基于特征选择的物联网轻量级入侵检测方法

doi:10.3969/j.issn.1671-1122.2023.01.008

摘要/Abstract

摘要：

随着物联网的大规模使用，其安全问题也日益严峻，如何在资源有限的物联网环境中准确实时检测网络攻击是亟需解决的关键问题。基于流量特征的入侵检测系统是物联网安全的一种解决方案，但该方案存在流量特征数量繁多、不利于训练快速轻量的检测模型的问题。针对该问题，文章提出一种基于特征选择的物联网轻量级入侵检测方法相关性系数和方差膨胀因子的特征选择方法。该方法在流粒度下对流量特征进行选择，通过机器学习算法对正常流量和恶意流量进行分类。实验结果表明，该方法能在有限的资源下快速有效地识别网络攻击行为，综合精确度与召回率达到99.4%。

关键词: 物联网, 入侵检测, 机器学习, 特征选择

Abstract:

With the large-scale use of the Internet of Things (IoT), the security problem has become increasingly prominent. How to detect network attacks accurately and in real time in the IoT environment with limited resources is a key problem that needs to be solved urgently. Intrusion detection system based on network traffic features is a solution to the security of IoT. This solution remains the problem of the large number of features make training fast and lightweight detection models difficult. To address this issue, this paper proposed a feature selection technique based on Pearson correlation coefficient and variance expansion factor. In this method, traffic characteristics were selected under flow granularity, and normal and malicious traffic were classified by machine learning algorithm. The experimental results show that this method can quickly and effectively detect network attacks with limited resources, and the overall precision and recall reach 99.4%.

Key words: Internet of Things, intrusion detection, machine learning, feature selection

中图分类号:

TP309

刘翔宇, 芦天亮, 杜彦辉, 王靖翔. 基于特征选择的物联网轻量级入侵检测方法[J]. 信息网络安全, 2023, 23(1): 66-72.

LIU Xiangyu, LU Tianliang, DU Yanhui, WANG Jingxiang. Lightweight IoT Intrusion Detection Method Based on Feature Selection[J]. Netinfo Security, 2023, 23(1): 66-72.

图/表 11

图1

表1

表2

表3

表4

表5

表6

表7

表8

表9

表10

参考文献 18

[1]	KOLIAS C, KAMBOURAKIS G, STAVROU A, et al. Ddos in the IoT: Mirai and Other Botnets[J]. Computer, 2017, 50(7): 80-84.
[2]	LIU Hongyu, BO Lang. Machine Learning and Deep Learning Methods for Intrusion Detection Systems: A Survey[EB/OL]. (2019-10-17)[2022-10-01]. https://pdfs.semanticscholar.org/4341/c20c517117c49f0ae37b57790c8b2217eb7a.pdf?_ga=2.57188010.1035881027.1670984266-291098582.1670984266.
[3]	AMOURI A, ALAPARTHY V T, MORGERA S D. Cross Layer-Based Intrusion Detection Based on Network Behavior for IoT[C]// IEEE. 2018 IEEE 19th Wireless and Microwave Technology Conference (WAMICON). New York: IEEE, 2018: 1-4.
[4]	SIVANATHAN A, GHARAKHEILI H H, SIVARAMAN V. Detecting Behavioral Change of Iot Devices Using Clustering-Based Network Traffic Modeling[J]. IEEE Internet of Things Journal, 2020, 7(8): 7295-7309. doi: 10.1109/JIOT.2020.2984030 URL
[5]	HASAN M, ISLAM M M, ZARIF M I I, et al. Attack and Anomaly Detection in IoT Sensors in IoT Sites Using Machine Learning Approaches[EB/OL]. (2019-05-30)[2022-10-01]. https://www.sciencedirect.com/science/article/pii/S2542660519300241.
[6]	PAHL M O, AUBET F X. All Eyes on You: Distributed Multi-Dimensional IoT Microservice Anomaly Detection[C]// IEEE. 2018 14th International Conference on Network and Service Management (CNSM). New York: IEEE, 2018: 72-80.
[7]	LIMA FILHO F S D, SILVEIRA F A, DE MEDEIROS BRITO JUNIOR A, et al. Smart Detection: An Online Approach for DoS/DDoS Attack Detection Using Machine Learning[J]. Security and Communication Networks, 2019, 12: 1-15.
[8]	SHARAFALDIN I, HABIBI LASHKARI A, GHORBANI A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[C]// ICISSP. International Conference on Information Systems Security and Privacy. Funchal: ICISSP, 2018: 108-116.
[9]	RADFORD B J, RICHARDSON B D, DAVIS S E. Sequence Aggregation Rules for Anomaly Detection in Computer Network Traffic[EB/OL]. (2018-05-14)[2022-10-01]. https://arxiv.org/pdf/1805.03735.pdf.
[10]	EKTEFA M, MEMAR S, SIDI F, et al. Intrusion Detection Using Data Mining Techniques[C]// IEEE. 2010 International Conference on Information Retrieval & Knowledge Management (CAMP). New York: IEEE, 2010: 200-203.
[11]	PAJOUH H H, JAVIDAN R, KHAYAMI R, et al. A Two-Layer Dimension Reduction and Two-Tier Classification Model for Anomaly-Based Intrusion Detection in IoT Backbone Networks[J]. IEEE Transactions on Emerging Topics in Computing, 2019, 7(2): 314-323. doi: 10.1109/TETC.2016.2633228 URL
[12]	AHMAD R, ALSMADI I, ALHAMDANI W, et al. Towards Building Data Analytics Benchmarks for IoT Intrusion Detection[J]. Cluster Computing, 2021, 25: 2125-2141. doi: 10.1007/s10586-021-03388-z URL
[13]	ALHOWAIDE A, ALSMADI I, TANG J. Ensemble Detection Model for IoT Ids[EB/OL]. (2021-12-26)[2022-10-01]. https://www.sciencedirect.com/science/article/abs/pii/S2542660521000792.
[14]	VATCHEVA K P, LEE M, MCCORMICK J B, et al. Multicollinearity in Regression Analyses Conducted in Epidemiologic Studies[EB/OL]. (2016-03-07)[2022-10-01]. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4888898/.
[15]	O’BRIEN R M. A Caution Regarding Rules of Thumb for Variance Inflation Factors[J]. Quality & Quantity, 2007, 41(5): 673-690.
[16]	CIESLAK D A, CHAWLA N V, STRIEGEL A. Combating Imbalance in Network Intrusion Datasets[C]// IEEE. 2006 IEEE International Conference on Granular Computing. New York: IEEE, 2006: 732-737.
[17]	CHAWLA N V, BOWYER K W, HALL L O, et al. Smote: Synthetic Minority Over-Sampling Technique[J]. Journal of Artificial Intelligence Research, 2002, 16: 321-357. doi: 10.1613/jair.953 URL
[18]	SEBASTIAN G, AGUSTIN P, MARIA JOSE E. Iot-23: A Labeled Dataset with Malicious and Benign IoT Network Traffic[EB/OL]. (2020-01-20)[2022-10-01]. https://www.stratosphereips.org/datasets-iot23. .

