
Intrusion Detection System of IoT Systems Using Artificial Neural Network

Rao Muhammad Ammar, Mohammad Ali Qazi, Fasi ur Rehman, Manahil Fraz
Department of Electrical Engineering, Usman Institute of Technology
16b-229-el@students.uit.edu, 16b-213-el@students.uit.edu, 16b-222-el@students.uit.edu, 16b-036-el@students.uit.edu

Abstract— The growing number of endpoint devices in IoT infrastructure, each bringing different protocols and technologies, increases complexity and introduces unwanted vulnerabilities. A vulnerable IoT endpoint gives an attacker a backdoor through which to exploit and disrupt the IoT system, or to gather confidential data from an organization. The Hajime and Mirai botnets have been used to conduct distributed denial of service (DDoS) attacks on critical IoT systems. Handling such attacks requires adaptive techniques that can understand network behavior and classify traffic as normal or abnormal in order to detect anomalies. In this paper we demonstrate how effectively a signature-less, cost-effective IDS can detect DoS attacks in a real-time environment. To train our model we generated an IoT-specific dataset in a real-time environment. Results show that a Raspberry Pi acting as the IDS device can automatically detect DoS attacks using an artificial neural network.

I. INTRODUCTION

The proliferation of insecure IoT devices has resulted in a surge of IoT botnet attacks on Internet infrastructure. In October 2016, the Mirai botnet commanded 100,000 IoT devices (primarily CCTV cameras) to conduct a distributed denial of service (DDoS) attack against Dyn DNS infrastructure [4]. Many popular websites, including GitHub, Amazon, Netflix, Twitter, CNN, and PayPal, were rendered inaccessible for several hours. In January 2017, the Mirai source code was publicly released; DDoS attacks using Mirai-derived IoT botnets have since increased in frequency and severity [5]. This growing threat motivates the development of new techniques to identify and block attack traffic from IoT botnets. Recent anomaly detection research has shown the promise of machine learning (ML) for identifying malicious Internet traffic [6]. Yet little effort has been made to engineer ML models with features specifically geared towards IoT device networks or IoT attack traffic. Fortunately, IoT traffic is often distinct from that of other Internet-connected devices such as laptops and smartphones [7]. For example, IoT devices often communicate with a small, finite set of endpoints rather than a large variety of web servers. IoT devices are also more likely to have repetitive network traffic patterns, such as regular pings with small packets at fixed time intervals for logging purposes. Building on this observation, we develop a machine learning pipeline that performs data collection, feature extraction, and binary classification for IoT DoS traffic detection. The features are designed to capitalize on IoT-specific network behaviors while also leveraging network flow characteristics such as packet length, inter-packet intervals, and protocol.

Given the lack of public datasets of IoT attack traffic, we generate classifier training data after building a real-time IoT smart device network. We set up a local network comprising a router, some popular IoT devices producing benign traffic, and some adversarial devices performing DoS attacks. Our classifier identifies attack traffic with an accuracy higher than 0.988. The pipeline is designed to operate on network middleboxes (e.g. routers, firewalls, or network switches) to identify anomalous traffic and the corresponding devices that may be part of an ongoing DoS attack. The pipeline is flow-based and protocol-agnostic, and the state it needs is bounded by short time windows; it is therefore well suited for deployment on gateway routers or ISP-controlled switches. To our knowledge, this is the first network anomaly detection framework to focus on IoT-specific features, as well as the first to apply anomaly detection specifically to IoT smart devices at the level of a real-time local network.
II. RELATED WORKS

Petteri et al. [16] performed a requirement analysis of benchmark datasets for Network and Host Intrusion Detection Systems (NHIDS). The requirements were finalized based on the dataset features, the overall composition, and the systems used to produce the datasets. Nine datasets, from the traditional KDD Cup'99 dataset to UNSW-NB15, were reviewed. The coexistence of both host-based and network-based entities in a single dataset was rare. According to this study, the real-world network environment is difficult to replicate using test-bed datasets.

Kelton et al. [17] reviewed various machine learning techniques suitable for intrusion detection in IoT environments. Recent research on IoT security was analyzed with particular attention to intrusion detection systems using machine learning approaches. The review highlighted the protocols, the intelligent techniques such as machine learning, and the precision obtained in recent works, and closed with the research challenges and future directions for IoT security.

Ganesh et al. [18] proposed an ANN based intrusion detection system that uses fewer features. Important features of the KDD Cup'99 dataset were selected with a Mutual Information based feature selection method. Mutual Information with an ANN was compared with a Support Vector approach with an ANN; the Mutual Information approach outperformed it, with no false positives and a lower false-negative rate. Although the method has many advantages, it requires more computation, in terms of the number of epochs, to reach that accuracy.

Mohammad et al. [19] assessed the challenges of IoT security by considering various machine learning techniques in smart cities. A taxonomy of machine learning algorithms and the issues and challenges in the data analytics of these algorithms were also discussed. They suggested machine learning algorithms such as ANN that are useful for IoT security and fraud detection.

Alex et al. [20] proposed an IDS that analyzes data packets to detect malicious shellcode. In their work, the byte-level data retrieved from the nodes' transmissions was converted to integer values and fed into an ANN. Their best classifier identified 100% of the malicious file contents in the test set, which makes this ANN model useful for anomaly detection.

III. ARTIFICIAL NEURAL NETWORKS

An Artificial Neural Network (ANN) is a set of processing units, called neurons, interconnected according to a specified topology. It has the ability to learn by example and to generalize from limited, noisy and incomplete data, and has been successfully employed in a broad spectrum of data-intensive applications [10-11]. A neural network consists of an input layer, a number of hidden layers and an output layer, each layer containing a number of neurons. Information enters the network through the input layer, is processed in the hidden layers, and the result is retrieved at the output layer. A typical neural network model with one hidden layer is shown in Fig.1.

Fig.1. Neural Network Model

A single neuron in this network has n inputs, each associated with a weight; x0 is the bias input, which is added to the input of the activation function. Let x1, x2, x3, …, xn be the inputs to a neuron, w1, w2, w3, …, wn the corresponding weights and b the bias; the output a of the neuron is calculated using equation (1), where f is the activation function that produces the output of the layer, which is fed as input to the next layer [12]. An ANN is made up of nodes and corresponding weights, which typically have to be learned from the given patterns. Learning can be supervised or unsupervised. In supervised learning the output is labelled, so the network has a known expected answer; the back-propagation algorithm and the Multilayer Perceptron (MLP) belong to this category [13]. In unsupervised learning the network analyses the input patterns and extracts features from the characteristics of the given input; the Self-Organizing Map is an example of unsupervised learning [14].
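Equation (1) is not reproduced in this copy of the paper. As an added worked equation (not the paper's own), the standard form of a single neuron's output, written with the symbols defined above, is

$$a = f\left(\sum_{i=1}^{n} w_i x_i + b\right), \qquad f(z) = \frac{1}{1 + e^{-z}},$$

where the sigmoid f is one common choice of activation function (an assumption here; the paper does not state which activation it used). The bias input x0 mentioned above is the same quantity written as a constant input x0 = 1 with weight w0 = b, so that the sum can equivalently run from i = 0 to n with no separate bias term.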
Multilayer Perceptron

The Multilayer Perceptron (MLP) is the most widely used neural network model. It is a supervised learning technique that uses historical data as input to generate a labeled output. In an MLP, a set of inputs and their corresponding outputs are used in training to learn the relationship between them. In the training phase, parameters such as the weights and biases are adjusted so that the error is minimized. The trained MLP model is then used in the testing phase to classify the test dataset.

The MLP is a feed-forward neural network trained with a forward and a backward pass. In the forward pass the signal flows from the input layer through the hidden layers to the output layer. The result of the output layer is compared against the labels and the error is calculated. To minimize the error, the weights and biases are adjusted in the backward pass. The error is reduced in every iteration until the output is close to the desired output. Determining the optimal number of hidden layers and the number of hidden units in each layer is a challenging issue; the number of hidden units is harder to determine than the number of hidden layers. In practice the number of hidden units suitable for the MLP is assigned empirically [15].

IV. ANOMALY DETECTION PIPELINE

In this section we present an Artificial Neural Network based DoS detection framework for IoT network traffic. Our anomaly detection pipeline has four steps.

1) Traffic Capture: The capture process sniffs the time, duration, source and destination IP address, protocol, length and flags of all IP packets sent by the smart devices, together with the DoS attack traffic generated from Kali Linux.

2) Data Preprocessing: To prepare the dataset for training and testing the neural network, the raw data was processed: features were extracted and engineered, string values were converted to numerical values, and the values were normalized into a fixed range.

3) Training: The prepared dataset was divided into two parts, 75% for the training phase and 25% for the testing phase. During training the weights and biases are adjusted so that the error is minimized; the goal is a set of optimized weights obtained by stochastic gradient descent. The back-propagation algorithm was used to obtain the optimized model.

4) Model Evaluation: After training comes testing the trained model and evaluating it for improvement. Several things were tried to improve the model: the size of the dataset was increased, the associated parameters were tuned, and different suitable activation functions were tried. After trying different techniques, we exported the optimized model for real-time deployment.

V. EXPERIMENTAL SCENARIO

A. Experimental Setup

We set up an experimental IoT smart device network to collect realistic normal and malicious IoT device traffic (Fig. 1b). We configured a Raspberry Pi 4 as a WiFi access point, from the Linux terminal, to act as the middlebox. We then connected an M5Stack camera, a weather station module built around a DHT11 sensor, and a home automation module to the Raspberry Pi's WiFi network. To collect normal traffic we interacted with all three IoT devices for 10 minutes and recorded pcap files logging every packet sent during that period. We performed many interactions that occur during regular smart device use, including streaming video from the M5 camera, turning the home automation lights on and off, and collecting temperature and humidity measurements from the DHT11 sensor in the weather station. We then filtered all non-IoT traffic out of the pcap recordings, including background traffic from the Android phone.

Collecting DoS traffic was more challenging. To avoid the security risks and complexity of running the real Mirai botnet code, we simulated the three most common classes of DoS attack that a Mirai-infected device runs: a TCP SYN flood, a UDP flood, and an ICMP flood. We used a Kali Linux virtual machine running on a laptop as the DoS source and one of the smart devices as the DoS victim, and connected both via WiFi to our Raspberry Pi 4 access point. The DoS source then targeted the victim's IP address with each class of DoS attack for approximately 1.5 minutes each, and the access point recorded PCAPs of the attack traffic using Wireshark. The TCP SYN flood, UDP flood and ICMP flood were generated with Kali Linux's hping3 utility [21]. We then combined the DoS traffic with the normal traffic, spoofing source IP addresses, MAC addresses and packet send times to make it appear as if the IoT devices produced normal traffic and conducted DoS attacks simultaneously. Each of the three IoT devices appeared to execute each of the three DoS attack classes once within the 10-minute interval. The attacks occurred in a random order, each for a random duration drawn uniformly from 90 to 110 seconds, so we collected roughly 300 seconds (5 minutes) of attack traffic per device; the distribution of attacks between devices was independent. This process produced a dataset of 491,855 packets, comprising 459,565 malicious packets and 32,290 benign packets.

B. Feature Engineering

We explore two classes of features and analyze why they are relevant to differentiating normal from attack IoT traffic. Stateless features are derived from flow-independent characteristics of individual packets (protocol, packet length, flags). They are generated without splitting the incoming traffic stream by source IP, so they are the most lightweight. Stateful features capture how network traffic evolves over time. Generating them carries inherent overhead, because the network traffic must be split into per-device streams and each stream divided into time windows. The time windows serve as a simple time-series representation of a device's evolving network behavior. These features require aggregating statistics over the packets in a time window, so the middlebox performing classification must retain state; the amount of state can be bounded by using short (e.g. 10-second) time windows.
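The two feature classes described above, as an added example that is not part of the paper's code: it computes the per-packet stateless features and the per-device, 10-second-window stateful features over a constructed packet list (one device reporting to a single endpoint every two seconds, another emitting a bare-SYN flood of the kind hping3 produces), then applies a simple packet-rate check only to show how cleanly the windows separate. The field layout, thresholds and packet records are assumptions of the example; the paper feeds such features to the MLP rather than to a fixed threshold.

```python
"""Stateless and stateful (per-device, time-window) traffic features for IoT
DoS detection. Added example, not the paper's code; packet records are
constructed rather than captured."""
from collections import defaultdict
from statistics import mean

WINDOW_SECONDS = 10  # short window, as the paper suggests, to bound middlebox state

# Constructed packet records: (time_s, src_ip, dst_ip, proto, length, tcp_flags).
# Device .11 reports to one cloud endpoint every 2 s with small packets (benign);
# device .12 is driven to send a bare-SYN flood at the victim .11 from t = 0.5 s.
PACKETS = (
    [(2.0 * k, "10.0.0.11", "52.1.1.1", "TCP", 74, "PA") for k in range(10)]
    + [(0.5 + i * 0.001, "10.0.0.12", "10.0.0.11", "TCP", 54, "S") for i in range(2000)]
)


def stateless_features(pkt):
    """Features of one packet that need no per-source state (Section V.B)."""
    _, _, _, proto, length, flags = pkt
    return {
        "len": length,
        "is_tcp": int(proto == "TCP"),
        "is_udp": int(proto == "UDP"),
        "is_icmp": int(proto == "ICMP"),
        "syn_only": int(proto == "TCP" and flags == "S"),  # SYN without ACK: half-open attempt
    }


def stateful_features(packets, window=WINDOW_SECONDS):
    """Split traffic into per-device streams, cut each into fixed windows and
    aggregate statistics per (device, window index)."""
    buckets = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        buckets[(pkt[1], int(pkt[0] // window))].append(pkt)
    result = {}
    for key, pkts in buckets.items():
        times = [p[0] for p in pkts]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        per_pkt = [stateless_features(p) for p in pkts]
        result[key] = {
            "pkt_count": len(pkts),
            "mean_len": mean(f["len"] for f in per_pkt),
            "mean_gap": mean(gaps) if gaps else float(window),  # lone packet: treat as idle
            "unique_dst": len({p[2] for p in pkts}),
            "syn_ratio": mean(f["syn_only"] for f in per_pkt),
        }
    return result


def flag_windows(features, pps_threshold=100, window=WINDOW_SECONDS):
    """Threshold check used here only to show the separation the MLP learns:
    a device exceeding pps_threshold packets/s in a window, or sending almost
    nothing but bare SYNs, is flagged for that window."""
    return {
        key for key, f in features.items()
        if f["pkt_count"] / window > pps_threshold or f["syn_ratio"] > 0.9
    }


if __name__ == "__main__":
    feats = stateful_features(PACKETS)
    flagged = flag_windows(feats)
    for key in sorted(feats):
        print(key, feats[key], "FLAGGED" if key in flagged else "")
```

The benign device produces two windows of 5 packets with a 2-second mean gap and a single destination, while the flood device produces one window of 2,000 packets with a millisecond gap and a SYN ratio of 1.0; the state kept per device is only the running statistics of the current window.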

VI. RESULT AND OUTPUT

Fig.: Flowchart

The pre-processed dataset was fed into a Multilayer Perceptron (MLP) neural network with four layers: an input layer, two hidden layers of 10 neurons each, and an output layer. Since the MLP is a supervised learning technique it has a training phase and a testing phase; 121,306 packets from our dataset were used to test the model. The MLP classifies each packet by outputting one (1) for attack packets and zero (0) for normal packets.

Fig.: Testing phase confusion matrix

From the confusion matrix we can see that, among the 121,306 packets of the testing dataset, 31,507 packets are True Positives (TP), 460 are False Negatives (FN), 271 are False Positives (FP) and 89,068 are True Negatives (TN). From these counts the accuracy is (TP + TN) / (TP + FN + FP + TN) = 120,575 / 121,306 ≈ 99.4%. Because the two classes in the test set are not balanced, accuracy alone overstates how well the detector works; the same matrix gives a detection rate (recall) of TP / (TP + FN) = 31,507 / 31,967 ≈ 98.6% and a false positive rate of FP / (FP + TN) = 271 / 89,339 ≈ 0.30%, i.e. roughly three benign packets in a thousand would be flagged.

DoS Network Behavior:

Fig.: Normal behavior of the network in the 5th minute
Fig.: TCP DoS attack network behavior
Fig.: UDP DoS attack network behavior
Fig.: ICMP DoS attack network behavior

For the DoS PCAP files, when an attack over each protocol (TCP, UDP and ICMP) takes place, as shown in the three diagrams above, the attack packets flow through the network for more than one and a half minutes. The difference between normal and DoS behavior is that in normal behavior multiple IPs send data packets in different time frames, whereas in DoS behavior a single IP continually sends a massive amount of data within a short duration. The graphs show the behavior of the three DoS attacks: in the TCP DoS attack it can be seen clearly that most of the packets are TCP, and the same holds for the other two protocols.

VII. FUTURE WORK

• This IoT intrusion detection system can be converted into an intrusion prevention system.
• The machine learning model can be trained with different types of attack data so that it also detects or prevents them.
• To deal with more complex scenarios and with behavior analysis of massive networks, deep learning techniques can be adopted.
• A better GUI or desktop application can be developed with more features and ease of use.
• A cloud based IoT IDS/IPS can be developed so that it can be managed remotely.

VIII. CONCLUSION

In this final year project we demonstrated a new and much more effective technique to detect DoS attacks accurately. We used an Artificial Neural Network for behavior analysis of an IoT network so that it can distinguish between normal traffic from IoT smart devices and abnormal traffic from a DoS attack source. We wanted our intrusion detection system to be deployable in any real-time environment, so to train our model accordingly we developed an IoT-specific dataset from smart devices that we built ourselves: an M5Stack camera surveillance project, a weather station, and a home automation module. After extensive and repeated training, validation and testing, our model's accuracy was higher than 99% in a real-time IoT smart device network. These preliminary results motivate additional research into machine learning anomaly detection to protect networks from insecure IoT devices.
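As an added example (not the paper's code or its dataset), the training and evaluation steps of Sections III and IV carried through in pure Python: a two-hidden-layer MLP with 10 sigmoid neurons per layer, the architecture used in the results, trained by back-propagation on constructed per-window feature vectors after min-max normalization and a 75/25 split, then scored with the same TP/FN/FP/TN confusion matrix. The synthetic feature ranges, learning rate, epoch count and the sigmoid activation are assumptions of the example; the paper does not state which activation or optimizer settings it used.

```python
"""Two-hidden-layer MLP trained by back-propagation on per-window traffic
features, with min-max scaling, a 75/25 split and a confusion matrix.
Added example, not the paper's code; the feature vectors are constructed."""
import math
import random


def make_dataset(n_per_class=30, seed=1):
    """Constructed (pkt_count, mean_len, syn_ratio) per 10-s window; label 1 = DoS."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_per_class):
        # benign window: few packets, larger payloads, hardly any bare SYNs
        rows.append(([rng.uniform(2, 20), rng.uniform(60, 300), rng.uniform(0.0, 0.2)], 0))
        # DoS window: thousands of small packets, mostly bare SYNs
        rows.append(([rng.uniform(400, 3000), rng.uniform(40, 90), rng.uniform(0.6, 1.0)], 1))
    rng.shuffle(rows)
    return rows


def minmax_scale(rows):
    """Step 2 of the pipeline: bring every numeric feature into [0, 1].
    Returns the scaled rows and the scaler, so live traffic can be scaled the same way."""
    dims = len(rows[0][0])
    lo = [min(r[0][d] for r in rows) for d in range(dims)]
    hi = [max(r[0][d] for r in rows) for d in range(dims)]

    def scale(x):
        return [(x[d] - lo[d]) / ((hi[d] - lo[d]) or 1.0) for d in range(dims)]

    return [(scale(x), y) for x, y in rows], scale


def sigmoid(z):
    if z < -500:  # guard math.exp against overflow for very negative pre-activations
        return 0.0
    return 1.0 / (1.0 + math.exp(-z))


class MLP:
    """Fully connected feed-forward network, sigmoid activation in every layer."""

    def __init__(self, sizes, seed=0):
        rng = random.Random(seed)
        # one (weights, biases) pair per layer; weights[j][i] connects input i to neuron j
        self.layers = [([[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_out)],
                        [0.0] * n_out) for n_in, n_out in zip(sizes, sizes[1:])]

    def forward(self, x):
        """Forward pass; returns the activations of every layer, input first."""
        acts = [x]
        for W, b in self.layers:
            # each neuron computes a = f(sum_i w_i x_i + b), as in Section III
            x = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + bj) for row, bj in zip(W, b)]
            acts.append(x)
        return acts

    def train(self, rows, epochs=200, lr=0.5):
        """Backward pass: propagate the output error back and adjust weights and biases
        by per-sample gradient descent (log loss at the sigmoid output)."""
        for _ in range(epochs):
            for x, y in rows:
                acts = self.forward(x)
                delta = [acts[-1][0] - y]  # dLoss/dz at the output neuron
                for li in range(len(self.layers) - 1, -1, -1):
                    W, b = self.layers[li]
                    a_in = acts[li]
                    # error for the layer below, using the weights before this update
                    prev_delta = [a_in[i] * (1 - a_in[i]) * sum(W[j][i] * delta[j] for j in range(len(W)))
                                  for i in range(len(a_in))]
                    for j, row in enumerate(W):
                        for i in range(len(row)):
                            row[i] -= lr * delta[j] * a_in[i]
                        b[j] -= lr * delta[j]
                    delta = prev_delta

    def predict(self, x):
        return 1 if self.forward(x)[-1][0] >= 0.5 else 0


def confusion_matrix(model, rows):
    """Returns (TP, FN, FP, TN) with 1 = attack as the positive class."""
    tp = fn = fp = tn = 0
    for x, y in rows:
        p = model.predict(x)
        if y == 1:
            tp, fn = (tp + 1, fn) if p == 1 else (tp, fn + 1)
        else:
            tn, fp = (tn + 1, fp) if p == 0 else (tn, fp + 1)
    return tp, fn, fp, tn


def accuracy(cm):
    tp, fn, fp, tn = cm
    return (tp + tn) / (tp + fn + fp + tn)


def run_pipeline():
    """Steps 2 to 4 of Section IV end to end: scale, split 75/25, train, evaluate."""
    rows, _ = minmax_scale(make_dataset())
    split = int(len(rows) * 0.75)
    train, test = rows[:split], rows[split:]
    model = MLP([3, 10, 10, 1])  # input, two hidden layers of 10, output
    model.train(train)
    return confusion_matrix(model, test)


if __name__ == "__main__":
    cm = run_pipeline()
    print("TP, FN, FP, TN =", cm, "accuracy =", round(accuracy(cm), 4))
```

The scaler returned by `minmax_scale` must be kept with the exported model: a middlebox scoring live windows has to apply the same minimum and maximum seen during training, or the features it feeds the network will not lie in the range the weights were fitted to.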
REFERENCES

[1] (2016) Unlocking the potential of the internet of things. McKinsey & Company. [Online]. Available: http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/the-internet-of-things-the-value-of-digitizing-the-physical-world
[2] (2015) Internet of things research study. Hewlett Packard Enterprise. [Online]. Available: http://h20195.www2.hpe.com/V4/getpdf.aspx/4aa5-4759enw
[3] (2016) Internet of things (IoT) security and privacy recommendations. BITAG. [Online]. Available: https://www.bitag.org/report-internet-of-things-security-privacy-recommendations.php
[4] S. Hilton. (2016) Dyn analysis summary of Friday October 21 attack. Dyn. [Online]. Available: https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
[5] (2016) Threat advisory: Mirai botnet. Akamai. [Online]. Available: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-mirai-botnet-threat-advisory.pdf
[6] V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection: A survey," ACM Computing Surveys (CSUR), vol. 41, no. 3, art. 15, 2009.
[7] N. Apthorpe, D. Reisman, and N. Feamster, "A smart home is no castle: Privacy vulnerabilities of encrypted IoT traffic," 2016.
[8] L. Ertoz, E. Eilertson, A. Lazarevic, P.-N. Tan, V. Kumar, J. Srivastava, and P. Dokas, "MINDS: Minnesota intrusion detection system," in Data Mining: Next Generation Challenges and Future Directions, 2004.
[9] E. Eskin, W. Lee, and W. Stolfo, "Modeling system calls for intrusion detection using dynamic window sizes," 2001.
[10] M. Qin and K. Hwang, "Frequent episode rules for internet anomaly detection," 2004.
[11] D. Barbará, J. Couto, S. Jajodia, and N. Wu, "ADAM: A testbed for exploring the use of data mining in intrusion detection," SIGMOD Record, vol. 30, no. 4, 2001.
[12] J. Bigham, D. Gamez, and N. Lu, "Safeguarding SCADA systems with anomaly detection," in Computer Network Security, V. Gorodetsky, L. Popyack, and V. Skormin, Eds. Berlin, Heidelberg: Springer, 2003, pp. 171–182.
[13] S. N. Shirazi, A. Gouglidis, K. N. Syeda, S. Simpson, A. Mauthe, I. M. Stephanakis, and D. Hutchison, "Evaluation of anomaly detection techniques for SCADA communication resilience," in 2016 Resilience Week (RWS), Aug. 2016, pp. 140–145.
[14] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A. Sadeghi, and S. Tarkoma, "IoT Sentinel: Automated device-type identification for security enforcement in IoT," CoRR, vol. abs/1611.04880, 2016. [Online]. Available: http://arxiv.org/abs/1611.04880
[15] A. Sivanathan, D. Sherratt, H. H. Gharakheili, and A. V. Vijay Sivaraman, "Low-cost flow-based security solutions for smart-home IoT devices," 2016.
[16] S. Hao, N. A. Syed, N. Feamster, A. G. Gray, and S. Krasser, "Detecting spammers with SNARE: Spatio-temporal network-level automatic reputation engine," in USENIX Security Symposium, vol. 9, 2009.
[17] (2017) Yi home camera. [Online]. Available: https://www.yitechnology.com/yi-home-camera
[18] (2017) Wemo insight smart plug. [Online]. Available: http://www.belkin.com/us/F7C029-Belkin/p/P-F7C029/
[19] (2017) Wireless blood pressure monitor. [Online]. Available: https://health.nokia.com/us/en/blood-pressure-monitor
[20] (2017) GoldenEye code repository. [Online]. Available: https://github.com/jseidl/GoldenEye
[21] (2017) hping3 package description. [Online]. Available: http://tools.kali.org/information-gathering/hping3
[22] (2017) Scikit-learn: Machine learning in Python. [Online]. Available: http://scikit-learn.org/stable/
[23] F. Chollet et al., "Keras," https://github.com/fchollet/keras, 2015.
[24] N. Apthorpe, D. Reisman, and N. Feamster, "Closing the blinds: Four strategies for protecting smart home privacy from network observers," Workshop on Technology and Consumer Protection (ConPro), 2017.
