A. Contributions of the proposed work

Our work makes the following significant contributions:

• In our paper, various ML algorithms are analyzed to evaluate the efficiency of the IDS process, performing missing data imputation along with feature engineering before classification occurs.

• Datasets are verified for the class imbalance that will mislead to false positives, and classification is performed for linear, tree and ensemble-based machine learning models.

• Classification accuracy is ranked by various MCDM (multi-criteria decision-making) algorithms such as TOPSIS, VIKOR, ARAS, MOORA, and WASPAS.

• A novel security framework is proposed to deal with cyber threats that can dramatically compromise the host-based system.

B. Organization of the paper

In this paper, Section I describes the need for the proposed work as an introduction. Section II discusses the materials and methods through a literature survey and a description of various methods that are used in the proposed work. Section III shows the results of the machine learning algorithms and ranking with efficiency analysis. Section IV illustrates the discussion of our novel security framework, including open challenges and recent findings. Finally, Section V briefly concludes our paper.

A. IoT, IoMT, and IDS

By the end of 2022, it is predicted that 50 billion gadgets will be connected to the Internet worldwide, leading to a surge in IoT-based cyberattacks. In response, the authors in [1] provide a comprehensive analysis of technologies, protocols, architecture, and threats related to compromised IoT devices. The focus is on machine and deep learning techniques for effective intrusion detection systems (IDS). The study emphasizes the growing need for detective control solutions against IoT-based assaults. The Internet of Medical Things (IoMT) poses specific challenges due to the exchange of private medical data. Authors in [2] propose a deep neural network (DNN) for intrusion detection in the IoMT environment, addressing the dynamic and unpredictable nature of cyberattacks. The study evaluates various machine learning techniques on benchmark intrusion detection datasets, providing insights into securing sensitive medical information. With a rapid increase in IoT-based applications generating sensitive data, the authors in [3] employ an ensemble classifier based on crowd-search to classify the UNSW-NB15 dataset. Linear Regression, Random Forest, and XGBoost algorithms are used to enhance the security of applications producing personal data, mitigating the risk of data theft. In the context of IoT-driven smart cities, authors in [4] introduce a Privacy-Preserving and Secure Framework (PPSF). This framework incorporates a two-level privacy system and an intrusion detection technique utilizing blockchain, Principal Component Analysis (PCA), and Gradient Boosting Anomaly Detector (GBAD). The aim is to address challenges such as security, privacy, scalability, and verifiability in smart city infrastructure.

B. ML-Based IDS

The authors in [5] explore the use of machine learning in Network Intrusion Detection Systems (NIDS) across various domains. It provides an analysis of different IDS and ML methods, highlighting the deployment of NIDS in diverse contexts. The focus is on optimizing NIDS to combat the evolving landscape of cyber threats. Authors in [6] investigate the potential of machine learning classification methods to defend IoT against Denial of Service (DoS) attacks. The study evaluates classifier reaction times on Raspberry Pi, emphasizing the importance of selecting optimal classifiers based on application needs to protect IoT networks from malicious activities. To address security concerns in computer networks, authors in [7] concentrate on the application of machine learning techniques in intrusion detection and IoT security. The survey offers a thorough analysis of intelligent techniques and their implementations in intrusion detection structures, emphasizing the intersection of IoT and ML. With the proliferation of IoT gadgets and their integration into daily life, authors in [8] explore machine learning and deep learning techniques for enhancing IoT security. The study emphasizes the application of these techniques and evaluates their effectiveness in addressing IoT-related technology security issues. Authors in [9] consolidate the use of various machine learning algorithms and evaluate their efficiency in Intrusion Detection Systems (IDS) for IoT. The study provides insights into the application of machine learning techniques to enhance the security of IoT devices. Authors in [10] discuss the application of machine learning techniques in coordination with emerging trends like 5G and Blockchain in IoT. The study addresses security concerns in Industrial IoT deployed over 5G and explores the application of machine learning and deep learning in Fog architecture. Authors in [11] propose the use of machine learning algorithms to analyze the efficiency of Drone-Integrated IoT systems. The study explores the challenges and opportunities in integrating drones into various applications, including industrial automation and logistics. Addressing the scalability and security issues in IoT-based systems, authors in [12] systemizes the implementation of various static analysis stages using machine learning algorithms. The study focuses on overcoming performance bottlenecks and security threats in IoT systems. Authors in [13] emphasize the application of machine learning techniques to achieve confidentiality and integrity in IoT-based health monitoring devices. The study addresses privacy concerns and highlights the importance of securing sensitive health data generated by IoT devices. In addressing mental health concerns, authors in [14] utilize essential features and machine learning algorithms for early detection of depression. The study employs feature selection algorithms to enhance accuracy levels and differentiate between normal and depressed individuals. To overcome resource constraints in IoT devices, authors in [15] propose a cloud-assisted security service. The study enables the application of machine learning techniques without compromising memory constraints, ensuring efficient security measures for IoT devices. Authors in [16] consolidate the use of machine learning and deep learning techniques in IoT-based Intrusion Detection systems with case studies. The study explores the role of machine learning in enhancing IoT security across various applications and domains. The application of machine learning algorithms in Smart Health Care (SHC) models is explored by the authors in [17]. The study compares the effectiveness of different machine learning algorithms in analyzing health data generated by wearable devices in SHC.

