Securing IoT Network against DDoS Attacks using Multi-agent IDS

A crucial issue for the Internet of Things (IoT) is its vulnerability to various kinds of security threats, especially denial-of-service (DoS) attacks, because an IoT network consists of millions of devices attached to the network. Plenty of intrusion detection systems (IDSs) are available for IoT networks; however, detection accuracy is still a big problem. To address the problem, this paper proposes an ensemble IDS for IoT networks. The proposed IDS uses the Multi-agent System (MAS) concept and ensembles the Information Gain feature selection algorithm with the J48 classifier algorithm. Experimental results show the proposed MAS-J48-IDS provides the best accuracy of 99.8% for all selected features compared to IDSs that use Naïve Bayesian (NB) and Random Forest (RF) classifiers. In addition, the use of MAS contributes to load balancing among the nodes in the network itself.


Introduction
Traffic data in an IoT network is created by sensors and then transmitted over a wireless or wired communication channel. Thus, the IoT communication channel should be able to deal with the gigantic traffic volumes produced by a massive collection of devices/sensors, with almost zero dropped packets during transmission and with protection on external edges [1,2]. Security/protection mechanisms for such a system/network must be efficient and effective, as an IoT system/network consists of resource-limited devices and the environment is operationally unattended. In addition, an IoT system/network uses the Internet platform for exchanging information between heterogeneous edge devices; thus, it is susceptible to different security issues [3], [4]. The most needed security service in an IoT system is the availability of objects' services. Denial-of-service (DoS) or distributed DoS (DDoS) attacks flood the targeted network with unwanted traffic to affect service availability. Thus, we need a robust IDS for early detection of this most common attack on the IoT's Network Layer [5].
Umar et al. [6] have discussed that it is possible for an IDS to detect DDoS attacks in a timely manner. In this paper, the IDS uses the J48 classifier algorithm and is implemented as a multi-agent system (MAS), where an agent is a software entity that can perform autonomous activities in the environment. The agents perform different tasks, i.e., data acquisition and traffic monitoring. The agents cooperate through communication. The proposed IDS is evaluated experimentally using the CICIDS-2017 dataset.

Related Work
DoS or DDoS is considered the most dangerous type of attack in IoT networks/systems, because this attack may disrupt the service availability of an IoT system/network. A DoS attack floods the targeted network with massive, integrated traffic with the aim of consuming the targeted system's resources, so that legitimate users cannot access the system's services [7], [8]. There are two main techniques for launching DDoS attacks in IoT networks/systems: sending crafted packets to the target hosts/nodes to manipulate running applications or even protocols, or performing either (i) network DDoS attacks that disrupt users' connectivity [7], or (ii) application-layer DDoS attacks that drain server resources such as memory, CPU, sockets, and bandwidth for database access and input/output processing [8]. Thus, protecting IoT networks/systems against DDoS attacks has become of remarkable interest to security experts.
Many research works on IoT security have been carried out. Table 1 summarizes some that are very close to the work in this paper, with consideration of their IoT vision and the security aspects they focus on.
Table 1.
[11], 2017, MAS & Encryption: √ √
Ali et al. [12], 2016, IoT security: √ √
Granjal et al. [13], 2015, 5-Layer architecture: √ √ √ √
Note: Id = Identification; Au = Authentication; In = Integrity; Pr = Privacy; Tr = Trust; AC = Access Control; Co = Confidentiality.
The authors of [9] have combined MAS and Naïve Bayesian feature classification to develop an IDS that protects IoT networks/systems against DDoS attacks, and showed that it has better performance compared to the conventional IDS.
Liao et al. [14] define intrusion detection as a method implemented to protect systems/networks from outsider threats. Basically, the method works by matching the features of captured traffic against features/signatures already stored in a database. If certain features/signatures match, an alert is triggered. Based on the techniques used for comparing the features, IDSs are categorized into five types, i.e., statistical/Bayesian, heuristic, pattern matching, rule-based, and state-based. An IDS should be able to identify the distinctive characteristics/features of the intrusion malware, specifically when and where it happened as well as the intrusion variety. Thus, an IDS is deployed to enable identification and prevention of unauthorized access, as well as of misuse and abuse of privileges by legitimate users.
The performance of the IDS depends on the classification algorithm used. The J48 classifier is a decision-tree-based machine learning algorithm that uses the entropy concept to create its decision tree from a set of training data [15]. The basic steps of the J48 classifier are as follows.
• If all the instances belong to the same class, produce a leaf labeled with that class and return it.
• Calculate the information gain of every attribute, using the attributes' entropy.
• Determine the best attribute(s) based on the selection criterion and do the branching.
Researchers in [16] have reported that J48 provides high accuracy in detecting malicious activities in a network.
With regard to intrusion detection, implementing a multi-agent system (MAS) may dramatically decrease the nodes' workload by allocating the load among the nodes, as agents in a MAS collaborate independently in gathering and communicating data in the systems/networks. A MAS gives an autonomic self-management characteristic to sensors attached to IoT systems/networks.
Figure 1 illustrates the overall architecture of the experimentation on the proposed IDS.
• Information Gain feature selection: Information gain measures the reduction in entropy (or surprise) achieved by transforming a dataset, and is calculated by comparing the entropy of the dataset before and after the transformation. It is often used in training decision trees.
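The three J48 steps and the Information Gain ranking described above, as an added Python example that is not the paper's code. The flow records and the feature names pkt_rate, syn_ratio and dst_port are constructed for illustration and are not taken from CICIDS-2017; WEKA's J48 additionally uses gain ratio and pruning, which are left out here.

```python
import math
from collections import Counter

# Constructed, already-discretized flow records (not taken from CICIDS-2017).
FEATURES = ["pkt_rate", "syn_ratio", "dst_port"]
_RAW = [
    ("high", "high", "web", "DDoS"), ("high", "high", "web", "DDoS"),
    ("high", "high", "other", "DDoS"), ("high", "high", "web", "DDoS"),
    ("high", "low", "web", "BENIGN"), ("high", "low", "other", "BENIGN"),
    ("low", "high", "web", "BENIGN"), ("low", "low", "web", "BENIGN"),
    ("low", "low", "other", "BENIGN"), ("low", "low", "other", "BENIGN"),
]
FLOWS = [dict(zip(FEATURES + ["label"], r)) for r in _RAW]

def entropy(rows):
    n = len(rows)
    return -sum(c / n * math.log2(c / n)
                for c in Counter(r["label"] for r in rows).values())

def partition(rows, feat):
    parts = {}
    for r in rows:
        parts.setdefault(r[feat], []).append(r)
    return parts

def info_gain(rows, feat):
    # Entropy before the split minus the size-weighted entropy after it.
    after = sum(len(p) / len(rows) * entropy(p)
                for p in partition(rows, feat).values())
    return entropy(rows) - after

def rank_features(rows, feats):
    return sorted(feats, key=lambda f: info_gain(rows, f), reverse=True)

def build_tree(rows, feats):
    majority = Counter(r["label"] for r in rows).most_common(1)[0][0]
    # Step 1: one class only (or nothing left to split on) -> leaf.
    if entropy(rows) == 0 or not feats:
        return majority
    best = rank_features(rows, feats)[0]          # Step 2: gain per attribute
    if info_gain(rows, best) < 1e-12:             # no attribute separates classes
        return majority
    rest = [f for f in feats if f != best]        # Step 3: branch and recurse
    return {best: {v: build_tree(p, rest)
                   for v, p in partition(rows, best).items()}}

def classify(tree, flow):
    while isinstance(tree, dict):
        feat, branches = next(iter(tree.items()))
        # A value never seen in training is reported, not silently passed.
        tree = branches.get(flow[feat], "UNKNOWN")
    return tree
```

On this constructed data the ranking puts syn_ratio first and dst_port last, so a feature-selection cut-off would drop dst_port before the tree is trained.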

Methodology
• Pre-processing: The pre-processing operations on the raw CICIDS-2017 dataset include data creation, feature construction and feature reduction, data transferring, replacement of missing values and discretization, data normalization, and feature selection. The output of this pre-processing is a clean dataset. For the experiment, this work uses 70% of the data as the training dataset and 30% of the data as the testing dataset. Algorithm 1 illustrates the preliminary stage, which consists of the pre-processing and classification steps (adopted from [9]).
• Training the IDS with the J48 classifier: The next step is to train the IDS with the J48 classifier using the training dataset. The output of this process is the trained IDS. Lastly, the trained IDS is tested on the testing dataset, and its performance is measured.
The implementation of the MAS is illustrated in Figure 2. Four types of agents are implemented. The Acquisition Agent collects the traffic attributes from the dataset and then distributes the traffic features. The Monitoring Agent controls any information on anomaly/irregularity. The Communication Agent is responsible for communication among the agents, and the Actuator Agent is an executor for updating occurred events.

Figure 2. MAS implementation
The flowchart of the proposed IDS is shown in Figure 3. It starts with classifying the traffic information. If anomalous/irregular behaviour is identified, a more detailed analysis is performed to further clarify the circumstances. At the same time, the system triggers an alert and takes suitable action to avoid the attacks. The information on the detected attacks is then dispatched to other agents/routers for the purpose of updating their information.

Experimental Setup, Results and Discussion
The J48 feature selection is implemented using WEKA Tool version 3.9, and the whole IDS is implemented in the Python language on a computer with the following specification. Processor: Intel Core i7, RAM: 16 GB, and Operating System: Windows 10. The experiment was conducted and the performance of the proposed MAS-J48-IDS was recorded.
J48 feature selection produces 15, 23, 34, 52 and 57 features that provide optimum criteria. Table 2 lists the accuracy of the proposed IDS compared to IDSs that use the Naïve Bayesian (NB) and Random Forest (RF) feature selection algorithms, for different numbers of selected features. A screenshot of running the J48 classifier in the Weka Tool is shown in Figure 4.
An experiment observing the performance under different traffic loads was also carried out. Figure 5 depicts the comparison of detection rate performance against throughput. The figure shows that the proposed IDS outperforms the other IDSs that use the Naïve Bayesian and Random Forest feature selection algorithms. The results also show that the higher the throughput, the higher the performance.
The experimental results displayed in Table 2 show that the proposed MAS-J48-IDS performs better than the Naïve Bayesian-based IDS and only slightly better than the Random Forest-based IDS. The proposed IDS is also able to detect DoS/DDoS attacks consistently using different numbers of features.

Conclusions and Future Work
Experimental results show that the proposed MAS-J48-IDS is a promising tool for detecting intrusions in an IoT system/network. An intrusion detection system that ensembles Information Gain feature selection with the J48 classifier and is then incorporated into a multi-agent system outperforms the IDSs with Naïve Bayesian or Random Forest classifiers. The proposed IDS achieves 99.8% detection accuracy for almost all of the selected feature numbers. The implementation of the MAS as distributed agents in the IDS balances the energy/power consumption, as the overall computation load is distributed among all the nodes in the network. This advantage addresses the issue of the limited energy/power of devices attached to an IoT system/network.
In the future, the author plans to expand the work through an implementation of an ensemble IDS using a combination of several classifier algorithms. Furthermore, the number, the types, and the nature of the agents can be further elaborated.