An intrusion detection method for internet of things based on suppressed fuzzy clustering

Owing to the rapid development and wide applications of the Internet of Things (IoT) techniques, security of IoT has attracted increasing attentions. IoT is a sensor network consisting of various sensor nodes, which are readily exposed to attacks as they are usually located in sites with no monitoring [1, 2]. To make it worse, attacks on IoT may lead to huge damages in a wide range, compared with computer networks. Hence, security risks in all aspects of IoT and strategies should be analyzed as a whole and the simplification of end security set-up is of IoT great significance [3]. The detection systems should be further optimized based on analysis of risk categories and security structures of IoT [4].

The intrusion detection method judges attacks based on data collected by multiple collection points in a computer network [5, 6]. The intrusion detection is an active protection technique that can intercept and respond to intrusions before they reach the network. However, the huge network data traffic is a huge challenge to intrusion detection systems as it induces high requirements on the detection efficiency so that attacks can be detected in real time. The restricted Boltzmann machine (RBM) network was trained using the greedy algorithm, and low dimension expressions of the RBM network output were classified downwards using the back propagation algorithm [7]. The results indicated that the proposed model shows improved accuracy of intrusion detections, thus suitable for information extractions in high-dimension space. For data compression and low clustering efficiency issues, a modified self-adjustment clustering method is established based on direct correlation to samples close to cluster center [8]. This method effectively reduced clustering sample size and clustering time-space consumption and improves the effectiveness of intrusion detection. Aimed at feature optimization and selection in intrusion detections, a support vector machine (SVM) based two-stage feature selection method was proposed based on feature evaluations of the ratio of detection rate and false alarm rate [9]. In this method, filter noises and irrelevant features were filtered using Fisher classification and information gain in the filtering mode, respectively, to obtain overlapping feature subsets and effectively reduce modeling and detection time. For intrusion detections of internal nodes in wireless sensor networks (WSN), a layer-clustered intrusion detection method for trust value of node a based on the Beta distribution theory and outlier factor was proposed [10]. This method identifies abnormal nodes based on the Mahalanobis distance and exhibits low false alarm rates. Based on classification methods in data mining, optimized solutions were identified by direction calculations of relevant matrices and multi-category network attacks are analyzed by multi-objective mathematical programming model [11]. This method exhibits advantages such as low complexity, effective detections of multi-category attacks, and low false alarm rates. A fuzzy clustering intrusion model based on genetic algorithm and hierarchical algorithm was proposed [12]. Herein, the feature volume was determined by deletion of data set features using the Youden index, the susceptibility to initial cluster centers was relieved, and the local optimization issues in iteration were overcome. Experimental results demonstrated excellent detection performance of the proposed model for network attacks. For Kernel restriction issues in minimum enclosing ball algorithm, an intrusion detection method based on minimum enclosing ball with extensive Kernel was proposed [13]. This method can obtain the minimum enclosing ball of the sample set according to updates of the center and the radius of sphere and categorize network intrusions according to distributions of support vectors. To enhance the accuracy of intrusion detections, an intrusion detection method combining artificial immunity and rough set was proposed for vaccine injections [14]. This method can achieve real time detections of unknown attacks with improved effectiveness and efficiency. Also, a network intrusion detection model was proposed and an alarm system combining multiple proof techniques was established to filter false alarms [15]. An improved multi-objective genetic algorithm-based intrusion detection integrated method has been proposed [16]. This algorithm can effectively solve feature selection issues in intrusion detections, and the method based on this algorithm exhibited excellent detection accuracy and wide applicability to different categories of attacks.

Although intrusion detection technology has been widely used, there are still many problems, such as large number of alerts, high false alarm rate, poor generality, and false report. In this article, an intrusion detection method for IoT was proposed based on suppressed fuzzy clustering (SFC) algorithm [17, 18] and principal component analysis (PCA) algorithm [19, 20]. Simulations demonstrated high detection efficiency and significantly reduced detection time of the proposed method. Section 2 describes the objective prejudgment model of intrusion detections, Section 3 proposes solution of intrusion detections, Section 4 involves simulations, and Section 5 includes a conclusion.

IoT consists of multiple sensor nodes with low communication traffic and short communication range. All nodes are identical and abnormal data packets can be detected by monitoring of wireless ports at all nodes. An intrusion detection system (IDS) for IoT is a solid system consisting of six closely related parts, including data packet monitoring, boundary identification, key management, local detection, voting, and local responses [21].

