FEATURE ARTICLE: INTERNET OF THINGS

Intrusion Detection System Through

Advance Machine Learning for the Internet
of Things Networks
Tanzila Saba, Prince Sultan University
Tariq Sadad, University of Central Punjab
Amjad Rehman, Prince Sultan University
Zahid Mehmood, University of Engineering and Technology
Qaisar Javaid, IIU Islamabad

Network security is the main issue in the Internet of Things networks because most
manufacturers do not focus on security standards during design. The performance
of firewalls, intrusion prevention systems, and intrusion detection systems depend
upon accuracy, thus its essentials, to enhance the detection rate to lessen false
alarms. The objective of the firewall is to find violations as per predefined rules and
block the incoming risky traffic. However, it is very tough to differentiate between
malicious and regular traffic due to advanced techniques of attack. To address
these issues, a two-stage hybrid method is proposed. First, the genetic algorithm
(GA) is applied to select appropriate features to improve the accuracy of the
proposed framework. Next, the well-known machine learning (ML) algorithm,
including the support vector machine (SVM), ensemble classifier, and decision tree
are employed. The achieved accuracy is 99.8% through 10-fold cross-validation
using a multiclass NSL-KDD database.

I
ntrusion is a process through which intruders
enter into a network system inauthentically to
modify, steal, or encrypt important/ confidential
information. It could also be used to damage the
hardware system shortly. Moreover, intrusion
causes huge financial losses, and thus, companies
are using different intelligent tools to enhance secu-
rity against intrusion.1 In a global network, more
security issues may arise due to the Internet of
Things (IoT) enabled devices as online systems are
more attractive to intruders, e.g., microwave,
blender, wearable devices, clothing, cognitive build-
ings, etc., allows access to the internet openly.2
Therefore, extensive research in the IoT security is
the need of the day. This requires intelligent
1520-9202 ß 2021 IEEE
Digital Object Identifier 10.1109/MITP.2020.2992710
Date of current version 31 March 2021.
systems to ensure reliability and to protect network
infrastructure against intrusion. Therefore, computer
and network security are essential and fundamental
for organizations and individuals, as well to protect
the cause of damages. To avoid such situations,
advanced machine learning (ML) techniques have
been employed to develop an intrusion detection
system (IDS) for IoT networks. Therefore, developing
efficient IDS is vital to defend network systems. The
proposed model uses a genetic algorithm (GA) that
could select appropriate features and advance ML
algorithms.
The rest of the article is organized as follows:
Related work of recent IDS techniques and cyber-
attacks in IoT environments are discussed in
“Related Work.” The proposed model of IDS is
described in “Proposed IDS for IOT Based on
Machine Learning Technique.” The experimental
results exhibited in “Performance Measures, Results,
Discussions,” and “Conclusion and Future Works
”concludes the research.

58 IT Professional Published by the IEEE Computer Society March/April 2021

Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.

RELATED WORK
Intrusion is a severe dilemma of security disclosure
because only one occurrence of intrusion might be
enough to delete or steal data from a computer. In
past few years, IDS has become essential to handle
security breaches and to resolve the concern issues.3
ML techniques in the view of IoT environments are
not highlighted too much for security challenges.
However, a large number of research works are pres-
ently being presented in area of intrusion detection.
Different approaches are concentrated on enhancing
the system’s ability to isolate network traffics into nor-
mal and abnormal packet.4
Horng et al.5 proposed support vector machine
(SVM) based IDS, which mixes hierarchical clustering
algorithm to preprocess the data and claimed high
accuracy. Eduardo et al.6 developed a classification
model to find network anomalies by statistical techni-
ques and self-organizing maps. Initially, principal com-
ponent analysis is used for feature selection. Network
classification of normal or malicious is done through
Probabilistic Self-Organizing Maps. Ravale et al.7 pro-
posed a hybrid method that utilizes a mix of data min-
ing techniques, K-means clustering is used for feature
selection and SVM is utilized for classification. Guo
et al.8 suggested a hybrid learning approach termed
as distance sum-based SVM (DSSVM) to demonstrate
an efficient IDS.
