1) the first is a shuffled chunk of 500 messages to test
whether the neural network would react to a different
sequence of messages
2) the second is generated by replacing the publish mes-
sages with a specific length (223) with another random
length (130) which indicates different payload, to test
whether the neural network would react to an unusual
length of payload that could be caused by a compro-
mised IoT device.
Figures 5 and 6 visualize the training loss as an anomaly
detection metric. As can be observed in both figures, in
the beginning the neural network fits to the input message
sequences that it considers as normal and the training loss
converges to low values close to zero. In figure 5, the first
anomaly is visible on the first spike of the training loss
where the shuffled sequence of messages is fed to the neural
network. This spike indicates that “abnormal” sequence of
messages was detected. After the detection of the spike, the
weights of the neural network are reset back to the “normal”
input sequence of messages and the training loss falls again
close to zero. Furthermore, the sensitivity of the anomaly
detection model was tested by forming a second synthetic
batch of abnormal data, but this time only 10% (50 from
500) of messages were shuffled. This anomaly is detected
in the training loss as the second spike at the end of the
training loss waveform. This is a proof-of-concept that the
model can efficiently detect even small changes in the network.
In the same way, in figure 6 the anomalous sequence of
messages with the corrupted payload causes a sharp spike in
the waveform.
Fig. 5: Loss diagram indicating abnormal traffic due to unusual
message type sequence
B. Smart-devices & Sensors Measurements - Anomaly detec-
tion results
The pre-processing of the dataset described in section III-C
has four stages,
1) Time-axis harmonization: Some time-series measure-
ments have a different number of samples per day
because of different sampling frequencies or missing
samples. As a result, the time-axis for each day was
Fig. 6: Loss diagram indicating abnormal traffic due to unusual
message length sequence
re-sampled with the frequency of 15 minutes (96 sam-
ples/day) and the existing measurement values were
aligned respectively to the closest time-stamp based on
their time-index3 .
2) Interpolation: Time-axis re-sampling may introduce
NaN values in time-series samples. A linear interpola-
tion is used to fill the gaps.
3) Min-max normalization: Normalization of the mea-
surements values between [0,1].
4) Manual annotation: There is no calendar with manual
annotation of the normal and abnormal events in the
measurements. Visual inspection, measurement interpre-
tation and manual annotation were used to create the
ground truth of the “normal” behavior.
The training set for the Seq2Seq LSTM model is a manually
annotated dataset of more than 100 “normal” days. The test set
consists of the rest of the days which are a mix of “normal”
and “abnormal” days. The seq2seq LSTM model is able to
detect the time-series days that do not follow the pattern of a
“normal” day as an anomaly.
Figure 7a presents with red the real data of a normal day
and with blue the prediction outcome of the trained model. The
prediction seems to follow the trend of a normal day. On the
other hand, figure 7b presents a day marked as anomalous. The
anomaly is detected at the right side of figure 7b where the last
samples do not follow the normal day pattern. This difference
increases the MSE and results to a MSE score bigger than the
threshold value. The threshold value is a hyper-parameter that
is tuned based on the current ML application4 .
From a user’s perspective, the interpretation of the anomaly
detection results indicates an excessive consumption of “To-
tal Apparent Power” in the Smart-Home/Office during the
night. This event detection could be exploited to increase
energy efficiency and reduce the electricity costs in a Smart-
Home/Office environment or trigger further investigation in
case of a malfunction due to a cyber-attack.
VI. C ONCLUSIONS AND FUTURE WORK
Securing SMEs’ ecosystems, in the era of IoT evolution,
is a very challenging and extremely important task for the
3 Pandas.DataFrame.Resample
4 In this experiment, the threshold value is 0.1

(a) A “normal” day from the time-series of the “Total Apparent
Power” consumed in the Smart-Home/Office.
(b) An “abnormal” day from the time-series
of the “Total Apparent Power” consumed in
the Smart-Home/Office. The anomaly here in-
dicates a high-consumption of “Total Apparent
Power” during the night visualized as a tail at
the last samples of the day
Fig. 7: Seq2Seq LSTM Encoder-Decoder - Anomaly Detec-
tion: Red - Original measurement values of the time-series.
Blue - The predicted time-series measurement values from the
seq2seq LSTM model.
cyber-security researchers. Nowadays, legacy signature-based
anomaly detection techniques are no longer sufficient as rapid
technology improvements lead to new attack schemes. In the
context of the SPEAR project, the Smart-Home/Office use case
scenario offers the opportunity for testing and implementing
novel anomaly detection methodologies that apply in smart-
environments similar to the SMEs.
The initial experimental results present the potential value
of the original datasets extracted from the Smart-Home/Office,
which constitute a solid basis upon which effective and robust
anomaly detection models can be build. Those datasets offer
a wealth of useful information and features in different layers
that can be leveraged not only from the models presented
in this paper but also from other type of predictive models.
