An Efficient IDS Using FIS To Detect DDoS in IoT Networks - Slide - Nics
NICS 2022
31 Oct - 1 Nov 2022
Outline
• Introduction
• Our main works
• Conclusion and our future work
• Discussions
Introduction
Motivation
• Today's growing range of IoT applications has brought numerous benefits to our lives. At the same time, cyber-attacks are growing and becoming increasingly sophisticated and violent.
• Many additional challenges continue to emerge as demand increases for IDS deployment at the network edge, where resource-constrained devices reside.
Our approach
• Developing a Fuzzy Inference System (FIS), with the help of the PSO algorithm, to detect DDoS attacks on the IoT-23 dataset
Our contribution
• Propose a novel IDS based on a fuzzy inference system (FIS model) that detects DDoS attacks on the little IoT-23 dataset with high accuracy, so that it can be deployed in edge computing
Our main Work
Related work
• Various studies focus on schemes in which FIS is used to build anomaly detection systems [18-24].
• Some reliable and effective fuzzy-based IDS proposals for IoT networks against DDoS attacks have been published [1] [2] [19] [20] [25].
• Solutions that detect DDoS at the edge of the network bring great benefits to network operators; classification and dimensionality reduction of the dataset are a core condition [27][28][29].
• Researchers have focused their attention on frameworks for IDS in IoT networks evaluated with the IoT-23 dataset [30-34].
Background
• Fuzzy Inference System
  • Fuzzy Logic Theory is a soft computing approach that solves real-world problems with solutions that are close to natural human decisions.
  • A Fuzzy Inference System (FIS) is a system that uses fuzzy set theory to map input variables to an output space.
• Particle Swarm Optimization (PSO)
  • PSO is a meta-heuristic, population-based optimization algorithm in the category of evolutionary algorithms.
  • The particles move iteratively around the search space to find the global best location (the best solution).
  • In each iteration, a particle updates its velocity and location according to two formulas:
(1)
(2)
Data processing
• Network features are extracted from the conn.log.labeled file in the little IoT-23 dataset and exported to a file in CSV format.
• Local network features are removed from the dataset; index features of the dataset are coded and presented as binary data; NaN values are replaced with 0.
• The feature columns are then normalized to a specified range [-1, 1] to eliminate large values and speed up computation.
• The appropriate features are selected through the recursive feature elimination technique.
• The principal component analysis (PCA) technique is applied to the data.
• We select the dataset's secure (Benign) and DDoS patterns. This dataset is divided into 3 sets: Training_set, Validating_set, and Testing_set.
• The Training_set serves as a standard space for the following stages' calculations.
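The first preprocessing steps and the Benign/DDoS selection described above, as an added example that is not the authors' code. The sample lines are constructed in Zeek's tab-separated layout with a reduced column set and a single label column; treating id.orig_h as the local feature and proto as the index feature is an assumption, and recursive feature elimination and PCA are left out.

```python
import math

# Constructed sample, Zeek TSV layout ("#fields" header, "-" = unset); simplified columns.
SAMPLE = "\n".join([
    "#fields\tid.orig_h\tproto\tduration\torig_bytes\tlabel",
    "192.168.1.5\ttcp\t2.0\t100\tBenign",
    "192.168.1.5\tudp\t-\t-\tDDoS",
    "192.168.1.7\ttcp\t4.0\t300\tDDoS",
    "192.168.1.7\ttcp\t1.0\t50\tPortScan",
])
LOCAL = {"id.orig_h"}      # assumed "local network" column, dropped
CATEGORICAL = {"proto"}    # assumed index-type column, binary-encoded

def parse(text):
    """Turn Zeek TSV text into a list of {field: value} dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def to_number(value):
    """Unset ("-"), unparsable and NaN values all become 0."""
    try:
        x = float(value)
    except ValueError:
        return 0.0
    return 0.0 if math.isnan(x) else x

def scale(column):
    """Min-max scale to [-1, 1]; a constant column maps to 0."""
    lo, hi = min(column), max(column)
    return [0.0 if hi == lo else 2 * (v - lo) / (hi - lo) - 1 for v in column]

def preprocess(text, classes=("Benign", "DDoS")):
    rows = [r for r in parse(text) if r["label"] in classes]
    names, columns = [], []
    for f in [k for k in rows[0] if k not in LOCAL and k != "label"]:
        if f in CATEGORICAL:                  # one 0/1 column per category
            for cat in sorted({r[f] for r in rows}):
                names.append(f + "=" + cat)
                columns.append([1.0 if r[f] == cat else 0.0 for r in rows])
        else:
            names.append(f)
            columns.append(scale([to_number(r[f]) for r in rows]))
    X = [list(row) for row in zip(*columns)]
    return names, X, [1 if r["label"] == "DDoS" else 0 for r in rows]
```

preprocess(SAMPLE) returns the feature names, the feature rows and the 0/1 labels; the binary columns are kept as 0/1 rather than rescaled.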
L  L  FA
L  H  HA
H  L  FA
H  H  MA
(3)
(4)
(5)
(6)
[Plot; vertical axis: Degree of membership]
Fig. 5. The input membership function
Parameter                        Value
population                       50
constriction factor              c1 = 2, c2 = 2
inertia factor                   1
inertia factor reduction rate    0.99
Number of rounds                 50
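A sketch of how PSO with the settings in the table above can tune a fuzzy classifier, added here as an example and not taken from the paper. Formulas (1) and (2) are not legible in this copy, so the code uses the textbook inertia-weight velocity update; the one-input, two-rule FIS with Gaussian membership functions, the mean-squared-error fitness, the search ranges and the training data are all assumptions constructed for illustration.

```python
import math
import random

# PSO settings from the slide's parameter table.
POP, C1, C2, W0, W_DECAY, ROUNDS = 50, 2.0, 2.0, 1.0, 0.99, 50
BOUNDS = [(-1.0, 1.0), (-1.0, 1.0), (0.05, 1.0)]  # assumed: c_low, c_high, sigma

# Constructed training set: one feature scaled to [-1, 1]; label 1 = DDoS.
_rng = random.Random(7)
DATA = ([(_rng.uniform(-0.9, -0.3), 0) for _ in range(40)]
        + [(_rng.uniform(0.3, 0.9), 1) for _ in range(40)])

def gauss(x, c, s):
    return math.exp(-0.5 * ((x - c) / s) ** 2)

def fis(x, p):
    """Rules: IF x is Low THEN 0 (benign); IF x is High THEN 1 (DDoS)."""
    low, high = gauss(x, p[0], p[2]), gauss(x, p[1], p[2])
    return high / (low + high + 1e-12)   # weighted-average defuzzification

def mse(p):
    return sum((fis(x, p) - y) ** 2 for x, y in DATA) / len(DATA)

def accuracy(p):
    return sum((fis(x, p) >= 0.5) == (y == 1) for x, y in DATA) / len(DATA)

def pso(fitness, seed=0):
    """Textbook inertia-weight PSO; returns (best position, best-fitness history)."""
    r = random.Random(seed)
    pos = [[r.uniform(a, b) for a, b in BOUNDS] for _ in range(POP)]
    vel = [[0.0] * len(BOUNDS) for _ in range(POP)]
    pbest, pbest_f = [p[:] for p in pos], [fitness(p) for p in pos]
    gbest_f, gbest = min(zip(pbest_f, pbest))
    gbest, w, history = gbest[:], W0, [gbest_f]
    for _ in range(ROUNDS):
        for i in range(POP):
            for d, (a, b) in enumerate(BOUNDS):
                vel[i][d] = (w * vel[i][d]
                             + C1 * r.random() * (pbest[i][d] - pos[i][d])
                             + C2 * r.random() * (gbest[d] - pos[i][d]))
                pos[i][d] = min(b, max(a, pos[i][d] + vel[i][d]))  # stay in range
            f = fitness(pos[i])
            if f < pbest_f[i]:
                pbest[i], pbest_f[i] = pos[i][:], f
            if f < gbest_f:
                gbest, gbest_f = pos[i][:], f
        w *= W_DECAY                     # inertia factor shrinks each round
        history.append(gbest_f)
    return gbest, history
```

pso(mse) returns the tuned (c_low, c_high, sigma) and the best fitness after each round; accuracy(best) then scores the tuned rule base on the constructed data.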
[Two plots; vertical axis: Degree of membership]
Conclusion
• This paper presents an IDS model for detecting DDoS attacks that can be deployed on edge devices.
• Using PSO-optimized FIS, our proposed model produced amazing results compared to previously proposed methods. The detection accuracy for DDoS attacks is up to 99.9%, with IoT-23 database sample sizes fully deployable on edge devices.
Future Work
• Deploying the proposed model on practical IoT devices.
Discussion
References
• [1] Faisal Hussain, Syed Ghazanfar Abbas, et al., "IoT DoS and DDoS Attack Detection using ResNet," 2020 IEEE 23rd International Multitopic Conference (INMIC), pp. 1-6, 2020.
• [2] Mohammed Hasan Ali, et al., "Threat Analysis and Distributed Denial of Service (DDoS) Attack Recognition in the Internet of Things (IoT)," Electronics, 2022.
• [3] L. Xiaoming, V. Sejdini, and H. Chowdhury, "Denial of service (dos) attack with udp flood," School of Computer Science, University of Windsor, Canada, 2010.
• [4] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, "DDoS in the IoT: Mirai and Other Botnets," Computer, vol. 50, no. 7, pp. 80-84, 2017.
• [5] Tarak Nandy, Mohd Yamani Idna Idris, Rafidah Md. Noor and Sananda Bhattacharyya, "Review on Security of Internet of Things Authentication Mechanism," IEEE Access, vol. 7, pp. 151054-151089, Oct. 2019.
• [6] Yinhao Xiao, Yizhen Jia, et al., "Edge Computing Security: State-of-The-Art and Challenges," Proceedings of the IEEE, vol. 107, no. 8, pp. 1608-1631, 2019.
• [7] R. Shanmugavadivu and N. Nagarajan, "Network intrusion detection system using fuzzy logic," Indian Journal of Computer Science and Engineering (IJCSE), vol. 2, no. 1, pp. 101-111, 2011.
• [8] M. Almseidin, M. Al-kasassbeh, and S. Kovacs, "Fuzzy rule interpolation and snmp-mib for emerging network abnormality," International Journal on Advanced Science, Engineering and Information Technology, vol. 9, no. 3, pp. 735-744, 2019.
• [9] M. Al-Kasassbeh, M. Almseidin, K. Alrfou, and S. Kovacs, "Detection of iot-botnet attacks using fuzzy rule interpolation," Journal of Intelligent & Fuzzy Systems, vol. 39, pp. 421-431, 2020.
• [10] M. Almseidin and S. Kovacs, "Intrusion detection mechanism using fuzzy rule interpolation," Journal of Theoretical and Applied Information Technology, vol. 96, no. 16, pp. 5473-5488, 2018.
• [11] B. A. Khalaf, S. A. Mostafa, A. Mustapha, M. A. Mohammed, and W. M. Abduallah, "Comprehensive review of artificial intelligence and statistical approaches in distributed denial of service attack and defense methods," IEEE Access, vol. 7, pp. 51691-51713, 2019.
• [12] S. Ghazanfar, F. Hussain, A. U. Rehman, U. U. Fayyaz, F. Shahzad, and G. A. Shah, "Iot-flock: An open-source framework for iot traffic generation," in 2020 International Conference on Emerging Trends in Smart Technologies (ICETST). IEEE, 2020, pp. 1-6.
• [13] I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, "Developing realistic distributed denial of service (ddos) attack dataset and taxonomy," in 2019 International Carnahan Conference on Security Technology (ICCST). IEEE, 2019, pp. 1-8.
• [14] M. Almseidin, J. Al-Sawwa, and M. Alkasassbeh, "Anomaly-based Intrusion Detection System Using Fuzzy Logic," in 2021 International Conference on Information Technology (ICIT), 2021, pp. 290-295.
• [15] J. Rabatel, S. Bringay, and P. Poncelet, "Fuzzy anomaly detection in monitoring sensor data," in Fuzzy Systems (FUZZ), 2010 IEEE International Conference on Fuzzy Systems, 2010, pp. 1-8.
• [16] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, "A survey of network-based intrusion detection data sets," Computers & Security, vol. 86, pp. 147-167, 2019.
• [17] G. F. Scaranti, L. F. Carvalho, S. Barbon, and M. L. Proença, "Artificial Immune Systems and Fuzzy Logic to Detect Flooding Attacks in Software-defined networks," IEEE Access, vol. 8, pp. 100172-100184, 2020.
• [18] M. E. Aminanto, H. Kim, K.-M. Kim, and K. Kim, "Another Fuzzy Anomaly Detection System Based on Ant Clustering Algorithm," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E100.A, pp. 176-183, 2017.
• [19] H. A. P. and K. K., "Secure-MQTT: an efficient fuzzy logic-based approach to detect DoS attack in MQTT protocol for internet of things," EURASIP Journal on Wireless Communications and Networking, vol. 2019, pp. 1-15, April 05 2019.
• [20] M. P. Novaes, L. F. Carvalho, J. Lloret, and M. L. Proença, "Long Short-Term Memory and Fuzzy Logic for Anomaly Detection and Mitigation in Software-Defined Network Environment," IEEE Access, vol. 8, pp. 83765-83781, 2020.
• [21] M. V. De Assis, A. H. Hamamoto, T. Abrão, and M. L. Proença, "A game theoretical based system using holt-winters and genetic algorithm with fuzzy logic for DoS/DDoS mitigation on SDN networks," IEEE Access, vol. 5, pp. 9485-9496, 2017.
• [22] M. Usman, V. Muthukkumarasamy, and X.-W. Wu, "Mobile agent-based cross-layer anomaly detection in smart home sensor networks using fuzzy logic," IEEE Transactions on Consumer Electronics, vol. 61, pp. 197-205, 2015.
• [23] H. S. Mondal, M. T. Hasan, M. B. Hossain, M. E. Rahaman, and R. Hasan, "Enhancing secure cloud computing environment by Detecting DDoS attack using fuzzy logic," in 2017 3rd International Conference on Electrical Information and Communication Technology (EICT), 2017, pp. 1-4.
• [24] Hajar Moudoud; Lyes Khoukhi; Soumaya Cherkaoui, "Prediction and Detection of FDIA and DDoS Attacks in 5G Enabled IoT," IEEE Network, vol. 35, no. 2, March/April 2021.
• [25] Trong-Minh Hoang, "A Study on Anomaly Data Traffic Detection Method for Wireless Sensor Networks," Intelligent Systems and Networks, pp. 429-436, 2021.
• [26] Sharma, DK, Dhankhar, T, Agrawal, G, Singh, SK, Gupta, D, Nebhen, J and Razzak, Muhammad Imran, "Anomaly detection framework to prevent DDoS attack in fog empowered IoT networks," Ad Hoc Networks, vol. 121, pp. 1-9, doi: 10.1016/j.adhoc.2021.102603.
• [27] L Zhou, H Guo, G Deng, "A fog computing based approach to DDoS mitigation in IIoT systems," Computers & Security, vol. 85, pp. 51-62, 2019.
• [28] S Myneni, A Chowdhary, D Huang, A Alshamrani, "SmartDefense: A distributed deep defense against DDoS attacks with edge computing," Computer Networks, vol. 209, 2022.
• [29] Lefoane, Moemedi; Ghafir, Ibrahim; Kabir, Sohag; Awan, Irfan U., "Machine Learning for Botnet Detection: An Optimized Feature Selection Approach," ICFNDS 2021.
• [30] Wan Nur Fatihah Wan Mohd Zaki, Raihana Syahirah Abdullah Warusia Yassin, Faizal M.A, Muhammad Safwan Rosli, "Constructing IoT Botnets Attack Pattern for Host-based and Network-based Platform," (IJACSA) International Journal of Advanced Computer Science and Applications, vol. 12, no. 8, 2021.
• [31] Nicolas-Alin Stoian, "Machine Learning for Anomaly Detection in IoT networks: Malware analysis on the IoT-23 Data set," University of Twente.
• [32] Imtiaz Ullah; Qusay H. Mahmoud, "A Framework for Anomaly Detection in IoT Networks Using Conditional Generative Adversarial Networks," IEEE Access, vol. 9, pp. 165907-165931, 02 December 2021.
• [33] Imtiaz Ullah; Qusay H. Mahmoud, "Design and Development of a Deep Learning-Based Model for Anomaly Detection in IoT Networks," IEEE Access, vol. 9, pp. 103906-103926, 01 July 2021.
• [34] Zhuotao Lian; Chunhua Su, "Decentralized Federated Learning for Internet of Things Anomaly Detection," ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 1249-1251, May 2022.