Deep Learning Based Intrusion Detection System of IoT Technology: Accuracy Versus Computational Complexity

One of the most popular terms in information technology is IoT. The IoT will turn physical objects into intelligent virtual objects in the future. Many of the things we see around us will be connected to the internet in one way or another under the IoT paradigm [1]. Thanks to this technology, billions of intelligent devices, also referred to as things can gather a wide range of data about themselves and/or their surroundings via a variety of sensors. After that, they can share this information with authorized parties for a variety of uses, like bettering commercial services or operations or managing and monitoring industrial facilities [2]. Threats to the IoT are growing daily as it becomes more widespread. There are billions of appliances on the Internet right now. Attackers will use the IoT as a target to carry out harmful activities and increase the attack surface of IoT networks through exponential growth [3]. Since many businesses lost physical space as a result of cyberattacks, the damage they caused increased. A sophisticated instrument is needed to identify malicious activity in IoT devices' smart architecture [4]. Multiple devices connected to the internet pose a serious security risk [5]. Because certain data transferred across the IoT system is not secure, harmful attacks can occur [6]. Many studies are being conducted to enhance IoT security to create a reliable and secure network [5]. The three basic principles of secrecy, integrity, honesty, and authenticity should be adhered to when creating solutions. It is crucial to develop various security methods for IoT, such as IDS. Network-based and host-based are the two main categories of intrusion detection systems [7]. The enormous amount of traffic data is one of the main barriers to IDS real-time performance on high-speed networks. Conventional intrusion detection systems find it challenging to monitor traffic data quickly because they often focus on enhancing detection performance rather than paying enough attention to timeliness. Attackers now have a window of opportunity. Access to IDS solutions is also essential for processing traffic data in real time [8]. In time series data processing, a Recurrent Neural Network (RNN) is frequently employed as an advanced deep learning model. An RNN's benefit is its capacity to connect past and current data [9]. Specifically, one kind of RNN that can learn from long dependencies is the Long Short-Term Memory (LSTM) network [10]. It resolves the vanishing gradient issue that arises when training standard RNNs [11]. To improve LSTM-based intrusion detection effectiveness, an optimization algorithm like GS is used to choose the best model parameters. This paper proposed an IDS to detect intrusions in IoT systems as illustrated in Figure 1. The performance metrics are the accuracy and classification time. This paper's primary contributions consist of:

-Three RNN detection models are assessed individually including LSTM, Bi-LSTM, GRU, and GRU-based attention mechanism. The goal is to deploy a low classification time algorithm at the highest accuracy.

-The ToN-IoT dataset is more impressive and highly accurate which is utilized in this study, rather than most used datasets like UNSW-NB15 and Edge-IIoT, which have been used in previous studies.

-Model hyperparameters are optimized by using the Grid Search optimization technique. Here the number of hidden units for each layer is optimized, which leads to minimizing complexity and classification time.

picture1.png

Figure 1. Block diagram for IDS

The rest of the paper is arranged as follows. The second section explores work related to the suggested approach. The third section provides the suggested IDS structure for the IoT system. The fourth section defines the ToN_IoT dataset. Section 5 defines the evaluation metrics for model performance. Section 6 discusses the analysis and outcomes of the proposal. In the last section, we provide future direction as we conclude our study.

The goal of this effort is to develop an effective deep learning method to address the issue of cyberattacks in Internet of Things networks. The selection of LSTM, BI-LSTM, GRU, and GRU-based self-attention mechanisms for the IDS was based on their ability to handle sequential data, lightweight models, less complex compared to CNN, more accurate, and it was used in other applications and was of high accuracy. The choice of LSTM was made because of its capacity to recognize long-term dependencies in network traffic, which is an essential component for spotting temporal patterns in intrusion detection. While Bi-LSTM model utilizes data from both past and future sequences to enhance detection accuracy by considering the entire context of network behaviors. Switching to GRU provides a computationally cost-effective alternative to LSTM, which makes it suitable for resource-constrained IoT devices while maintaining effective pattern recognition. It was simpler for the model to concentrate on the most crucial elements of the input sequence when self-attention mechanisms based on GRU were added. By including self-attention, the model can decide to focus on important segments of the network flow, enhancing detection performance. The whole framework of the suggested method is shown in Figure 2. The following subsections contain the design's specifics.

