- Email: [email protected]
Intrusion detection in Edge-of-Things computing
Journal Pre-proof Intrusion Detection in Edge-of-Things computing Ahmad S. Almogren
PII: DOI: Reference:
S0743-7315(19)30872-X https://doi.org/10.1016/j.jpdc.2019.12.008 YJPDC 4166
To appear in:
J. Parallel Distrib. Comput.
Received date : 8 September 2019 Revised date : 24 November 2019 Accepted date : 9 December 2019 Please cite this article as: A.S. Almogren, Intrusion Detection in Edge-of-Things computing, Journal of Parallel and Distributed Computing (2019), doi: https://doi.org/10.1016/j.jpdc.2019.12.008. This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
© 2019 Elsevier Inc. All rights reserved.
Journal Pre-proof *Highlights (for review)
Highlights
* A review of existing Intrusion detection in Edge-of-Things computing environment is presented
pro of
* Compare various deep learning based IDS system for EoT platform * Designed a hybrid deep learning based IDS system for Edge-of-things platform
Jo
urn a
lP
re-
* The proposed method outperforms other existing works in terms of accuracy and prediction
Journal Pre-proof *Manuscript Click here to view linked References
Intrusion Detection in Edge-of-Things Computing Ahmad S. Almogren
pro of
Research Chair of Cyber Security and Department of Computer Science College of Computer and Information Sciences King Saud University, Riyadh 11633, Saudi Arabia Email: [email protected]
Abstract— Edge-of-Things (EoT) is a new evolving computing model driven by the Internet of Things (IoT). It enables data processing, storage, and service to be shifted from the Cloud to nearby Edge devices/systems such as smartphones, routers, and base stations on the IoT paradigm. However, this architectural shift causes the security and privacy issues to migrate to the different layers of the Edge architecture. Therefore, detecting intrusion in such a distributed environment is difficult. In this scenario, an Intrusion Detection Systems is necessary. Here, we propose
re-
an approach to quickly and accurately detect intrusive activities in the EoT network, to realize the full potential of the IoT. Specifically, we propose a deep belief network (DBN) based on an advanced intrusion detection approach. We studied different detection models, by using different structures of DBNs, and compared them with exiting detection techniques. Test results show that the proposed methodology performs essentially superior to the current
lP
state-of-the-art approaches.
Index Terms— Deep learning, Deep belief network, Edge computing, Intrusion detection, Internet-of-Things
urn a
I. INTRODUCTION
Recently, massive adoption of Internet-of-Things (IoT) solutions, as well as high performance demands of modern end-user applications, make it hard for the current Cloud model to respond to new needs. The Cloud model offers powerful networked and remote computing resources, such as computing and storage resources available to users, thus allowing users not to spend on planning, purchasing, and keeping up these resources [1]. However, right now the Cloud is confronting expanding trouble, to deal with information that the IoT and other related applications create. As billions of already detached gadgets are presently creating multiple exabytes of information every day, the Cloud is trying to guarantee low inertness and system transfer speed utilization, ideal use of computational
Jo
recourses, and versatile and vital productivity of IoT gadgets, while moving all information to the Cloud. To adapt to these difficulties an ongoing pattern is to convey an Edge computing framework, between IoT frameworks and Cloud systems [2]. This new worldview, named as Edge-of-Things (EoT) computing, permits information processing, stockpiling, and administration supply to be moved from the Cloud to nearby Edge gadgets, for instance -- advanced mobile phones, savvy doors or switches, and neighborhood PCs that can offer figuring and capacity abilities on a smaller scale, continuously. The EoT pushes information stockpiling, registering, and controls nearer to the IoT information source(s), and thus empowers another assortment of utilizations and administrations such as gaming, expanded reality, and ongoing video stream handling.
1
Journal Pre-proof
Since the Edge computing system brings the commonplace administrations, offered by Cloud computing, nearer to the end-client, a large portion of its security and protection issues are acquired directly from the Cloud. Specifically, various security and privacy issues from the Cloud are now moved to the different layers of the Edge architecture [3,
pro of
4]. Therefore, detecting intrusion in such a distributed edge-cloud environment is challenging. One of the best strategies to tackle this problem is the insertion of an Intrusion Detection System (IDS), to screen and break down the system traffic and the device behavior, in the edge-cloud platform [5-7]
IDSs are developed to identify malicious activity or attacks that may originate from the web, or a nearby system, and harm the systems in the network [8]. The primary reason for any IDS is to identify assaults/attacks and to avoid that assault if possible. For any IDS the primary prerequisite is the precision or accuracy of the system to identify assaults or attacks. There are many artificial intelligence and machine learning strategies utilized for IDS, such as decision trees, clustering methods, association rule mining, and support vector machines (SVMs) [9].
re-
Notwithstanding, the vast majority of these machine learning (ML) techniques, with shallow structures, are not suited to detecting malicious activity or intrusion. In the Edge computing scenario, the problem is not the same as in the general networking case. Because the Edge computing works in a distributed manner, much noisy data are
lP
available, and it is difficult to detect attacks from these data with the traditional ML algorithm [10-14].
Recently deep learning algorithms are being used in various intrusion detection systems to improve performance [15-27]. In [15] the authors proposed a deep learning approach for intrusion detection using Recurrent Neural Networks (RNNs). RNNs help in improving the accuracy of a classifier to achieve effective intrusion detection. The performance of the proposed approach is evaluated using an NSL-KDD dataset, and is studied for binary and multi-
urn a
class classification, and compared with other ML based approaches, like J48, SVM, ANN, etc. In [9] a deep learning-based methodology is executed, to arrange interruption location, utilizing a denoising auto-encoder (DAE). A weight reduction capacity is incorporated, which aids in choosing a set number of significant highlights for decreasing highlight dimensionality. The chosen information is then ordered, utilizing multilayer perceptron (MLP) as the classifier. Tests are then conducted utilizing the UNSW-NB dataset. Results show the component choice yields agreeable discovery execution, with low memory and computational requirements. The authors in [23] examine the ability to utilize profound learning models for organizing interruption recognition continuously. A
Jo
Cloud facilitated model framework was built, that consolidated a profound learning binomial characterization model, to anticipate if there is an interruption, with a multinomial model to distinguish the assault class. An assessment study was done utilizing the notably benchmarked NSL-KDD dataset.
However, such deep learning-based strategies require huge memory and high registering force in both the information accumulation and basic leadership forms. Hence, their applications to edge networks are still very limited. Here, we propose an advanced intrusive or malicious activity detection model, for the EoT network, using deep belief networks (DBNs) and test it on a public UNSW-NB15 dataset of intrusion [27, 28]. We propose
2
Journal Pre-proof
different architectures for the detection model by using varying structures of DBNs, which have been compared with conventional artificial neural network (ANN) techniques.
The rest of the paper is organized as follows. Section 2 presents the background of the ANNs and DBNs used in our
pro of
study. Section 3 presents the proposed approach for intrusion detection in Edge computing. Section 4 presents the experimental analysis and results. Section 5 describes the conclusion and future direction.