Bostani et al.9 described that wireless sensor net-
works and internet are exposed to several attacks to
the IoT environment. The results exhibited proposed
system could acquire false positive rate and true posi-
tive rate of 5.92% and 76.19%, respectively. Yang et al.10
presented a study declaring that IoT network works
under limited security guarantee. For this purpose, an
anomaly-based detection system is developed to secure
the environment from false data injection attacks. Sev-
eral ML classifiers have been incorporated to enhance
the functionality of IDS, for example, K-nearest neighbor
(K-NN),11 SVM,4 ANN,12 decision tree (DT),13 naive Bayes
network,14 etc. However, performance of detection
should not depend upon the employed techniques only,
but also the features of the given data.4 Indeed, the
quality of the data is based on the results of IDS. Still,
about the security concern and the hurdle of intrusions
in the IoT environment, we observed that its framework
is not standardized so far, but organizations, such as ITU
and IEEE are working on it.
Cyber-Attacks in IOT Environments
Secure routing is difficult for designing ID measures in
IoT networks. Several reviews15 have disclosed that IoT
networks are insecure due to different attacks. Among
March/April 2021
Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.
INTERNET OF THINGS
FIGURE 1. Framework of the proposed model.
them, a few are lack of authorization/authentication
mechanisms, insecure web interfaces and lack of
transport encryption, etc., creating a challenging task
to utilizing security measures in the IoT network. Some
of the most widespread attacks are explained in the fol-
lowing, as a result of which IoT networks are insecure.
Denial of Service (DoS) Attack: In such attacks,
machines are not accessible to an authentic user.
When different devices become a part of this attack,
then it is termed as distributed denial of service. It dis-
turbs network and computation capacity, etc.
Sybil Attack: During this attack, an attacker gener-
ates multiple fake identities to control a peer network.
Sinkhole Attack: This attack is used to catch the
attention of all network traffic from its adjacent points
through advertising fake routing tables. It badly
affects IoT networks and is hard to detect such
attacks since it utilizes RPL as routing protocol.
Jamming: During this attack, attackers transmit
faked signals to disturb communication of IoT networks.
PROPOSED IDS FOR IoT BASED
ON MACHINE LEARNING
TECHNIQUE
Figure 1 shows the proposed IDS, which is based on
machine learning techniques for IoT networks. The
proposed model includes feature selection and train-
ing through different classifiers.
Database Description
The performance analysis of the proposed model is
carried using a dataset called NSL-KDD.16 In each
record of NSL-KDD database, there are 41 features.
The 42nd attribute comprises the information regard-
ing five different classes (1 normal class and 4 attack
class). The attack classes are categorized as DoS
IT Professional 59
INTERNET OF THINGS
attack, remote to local (R2L) access, probing attack
(Probe), and User to Root (U2R) access.
Genetic Algorithm as Feature Selection
In the proposed model, the system is trained through
NSL-KDDTrainþ20%.17 This dataset includes 25192
cases, 13449 are considered normal data and 11743 of
which are attack data. First, attack type is trans-
formed into its numeric categories before the opera-
tion of features selection. 1 is used for DoS attack, 2, 3,
4, and 5 are given to Probe, R2L, U2R, and normal data,
respectively. Then, Genetic Algorithm (GA) is used for
feature selection.18
Algorithm: IDS; Take input, perform preprocess-
ing and feature selection, classification
1 procedure data_ processing (selection);
2 Input ¼ NSL_KDD (41features);
3 GA ¼ fselection (Input);
4 return v1, v2, v3, v5, v6, v17, v29, v30, v33, v34;
5 procedure classification [(v1, v2, v3, v5, v6, v17, v29, v30,
v33, v34), trueclass];
6 Model ¼ training [(v1, v2, v3, v5, v6, v17, v29, v30, v33,
v34), trueclass];
7 Predictedclass ¼ testing (Model (v1, v2, v3, v5, v6, v17,
v29, v30, v33, v34];
8 Accuracy ¼ Confusionmat (Predicedclass, trueclass);
9 return Predictedclass, Accuracy.