One more step in the future work is the further improvement
and experimentation with the two LSTM-based models with
their hyper-parameters and the features in different layers
(raw packet traffic, application layer network protocols, multi-
variate measurements). Additionally, we aim to generate real
attack scenarios against the Smart Home/Office equipment and
test our methodologies with actual cyber-attack data. These are
the next steps towards implementing a state-of-the art security
mechanism that operates on several different levels of a Smart-
Home/Office environment and can efficiently detect different
cyber-attack patterns.
VII. ACKNOWLEDGEMENT
The aforementioned work effort in this paper is conducted
under the framework of the SPEAR project, a Horizon 2020
program, funded by the European Union under the grant
agreement No. 787011.
R EFERENCES
[1] URL : http : / / www. netflowmeter. ca / netflowmeter. html
(visited on 06/27/2019).
[2] Justin Bayer et al. “Evolving memory cell structures
for sequence learning”. In: International Conference on
Artificial Neural Networks. Springer. 2009, pp. 755–
764.
[3] Justin Beaver, Raymond Borges, and Mark Buckner.
“An Evaluation of Machine Learning Methods to Detect
Malicious SCADA Communications”. In: vol. 2. Dec.
2013, pp. 54–59. DOI: 10.1109/ICMLA.2013.105.
[4] R. C. Borges Hink et al. “Machine learning for power
system disturbance and cyber-attack discrimination”. In:
2014 7th International Symposium on Resilient Control
Systems (ISRCS). Aug. 2014, pp. 1–8.
[5] Sucheta Chauhan and Lovekesh Vig. “Anomaly de-
tection in ECG time signals via deep long short-
term memory networks”. In: 2015 IEEE International
Conference on Data Science and Advanced Analytics
(DSAA). IEEE. 2015, pp. 1–7.
[6] Kyunghyun Cho et al. “Learning phrase representations
using RNN encoder-decoder for statistical machine
translation”. In: arXiv preprint arXiv:1406.1078 (2014).
[7] Chubb. 2018. URL: https : / / www . chubb . com / sg -
en / articles / too - small - to - fail . aspx ? utm source =
mediaroom & utm medium = referral & utm campaign =
sme-cyber-report (visited on 06/27/2019).
[8] Gerard Draper-Gil. et al. “Characterization of En-
crypted and VPN Traffic using Time-related Fea-
tures”. In: Proceedings of the 2nd International Con-
ference on Information Systems Security and Privacy
- Volume 1: ICISSP, INSTICC. SciTePress, 2016,
pp. 407–414. ISBN: 978-989-758-167-0. DOI: 10.5220/
0005740704070414.
[9] Benedikt Eiteneuer and Oliver Niggemann. “LSTM
for Model-based Anomaly Detection in Cyber-Physical
Systems”. In: DX@Safeprocess. 2018.
[10] Cheng Fan et al. “Analytical investigation of
autoencoder-based methods for unsupervised anomaly
detection in building energy data”. In: Applied Energy
211 (2018), pp. 1123–1135. ISSN: 0306-2619. DOI:
https://doi.org/10.1016/j.apenergy.2017.12.005. URL:
http : / / www . sciencedirect . com / science / article / pii /
S0306261917317166.
[11] Tharindu Fernando et al. “Soft+ hardwired attention:
An lstm framework for human trajectory prediction and
abnormal event detection”. In: Neural networks 108
(2018), pp. 466–478.
[12] Kelly Finnerty et al. “Cyber Security Breaches Survey
2018: Statistical Release”. In: (2018).
[13] FireEye. 5 reasons cyber attackers target SMEs. 2016.
URL: https : / / www. fireeye . com / content / dam / fireeye -
www/global/en/offers/pdfs/SME-Infographic web.pdf
(visited on 06/27/2019).
[14] Felix Gers and Jurgen Schmidhuber. “Recurrent nets
that time and count”. In: vol. 3. Feb. 2000, 189–194
vol.3. ISBN: 0-7695-0619-4. DOI: 10.1109/IJCNN.2000.
861302.
[15] Klaus Greff et al. LSTM: A Search Space Odyssey.
arXiv. org. 2015.
[16] Rafal Jozefowicz, Wojciech Zaremba, and
Ilya Sutskever. “An empirical exploration of recurrent
network architectures”. In: Journal of Machine
Learning Research (2015).
[17] Salah Kabanda, Maureen Tanner, and Cameron Kent.
“Exploring SME cybersecurity practices in developing
countries”. In: Journal of Organizational Computing
and Electronic Commerce 28.3 (2018), pp. 269–282.
DOI : 10.1080/10919392.2018.1484598.