C. DL-Based IDS

Authors in [18] address the limitations of centralized IDS for resource-constrained devices in IoT networks. The authors propose semi-distributed and distributed techniques with parallel machine learning models, combining effective feature extraction and fog-edge coordinated analytics to enhance scalability and responsiveness. Given the resource constraints of IoT devices, authors in [19] suggest offering Intrusion Detection Systems (IDS) as a service on IoT platforms. The study employs a neural network classifier and Random Forest to detect and categorize intrusions, providing security for IoT devices within the limitations of their processing capacity. Authors in [20] introduce a novel IDS for IoT networks utilizing deep learning to categorize traffic flow. The authors create a feed-forward neural network model for binary and multi-class classification, enhancing the detection of various attacks against IoT devices, including denial of service, distributed denial of service, reconnaissance, and information theft. The emergence of deep learning algorithms for intrusion detection in IoT is explored by the authors in [21]. The study highlights the advantages of anomaly-based IDS in detecting zero-day attacks and overcoming the limitations of signature-based detection for unknown threats. Authors in [22] conduct a thorough examination of deep learning approaches used by various IDS in intrusion detection. The paper critically evaluates public network-based datasets, analyzing various performance criteria to assess the effectiveness of deep learning techniques for IDS. Authors in [23] review various deep learning techniques for IoT intrusion detection, discussing their potential combination for effective cybersecurity solutions. The study addresses the significance of deep learning’s data-driven, anomaly-based methodology in identifying emerging and unidentified IoT-related security threats. Authors in [24] provide a comprehensive review of machine learning and deep learning methods for IoT-based Intrusion Detection Systems (IDS). The study analyzes the efficiency of various IDS methods and their strategic implementations.

A. Requirement of the Proposed System

The presence of IoT-based control systems and networks is required almost everywhere in the world. The security requirements of IoT have also become very essential from home security lockers to parameter monitoring and control for mission-critical applications. The attackers may hijack the entire networks to gain access to the complete system through the interception of gateways, servers, or even both. Hence there is a serious demand in protecting the host machines of the IoT network which are the point of contact for the entire network. These systems are probably the entry or access points for the whole network. The prescribed architecture is a complete solution for addressing attack detection and prevention through an integrated approach with analysis and implementation of the prevention system based on the findings received from the previous analysis about IDS (see Section II).

B. Intrusion Detection System

In general, an IDS is built with the perception of identifying the attackers, by allowing them to intercept and attack the system through a weaker application using a duplicate interface without exposing the original one. It could generally be a honeypot that can record the type, tools and technologies involved in the attack with the information about the location of the attack from where it is initiated. Through the observations acquired, a stronger system with enhanced security implementation will be built. In the case of IoT networks, the challenge is increased because they generally have a small capacity to accommodate enhanced security implementations. But eventually, the attackers may not attack a simple sensor node, since it is not possible to gain access to the complete system. The IoT network has a common gateway server to control the entire network. If attackers gain access to this gateway, they gain access to the entire system. Thus the proposed architecture provides solutions to the host-based attacks initiated on the gateway servers and provides the attack data for classification and prediction using machine learning algorithms. Through the prediction of attacks, an effective intrusion prevention system can be built which is the final part of this section.