2.png

Figure 2. The entire flowchart of the proposed approach

3.1 The concepts of LSTM

One of the most significant varieties of RNN that can learn from lengthy dependencies is Long Short-Term Memory (LSTM). A typical recurrent cell cannot learn as well as an LSTM cell. In particular, LSTMs are used to preserve long-term data sequences using a memory cell structure [26]. The memory cell, also known as the cell state, is the basic building block of the LSTM. It uses gate activation functions to control the flow of data into, through, and out of the network [27]. As shown in Figure 3, the memory cell has three gates: input, forget, and output gates.

3.png

Figure 3. The architecture of standard LSTM [27]

The forget gate decides which data in the cell state can be removed. When the value is 0, this information is destroyed; however, when the forget gate, ft, equals 1, it is retained. The input gate controls which fresh information can be added to the cell state. Based on the state of the cell, the output gate controls the data that can be output [28]. The mathematical expressions for an LSTM cell are as follows.

3.1.1 Forget gate

It outlines which data from the prior cell state should be removed and which should be retained. Information flow from the preceding cell state is controlled by it. The following equations define it:

$ft=\sigma \left( Wf\left[ ht-1,Xt \right]+bf \right)$    (1)

where, ft represents the output of the Foregate gate, $\sigma$ is the sigmoid function, Wf and ht−1 denote the related weight matrices for the foregate gate, bf is the bias and Xt refers the input to the current timestamp.

3.1.2 Input gate

It controls how much new data enters the LSTM cell.

$It=\sigma \left( Wi\left[ ht-1,Xt \right]+bi \right)$    (2)

$C=\tanh \left( Wc\left[ ht-1,Xt \right]+bc \right)$    (3)

where, $W i$ and $W i$ are wights of the input layer, $b i$, and $b c$ are the bias terms for the input gate and the tanh represents the activation function.

$Ct=ft*Ct-1+it*C$     (4)

where, it is the output of the input gate, $C$ is the cell state, $C t-1$ is the previous cell state and $C t$ represents the current cell state.

3.1.3 Output gate

It controls the flow of data from the modified cell state to the model's output. It is defined by the following equations.

$Ot=\sigma \left( Wo\left[ ht-1,Xt \right]+bo \right)$   (5)

$Ht=Ot*\tanh \left( Ct \right)$   (6)

where, $O t$ is the output vector, $W o$ is the weight of the output gate, bo is the bias, and $\sigma$ is the sigmoid activation function. The proposed structure is outlined in Figure 4.

4.png

Figure 4. The LSTM's proposed structure

3.2 Bi-Directional LSTM

The LSTM model is the basis for the BiLSTM sequence processing model. One of its two LSTMs processes information in a forward direction, while the other does the opposite. The input layer, forward transmission layer, reverse transmission layer, and output layer are the four layers that comprise the BiLSTM. One of the most significant advantages of BiLSTM, which has been designed for speech and handwriting recognition, is that its input sequence is based on previous and upcoming sequences. BiLSTM effectively improves the context provided for the algorithm by increasing the quantity of network information available. It was discovered that, despite its high cost, training the data with BiLSTM models yields more accurate predictions than LSTM models in the normal mode [10]. The performance of the network is harmed by the absence of crucial information since the gates of the LSTM cells mentioned above are not directly connected to the cell state. Gers and Schmidhuber [29] enhanced the LSTM cell by adding a peephole connection to address this issue. The following are the equations for the mathematical expressions:

$ft=\sigma \left( Wfhht-1+Wfxxt+Pf\cdot ct-1+bf \right)$   (7)

         $it=\sigma \left( Wihht-1+Wixxt+Pi\cdot ct-1+bi \right)$   (8)

$\begin{gathered}c t=f t \cdot c t-1 +i t \cdot \tanh (W c h h t-1+W c x x t+b c)\end{gathered}$   (9)

$ot=\sigma \left( Wohht-1+Woxxt+Po\cdot ct+bo \right)$  (10)

$ht=ot\cdot \tanh \left( ct \right)$ (11)

When an LSTM has a peephole connection, it can examine its internal states and acquire precise and reliable timing algorithms without the need for external guidance from its trainer [30]. The BiLSTM represents an upgraded form of the LSTM that operates in two directions to enhance feature extraction abilities as demonstrated in Figure 5.

