1 Introduction
2 Methods
3 Related works
3.1 Signature-based IDS
3.2 Anomaly-based IDS
4 Problem formulation
4.1 Background
4.1.1 Threat model
4.2 Attack scenario
4.3 Design goals
5 Proposed IDS architecture
- The fuzzy module consists of fuzzy computation and fuzzy verification sub-modules, namely fuzzification, the fuzzy inference engine, and defuzzification. Fuzzification maps the device's MQTT traffic measurements, the Connection Message Ratio (CMR) and the Connection Acknowledgment Message Ratio (CAMR), to fuzzy membership degrees. The fuzzy rule engine selects the applicable rule and decides whether the request is legitimate or not. Defuzzification converts the fuzzy output into a crisp value.
- The rule base stores the fuzzy rules, which are formulated from the training network-traffic dataset.
- Fuzzy rule interpolation [23] is applied to the rule base to reduce the complexity of the fuzzy inference engine by deriving appropriate new rules for the rule base.
- The network analyzer consists of traffic statistics and a training dataset. The traffic statistics store the history of network-traffic behaviour for specified time frames. The training dataset stores network-traffic features and is used to train the fuzzy module.
5.1 Feature selection
| Feature name | Description |
|---|---|
| Connect | Connect command |
| ConnectAck | Acknowledgment to Connect command |
| ConnectRate | Percentage of Connect requests arriving at the broker |
| ConnectAckRate | Percentage of ConnectAck responses |
| PublishMessage | Publish message from publishing client to broker |
| ConnAck | Request for subscribing to messages |
| DisconnectReq | Request to disconnect |
5.2 Membership function
5.3 Fuzzy inference system
| Rule | CMR | CAMR | Anomaly |
|---|---|---|---|
| 1 | Low | Low | Normal |
| 2 | Low | Medium | Abnormal |
| 3 | Low | High | Attack |
| 4 | Medium | Low | Normal |
| 5 | Medium | Medium | Normal |
| 6 | Medium | High | Abnormal |
| 7 | High | Low | Attack |
| 8 | High | Medium | Attack |
| 9 | High | High | Attack |
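The rule table above, run as a small Mamdani-style inference system. This is an added example, not the paper's code: the Low/Medium/High membership functions are assumed to be a triangular partition of [0, 1] (the paper's own membership functions are not reproduced on this page), the consequents are assumed singletons at 0, 0.5 and 1, and the label thresholds in `classify` are assumed.

```python
# Added example (not the paper's code): fuzzy inference over the nine
# CMR/CAMR rules. ASSUMED: triangular membership partition of [0, 1],
# singleton consequents at 0 / 0.5 / 1, and the thresholds in classify().

RULES = {  # (CMR, CAMR) -> Anomaly, copied from the rule table
    ("Low", "Low"): "Normal",       ("Low", "Medium"): "Abnormal",
    ("Low", "High"): "Attack",      ("Medium", "Low"): "Normal",
    ("Medium", "Medium"): "Normal", ("Medium", "High"): "Abnormal",
    ("High", "Low"): "Attack",      ("High", "Medium"): "Attack",
    ("High", "High"): "Attack",
}
CONSEQUENT = {"Normal": 0.0, "Abnormal": 0.5, "Attack": 1.0}  # assumed singletons


def membership(x: float) -> dict:
    """Triangular Low/Medium/High partition of [0, 1] (assumed shapes)."""
    x = min(max(x, 0.0), 1.0)
    return {
        "Low": max(0.0, 1.0 - 2.0 * x),
        "Medium": 1.0 - abs(x - 0.5) / 0.5,
        "High": max(0.0, 2.0 * x - 1.0),
    }


def anomaly_score(cmr: float, camr: float) -> float:
    """AND = min, aggregate rule strengths by max per output label,
    then weighted-average defuzzification to a crisp score in [0, 1]."""
    mu_cmr, mu_camr = membership(cmr), membership(camr)
    strength = {label: 0.0 for label in CONSEQUENT}
    for (c, a), label in RULES.items():
        w = min(mu_cmr[c], mu_camr[a])          # firing strength of this rule
        strength[label] = max(strength[label], w)
    total = sum(strength.values())
    if total == 0.0:                             # not reachable with a partition; kept defensively
        return 0.0
    return sum(w * CONSEQUENT[lbl] for lbl, w in strength.items()) / total


def classify(cmr: float, camr: float) -> str:
    """Map the crisp score back to the paper's three labels (thresholds assumed)."""
    score = anomaly_score(cmr, camr)
    if score < 0.25:
        return "Normal"
    if score < 0.75:
        return "Abnormal"
    return "Attack"


if __name__ == "__main__":
    for cmr, camr in [(0.05, 0.05), (0.5, 0.95), (0.9, 0.1)]:
        print(f"CMR={cmr:.2f} CAMR={camr:.2f} -> {classify(cmr, camr)}")
```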
5.4 Fuzzy rule interpolation
- Find the nearest rule for the new observation: the aggregate distance over all antecedent variables $x_j$ determines the distance between rule $R_i$ and the observation $O$, calculated as

  $$ \mathrm{dist}(R_i, O) = \sqrt{\sum_{j=1}^{N} \mathrm{dist}_j}, \qquad \mathrm{dist}_j = \frac{\mathrm{dist}(A_{ij}, A_{oj})}{\mathrm{Range}_{x_j}} \tag{4} $$

  where $\mathrm{dist}(A_{ij}, A_{oj})$ is the distance between $A_{ij}$ and $A_{oj}$, and $\mathrm{Range}_{x_j}$ is the range of the $j$th antecedent. Then the $P$ rules ($P \ge 2$) closest to the observed values $A_{oj}$ are selected for the interpolation that yields the conclusion $C_o$.

- Design the transitional rules: an approximate value of the final consequent is derived from transitional rules built from the new observation, by applying linear interpolation to the $P$ selected rules. The expected antecedents of the new rule are computed from the antecedents of the $P$ rules as

  $$ A'_j = \sum_{i=1}^{P} W_{ij} A_{ij} \tag{5} $$

  where $W_{ij} = \dfrac{W'_{ij}}{\sum_{k=1}^{P} W'_{kj}}$ and $W'_{ij} = \exp\left(-d(A_{ij}, A_{oj})\right)$. Then $A'_j$ is mapped to $A''_j = A'_j + \beta_j\,\mathrm{Range}_{x_j}$, where $\beta_j$ is the difference between $A_{oj}$ and $A''_j$:

  $$ \beta_j = \frac{\mathrm{REP}(A_{oj}) - \mathrm{REP}(A''_j)}{\mathrm{Range}_{x_j}} \tag{6} $$

- Scaling and moving transformations: the REP values of the antecedents of a transitory rule are matched with those of the observation. The fuzzy values in the transitory rule must also be brought to the same scale as the observation through scale and move transformations. The scaled support $(l^*, r^*)$ is determined such that $r^* - l^* = \delta_j (r'' - l'')$, with

  $$ s_j = \frac{r^* - l^*}{r' - l'} \tag{8} $$

  Similarly, the consequent's scaling factor is computed as

  $$ \delta_B = \frac{\sum_{j=1}^{N} \delta_j}{N} \tag{9} $$

  The move function is applied to the resulting fuzzy values so that the mapped fuzzy set becomes the same as that of the observation, and is defined as

  $$ \mathrm{move}_j = \begin{cases} \dfrac{3(l - l^*)}{n^* - l^*}, & n \ge n^* \\[6pt] \dfrac{3(l - l^*)}{r^* - n^*}, & \text{otherwise} \end{cases} $$

  From the above equation, the move function of the consequent is

  $$ \mathrm{move}_B = \frac{\sum_{j=1}^{N} \mathrm{move}_j}{N} $$

  The scale and move mappings are applied to $B''$ using $\delta_B$ and $\mathrm{move}_B$ to obtain $B_o$.
5.5 Defuzzification
5.6 Proposed anomaly detection algorithm
6 Results and discussion
6.1 IDS evaluation metrics
6.1.1 Attack detection efficiency (ADE)
6.1.2 Attack detection rate (ADR)
6.1.3 Attack detection accuracy (ADA) ratio
6.1.4 False-positive ratio (FPR)
| Scenario | True positive | False negative | False positive | Precision | Recall | F-score |
|---|---|---|---|---|---|---|
| 1 | 20 | 2 | 2 | 0.9090 | 0.9090 | 0.9090 |
| 2 | 15 | 3 | 2 | 0.8823 | 0.8333 | 0.8571 |
| 3 | 11 | 4 | 3 | 0.7857 | 0.7333 | 0.7586 |
| 4 | 12 | 4 | 2 | 0.8571 | 0.7500 | 0.8000 |