2.
Background 2.1 Artificial Neural Network (ANN)
An ANN includes an artificial intelligence technique which is inspired by the biological neural networks of human brains. Such technique can learn to do tasks, by examples, without programming task-specific rules [6]. In
Output
urn a
Input
lP
Bias
re-
general, an ANN consists of three layers: the input layer, hidden layer(s), and output layer, as shown in Figure 1.
Weight
Hidden Layer Output Layer (May be one or more) Fig. 1: An elementary architecture of ANN.
Input Layer
Jo
Each layer has a set of connected units, called neurons or nodes. These neurons integrate the inputs, from the input layer, and process them in the other two layers. The output of each neuron is computed using an activation function of the weighted sum for the previous connected neurons’ weights and inputs [7]. The neurons’ weights can be adjusted by a learning process, governed by a learning rule [8]. ANN models can be defined as mathematical models of the function,
that minimizes another function, called a cost function, computed by using the
following equation [9]:
3
Journal Pre-proof
Where
and
are data pairs that follow some distribution
Mathematically, a neuron with label receiving an input
.
contains of the following components [8]:
An activation , which is the neuron's state that depends on a discrete time parameter. A threshold , which is a certain fixed value for reaction and it may be changed through learning process.
-
An activation function input
-
pro of
-
that is used to compute the new activation at a given time t+1 from
by using the following relation:
And an output function
and the
(2)
that computes the output from the activation,
(3)
re-
Generally, the input neurons have no predecessors and work as an input interface; whereas, the output neurons have no successors and work as an output interface for the entire ANN. Each connection from a neuron to a neuron assigns a weight
and a bias
that can be used to shift the activation function [8]. A propagation function that
lP
computes the input of any neuron from the output of the predecessor neurons can be computed by:
urn a
After adding the bias value to the propagation function, the above equation can be changed as follows:
The parameters of the ANN can be modified in the learning process to give a preferred output [10]. The learning process is typically used to modify the variables within the network such as the weights and thresholds [11].
2.2 Deep Belief Network
Jo
A DBN [8] is a profound neural system classifier. It uses multilayer unaided learning systems named Restricted Boltzmann Machines (RBMs). In DBN the units in each layer are free, given the estimations of the units in the layer above. Fig. 2 shows a general DBN model. From Fig. 2 we can see that in a DBN we have obvious layers and shrouded layers. The preparation of a DBN follows two stages. In the principal stage the RBM of layers are prepared by contrastive difference (CD) calculation [12]. subsequent stage the parameters of the entire DBN are adjusted. The heaps in the undirected relationship, at the top level RBMs, are learned by fitting the back dispersal in the penultimate layer.
4
re-
pro of
Journal Pre-proof
Fig. 2: A general DBN Model
lP
3. Proposed Approach for Intrusion detection in Edge computing Fig. 3 depicts the workflow of the proposed approach for selecting the optimal DBN structure, for intrusion detection in an Edge computing platform. The proposed system consists of three major components: network data collection, feature extraction, and classification. The first component, i.e., the data collector system, collects various network intrusion related data and dived them in training data and test data. The second component of the system,
urn a
i.e. the feature extraction system, extracts important features related to intrusion. Finally, the classification component uses these features to train a DBN, and to try to find the optimal DBN structure for highest accuracy intrusion detection.
Network Flows
Jo
Training Data
Data Collector
Feature Extraction
DBN Classifier
Select the Best DBN Structure Model
Intrusion
Testing Data
Fig 3: Proposed approach of intrusion detection system in edge-of-things computing
5
Journal Pre-proof
3.1 Feature Extraction Feature extraction is an important component of the proposed system. A good feature selection approach can remove the redundant features from the data, and helps to increase the accuracy of the classifier. In our approach we
pro of
first convert all nominal features of the network data traffic to numeric values. This helps the IDS model to process all data easily. Then, we normalize the large feature values to a certain range as described in [3]. We use a min-max scaling method by using the following equation [3]:
represents the value of the feature in row and column of the dataset matrix.
3.2 DBN Training for Intrusion Detection
re-
where;
To train the proposed DBN model the collected features from the network flows are input to the DBN. At the beginning, a low number of hidden layers are considered. We separately train each RBM layer using contrastive
urn a
lP
divergence algorithm as shown in Figure 4.
Fig 4: DBN training procedure
Jo
A generative model is formed by RBM layer and visible (denoted by v) and hidden units (denoted by h) holds an energy [23] as follows:
(7)
The weights of DBN network are updated as follows: = Change of weight matrix
(8)
is the learning rate.
6
Journal Pre-proof
We start with a specific number of hidden layers and units. As time goes by, we increase the number of hidden units and retrain the DBN. This process is continued for several trials and, finally, we select the best DBN structure by the
Experiments and Results 4.1 UNSW-NB15 Dataset Description
UNSW-NB15 [27–28] is a very new dataset that contains normal activities and synthetic contemporary assaults, or attacks, from a network. The crude system bundle of the UNSW-NB15 information collection was made by the tcpdump instrument, at that point with 49 features, with class marks as created by Argus and Bro-IDS apparatus and 12 algorithms [28]. The full dataset contains an aggregate of 25,400,443 records. The segments of the full dataset
re-
are separated into a preparation/training set and a test set, by the various leveled examining techniques, specifically by UNSW_NB15_training-set.csv and UNSW_NB15_testing-set.csv, respectively. The preparation dataset contains 175,341 records; the testing dataset contains 82,332 records. The apportioned informational collection has just 43 features, with the class marks expelling 6 highlights (i.e., dstip, srcip, sport, dsport, Ltime, and Stime) from the full dataset. The divided dataset contains ten classifications, one typical and nine assaults: nonexclusive, misuses,
lP
fuzzers, DoS, observation, examination, secondary passage, shellcode, and worms. Fig. 5 shows in detail the class
urn a
appropriation of the UNSW-NB15 dataset.
Jo
4.
pro of
highest accuracy.
Fig. 5: The class distribution of the UNSW-NB15 dataset in various threat category
From Fig. 5, we can see that training samples of UNSW-NB15 dataset are imbalanced and need oversampling. So we have generated some new records of the specified category using oversampling method to balance the training data, and the results are shown in Fig. 6. 7
Journal Pre-proof
New Records Original Records Worm
pro of
Shellcode Reconnaissance
Category
Normal Generic Fuzzers Exploits DoS Backdoor
0
10000
re-
Analysis 20000
30000
40000
50000
60000
Number of Records
Fig. 6: New training records for balancing the UNSW-NB15 dataset
lP
Next, we have trained our proposed DBN model with the new balanced training dataset. At first, we consider 10 hidden units for DBN layer 1 and Layer 2 and slowly increased the hidden layer numbers up to 850. Also, we have changed the number of hidden units in layer 1 and layer 2 to see the performance variations. Table 1 shows the results of the experiment. From Table 1, we can see that when the hidden unit’s number is 42 in both layer 1 and layer 2 in DBN, we get the best accuracy. It is the DBN structure 28 that gives the best result. The confusion matrix
urn a
of DBN structure 28 is also shown in Table 2.