模型	超参数
KNN	Euclidean distance, n_neighbors = 3
决策树	criterion = gini, min samples split =2
随机森林	number_of_trees =100, max_depth = 3
梯度提升	learning_rate=0.1, min_samples_split = 2
AdaBoost	n_estimators=100

	特征	描述
1	uid	流的唯一ID
2	id.orig_h	源IP地址
3	id.orig_p	源端口号
4	id.resp_h	目的IP地址
5	id.resp_p	目的端口号
6	proto	协议
7	service	dhcp, dns, http, ssh
8	duration	流的持续时间
9	orig_bytes	源发送载荷字节数
10	resp_bytes	目的发送载荷字节数
11	conn_state	连接状态
12	local_orig	本地源地址标志位为T 远端源地址标志位为F
13	local_resp	本地目的地址标志位为T 远端目的地址标志位为F
14	missed_bytes	丢失的字节数
15	orig_pkts	源地址发送的包数量
16	orig_ip_bytes	源地址发送的IP层字节数
17	resp_pkts	目的地址发送的包数量
18	resp_ip_bytes	目的地址发送的IP层字节数

标签	原始	去重后
Benign	30860691	115914
DDoS	19538713	1643282
PartOfAHorizontalPortScan	213852924	79652
Okiru	60990708	14994
C&C-Heartbeat	33673	10239
C&C	21995	8940
Attack	9398	9366
C&C-PartOfAHorizontalPortScan	888	327
C&C-HeartBeat-Attack	834	743
C&C-FileDownload	53	53
C&C-Torii	30	17
FileDownload	18	18
C&C-HeartBeat-FileDownload	11	11
PartOfAHorizontalPortScan-Attack	5	5
Okiru-Attack	3	3
C&C-Mirai	2	2

	proto	service	duration	orig_bytes	resp_bytes	conn_state	missed_bytes	orig_pkts	orig_ip_butes	resp_pkts	resp_ip_bytes
proto	1.00	0.13	0.36	-0.04	0.00	-0.56	0.00	0.01	0.01	0.00	0.00
service	0.13	1.00	0.00	-0.01	0.00	-0.08	0.00	0.00	0.00	0.02	0.02
duration	0.36	0.00	1.00	0.13	0.00	-0.17	0.00	0.06	0.05	0.03	0.00
orig_bytes	-0.04	-0.01	0.13	1.00	0.00	0.33	0.00	0.00	0.00	0.00	0.00
resp_bytes	0.00	0.00	0.00	0.00	1.00	0.00	0.05	0.00	0.00	0.01	0.01
conn_state	-0.56	-0.08	-0.17	0.33	0.00	1.00	0.00	-0.01	-0.01	0.00	0.00
missed_bytes	0.00	0.00	0.00	0.00	0.05	0.00	1.00	0.00	0.00	0.00	0.00
orig _bytes	0.01	0.00	0.06	0.00	0.00	-0.01	0.00	1.00	0.81	0.00	0.00
orig_ip_bytes	0.01	0.00	0.05	0.00	0.00	-0.01	0.00	0.81	1.00	0.00	0.00
resp_bytes	0.00	0.02	0.03	0.00	0.01	0.00	0.00	0.00	0.00	1.00	1.00
resp_ip_bytes	0.00	0.02	0.00	0.00	0.01	0.00	0.00	0.00	0.00	1.00	1.00

特征	VIF
proto	0.222626
service	1.021842
duration	1.775417
orig_bytes	1.194968
resp_bytes	1.003141
conn_state	0.672712
missed_bytes	1.003002
orig_pkts	2.853281
orig_ip_bytes	2.847739
resp_pkts	660.558448
resp_ip_bytes	659.803025