$\overrightarrow{ht}=LSTM(xt,\overrightarrow{ht}-1)$      (12)

$\overleftarrow{h t}=\operatorname{LSTM}(x t, \overleftarrow{h t}-1)$   (13)

5.png

Figure 5. The proposed Bi-LSTM configuration

3.3 GRU

GRU has a forget gate and is an LSTM variant. To cut down on the number of parameters and training time, the GRU cell integrates the LSTM's forget and input gates as an update gate. Consequently, by reducing the additional parameters. It reduces the computational load. The GRU cell only has two gates: a reset gate and an update gate. The GRU cell's mathematical formulas are as follows: Eq. (14) and Eq. (15) compute the reset gate (rt) and update gate (zt) [31]:

$rt=\sigma \left( Wrhht-1+Wrxxt+br \right)$   (14)

In Eq. (14) the reset gate establishes the appropriate weight to be assigned to previously collected data.

$zt=\sigma \left( Wzhht-1+Wzxxt+bz \right)$  (15)

The update gate in Eq. (15) regulates how much the unit updates its activation or data from the previous step (ht-1) and is sent to the next cell. Where xt is the input vector, Wr, Wz, Wh, Ur, and U refer to weight matrices, br and bz stand for the bias.

6.png

Figure 6. The proposed GRU structure

$ht=\tanh \left( Whh\left( rt\cdot ht-1 \right)+Whxxt+bz \right)$    (16)

$htt=\left( 1-zt \right)\cdot ht-1+zt\cdot ht$  (17)

In Eq. (16) and Eq. (17), ht is the output vector and htt is the candidate output. The other symbols are the same as before. The proposed structure is shown in Figure 6.

3.4 GRU based-attention mechanism

We propose a three-layer GRU architecture with a self-attention mechanism as shown in Figure 7 that is a type of attention mechanism applied to the preprocessing dataset to focus on the most impact feature. Human behavior serves as an inspiration for the creation of the attention mechanism. To some degree, human attention is demonstrated when people concentrate primarily on specific local areas of a picture or words in a sentence. The attention mechanism helps to make the most of a few resources. The interconnected elements of the content are then extracted over long distances using the self-attention technique. By applying the self-attention technique, the suggested model may focus more on the crucial elements of network intrusion in the ToN-IoT dataset. This process may have an impact on the internal components of the source or the target. Therefore, during the training phase, the self-attention mechanism computation can improve the effectiveness of the learning characteristics [32].

7.png

Figure 7. The proposed block diagram of the self-attention-GRU hybrid model

Furthermore, any two pieces of the relevant text can be instantly connected by self-attention through a calculating phase in the calculation process. The significantly shorter distance between them makes it easier to use the long-distance dependent characteristics effectively. The formula for calculating the output result of self-attention is as follows:

$Pt=\tanh \left( W\cdot ht \right)$    (18)

where, Eq. (5), ht acquires the output Pt. Comparing Pt in Eq. (18) yields the allocation coefficient with a trainable parameter matrix Q.

         $\alpha t,i=\frac{\exp \left( score\left( Pt,Q \right) \right)}{\mathop{\sum }_{t=1}^{T}exp\left( score\left( Pt,Q \right) \right)}$   (19)

Ultimately, the concentrated vector S is achieved, as demonstrated by Eq. (20).

$S=\underset{t=1}{\overset{T}{\mathop \sum }}\,at.ht$     (20)

3.5 GS optimization algorithm

GS is the traditional method for optimizing hyperparameters. It consists of doing an exhaustive search over a specific area of the training algorithm's hyperparameter space. Before we can conduct a grid search, we must define a boundary because the parameter space of the machine-learning approach includes spaces with actual or infinite values for some parameters [33]. GS algorithm has been used to optimize the number of hidden units. The algorithm steps are outlined in Figure 8.

8.png

Figure 8. Flowchart of GS for proposed mode

The effectiveness of different models is assessed using a range of indicators, including the classification time. The following definitions apply to the evaluation criteria used.

5.1 Confusion matrix

The performance of a classification model when applied to a set of data whose actual values are known is displayed in a table known as the confusion matrix. Commonly used terms include False Positives (FP), False Negatives (FN), True Positives (TP), and True Negatives (TN). In Table 3, the matrix can be found.

Table 3. Confusion matrix

5.2 Accuracy

The proportion of accurately anticipated cases to all instances.

$Accuracy=\frac{TP+TN}{TP+TN+FP+FN}$  (21)

5.3 Precision

The percentage of accurately predicted positive observations compared to all anticipated positives.

$Precision=\frac{TP}{TP+FP}$   (22)

5.4 Recall

The percentage of accurately predicted positive instances to all observations conducted during the actual class.

$Recall=\frac{TP}{TP+FN}$    (23)

5.5 F1-score

The precision and recall weighted average are called the F1-score.

$F1-Score=2\times \frac{Precision~\times ~Recall}{Precision~\times ~Recall}$      (24)