Table 1: Various DBN structure and corresponding accuracies
Number of hidden units (layer-1)
Number of hidden units (layer-2)
Serial number of DBN structure
16
16
4
82.20%
18
5
83.49%.
20
6
73.33%.
22
22
7
84.02%.
24
24
8
80.66%.
26
26
9
83.60%.
28
28
10
81.96%.
30
30
11
84.74%.
32
32
12
84.83%.
34
34
13
83.74%.
36
36
14
81.61%.
18
Jo
20
Accuracy
8
Journal Pre-proof
38
15
82.14%.
40
40
16
82.50%.
42
42
17
82.73%.
44
44
18
83.77%.
46
40
19
83.53%.
48
45
40
50
52
50
50
54
56
50
58
58
60
50
60
62
64
60
pro of
38
83.28%.
21
84.08%.
22
84.17%.
23
84.33%.
24
84.58%.
25
85.22%.
26
85.37%.
27
85.58%.
28
85.73%.
60
29
85.72%.
62 210
30 31
84.56%. 0.75%.
220
32
1.11%.
230
33
0.69%.
240
34
1.21%.
re-
20
65 68 250
lP
460 660 850
Analysis Backdoor DoS Exploits Fuzzers
Normal
Reconna i -ssance
Shellcod e
Wor m
3
12
1
0
0
168
3
10
28
0
0
3455
338
32
65
138
0
0
90
9682
863
23
96
378
0
0
0
62
1011
3471
5
1172
341
0
0
0
6
459
176
18168
14
48
0
0
Analysis
Backdoo r
DoS
Exploit s
Fuzzers
Generic
0
0
31
472
158
0
0
31
343
0
0
61
0
0
0 0
Jo
Generic
urn a
Table 2: Confusion matrix for DBN structure-28
Normal Reconnaissanc e
0
0
59
1722
7800
8
25943
1468
0
0
0
0
11
604
195
28
98
2560
0
0
Shellcode
0
0
0
95
82
0
12
189
0
0
Worm
0
0
0
36
6
0
1
1
0
0
As Table 1 shows, the accuracies vary as we increase the number of hidden units. However, after some point the accuracy decreases as we increase the number of hidden units. For instance, when the number of hidden units in layer 1 is 250 and 210 in layer 2, the accuracies decrease sharply. So the optimal or best DBN structure is 28 where 9
Journal Pre-proof
the accuracy is 85.73%. From Table 1, we can also find three different structures of DBN with different accuracy levels. First structure or class category contains an equal number of hidden units in both layer 1 and layer 2. For instance, L1(20)-L2(20) gives accuracy of 73.3%. The second structure category has more hidden units in L1 and less hidden units in L2. For instance, L1(46)-L2(40) provides accuracy of 81.53%. The third structure category
pro of
contains more units in layer 2 and less hidden units in layer 1. For instance, L1(64)-L2(60) structure has the accuracy level of 85.73%. We also did several experiments by varying the number of epochs from 40 to 400 to test whether the higher epoch number increases better accuracy as compared to the lower number of epochs. Fig. 7 shows the result of the experiment. We can see that when the epoch number increases, the proposed DBN model shows better accuracy. In addition, it is also evident that when the number of hidden layers increases to some point,
urn a
lP
re-
the DBN model performs better.
Fig. 7: Performance measurement by varying the number of epochs with various DBN structure type
We also compare the detection performance of the proposed DBN with ANN and SVM in each threat category of the UNSW-NB15 dataset. For initial weight of ANN, we have used the weight matrix from the trained DBN. The output of the ANN is similar to the no. of activity types. Back rogation training algorithm is used to train the ANN.
Jo
For the activation function for ANN, we have used optimal tan hyperbolic. For SVM, we have used the standard approach. The results are shown in Fig. 8 and Fig. 9. From Fig. 8, we can see that DBN has the best overall performance as compared to ANN and SVM. In particular, DBN has performed better detection rate in threat category Normal, Generic, Fuzzers, Exploits and DOS cases. It has the highest detection rate in Generic threat category (96.34%). In addition, it is also evident from Fig. 9 that DBN, ANN and SVM have lower detection rate in case of Worm, Backdoor and Analysis threat category.
10
Journal Pre-proof
ANN SVM DBN
Worm Shellcode Reconnaissance Normal
pro of
Category
Generic Fuzzers Exploits DoS Backdoor Analysis 0
10
20
30
40
50
60
70
80
90
100
Detection Performance (%)
re-
Fig.8: Detection performance in each threat category of UNSW-NB15 dataset 90 80
Accuracy (%)
60 50 40 30
urn a
20
lP
70
10
0
DBN
SVM
ANN
Fig. 9: Detection performance accuracy comparison with DBN, SVM and ANN Fig. 9 shows the detection performance accuracy of the DBN, ANN and SVM. It is clear that DBN with its various numbers of hidden layers and epochs performs much better as compared to ANN and SVM. The reason is that the
accuracy.
5.
Jo
higher number of hidden layers in DBN reduces the false positive and false-negative rate which improves the overall
Conclusion
Here, we focus on finding suitable IDS solutions for EoT platforms. As this EoT paradigm is distributed in nature, and has security and privacy problems inherited from the Cloud model, there is need for an accurate intrusion detection system. Specifically, we proposed a deep belief network (DBN) based advanced intrusion detection approach, for detecting intrusive or malicious activity in an edge-cloud platform. We have experimented with various DBN structure
11
Journal Pre-proof
with varying epochs to find the best model of DBN which increased the accuracy. In addition, we have compared the detection performance rate of the proposed DBN model with other methods such as ANN and SVM. We used a public data set, called the UNSW-NB15 dataset of intrusions, to test our proposed approach. In addition, we have compared our work with ANN and SVM applications. Experimental results demonstrated that the proposed approach
pro of
outperformed both in terms of accuracy. In the future, other deep learning methods could be used to increase accuracy
Acknowledgement
The authors are grateful to the Deanship of Scientific Research, king Saud University for funding through the Vice Deanship of Scientific Research Chairs: Chair of Cyber Security. The author also would like to thank the RSSU at King Saud University for their technical support.
re-
References
Yu, Wei, Fan Liang, Xiaofei He, William Grant Hatcher, Chao Lu, Jie Lin, and Xinyu Yang. "A survey on the edge computing for the Internet of Things." IEEE access 6 (2017): 6900-6919.
2.
El-Sayed, Hesham, Sharmi Sankar, Mukesh Prasad, Deepak Puthal, Akshansh Gupta, Manoranjan Mohanty, and Chin-Teng Lin. "Edge of things: The big picture on the integration of edge, IoT and the cloud in a distributed computing environment." IEEE Access 6 (2017): 1706-1717.
3.
Raponi, Simone, Maurantonio Caprolu, and Roberto Di Pietro. "Intrusion Detection at the Network Edge: Solutions, Limitations, and Future Directions." In International Conference on Edge Computing, pp. 59-75. Springer, Cham, 2019.