GA is a search heuristic algorithm employed to
solve optimization problems. It is an evolutionary algo-
rithm inspired by natural evolution. GA replicates the
procedure of natural selection, where the finest indi-
viduals are nominated for reproduction that produces
children for the next generation. Currently, GA docu-
mented a huge interest in the feature selection pro-
cess because it does not apply any formula in the
calculation. The process of GA is explained as follows.
Initially, a random population of chromosomes is
produced. Then, fitness function of each chromosome
is estimated. Usually, GA comprises three key opera-
tions; parent selection, crossover, and finally mutation.
For the selection of parents, the roulette wheel
method is utilized as a selection. This method picks
two parents based on calculated probability from the
fitness value. A chromosome with best instance of fit-
ness having a higher probability is selected as a par-
ent. Once crossover is accomplished between two
nominated parents, a process of mutation is used
based on the mutation rate (MR). The MR specifies
the probability of a feature to flip from bit 0 to 1 or 1 to
0. The fitness of the newly created population is
assessed in the next step. Afterward, newly produced
60 IT Professional
Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.
population is merged into current population and
organized according to fitness value. Finally, the best
chromosomes are then chosen for the next produc-
tion, whereas the remainder is removed. The process
is terminated after the maximum number of iterations
reached. The N ( ¼10) best chromosome is nominated
as the feature subset i.e., v1, v2, v3, v5, v6, v17, v29,
v30, v33, v34 through GA, which is to be used for
classification.
Classification
The selection of classifiers is a significant step for IDS.
In the proposed model, supervised ML techniques
have been employed to evaluate the behaviors of IoT
devices in malware detection. The selected features
are evaluated to implement a classification applying
Decision Tree (DT), SVM, and Ensemble classifier to
mark the attack as malicious or normal. In the pro-
posed work, the 10-fold technique is chosen as cross-
validation for the classification to prevent overfitting.19
Support Vector Machine
The SVM works on the principle of statistical learning
theory, and it attempts to find the best hyper-plane to
minimize the classification error in multidimensional
space. The hyper-plane can be formulated as in (1) is
V:x þ b ¼ 0 (1)
where x indicates the n-dimensional input vector, b is
the bias of the model, V is termed the weight vector
and described as V1 ; V2 ; . . . ; Vn .
SVM uses “kernel function” to take input data and
transform into linear separation in case of non-linear
separation. The kernel function expressed as
Kðxu :xv Þ ¼ ’ðxu ÞT : ’ðxv ÞT : (2)
The calculation of the separating hyper-plane does
not need information of ’, but only of K in kernel trick.
Mostly four kernel functions are utilized in SVM: Lin-
ear, Gaussian, Quadratic, and Cubic. However, we
choose the Quadratic kernel function because it is
computationally less intensive. The Quadratic func-
tion is presented as
xu  xv 2
Kðxu :xv Þ ¼ 1  : (3)
xu  xv 2 þ C
Decision Tree
It categorizes the cases by sorting them based on val-
ues using a top–down methodology. Each node of
decision tree denotes instances to be classified, and
March/April 2021

each branch denotes an attribute of that case. A case
is grouped by instigating at root node, testing individ-
ual value using this node, then going down toward
tree branch as per value supplied. The same process
is then repeated for subtree started at the new node.
