
Future Generation Computer Systems

Volume 102, January 2020, Pages 198-209

Averaged dependence estimators for DoS attack detection in IoT networks
Zubair A. Baig a, Surasak Sanguanpong b, Syed Naeem Firdous c, Van Nhan Vo d e,
Tri Gia Nguyen e, Chakchai So-In d
https://doi.org/10.1016/j.future.2019.08.007

Abstract
Wireless sensor networks (WSNs) have evolved to become an integral part of the
contemporary Internet of Things (IoT) paradigm. The sensor node activities of both
sensing phenomena in their immediate environments and reporting their findings to
a centralized base station (BS) have remained a core platform to sustain
heterogeneous service-centric applications. However, the adversarial threat to the
sensors of the IoT paradigm remains significant. Denial of service (DoS) attacks,
comprising a large volume of network packets, targeting a given sensor node(s) of the
network, may cripple routine operations and cause catastrophic losses to emergency
services. This paper presents an intelligent DoS detection framework comprising
modules for data generation, feature ranking and generation, and training and
testing. The proposed framework is experimentally tested under actual IoT attack
scenarios, and the accuracy of the results is greater than that of
traditional classification techniques.

Introduction
A wireless sensor network (WSN) is defined as a network of interconnected sensors
that constantly monitor their respective environments for phenomena, communicate
their readings to peer sensor nodes and to a centralized base station (BS) for storage
and processing, and inform relevant stakeholders in the event of the detection of an
anomalous event. Minute sensor nodes deployed for these activities have limited
computing, storage, and communication capabilities for carrying out their
designated tasks [1], [2], [3], [4].
Historically, WSNs have played a vital role in supporting critical infrastructures. In
legacy sensor networks, the sensor nodes communicated with a centralized BS, which
would effectively be connected to emergency services, on standby for mobilization in
the event of an emergency event. For instance, the detection of unusually high
temperatures in a bush region would be indicative of a likely fire in the area. Further
investigation may be entailed, and a fire control crew may need to be mobilized to
contain the threat posed by the fire [2], [4].

Recent and widespread adoption of Internet-connected devices that constitute the
modern-day Internet of Things (IoT) paradigm has taken sensor node application to
a new dimension [3], [4]. Embedded IoT devices and wireless sensors comprise the
lowest layer of the IoT paradigm. These devices are protocol-dependent and
communicate with peer devices wirelessly, relying on standards such as ZigBee and
6LoWPAN. Embedded sensors may include those found in smart vehicles, road-side
traffic controllers, smart home appliances (smart TVs, refrigerators, washing
machines), smart bicycles, and eHealth devices, such as pacemakers and insulin
dispensers. Industrial IoT (IIoT) refers to cyber manufacturing systems (CMSs) that
comprise the Industry 4.0 paradigm [5], which is effectively as vulnerable to the
adversarial threats as other IoT-based systems.

We categorize the above sensors as smart IoT sensors, as they not only sense the
environment but also perform intelligent processing of collected sensory data,
participate in the transmission of the data to centralized data centers (e.g., Cloud),
and respond to requests received from decision makers such as the BS. These sensor
nodes are deployed at various locations of the IoT infrastructure for monitoring and
reporting observed phenomena from their local environments [6], [7].

Based on the application categories specified by Libelium [8], sensor applications for
contemporary applications include the following: 1. smart cities; 2. smart
environments; 3. smart water; 4. smart metering; 5. retail; 6. logistics; 7. industrial
control; 8. smart agriculture; 9. smart animal farming; 10. domestic and home
automation; and 11. eHealth. A related enumeration of smart city services, smart
grids, smart water management, and smart healthcare was presented in [9].

In general, an IoT sensor network architecture comprises data generators and data
capturers, as shown in Fig. 1. Data generators are identified as individual IoT sensors
of the network, which operate in the immediate environment, sensing their
surroundings for phenomena such as temperature or pressure variations, and
reporting the same to a centralized entity (in most cases, a higher performance node
such as a BS).

Data capturers are centralized sensor nodes within a cluster (region) of operation,
that is, a cluster head (CH), responsible for the capture/aggregation and subsequent
rendering of environmental readings to a powerful computing node of the IoT
network, i.e., the BS. Several CH nodes will be operational within a mid- to large-
scale IoT network. Data capturers play a similar role to IoT middleware platforms,
where they aggregate data from multiple sensors and route the data to various
endpoints, such as the Cloud. The large number of connections from the IoT and the
exchange of massive amounts of data from numerous IoT devices require a fast and
reliable data connection. The fifth generation (5G) network is poised to become a key
technology enabler for the IoT to complement this explosive growth of connected
devices [10]. With the advent of the 5G infrastructure, the IoT middleware platforms
will play a crucial role in providing necessary device abstractions and data
management services.

The IoT sensor architecture suffers from several security threats that may affect the
regular working of the network and the delivery of foolproof and resilient service to
critical infrastructure [11]. Data generated from sensor nodes must be securely and
promptly delivered to the data capturers and onwards to the centralized BSs.
Security of these data in transit over the communication lines, as well as at rest
within the various sensor nodes of the communication hierarchy, is paramount.

 •
Data Integrity — An integrity violation in the IoT network is defined as a
deliberate or accidental modification to the reading that is observed by a data
generator. Such a violation of data integrity, which is invariably a matter of
tampering with sensitive information, may occur at one or more locations of
the network, including at the data generator, data capturer, BS, or during
transit through the communication channels [12].
 •
Data Confidentiality — Data generated by the sensor nodes must be
protected against unwanted disclosure to the adversary. To maintain the
confidentiality of sensor data, the following locations of data at rest and in
transit are identified: data generator, data capturer, BS, and the
communication links among these entities. Although, in principle, the
encryption of all data is a solution, the unaltered application of standard
encryption techniques, including Rivest–Shamir–Adleman (RSA), data
encryption standard (DES), Blowfish, and ElGamal methods, are not entirely
viable on resource-constrained sensor nodes. Consequently, data encryption
must be lightweight as well as resilient against adversarial attacks [12].
 •
Data availability — Rogue sensor nodes, middleware devices or a
compromised BSs may be programmed by the adversary class to carry out a
denial of service (DoS) flooding attack against selective targets in the network,
with the purpose of disrupting routine network operations and crippling
critical sensor network services [9], [12].
As IoT networks start adopting 5G networks, the security challenges of IoT
middleware or data capturers will increase drastically [13]. Although 5G networks
will provide fast, reliable, high bandwidth, and location awareness to IoTs, there
remain many unaddressed security concerns. In [13], [14], the authors highlight
many possible attacks against the 5G IoT middleware platforms. Attacks, such as
Man-in-The-Middle, message modification, authentication attacks, DoS attacks,
replay attacks, and eavesdropping, will challenge the effective deployment of the IoT
on a 5G network. With numerous connected devices and critical services depending
on data generated from billions of end points, it is necessary to have an efficient and
robust security mechanism to thwart any malicious attempts to disrupt services,
especially DoS attacks.

While conventional techniques of the statistical analysis of network traffic may be
effective in detecting DoS attacks in sensor networks, the centralized analysis of
fused data at the data capturer nodes facilitates more accurate identification of DoS
network traffic. Naïve Bayes is a popular classifier that has been extensively used in
various applications of data classification [15]. The fundamental basis of the Naïve
Bayes classifier is the assumption that individual data attributes are independent of
each other, so the accuracy of a Naïve Bayes classifier is questionable when the data
attributes are interdependent. The averaged one-dependence estimator (A1DE) and
the averaged two-dependence estimator (A2DE) are two such techniques proposed to
address the attribute independence assumption of Naïve Bayes [15], [16].
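
The contrast between Naïve Bayes and A1DE described above, as an added example (not code from the paper, whose experiments ran in Weka): a minimal A1DE over discretized features, evaluated on a constructed sample where DoS shows up only as a mismatch between the SYN-rate and ACK-rate bins. The feature names, bin values, Laplace smoothing and `min_freq` threshold are assumptions of this example.

```python
from collections import Counter
from math import prod

def train(rows):
    """Count class, (class, attr) and (class, parent, child) frequencies."""
    m = {"n": len(rows), "y": Counter(), "x": Counter(), "yx": Counter(),
         "yxx": Counter(), "vals": [set() for _ in rows[0][0]]}
    for x, y in rows:
        m["y"][y] += 1
        for i, xi in enumerate(x):
            m["vals"][i].add(xi)
            m["x"][i, xi] += 1
            m["yx"][y, i, xi] += 1
            for j, xj in enumerate(x):
                if j != i:
                    m["yxx"][y, i, xi, j, xj] += 1
    return m

def nb_score(m, x, y):
    """Naive Bayes: P(y) * prod_i P(x_i | y), Laplace-smoothed."""
    prior = (m["y"][y] + 1) / (m["n"] + len(m["y"]))
    return prior * prod((m["yx"][y, i, xi] + 1) / (m["y"][y] + len(m["vals"][i]))
                        for i, xi in enumerate(x))

def a1de_score(m, x, y, min_freq=1):
    """A1DE: sum over parents i of P(y, x_i) * prod_{j != i} P(x_j | y, x_i)."""
    total, used = 0.0, 0
    for i, xi in enumerate(x):
        if m["x"][i, xi] < min_freq:        # skip parent values seen too rarely
            continue
        used += 1
        joint = (m["yx"][y, i, xi] + 1) / (m["n"] + len(m["y"]) * len(m["vals"][i]))
        total += joint * prod(
            (m["yxx"][y, i, xi, j, xj] + 1) / (m["yx"][y, i, xi] + len(m["vals"][j]))
            for j, xj in enumerate(x) if j != i)
    return total if used else nb_score(m, x, y)   # no usable parent: fall back to NB

def predict(m, x, score):
    return max(sorted(m["y"]), key=lambda y: score(m, x, y))

def accuracy(m, rows, score):
    return sum(predict(m, x, score) == y for x, y in rows) / len(rows)

# Constructed sample (not from the paper): per-flow (syn_rate, ack_rate, proto) bins.
# Matching SYN/ACK bins are normal; mismatched bins are labelled as DoS.
DATA = []
for syn, ack, label, n in [("hi", "hi", "normal", 3), ("lo", "lo", "normal", 3),
                           ("hi", "lo", "dos", 2), ("lo", "hi", "dos", 2)]:
    for proto in ("tcp", "udp"):
        DATA += [((syn, ack, proto), label)] * n
MODEL = train(DATA)

if __name__ == "__main__":
    print("NB  ", accuracy(MODEL, DATA, nb_score))    # scored on the training rows
    print("A1DE", accuracy(MODEL, DATA, a1de_score))
```

Each attribute on its own is uninformative here, so Naïve Bayes falls back on the class prior and labels every flow normal, while A1DE recovers the SYN/ACK dependence through the conditional term P(x_j | y, x_i).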

In this paper, we present a dependence estimator-based scheme for DoS attack traffic
classification in an IoT sensor network. The presented scheme is the first of its kind,
where the deep analysis of IoT network traffic parameters is conducted to establish a
relationship between the network traffic parameters and to identify the key IoT
network traffic parameters upon which other parameters would depend. Through the
establishment of such a relationship, the analysis of network traffic for malicious
activity proves to be more accurate as well as efficient. The findings presented in this
paper highlight the significance of the dependencies between the individual data
attributes of network traffic and provide the quantification of the quality of solution
proposed. In summary, the key contributions of this paper are as follows:

 •
Adoption and redefinition of the averaged one-dependence and two-
dependence (A1DE and A2DE) techniques for detecting DoS attacks in IoT
networks.

 •
Proposal of an integration of A1DE and A2DE through the introduction of
MultiScheme and Voting schemes for DoS attack detection in IoT networks.

 •
Performance evaluation of the proposed techniques for DoS attack detection
in a real IoT network, i.e., measuring and reporting on the accuracies and
computational times.
This article is organized as follows: Section 2 of the paper provides a background on
machine learning techniques for the IoT and its application to DoS attack detection
for network security. In Section 3, we present the one-dependence estimator
classifier. In Section 4, we present the network and attack model for an IoT network.
Section 5 presents the averaged dependence estimator (ADE)-IoT attack detection
framework. The experimental setup and results analysis are presented in Section 6.
Finally, the article is concluded in Section 7.

Section snippets

Related work
IoT security is a multifaceted challenge. As elaborated upon in [5], IoT
manufacturers merely give consideration to security as a postproduction exercise.
The limited resources available for data processing, storage, and communication
encumber the deployment of robust data confidentiality techniques that require
security keys of sufficient length to guarantee minimum security of data, in transit
and at rest. While IoT communication protocols such as message queuing telemetry
transport (MQTT)

The averaged dependence estimator


Data classification is a critical component of network security. With a proper data
classification mechanism in place, the network security scheme can accurately
differentiate legitimate traffic from attack traffic and can be effective in protecting
the network from malicious attacks. A data classifier operates through an assessment
of individual features of a given data sample and by categorizing the sample into one
of n predefined classes. An attribute of a given dataset is defined as a 〈

Network and attack models


This section provides details for network and attack models, including our DoS
detection architecture for IoT sensor networks.

ADE-IoT DoS detection framework


The ADE-IoT attack detection framework (Fig. 3) comprises a packet capturer
module responsible for capturing raw network traffic in the IoT network. The
captured packets are subsequently preprocessed to extract TCP/IP packet header
data and for statistical information acquired from collections of packet sequences of
a given connection. Feature selection and generation are then performed on the
preprocessed data to identify essential features for classifier training and to generate
additional

Performance analysis
The classification of the captured network traffic was carried out in the Weka Data
Mining Software Environment [38]. For analysis, i.e., testing, data packets on both
ingress and egress channels of the network were presented to the classifiers. The
performance of six classifiers, namely, A1DE, A2DE, Naïve Bayes, Bayesian Network,
C4.5, and MLP, was compared. In addition, the performance of the MultiScheme and
Voting-based techniques was also compared. The performance of the dependence

Conclusion
Service-centric WSNs hold promise for the future of the IoT paradigm. The
underlying principles of data communication for sensor networks have evolved over
time to include new standards. However, the adversarial threat to the availability of
sensor resources still remains, with DoS attacks posing a threat to the routine
operations of a sensor network, merely through large-volume network traffic
generation targeting specific sensor nodes. In this paper, an ADE-based DoS attack
detection scheme

Declaration of Competing Interest


No author associated with this paper has disclosed any potential or pertinent
conflicts which may be perceived to have impending conflict with this work. For full
disclosure statements refer to https://doi.org/10.1016/j.future.2019.08.007.

Acknowledgments
This work was supported in part by Enthuse Company Ltd., under Grant Ent-KKU-
2560-01, in part by the Khon Kaen University Grant, in part by the Kasetsart
University Grant, and in part by Thailand Research Fund (TRF) under International
Research Network Program (IRN61W0006).
Zubair Baig is a Senior Lecturer in Cyber Security at the School of Information
Technology, Deakin University. He has authored over 75 journal and conference
articles and book chapters. He is currently serving as the editor of the IET Wireless
Sensor Systems Journal and the PSU — A Review Journal, Emerald Publishing
House. He has served on numerous technical program committees of international
conferences and has delivered numerous keynote talks on cyber security. His
research interests are in

References (40)
 Baig Z.A., Pattern recognition for detecting distributed node exhaustion attacks in wireless sensor networks, Comput. Commun. (2011)
 Baig Z.A. et al., Future challenges for smart cities: Cyber-security and digital forensics, Digit. Investig. (2017)
 Li S. et al., 5G Internet of Things: A survey, J. Ind. Inf. Integr. (2018)
 Depren O. et al., An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks, Expert Syst. Appl. (2005)
 Bojović P. et al., A practical approach to detection of distributed denial-of-service attacks using a hybrid detection method, Comput. Electr. Eng. (2019)
 Koroniotis N. et al., Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-IoT dataset, Future Gener. Comput. Syst. (2019)
 Kim B. et al., A survey on real-time communications in wireless sensor networks, Wirel. Commun. Mob. Comput. (2017)
 Liu J. et al., IoT hierarchical topology strategy and intelligentize evaluation system of diesel engine in complexity environment, Sensors (2018)
 McGrath M. et al., Sensor network topologies and design considerations, Sens. Technol. (2014)
 Song H. et al., Overview of security and privacy in cyber-physical systems

Cited by (72)
 An Optimized Privacy Information Exchange Schema for Explainable AI Empowered WiMAX-based IoT networks, 2023, Future Generation Computer Systems
 A big data analytics for DDOS attack detection using optimized ensemble framework in Internet of Things, 2023, Internet of Things (Netherlands)
 Internet of Things (IoT) security dataset evolution: Challenges and future directions, 2023, Internet of Things (Netherlands)