4.
Wang, Yu, Weizhi Meng, Wenjuan Li, Zhe Liu, Yang Liu, and Hanxiao Xue. "Adaptive machine learning‐ based alarm reduction via edge computing for distributed intrusion detection systems." Concurrency and Computation: Practice and Experience (2019): e5101
5.
Roman, Rodrigo, Javier Lopez, and Masahiro Mambo. "Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges." Future Generation Computer Systems 78 (2018): 680-698.
6.
Hosseinpour, Farhoud, Payam Vahdani Amoli, Juha Plosila, Timo Hämäläinen, and Hannu Tenhunen. "An intrusion detection system for fog computing and IoT based logistic systems using a smart data approach." International Journal of Digital Content Technology and its Applications 10 (2016).
7.
Md Golam Rabiul Alam, Mohammad Mehedi Hassan, Md ZIa Uddin, Ahmad Almogren, and Giancarlo Fortino. "Autonomic computation offloading in mobile edge for IoT applications." Future Generation Computer Systems 90 (2019): 149-157.
8.
Selvakumar, K., Marimuthu Karuppiah, L. SaiRamesh, SK Hafizul Islam, Mohammad Mehedi Hassan, Giancarlo Fortino, and Kim-Kwang Raymond Choo. "Intelligent temporal classification and fuzzy rough set-based feature selection algorithm for intrusion detection system in WSNs." Information Sciences 497 (2019): 77-90.
9.
Zhang, Hongpo, Chase Q. Wu, Shan Gao, Zongmin Wang, Yuxiao Xu, and Yongpeng Liu. "An effective deep learning based scheme for network intrusion detection." In 2018 24th International Conference on Pattern Recognition (ICPR), pp. 682-687. IEEE, 2018.
Jo
urn a
lP
1.
12
Journal Pre-proof
10. Sudqi Khater, Belal, Ainuddin Abdul Wahab, Mohd Idris, Mohammed Abdulla Hussain, and Ashraf Ahmed Ibrahim. "A lightweight perceptron-based intrusion detection system for fog computing." Applied Sciences 9, no. 1 (2019): 178.
pro of
11. Rawat, Shisrut, and Aishwarya Srinivasan. "Intrusion detection systems using classical machine learning techniques versus integrated unsupervised feature learning and deep neural network." arXiv preprint arXiv:1910.01114 (2019). 12. Ramaki, Ali Ahmadian, Abbas Rasoolzadegan, and Abbas Ghaemi Bafghi. "A systematic mapping study on intrusion alert analysis in intrusion detection systems." ACM Computing Surveys (CSUR) 51, no. 3 (2018): 55. 13. Rathore, M. Mazhar, Awais Ahmad, and Anand Paul. "Real time intrusion detection system for ultra-highspeed big data environments." The Journal of Supercomputing 72, no. 9 (2016): 3489-3510.
re-
14. Yang, Yanqing, Kangfeng Zheng, Chunhua Wu, and Yixian Yang. "Improving the Classification Effectiveness of Intrusion Detection by Using Improved Conditional Variational AutoEncoder and Deep Neural Network." Sensors 19, no. 11 (2019): 2528. 15. Yin, Chuanlong, Yuefei Zhu, Jinlong Fei, and Xinzheng He. "A deep learning approach for intrusion detection using recurrent neural networks." Ieee Access 5 (2017): 21954-21961.
lP
16. Karatas, Gozde, Onder Demir, and Ozgur Koray Sahingoz. "Deep learning in intrusion detection systems." In 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), pp. 113-116. IEEE, 2018. 17. B. Dong and X. Wang, “Comparison deep learning method to traditional methods using for network intrusion detection,” in 8th IEEE International Conference on Communication Software and Networks (ICCSN), Beijing, China, pp. 581–585, 2016.
urn a
18. Alom, Zahangir, Venkata Ramesh Bontupalli, and Tarek M. Taha. "Intrusion detection using deep belief network and extreme learning machine." International Journal of Monitoring and Surveillance Technologies Research (IJMSTR) 3, no. 2 (2015): 35-56. 19. Javaid, Ahmad, Quamar Niyaz, Weiqing Sun, and Mansoor Alam. "A deep learning approach for network intrusion detection system." In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), pp. 21-26. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2016. 20. Potluri, Sasanka, and Christian Diedrich. "Accelerated deep neural networks for enhanced Intrusion Detection System." In 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA), pp. 1-8. IEEE, 2016.
Jo
21. Karatas, Gozde, and Ozgur Koray Sahingoz. "Neural network based intrusion detection systems with different training functions." In 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 1-6. IEEE, 2018. 22. Gao, Ni, Ling Gao, Quanli Gao, and Hai Wang. "An intrusion detection model based on deep belief networks." In 2014 Second International Conference on Advanced Cloud and Big Data, pp. 247-252. IEEE, 2014. 23. Keegan, Nathan, Soo-Yeon Ji, Aastha Chaudhary, Claude Concolato, Byunggu Yu, and Dong Hyun Jeong. "A survey of cloud-based network intrusion detection analysis." Human-centric Computing and Information Sciences 6, no. 1 (2016): 19.
13
Journal Pre-proof
24. Almogren, Ahmad. "An automated and intelligent Parkinson disease monitoring system using wearable computing and cloud technology." Cluster Computing 22, no. 1 (2019): 2309-2316. 25. Mohiuddin, Irfan, and Ahmad Almogren. "Workload aware VM consolidation method in edge/cloud computing for IoT applications." Journal of Parallel and Distributed Computing 123 (2019): 204-214.
pro of
26. AlMajed, Hisham N., and Ahmad S. AlMogren. "Simple and Effective Secure Group Communications in Dynamic Wireless Sensor Networks." Sensors 19, no. 8 (2019): 1909. 27. Mahmud, Md Tareq, Md Obaidur Rahman, Mohammad Mehedi Hassan, Ahmad Almogren, and Mengchu Zhou. "An Efficient Cooperative Medium Access Control Protocol for Wireless IoT networks in Smart World System." Journal of Network and Computer Applications 133 (2019): 26-38.
Jo
urn a
lP
re-
28. N. Moustafa and J. Slay, “UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set),” in Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, pp. 1–6, 2015.
14
Journal Pre-proof
pro of
*Author Biography & Photograph
Jo
urn a
lP
re-
Ahmad Almogren has received PhD degree in computer sciences from Southern Methodist University, Dallas, Texas, USA in 2002. Previously, he worked as an assistant professor of computer science and a member of the scientific council at Riyadh College of Technology. He also served as the dean of the college of computer and information sciences and the head of the council of academic accreditation at Al Yamamah University. Presently, he works as Full professor and the vice dean for the development and quality at the college of computer and information sciences at King Saud University in Saudi Arabia. He has served as a guest editor for several computer journals. His research areas of interest include mobile and pervasive computing, computer security, sensor and cognitive network, and data consistency.