As the sensor nodes in IoT are readily exposed to attacks, IDS proxy was designed for each node in IoT to realize network monitoring, group decision, and other operations. However, current algorithms are limited by drawbacks such as late alarms, high false alarm rate, and low detection efficiency [22]. This study focuses on optimization of efficiency and effectiveness of intrusion detections. Owing to the rapidly increasing data transmission size in IoT, feature extraction can be extremely time consuming and its efficiency has a severe effect on detections. To guarantee good efficiency and effectiveness of intrusion detections, extractions of feature vectors of the data obtained were achieved by the PCA algorithm. In this way, the efficiency and effectiveness intrusion detection algorithm were significantly improved.

With one sample size, p variables of n groups of data were monitored (e.g., abnormal request data packets, missing data packets). The sample monitoring data matrix X can be described by:where X is a matrix consisting of p column vectors, n is the size of data to be monitored, and each data is a coordinate in the nth dimension. The monitoring data of original samples were standardized:

Then, X was projected to the low dimension space vector (T), as follows:where W refers to the projection matrix, which is an orthogonal matrix consisting of covariance matrices (V(x _j )), it can be calculated by:where the covariance matrix (W _i ) is located in the ith column of W, and \( \overrightarrow{{\mathrm{W}}_{\mathrm{i}}} \) is the feature vector corresponding to one specific feature (λ _i ) of V. To achieve rapid detections, features with ambiguous values were eliminated to enhance the detection efficiency. The feature vectors with relatively large values were selected. Herein, an objective prejudgment-based intrusion detection, frequency self-adjustment algorithm for IoT was proposed. In this algorithm, the huge data flow is integrated and analyzed. More specifically, the data is classified using the clustering algorithm: the data sent to potential objectives to be attacked is classified as high-risk data, while other data is classified as low-risk data. The high-risk data and the low-risk data are detected under high frequency and low frequency, respectively.

Define the data set to be clustered as X = {x₁, x₂, …, x _n }, where each sample x _k (1, 2, …, n) has several features, including data transmission rate, average length of data packets, and intervals of data emission. x_k = (x_k1, x_k2, …, x_kj)^T ∈ R^j is the corresponding feature vector, which represents a point in the data feature space, and x _kj is the feature vector in the jth dimension. In this way, data in X is categorized as high-risk data or low-risk data. The result is denoted as a matrix in order of c*n (U = [u_ij]_c*n), which satisfies

The weight distances from samples to the cluster center are defined as objective functions, which can be calculated bywhere U = [u_ij]_2*n is fuzzy classification matrix (u_ij ∈ [0, 1]), m is the weighed index, m ∈ [1, ∞], d _ij is the Euclidean distance (d _ij ) between x _j , and the ith cluster center v _i (i = 1, 2, …, c). d_ij can be calculated by Eq. (11).

To ensure rapid and effective detections of attacks, an objective prejudgment-based intrusion detection, frequency self-adjustment method for IoT is proposed. With no distortions of original data guaranteed, the PCA algorithm can reduce the number of variables and eliminate features with low discriminations. The dimension reduced data was divided by SFC algorithm as high-risk and low-risk data, which are detected using different frequencies to achieve enhanced detection efficiency and accuracy. The procedures are as follows:

The objective function was calculated using Eq. (10). If the value of objective function was no lower than the given optimized classification threshold, the process was repeated; if the value of objective function was lower than the given optimized classification threshold and no changes of any cluster was observed, the process ends.

Due to the slow converging rates of conventional fuzzy clustering algorithms, a suppressor λ _ij (0 < λ_ij < 1) was introduced to d _ij for the purpose of correction. Define the corrected distance as \( {d}_{ij}^{\hbox{'}} \)

It satisfies

where n is the quantity of monitored objective machines, n′ is the quantity of monitored objective machines before application of objective prejudgment, and Δn is the quantity of monitored objective machines after application of objective prejudgment.

The total number (N) of data packets that can be detected per second can be obtained by:where l_min refers to the minimum detection frequency of low-risk data, l_max refers to the maximum detection frequency of high-risk data, and t (0 ≤ t ≤ n) refers to the total number of objective data under attack. In cases of no attacks to the IoT system, the detection frequency of low-risk data (P′) to each objective with detection effectiveness guaranteed is defined as

The detection frequency can be neither over-adjusted (high-risk data is identified as low-risk data) nor under-adjusted (high-risk data cannot be detected) and an appropriate frequency difference is of great significance. With detection effectiveness and accuracy guaranteed, the adjustable data detection frequency difference is defined as

In this way, detection frequencies of high-risk data (P ⁱ _max) and low-risk data (P ⁱ _low) of the ith objective machine by the NIDS system can be obtainedwhere η _i is the ratio of abnormal data sent to the ith objective machine in Δt, A _i refers to the detected abnormal data sent to ith potential target in Δt, and C _i refers to all detected abnormal data sent to ith potential target in Δt. In detections, the detection frequency of the objective was adjusted in real time according to η _i to optimize the detection accuracy.

