Enhancing IoT Security: A Few-Shot Learning Approach for Intrusion Detection
Abstract
1. Introduction
1.1. IDS Using ML and DL
1.2. Few-Shot Learning
2. Literature Review
3. Proposed Method
3.1. Dataset Selection
3.1.1. MQTT-IOT-IDS2020 Dataset
3.1.2. CIC_IDS2017 Dataset
3.2. Dataset Preprocessing
3.3. Proposed FSL Model Architecture
3.3.1. Feature Extraction (1D CNN)
- The ability to extract vital exceptional patterns from raw data and excellent performance in predicting anomalies in packets in the traffic flow.
- The complexity and dimensionality of the input data are minimized, which can contribute to improving the efficiency and accuracy of an IDS.
- Overcoming the two major challenges in an IDS, which are noise and an imbalanced dataset [35].
- Adapting to various kinds of network attacks, such as DoS, DDoS, and PortScan attacks, by employing a variety of structures and parameters [36].
3.3.2. Classifier Model (Prototypical Networks)
- 1. Centroid Calculation:
- ck: The centroid or prototype of class k. This point represents the “average” of all samples in class k.
- DSk: The set of support samples for class k. These samples are used to calculate the centroid.
- |DSk|: The number of support samples for class k.
- xs: A support sample.
- f (xs): The feature embedding of support sample, xs, represented as a vector in the feature space.
- : The sum of feature embeddings of all support samples in class k.
- : Used to calculate the average of feature embeddings.
- 2. Loss Calculation:
- : The loss for query sample belonging to class k.
- f (xq): The feature embedding of query sample xq.
- ck: The centroid or prototype of class k.
- : The squared Euclidean distance between the feature embedding of the query sample and the centroid of class k.
- : The exponential of the negative squared distance, scaled by . Measures similarity between the query sample and class k’s centroid.
- : Sum of similarities between the query sample and centroids of all classes.
- : SoftMax of negative squared distances, yielding a probability distribution over classes.
- 3. Intra-class Loss Calculation:
- 4. Out-of-distribution Loss Calculation:
Algorithm 1: Training Episode Loss Computation for Prototypical Networks

Require: .
Require: Number of classes in the meta-training set.
Require: Number of query samples per class.
Require: Number of classes in the meta-training set.
Ensure: The loss L for a randomly generated training episode.

1. VID ← RandomSample({1, …, Mtrain}, K) ▷ Randomly select K classes for the episode.
2. for k in {1, 2, …, K} do
3. Dk ← RandomSample(DVk, Nshot + Nquery) ▷ Sample support and query samples.
4. DSk, DQk ← Split(Dk, Nshot) ▷ Split samples into support and query sets.
5. Calculate ck by using Equation (1)
6. end for
7. VOOD ← RandomSample({1, …, Mtrain} \ VID, 1) ▷ Select a class not in VID for out-of-distribution samples.
8. DOOD ← RandomSample(DVOOD, NOOD) ▷ Sample out-of-distribution samples.
9. L ← 0
10. for in {1, 2, …, K} do
11. do
12. Calculate L1 and Lin by using Equations (2) and (3);
13.
14. end for
15. end for
16. for in do
17. ;
18.
19. end for
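The centroid and query-loss definitions in Section 3.3.2 and steps 2 to 6 of Algorithm 1, as an added Python example (not the authors' code). Assumptions: the embeddings are constructed 2-D points rather than 1D-CNN outputs, the distance scaling factor is taken as 1, the loss is averaged over the queries, and the intra-class and out-of-distribution terms are left out because their formulas are not reproduced on this page; all function names are hypothetical.

```python
import math
import random

def centroid(support):
    """c_k: element-wise mean of the support embeddings f(x_s) of class k."""
    return [sum(col) / len(support) for col in zip(*support)]

def sq_dist(a, b):
    """Squared Euclidean distance between two embeddings."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def log_probs(query, centroids):
    """Log-softmax over negative squared distances from f(x_q) to every c_k.
    Assumption: the scaling factor mentioned in the text is taken as 1."""
    neg = {k: -sq_dist(query, c) for k, c in centroids.items()}
    m = max(neg.values())  # log-sum-exp shift keeps far-away queries finite
    log_z = m + math.log(sum(math.exp(v - m) for v in neg.values()))
    return {k: v - log_z for k, v in neg.items()}

def query_loss(query, true_class, centroids):
    """Negative log-probability of the query's true class."""
    return -log_probs(query, centroids)[true_class]

def predict(query, centroids):
    """Class with the highest probability, i.e. the nearest centroid."""
    lp = log_probs(query, centroids)
    return max(lp, key=lp.get)

def episode_loss(data, n_shot, n_query, rng):
    """Steps 2-6 of Algorithm 1 plus the query loss.
    Assumption: the episode loss is the mean over all query samples."""
    centroids, queries = {}, []
    for k, samples in data.items():
        drawn = rng.sample(samples, n_shot + n_query)  # D_k
        centroids[k] = centroid(drawn[:n_shot])        # support set -> c_k
        queries += [(x, k) for x in drawn[n_shot:]]    # query set
    return sum(query_loss(x, k, centroids) for x, k in queries) / len(queries)

def make_constructed_data(rng, per_class=20):
    """Constructed 2-D 'embeddings' for three of the dataset's class labels."""
    centers = {"normal": (0.0, 0.0), "scan_A": (5.0, 5.0),
               "mqtt_bruteforce": (-5.0, 5.0)}
    return {k: [[rng.gauss(cx, 0.3), rng.gauss(cy, 0.3)]
                for _ in range(per_class)]
            for k, (cx, cy) in centers.items()}

if __name__ == "__main__":
    rng = random.Random(7)
    data = make_constructed_data(rng)
    print("5-shot episode loss:", episode_loss(data, 5, 10, rng))
    cents = {k: centroid(v[:5]) for k, v in data.items()}
    print("query (4.8, 5.1) ->", predict([4.8, 5.1], cents))
```

Because classification depends only on distances to the centroids, a new class can be enrolled by computing one more centroid from its few support samples, without retraining the embedding network.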
4. Experiment and Results
4.1. Implementation
4.2. Results
4.2.1. MQTT-IOT-IDS2020 Dataset Results
4.2.2. CICIDS2017 Dataset Results
5. Discussion
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
1. Al-Hadhrami, Y.; Hussain, F.K. Real time dataset generation framework for intrusion detection systems in IoT. Futur. Gener. Comput. Syst. 2020, 108, 414–423.
2. Min, E.; Long, J.; Liu, Q.; Cui, J.; Cai, Z.; Ma, J. SU-IDS: A semi-supervised and unsupervised framework for network intrusion detection. In Cloud Computing and Security; Sun, X., Pan, Z., Bertino, E., Eds.; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 322–334.
3. Althnian, A.; AlSaeed, D.; Al-Baity, H.; Samha, A.; Dris, A.B.; Alzakari, N.; Abou Elwafa, A.; Kurdi, H. Impact of dataset size on classification performance: An empirical evaluation in the medical domain. Appl. Sci. 2021, 11, 796.
4. Iliyasu, A.S.; Abdurrahman, U.A.; Zheng, L. Few-shot network intrusion detection using discriminative representation learning with supervised autoencoder. Appl. Sci. 2022, 12, 2351.
5. Chawla, S. Deep Learning-Based Intrusion Detection System for Internet of Things; University of Washington: Seattle, WA, USA, 2017; p. 72.
6. Samaila, M.G.; Neto, M.; Fernandes, D.A.B.; Freire, M.M.; Inácio, P.R.M. Security challenges of the Internet of things. In Beyond the Internet of Things: Everything Interconnected; Batalla, J.M., Mastorakis, G., Mavromoustakis, C.X., Pallis, E., Eds.; Springer International Publishing: Berlin/Heidelberg, Germany, 2017; pp. 53–82.
7. Fink, M. Object classification from a single example utilizing class relevance metrics. In Advances in Neural Information Processing Systems; MIT Press: Cambridge, MA, USA, 2004; Volume 17.
8. Wang, Y.; Yao, Q.; Kwok, J.; Ni, L.M. Generalizing from a few examples: A survey on few-shot learning. ACM Comput. Surv. 2020, 53, 1–34.
9. Bontonou, M.; Béthune, L.; Gripon, V. Predicting the accuracy of a few-shot classifier. arXiv 2020, arXiv:2007.04238.
10. Miao, G.; Wu, G.; Zhang, Z.; Tong, Y.; Lu, B. SPN: A Method of Few-Shot Traffic Classification with Out-of-Distribution Detection Based on Siamese Prototypical Network. IEEE Access 2023, 11, 114403–114414.
11. Snell, J.; Swersky, K.; Zemel, R.S. Prototypical Networks for Few-shot Learning. arXiv 2017, arXiv:1703.05175.
12. Wu, K.; Chen, Z.; Li, W. A novel intrusion detection model for a massive network using convolutional neural networks. IEEE Access 2018, 6, 50850–50859.
13. Yin, C.; Zhu, Y.; Fei, J.; He, X. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access 2017, 5, 21954–21961.
14. Yang, J.; Yu, X.; Xie, Z.-Q.; Zhang, J.-P. A novel virtual sample generation method based on gaussian distribution. Knowl. Based Syst. 2011, 24, 740–748.
15. Andonie, R. Extreme data mining: Inference from small datasets. Int. J. Comput. Commun. Control 2010, 5, 280.
16. Fei-Fei, L.; Fergus, R.; Perona, P. One-shot learning of object categories. IEEE Trans. Pattern Anal. Mach. Intell. 2006, 28, 594–611.
17. Chowdhury, M.M.U.; Hammond, F.; Konowicz, G.; Xin, C.; Wu, H.; Li, J. A few-shot deep learning approach for improved intrusion detection. In Proceedings of the 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, USA, 19–21 October 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 456–462.
18. Wu, Y.; Lee, W.W.; Gong, X.; Wang, H. A hybrid intrusion detection model combining sae with kernel approximation in internet of things. Sensors 2020, 20, 5710.
19. Yu, Y.; Bian, N. An intrusion detection method using few-shot learning. IEEE Access 2020, 8, 49730–49740.
20. Hindy, H.; Tachtatzis, C.; Atkinson, R.; Bayne, E.; Bellekens, X. Developing a siamese network for intrusion detection systems. In Proceedings of the 1st Workshop on Machine Learning and Systems, ACM, New York, NY, USA, 26 April 2021; pp. 120–126.
21. Xu, C.; Shen, J.; Du, X. A method of few-shot network intrusion detection based on metalearning framework. IEEE Trans. Inf. Forensics Secur. 2020, 15, 3540–3552.
22. Wang, Z.-M.; Tian, J.-Y.; Qin, J.; Fang, H.; Chen, L.-M. A few-shot learning-based siamese capsule network for intrusion detection with imbalanced training data. Comput. Intell. Neurosci. 2021, 2021, 7126913.
23. Liang, W.; Hu, Y.; Zhou, X.; Pan, Y.; Wang, K.I.-K. Variational few-shot learning for microservice-oriented intrusion detection in distributed industrial IoT. IEEE Trans. Ind. Inform. 2021, 18, 5087–5095.
24. Zhou, X.; Liang, W.; Shimizu, S.; Ma, J.; Jin, Q. Siamese neural network based few-shot learning for anomaly detection in industrial cyber-physical systems. IEEE Trans. Ind. Inform. 2021, 17, 5790–5798.
25. Alaiz-Moreton, H.; Aveleira-Mata, J.; Ondicol-Garcia, J.; Muñoz-Castañeda, A.L.; García, I.; Benavides, C. Multiclass Classification Procedure for Detecting Attacks on MQTT-IoT Protocol. Complexity 2019, 2019, 6516253.
26. Khan, M.A.; Khan, M.A.; Jan, S.U.; Ahmad, J.; Jamal, S.S.; Shah, A.A.; Pitropakis, N.; Buchanan, W.J. A Deep Learning-Based Intrusion Detection System for MQTT Enabled IoT. Sensors 2021, 21, 7016.
27. Prajisha, C.; Vasudevan, A.R. An efficient intrusion detection system for MQTT-IoT using enhanced chaotic salp swarm algorithm and LightGBM. Int. J. Inf. Secur. 2022, 21, 1263–1282.
28. Hindy, H.; Bayne, E.; Bures, M.; Atkinson, R.; Tachtatzis, C.; Bellekens, X. Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study (MQTT-IoT-IDS2020 Dataset). arXiv 2020, arXiv:2006.15340.
29. Zeghida, H.; Boulaiche, M.; Chikh, R. Securing MQTT protocol for IoT environment using IDS based on ensemble learning. Int. J. Inf. Secur. 2023, 22, 1075–1086.
30. Chesney, S.; Roy, K. AI Empowered Intrusion Detection for MQTT Networks. In Proceedings of the 2022 International Conference on Artificial Intelligence, Big Data, Computing and Data Communication Systems (icABCD), Durban, South Africa, 4–5 August 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 1–6.
31. Mosaiyebzadeh, F.; Araujo Rodriguez, L.G.; Macedo Batista, D.; Hirata, R. A Network Intrusion Detection System using Deep Learning against MQTT Attacks in IoT. In Proceedings of the 2021 IEEE Latin-American Conference on Communications (LATINCOM), Santo Domingo, Dominican Republic, 17–19 November 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–6.
32. Hindy, H.; Tachtatzis, C.; Atkinson, R.; Bayne, E.; Bellekens, X. Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study (MQTT-IoT-IDS2020 Dataset). In Selected Papers from the 12th International Networking Conference, INC 2020; Ghita, B., Shiaeles, S., Eds.; Lecture Notes in Networks and Systems; Springer: Cham, Switzerland, 2021; Volume 180.
33. Sharafaldin, I.; Habibi Lashkari, A.; Ghorbani, A.A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. In Proceedings of the International Conference on Information Systems Security and Privacy, Funchal, Portugal, 22–24 January 2018.
34. Shitharth, S.; Kshirsagar, P.R.; Balachandran, P.K.; Alyoubi, K.H.; Khadidos, A.O. An Innovative Perceptual Pigeon Galvanized Optimization (PPGO) Based Likelihood Naïve Bayes (LNB) Classification Approach for Network Intrusion Detection System. IEEE Access 2022, 10, 46424–46441.
35. Liu, G.; Zhang, J. CNID: Research of Network Intrusion Detection Based on Convolutional Neural Network. Discret. Dyn. Nat. Soc. 2020, 2020, 4705982.
36. Qazi, E.U.H.; Almorjan, A.; Zia, T. A One-Dimensional Convolutional Neural Network (1D-CNN) Based Deep Learning System for Network Intrusion Detection. Appl. Sci. 2022, 12, 7986.
37. Hindy, H.; Tachtatzis, C.; Atkinson, R.; Brosset, D.; Bures, M.; Andonovic, I.; Michie, C.; Bellekens, X. Leveraging Siamese networks for one-shot intrusion detection model. J. Intell. Inf. Syst. 2023, 60, 407–436.
38. Yang, J.; Li, H.; Shao, S.; Zou, F.; Wu, Y. FS-IDS: A framework for intrusion detection based on few-shot learning. Comput. Secur. 2022, 122, 102899.
39. Guo, J.; Cui, M.; Hou, C.; Gou, G.; Li, Z.; Xiong, G.; Liu, C. Global-Aware Prototypical Network for Few-Shot Encrypted Traffic Classification. In Proceedings of the 2022 IFIP Networking Conference (IFIP Networking), Catania, Italy, 13–16 June 2022; pp. 1–9.
40. Tian, J.-Y.; Wang, Z.-M.; Fang, H.; Chen, L.-M.; Qin, J.; Chen, J.; Wang, Z.-H. Few-Shot Learning-Based Network Intrusion Detection through an Enhanced Parallelized Triplet Network. Secur. Commun. Netw. 2022, 2022, 3317048.
41. Ma, Z.; Chen, Z.; Zheng, X.; Wang, T.; You, Y.; Zou, S.; Wang, Y. A Biological Immunity Based Neuro Prototype for Few-Shot Anomaly Detection with Character Embedding. Cyborg Bionic Syst. 2023, 5, 0086.

Reference | Dataset | Performance | Limitation |
---|---|---|---|
[17] | KDD99 NSL-KDD | Accuracy = 97.5% | The training is conducted in two totally separated processes which may affect the efficiency and the scalability. |
[19] | NSL-KDD KDDTrainC + UNSW-NB15 | Accuracy = 92.34% using less than 2% dataset | False alarm rate is high. FSL requires a balanced dataset. |
[20] | CICIDS2017 KDD Cup’99 NSL-KDD | Accuracy = 84% for CICIDS2017, 88% for KDD Cup’99, and 91%+ for NSL-KDD | The model does not support less than three classes. Pair selection in SN requires enhanced technique as it is carried out randomly with equality constraints for both similarity and dissimilarity. |
[21] | ISCX2012FS CICIDS2017FS (real traffic + source data) | Accuracy = 98.88%, 99.62% | The approach does not consider the worldwide spatial distance between classes, which is detrimental to the further development of recognition accuracy. |
[22] | CICIDS-2017 UNSW_NB15 | Accuracy = 95.25%, 96.26% 91.28%, 93.69% | Depends on two parallel Siamese capsule network mechanisms, making it challenging to apply to actual intrusion detection systems. Real-time detection is essential; detecting time info is missing in the paper. Requires huge computing resources. |
[23] | NSL-KDD CIC-IDS2017 | DR = 99% | Requires more experiment evaluation in complex IoT environments. Should have used a dataset designed especially for IoT. |
[24] | UNSW-NB15 | F1 = 93.06% | Applied only in a simple scenario. The model is required to be implemented in more complex scenarios for more evaluations and accuracy improvement. |
[4] | CIC-IDS2017 NSL-KDD | Accuracy = 81% | Performance requires improvement. Dataset used in the comparison evaluation experiment is different than that used in the main model experiment. |

Sample Type | Number of Samples |
---|---|
normal | 188,378 |
scan_sU | 22,434 |
scan_A | 19,907 |
mqtt_bruteforce | 14,544 |
sparta | 14,116 |

Classes | Shots Per Class | Query Set | Classes Attack Description |
---|---|---|---|
normal | 5 shots and 10 shots | 10 | Being normal |
scan_sU | 5 shots and 10 shots | 10 | The attack aims to compromise port services using UDP |
scan_A | 5 shots and 10 shots | 10 | Attack the explorer port for malicious purposes |
mqtt_bruteforce | 5 shots and 10 shots | 10 | Attack target systems in the MQTT network to perform brute force |
sparta | 5 shots and 10 shots | 10 | The attack technique aims to analyze space and associated cyber threats. |

Method | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|
Original features | 86.09 | 86.84 | 86.09 | 86.18 |
Random model weights | 85.93 | 86.62 | 85.93 | 86 |
1D_CNN + prototypical | 99.28 | 99.28 | 99.26 | 99.27 |

Method | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|
Original features | 86.87 | 87.69 | 86.87 | 86.95 |
Random model weights | 86.38 | 87.09 | 86.37 | 86.46 |
1D_CNN + prototypical | 99.44 | 99.44 | 99.4 | 99.42 |

Method | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|
Original features 5-shot | 86.09 | 86.84 | 86.09 | 86.18 |
Original features 10-shot | 86.87 | 87.69 | 86.87 | 86.95 |
Random model weights 5-shot | 85.93 | 86.62 | 85.93 | 86 |
Random model weights 10-shot | 86.38 | 87.09 | 86.37 | 86.46 |
1D_CNN + prototypical 5-shot | 99.28 | 99.28 | 99.26 | 99.27 |
1D_CNN + prototypical 10-shot | 99.44 | 99.44 | 99.4 | 99.42 |

Method | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|
IDS17—original features 5-shot | 42.94 | 43.68 | 42.94 | 38.67 |
IDS17—random model weights 5-shot | 44.27 | 45.4 | 44.27 | 40.2 |
IDS17—1D_CNN + prototypical 5-shot | 93.13 | 93.46 | 93.13 | 92.4 |

Method | Accuracy | Precision | Recall | F1-Score |
---|---|---|---|---|
MQTT—original features 5-shot | 86.09 | 86.84 | 86.09 | 86.18 |
IDS17—original features 5-shot | 42.94 | 43.68 | 42.94 | 38.67 |
MQTT—random model weights 5-shot | 85.93 | 86.62 | 85.93 | 86 |
IDS17—random model weights 5-shot | 44.27 | 45.4 | 44.27 | 40.2 |
MQTT_1D_CNN + prototypical 5-shot | 99.28 | 99.28 | 99.26 | 99.27 |
IDS17-1D_CNN + prototypical 5-shot | 93.13 | 93.46 | 93.13 | 92.4 |

Reference | Year | Dataset | Method | Result |
---|---|---|---|---|
[25] | 2019 | Their own generated dataset using MQTT protocol | IDS based on XGBoost, RNN, LSTM, and GRU | LSTM 93.37% GRUs 96.08% |
[26] | 2021 | MQTT-IoT-IDS2020 | DNN (IDS based on ANN) | 97.13% |
[27] | 2022 | MC-IoT dataset, MQTT-IoT-IDS2020 dataset, MQTTset dataset | Chaotic salp swarm optimization algorithm (ECSSA) and LightGBM classifier | 98.91% accuracy for MQTT-IoT-IDS2020 |
[28] | 2020 | MQTT-IoT-IDS2020 | 6 different ML techniques | Accuracy avg—+90% |
[29] | 2023 | MQTT dataset | Ensemble learning (EL) including bagging, boosting, and stacking | Accuracy 95.38% |
[30] | 2022 | MQTT-IoT-IDS2020 dataset | Various ML and DL, RF, LR, DT, K-N, SVM, DNN, CNN | Binary avg —+90% |
[31] | 2021 | MQTT-IoT-IDS2020 dataset | (DNN), (LSTM), and mix of (CNN-RNN-LSTM) | Accuracy = 97.09% |
[PROPOSED MODEL] | 2024 | MQTT-IoT-IDS2020 dataset | CNN (1D_5CNN) + FSL (prototypical network) | Accuracy 10-shot = 99.44% 5-shot = 99.28% |

Reference | Year | Number of Shots | Method | Result |
---|---|---|---|---|
[37] | 2023 | 1-shot | Siamese network | Overall accuracy = 80–85% |
[21] | 2022 | 5-shot | FC-NET (DL + Siamese N) | Accuracy = 89.09% |
[38] | 2022 | 10-shot | FS-IDS flow data encoding + feature fusion mechanism | Accuracy: 93.60 |
[22] | 2021 | 5-shot | Siamese capsule network | Accuracy = 93.87 |
[39] | 2022 | fewer than 20 | Global-aware prototypical network (GP-Net) | Accuracy: 94.58 |
[40] | 2022 | 10-shot | FSL—parallelized triplet network | Recall: 94.57 |
[41] | 2023 | 5-shot | CharNet (neuro-immune + character embedding) | Accuracy: 95.94 |
[PROPOSED MODEL] | 2024 | 5-shot | 1D CNN + prototypical network | Accuracy = 93.13% |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Althiyabi, T.; Ahmad, I.; Alassafi, M.O. Enhancing IoT Security: A Few-Shot Learning Approach for Intrusion Detection. Mathematics 2024, 12, 1055. https://doi.org/10.3390/math12071055