PII: DOI: Reference:
S0743-7315(19)30872-X https://doi.org/10.1016/j.jpdc.2019.12.008 YJPDC 4166
To appear in:
J. Parallel Distrib. Comput.
Received date : 8 September 2019 Revised date : 24 November 2019 Accepted date : 9 December 2019 Please cite this article as: A.S. Almogren, Intrusion Detection in Edge-of-Things computing, Journal of Parallel and Distributed Computing (2019), doi: https://doi.org/10.1016/j.jpdc.2019.12.008. This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
© 2019 Elsevier Inc. All rights reserved.
Journal Pre-proof *Highlights (for review)
Highlights
* A review of existing Intrusion detection in Edge-of-Things computing environment is presented
pro of
* Compare various deep learning based IDS system for EoT platform * Designed a hybrid deep learning based IDS system for Edge-of-things platform
Jo
urn a
lP
re-
* The proposed method outperforms other existing works in terms of accuracy and prediction
Journal Pre-proof *Manuscript Click here to view linked References
Intrusion Detection in Edge-of-Things Computing Ahmad S. Almogren
pro of
Research Chair of Cyber Security and Department of Computer Science College of Computer and Information Sciences King Saud University, Riyadh 11633, Saudi Arabia Email: [email protected]
Abstract— Edge-of-Things (EoT) is a new evolving computing model driven by the Internet of Things (IoT). It enables data processing, storage, and service to be shifted from the Cloud to nearby Edge devices/systems such as smartphones, routers, and base stations on the IoT paradigm. However, this architectural shift causes the security and privacy issues to migrate to the different layers of the Edge architecture. Therefore, detecting intrusion in such a distributed environment is difficult. In this scenario, an Intrusion Detection Systems is necessary. Here, we propose
re-
an approach to quickly and accurately detect intrusive activities in the EoT network, to realize the full potential of the IoT. Specifically, we propose a deep belief network (DBN) based on an advanced intrusion detection approach. We studied different detection models, by using different structures of DBNs, and compared them with exiting detection techniques. Test results show that the proposed methodology performs essentially superior to the current
lP
state-of-the-art approaches.
Index Terms— Deep learning, Deep belief network, Edge computing, Intrusion detection, Internet-of-Things
urn a
I. INTRODUCTION
Recently, massive adoption of Internet-of-Things (IoT) solutions, as well as high performance demands of modern end-user applications, make it hard for the current Cloud model to respond to new needs. The Cloud model offers powerful networked and remote computing resources, such as computing and storage resources available to users, thus allowing users not to spend on planning, purchasing, and keeping up these resources [1]. However, right now the Cloud is confronting expanding trouble, to deal with information that the IoT and other related applications create. As billions of already detached gadgets are presently creating multiple exabytes of information every day, the Cloud is trying to guarantee low inertness and system transfer speed utilization, ideal use of computational
Jo
recourses, and versatile and vital productivity of IoT gadgets, while moving all information to the Cloud. To adapt to these difficulties an ongoing pattern is to convey an Edge computing framework, between IoT frameworks and Cloud systems [2]. This new worldview, named as Edge-of-Things (EoT) computing, permits information processing, stockpiling, and administration supply to be moved from the Cloud to nearby Edge gadgets, for instance -- advanced mobile phones, savvy doors or switches, and neighborhood PCs that can offer figuring and capacity abilities on a smaller scale, continuously. The EoT pushes information stockpiling, registering, and controls nearer to the IoT information source(s), and thus empowers another assortment of utilizations and administrations such as gaming, expanded reality, and ongoing video stream handling.
1
Journal Pre-proof
Since the Edge computing system brings the commonplace administrations, offered by Cloud computing, nearer to the end-client, a large portion of its security and protection issues are acquired directly from the Cloud. Specifically, various security and privacy issues from the Cloud are now moved to the different layers of the Edge architecture [3,
pro of
4]. Therefore, detecting intrusion in such a distributed edge-cloud environment is challenging. One of the best strategies to tackle this problem is the insertion of an Intrusion Detection System (IDS), to screen and break down the system traffic and the device behavior, in the edge-cloud platform [5-7]
IDSs are developed to identify malicious activity or attacks that may originate from the web, or a nearby system, and harm the systems in the network [8]. The primary reason for any IDS is to identify assaults/attacks and to avoid that assault if possible. For any IDS the primary prerequisite is the precision or accuracy of the system to identify assaults or attacks. There are many artificial intelligence and machine learning strategies utilized for IDS, such as decision trees, clustering methods, association rule mining, and support vector machines (SVMs) [9].
re-
Notwithstanding, the vast majority of these machine learning (ML) techniques, with shallow structures, are not suited to detecting malicious activity or intrusion. In the Edge computing scenario, the problem is not the same as in the general networking case. Because the Edge computing works in a distributed manner, much noisy data are
lP
available, and it is difficult to detect attacks from these data with the traditional ML algorithm [10-14].
Recently deep learning algorithms are being used in various intrusion detection systems to improve performance [15-27]. In [15] the authors proposed a deep learning approach for intrusion detection using Recurrent Neural Networks (RNNs). RNNs help in improving the accuracy of a classifier to achieve effective intrusion detection. The performance of the proposed approach is evaluated using an NSL-KDD dataset, and is studied for binary and multi-
urn a
class classification, and compared with other ML based approaches, like J48, SVM, ANN, etc. In [9] a deep learning-based methodology is executed, to arrange interruption location, utilizing a denoising auto-encoder (DAE). A weight reduction capacity is incorporated, which aids in choosing a set number of significant highlights for decreasing highlight dimensionality. The chosen information is then ordered, utilizing multilayer perceptron (MLP) as the classifier. Tests are then conducted utilizing the UNSW-NB dataset. Results show the component choice yields agreeable discovery execution, with low memory and computational requirements. The authors in [23] examine the ability to utilize profound learning models for organizing interruption recognition continuously. A
Jo
Cloud facilitated model framework was built, that consolidated a profound learning binomial characterization model, to anticipate if there is an interruption, with a multinomial model to distinguish the assault class. An assessment study was done utilizing the notably benchmarked NSL-KDD dataset.
However, such deep learning-based strategies require huge memory and high registering force in both the information accumulation and basic leadership forms. Hence, their applications to edge networks are still very limited. Here, we propose an advanced intrusive or malicious activity detection model, for the EoT network, using deep belief networks (DBNs) and test it on a public UNSW-NB15 dataset of intrusion [27, 28]. We propose
2
Journal Pre-proof
different architectures for the detection model by using varying structures of DBNs, which have been compared with conventional artificial neural network (ANN) techniques.
The rest of the paper is organized as follows. Section 2 presents the background of the ANNs and DBNs used in our
pro of
study. Section 3 presents the proposed approach for intrusion detection in Edge computing. Section 4 presents the experimental analysis and results. Section 5 describes the conclusion and future direction.
2.
