The Internet of Things (IoT) is a very large, heterogeneous environment that supports many diverse applications. Security is critical because of potential malicious threats and the diversity of the connectivity. Devices can protect themselves and detect threats with an Intrusion Detection System (IDS). An IDS typically uses one of two approaches: anomaly-based or signature-based. This paper proposes a model (called "AS-IDS") that combines the two approaches to detect both known and unknown attacks in IoT networks. The proposed model has three phases: traffic filtering, preprocessing and the hybrid IDS. In the first phase, arriving traffic is filtered at the IoT gateway by matching packet features; the preprocessing phase then applies a Target Encoder, Z-score normalization and a Discrete Hessian Eigenmap (DHE) to encode, normalize and eliminate redundancy, respectively. In the final phase, the hybrid IDS integrates signature detection and anomaly detection. The signature-based IDS subsystem inspects packets with a Lightweight Neural Network (LightNet), which uses Human Mental Search (HMS) for traffic clustering in the hidden layer; in the output layer, a Boyer-Moore search, accelerated by the Generalized Suffix Tree (GST) algorithm, looks for a particular signature, and by matching signatures it classifies the traffic as intruder, normal or unknown. The anomaly-based IDS subsystem employs Deep Q-learning to identify unknown attacks and uses the Signal-to-Noise Ratio (SNR) and bandwidth to classify the traffic into five classes: Denial of Service (DoS), Probe, User-to-Root (U2R), Remote-to-Local (R2L) and normal traffic. New signatures are then generated for the detected packets using the Position Aware Distribution Signature (PADS) algorithm. The proposed AS-IDS is implemented on real-time traffic together with the NSL-KDD dataset, and the results are evaluated in terms of Detection Rate (DR), False Alarm Rate (FAR), specificity, F-measure and computation time.
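The preprocessing phase sketched above (target encoding of categorical fields followed by Z-score normalization), as an added Python example that is not the paper's code: the NSL-KDD-style sample records are constructed, and the prior-smoothing of the encoder and the fallback for categories never seen in training are assumptions rather than choices the abstract states. The DHE redundancy-elimination step is omitted.

```python
from statistics import mean, pstdev

# Constructed NSL-KDD-style records (not taken from the paper or the dataset):
# (protocol_type, service, src_bytes, dst_bytes, label), label 1 = attack, 0 = normal.
TRAIN = [
    ("tcp", "http", 215, 45076, 0),
    ("tcp", "http", 162, 4528, 0),
    ("udp", "private", 105, 146, 1),
    ("tcp", "private", 0, 0, 1),
    ("icmp", "ecr_i", 1032, 0, 1),
    ("tcp", "http", 232, 8153, 0),
]
CATEGORICAL = (0, 1)   # column indices holding string-valued fields
NUMERIC = (2, 3)       # column indices holding byte counts

def fit_target_encoder(records, col, m=1.0):
    """Map each category to the smoothed attack rate observed in training.
    Smoothing toward the global prior with weight m is an assumption; it stops
    categories seen once from encoding as exactly 0 or 1 (a label leak)."""
    labels = [r[-1] for r in records]
    prior = mean(labels)
    stats = {}
    for r in records:
        n, s = stats.get(r[col], (0, 0))
        stats[r[col]] = (n + 1, s + r[-1])
    table = {cat: (s + prior * m) / (n + m) for cat, (n, s) in stats.items()}
    return table, prior

def fit_zscore(records, col):
    """Return (mean, std) for a numeric column. A zero std is replaced by 1 so a
    constant column maps to all zeros instead of raising ZeroDivisionError."""
    vals = [r[col] for r in records]
    sd = pstdev(vals)
    return mean(vals), (sd if sd > 0 else 1.0)

def fit_preprocessor(records):
    """Fit encoders on training traffic only; never refit on traffic being scored."""
    return {
        "cat": {c: fit_target_encoder(records, c) for c in CATEGORICAL},
        "num": {c: fit_zscore(records, c) for c in NUMERIC},
    }

def transform(model, record):
    """Turn one record into a numeric feature vector (label dropped).
    Unseen categories fall back to the prior rather than a fresh label estimate."""
    out = []
    for c in CATEGORICAL:
        table, prior = model["cat"][c]
        out.append(table.get(record[c], prior))
    for c in NUMERIC:
        mu, sd = model["num"][c]
        out.append((record[c] - mu) / sd)
    return out
```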