Anomaly Detection On Iot Network Using Deep Learning

ANOMALY DETECTION ON IoT NETWORK USING DEEP LEARNING

A SEMINAR PAPER

BY

NAME: BELLO AHMAD


ADM. NO.: 20210310014

SUBMITTED TO THE

DEPARTMENT OF MATHEMATICS, COMPUTER SCIENCE UNIT


USMANU DANFODIYO UNIVERSITY, SOKOTO

IN PARTIAL FULFILLMENT FOR THE AWARD OF THE DEGREE OF

MASTERS OF SCIENCE (COMPUTER SCIENCE)

1.0 INTRODUCTION

1.1 BACKGROUND OF THE STUDY

The Internet of Things (IoT) is the inter-networking of physical devices such as vehicles,
smart grids, oil refineries, buildings and other items embedded with electronics, software,
actuators and network connectivity that enable these objects to collect and exchange data. As
industries embrace IoT devices, the need to defend key IoT infrastructure from a wide range
of external cybersecurity threats has grown, posing some of society's most pressing concerns.
When it comes to IoT devices, security has always been a top priority. Real-world things are
connected to the Internet in an IoT context, which can pose a security risk. The distributed
and heterogeneous nature of the devices and protocols in use, the sensitivity of the data
contained within them, and legal and privacy issues make security for the IoT a growing
research priority and industry concern. Both home and industrial IoT applications are the
primary targets, threatening the security and privacy of families and nations in general.
Some ongoing projects for enhancing IoT security include methods for providing data
confidentiality and authentication, access control within the IoT network, privacy and trust
among users and things, and the enforcement of security and privacy policies. Recent examples
are the cyberattacks on a power grid that caused a blackout for 200,000 people in Ukraine in
December 2015 and, in 2016, the Dyn cyberattack (Haber J. 2016), which harvested connected
devices installed within smart homes and conscripted them into “botnets” via a malware
called Mirai.

Despite the availability of traditional security mechanisms, IoT networks are still subject
to network attacks, so a second line of defence for detecting attackers is needed.
Therefore, an Intrusion Detection System (IDS) is required for detecting malicious
activities in the IoT besides the standard security mechanisms. An IDS is a security
detection system put in place to monitor networks and computer systems. IDSs have gained
significant consideration among the best security mechanisms for safeguarding IoT cyber
infrastructures against various cyber-attacks in the last decades. That is, IDS has become one
of the prominent tools to enhance security in today's IoT network-based systems. The
signature or misuse-based IDS, anomaly-based IDS, and hybrid approach are the well-known
categories of security techniques to detect intrusions and anomalies in IoT devices (Morteza
Behniafar, Alireza Nowroozi, 2020). IDSs are categorized into two types: i) Host-based
Intrusion Detection Systems (HIDSs); and ii) Network-based Intrusion Detection Systems (NIDSs).

NIDSs capture and analyse packet flow in the network. In other words, they scan sniffed
packets. Consequently, traditional NIDSs struggle with zero-day attack detection and with
their false recognition rate, and they cannot effectively detect slight variations in
attacks. Thus, Deep Learning (DL) techniques seem to be a suitable solution, especially
given the good results that they achieve in different domains. Therefore, this proposed
approach can distinguish between normal and aberrant traffic behaviour with high detection
accuracy and a low false-positive rate. As a result, the IoT devices will be secure to the
maximum extent possible.

1.2 STATEMENT OF THE PROBLEM

The safety and security of IoT systems are of paramount importance in ensuring the quality of
their services. IDSs are one of the primary tools used for the protection of traditional
networks and information systems; an IDS monitors the operations of a host or a network and
alerts the system administrator when it detects a security violation. However, the anomaly
detection solution presented in (Maniriho et al., 2020), which uses the Random Forest
algorithm, is ineffective for real-time prediction and relatively slow in computation during
feature selection. This proposed approach intends to use an Artificial Neural Network IDS to
improve run-time performance in the prediction of anomalous behaviour on IoT networks using
the IoTID20 dataset.

1.3 AIM
The aim of this research is to develop an anomaly detection model that copes with the
resource-constrained nature of IoT network infrastructure using deep learning.

1.4 OBJECTIVES
• To process the dataset with an optimal feature selection algorithm and extract relevant
features with less computation; the data will be classified into normal and anomalous
network traffic.
• A deep learning algorithm, namely an Artificial Neural Network, will be applied to detect
anomalies in IoT networks using the most relevant features generated by the feature
selection module.

2.0 LITERATURE REVIEW

Intrusion detection has been implemented by (Teng & Lu, 1990) and (Vaccaro & Liepins, 1989),
who employ rule-based anomaly detection and the Time-based Inductive Machine (TIM)
approach. This approach has the potential to detect masqueraders or misfeasors based on
deviations from the known sequential patterns of a user. The major weakness of current
rule-based intrusion identification expert systems is their inability to foresee an impending
compromise or limit the damage before it occurs. Intrusion detection systems should be
designed with prediction in mind, and such systems are difficult to design and update.

The intrusion detection tools presented by (Lunt et al., 1992) and (Porras et al., 1992) also
supplement their anomaly detection components with rule-based expert system components. This
approach models penetrations as a series of state transitions, which are described in terms
of signature actions and state descriptions. The state transition diagrams form the basis of
a rule-based expert system for detecting penetrations, referred to as STAT. STAT's modular
design allows the flexibility of updating both its penetration rule chains and its responses
to the firing of its rules without requiring modification to its code. One major weakness is
that these tools use audit records to represent a penetration scenario and try to
pattern-match their rules to the audit records; the approach also requires a person who is
experienced in the particular intrusion detection system and who has in-depth knowledge of
the underlying audit collection mechanism.

(Ilgun, 1993) developed the first USTAT prototype. USTAT makes use of the audit trails
that are collected by the C2 Basic Security Module, and it keeps track of only those critical
actions that must occur for the successful completion of the penetration. This approach differs
from other rule-based penetration detection tools that pattern-match sequences of audit
records. It is an implementation of a prototype of STAT for UNIX. USTAT uses the audit
collection mechanism that exists as an add-on package, and it gives the opportunity to
monitor, detect and possibly pre-empt certain activities that would be considered illicit or
that would cause a security risk for the system. The system tends to identify behaviour as
dubious even when the behaviour appears to conform to established patterns of use.

Another work by (Ilgun et al., 1995) presents a new approach to detecting penetrations in
real time. The approach, called State Transition Analysis (STAT), models penetrations as a
series of state changes that lead from an initial secure state to a target compromised state.
The STAT approach targets the same penetrations identifiable by current rule-based tools.
However, it offers several key advantages over existing rule-based tools: the audit record
rule base is easier to read, it provides greater flexibility in identifying variations of
known penetrations, and it provides a modest but intuitive procedure for rule generation. The
main disadvantage is that it lacks the ability to detect truly innovative (i.e., newly
invented) attacks.

A software architecture for structuring a pattern-matching solution to misuse intrusion
detection is designed by (Spafford, 2014). The main advantage of misuse detection is that it
can accurately and efficiently detect instances of known attacks. It uses patterns of
well-known attacks or weak spots of the system to match and identify known intrusions. For
example, the system will trigger an alarm on a "guessing password attack" when there are more
than 4 failed login attempts within 2 minutes. The main disadvantage is that it lacks the
ability to detect truly innovative (i.e., newly invented) attacks.

(Zhang & Lee, 2000) propose a new model for intrusion detection and response in mobile
ad-hoc wireless networks. The paper first examines the vulnerabilities of a wireless ad-hoc
network and highlights the reasons why intrusion detection is needed. The authors show that
an architecture for better intrusion detection in wireless ad-hoc networks should be
distributed and cooperative, and highlight that trace analysis and anomaly detection should
be done locally in each node and possibly through cooperation with all nodes in the network.
Further, intrusion detection should take place in all networking layers in an integrated
cross-layer manner. The problem with this is the monolithic IDS design: all the nodes have to
accommodate IDS clients and take part in the global intrusion detection process, and
intrusion activities with new patterns are likely to be underreported.

(Kachirski & Gutan, 2002) also proposed a distributed modular IDS designed for ad hoc
wireless networks. This architecture aims to minimize the costs of network monitoring and of
maintaining a monolithic IDS, while also providing a degree of protection against the
intruder. The proposed IIDS is built on a mobile agent framework using a clustered
network-monitoring node selection algorithm, and implements an efficient and
bandwidth-conscious framework that targets intrusion at multiple levels and takes into
account the distributed nature of ad hoc wireless network management and decision policies.
This approach is inefficient in terms of network bandwidth consumption and increased
computational power resources, which are highly limited in a wireless network.

The work in (Huang et al., 2003) examines the vulnerabilities of wireless networks and argues
that intrusion detection must be included in the security architecture for the mobile
computing environment. The authors developed such an architecture and evaluated a key
mechanism in it. They use anomaly detection models constructed from information available
from the routing protocols for intrusion detection purposes, applying RIPPER and SVM Light to
compute classifiers as anomaly detectors.
The work cannot be applied directly to sensor networks because i) it is not possible to have
an active full-powered node, and ii) an IDS for sensor networks must send the alerts to the
base station in order to warn the human user.

The work in (Tseng et al., 2003) proposed a specification-based intrusion detection system
that can detect attacks on the AODV routing protocol. The IDS is built on a distributed
network monitor architecture that traces AODV request-reply flows. In this approach, the
correct behaviours of critical objects are manually abstracted and crafted as security
specifications, and compared with the actual behaviour of the objects. It can thus address
unknown attacks, and the algorithm can detect most of the serious AODV routing attacks
effectively and with low overhead. If some nodes do not respond to broadcast messages, this
will cause serious problems.

The IDS proposed by (Paula et al., 2005) is based on the specification, since the WSN may
vary depending on the application goal. The detection is decentralized, since the IDSs are
distributed on the network and installed in common nodes, so that the IDS can notice the
attack fast because the monitor is near to the intruder. The following attacks were
considered in this work: message delay, jamming, data alteration and message negligence.
This work fits the demands and restrictions of WSNs.
In this scheme, every IDS agent functions independently and can detect signs of intrusion
locally, by observing all data received, without collaboration between its neighbours. The
authors tried to apply an anomaly technique based on wired networks to WSNs, so the scheme
incurs excessive computational resource consumption in each node.

(Roman et al., 2006) discuss the general guidelines for applying IDS to static sensor
networks, introduce a novel technique to optimally watch over the communications of the
sensors' neighbourhood, and discuss why IDS architectures for ad hoc networks cannot be
applied in a sensor network scenario. The paper proposed a general IDS architecture for
static sensor networks and introduced a new technique, the spontaneous watchdogs, where some
nodes are able to choose independently to monitor the communications in their neighbourhood.
The main goal of this solution is to activate only one global agent per packet circulating
in the network. The main setback of this approach is that it only works for WSN, not IoT,
and there is no centralized management and control point.

In (Hai et al., 2010), a lightweight intrusion detection framework integrated for clustered
sensor networks was put forward. Furthermore, it used algorithms to minimize the triggered
intrusion modules in clustered WSNs by using an over-hearing mechanism to reduce the sending
of alert packets. The scheme can prevent most routing attacks on sensor networks, and this
detection module involves less energy-consuming techniques. The general problem with
watchdog-based approaches is that they require promiscuous listening, which consumes a lot
of power and therefore is not suitable for constrained devices.

The authors in (Raza et al., 2013) considered 6LoWPAN networks to be an integral part of the
IoT; because of the potential applications of the IoT, it is important that 6LoWPAN networks
are protected against internal and external intrusions. The work presented SVELTE, the first
IDS for the IoT, which consists of a novel architecture and intrusion detection algorithms.
SVELTE is implemented and evaluated, and the evaluation shows that it is indeed feasible to
use it in the context of RPL, 6LoWPAN, and the IoT. To guard against global attacks, the
authors also design and implement a mini-firewall. Furthermore, the detection algorithms in
SVELTE currently target spoofed or altered information, sinkhole and selective forwarding IoT
network attacks. However, SVELTE is not flexible and therefore cannot be extended to detect
more attacks.

A Denial-of-Service (DoS) detection system within an IoT network based on 6LoWPAN was
designed in (Kasinathan, Pastrone, et al., 2013). The aim of this work is to detect DoS
attacks in 6LoWPAN networks before they cause disruption and to trigger the proper
countermeasures. The system monitors the network traffic of 6LoWPAN through a hybrid IDS
detection method and, in case of DoS attacks, the protection manager, on receiving the
alerts, confirms the attack by leveraging the information available from other network
manager components. This attack detection approach can be implemented with any network
manager in general. The limitation of this work is that it cannot monitor large IoT network
architectures.

An IDS framework for 6LoWPAN is proposed which is able to detect DoS attacks in the IoT
network; IoT applications require real-time monitoring of various physical parameters to
detect any kind of DoS activity in the network. It is also capable of executing complicated
attacks in 6LoWPAN such as the RPL-rank attack. The system has prelude-correlate, which
triggers an attack confirmation notification by sending email and message alerts to the
administrators. This work is rule-based IDS which is very power in
detecting novel attacks (Kasinathan, Costamagna, et al., 2013).

Also (Chawla & Thamilarasu,
2016) propose a novel intrusion detection system that uses machine learning algorithms to
detect security anomalies in IoT networks. The proposed model uses a machine-learning-based
anomaly detection technique and an independent integrated intrusion detection (IID) system to
provide on-demand security as a service to the host network. The IID device works at the
transport layer level to secure both the ingress traffic and the exiting traffic based on
its placement, and monitors and analyses the network traffic. It comprises three phases: the
Network Connection Phase, the Anomaly Detection Phase and the Mitigation Phase. The major
setback of this framework is its inability to adapt to a changing threat landscape and
network topology for anomaly detection.

The authors in (Thamilarasu & Chawla, 2019) design an intelligent intrusion detection system
to secure the IoT environment, using a Deep Learning (DL) algorithm to detect malicious
traffic in IoT networks. The framework requires no prior knowledge of captured network
payload binaries, traffic signatures, or compromised node addresses. The proposed Integrated
Intrusion Detection (IID) system works independently of the IoT protocols and network
structure, and requires no prior knowledge of security threats. The performance of this
scheme is evaluated using five different attack scenarios: blackhole attack, opportunistic
service attack, DDoS attack, sinkhole, and wormhole attacks. This work is limited in that the
solution covers only the five attacks listed above, and the dataset used is generated, which
may not be suitable for an IoT network environment.

(Ullah & Mahmoud, 2020b) also proposed a two-level anomalous activity detection system for
IoT networks. In this two-level model, the level-1 model classifies network traffic as normal
or abnormal. If the level-1 model detects the flow as an anomaly, the flow is forwarded to
the level-2 model for further classification to find the category or subcategory of the
detected anomaly. The proposed model adopts a new IoT Botnet dataset and extracts flow-based
features. The authors take advantage of the IoT architecture layers and design the detection
model for smart infrastructure. The dataset used comes from three sources: CPU/memory usage,
low-level system information and network data packets. The work achieves highly accurate
results in detecting multiple IoT attacks such as DDoS-HTTP, DDoS-TCP, DDoS-UDP, DoS-HTTP,
DoS-TCP, DoS-UDP, OS Fingerprint, etc. Some of the weaknesses of this work are that network
attacks embedded in packets, such as XSS and SQL injection attacks, cannot be detected via a
flow-based IDS, and that it has a limited number of publicly available datasets.

The paper (Maniriho et al., 2020) proposed an anomaly-based IDS for detecting various
anomalous traffic in the IoT network. This approach is new, improved and efficient; it is
based on machine learning and is capable of identifying normal and abnormal traffic
behaviour with relatively high detection accuracy and a low false-positive rate. The authors
designed a new hybrid selection engine (HFS-Engine) that combined a filter feature selection
method, using a tree-based ensemble machine learning algorithm (Random Forest), and the
selection of three subsets from the IoTID20 primary dataset. The proposed work has two main
operational phases, i) data pre-processing and ii) the feature selection engine, and it can
detect the DoS, Scan and MITM network traffic categories. Because of the resource constraints
of the IoT network environment (where runtime performance is important) and the
high-computation nature of the algorithm used (which is too slow and ineffective for
real-time predictions), there is a need for improvement and for the selection of an algorithm
that can perform better with less computation.
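
The misuse-detection rule quoted above from (Spafford, 2014), more than 4 failed login attempts within 2 minutes, can be written as a sliding-window check over authentication events. The sketch below is an added example, not code from this paper or from the cited work; the log format, account names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters from the text: more than 4 failed logins within 2 minutes.
MAX_FAILURES = 4
WINDOW = timedelta(minutes=2)

# Constructed sample events in a hypothetical log format (time-ordered).
SAMPLE_LOG = """\
2024-01-01T09:00:00 LOGIN_FAILED user=alice src=198.51.100.7
2024-01-01T09:30:00 LOGIN_FAILED user=alice src=198.51.100.7
2024-01-01T10:00:00 LOGIN_FAILED user=camera-admin src=192.0.2.10
2024-01-01T10:00:10 LOGIN_FAILED user=alice src=198.51.100.7
2024-01-01T10:00:20 LOGIN_FAILED user=camera-admin src=192.0.2.10
2024-01-01T10:00:40 LOGIN_FAILED user=camera-admin src=192.0.2.10
2024-01-01T10:00:45 LOGIN_OK user=alice src=198.51.100.7
2024-01-01T10:01:00 LOGIN_FAILED user=camera-admin src=192.0.2.10
2024-01-01T10:01:20 LOGIN_FAILED user=camera-admin src=192.0.2.10
2024-01-01T10:01:40 LOGIN_FAILED user=camera-admin src=192.0.2.10
2024-01-01T10:30:00 LOGIN_FAILED user=alice src=198.51.100.7
2024-01-01T11:00:00 LOGIN_FAILED user=alice src=198.51.100.7
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_event(line):
    """Return (timestamp, result, user, src), or None for unparseable lines."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    ts, result, user, src = match.groups()
    try:
        return datetime.fromisoformat(ts), result, user, src
    except ValueError:
        return None


def detect_password_guessing(lines):
    """Apply the misuse rule per account; return one alert per burst."""
    failures = defaultdict(deque)  # user -> failure timestamps still inside the window
    in_alert = set()               # accounts currently above the threshold
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or event[1] != "LOGIN_FAILED":
            continue
        ts, _, user, src = event
        window = failures[user]
        window.append(ts)
        # Drop failures that are older than the 2-minute window.
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_FAILURES:
            if user not in in_alert:  # suppress duplicate alerts for the same burst
                in_alert.add(user)
                alerts.append({"time": ts, "user": user, "src": src,
                               "failures": len(window)})
        else:
            in_alert.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The account with five failures spread over two hours never exceeds the threshold, while the burst against the camera account raises a single alert; a pattern the rule was not written for produces nothing, which is the limitation the review attributes to misuse detection.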

3.0 METHODOLOGY

3.1 INTRODUCTION
Intrusion Detection Systems (IDS) have gained significant consideration among the best
security mechanisms for safeguarding IoT cyber infrastructures against various
cyber-attacks in the last decades. That is, IDS has become one of the prominent tools to
enhance security in today's IoT network-based systems. The signature or misuse-based IDS,
anomaly-based IDS, and hybrid approach are the well-known categories of security techniques
to detect intrusions and anomalies in IoT devices (Morteza Behniafar, Alireza Nowroozi, 2020).
The spider monkey optimization (SMO) algorithm and the artificial neural network (ANN) are
used to achieve optimal detection recognition: SMO selects the optimal features in the data
sets and ANN classifies the data as normal or anomalous.

3.2 DEVELOPMENT OF NIDSs


Network Intrusion Detection Systems analyse network traffic to detect malicious behaviours.
The basic steps needed to build a NIDS are (Chaabouni et al., 2019):
1) Collect the traffic data from the network.

2) Analyse the collected data.

3) Identify relevant security events.

4) Detect and report malicious events.

To perform these steps, there are two choices: use existing tools to facilitate the
implementation of the NIDS, or develop a novel detection strategy. Among existing tools, one
can choose between i) free datasets in an offline mode (since it is difficult to test
proposals on real networks, datasets are a good solution for benchmarking); ii) free
open-source network sniffers to capture one's own network traffic data; or iii) free
open-source NIDS that can be used and adapted for the desired goals. To give researchers a
clear view of the available tools, there are free datasets for NIDS, as well as free and
open-source network sniffers and NIDS. These three types of tools are correlated. The network
sniffers are used to collect network traffic data that will be stored in a dataset. The input
is unlabelled; therefore, NIDS are needed to differentiate each instance as an attack or
normal behaviour. NIDS are generally larger than network sniffers. They use network sniffers
to capture data, which is subsequently used to differentiate attacks from normal behaviours.

3.3 DATASET

Free datasets can be used for NIDS implementation and/or validation. The latest IoTID20
dataset for anomaly detection in the IoT networks presented in (Ullah & Mahmoud, 2020a) is
going to be used to evaluate the performance of the proposed approach. IoTID20 Testbed is a
smart home environment composed of IoT devices, namely, EZVIZ Wi-Fi Security camera,
SKT NGU, and other smart home devices such as smart home Wi-Fi router, tablets, laptops,
and smartphones. Only the EZVIZ Wi-Fi Security camera and SKT NGU are victims, while
the remaining devices act as attacking devices. The dataset has 83 network attributes
(features), and three label features: binary, category, and sub-category.

3.4 PROPOSED ANN-IDS

This section provides detailed explanations about using ANN-IDS to secure IoT
environments. The overall process of ANN-IDS is depicted in Figure 1, which shows that it
begins with network traffic capturing, followed by feature extraction in the normalized
dataset. Pre-processing applies two effective processes: training and testing. The trained
dataset is then passed to the model with deep learning and detection classification; based
on these, the data are classified into normal traffic and attack traffic.

Here, I consider three categories of anomalies (DoS, U2R, and R2L), which can be defined as
follows:

1. DoS: An attacker tries to make a service unavailable to legitimate users by uploading
enormous unwanted packets. Denial-of-service attacks include Apache2, Back, Land,
Udpstorm, and Smurf.

2. R2L: In this type of attack, an unauthorized attacker attempts to access the system
without a system account. Remote-to-local attacks include Ftpwrite, Guess-password,
and SNMP.

3. U2R: In this scenario, the attacker has local access to a victim's machine and tries to
obtain legitimate user privileges. Buffer overflow, HTTP tunnel, and rootkit attacks are
types of U2R attacks.

[Figure 1: Proposed DL detection system framework. Blocks shown: raw network traffic capture;
packet-level feature extraction; feature pre-processing; training and testing; deep learning
model; detection classification into normal traffic and attack traffic (DoS, U2R, R2L).]
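
The ANN-IDS pipeline described in Section 3.4 (normalization, a training/testing split, an ANN that separates normal from attack traffic, and the detection accuracy and false-positive rate it is judged by) is shown below as an added example, not the author's implementation. It assumes four hypothetical flow features and constructed synthetic records instead of IoTID20, and it omits the SMO feature-selection step.

```python
import math
import random

# Hypothetical flow features (constructed for this example; not IoTID20 column names).
FEATURES = ["pkts_per_sec", "mean_pkt_bytes", "flow_duration_s", "syn_ratio"]

def make_flows(n, rng):
    """Constructed records: label 0 = normal traffic, 1 = flood-like anomaly."""
    rows = []
    for i in range(n):
        if i % 2 == 0:
            x = [rng.gauss(20, 5), rng.gauss(600, 80), rng.gauss(30, 8), rng.gauss(0.10, 0.03)]
        else:
            x = [rng.gauss(400, 60), rng.gauss(90, 20), rng.gauss(2, 0.5), rng.gauss(0.80, 0.08)]
        rows.append((x, i % 2))
    rng.shuffle(rows)
    return rows

def fit_minmax(rows):
    """Learn per-feature (min, max) from the training rows only."""
    return [(min(col), max(col)) for col in zip(*(x for x, _ in rows))]

def scale(x, bounds):
    """Min-max normalize; clamp so unseen test values stay inside [0, 1]."""
    return [min(1.0, max(0.0, (v - lo) / (hi - lo))) for v, (lo, hi) in zip(x, bounds)]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

class TinyANN:
    """One tanh hidden layer and a sigmoid output, trained by plain SGD."""

    def __init__(self, n_in, n_hidden, rng):
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        h = [math.tanh(sum(w * v for w, v in zip(ws, x)) + b)
             for ws, b in zip(self.w1, self.b1)]
        return h, sigmoid(sum(w * hv for w, hv in zip(self.w2, h)) + self.b2)

    def train(self, data, epochs=50, lr=0.1):
        for _ in range(epochs):
            for x, y in data:
                h, p = self.forward(x)
                d_out = p - y  # cross-entropy gradient at the output pre-activation
                for j, hv in enumerate(h):
                    d_hid = d_out * self.w2[j] * (1.0 - hv * hv)  # back through tanh
                    self.w2[j] -= lr * d_out * hv
                    self.b1[j] -= lr * d_hid
                    for i, v in enumerate(x):
                        self.w1[j][i] -= lr * d_hid * v
                self.b2 -= lr * d_out

    def predict(self, x):
        return 1 if self.forward(x)[1] >= 0.5 else 0

def evaluate(model, data):
    """Return (accuracy, false-positive rate) on labelled, scaled rows."""
    hits = sum(model.predict(x) == y for x, y in data)
    normal = [x for x, y in data if y == 0]
    false_pos = sum(model.predict(x) for x in normal)
    return hits / len(data), (false_pos / len(normal) if normal else 0.0)

def run_pipeline(seed=7):
    rng = random.Random(seed)
    rows = make_flows(300, rng)
    train_rows, test_rows = rows[:210], rows[210:]   # 70/30 training/testing split
    bounds = fit_minmax(train_rows)                  # scaler is fitted on training data only
    train = [(scale(x, bounds), y) for x, y in train_rows]
    test = [(scale(x, bounds), y) for x, y in test_rows]
    model = TinyANN(len(FEATURES), 5, rng)
    model.train(train)
    return evaluate(model, test)

if __name__ == "__main__":
    accuracy, fpr = run_pipeline()
    print(f"accuracy={accuracy:.3f} false_positive_rate={fpr:.3f}")
```

Fitting the scaler on the training rows alone keeps test-set statistics out of the model, so the reported false-positive rate reflects traffic the detector has not seen.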

4.0 REFERENCES

Chaabouni, N., Mosbah, M., Zemmari, A., Sauvignac, C., & Faruki, P. (2019). Network Intrusion
Detection for IoT Security Based on Learning Techniques. IEEE Communications Surveys and
Tutorials, 21(3), 2671–2701. https://doi.org/10.1109/COMST.2019.2896380

Chawla, S., & Thamilarasu, G. (2016). Security as a Service: Real-time Intrusion Detection in Internet
of Things. ACM ISBN 978-1-4503-6406-5/18/04., 1–4.
https://doi.org/10.1145/3212687.3212872

Haber, M. J. (21 October 2016). IoT Bots Cause Massive Internet Outage. Beyond Trust [Online].
Available: https://www.beyondtrust.com/.

Hai, T. H., Huh, E., & Jo, M. (2010). A lightweight intrusion detection framework for wireless sensor
networks. Wireless Communications and Mobile Computing, 10, 559–572. Published online
15 April 2009 in Wiley InterScience. https://doi.org/10.1002/wcm.785

Huang, Y., Lee, W., & Zhang, Y. (2003). Intrusion Detection Techniques for Mobile Wireless Networks.
ACM WINET, 9, 545–556.

Ilgun, K. (1993). USTAT: A Real-time Intrusion Detection System for UNIX. IEEE, 16–28.

Ilgun, K., Kemmerer, R. A., & Porras, P. A. (1995). State Transition Analysis : A Rule-Based Intrusion
Detection Approach. IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 21(3), 181–199.

Kachirski, O., & Gutan, R. (2002). Effective Intrusion Detection Using Multiple Sensors in Wireless Ad
Hoc Networks University of Central Florida. Proceedings of the 36th Hawaii International
Conference on System Sciences (HICSS’03) IEEE, 1–8.

Kasinathan, P., Costamagna, G., Khaleel, H., Pastrone, C., & Spirito, M. A. (2013). DEMO: An IDS
Framework for Internet of Things Empowered by 6LoWPAN. CCS’13, November 4–8, 2013,
Berlin, Germany. ACM 978-1-4503-2477-9/13/11., 1337–1339.
https://doi.org/10.1145/2508859.2512494

Kasinathan, P., Pastrone, C., Spirito, M. A., & Vinkovits, M. (2013). Denial-of-Service detection in
6LoWPAN based Internet of Things. IEEE 9th International Conference on Wireless and Mobile
Computing, Networking and Communications (WiMob), 600–607.

Lunt, T., Alto, P., Neumann, P. G., Javitz, H. S., & Garvey, T. D. (1992). A Real-Time Intrusion-
Detection Expert System. SRI International, uploaded April 2015.

Maniriho, P., Niyigaba, E., Bizimana, Z., Twiringiyimana, V., Mahoro, L. J., & Ahmad, T. (2020).
Anomaly-based Intrusion Detection Approach for IoT Networks Using Machine Learning. 2020
International Conference on Computer Engineering, Network, and Intelligent Multimedia
(CENIM), 303–308. https://doi.org/10.1109/CENIM51130.2020.9297958

Morteza Behniafar, Alireza Nowroozi, and H. R. S. (2020). A Survey of Anomaly Detection
Approaches in Internet of Things. The ICS INT’L JOURNAL OF INFORMATION SECURITY, 10(2),
79–92. http://www.isecure-journal.org

Paula, A., Silva, R., Martins, M. H. T., Rocha, B. P. S., Loureiro, A. A. F., & Ruiz, L. B. (2005).
Decentralized Intrusion Detection in Wireless Sensor Networks. Q2 SWinet ACM1-59592-241-
0/05/0010, 5, 16–23.

Porras, P. A., Angeles, L., & Kemmerer, R. A. (1992). Penetration State Transition Analysis A Rule-
Based Intrusion Detection Approach. IEEE, 220–229.

Raza, S., Wallgren, L., & Voigt, T. (2013). SVELTE: Real-time intrusion detection in the Internet of
Things. Ad Hoc Networks, 11(8), 2661–2674. ISSN 1570-8705.
https://doi.org/10.1016/j.adhoc.2013.04.014

Roman, R., Zhou, J., & Lopez, J. (2006). Applying Intrusion Detection Systems to Wireless Sensor
Networks. Proceedings Communications Society IEEE Publication CCNC, 1-4244-0086-4/06,
640–644.

Vaccaro, H. S., & Liepins, G. E. (1989). Detection of anomalous computer session activity.
Proceedings. 1989 IEEE Symposium on Security and Privacy, 280–289.
https://doi.org/10.1109/SECPRI.1989.36302

Spafford, S. K. E. (2014). A Software Architecture to support Misuse Intrusion Detection.
ResearchGate, January, 1–18.

Teng, H. S., & Lu, S. C. (1990). Adaptive Real-time Anomaly Detection Using Inductively Generated
Sequential Patterns. IEEE, 278–284.

Thamilarasu, G., & Chawla, S. (2019). Towards Deep-Learning-Driven Intrusion Detection for the
Internet of Things. Sensors 2019, 19, 1977; Www.Mdpi.Com/Journal/Sensors, 1–19.
https://doi.org/10.3390/s19091977

Tseng, C., Ko, C., Rowe, J., & Levitt, K. (2003). A Specification-based Intrusion Detection System for
AODV. Proceedings of the 1st ACM Workshop Security of Ad Hoc and Sensor Networks Fairfax,
Virginia, 125–134.

Ullah, I., & Mahmoud, Q. H. (2020a). A Scheme for Generating a Dataset for Anomalous Activity
Detection in IoT Networks. In Conference Proceedings - IEEE International Conference on
Systems, Man and Cybernetics (Vols. 2020-Octob, Issue May). Springer International Publishing.
https://doi.org/10.1109/SMC42975.2020.9283220

Ullah, I., & Mahmoud, Q. H. (2020b). A Two-Level Flow-Based Anomalous Activity Detection System
for IoT Networks. Electronics 2020, 9, 530; Www.Mdpi.Com/Journal/Electronics.
https://doi.org/10.3390/electronics9030530

Zhang, Y., & Lee, W. (2000). Intrusion Detection in Wireless Ad-Hoc Networks. Proceedings of the 6th
Annual International Conference on Mobile Computing and Networking, MobiCom’, 275–283.