Background 2.1 Artificial Neural Network (ANN)
An ANN includes an artificial intelligence technique which is inspired by the biological neural networks of human brains. Such technique can learn to do tasks, by examples, without programming task-specific rules [6]. In
Output
urn a
Input
lP
Bias
re-
general, an ANN consists of three layers: the input layer, hidden layer(s), and output layer, as shown in Figure 1.
Weight
Hidden Layer Output Layer (May be one or more) Fig. 1: An elementary architecture of ANN.
Input Layer
Jo
Each layer has a set of connected units, called neurons or nodes. These neurons integrate the inputs, from the input layer, and process them in the other two layers. The output of each neuron is computed using an activation function of the weighted sum for the previous connected neurons’ weights and inputs [7]. The neurons’ weights can be adjusted by a learning process, governed by a learning rule [8]. ANN models can be defined as mathematical models of the function,
that minimizes another function, called a cost function, computed by using the
following equation [9]:
3
Journal Pre-proof
Where
and
are data pairs that follow some distribution
Mathematically, a neuron with label receiving an input
.
contains of the following components [8]:
An activation , which is the neuron's state that depends on a discrete time parameter. A threshold , which is a certain fixed value for reaction and it may be changed through learning process.
-
An activation function input
-
pro of
-
that is used to compute the new activation at a given time t+1 from
by using the following relation:
And an output function
and the
(2)
that computes the output from the activation,
(3)
re-
Generally, the input neurons have no predecessors and work as an input interface; whereas, the output neurons have no successors and work as an output interface for the entire ANN. Each connection from a neuron to a neuron assigns a weight
and a bias
that can be used to shift the activation function [8]. A propagation function that
lP
computes the input of any neuron from the output of the predecessor neurons can be computed by:
urn a
After adding the bias value to the propagation function, the above equation can be changed as follows:
The parameters of the ANN can be modified in the learning process to give a preferred output [10]. The learning process is typically used to modify the variables within the network such as the weights and thresholds [11].
2.2 Deep Belief Network
Jo
A DBN [8] is a profound neural system classifier. It uses multilayer unaided learning systems named Restricted Boltzmann Machines (RBMs). In DBN the units in each layer are free, given the estimations of the units in the layer above. Fig. 2 shows a general DBN model. From Fig. 2 we can see that in a DBN we have obvious layers and shrouded layers. The preparation of a DBN follows two stages. In the principal stage the RBM of layers are prepared by contrastive difference (CD) calculation [12]. subsequent stage the parameters of the entire DBN are adjusted. The heaps in the undirected relationship, at the top level RBMs, are learned by fitting the back dispersal in the penultimate layer.
4
re-
pro of
Journal Pre-proof
Fig. 2: A general DBN Model
lP
3. Proposed Approach for Intrusion detection in Edge computing Fig. 3 depicts the workflow of the proposed approach for selecting the optimal DBN structure, for intrusion detection in an Edge computing platform. The proposed system consists of three major components: network data collection, feature extraction, and classification. The first component, i.e., the data collector system, collects various network intrusion related data and dived them in training data and test data. The second component of the system,
urn a
i.e. the feature extraction system, extracts important features related to intrusion. Finally, the classification component uses these features to train a DBN, and to try to find the optimal DBN structure for highest accuracy intrusion detection.
Network Flows
Jo
Training Data
Data Collector
Feature Extraction
DBN Classifier
Select the Best DBN Structure Model
Intrusion
Testing Data
Fig 3: Proposed approach of intrusion detection system in edge-of-things computing
5
Journal Pre-proof
3.1 Feature Extraction Feature extraction is an important component of the proposed system. A good feature selection approach can remove the redundant features from the data, and helps to increase the accuracy of the classifier. In our approach we
pro of
first convert all nominal features of the network data traffic to numeric values. This helps the IDS model to process all data easily. Then, we normalize the large feature values to a certain range as described in [3]. We use a min-max scaling method by using the following equation [3]:
represents the value of the feature in row and column of the dataset matrix.
3.2 DBN Training for Intrusion Detection
re-
where;
To train the proposed DBN model the collected features from the network flows are input to the DBN. At the beginning, a low number of hidden layers are considered. We separately train each RBM layer using contrastive
urn a
lP
divergence algorithm as shown in Figure 4.
Fig 4: DBN training procedure
Jo
A generative model is formed by RBM layer and visible (denoted by v) and hidden units (denoted by h) holds an energy [23] as follows:
(7)
The weights of DBN network are updated as follows: = Change of weight matrix
(8)
is the learning rate.
6
Journal Pre-proof
We start with a specific number of hidden layers and units. As time goes by, we increase the number of hidden units and retrain the DBN. This process is continued for several trials and, finally, we select the best DBN structure by the
Experiments and Results 4.1 UNSW-NB15 Dataset Description
UNSW-NB15 [27–28] is a very new dataset that contains normal activities and synthetic contemporary assaults, or attacks, from a network. The crude system bundle of the UNSW-NB15 information collection was made by the tcpdump instrument, at that point with 49 features, with class marks as created by Argus and Bro-IDS apparatus and 12 algorithms [28]. The full dataset contains an aggregate of 25,400,443 records. The segments of the full dataset
re-
are separated into a preparation/training set and a test set, by the various leveled examining techniques, specifically by UNSW_NB15_training-set.csv and UNSW_NB15_testing-set.csv, respectively. The preparation dataset contains 175,341 records; the testing dataset contains 82,332 records. The apportioned informational collection has just 43 features, with the class marks expelling 6 highlights (i.e., dstip, srcip, sport, dsport, Ltime, and Stime) from the full dataset. The divided dataset contains ten classifications, one typical and nine assaults: nonexclusive, misuses,
lP
fuzzers, DoS, observation, examination, secondary passage, shellcode, and worms. Fig. 5 shows in detail the class
urn a
appropriation of the UNSW-NB15 dataset.
Jo
4.
pro of
highest accuracy.
Fig. 5: The class distribution of the UNSW-NB15 dataset in various threat category
From Fig. 5, we can see that training samples of UNSW-NB15 dataset are imbalanced and need oversampling. So we have generated some new records of the specified category using oversampling method to balance the training data, and the results are shown in Fig. 6. 7
Journal Pre-proof
New Records Original Records Worm
pro of
Shellcode Reconnaissance
Category
Normal Generic Fuzzers Exploits DoS Backdoor
0
10000
re-
Analysis 20000
30000
40000
50000
60000
Number of Records
Fig. 6: New training records for balancing the UNSW-NB15 dataset
lP
Next, we have trained our proposed DBN model with the new balanced training dataset. At first, we consider 10 hidden units for DBN layer 1 and Layer 2 and slowly increased the hidden layer numbers up to 850. Also, we have changed the number of hidden units in layer 1 and layer 2 to see the performance variations. Table 1 shows the results of the experiment. From Table 1, we can see that when the hidden unit’s number is 42 in both layer 1 and layer 2 in DBN, we get the best accuracy. It is the DBN structure 28 that gives the best result. The confusion matrix
urn a
of DBN structure 28 is also shown in Table 2.