The variable employed in a splitting criterion is nomi-
nated as per the splitting condition to maximize the
lessening in impurity. We employed a Gini diversity
index (GDI) as a splitting criterion to select the best
variable, which is stated as
X Accuracy ¼
uðtÞ ¼ PðvjtÞPðujtÞ: (4)
v6¼u
The GDI is expressed as the chance of misclassifi-
cation; thus, the efficacy of the split condition is to per-
form a split at a node upon which the chance of
misclassification is lessened. A feature of the decision
trees is that pure classification will be accomplished, if
no restrictions are employed on the number of splits
that are executed, however, it is impractical in noisy
data situations. The objective of a decision tree is not
only to acquire the correct classification of the instan-
ces but also to support insight into the projecting con-
figuration of the variables. The data happening in the
splitting conditions close to the top of a classification
tree are very significant for data differentiation. How-
ever, we must be concerned in ranking all variables as
per their significance, not only those looking in the
splitting conditions. The measure of the significance of
the data dm Mðdm Þ is expressed through surrogate
splits.20 Here the significance of a variable is measured
to fit within the limit from 0 to 100 through formulation
and defined mathematically as
100Mðdm Þ
: (5)
maxm ðdm Þ
Ensemble Classifier
Ensemble classifiers employ multiple learning meth-
ods to attain enhance performance than any single
classifier. There are different ensemble classifiers,
such as boosting, bagging, and random subspace.
Here, we employed bagging (bootstrap aggregating),
which is the common method of an ensemble. The
methodology of the proposed model is presented in
the form of pseudocode as follows.
PERFORMANCE MEASURES,
RESULTS, AND DISCUSSIONS
Performance Measures
The performance of proposed model is evaluated in
terms of accuracy, confusion matrix as per formulas in
March/April 2021
Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.
INTERNET OF THINGS
(6). True positive (TP) gets significant when the model
recognizes a malicious attack as malicious, whereas a
true negative (TN) arises when a normal packet is rec-
ognized as normal. On the other side, a predicted false
positive (FP) value occurs when traffic is normal and it
is recognized as malicious, whereas a false negative
(FN) arises when a particular attack is malicious and is
recognized as normal
TP þ TN
: (6)
ðTP þ TN þ FP þ FNÞ
Results and Discussion
The experiments are carried out on NSL-KDD dataset
and performance is evaluated in terms of accuracy,
confusion matrix. The following sections specify the
outcomes.
Performance Analysis in terms of
Classification Accuracy
To study usefulness of the proposed paradigm, deci-
sion tree, SVM, ensemble classifiers have been
applied. The achieved accuracy of 99.5%, 99.2%, and
99.8% through a decision tree, SVM, and ensemble
approach along with different parameters are tabu-
lated in Table 1. As shown in Table 1, the decision tree
employed the complex tree as preset with GDI, and
the maximum no. of the split is 100. Whereas SVM
employed quadratic SVM as preset with a quadratic
function, and the box constraint level is 1. Ensemble
classifier used bagged tree as preset with bag method.
The type of learner is a decision tree, and the number
of learners employed is 30. Ensemble classifiers
achieved a higher result as compared to other classi-
fiers. The reason is that the ensemble employs multi-
ple learning procedures to reach high results than any
solitary approach. It should be noted that the result
also based on data size, features, problem; some clas-
sifiers accomplish satisfactory results on some of
dataset better than others.
The overall classification accuracy of employed
classifiers, SVM, decision tree, ensemble classifier
have been observed to be 99.2%, 99.5%, and 99.8%,
respectively. The results reveal that ensemble classi-
fier offers best results among all implemented classi-
fiers. Furthermore, results of feature sets are
produced against ensemble classifier, decision tree,
and SVM classifier in form of confusion matrix are pre-
sented in Table 2. The TP and FN Rate achieved using
ensemble classifier illustrated that feature set for DOS
and Probe attack had a TP rate 99% led to better
IT Professional 61
INTERNET OF THINGS
TABLE 1. Classification accuracy.
TABLE 2. Confusion matrix result.
results, whereas TP rate of R2L, U2R attack is 90%,
27%, respectively.
CONCLUSION AND FUTURE
WORKS
A secure network is highly significant for an organiza-
tion. Network security is mandatory to be considered
during the design phase of IoT devices. IDS using
advance ML is most important for IoT networks. GA
with SVM, decision tree, and ensemble classifiers are
utilized for IDS. A higher result of classification in
terms of accuracy has been observed on the NSL-
62 IT Professional
Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.