C. Intrusion Prevention System

An intrusion prevention system can be hardware or software-based to protect the entire network by monitoring, blocking an attack, reporting an attack and even dropping the entire section when a malicious activity is detected. This system can be easily deployed on the servers so that all the incoming requests can be monitored and processed. Through the identification of the security attacks on the IDS, the IPS can effectively be built to protect the entire network from these attacks. In order to establish the IPS we need the support of the AI which performs the classification of all the attacks through various machine learning algorithms, which are compared for the optimal one for the problem through fuzzy-based ranking and recommendation system. Through these evaluations, we select the suitable machine learning algorithm and classify the attack data set. Through the classification report and findings, we develop and update the policies of the IPS that can protect IoT networks from time to time.

A. Missing Data Imputation

The missing value imputation is performed in the dataset. The below-mentioned figure, Fig. 2 shows the missing values. The various process involved in the IDS is listed as an algorithm in Table 1.

TABLE 1 The Algorithm of Botnet Detection and Analysis

FIGURE 2.

Missing value analysis of the botnet dataset.

Show All

The missing data imputation is quantitatively measured as Y. The estimation of the variance of a feature in a data set is given as $\theta _{x}$ . Where x is the complete data set. $\alpha _{x}$ represents the imputed value for a specific instance. The overall imputation $\alpha _{Y}$ is denoted for analysis of the combined data imputation given in Eqn. 1.

View Source\begin{equation*} \alpha _{Y} = 1/Y\sum {(x-1)} ^{Y} \alpha _{x} \tag{1}\end{equation*}

$$\begin{equation*} \phi _{Y}=\omega _{Y}+(1+1/Y) R_{Y} \tag{2}\end{equation*}$$ View Source\begin{equation*} \phi _{Y}=\omega _{Y}+(1+1/Y) R_{Y} \tag{2}\end{equation*}

$$\begin{equation*} \omega _{Y}= 1/Y \sum {(x-1)}^{Y} \tag{3}\end{equation*}$$ View Source\begin{equation*} \omega _{Y}= 1/Y \sum {(x-1)}^{Y} \tag{3}\end{equation*}

$$\begin{equation*} R_{Y}=1/Y-1\sum {(x-1)}^{Y}*\omega _{x}(\alpha _{x}-\alpha _{Y})^{2} \tag{4}\end{equation*}$$ View Source\begin{equation*} R_{Y}=1/Y-1\sum {(x-1)}^{Y}*\omega _{x}(\alpha _{x}-\alpha _{Y})^{2} \tag{4}\end{equation*}

B. Feature Engineering

After the missing data imputation, the next step is feature engineering. Out of 33 features, two are dropped, which are the source and the destination addresses since they have unique IP addresses. This means that each IP address in these two features is distinct and does not repeat within the dataset. Post-feature engineering, the next step is training and classification.

C. Classification

The classification report of various parameters are represented in Table 2. The diagram that represents the comparative analysis is shown in Fig. 3. The various parameters under consideration are accuracy, precision, recall, and f1-score. The four measured values help us determine these parameters such as

• P_p = True positive

• P_n = True negative

• Q_p = False positive

• $Q_{n}$ = False negative

TABLE 2 Performance Comparison of Various Machine Learning Algorithms

FIGURE 3.

Performance Comparison of various machine learning models.

Show All

The accuracy is estimated as per the Eqn. 5.