Table 1: Various DBN structure and corresponding accuracies
Number of hidden units (layer-1)
Number of hidden units (layer-2)
Serial number of DBN structure
16
16
4
82.20%
18
5
83.49%.
20
6
73.33%.
22
22
7
84.02%.
24
24
8
80.66%.
26
26
9
83.60%.
28
28
10
81.96%.
30
30
11
84.74%.
32
32
12
84.83%.
34
34
13
83.74%.
36
36
14
81.61%.
18
Jo
20
Accuracy
8
Journal Pre-proof
38
15
82.14%.
40
40
16
82.50%.
42
42
17
82.73%.
44
44
18
83.77%.
46
40
19
83.53%.
48
45
40
50
52
50
50
54
56
50
58
58
60
50
60
62
64
60
pro of
38
83.28%.
21
84.08%.
22
84.17%.
23
84.33%.
24
84.58%.
25
85.22%.
26
85.37%.
27
85.58%.
28
85.73%.
60
29
85.72%.
62 210
30 31
84.56%. 0.75%.
220
32
1.11%.
230
33
0.69%.
240
34
1.21%.
re-
20
65 68 250
lP
460 660 850
Analysis Backdoor DoS Exploits Fuzzers
Normal
Reconna i -ssance
Shellcod e
Wor m
3
12
1
0
0
168
3
10
28
0
0
3455
338
32
65
138
0
0
90
9682
863
23
96
378
0
0
0
62
1011
3471
5
1172
341
0
0
0
6
459
176
18168
14
48
0
0
Analysis
Backdoo r
DoS
Exploit s
Fuzzers
Generic
0
0
31
472
158
0
0
31
343
0
0
61
0
0
0 0
Jo
Generic
urn a
Table 2: Confusion matrix for DBN structure-28
Normal Reconnaissanc e
0
0
59
1722
7800
8
25943
1468
0
0
0
0
11
604
195
28
98
2560
0
0
Shellcode
0
0
0
95
82
0
12
189
0
0
Worm
0
0
0
36
6
0
1
1
0
0
As Table 1 shows, the accuracies vary as we increase the number of hidden units. However, after some point the accuracy decreases as we increase the number of hidden units. For instance, when the number of hidden units in layer 1 is 250 and 210 in layer 2, the accuracies decrease sharply. So the optimal or best DBN structure is 28 where 9
Journal Pre-proof
the accuracy is 85.73%. From Table 1, we can also find three different structures of DBN with different accuracy levels. First structure or class category contains an equal number of hidden units in both layer 1 and layer 2. For instance, L1(20)-L2(20) gives accuracy of 73.3%. The second structure category has more hidden units in L1 and less hidden units in L2. For instance, L1(46)-L2(40) provides accuracy of 81.53%. The third structure category
pro of
contains more units in layer 2 and less hidden units in layer 1. For instance, L1(64)-L2(60) structure has the accuracy level of 85.73%. We also did several experiments by varying the number of epochs from 40 to 400 to test whether the higher epoch number increases better accuracy as compared to the lower number of epochs. Fig. 7 shows the result of the experiment. We can see that when the epoch number increases, the proposed DBN model shows better accuracy. In addition, it is also evident that when the number of hidden layers increases to some point,
urn a
lP
re-
the DBN model performs better.
Fig. 7: Performance measurement by varying the number of epochs with various DBN structure type
We also compare the detection performance of the proposed DBN with ANN and SVM in each threat category of the UNSW-NB15 dataset. For initial weight of ANN, we have used the weight matrix from the trained DBN. The output of the ANN is similar to the no. of activity types. Back rogation training algorithm is used to train the ANN.
Jo
For the activation function for ANN, we have used optimal tan hyperbolic. For SVM, we have used the standard approach. The results are shown in Fig. 8 and Fig. 9. From Fig. 8, we can see that DBN has the best overall performance as compared to ANN and SVM. In particular, DBN has performed better detection rate in threat category Normal, Generic, Fuzzers, Exploits and DOS cases. It has the highest detection rate in Generic threat category (96.34%). In addition, it is also evident from Fig. 9 that DBN, ANN and SVM have lower detection rate in case of Worm, Backdoor and Analysis threat category.
10
Journal Pre-proof
ANN SVM DBN
Worm Shellcode Reconnaissance Normal
pro of
Category
Generic Fuzzers Exploits DoS Backdoor Analysis 0
10
20
30
40
50
60
70
80
90
100
Detection Performance (%)
re-
Fig.8: Detection performance in each threat category of UNSW-NB15 dataset 90 80
Accuracy (%)
60 50 40 30
urn a
20
lP
70
10
0
DBN
SVM
ANN
Fig. 9: Detection performance accuracy comparison with DBN, SVM and ANN Fig. 9 shows the detection performance accuracy of the DBN, ANN and SVM. It is clear that DBN with its various numbers of hidden layers and epochs performs much better as compared to ANN and SVM. The reason is that the
accuracy.
5.
Jo
higher number of hidden layers in DBN reduces the false positive and false-negative rate which improves the overall
Conclusion
Here, we focus on finding suitable IDS solutions for EoT platforms. As this EoT paradigm is distributed in nature, and has security and privacy problems inherited from the Cloud model, there is need for an accurate intrusion detection system. Specifically, we proposed a deep belief network (DBN) based advanced intrusion detection approach, for detecting intrusive or malicious activity in an edge-cloud platform. We have experimented with various DBN structure
11
Journal Pre-proof
with varying epochs to find the best model of DBN which increased the accuracy. In addition, we have compared the detection performance rate of the proposed DBN model with other methods such as ANN and SVM. We used a public data set, called the UNSW-NB15 dataset of intrusions, to test our proposed approach. In addition, we have compared our work with ANN and SVM applications. Experimental results demonstrated that the proposed approach
pro of
outperformed both in terms of accuracy. In the future, other deep learning methods could be used to increase accuracy
Acknowledgement
The authors are grateful to the Deanship of Scientific Research, king Saud University for funding through the Vice Deanship of Scientific Research Chairs: Chair of Cyber Security. The author also would like to thank the RSSU at King Saud University for their technical support.
re-
References
Yu, Wei, Fan Liang, Xiaofei He, William Grant Hatcher, Chao Lu, Jie Lin, and Xinyu Yang. "A survey on the edge computing for the Internet of Things." IEEE access 6 (2017): 6900-6919.
2.
El-Sayed, Hesham, Sharmi Sankar, Mukesh Prasad, Deepak Puthal, Akshansh Gupta, Manoranjan Mohanty, and Chin-Teng Lin. "Edge of things: The big picture on the integration of edge, IoT and the cloud in a distributed computing environment." IEEE Access 6 (2017): 1706-1717.
3.
Raponi, Simone, Maurantonio Caprolu, and Roberto Di Pietro. "Intrusion Detection at the Network Edge: Solutions, Limitations, and Future Directions." In International Conference on Edge Computing, pp. 59-75. Springer, Cham, 2019.
4.
