

Buy and download the full version of the book International Conference on Cyber Security, Privacy and Networking (ICSPN 2022) – Original PDF
Original price: 64,500 Toman. Current price: 37,500 Toman.
Number of sales: 74
Author:
Nadia Nedjah, Gregorio Martínez Pérez, B. B. Gupta
Data Mining Techniques for Intrusion Detection on the Internet of Things Field

Marco Carratù, Francesco Colace, Angelo Lorusso, Antonio Pietrosanto, Domenico Santaniello, and Carmine Valentino

DIIn, University of Salerno, Fisciano, SA, Italy
{mcarratu,fcolace,alorusso,pietrosanto,dsantaniello,cvalentino}@unisa.it

Abstract. Over the years, the Internet of Things (IoT) paradigm has acquired great importance due to its various application possibilities. The need for Intrusion Detection Systems (IDSs) arises from the widespread use of smart tools connected to each other. This paper aims to present a methodology based on data mining techniques to improve the protection of the connection in an Internet of Things application. In particular, this paper exploits machine learning techniques and Recommender Systems. The K-Nearest Neighbor method and a Context-Aware Recommender System allow the identification of attacks. A multiclassification module based on binary perceptron classifiers with a one-versus-one strategy allows the identification of the attack typology. The obtained numerical results are promising.

Keywords: Internet of Things · Intrusion detection system · Data mining · Machine learning · Classification · Recommender Systems

1 Introduction

Over the years, the Internet of Things (IoT) [1,2] paradigm has empowered people to improve their daily life and has opened up many new possibilities. The acronym IoT refers to a set of connected smart tools able to exchange information with each other. This information makes it possible to provide services to users, who can interact with them. The services and the interaction allow IoT to be applied to various fields such as smart cities [3], smart buildings [4], smart homes [5], Industry 4.0 [6], or cultural heritage [7,8]. The possibility of managing smart sensors through a central device connected to the Internet, and of transferring sensitive information, introduces a security problem.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. N. Nedjah et al. (Eds.): ICSPN 2021, LNNS 599, pp. 1–10, 2023. https://doi.org/10.1007/978-3-031-22018-0_1

The cyber-security [9–12] issue arose with the diffusion of the Internet to the public and implied the rise of cyber crimes, which consist of illicit activity to achieve criminal purposes through a computer or a computing device. Cyber crimes can be classified into various categories, such as cyberstalking, cyber terrorism, phishing, and cybersquatting, and are achieved through a cyber attack, that is, an attempt at non-authorized access. The cyber attack, strictly related to cyber crimes, can be divided into two typologies: insider or external attack. Moreover, cyber-attacks can be performed by an organization with specific objectives, such as money or cyber-espionage, or they can be performed by an individual who aims for revenge or recognition. Cyber-attacks exploit malware (malicious software) [13–17] that can assume various forms, such as adware, spyware, viruses, worms, and trojan horses. The evolution of malware increases network vulnerability and raises the security requirements on the Internet of Things paradigm to guarantee sensitive data protection [18].

The introduction of Intrusion Detection Systems aims to identify data traffic anomalies and illicit activities through the network [19]. Because of the evolution of malware and its variety, there are four main Intrusion Detection techniques [20–22]:

– Signature-based approaches [23] require a dataset that collects the main features of attacks to identify patterns and similarities with possible new attacks. These approaches return a low level of false alarms. On the other hand, their principal limit is the inability to recognize new attack typologies that the database does not include.
– Anomaly-based approaches [23] exploit every change of the usual behaviors in the network to identify possible attacks. The principal limit of anomaly-based techniques is the high percentage of false alarms caused by identifying anomalies even in new behaviors that are not illegal. These approaches can be further divided into:
  • Statistical-based approaches [20];
  • Knowledge-based approaches [20];
  • Anomaly-based approaches through machine learning techniques [20].
– Specification-based approaches, similar to anomaly-based ones, aim to identify behaviors that are different from usual ones. The main difference from anomaly-based approaches is the use of rules and thresholds determined by experts: the ability to identify attacks does not rely on automatic techniques but on human knowledge, which allows the system to understand behavior changes.
– Hybrid approaches take advantage of signature-based, anomaly-based, and specification-based techniques to overcome the limits of each single method and identify attacks.

Developing reliable detection techniques allows for protecting sensitive data in the Internet of Things paradigm. In particular, this paper aims to create a detection technique based on two data mining methods, K-Nearest Neighbor and Context-Aware Recommender Systems (CARSs), and on the Perceptron [24] algorithm for multiclassification.

The K-Nearest Neighbor (KNN) [25] is an instance-based machine learning technique that exploits similarity measures to make predictions. It falls into the classification algorithms and takes advantage of a straightforward implementation phase. The similarity measure that KNN exploits is the Minkowski distance [26]:

$$d_p(x, y) = \left( \sum_{i=1}^{n} |x_i - y_i|^p \right)^{\frac{1}{p}}, \qquad x, y \in \mathbb{R}^n$$

This distance becomes the Manhattan distance when p = 1, and the Euclidean one when p = 2.
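The following Python example is added here and is not code from the paper. It applies KNN with the Minkowski distance d_p to constructed flow features to separate normal traffic from attacks; the feature layout, the sample values, the min-max scaling step and k = 3 are assumptions.

```python
from collections import Counter

def minkowski(x, y, p):
    """Minkowski distance d_p(x, y); p=1 is Manhattan, p=2 is Euclidean."""
    if len(x) != len(y):
        raise ValueError("vectors must have the same dimension")
    if p < 1:
        raise ValueError("p must be >= 1 for d_p to be a metric")
    return sum(abs(a - b) ** p for a, b in zip(x, y)) ** (1.0 / p)

def fit_minmax(rows):
    """Per-feature (min, max), learned from the training set only."""
    return [(min(col), max(col)) for col in zip(*rows)]

def scale(row, bounds):
    """Rescale with the training bounds so no single feature dominates d_p.
    Training rows land in [0, 1]; unseen rows may fall slightly outside."""
    return [(v - lo) / (hi - lo) if hi > lo else 0.0
            for v, (lo, hi) in zip(row, bounds)]

def knn_predict(train, labels, query, k=3, p=2):
    """Majority vote among the k training flows closest to `query`."""
    bounds = fit_minmax(train)
    scaled = [scale(r, bounds) for r in train]
    q = scale(query, bounds)
    ranked = sorted(zip(scaled, labels), key=lambda t: minkowski(t[0], q, p))
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]

# Constructed sample flows (assumed layout):
# [packets per second, mean packet size in bytes, distinct destination ports]
TRAIN = [
    [12, 540, 2], [9, 610, 1], [15, 480, 3], [11, 700, 2],   # normal traffic
    [900, 60, 1], [1200, 64, 2], [850, 58, 1],               # flood-like
    [40, 44, 180], [55, 40, 240], [35, 48, 150],             # scan-like
]
LABELS = ["normal"] * 4 + ["attack"] * 6

if __name__ == "__main__":
    for flow in ([14, 520, 2], [1000, 62, 1], [45, 46, 200]):
        for p in (1, 2):
            print(flow, "p =", p, "->", knn_predict(TRAIN, LABELS, flow, p=p))
```

Without the scaling step, the packets-per-second and packet-size columns would dominate the distance and the port-count feature would contribute almost nothing.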
Recommender Systems (RSs) [27–29], instead, are data filtering and analysis tools able to provide suggestions to users according to their preferences. In particular, CARSs [30] exploit context [31,32] to improve the provided forecasts, where the context is defined as any information able to influence system entities (users and items) and their interaction with the system.

These two tools will be exploited to develop an intrusion detection [35] method in an Internet of Things application, while the multiclassification through the Perceptron algorithm allows identifying the attack typology. This paper is structured as follows: Sect. 2 contains the related works, Sect. 3 describes the proposed approach and presents the related architecture, Sect. 4 introduces the experimental results, and, finally, Sect. 5 contains conclusions and future improvements.