View Source\begin{equation*} accuracy= (P_{p}+P_{n})/(P_{p}+P_{n}+Q_{p}+Q_{n}) \tag{5}\end{equation*}

$$\begin{equation*} precision= P_{p}/(P_{p}+Q{p}) \tag{6}\end{equation*}$$ View Source\begin{equation*} precision= P_{p}/(P_{p}+Q{p}) \tag{6}\end{equation*}

$$\begin{equation*} re-call= P_{p}/(P_{p}+Q{n}) \tag{7}\end{equation*}$$ View Source\begin{equation*} re-call= P_{p}/(P_{p}+Q{n}) \tag{7}\end{equation*}

$$\begin{align*} &f1-score \\ &= 2 *(precision*re\!-\!call)/(precision\!+\!re\!-\!call) \tag{8}\end{align*}$$ View Source\begin{align*} &f1-score \\ &= 2 *(precision*re\!-\!call)/(precision\!+\!re\!-\!call) \tag{8}\end{align*}

From the tabulated values, we were able to find out that the ensemble models such as decision tree, random forest and Ada boost classifiers provide maximum accuracy, precision, recall, and F1-score. Table 3 displays the false alarm rates, i.e true positive rate, false positive rate, true negative rates and false negative rates.

TABLE 3 False Alarm Rates for Various Machine Learning Algorithms

D. Ranking and Recommendation Systems

Since we need to ascertain these values to identify the best machine model, we apply fuzzy-based models such as TOPSIS VIKOR MOORA, ARAS and WASPAS. These algorithms provide the ranking for these models based on the multi-criteria decision making (MCDM) technique.

1) TOPSIS

The recommendation given by TOPSIS is shown in Table 4

TABLE 4 Ranking of Various Machine Learning Algorithms Using TOPSIS

TOPSIS develops a rank priority pattern which is denoted as P in Table 4. This is obtained from the similarity to the positive and negative ideal solutions S+ and S−. According to the TOPSIS recommendation, a decision tree is selected as the best of all the models with the highest ranking. The four attributes such as accuracy, f1-score, precision and recall are the maximum the better functions. Hence The final ranking is done using this similarity estimation to the ideal solution for ranking such as in Eqn. 9.

$$\begin{equation*} R_{y} ^{*}= S^{+}/(S^{-}-S^{+}) \tag{9}\end{equation*}$$ View Source\begin{equation*} R_{y} ^{*}= S^{+}/(S^{-}-S^{+}) \tag{9}\end{equation*}

2) VIKOR

The next method of ranking is VIKOR which has three parameters for ranking Di, Ei and Qi. Si is the manhattan distance to the ideal solution and Ei is the Chebyshev distance to the ideal solutions Qi determines the final ranking by the value of weights. The estimation of Qi is determined by the below Eqn. 10.

$$\begin{align*} Q_{i}\!=\! x(D_{i}\!-\!D^{*})/(D^{+}\!-\!D^{*})\!+\!(1\!-\!x)(E_{i}\!-\!E^{*})/(E^{+}\!-\!E^{*}) \tag{10}\end{align*}$$ View Source\begin{align*} Q_{i}\!=\! x(D_{i}\!-\!D^{*})/(D^{+}\!-\!D^{*})\!+\!(1\!-\!x)(E_{i}\!-\!E^{*})/(E^{+}\!-\!E^{*}) \tag{10}\end{align*} The parameters $\text{D}^{*}$ tell about the minimum value of distance Di and $\text{D}^{+}$ tells about the maximum value of Di. Similarly the parameters $\text{E}^{*}$ tell about the minimum value of distance Ei and $\text{E}^{+}$ tells about the maximum value of Ei. The value of weight v is considered as 0.5 with the maximum being the better assumption. Finally, the alternatives are ranked in descending order. According to VIKOR ranking, decision tree, random forest and XGB are the best botnet detection algorithms The rank values are tabulated in Table 5

TABLE 5 Ranking of Various Machine Learning Algorithms Using VIKOR

3) MOORA

The next method is called MOORA which has a set of ratios that have the square root of the sum squared value of the denominators. These dimensionless ratios are between the values of zero to one. They are added up in the case of maximization and subtracted in the case of minimization. The ratio is denoted as Yi. Both Yi and the ranking are listed below in Table 6. The weighted standard decision matrix of Moora Y_ij is denoted by the below-mentioned equation. Eqn. 11.