Wang, Yu, Weizhi Meng, Wenjuan Li, Zhe Liu, Yang Liu, and Hanxiao Xue. "Adaptive machine learning‐ based alarm reduction via edge computing for distributed intrusion detection systems." Concurrency and Computation: Practice and Experience (2019): e5101
5.
Roman, Rodrigo, Javier Lopez, and Masahiro Mambo. "Mobile edge computing, fog et al.: A survey and analysis of security threats and challenges." Future Generation Computer Systems 78 (2018): 680-698.
6.
Hosseinpour, Farhoud, Payam Vahdani Amoli, Juha Plosila, Timo Hämäläinen, and Hannu Tenhunen. "An intrusion detection system for fog computing and IoT based logistic systems using a smart data approach." International Journal of Digital Content Technology and its Applications 10 (2016).
7.
Md Golam Rabiul Alam, Mohammad Mehedi Hassan, Md ZIa Uddin, Ahmad Almogren, and Giancarlo Fortino. "Autonomic computation offloading in mobile edge for IoT applications." Future Generation Computer Systems 90 (2019): 149-157.
8.
Selvakumar, K., Marimuthu Karuppiah, L. SaiRamesh, SK Hafizul Islam, Mohammad Mehedi Hassan, Giancarlo Fortino, and Kim-Kwang Raymond Choo. "Intelligent temporal classification and fuzzy rough set-based feature selection algorithm for intrusion detection system in WSNs." Information Sciences 497 (2019): 77-90.
9.
Zhang, Hongpo, Chase Q. Wu, Shan Gao, Zongmin Wang, Yuxiao Xu, and Yongpeng Liu. "An effective deep learning based scheme for network intrusion detection." In 2018 24th International Conference on Pattern Recognition (ICPR), pp. 682-687. IEEE, 2018.
Jo
urn a
lP
1.
12
Journal Pre-proof
10. Sudqi Khater, Belal, Ainuddin Abdul Wahab, Mohd Idris, Mohammed Abdulla Hussain, and Ashraf Ahmed Ibrahim. "A lightweight perceptron-based intrusion detection system for fog computing." Applied Sciences 9, no. 1 (2019): 178.
pro of
11. Rawat, Shisrut, and Aishwarya Srinivasan. "Intrusion detection systems using classical machine learning techniques versus integrated unsupervised feature learning and deep neural network." arXiv preprint arXiv:1910.01114 (2019). 12. Ramaki, Ali Ahmadian, Abbas Rasoolzadegan, and Abbas Ghaemi Bafghi. "A systematic mapping study on intrusion alert analysis in intrusion detection systems." ACM Computing Surveys (CSUR) 51, no. 3 (2018): 55. 13. Rathore, M. Mazhar, Awais Ahmad, and Anand Paul. "Real time intrusion detection system for ultra-highspeed big data environments." The Journal of Supercomputing 72, no. 9 (2016): 3489-3510.
re-
14. Yang, Yanqing, Kangfeng Zheng, Chunhua Wu, and Yixian Yang. "Improving the Classification Effectiveness of Intrusion Detection by Using Improved Conditional Variational AutoEncoder and Deep Neural Network." Sensors 19, no. 11 (2019): 2528. 15. Yin, Chuanlong, Yuefei Zhu, Jinlong Fei, and Xinzheng He. "A deep learning approach for intrusion detection using recurrent neural networks." Ieee Access 5 (2017): 21954-21961.
lP
16. Karatas, Gozde, Onder Demir, and Ozgur Koray Sahingoz. "Deep learning in intrusion detection systems." In 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), pp. 113-116. IEEE, 2018. 17. B. Dong and X. Wang, “Comparison deep learning method to traditional methods using for network intrusion detection,” in 8th IEEE International Conference on Communication Software and Networks (ICCSN), Beijing, China, pp. 581–585, 2016.
urn a
18. Alom, Zahangir, Venkata Ramesh Bontupalli, and Tarek M. Taha. "Intrusion detection using deep belief network and extreme learning machine." International Journal of Monitoring and Surveillance Technologies Research (IJMSTR) 3, no. 2 (2015): 35-56. 19. Javaid, Ahmad, Quamar Niyaz, Weiqing Sun, and Mansoor Alam. "A deep learning approach for network intrusion detection system." In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), pp. 21-26. ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), 2016. 20. Potluri, Sasanka, and Christian Diedrich. "Accelerated deep neural networks for enhanced Intrusion Detection System." In 2016 IEEE 21st International Conference on Emerging Technologies and Factory Automation (ETFA), pp. 1-8. IEEE, 2016.
Jo
21. Karatas, Gozde, and Ozgur Koray Sahingoz. "Neural network based intrusion detection systems with different training functions." In 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 1-6. IEEE, 2018. 22. Gao, Ni, Ling Gao, Quanli Gao, and Hai Wang. "An intrusion detection model based on deep belief networks." In 2014 Second International Conference on Advanced Cloud and Big Data, pp. 247-252. IEEE, 2014. 23. Keegan, Nathan, Soo-Yeon Ji, Aastha Chaudhary, Claude Concolato, Byunggu Yu, and Dong Hyun Jeong. "A survey of cloud-based network intrusion detection analysis." Human-centric Computing and Information Sciences 6, no. 1 (2016): 19.
13
Journal Pre-proof
24. Almogren, Ahmad. "An automated and intelligent Parkinson disease monitoring system using wearable computing and cloud technology." Cluster Computing 22, no. 1 (2019): 2309-2316. 25. Mohiuddin, Irfan, and Ahmad Almogren. "Workload aware VM consolidation method in edge/cloud computing for IoT applications." Journal of Parallel and Distributed Computing 123 (2019): 204-214.
pro of
26. AlMajed, Hisham N., and Ahmad S. AlMogren. "Simple and Effective Secure Group Communications in Dynamic Wireless Sensor Networks." Sensors 19, no. 8 (2019): 1909. 27. Mahmud, Md Tareq, Md Obaidur Rahman, Mohammad Mehedi Hassan, Ahmad Almogren, and Mengchu Zhou. "An Efficient Cooperative Medium Access Control Protocol for Wireless IoT networks in Smart World System." Journal of Network and Computer Applications 133 (2019): 26-38.
Jo
urn a
lP
re-
28. N. Moustafa and J. Slay, “UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set),” in Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, pp. 1–6, 2015.
14
Journal Pre-proof
pro of
*Author Biography & Photograph
Jo
urn a
lP
re-
Ahmad Almogren has received PhD degree in computer sciences from Southern Methodist University, Dallas, Texas, USA in 2002. Previously, he worked as an assistant professor of computer science and a member of the scientific council at Riyadh College of Technology. He also served as the dean of the college of computer and information sciences and the head of the council of academic accreditation at Al Yamamah University. Presently, he works as Full professor and the vice dean for the development and quality at the college of computer and information sciences at King Saud University in Saudi Arabia. He has served as a guest editor for several computer journals. His research areas of interest include mobile and pervasive computing, computer security, sensor and cognitive network, and data consistency.