KDD dataset through an ensemble classifier using 10-
fold cross-validation technique. Future research work
may focus to detect anomalies in IoT and IoMT (Inter-
net of Medical Things) networks using hybrid features
selection, such as PSO-GA and multiclass classifica-
tion methods.
ACKNOWLEDGMENTS
This work was supported by the Artificial Intelligence
and Data Analytics Lab (AIDA), Prince Sultan Univer-
sity, Riyadh, Saudi Arabia.
March/April 2021

REFERENCES
1. A.Y. Khan, R. Latif, S. Latif, S. Tahir, G. Batool, and
T. Saba, “Malicious insider attack detection in IoTs
using data analytics,” IEEE Access, vol. 8,
pp. 11743–11753, 2019.
2. T. Saba et al., “Cloud-based decision support
system for the detection and classification of
malignant cells in breast cancer using breast
cytology images,” Microsc. Res. Techn., vol. 82,
no. 6, pp. 775–785, 2019.
3. A. Rehman, S. Alqahtani, , A. Altameem, and T. Saba,
“Virtual machine security challenges: Case studies,”
Int. J. Mach. Learn. Cybern., vol. 5, no. 5, pp. 729–742,
2014.
4. S. M. H. Bamakan, H. Wang, T. Yingjie, and Y. Shi, “An
effective intrusion detection framework based on
MCLP/SVM optimized by time-varying chaos particle
swarm optimization,” Neurocomputing, vol. 199,
pp. 90–102, 2016.
5. S. J. Horng et al., “A novel intrusion detection system
based on hierarchical clustering and support vector
machines,” Expert Syst. Appl., vol. 38, pp. 306–313,
2011.
6. E. De la Hoz, E. De La Hoz, A. Ortiz, J. Ortega, and
B. Prieto, “PCA filtering and probabilistic SOM for
network intrusion detection,” vol. 164,
Neurocomputing, pp. 71–81, 2015.
7. U. Ravale, N. Marathe, and P. Padiya, “Feature
selection based hybrid anomaly intrusion
detection system using K means and RBF kernel
function,” Proc. Comput. Sci., vol. 45, pp. 428–435,
2015.
8. C. Guo, Y. Zhou, Y. Ping, Z. Zhang, G. Liu, and
Y. Yang, “A distance sum-based hybrid method
for intrusion detection,” Appl. Intell., vol. 40,
pp. 178–188, 2014.
9. H. Bostani and M. Sheikhan, “Hybrid of anomaly-
based and specification-based IDS for Internet of
Things using unsupervised OPF based on mapreduce
approach,” Comput. Commun., vol. 98, pp. 52–71,
2017.
10. L. Yang, C. Ding, M. Wu, and K. Wang, “Robust
detection of false data injection attacks for data
aggregation in an Internet of Things-based
environmental surveillance,” Comput. Netw., vol. 129,
pp. 410–428, 2017.
11. Y. Li and L. Guo, “An active learning based TCM-KNN
algorithm for supervised network intrusion
detection,” Comput. Secur., vol. 23, pp. 459–467, 2007.
12. G. Wang, J. Hao, J. Mab, and L. Huang, “A new
approach to intrusion detection using artificial
neural networks and fuzzy clustering,” Expert Syst.
Appl., vol. 37, pp. 6225–6232, 2010.
March/April 2021
Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.
INTERNET OF THINGS
13. A. S. Eesa, Z. Orman, and A. M. A. Brifcani, “A novel
feature-selection approach based on the cuttlefish
optimization algorithm for intrusion detection
systems,” Expert Syst. Appl., vol. 42, pp. 2670–2679,
2015.
14. L. Koc, T. A. Mazzuchi, and S. Sarkani, “A network
intrusion detection system based on a Hidden Naïve
Bayes multiclass classifier,” Expert Syst. Appl.,
vol. 39, pp. 13492–13500, 2012.