$$\begin{equation*} Y_{ij}=w_{i}*\theta _{ij} \tag{11}\end{equation*}$$ View Source\begin{equation*} Y_{ij}=w_{i}*\theta _{ij} \tag{11}\end{equation*} where w_i is the input weight and the $\theta _{i,j}$ is the normalized value of the input. The same equation is expressed in benefit and cost criteria in Eqn. 12 and Eqn. 13 respectively $$\begin{align*} Y_{i}&=\sum _{n=1}^{x} [Yi] \tag{12}\\ Y_{j}&=\sum _{n=x+1}^{m} [Yj] \tag{13}\end{align*}$$ View Source\begin{align*} Y_{i}&=\sum _{n=1}^{x} [Yi] \tag{12}\\ Y_{j}&=\sum _{n=x+1}^{m} [Yj] \tag{13}\end{align*} Finally, the contribution index $\delta _{ij}$ is calculated as in Eqn. 14. $$\begin{equation*} \delta _{ij}= \sum _{n=1}^{x} [Yi]-\sum _{n=x+1}^{m} [Yj] \tag{14}\end{equation*}$$ View Source\begin{equation*} \delta _{ij}= \sum _{n=1}^{x} [Yi]-\sum _{n=x+1}^{m} [Yj] \tag{14}\end{equation*}

TABLE 6 Ranking of Various Machine Learning Algorithms Using MOORA

From the value of $\delta {ij}$ , we predict the ratio and select the suitable machine learning model by ranking. MOORA based on ratios, predicts SVM as the best of all models followed by Light GB and Ada boost.

4) WASPAS

The next method of ranking to be discussed is WASPAS. This method solves complex decision-making problems using the concept of selecting the best alternative through the relative degree called the utility degree. The utility vector Ki and the ranking values are tabulated in Tab. 7. Finally, the WASPAS is a method which estimates the ranking through ratio analysis and weighted aggregated sum product assessment. The ranking of WASPAS is tabulated in Tab. 7. The weighted aggregated sum product assessment is given as Q which is the average of the alternatives Q₁ and Q₂ respectively.

TABLE 7 Ranking of Various Machine Learning Algorithms Using WASPAS

Using WASPAS the optimal value of $\lambda$ with the following expression in Eqn. 15.

$$\begin{equation*} \lambda = \sigma ^{2}(Q_{i}^{2})/\sigma ^{2}(Q_{i}^{1})+\sigma ^{2}(Q_{i}^{2}) \tag{15}\end{equation*}$$ View Source\begin{equation*} \lambda = \sigma ^{2}(Q_{i}^{2})/\sigma ^{2}(Q_{i}^{1})+\sigma ^{2}(Q_{i}^{2}) \tag{15}\end{equation*} The initial normalized criteria for variance is estimated as per the Eqn. 16. $$\begin{equation*} \sigma ^{2}*\bar {x}_{ij}= 0.05*\bar {x}_{ij}^{2} \tag{16}\end{equation*}$$ View Source\begin{equation*} \sigma ^{2}*\bar {x}_{ij}= 0.05*\bar {x}_{ij}^{2} \tag{16}\end{equation*}

WASPAS uses the variances obtained from WSM and WPM approaches and $\lambda$ to provide the ranking solution. If the value of the $\lambda$ is optimal then this means the accuracy is optimal.

A. Comparative Analysis of the Ranking Systems

The comparative analysis of all the recommender systems is shown in Fig. 4. The weight evaluations corresponding to the rank are considered for the comparisons. SVM is said to provide consistent results among the other methods but the decision tree provides accuracy and predictability with fewer executions compared with ensemble models. Hence, it is much preferred for our prediction of a botnet dataset. From the performance and ranking, a decision tree is preferred compared to the other algorithms for intrusion detection of IoT through botnet datasets.

FIGURE 4.

Comparison of the ranking system.

Show All

Based on the observations, the proposed system is reporting most of the vulnerabilities due to the following concerns.