In this study, the objective prejudgment-based intrusion detection system for IoT was employed. The data was pre-processed using SFC algorithm and PCA algorithm and then detected by frequency self-adjustment. The results indicated that the proposed algorithm can not only enhance the detection efficiency but also reduce the false alarm rate. The accuracy index is the most important performance index of the intrusion detection system, and its value depends on the sample set and the test environment used in the test. The three parameters of detection duration, accuracy rate, and false alarm rate are usually used as evaluation indexes. Therefore, in this study, detection duration (T), accuracy (P), and false alarm rate (F) were employed as evaluation parameters:where N _t is the size of attack samples that are accurately detected, N _f is the size of false alarms, and N′ is the size of overall attacks identified by the system, and N is the size of overall real attacks.

Table 1 summarizes detection results of the proposed algorithm, the neural network algorithm, and the Bayesian algorithm. As observed, the accuracy of the proposed algorithm is higher than those of the other two algorithms. This can be attributed to data dimension reduction by PCA algorithm, which eliminates interferences by irrelevant factors. Additionally, the false alarm rate of the proposed algorithm is lower than those of the other two algorithms. Hence, it can be concluded that the proposed algorithm is viable.

Figure 1 summarizes the effects of the overall data size on the detection efficiency using different algorithms. As observed, detection efficiencies of the three algorithms decreased as the data size increased, while the detection efficiency of the proposed algorithm is lower than those of the other two algorithms. The detection efficiency of the proposed algorithm is higher than those of the other two algorithms, regardless of the overall data size. Therefore, it can be concluded that the proposed algorithm can enhance detection efficiency.

Table 2 summarizes detection results of the proposed algorithm. As observed, the detection rate of abnormal data increased as the time increased. This can be attributed to the continuous self-adjustment of detection frequency according to the responses received.

The accuracy is a key indicator for intrusion detections. The effects of overall data size on the detection accuracy were investigated using different algorithm models, and the results are shown in Fig. 2. As observed, the detection accuracy degraded as the data size increased in all three cases, as the increasing data size leads to decreasing detection efficiency. However, the decreasing rate of the proposed algorithm model was lower than those of the other two algorithms and the accuracy of the proposed algorithm model was higher than those of the other two algorithms in all cases. Therefore, the proposed algorithm model is viable.

With the rapid development of the IoT technology, the security problem is becoming more and more serious. All sensor nodes in IoT are vulnerable to external attacks. The huge network data traffic is a huge challenge to intrusion detection systems as it induces high requirements on the detection efficiency so that attacks can be detected in real time. However, current algorithms are limited by drawbacks such as late alarms, high false alarm rate, and low detection efficiency. Aimed at low effectiveness of intrusion detections for IoT, an intrusion detection method for IoT based on SFC algorithm and PCA algorithm is proposed. In this method, the data obtained are classified by objective prejudgment into high-risk data and low-risk data, which are detected at high frequency and low frequency, respectively. Meanwhile, the self-adjustment of detection frequency is achieved by employing the SFC algorithm and the PCA algorithm. Experimental results revealed improved applicability of the proposed method, compared with conventional methods (e.g., neural network algorithm, Bayesian algorithm). The innovation of this paper is to propose an objective prejudgment-based intrusion detection, frequency self-adjustment method for IoT. With no distortions of original data guaranteed, the PCA algorithm can reduce the number of variables and eliminate features with low discriminations. The dimension reduced data was divided as high-risk and low-risk data, and then tested at different frequencies, which are detected using different frequencies to achieve enhanced detection efficiency and accuracy. This method can quickly improve the effectiveness and accuracy of intrusion detection.

In this study, the number of samples and the detection time are several important factors that affect the efficiency of the algorithm. The key factors affecting this algorithm are analyzed by simulations. Experimental results show that with the increase of data volume, the efficiency and accuracy of intrusion detection algorithm will gradually decrease. Compared with Bayesian algorithm and neural network algorithm, the new algorithm in this paper still has better detection efficiency.

With the continuous development of related research, new intrusion detection models of IOT will be more and more, and the evaluation index will also continue to expand. In subsequent research, we can consider the combination of other indicators and new features of IOT to improve the intrusion detection model.