Two-Stage Protection Strategy for IoT Intrusion Detection System


Creative Commons License

Özdoğan E.

6th International İstanbul Contemporary Scientific Research Congress, İstanbul, Türkiye, 5 - 7 July 2024, pp. 466-468 (Abstract)

  • Publication Type: Conference paper / Abstract
  • City of Publication: İstanbul
  • Country of Publication: Türkiye
  • Pages: pp. 466-468
  • Open Archive Collection: AVESİS Open Access Collection
  • Gazi University Affiliated: Yes

Abstract

The Internet of Things (IoT) faces growing security concerns. The security of IoT devices and the data they collect has become significantly important as these devices are increasingly used in applications involving sensitive data, critical infrastructure, and personal safety. This need highlights the importance of robust security measures capable of protecting IoT devices and their users against evolving threats. Because IoT networks are inherently susceptible to many types of attack, including planned and structured campaigns by threat actors, classifying attacks correctly, improving defense mechanisms, and prioritizing threats in order to develop appropriate countermeasures have become crucial. Machine learning plays a vital role in IoT security by helping to detect and mitigate security threats in real time. Machine-learning-supported IDSs can analyze the large volumes of data generated by IoT devices and identify patterns and anomalies that may indicate a security breach.

The datasets used in studies on detecting IoT attacks are mostly not specific to IoT and therefore may not accurately reflect the true nature of IoT traffic. Additionally, some studies ignore the staged nature of attacks and treat all attacks as a single category even though each attack has a different character. To address this, we developed a staged approach based on the Cyber Kill Chain methodology in our proposed model and tested it using datasets specific to IoT environments.

The proposed model is structured as a two-stage model supported by machine learning algorithms and aims to enhance the overall security of IoT networks. The model first detects reconnaissance attacks and then classifies the remaining traffic into attack types. Early detection of reconnaissance enables timely measures that minimize its harmful effects, so detecting reconnaissance attacks before classifying other attack types is a critical step. The proposed model is configured to reflect the layered defense approach commonly used in cybersecurity and is evaluated on widely used IoT datasets.


The proposed IDS model consists of two stages. In the first stage, XGBoost, used as a binary classifier, detects reconnaissance attacks. In the second stage, an Artificial Neural Network (ANN) performs multiclass classification to identify the various attack types. For training, the UNSW-NB15 dataset, containing IoT-specific network traffic characteristics, was used; for testing, the IoT-specific datasets BoT-IoT and IoT-ID20 were used. After preprocessing, including feature extraction, categorical data encoding, and normalization, the two-stage model was trained on the preprocessed data. The XGBoost binary classifier in the first stage ensures rapid detection of reconnaissance attacks. In the second stage, an ANN consisting of an input layer, two hidden layers, and an output layer was trained to classify the other attacks. Model performance was evaluated using accuracy, sensitivity, F1-score, and the ROC curve.
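The cascade described above, written out as an added example that is not the paper's code: stage 1 is a binary reconnaissance detector, stage 2 a multiclass attack classifier that is trained on, and only ever sees, flows stage 1 passed. Nearest-centroid models are assumed stand-ins for the paper's XGBoost and ANN so the script runs offline with the standard library; the feature layout (distinct destination ports, packet count, mean packet bytes, duration) and every flow record are constructed for this example, not taken from UNSW-NB15 or BoT-IoT. It also implements the accuracy, sensitivity, specificity, precision and F1 definitions used in the results, and shows the one failure mode a cascade has by construction: a reconnaissance flow that stage 1 misses (here a slow, low-volume scan) is handed to a stage that has no "reconnaissance" class, so the stage-1 false negative becomes a guaranteed end-to-end error.

```python
"""Two-stage IDS cascade: stage 1 flags reconnaissance (binary), stage 2
labels only the flows stage 1 passed (multiclass). Nearest-centroid models
stand in for the paper's XGBoost and ANN so this runs with the standard
library alone; every flow record here is constructed, not a dataset sample."""
import math
from collections import defaultdict

RECON = "reconnaissance"  # stage-1 positive class
# Assumed feature order (this example's choice, not the paper's features):
# [distinct destination ports, packet count, mean packet bytes, duration s]

def zscore_params(rows):
    """Per-feature mean and population std: the normalization step."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0
            for j in range(d)]  # constant feature: std 1.0 avoids /0
    return means, stds

def normalize(row, means, stds):
    return [(x - m) / s for x, m, s in zip(row, means, stds)]

class NearestCentroid:
    """Minimal trainable classifier (stand-in for XGBoost / the ANN)."""

    def fit(self, X, y):
        self.means, self.stds = zscore_params(X)
        groups = defaultdict(list)
        for row, label in zip(X, y):
            groups[label].append(normalize(row, self.means, self.stds))
        self.centroids = {lab: [sum(c) / len(rs) for c in zip(*rs)]
                          for lab, rs in groups.items()}
        return self

    def predict(self, row):
        z = normalize(row, self.means, self.stds)
        return min(self.centroids, key=lambda lab: sum(
            (a - b) ** 2 for a, b in zip(z, self.centroids[lab])))

class TwoStageIDS:
    def __init__(self):
        self.stage1 = NearestCentroid()  # recon vs. everything else
        self.stage2 = NearestCentroid()  # attack type for non-recon flows

    def fit(self, X, y):
        self.stage1.fit(X, [lab == RECON for lab in y])
        # Stage 2 only ever sees non-recon flows, so it has no recon class.
        rest = [(r, lab) for r, lab in zip(X, y) if lab != RECON]
        self.stage2.fit([r for r, _ in rest], [lab for _, lab in rest])
        return self

    def predict(self, row):
        return RECON if self.stage1.predict(row) else self.stage2.predict(row)

def binary_metrics(y_true, y_pred, positive):
    """Accuracy, sensitivity (= recall), specificity, precision, F1."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    tn = len(y_true) - tp - fp - fn

    def div(a, b):
        return a / b if b else 0.0
    prec, sens = div(tp, tp + fp), div(tp, tp + fn)
    return {"accuracy": div(tp + tn, len(y_true)), "sensitivity": sens,
            "specificity": div(tn, tn + fp), "precision": prec,
            "f1": div(2 * prec * sens, prec + sens)}

# Constructed training flows: recon touches many ports with small packets,
# "dos" is a packet flood, "theft" is a long, high-volume transfer.
FLOWS = {
    "normal": [[1, 18, 480, 4.5], [1, 22, 510, 5.2], [1, 20, 500, 5.0]],
    RECON: [[198, 198, 60, 2.1], [205, 205, 62, 1.9], [200, 200, 60, 2.0]],
    "dos": [[1, 4900, 60, 9.8], [1, 5100, 58, 10.1], [1, 5000, 60, 10.0]],
    "theft": [[1, 290, 1380, 58], [1, 310, 1420, 62], [1, 300, 1400, 60]],
}
TRAIN = [(r, lab) for lab, rows in FLOWS.items() for r in rows]
TEST = [([1, 19, 495, 4.8], "normal"), ([1, 21, 505, 5.1], "normal"),
        ([190, 190, 61, 2.2], RECON), ([210, 210, 59, 1.8], RECON),
        ([12, 24, 60, 30.0], RECON),  # slow, low-volume scan: looks benign
        ([1, 4950, 61, 9.9], "dos"), ([1, 5050, 59, 10.2], "dos"),
        ([1, 295, 1390, 59], "theft"), ([1, 305, 1410, 61], "theft")]

def evaluate():
    ids = TwoStageIDS().fit([r for r, _ in TRAIN], [lab for _, lab in TRAIN])
    y_true = [lab for _, lab in TEST]
    y_pred = [ids.predict(r) for r, _ in TEST]
    stage1 = binary_metrics([t == RECON for t in y_true],
                            [p == RECON for p in y_pred], True)
    # A recon flow that stage 1 passes is labelled by stage 2, which has no
    # recon class: each stage-1 false negative is a guaranteed final error.
    propagated = sum(t == RECON and p != RECON for t, p in zip(y_true, y_pred))
    correct = sum(t == p for t, p in zip(y_true, y_pred))
    return {"stage1": stage1, "end_to_end_accuracy": correct / len(TEST),
            "stage1_misses_propagated": propagated,
            "predictions": list(zip(y_true, y_pred))}

if __name__ == "__main__":
    print(evaluate())
```

Running it shows stage 1 with perfect specificity and precision but a sensitivity of 2/3, and an end-to-end accuracy of 8/9: the single miss is the slow scan, which stage 2 can only map to one of its non-reconnaissance classes. This is why stage-1 recall, not just its accuracy, is the number to watch in a design like this, and why a balanced reconnaissance set that includes slow and low-volume scans matters when the first stage is trained.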


In the first stage, detection of reconnaissance attacks was evaluated as binary classification on the UNSW-NB15 dataset. The model achieved an accuracy of 98.99%, a sensitivity of 99.15%, and a specificity of 94.47%; precision and recall were 99.80% and 99.14%, respectively. When the same model was evaluated for reconnaissance detection on the BoT-IoT dataset, it reached an accuracy of 99.98% and a precision of 99.98%, with a sensitivity of 99.14%. In the second stage, attack classification, an accuracy of 96.97% was obtained on UNSW-NB15, and 99.99% on the BoT-IoT dataset. These values indicate that the XGBoost + ANN model is capable of detecting attacks to a large extent.

In the two-stage hybrid model we developed, we first focused on reconnaissance attacks, since they are the precursor to other attacks, and tried to detect them in the first stage. We expect that detecting and preventing reconnaissance will reduce the occurrence of the attacks that follow it. In the second stage, we detected the other attacks and tried to classify each one correctly; thus, beyond blocking attacks, a different response requiring different actions can be applied to each attack class. The multiclass classification in the second stage was not as successful as the binary classification in the first stage, but it still achieved high attack detection performance. Further research can be conducted to achieve higher accuracy in the classification of each attack. In this study, classification was performed on imbalanced IoT datasets; it would be useful to investigate the results on different balanced datasets. Additionally, training time was not included among the performance metrics, and research on training times can be carried out on different hardware platforms.