• TCP-based SPAM attacks

• Insecure HTTP access

• UDP DDoS attacks

• SMTP un encrypted attacks

Fig. 5 displays the graph for comparative analysis after 10 fold cross validation for various machine learning algorithms.

FIGURE 5.

Comparative Analysis after 10 fold cross validation.

Show All

B. Challenges

• It is exceedingly difficult to define or get a verification of the accuracy and completeness of any suggested IDS. A complete IDS that can provide good accuracy, scalability, robustness, and protection from all forms of attacks is quite difficult to develop.

• A high-quality IoT IDS dataset is crucial for testing and validating the proposed Network Intrusion Detection System (NIDS). A substantial amount of network flow data spanning both attacks and typical behaviour should be present in such a dataset, along with the accompanying label. Additionally, other than the attack data for NIDS testing, regular traffic data from each type of IoT device is needed to capture typical behaviour. The majority of publicly accessible datasets are deficient in delivering the necessary features, such as missing labels, incomplete network features, missing raw PCAP files, difficult to understand, and/or incomplete CSV files.

• It is extremely difficult to create an anomaly-based, live, real-time ID for IoT networks. This is so that an IDS could detect anomalous or malicious behaviour without first having to learn a normal behaviour. The learning phase makes the unassailable assumption that there won’t be any noise or attack traffic during this time. If these problems are not resolved, an IDS like this can raise false alarms.

• Computational complexity rises during many stages of the design and implementation of NIDS, such as feature reduction and data pre-processing, model training, and deployment—in particular, ML and DL-based NIDS. Consequently, creating an effective NIDS with minimal computational demands is a challenge.

C. Solutions

• HTTP unencrypted data protection: Usage of the open Secured Socket Layer or any other tools to encrypt the data which is sent can provide the protection. Implementation of HSTS will improve security.

• DDoS attack: The mitigation of the attacks by having a robust firewall which performs a stateful inspection of packets. Later the mitigation of the DDoS requests to another server so that the actual server stays safe.

• Botnet detection: First the behaviour of the incoming packets is detected. Then immediately flagged if found with any unusual behaviour. We apply a challenge response or any other verification method. If verification failed, then we need to deny the requests and send the packets for analysis and add them to the training model so that the intrusion detection and prevention system will be able to detect and restrict intrusions in future.

• SMTP (Simple Mail Transfer Protocol)unencrypted data: It has been flagged that the mail server is running without encryption. SMTP sends data without encryption by default. Hence SMTP is highly vulnerable to MITM attacks. Enabling encryption for a secure connection is the best solution.

• Input validation: It is always better to validate the input before allowing it to get into the system. As there are many DDoS (Distributed Denial of Service Attacks) attempts logged having an input validation increases the vector of security. Reducing the packet window size and firewall would be able to mitigate the DDoS attacks in IoT reasonably.

• Class imbalance: In IoT-based botnet datasets, the common problem is class imbalance. The system that is trained with such datasets will provide results with over-fitting. Further techniques that provide security such as Signature based encryption would also be capable of increasing the class imbalance. To avoid this phenomenon, we can balance the data set with near miss pre-processing algorithm to avoid the class imbalance.

D. Research Findings

• The prescribed work compares the performance of the machine learning algorithms used for botnet classification and provides the best algorithm through ranking using various MCDM techniques. The decision tree provides better accuracy with less time complexity.

• The prescribed work provides solutions for host-based intrusion detection for IoT-based environments

• The proposed work provides a solution for handling the class imbalance which is a potential problem in the IoT-based IDS datasets.

• Implementation of IPS on IoT devices, especially on small-scale devices is extremely difficulty

• The similar class imbalance may occur as the outcome of techniques like Signature-based authentication. The best solution for this is to apply near miss algorithm for pre-processing.

E. Future Directions

• The efforts of near and random miss can be combined with signature-based authentication to increase the performance and decrease the class imbalance.

• Attribute-based secured access may protect the specific sensitive attributes by preventing them from global access.

• Bio-metric authentication systems for IoT-based networks can be handled using deep learning algorithms with multimedia encryption techniques.

• Complex algorithm transformation techniques are required to make them suitable for IoT-based devices