15. D. Miessler, “HP Study Reveals 70 Percent of Internet
of Things Devices Vulnerable to Attack,” Hewlett
Packard Enterprise Community, 2014.
16. M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A
detailed analysis of the KDD CUP 99 data set,” in
Proc. IEEE Symp. Comput. Intell. Secur. Defense
Appl., 2009, Paper no. 11022518
17. S. Aljawarneh, M. Aldwairi, and M. B. Yassein,
“Anomaly-based intrusion detection system through
feature selection analysis and building hybrid efficient
model,” J. Comput. Sci., vol. 25, pp. 152–160, 2018.
18. J. Too, A. R. Abdullah, N. M. Saad, and W. Tee, “EMG
feature selection and classification using a Pbest-
guide binary particle swarm optimization,”
Computation, vol. 7, 2019, Art. no. 12.
19. P. Refaeilzadeh, L. Tang, and H. Liu., “Cross-
Validation, ” in Proc. Encyclopedia Database Syst.,
2009, pp. 532–538.
20. A. Feelders, “Handling missing data in trees:
Surrogate splits or statistical imputation?” in Proc.
Eur. Conf. Princ. Data Mining Knowl. Discovery, 1999,
pp. 329–334.
TANZILA SABA is currently a Research Professor with the
College of Computer and Information Sciences with Prince
Sultan University, Riyadh, Saudi Arabia. Her primary research
interests focus on the recent years is bioinformatics, pattern
recognition, machine learning, and applied soft computing.
She received the Ph.D. degree in information security and
management from the Faculty of Computing, Universiti
Teknologi Malaysia, Malaysia, in 2012. She won the best stu-
dent award in the Faculty of Computing UTM for 2012. Con-
tact her at drstanzila@gmail.com.
TARIQ SADAD is currently an Assistant Professor with the
Department of Computer Science, University of Central
Punjab, Lahore, Pakistan. His research interests include IoT
security, machine learning, image processing, health-infor-
matics, and decision support systems. He received the M.S.
and Ph.D. degrees in computer science from International
Islamic University, Islamabad, Pakistan. Contact him at
tariqsadad@gmail.com.
IT Professional 63
INTERNET OF THINGS
AMJAD REHMAN is a Senior Researcher with the AIDA Lab,
Prince Sultan University, Riyadh, Saudi Arabia. His research
interests include data mining, health informatics, and pattern
recognition. He received the Ph.D. degree from the Faculty of
Computing Universiti Teknologi Malaysia with a specializa-
tion in Forensic Documents Analysis and Security in 2010. He
is the corresponding author of this article. Contact him at
rkamjad@gmail.com.
ZAHID MEHMOOD is currently with the Department of Com-
puter Engineering, University of Engineering and Technology
(UET), Taxila, Pakistan, where he received the Ph.D. degree in
computer engineering in 2016. He received the MS degree in
electronic engineering in 2012 with specialization in signal
and image processing from International Islamic University,
64 IT Professional
Authorized licensed use limited to: University of Arid Agriculture. Downloaded on June 01,2022 at 12:12:27 UTC from IEEE Xplore. Restrictions apply.
Islamabad, Pakistan, and the BS degree in computer
engineering (Hons) in 2009 from the COMSATS University of
Sciences and Technology, Wah Campus, Pakistan. He is a
team-lead of the Forensic Analysis, Machine Learning, and
Information Retrieval (FAMLIR) research group. Contact him
at zahid.mehmood@uettaxila.edu.pk.
QAISAR JAVAID is currently the Working Chairman of the
Department of Computer Science and Software Engineering,
International Islamic University, Islamabad, Pakistan. He is
consistently doing research in the areas of computer net-
works, information security, cloud computing, and IoT. He is
also heading the CISCO Networking Academy of Interna-
tional Islamic University, Islamabad, Pakistan. Contact him at
qaisar@iiu.edu.pk.
March/April 2021