[18] Cameron Kent, Maureen Tanner, and Salah Kabanda.
“How South African SMEs address cyber security:
The case of web server logs and intrusion detection”.
In: 2016 IEEE International Conference on Emerging
Technologies and Innovative Business Practices for
the Transformation of Societies (EmergiTech) (2016),
pp. 100–105.
[19] T. Kieu, B. Yang, and C. S. Jensen. “Outlier Detection
for Multidimensional Time Series Using Deep Neural
Networks”. In: 2018 19th IEEE International Confer-
ence on Mobile Data Management (MDM). June 2018,
pp. 125–134. DOI: 10.1109/MDM.2018.00029.
[20] Diederik P. Kingma and Jimmy Ba. Adam: A Method
for Stochastic Optimization. 2014. arXiv: 1412 . 6980
[cs.LG].
[21] Diederik P Kingma and Max Welling. “Auto-encoding
variational bayes”. In: arXiv preprint arXiv:1312.6114
(2013).
[22] Arash Habibi Lashkari. et al. “Characterization of Tor
Traffic using Time based Features”. In: Proceedings
of the 3rd International Conference on Information
Systems Security and Privacy - Volume 1: ICISSP,
INSTICC. SciTePress, 2017, pp. 253–262. ISBN: 978-
989-758-209-7. DOI: 10.5220/0006105602530262.
[23] LSTM cell figure. URL: http://wp.firrm.de/index.php/
2018/04/13/building-a-lstm-network-completely-from-
scratch-no-libraries/ (visited on 06/20/2019).
[24] Pankaj Malhotra et al. “Long short term memory net-
works for anomaly detection in time series”. In: Pro-
ceedings. Presses universitaires de Louvain. 2015, p. 89.
[25] Pankaj Malhotra et al. “LSTM-based encoder-decoder
for multi-sensor anomaly detection”. In: arXiv preprint
arXiv:1607.00148 (2016).
[26] Pankaj Malhotra et al. “Multi-sensor prognostics using
an unsupervised health index based on lstm encoder-
decoder”. In: arXiv preprint arXiv:1608.06154 (2016).
[27] Evangelos Markakis et al. “Acceleration at the edge for
supporting SMEs Security: The FORTIKA paradigm”.
English. In: IEEE Communications Magazine 57.2 (Feb.
2019), pp. 41–47. ISSN: 0163-6804. DOI: 10 . 1109 /
MCOM.2019.1800506.
[28] Alaa Mohasseb et al. “Predicting CyberSecurity In-
cidents Using Machine Learning Algorithms: A Case
Study of Korean SMEs”. In: Feb. 2019. DOI: 10.5220/
0007309302300237.
[29] Thomas H. Morris, Zach Thornton, and Ian P.
Turnipseed. “Industrial Control System Simulation and
Data Logging for Intrusion Detection System Re-
search”. In: 2015.
[30] S. Pan, T. Morris, and U. Adhikari. “Classification
of Disturbances and Cyber-Attacks in Power Systems
Using Heterogeneous Time-Synchronized Data”. In:
IEEE Transactions on Industrial Informatics 11.3 (June
2015), pp. 650–662. ISSN: 1551-3203. DOI: 10.1109/
TII.2015.2420951.
[31] S. Pan, T. Morris, and U. Adhikari. “Developing a
Hybrid Intrusion Detection System Using Data Mining
for Power Systems”. In: IEEE Transactions on Smart
Grid 6.6 (Nov. 2015), pp. 3104–3113. ISSN: 1949-3053.
[32] B. Russell and D. Van Duren. Practical Internet
of Things Security. Packt Publishing, 2016. ISBN:
9781785880292. URL: https://books.google.gr/books?
id=Tv5vDQAAQBAJ.
[33] SPEAR project H2020 official website. URL: https : / /
www.spear2020.eu/ (visited on 06/27/2019).
[34] Ilya Sutskever, Oriol Vinyals, and Quoc V Le. “Se-
quence to sequence learning with neural networks”.
In: Advances in neural information processing systems.
2014, pp. 3104–3112.
[35] Adrian Taylor, Sylvain Leblanc, and Nathalie Japkow-
icz. “Anomaly detection in automobile control network
data with long short-term memory networks”. In: 2016
IEEE International Conference on Data Science and
Advanced Analytics (DSAA). IEEE. 2016, pp. 130–139.
[36] Understanding LSTM networks. URL: http : / / colah .
github . io / posts / 2015 - 08 - Understanding - LSTMs/
(visited on 06/27/2019).
[37] Ozlem Yavanoglu and Murat Aydos. “A Review on
Cyber Security Datasets for Machine Learning Algo-
rithms”. In: Dec. 2017. DOI: 10.1109/BigData.2017.
8258167.