OPTIMIST: Lightweight and Transparent IDS with Optimum Placement Strategy to Mitigate Mixed-rate DDoS Attacks in IoT Networks

Pradeepkumar Bhale, Student Member, IEEE, Debanjan Roy Chowdhury, Student Member, IEEE, Santosh Biswas, Senior Member, IEEE, and Sukumar Nandi, Senior Member, IEEE

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3234530

Abstract—Distributed denial of service (DDoS) attacks are widespread for Internet of things (IoT) systems; they aim to disrupt the availability of a system completely (high-rate DDoS) or partially (low-rate DDoS). Design and placement of Intrusion Detection Systems (IDS) for DDoS attacks on IoT systems are challenging due to the low power and lossy nature of the networks. Existing IDSs are designed to handle either high-rate or low-rate DDoS but cannot handle both with good accuracy. Existing IDS placement techniques are mostly non-transparent, making malicious nodes aware of the presence of IDS nodes. Most of the IDS placement strategies are non-optimal, making them energy inefficient. Accordingly, this work proposes a transparent, optimally placed, distributed IDS solution, namely OPTIMIST, which can handle both high-rate and low-rate DDoS attacks with good accuracy. The placement problem is formulated as the weighted minimum vertex cover problem of a K-uniform hypergraph and solved with an approximation algorithm. The IDS module is based on an LSTM model, where a novel offline training method for the LSTM is proposed using WGAN-generated artificial flows. Extensive experimentation on simulation and testbed shows that OPTIMIST can best achieve the balance between DDoS detection and energy overhead.

Index Terms—Internet of Things (IoT), mixed rate distributed denial of service (MrDDoS) attack, intrusion detection systems (IDS), IDS placement, Wasserstein GAN (WGAN), Long short-term memory (LSTM).

This work is partially funded by the Science and Engineering Research Board (SERB), Government of India. This work is partially funded by the Information Security Education and Awareness (ISEA), Phase II, Ministry of Electronics and Information Technology, Government of India.
P. Bhale, DR Chowdhury, and S. Nandi are with the Department of Computer Science and Engineering, Indian Institute of Technology Guwahati, Guwahati 781039, India (e-mail: [email protected]; [email protected]; [email protected]).
S. Biswas is with the Department of Electrical Engineering and Computer Science, Indian Institute of Technology Bhilai, Bhilai 492015, India (e-mail: [email protected]).
Copyright (c) 20xx IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected].
© 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Kongu Engineering College. Downloaded on January 19,2023 at 10:40:38 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

In the last few years, various sectors like smart health monitoring systems, smart vehicles, smart home appliances, and smart cities have witnessed steady increases in the usage of IoT [1]. IoT devices are battery-operated, energy-constrained nodes with limited computation and storage capacities. IoT devices generate data by sensing the environment and send the generated data to a remote server through the Internet for further analysis/processing. IoT devices can be queried through the Internet for their generated data by external entities, and the obtained data is used for various critical/non-critical applications. Therefore, maintaining the authenticity, integrity, confidentiality, and availability of the generated data is very crucial, and the violation of any of them may incur serious consequences. As the IoT nodes are externally accessible through the Internet, any security vulnerability of the IoT devices can be exploited. IoT devices are manufactured by various vendors, which can purposefully insert backdoor vulnerabilities to launch attacks. For example, an IoT device can be compromised and turned into a bot by an external malicious entity. That bot can be used to launch various kinds of attacks by generating malicious traffic flows. Among these malicious flows, DoS and DDoS attacks are very harmful to IoT systems as these attacks disrupt the availability of systems. Therefore, internal traffic flows also need to be monitored/analyzed by IDS systems [2]. DDoS attacks can be classified into high-rate DDoS (HrDDoS) and low-rate DDoS (LrDDoS) attacks. HrDDoS aims to disrupt the IoT system completely, whereas LrDDoS aims to partially degrade the IoT system performance, making LrDDoS detection more challenging compared to HrDDoS. Many existing solutions detect HrDDoS, whereas very few solutions are proposed for LrDDoS. To the best of our efforts, we could not find existing work which is designed to detect mixed-rate DDoS (MrDDoS) attacks (HrDDoS and LrDDoS). Motivated by this fact, this paper proposes the IDS solution OPTIMIST, which can detect and mitigate MrDDoS attacks. The OPTIMIST IDS module is based on an LSTM model, which is trained using publicly available as well as in-house generated datasets. However, the distribution of the flows of these datasets exhibits some bias specific to the network which was used to generate the datasets. As a result, though the trained model shows high accuracy when tested with the flows of the same dataset, the model's performance fails to meet the expectation when run in network scenarios whose flow distributions are different from the training datasets. Motivated by the above facts, a novel training method is proposed for OPTIMIST where WGAN-generated artificial flows from the datasets are mixed with the original flows to reduce the biases of the datasets.

One crucial design challenge for any IoT solution is the IDS placement/deployment problem, i.e., where to run an IDS solution. A few IDS solutions are centralized in nature and run on the border router, through which all external Internet traffic flows are passed. A few existing works have proposed to run IDS on all IoT devices, which is redundant and reduces network lifetime. An alternative hybrid solution is to run IDS in the border router along with a few selected nodes, where each node is responsible for monitoring a small subset of the network. In this case, the design problem is to select an optimum number of nodes that can balance network coverage and energy. A few cluster-based solutions have been proposed where the network is divided into clusters, and cluster heads run IDS. The monitored nodes are queried by cluster heads for various network statistics, and the collected statistics are either analyzed locally in cluster heads or reported to the sink. This query-response scheme imposes network overhead, resulting in energy depletion of the nodes. Moreover, the presence of IDS nodes is exposed in the network, and the malicious flows generated by compromised IoT nodes can easily avoid the IDS nodes. In transparent IDS solutions, IDS nodes transparently sniff/eavesdrop on flows surrounding them without making their presence visible to other nodes. Though there are very few existing works on transparent IDS solutions, their placement strategies are non-optimal. Motivated by the above discussion, this paper proposes an optimal IDS placement strategy for a transparent IDS solution that can balance network coverage and energy overhead.

The above discussions are the motivations of the proposed work, namely, A lightweight and transparent IDS with optimum placement strategy to mitigate mixed-rate DDoS attack in IoT system (OPTIMIST). The contributions of our work are summarized as given below:
• Unlike existing works which focus either on high-rate or low-rate DDoS, this work provides a solution for mixed-rate DDoS attack detection, which can detect and mitigate both high and low-rate DDoS attacks.
• A novel training method is proposed to build the IDS solution. WGAN is used to generate artificial flows from public datasets as well as an in-house generated dataset to reduce the distribution bias of the datasets. The WGAN-generated flows are mixed with the public and in-house generated training datasets and used for LSTM model training.
• A novel hybrid IDS placement algorithm is proposed, which runs transparently without incurring any network overhead. The IDS node selection is optimized, which balances energy overhead and IDS coverage. The problem is formulated as the weighted minimum vertex cover problem of a K-uniform hypergraph, and an approximation solution is provided.
• Extensive experiments on Contiki and the FIT IoT-LAB testbed are done for competitive performance analysis of the proposed scheme. The results show that our proposed scheme is most effective in detecting the attacks while consuming minimum energy compared with existing benchmark protocols.

The rest of the document is organized as follows. Section II provides some basic background knowledge about IoT and attacks on IoT. Existing literature surveys on IDS placement and IDS solutions are presented in Section III. In Section IV, the IDS placement problem formulation and the proposed solution are described in detail. Section V provides a detailed description of the proposed IDS solution. Performance evaluation of the proposed work is given in Section VI with detailed experimentation setup and competitive result analysis. This work is summarized in Section VII.

II. BACKGROUND

This section discusses a few important aspects of IoT and IoT security. IoT as a low power lossy network (LLN) is introduced in Section II-A. Section II-B discusses DDoS attacks on IoT networks.

A. IoT as low power lossy network

IoT are networks of resource-constrained nodes which sense various environment parameters and report generated data to sink(s). These nodes are connected to the Internet through a border router (BR/6BR). The underlying network is of low power lossy network (LLN) type, comprising interconnected nodes of constrained energy (powered by battery), memory, and computing capacity. Nodes are interconnected by lossy wireless links of short communication ranges and low data rates. The IPv6 Routing Protocol for LLNs (RPL) is standardized for LLN as a proactive distance-vector routing protocol. The routes are formed from 6BR to each node as a destination oriented directed acyclic graph (DODAG). Depending on the resource constraints, a node may store (storing mode) or may not store (non-storing mode) routing information locally. In non-storing mode, only 6BR has the entire DODAG topology information, and all messages are forwarded to 6BR to get routed to destinations. As a result, 6BR needs to do source routing to forward a message toward a destination.

B. Attacks on IoT

IoT networks are prone to various attacks due to the end-node accessibility through the Internet, the lossy nature of networks, and resource constraints of the nodes. A few well-known attacks are rank attacks, black-hole attacks, sink-hole attacks, version number attacks, buffer reservation attacks, bot attacks, DoS attacks, and DDoS attacks. The nature of these attacks varies vastly with the varying objectives of the attacks, like interrupting network traffic, exhausting network resources, disrupting the topology, etc. This paper is focused on DDoS attacks, which can be broadly classified into two categories, as given below.

1) High Rate DDoS attack (HrDDoS): In the HrDDoS, the assailants flood the network with malicious flows to interrupt the availability of IoT services. The interruption is created by exhausting resources like channel bandwidth, router buffer, CPU, etc. Attacks can be of transport or network layer flooding [3], [4] such as user datagram protocol (UDP) flooding, transmission control protocol (TCP) SYN flooding, Internet control message protocol (ICMP) flooding, etc.


2) Low-rate DDoS Attacks (LrDDoS): An LrDDoS attack is difficult to identify because of its low-rate and intermittent traffic behavior, which is quite similar to the legitimate traffic [5]. These attacks intend to increase latency and decrease the network's throughput to some extent for genuine users rather than disrupting the IoT services entirely. An LrDDoS attack model can be described by three parameters, which are the off-time phase, on-time phase, and time interval. In an off-time phase, no attack packet is sent. During an on-time phase, the assailant sends malignant messages. The time interval ∆ phase maintains the time between two successive attack packet generations. Fig. 1 shows the LrDDoS attack model with the three parameters.

Fig. 1: LrDDoS attack model adapted from [5]

3) Mixed-rate DDoS Attacks (MrDDoS): MrDDoS is the type of attack which includes both the HrDDoS and LrDDoS types of attacks.

III. RELATED WORK

This section is organized into two parts. Section III-A reviews existing works on IDS placement, while in Section III-B, various existing IDS solutions are discussed.

A. IDS placement

Thakkar et al. [6] and Bruno et al. [2] have surveyed various IDS placement strategies and have categorized them into groups of centralized, distributed, and hybrid placement strategies. In a centralized placement strategy, an IDS instance is run in one dedicated high-resource node like a border router (6BR). The works [7], [8] are examples of centralized placement strategy. Though centralized placement can monitor all external traffic, some malicious internal flows generated by compromised LLN devices may remain undetected. In a distributed placement strategy, lightweight (like rule or signature-based) IDS instances are run in all the LLN nodes. The work [9] is an example of distributed placement strategy. Though this strategy enables host-based IDS (HIDS) [10], [11], running IDS all the time on all nodes is redundant, draining energy from low-resourced nodes rapidly. The hybrid placement strategy combines the benefits of both centralized and distributed strategies. In this strategy, a centralized entity monitors external traffic, while a few of the LLN nodes are selected as IDS nodes to perform the role of watchdogs by monitoring the behavior of a subset of the nodes. The works [12], [13] are examples of hybrid placement strategies. As a subset of LLN nodes run IDS, network-based IDS (NIDS) [10] is applicable.

The task of monitoring can be performed in transparent or non-transparent mode. In non-transparent mode [7], [8], [12], the IDS nodes gather network status by querying or probing monitored nodes, making malicious nodes aware of the presence of IDS nodes in a network. Additionally, these extra messages increase network congestion and energy overhead. In transparent mode [9], [11], [13], IDS nodes can sniff/eavesdrop packets to gather network information without adding any network overhead while keeping their presence in the network transparent to malicious nodes. In a transparent IDS placement scheme, there is a trade-off between IDS coverage and energy overhead. On the one hand, if energy overhead is reduced by selecting a small number of IDS nodes, the IDS system is unable to eavesdrop on all traffic flows, resulting in poor IDS coverage. On the other hand, if IDS coverage is improved by increasing the number of IDS running nodes, it decreases network lifetime. Consequently, optimization techniques are needed to balance IDS coverage and energy overhead.

No existing work was found which provides an optimum IDS placement solution for transparent monitoring mode. Accordingly, in this work, we propose a novel IDS placement algorithm for transparent monitoring, which is able to provide an optimum balance between IDS coverage and energy overhead based on system requirements.

B. IDS solutions

A number of IDS techniques are available in the literature which can be broadly classified into two categories: signature-based and anomaly-based [2], [14].

1) Signature-based IDS [2]: In this strategy, the IDS is trained to learn behavior patterns or signatures of previously known attack flows. The trained model is then used to classify observed behaviors of network flows. However, signature-based IDS cannot detect unknown (zero-day) attacks or modified/evolved known attacks since their signatures are unknown to the IDS. A few examples of signature-based IDS solutions for HrDDoS are given next. Li et al. [15] proposed a collaborative blockchain-enabled IDS framework for the IoT ecosystem. This approach incrementally builds and updates the signature database in the IoT network. It is also verifiable without the requirement of a trusted third party. Yadav et al. [16] proposed an automated machine learning (ML) model for IoT-enabled smart energy grids. Results are presented using an IoT dataset, showing the potential of the proposed approach in smart energy infrastructures.

Following are a few examples of signature-based IDS solutions for LrDDoS. Perez-Diaz et al. [17] proposed a modular architecture that can detect and mitigate LrDDoS attacks in SDN-enabled networks. The IDS module is trained with six distinct types of ML models. Even though it is hard to find LrDDoS attacks, the study shows that the suggested approach has a 95% detection rate. Liu et al. [18] proposed an LrDDoS attack detection method for wireless networks. In this method, the authors built a multidimensional sketch structure based on network traffic characteristics. This approach also preserves the baseline stability of network traffic and correctly differentiates LrDDoS attack traffic from normal network traffic.

2) Anomaly-based IDS [14]: In this strategy, an IDS solution first profiles the expected behavior of a given system and then tries to detect any deviant behaviors from the learned behavior profile. Though anomaly-based IDS can detect zero-day attacks, it usually suffers from a high false-positive rate, as it is difficult to learn all possible normal behaviors of a given system in a finite time.

A few works have proposed anomaly-based IDS solutions for HrDDoS attacks. For example, Tabassum et al. [19] proposed a privacy-preserving IDS based on distributed incremental learning. To reduce the computation costs, the work has used a pre-processing method to eradicate redundant features. The work used non-negativity constraint-based autoencoders supporting distributed IDS. This approach minimizes and allocates the loads among IoT devices. Hussain et al. [20] proposed a two-fold approach to detect DDoS attacks. First, the premature attack activities are scanned, and then the ML model is trained for DDoS attack detection in the IoT ecosystem. The model is trained with distinct datasets to identify HrDDoS assaults exclusively. Abdelmoumin et al. [21] proposed a distributed IDS module that incorporates principal component analysis and 1-SVM AML-IDS. They enhanced 1-SVM AML and PCA models using ensemble learning and hyper-parameter tuning to identify HrDDoS attacks. The authors trained and tested these improved models on malicious and benign IoT network flows. Saharkhizan et al. [22] proposed an IDS comprising multiple LSTM models for attack detection on IoT systems. The model reportedly reached 99.91% accuracy. Li et al. [23] proposed a solution using LSTM and Bayes (LSTM-BA) models. DDoS attack detections by the LSTM model can be of high or low confidence. Low confidence data is further analyzed using the Bayes model to further enhance the accuracy. However, the proposed LSTM-BA model is not suitable for resource-constrained devices.

A few works used anomaly-based IDS for LrDDoS attack mitigation. For example, Garcia et al. [24] proposed an AI-based method for detecting LrDDoS attacks. This method continuously observes network traffic and organizes packets into conversation flows. The LrDDoS security model integrates deep learning and clustering analysis to enhance LrDDoS attack detection accuracy. Liu et al. [25] designed an LrDDoS attack detection technique. This technique is a combination of the self-adjusting SVM algorithm and APSO optimization. The self-adjusting SVM technique improves the generalization capabilities. Similarly, the APSO algorithm was employed to enhance the attack's adaptability. The outcomes demonstrated outstanding detection performance and accuracy, varying between 92.36% and 96.65%.

None of the above-mentioned works has trained their models with GAN/WGAN generated artificial traffic flows to reduce the bias of the trained models. In this work, we have generated artificial flows from the training datasets with WGAN and trained the LSTM model to make the OPTIMIST IDS more robust compared to existing solutions. None of the existing works has proposed an IDS solution that can detect both HrDDoS and LrDDoS types of attacks. Accordingly, the proposed OPTIMIST IDS is trained with both HrDDoS and LrDDoS to detect and mitigate both types of attacks.

IV. PROPOSED OPTIMIST IDS PLACEMENT

This section is divided into two parts. The problem formulation for IoT IDS placement is described in Section IV-A and the solution for IoT IDS placement is proposed in Section IV-B.

A. IDS placement problem formulation

OPTIMIST proposes a transparent IDS placement strategy as it reduces network and energy overheads compared to non-transparent placement strategies. If the presence and locations of IDS nodes are unknown to the other IoT nodes, the IDS can be termed transparent. In a transparent IDS system, the IDS running nodes monitor and process surrounding traffic flows only by eavesdropping, and do not query the monitored nodes about their traffic/system status. To quantify transparent IDS coverage, we define the term K-hop IDS coverage scheme, which guarantees to monitor any flow of length K hops or more. However, in a K-hop IDS coverage scheme, a few of the flows of length less than K may (not necessarily) remain unmonitored. There can be two solutions for an IDS system to eavesdrop or transparently monitor (without querying monitored nodes) packets in an IoT network.
1) IDS nodes can monitor any ongoing flow in promiscuous mode within their one-hop neighborhood.
2) IDS nodes can eavesdrop on a K-hop flow if they are intermediate nodes in the flow path.
To reduce the total network energy consumption for a distributed IDS solution, the number of IDS running nodes needs to be minimized without compromising the K-hop coverage property of the IDS system, where K is predetermined by the network administrator. The value of K is a trade-off between energy and security. Larger values of K require fewer IDS running nodes, which saves overall network energy but comes at the cost of a few unmonitored flows of lengths up to K − 1. However, periodic selection of different sets of IDS nodes minimizes the unmonitored flow problem. To achieve the K-hop coverage property, an IDS node needs to be placed in every possible path of degree K. An optimum number of IDS nodes can be selected by finding the K path vertex cover of the IoT network topology graph. In the case of promiscuous mode eavesdropping, in addition to the packets for which an IDS node is an intermediate/destination node, the IDS node also needs to capture and process all the ongoing transmissions within its communication range. This causes fast depletion of the overall energy of an IoT network [12], [26]. To reduce energy consumption, the second IDS solution is preferable, where an IDS node processes only the packets for which it is an intermediate/destination node. The flows of an IoT network follow the routes established by the RPL DODAG. If non-storing mode is used for the DODAG RPL routing, a node can eavesdrop on all the packets which are generated from or destined for a node within its DODAG sub-tree. However, in non-storing mode, packets of most flows take non-optimal


paths via the root to reach destinations, which incurs delay and consumes network energy unnecessarily. If the storing mode of RPL routing is used, though the flow paths are optimal, an IDS node can eavesdrop on a flow only if it is an intermediate node in the path between source and destination. An example with 3-hop IDS placement for the DODAG-based IDS placement scheme is illustrated in Fig. 2. For non-storing mode, the flow from source S to destination D is passed through the IDS node, whereas in storing mode, the same flow gets unmonitored. To guarantee that all flows of length greater than or equal to K hops are monitored by an optimum number of IDS nodes, a K path vertex cover solution on the DODAG can be used. As a fresh IDS selection happens each time the DODAG is re-created, the problem of undetected flows of K-hop IDS coverage is minimized. However, while selecting IDS nodes, the residual energy of the nodes also needs to be considered. Accordingly, the problem is formulated into a weighted minimum vertex cover problem of a K-uniform hypergraph as given next.

Fig. 2: An example with 3-hop IDS placement for DODAG based scheme with non-storing and storing mode

An undirected hypergraph H consists of a vertex set V, and a collection of non-empty subsets of V, namely hyperedges, forming the set E. In a hypergraph, a hyperedge can connect an arbitrary number of vertices. A hypergraph is called K-uniform if $|E_m| = K,\ \forall E_m \in E$. Consider the DODAG as an undirected tree. For each node/vertex of the undirected tree, create a hyperedge for each of the K-hop length paths from that node. Consequently, each created hyperedge is a set of K vertices. The set of all such hyperedges E, along with the set of vertices V, form the K-uniform hypergraph H. The algorithm for creating the K-uniform hypergraph from an undirected tree graph is given in Algorithm 1. If an IoT node i has remaining energy $E_i$, a weight $1/E_i$ is assigned to the corresponding vertex $V_i$ of the hypergraph H. Let the function $\omega(V_i)$ give the assigned weight of $V_i$. The minimum weight vertex cover solution VC of H contains the minimum number of vertices of H such that $E_m \cap VC \neq \emptyset,\ \forall E_m \in E$. In other words, VC contains at least one vertex from each of the K-hop paths from all vertices of the undirected tree, and the total remaining energy of the selected nodes is maximized. Finding the vertex cover of a graph is known to be NP-Hard. However, an approximation solution of a K-uniform hypergraph can be found with K approximation ratio by solving the problem as a binary (integer) program, which is described next.

Algorithm 1 K-uniform hypergraph creation from an undirected tree
Input: Undirected tree graph G = {V, E}, K
Output: K-uniform hypergraph H = {V, E}
 1: V ← V, E ← ∅
 2: for all Vi ∈ V do
 3:   declare QUEUE Q
      {//Create initial 1 hop paths from Vi}
 4:   for all Vj adjacent to Vi do
 5:     declare STACK S
 6:     S.PUSH(Vi)
 7:     S.PUSH(Vj)
 8:     Q.ENQUEUE(S)
 9:   end for
      {//Extend the initial 1 hop paths from Vi}
10:   while !Q.EMPTY() do
11:     STACK TS = Q.DEQUEUE()
        {//If a path is of K-hop, insert into the hyperedge set}
12:     if TS.SIZE == K then
13:       declare SET hE
14:       while !TS.EMPTY() do
15:         Vt = TS.POP()
16:         hE.INSERT(Vt)
17:       end while
18:       E.INSERT(hE)
19:       continue
20:     end if
        {//Keep growing the paths}
        {//Get the last added node of a path}
21:     Vl = TS.POP()
        {//Get the predecessor node of the last added node}
22:     Vl2 = TS.TOP()
23:     for all Vm adjacent to Vl do
24:       if Vm != Vl2 then
25:         declare STACK SC
26:         SC ← TS
27:         SC.PUSH(Vl)
28:         SC.PUSH(Vm)
29:         Q.ENQUEUE(SC)
30:       end if
31:     end for
32:   end while
33: end for

Let $x(V_i) \in \{0, 1\}$ denote the decision variable for vertex $V_i$, i.e., whether to include it in the solution set VC of the vertex cover problem of the hypergraph H defined above. Then the objective of the minimum weight vertex cover solution is given below.

Formulation 1:

Minimize $\sum_{V_i \in V} \omega(V_i) \cdot x(V_i)$

Subject to the constraints:
1) $\sum_{V_j \in E_m} x(V_j) \geq 1,\ \forall E_m \in E$
2) $x(V_i) \in \{0, 1\},\ \forall V_i \in V$

As the integer program is an NP-Hard problem, we apply linear programming relaxation to remove the integer constraints of the decision variables, allowing them to be real numbers in the range [0, 1]. The resulting formulation of the linear program is given below.

Formulation 2:

Minimize $\sum_{V_i \in V} \omega(V_i) \cdot x(V_i)$

Subject to the constraints:
1) $\sum_{V_j \in E_m} x(V_j) \geq 1,\ \forall E_m \in E$
2) $x(V_i) \leq 1,\ \forall V_i \in V$
3) $x(V_i) \geq 0,\ \forall V_i \in V$
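The following Python program is an added example and is not code from the paper or its authors. It implements Algorithm 1 on a small constructed DODAG, assigns the $1/E_i$ vertex weights, solves Formulation 1 exactly by enumerating all vertex subsets (feasible only for a toy tree), and applies the $x(V_i) \geq 1/K$ rounding of step 4 in Section IV-B to a constructed fractional vector that stands in for the output of an LP solver (this example calls none). The tree TREE, the energies ENERGY, the vector X_FRACTIONAL and all function names are assumptions of this example, not identifiers from the paper.

```python
"""Added illustration (not the authors' code): Algorithm 1, the 1/E_i vertex
weights, Formulation 1 solved exactly on a small tree, and the 1/K rounding
step of Section IV-B applied to a constructed fractional solution."""
from collections import deque
from itertools import combinations

# Constructed DODAG (undirected adjacency list); R plays the 6BR root.
#
#        R
#       / \
#      A   B
#     / \   \
#    C   D   E
#            |
#            F
TREE = {
    "R": ["A", "B"],
    "A": ["R", "C", "D"],
    "B": ["R", "E"],
    "C": ["A"],
    "D": ["A"],
    "E": ["B", "F"],
    "F": ["E"],
}

# Constructed residual energies E_i (arbitrary units); R is mains powered.
ENERGY = {"R": 100.0, "A": 20.0, "B": 40.0, "C": 5.0, "D": 5.0, "E": 30.0, "F": 10.0}


def build_k_uniform_hypergraph(adj, k):
    """Algorithm 1: from every vertex, grow simple paths breadth first and emit
    each path that reaches exactly k vertices as one hyperedge (a frozenset).
    A path found from both of its ends collapses to one hyperedge in the set."""
    hyperedges = set()
    for v_i in adj:                                      # line 2
        queue = deque([v_i, v_j] for v_j in adj[v_i])    # lines 3-9: 1-hop paths
        while queue:                                     # line 10
            path = queue.popleft()
            if len(path) == k:                           # lines 12-20
                hyperedges.add(frozenset(path))
                continue
            last, pred = path[-1], path[-2]              # lines 21-22
            for v_m in adj[last]:                        # lines 23-31: never step back
                if v_m != pred:
                    queue.append(path + [v_m])
    return hyperedges


def residual_energy_weights(energy):
    """omega(V_i) = 1 / E_i: selecting a nearly drained node costs more."""
    return {v: 1.0 / e for v, e in energy.items()}


def is_vertex_cover(cover, hyperedges):
    """Constraint 1: every hyperedge shares at least one vertex with the cover."""
    return all(edge & cover for edge in hyperedges)


def min_weight_vertex_cover_exact(vertices, hyperedges, weights):
    """Formulation 1 solved exactly by enumerating all 2^|V| subsets; only
    viable for toy trees, which is why the paper relaxes it to Formulation 2."""
    best, best_w = None, float("inf")
    for size in range(len(vertices) + 1):
        for subset in combinations(sorted(vertices), size):
            cand = frozenset(subset)
            w = sum(weights[v] for v in cand)
            if w < best_w and is_vertex_cover(cand, hyperedges):
                best, best_w = cand, w
    return best, best_w


def lp_feasible(x, hyperedges):
    """Check constraint 1 of Formulation 2 for a fractional vector x."""
    return all(sum(x[v] for v in edge) >= 1.0 - 1e-12 for edge in hyperedges)


def round_lp_solution(x, k):
    """Step 4 of the Solution: keep every vertex with x(V_i) >= 1/K. A feasible
    solution of Formulation 2 spreads at least 1 over the K vertices of each
    hyperedge, so some vertex of every hyperedge reaches 1/K and the rounded
    set is always a cover, with weight at most K times the LP optimum."""
    return frozenset(v for v, val in x.items() if val >= 1.0 / k - 1e-12)


# Constructed fractional vector that satisfies Formulation 2 for K = 3 on TREE
# (each of the six 3-vertex paths sums to at least 1); it stands in for the
# output of an LP solver, which this example does not call.
X_FRACTIONAL = {"R": 0.25, "A": 0.5, "B": 0.5, "C": 0.25, "D": 0.25, "E": 0.25, "F": 0.25}


if __name__ == "__main__":
    K = 3
    H = build_k_uniform_hypergraph(TREE, K)
    w = residual_energy_weights(ENERGY)
    cover, total = min_weight_vertex_cover_exact(TREE.keys(), H, w)
    print("hyperedges:", sorted("".join(sorted(e)) for e in H))
    print("exact IDS node set:", sorted(cover), "weight", round(total, 4))
    print("rounded IDS node set:", sorted(round_lp_solution(X_FRACTIONAL, K)))
```

With K = 3 the constructed tree yields six hyperedges (every path of three vertices), the exact optimum selects A and B (A is the cheapest way to cover the C–A–D path, B the cheapest for B–E–F), and rounding the constructed fractional vector at 1/3 returns the same two nodes; with K = 2 the hyperedges are just the six tree edges.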


Subject to the constraints:

1) \sum_{V_j \in E_m} x(V_j) \ge 1, \quad \forall E_m \in E
2) x(V_i) \le 1, \quad \forall V_i \in V
3) x(V_i) \ge 0, \quad \forall V_i \in V

B. IDS placement solution

The problem of K-hop minimum IDS node selection with maximum residual energy is solved in two stages as described below.

Solution:
1) Create a K-uniform hypergraph from the undirected version of the given DODAG using Algorithm 1.
2) Formulate the problem of K-hop minimum IDS node selection with maximum residual energy as shown in Formulation 2.
3) Solve the linear programming problem of Formulation 2.
4) For each V_i ∈ V, if x(V_i) ≥ 1/K, include V_i in the solution set VC.

It can be shown that the solution set VC is a K-approximation solution for the minimum weighted vertex cover of the K-uniform hypergraph H. The proof for a 2-uniform graph is given in [27], which can be easily extended to a K-uniform hypergraph. First it needs to be shown that the given solution set VC is a vertex cover of the K-uniform hypergraph H. Constraint 1 of Formulation 2 ensures that step 3 of Solution assigns values of x(V_i) such that for each hyperedge E_m ∈ E, \sum_{V_j \in E_m} x(V_j) \ge 1. In a K-uniform hypergraph, all the hyperedges contain exactly K vertices. The above two facts imply that for each hyperedge E_m, ∃ V_j ∈ E_m such that x(V_j) ≥ 1/K. As step 2 of the given solution includes all the V_i with x(V_i) ≥ 1/K in the solution set VC, VC definitely contains at least one element from each of the hyperedges. Thus, VC is a vertex cover for hypergraph H.

Next, it needs to be shown that the solution set VC is a K-approximation of the optimal solution S* for the minimum weighted vertex cover of the K-uniform hypergraph H. Let Z be the optimal value of the linear program of Formulation 2 obtained by step 3 in Solution. As S* is a feasible solution of the linear program, clearly Z ≤ ω(S*), i.e., Z is a lower bound on ω(S*), where ω(S*) is the total weight of the optimum solution S*. Writing S for the solution set VC, we have,

Z = \sum_{V_i \in V} \left(\omega(V_i) \cdot x(V_i)\right)
\Rightarrow Z \ge \sum_{V_i \in V : x(V_i) \ge \frac{1}{K}} \left(\omega(V_i) \cdot x(V_i)\right)
\Rightarrow Z \ge \sum_{V_i \in V : x(V_i) \ge \frac{1}{K}} \left(\omega(V_i) \cdot \frac{1}{K}\right)
\Rightarrow Z \ge \sum_{V_i \in S} \left(\omega(V_i) \cdot \frac{1}{K}\right)
\Rightarrow Z \ge \frac{1}{K} \sum_{V_i \in S} \omega(V_i)
\Rightarrow Z \ge \frac{1}{K}\, \omega(S)
\Rightarrow \omega(S) \le K \cdot Z \quad \text{[rearranging the terms]}
\Rightarrow \omega(S) \le K \cdot \omega(S^*) \quad \text{[because } Z \le \omega(S^*)\text{]}

As seen in the above inequality, the approximate solution is at most K times the optimal solution. Hence, the provided solution steps give a K-approximation solution for the minimum weighted vertex cover of the K-uniform hypergraph H.

The time complexities of each solution step of the proposed solution are given next. The first step of Solution uses Algorithm 1. The outer loop of line 2 runs in O(|V|) time. The number of iterations of the loop from line 10 to 32 is the same as the total number of ENQUEUE operations on the queue Q declared in line 3. From a starting vertex, one ENQUEUE operation is done on Q for each new vertex explored along a path from that starting vertex. As the input graph is an undirected tree represented in adjacency list format, from a starting vertex at most |V| vertices can be explored. Therefore, for a starting vertex, the combined number of iterations of the loops of lines 4 and 23 can be at most |V|. Therefore, the total number of ENQUEUE operations on Q for a starting vertex is at most O(|V|) and, consequently, the loop of line 10 runs O(|V|) iterations. The nested loop of line 14 runs in O(1) as there are exactly K vertices in a fully explored path. The copy operation on line 26 takes O(1) time as the maximum size of TS is K. All other operations in all statements of the algorithm take O(1) time. Therefore, the total running time of Algorithm 1 is O(|V|^2). The second step of the solution formulates the linear program of Formulation 2. To create the objective function, weight assignments for the vertices are done in O(|V|) time. From the analysis of Algorithm 1 it is clear that the total number of K-uniform hyperedges created by Algorithm 1 from an undirected graph is bounded by O(|V|^2). Therefore, it takes O(|V|^2) time to create constraint 1 of Formulation 2. The creation of constraints 2 and 3 takes O(|V|) time. As a result, the second step of the solution takes O(|V|^2) time. In the third step of the solution, the simplex method is used to solve the linear programming problem of Formulation 2, which takes polynomial time. Finally, step four of Solution takes O(|V|) time. The above-mentioned solution steps are run centrally in the 6BR, which is not resource-constrained. The details of the proposed IDS module are described in the next section.

V. PROPOSED OPTIMIST IDS SOLUTION

This section describes the proposed IDS solution OPTIMIST for detecting and mitigating mixed-rate DDoS attacks in IoT networks. Section V-A gives the description of the proposed model. Pre-processing steps for the proposed model are given in Section V-B. The training process of the IDS model is described in Section V-C. The overall steps for the detection and mitigation of MrDDoS attacks by OPTIMIST are given in Section V-D. Section V-E discusses the computational complexity of the proposed model.

A. Model description

A recurrent neural network (RNN) has feedback connections to learn the temporal dependencies of the features. Long short-term memory (LSTM) [28] is a special RNN that overcomes the exploding/vanishing gradient issues of RNNs. LSTM models are extensively used for speech/text recognition,


cyber-security, etc. As IoT attack flows have temporal relations among themselves, LSTM models provide high accuracy for intrusion detection in IoT systems. Being lightweight, trained LSTM models are suitable for running in resource-constrained IoT devices. Accordingly, this work uses offline LSTM model training, and the trained model is deployed in a few selected IoT end devices for online attack detection. This work assumes that the IoT nodes of the system have the required amount of computational resources and storage to perform online detection with the trained LSTM model without hampering their primary task of environment sensing. However, offline training using publicly available datasets induces some bias in the trained model towards the distribution of the data points of the used datasets. As a result, the trained model performs poorly when test inputs belong to different distributions. To remove this training bias, we propose a novel training method. We first train a WGAN model with the datasets to generate artificial new data points and mix the new data points with the original data points before training the LSTM model. The overview of the proposed scheme is illustrated in Fig. 3. Brief descriptions of the WGAN and LSTM models are given below.

Fig. 3: Flowchart of IDS creation process

1) Wasserstein GAN (WGAN): The concept of the Generative Adversarial Networks (GAN) model was put forward by Goodfellow [29]. A GAN consists of two neural networks known as the generator (ζ) and the discriminator/critic (ϑ). The generator generates new training data samples from the distribution of the training data set, adding some random Gaussian noise. The discriminator module classifies the data as real (from the actual domain) or fake (generated by the generator), and the feedback is fed to the generator as in Fig. 4.

Fig. 4: WGAN Network

\min_{\zeta} \max_{\vartheta} \; \mathbb{E}_{R \sim P(R)}\left[\vartheta(R)\right] - \mathbb{E}_{F \sim P(F)}\left[\vartheta(\zeta(F))\right] \quad (1)

However, as mentioned by [30], a traditional GAN model may be unable to produce output because of vanishing gradient, mode collapse problems, etc. Many authors [31], [32] have proposed enhancements over GAN. The Wasserstein GAN [31] model is one such improvement. The Wasserstein distance is calculated between fake and real data distributions using Eq. (1). It is also known as the Critic loss. The Wasserstein distance loss function is of two types, the Discriminator loss (D_loss) and the Generator loss (G_loss) functions. These loss functions are mathematically represented below [31].

D_{loss} = \min_{\vartheta} \mathbb{E}_{R \sim P(R)}\left[\log \vartheta(R)\right] \quad (2)

G_{loss} = \min_{\zeta} \mathbb{E}_{R \sim P(F)}\left[\log\left(1 - \vartheta(\zeta(F))\right)\right] \quad (3)

The loss function score depends on real and adversarial data. Based on the score, WGAN generates high-quality adversarial data. The WGAN discriminator (ϑ) provides a critic score. This score decides the difference between real and fake data. A critic score < 0 indicates real traffic data, and a score > 0 indicates that the given traffic is fake/adversarial.

2) LSTM model: Long short-term memory (LSTM) is a special kind of recurrent neural network (RNN) that can overcome the exploding/vanishing gradient issues. An LSTM cell includes three types of gates (i.e., forget gate, input gate, and output gate). The internal estimation procedure of an LSTM cell is shown in Equations (4)–(6).

i_t = \sigma\left(W_i \cdot [h_{t-1}, x_t] + b_i\right), \quad f_t = \sigma\left(W_f \cdot [h_{t-1}, x_t] + b_f\right) \quad (4)

O_t = \sigma\left(W_o \cdot [h_{t-1}, x_t] + b_o\right), \quad \tilde{C}_t = \tanh\left(W_c \cdot [h_{t-1}, x_t] + b_c\right) \quad (5)

C_t = f_t * C_{t-1} + i_t * \tilde{C}_t, \quad h_t = O_t * \tanh(C_t) \quad (6)

Where f, i, O represent the forget gate, input gate, and output gate, respectively. W and b represent weight matrices and biases, respectively. The new state and candidate state are C and C̃. Input, output, and input time are denoted as x, h, t. The sigmoid function is denoted as σ(·).
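The K-hop placement of Section IV-B, worked through on a small constructed DODAG as an added example (this is not code from the paper): the hyperedges are the vertex sets of all K-vertex paths of the undirected tree, and the IDS set is a weighted vertex cover of that K-uniform hypergraph. Because the paper's LP relaxation with 1/K rounding needs an LP solver, the cover here is computed with the local-ratio method, which carries the same K-approximation guarantee for K-uniform hypergraphs; the tree, the residual energies, the weight ω(V_i) = 1/energy(V_i), and the brute-force optimum used to check ω(S) ≤ K·ω(S*) are all assumptions of this example.

```python
"""K-hop IDS placement as a weighted vertex cover of a K-uniform hypergraph.

Added example, not code from the paper. A hyperedge is the vertex set of a
simple path with exactly K vertices of the undirected DODAG; an IDS set that
hits every hyperedge sees every such path. The cover uses the local-ratio
method, swapped in for the paper's LP relaxation + 1/K rounding (both are
K-approximations). Tree, energies and w(v) = 1/energy(v) are constructed.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


def adjacency(edges: Iterable[Tuple[int, int]]) -> Dict[int, Set[int]]:
    """Undirected adjacency list of the DODAG parent-child links."""
    adj: Dict[int, Set[int]] = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def k_paths_hypergraph(adj: Dict[int, Set[int]], k: int) -> List[FrozenSet[int]]:
    """Vertex sets of all simple paths with exactly k vertices (DFS from every
    vertex; in a tree the vertex set identifies the path, so a frozenset
    merges the two traversal directions of the same path)."""
    found: Set[FrozenSet[int]] = set()

    def walk(path: List[int]) -> None:
        if len(path) == k:
            found.add(frozenset(path))
            return
        for nxt in adj[path[-1]]:
            if nxt not in path:            # simple path: never revisit a vertex
                walk(path + [nxt])

    for start in adj:
        walk([start])
    return sorted(found, key=sorted)


def is_cover(cover: Set[int], hyperedges: Iterable[FrozenSet[int]]) -> bool:
    """True when every K-vertex path contains at least one IDS node."""
    return all(e & cover for e in hyperedges)


def total_weight(nodes: Set[int], weights: Dict[int, float]) -> float:
    return sum(weights[v] for v in nodes)


def local_ratio_cover(weights: Dict[int, float],
                      hyperedges: List[FrozenSet[int]]) -> Set[int]:
    """Local-ratio K-approximation: for each uncovered hyperedge subtract its
    smallest residual weight eps from all K vertices and add those that reach
    zero. The cover pays each eps at most K times, any optimum at least once,
    so w(cover) <= K * w(OPT)."""
    residual = dict(weights)
    cover: Set[int] = set()
    for e in hyperedges:
        if e & cover:
            continue
        eps = min(residual[v] for v in e)
        for v in e:
            residual[v] -= eps
            if residual[v] <= 1e-12:
                cover.add(v)
    return cover


def brute_force_cover(weights: Dict[int, float],
                      hyperedges: List[FrozenSet[int]]) -> Set[int]:
    """Exact optimum by enumerating all subsets; only for tiny trees."""
    nodes = sorted(weights)
    best: Set[int] = set(nodes)
    for r in range(1, len(nodes) + 1):
        for subset in combinations(nodes, r):
            cand = set(subset)
            if (is_cover(cand, hyperedges)
                    and total_weight(cand, weights) < total_weight(best, weights)):
                best = cand
    return best


# Constructed 10-node DODAG (node 0 is the 6BR) and constructed residual energies.
DODAG_EDGES = [(0, 1), (0, 2), (1, 3), (1, 4), (2, 5), (3, 6), (4, 7), (5, 8), (5, 9)]
RESIDUAL_ENERGY = {0: 100, 1: 40, 2: 55, 3: 30, 4: 70, 5: 20, 6: 80, 7: 60, 8: 90, 9: 50}
WEIGHTS = {v: 1.0 / e for v, e in RESIDUAL_ENERGY.items()}  # assumed: more energy, cheaper
K = 3


def place_ids(k: int = K) -> Tuple[Set[int], List[FrozenSet[int]]]:
    """Hypergraph construction followed by the approximate cover (the IDS nodes)."""
    hyperedges = k_paths_hypergraph(adjacency(DODAG_EDGES), k)
    return local_ratio_cover(WEIGHTS, hyperedges), hyperedges


if __name__ == "__main__":
    ids_nodes, edges = place_ids()
    opt = brute_force_cover(WEIGHTS, edges)
    print(len(edges), "hyperedges of size", K)
    print("IDS nodes (local ratio):", sorted(ids_nodes), round(total_weight(ids_nodes, WEIGHTS), 4))
    print("IDS nodes (optimum):    ", sorted(opt), round(total_weight(opt, WEIGHTS), 4))
```

On this tree every 3-vertex path is a node plus two of its neighbours, so the 10 hyperedges are all hit by the internal nodes, and the approximate cover stays within the K bound of the enumerated optimum.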


TABLE I: Dataset Information

Dataset Name | ToN IoT (2020) [33] | IoT-23 (2020) [34] | Kitsune (2019) [35] | BoT-IoT (2018) [36] | Generated Data (GD)
Simulation/Testbed | Simulation | Simulation | Simulation | Simulation | Simulation and Testbed
Num of attack types | 9 | 15 | 9 | 6 | 2
Data format | Raw, Log & sensor | Raw & Log | Raw | Sensor | Pcap file
Num of features | 46 | 22 | 23 | 10 | 10
Dataset size | 64 GB | 23 GB | 20 GB | 69.3 GB | 17295 packet flows

TABLE II: Feature selection using SHAP from five datasets

Datasets | Selected features
TON IoT | src pkts, src ip bytes, dst pkts, dst ip bytes, ts, src ip, src port, dst ip, dst port, service, duration, src bytes, dst bytes, conn state
IoT-23 | ts, id orig.h, id orig.p, id resp.h, id resp.p, service, duration, orig bytes, resp bytes, conn state, local orig, local resp, missed bytes, history, orig pkts, orig ip bytes
Kitsune | Src mac-ip bw obt, src ip bw obt, channel bw obt, sock bw obt, cl ibt obt, socket ibt obt, src mac pr obt, src ip pr obt, cl pr obt, sock pr obt
BoT-IoT | Time, Bytes, src mac, src Ip, des mac, des Ip, src Port, dst Port, conn state
GD | src ip, dst ip, src pkts, service, duration, src bytes, dst bytes, id resp.p, id resp.h, conn state

B. Model pre-processing

The pre-processing steps for the proposed OPTIMIST IDS model comprise three phases, which are data acquisition, feature normalization, and feature selection. All of the phases are described subsequently.

1) Data acquisition: This work has used publicly available mixed-rate DDoS (LRDDoS and HRDDoS) attack datasets [33], [34], [35], [36]. The descriptions of the data sets are given in TABLE I. It is observed that the procured datasets contain very few low-rate DDoS data samples. Accordingly, a number of flows with low-rate DDoS attack and non-attack traffic are generated in-house using Contiki cooja and FIT IoT-LAB [37]. The flow packets are captured using the Wireshark tool [38]. The attack and non-attack experiments are described in Section VI-A. An additional dataset is created from the data points generated by extracting features (refer to Sections V-B2 and V-B3) from the captured flows. Further, additional data points for each dataset are generated by the WGAN model to make the LSTM model training more robust. The WGAN model training is described in Section V-C.

2) Feature normalization: As the data sets are acquired from various sources, they have irregular central tendencies. Therefore, we normalize all data attributes using the min-max normalization method given below.

X_{norm} = \frac{X_{real} - X_{min}}{X_{max} - X_{min}} \quad (7)

Where X_real is the real value, X_norm is the normalized value, and X_min and X_max are the smallest and highest real values, respectively.

3) Feature selection (FS): The features having significant contributions to the mixed-rate DDoS attacks are chosen, while the redundant and insignificant features are discarded to reduce computation. This work used the SHAP (SHapley Additive exPlanations) method [39] for feature selection from the mixed-rate DDoS attack datasets. The advantages of this method are as follows:

1) Local Interpretability (LI): Each feature gets a SHAP score. This score indicates the impact of the feature across the complete dataset.
2) Global Interpretability (GI): It exhibits how much a particular feature contributes towards the target (attacks).

TABLE II shows the features extracted by the SHAP method from the five datasets.

C. Model training

The model training of OPTIMIST has two phases. In the first phase, a WGAN model is trained on the datasets (refer to Section V-B1) to generate artificial data points. Table IV shows the WGAN network setup, and Table III shows the training parameters. The Gradient Penalty helps with training stability. Leaky ReLU increases the training process's resilience and prevents a vanishing gradient.

TABLE III: WGAN parameters

HP Name | Value
B size | 64
Critic iters | 3
Learning rate | 0.002
Optimizer | RMSprop
Lambda | 10
HL AF | LeakyReLU
HP: Hyper-parameter; B: Batch; HL: Hidden layer; AF: Activation Function

TABLE IV: WGAN Configuration

Layer (Type) | CONFIG
IP Noise () | (N, 20)
IP N MrDDoS () | (N, 41)
Concat Input () | (N, 61)
Dense | (N, 32)
Leaky ReLu (0.2) | (N, 32)
Dense | (N, 8)
Leaky ReLu (0.2) | (N, 8)
Dense | (N, 2)
Leaky ReLu (0.2) | (N, 2)
IP Noise () | (N, 20)
IP N MrDDoS () | (N, 41)
B: Batch; N: None; CONFIG: Configuration

In the second phase of the training, the LSTM model is trained with the datasets (real and artificial) to classify mixed-rate DDoS attacks. To mitigate the over-fitting issue, dropout and batch normalization strategies are used. These strategies change the network design in each training epoch to reduce the chance of overfitting and increase the training speed. The LSTM model comprises an input layer, three hidden layers, and an output layer. The detailed structure and hyper-parameters of the proposed LSTM model are shown in Tables VI and V, respectively. The LSTM input layer contains 16 neurons. There are 3 LSTM layers composed of 32 memory blocks. The hidden layers of the LSTM have the ReLu activation function. The output layer uses a sigmoid activation function.

D. OPTIMIST IDS solution

The topological ordering of the OPTIMIST IDS solution for detection and mitigation is given in Fig. 5. The heavy task of IDS model training for OPTIMIST is done offline with the


TABLE V: LSTM parameters

HP Name | Value
A F Input | ReLu
A F Output | Sigmoid
Epoch | 100
Learning Rate | 0.002
Window size | 5
Optimizer | RMSprop
Dropout prob. | 0.2
Train data | 64% dataset
Validation data | 16% dataset
Test data | 20% dataset
HP: Hyper-parameter; A F: Activation Function

TABLE VI: LSTM Configuration

Layer (Type) | Configuration
LSTM 1 | (N, N, 32)
B norm 1 | (B (N, N, 32))
Dropout 1 | (N, N, 32)
LSTM 2 | (N, N, 32)
B norm 2 | (B (N, N, 32))
Dropout 2 | (N, N, 32)
LSTM 3 | (N, N, 32)
B norm 3 | (B (N, N, 32))
Dropout 3 | (N, 32)
Dense 1 | (N, 1)
Activation 1 | (N, 1)
B: Batch; N: None

novel method described in Section V-C. The trained LSTM model is deployed in all IoT nodes. However, the IDS modules in all IoT nodes are in an idle state initially. Once a DODAG is created for the IoT network, the OPTIMIST IDS placement algorithm is executed in the 6BR to select the IoT nodes that act as IDS nodes. The 6BR unicasts a message to each of the selected nodes to activate their respective OPTIMIST IDS modules. If a new instance of the DODAG is created, the 6BR instructs the current IDS nodes to put their IDS module in an idle state and instructs the newly selected IDS nodes to activate their IDS modules. For the duration when the IDS module is active, an IDS node eavesdrops on flows, extracts features, and classifies them with the trained LSTM model. If a DDoS (high-rate or low-rate) attack is detected, the IDS node reports the attack information to the 6BR node. The 6BR node broadcasts the malicious node information to all other nodes of the network and instructs them to block all the traffic flows originating from the malicious sources.

E. Time complexity of LSTM

The LSTM algorithm is local in space and time. Hence, activation values aren't stored. They only store and update derivatives based on Mozer's recurrent back-propagation method [40]. As a result, the LSTM method is extremely efficient. The time complexity of the LSTM is O((N_{ou} \times N_{hu}) + (N_{ou} \times N_{mcb} \times S_{mcb}) + (N_{hu} \times N_{fc}) + (N_{mcb} \times S_{mcb} \times N_{fc})) = O(W), where N_fc is the number of units connected in a forward direction to hidden units, gate units, and memory cells, N_hu is the number of hidden units, S_mcb is the memory cell block size, N_mcb is the number of memory cell blocks, and N_ou is the number of output units. As a result, the storage complexity of the LSTM model is also O(W) and independent of the length of the input sequence.

VI. PERFORMANCE EVALUATION

This section is divided into three subsections. Section VI-A describes the experiment environments and setups. Section VI-B defines the metrics to evaluate the performance of OPTIMIST. In Section VI-C, the performance of OPTIMIST is evaluated, and the competitive result analysis is done.

Fig. 5: Topological order of OPTIMIST IDS
[Flowchart; box labels recovered from the figure text: "Offline training of the LSTM model with the combination of public datasets and WGAN generated artificial traffic flows"; "RPL creates new version of DODAG"; "Deploy the trained IDS module in all IoT nodes and BR as inactive mode"; "OPTIMIST IDS placement algorithm is run in BR depending on current DODAG"; "Activate the IDS module in the selected IoT nodes and in BR"; "IDS nodes transparently monitor and classify the flows passing through them"; "If HrDDoS and LrDDoS flow is detected by an IDS node it will report to BR. The BR broadcasts information about the malicious source to all the IoT nodes and instructs them to block all the flows originating from the malicious node".]

A. Experiment environments and setups

An IoT scenario is considered for the performance evaluation of OPTIMIST, as shown in Fig. 6. LLN nodes are randomly deployed for sensing purposes and have multi-hop path connectivity among themselves. LLN nodes are connected to the Internet through a 6BR node of ample storage and computation power. The internal LLN nodes of the IoT system are accessible by external nodes through the 6BR node using the Internet. As shown in the figure, both internal as well as external nodes can be malicious in nature. The scenario is created and run in the Contiki cooja [41] simulation and the FIT IoT-LAB [37] test-bed environment. The experimental parameters of Contiki cooja and FIT IoT-LAB are presented in Table VII.

Fig. 6: IoT network setup for experimentation

Simulation and test-bed are used to generate an in-house dataset which includes normal and LrDDoS attack flows using


TABLE VII: Simulation and real-time test-bed parameters

Parameter name | Simulation | Real time testbed
Operating system | Contiki 3.0, Contiki 4.5 | Contiki-NG
Simulator/Testbed | Cooja | Cooja FIT IoT-LAB
Network size | 8, 16, 32, 64 nodes | 8, 16, 32, 64 nodes
Radio Environment | UDGM | UDGM
Node Type | Tmote Sky | IoT-Lab A8
Routing Protocol | RPL | RPL Lite
RPL Objective Function | MRHOF - ETX, OF0 | MRHOF - ETX
MAC/adaptation layer | Contiki MAC/6LoWPAN | Contiki MAC/6LoWPAN
Transmitter output power (dBm) | 0 to -25 | 0 to -25
Receiver sensitivity (dBm) | -94 | -94
Radio frequency | 2.4 GHz | 2.4 GHz
Attack Modeled | Mixed Rate DDoS attack | Mixed Rate DDoS attack
Experiment Duration | 60 minutes | 60 minutes

8, 16, 32, and 64 IoT nodes. In attack scenarios, 25% of the nodes are deployed as malicious nodes.

Fig. 7: Snapshot of 4, 6 malicious nodes during mixed rate DDoS attack

During the performance evaluation of OPTIMIST, the malicious nodes are used to launch MrDDoS attacks. Based on the proposed IDS placement algorithm, a few of the IoT nodes are selected to activate the OPTIMIST IDS solution to detect mixed-rate DDoS attacks. The IDS running nodes are changed over time with each newly created DODAG version by RPL.

B. Performance metrics

The following metrics are defined to evaluate the performance of the OPTIMIST IDS solution.

• Accuracy (ACC): It denotes the percentage of flows correctly classified as true attack or true legitimate flows with respect to the total number of flows. Accuracy is given by:

ACC = \frac{TP + TN}{TP + FN + FP + TN} \times 100 \quad (8)

where FP = legitimate flow wrongly classified; FN = attack wrongly classified; TP = attack recognized accurately; TN = legitimate flow recognized accurately.

• Precision (PREC): It is the percentage of correctly predicted MrDDoS attack flows out of all predicted MrDDoS attack flows. It is calculated as below.

PREC = \frac{TP}{TP + FP} \times 100 \quad (9)

• Recall (REC): It indicates the percentage of MrDDoS attack flows predicted by the classifier out of all real MrDDoS attack flows of the system. Recall, also known as sensitivity, is estimated by

REC = \frac{TP}{TP + FN} \times 100 \quad (10)

• F1-score: It indicates the overall efficiency of the proposed OPTIMIST combining PREC and REC. It is the harmonic mean of PREC and REC as given below.

F1\text{-}score = 2 \times \frac{PREC \times REC}{PREC + REC} \times 100 \quad (11)

• Memory Consumption (MEMC): It shows the percentage of memory utilization of the IoT devices to run OPTIMIST throughout the experimentation.

• CPU energy (ENEC): The metric measures the energy consumed by the CPU in IoT devices throughout the experimentation.

• Throughput (THP): This metric measures the ratio of the network throughput in the presence of MrDDoS attacks with respect to the observed network throughput in the absence of MrDDoS attacks. The ratio is shown as a percentage.

THP = \frac{\text{throughput in MrDDoS scenario}}{\text{throughput in normal scenario}} \times 100 \quad (12)

C. Result Analysis

For the evaluation of the OPTIMIST IDS solution, experiments are run on simulation as well as a testbed (refer to Section VI-A). The results are presented in two parts as follows. Section VI-C1 shows the performance of the offline training process of the IDS model, and Section VI-C2 presents the competitive analysis of online OPTIMIST performance on placement strategy and attack detection against existing protocols.

1) Offline training performance evaluation: First, we assessed the performance of different ML models like Support Vector Machine (SVM), Gated Recurrent Unit (GRU), Convolution Neural Network (CNN), and Transformer, on the IoT-23 [34] and in-house generated datasets. Fig. 8 shows the comparative performance of the different ML models with respect to the metrics ACC, PREC, REC, and F1-score. As the LSTM model outperforms the other ML models, it is chosen for the OPTIMIST IDS.

Consequently, the LSTM model is trained and tested with the other publicly available datasets [33], [34], [35], [36] and the test results for each dataset are depicted in Fig. 9. As shown in Fig. 9, the ACC and PREC scores of the trained model are (94.12%-95.49%) and (92.56%-94.93%) respectively. For REC and F1 scores, the scores are (89.64%-93.49%) and (89.7%-93.34%), respectively. However, when the model is tested with artificial data generated from the WGAN model (described in Section V-A1), the LSTM performance degraded drastically, as shown in Fig. 10. This is because the trained model is biased by the distributions of the training datasets. However, the distribution of WGAN-generated artificial data points (attack flows) is a little different from the distribution


of the training datasets. Fig. 11 shows the comparative accuracy trends when tested with and without adversarial traffic samples.

Fig. 8: Training performances of ML models on IoT-23 and generated dataset

Fig. 9: Performance of LSTM model over public datasets

Fig. 10: Effect of adversarial data on LSTM

To increase the robustness of the OPTIMIST IDS for any distribution of attack flows, WGAN-generated artificial traffic flows of MrDDoS attacks are mixed with the existing training samples, and then the model is trained and tested again. It took less than 100 epochs for the model to converge. Fig. 12 shows the trend of loss and accuracy with increasing epochs. The model performance is quite satisfactory with ACC = 98.40%, PREC = 95.40%, REC = 96.49%, and F-score = 96.30%, as depicted in Fig. 13.

Fig. 11: Model performance evolution with Epochs

Fig. 12: Training testing loss and Accuracy

Fig. 13: WGAN-LSTM based result

2) Online performance evaluation: In this section, the online performance of OPTIMIST regarding the placement strategy and attack detection is evaluated. The experiments are conducted with 8, 16, 32, and 64 nodes with a malicious node ratio of 25%. System and network level metrics are measured in two scenarios: when no IDS module is running on the nodes, and when optimally selected nodes are running the IDS module. For both cases, the duration of these experiments is 5400 seconds. The size command and the powertrace tool are used to extract memory usage and energy consumption information, respectively, from the Contiki cooja simulation


TABLE VIII: Comparison of the proposed strategy with the closely related works

Ref | IDS placement | Target Attacks | Mitigation | ENEC (mJ) | MEMU (Byte) | THP (Kbps) | ACC | PREC | REC | F1 Score
[42] | Centralised | DoS | No | 9482 | N/A | N/A | 98.20% | N/A | N/A | N/A
[23] | Centralised | HrDDoS | No | 6745 | 55184 | N/A | 98.03% | 98.21% | 97.55% | 97.87%
[17] | Distributed | LrDDoS | Yes | 10869 | 63940 | N/A | 95.01% | 95.46% | 94.51% | 94.98%
[43] | Distributed | HrDDoS | Yes | 5128 | N/A | 52961 | 96.30% | 93.24% | 92.40% | 96.20%
[22] | Distributed | HrDDoS | No | 12814 | 68315 | 56531 | 98.99% | 96.51% | N/A | 95.67%
[25] | Centralised | LrDDoS | No | N/A | N/A | N/A | 94.19% | 95.85% | 95.33% | 95.56%
[20] | Centralised | HrDDoS | No | 16439 | N/A | N/A | 98.89% | 99.01% | 98.74% | 98.87%
[24] | Distributed | LrDDoS | No | N/A | N/A | N/A | 97.00% | 96.00% | 96.65% | 96.98%
[21] | Distributed | HrDDoS | No | N/A | N/A | N/A | 96.70% | 100% | 77.80% | 87.50%
OPTIMIST | Distributed | MrDDoS | Yes | 5407 | 45296 | 53824 | 98.40% | 95.40% | 96.49% | 96.30%
ENEC: ENErgy Consumption, MEMU: MEMory Usage, ACC: ACCuracy, PREC: PRECision, REC: RECall, THP: Throughput, N/A: Not Applicable

experiments. Similarly, for the FIT IoT-LAB testbed experiments, the Sysstat [44] tool is used to get the system level information like energy consumption and memory usage, while the iperf [45] tool is used to get the throughput information of the experiments. Fig. 14 shows the comparative performance of the system and network level metrics for the two cases of experiments. The results show that the THP metric performance is improved at the cost of increased energy and memory overheads in the scenarios with IDS running nodes. This is because the OPTIMIST IDS detects and mitigates malicious flows, which helps normal flows increase network bandwidth utilization.

Fig. 14: Contiki and FIT IoT-LAB result

Fig. 15: Average energy consumption comparison

Fig. 15 and Fig. 16 depict the comparative results of the IDS placement strategies with the works [11]–[13]. The IDS modules of the compared works are replaced by the OPTIMIST IDS model to assess the performance solely based on placement strategies. In [11], all nodes run the IDS. Though the IDS monitors flows transparently and has a high detection rate, running the IDS in all nodes results in high energy consumption. The placement strategy of the work [12] is cluster-based, which relies on query-response messages between IDS nodes and monitored nodes. Though only a few nodes (cluster heads) run the IDS, energy consumption is still higher due to the query-response message overhead. The non-transparent nature of the proposed IDS also causes a low detection rate, as malicious nodes create malicious flows avoiding the IDS nodes or can send false status reports. The work [13] has an optimum 1-hop vertex cover placement strategy where the IDS nodes monitor flows transparently. The optimum placement strategy has resulted in low energy consumption and a high detection rate compared to the previous two works. The OPTIMIST IDS placement strategy has a K-hop vertex cover strategy, further reducing energy consumption. The detection rate of OPTIMIST is comparable with [13] as the placement algorithm is run using the RPL DODAG structure rather than the network topology, making most of the flows pass through the IDS nodes. However, a few flows of length less than K can evade the IDS nodes and remain undetected.

Fig. 16: Attack detection rate in (%)

The online model performance of OPTIMIST on attack detection, along with the system parameters, is compared with existing IDS models and the results are given in tabular format in TABLE VIII. The work of Mahdis et al. [22] has the best scores for attack detection but at the cost of huge system overheads. The proposed IDS of the work [43] consumes less energy as the flows of the IoT devices are SDN managed, where the IDS is distributed among switches. The IoT devices are


directly connected to SDN switches with single-hop links. As the flow packets are forwarded by switches, IoT devices are relieved from the task of packet forwarding, which saves energy. However, the model performs poorly in attack detection. It can be observed from the table that OPTIMIST best balances detection performance and resource overheads. OPTIMIST is the only solution that can detect MrDDoS attacks with competitive accuracy, whereas the other protocols focus only on HrDDoS attacks.

VII. CONCLUSIONS

This work has proposed a lightweight distributed IDS solution, OPTIMIST, for IoT networks with an optimum placement strategy. OPTIMIST is trained to detect both high-rate and low-rate DDoS attacks on IoT systems. The placement problem of OPTIMIST is formulated as the weighted minimum vertex cover problem of a K-uniform hypergraph, and an approximation algorithm is used as the solution. The placement strategy is transparent in nature to reduce network overhead and to keep other IoT nodes unaware of the presence of IDS nodes. The K-coverage strategy is proposed to reduce the redundancy of IDS nodes and energy consumption. To build the IDS model, WGAN-generated artificial training samples are used along with the real training data to train an LSTM model. This novel method of training is able to remove the model bias for dataset distributions. Extensive evaluations are done on both simulation and testbed platforms. The results show that the OPTIMIST IDS system can efficiently detect both high-rate and low-rate DDoS traffic flows while having a comparatively low system overhead.

REFERENCES

[1] L. Chettri and R. Bera, “A comprehensive survey on Internet of Things (IoT) toward 5G wireless systems,” IEEE Internet of Things Journal, vol. 7, no. 1, pp. 16–32, 2019.
[2] B. B. Zarpelão, R. S. Miani, C. T. Kawakani, and de Alvarenga, “A survey of intrusion detection in Internet of Things,” J. Netw. Comput. Appl., vol. 84, pp. 25–37, 2017.
[3] H. Li, J. Zhu, Q. Wang, T. Zhou, H. Qiu, and H. Li, “LAAEM: A method to enhance LDoS attack,” IEEE Commun. Lett., vol. 20, no. 4, pp. 708–711, 2016.
[4] H. Griffioen, K. Oosthoek, P. van der Knaap, and C. Doerr, “Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks,” in Proc. ACM Conf. Comput. Commun. Secur., 2021, pp. 940–954.
[5] J. Luo, X. Yang, J. Wang, J. Xu, J. Sun, and K. Long, “On a mathematical model for low-rate shrew DDoS,” IEEE Trans. Inf. Forensics Secur., vol. 9, no. 7, pp. 1069–1083, 2014.
[6] A. Thakkar and R. Lohiya, “A review on ML and DL perspectives of IDS for IoT: recent updates, security issues, and challenges,” Arch. Comput. Methods Eng., vol. 28, no. 4, pp. 3211–3243, 2021.
[7] P. Kasinathan, G. Costamagna, C. Pastrone, and M. A. Spirito, “DEMO: An IDS Framework for Internet of Things Empowered by 6LoWPAN,” in Proc. ACM Conf. Comput. Commun. Secur., 2013, pp. 1337–1340.
[8] L. Wallgren, S. Raza, and T. Voigt, “Routing Attacks and Countermeasures in the RPL-Based Internet of Things,” Int. J. Distrib. Sens. Netw., vol. 9, no. 8, p. 794326, 2013.
[9] C. Cervantes, D. Poplade, and Nogueira, “Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things,” in IEEE/IFIP Int. Symp. Intg Netw. Manag., 2015, pp. 606–611.
[10] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, “A survey of intrusion detection techniques in cloud,” J. Netw. Comput. Appl., vol. 36, no. 1, pp. 42–57, 2013.
[11] J. P. Amaral, L. M. Oliveira, and Rodrigues, “Policy and network-based intrusion detection system for IPv6-enabled wireless sensor networks,” in IEEE Int. Conf. Commun. (ICC), 2014, pp. 1796–1801.
[12] A. Le, J. Loo, K. K. Chai, and M. Aiash, “A specification-based IDS for detecting attacks on RPL-based network topology,” Information, vol. 7, no. 2, p. 25, 2016.
[13] M. Al Qurashi, C. M. Angelopoulos, and V. Katos, “An Architecture for Resilient Intrusion Detection in IoT Networks,” in IEEE Int. Conf. Commun. (ICC), 2020, pp. 1–7.
[14] I. Martins, J. S. Resende, P. R. Sousa, S. Silva, L. Antunes, and J. Gama, “Host-based IDS: A review and open issues of an anomaly detection system in IoT,” Future Gener. Comput. Syst., 2022.
[15] W. Li, S. Tug, W. Meng, and Y. Wang, “Designing collaborative blockchained signature-based intrusion detection in IoT environments,” Future Gener. Comput. Syst., vol. 96, pp. 481–489, 2019.
[16] N. Yadav, L. Truong, and E. Troja, “Machine Learning Architecture for Signature-based IoT Intrusion Detection in Smart Energy Grids,” in IEEE Mediterr. Electrotech. Conf. (MELECON), 2022, pp. 671–676.
[17] J. A. Perez-Diaz, I. Valdovinos, and Amezcua, “A flexible SDN-based architecture for identifying and mitigating low-rate DDoS attacks using machine learning,” IEEE Access, vol. 8, pp. 155 859–155 872, 2020.
[18] X. Liu, J. Ren, H. He, Q. Wang, and C. Song, “Low-rate DDoS attacks detection method using data compression and behavior divergence measurement,” Computers & Security, vol. 100, p. 102107, 2021.
[19] A. Tabassum, A. Erbad, A. Mohamed, and M. Guizani, “Privacy-preserving distributed IDS using incremental learning for IoT health systems,” IEEE Access, vol. 9, pp. 14 271–14 283, 2021.
[20] F. Hussain, S. G. Abbas, I. M. Pires, S. Tanveer, U. U. Fayyaz, and N. M. Garcia, “A Two-Fold Machine Learning Approach to Prevent and Detect IoT Botnet Attacks,” IEEE Access, vol. 9, pp. 163 412–163 430, 2021.
[21] G. Abdelmoumin, D. B. Rawat, and A. Rahman, “On the Performance of Machine Learning Models for Anomaly-Based Intelligent Intrusion Detection Systems for the Internet of Things,” IEEE Internet of Things Journal, vol. 9, no. 6, pp. 4280–4290, 2022.
[22] M. Saharkhizan, A. Azmoodeh, and Dehghantanha, “An ensemble of deep recurrent neural networks for detecting IoT cyber attacks using network traffic,” IEEE Internet of Things Journal, vol. 7, no. 9, pp. 8852–8859, 2020.
[23] Y. Li and Y. Lu, “LSTM-BA: DDoS detection approach combining LSTM and Bayes,” in IEEE Int. Conf. Adv. Cloud and Big Data (CBD), 2019, pp. 180–185.
[24] N. Garcia, T. Alcaniz, A. González-Vidal, and J. Bernabe, “Distributed real-time SlowDoS attacks detection over encrypted traffic using Artificial Intelligence,” J. Netw. Comput. Appl., vol. 173, p. 102871, 2021.
[25] B. Liu, D. Tang, Y. Yan, and Z. Zheng, “TS-SVM: Detect LDoS Attack in SDN Based on Two-step Self-adjusting SVM,” in IEEE 20th Int. Conf. Trust, Sec. Pri. Comp. Commun. (TrustCom), 2021, pp. 678–685.
[26] R. H. Jhaveri, “MR-AODV: A Solution to Mitigate Blackhole and Grayhole Attacks in AODV Based MANETs,” in 3rd Int. Conf. Advan. Comput. and Commun. Tech. (ACCT), 2013, pp. 254–260.
[27] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, “Chapter 35.4, Introduction to algorithms (Third Edition),” pp. 1123–1127, 2009.
[28] X. Zhou, Y. Hu, W. Liang, J. Ma, and Q. Jin, “Variational LSTM enhanced anomaly detection for industrial big data,” IEEE Trans. Ind. Informat., vol. 17, no. 5, pp. 3469–3477, 2020.
[29] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial nets,” Adv. Neural Inf. Process. Syst., vol. 27, 2014.
[30] A. Aggarwal, M. Mittal, and G. Battineni, “Generative adversarial network: An overview of theory and applications,” Int. J. Inf. Manag. Data Insights, vol. 1, no. 1, p. 100004, 2021.
[31] M. Arjovsky, S. Chintala, and L. Bottou, “Wasserstein generative adversarial networks,” in International Conference on Machine Learning. PMLR, 2017, pp. 214–223.
[32] M. Ring, D. Schlör, D. Landes, and A. Hotho, “Flow-based network traffic generation using generative adversarial networks,” Computers & Security, vol. 82, pp. 156–172, 2019.
[33] N. Moustafa, “ToN IoT datasets,” 2019. [Online]. Available: https://dx.doi.org/10.21227/fesz-dm97
[34] M. J. Sebastian Garcia, Agustin Parmisano, “IoT-23: A labeled dataset with malicious and benign IoT network traffic (Version 1.0.0) [Data set],” 2020. [Online]. Available: http://doi.org/10.5281/zenodo.4743746
[35] T. D. Yisroel Mirsky, “Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection,” 2018. [Online]. Available: http://arxiv.org/abs/1802.09089
[36] N. Koroniotis and N. Moustafa, “Towards the Development of Realistic Botnet Dataset in the Internet of Things for Network Forensic Analytics: Bot-IoT Dataset,” Future Gener. Comput. Syst., vol. 100, pp. 779–796, 2019.
[37] C. Adjih, E. Baccelli, E. Fleury, G. Harter, N. Mitton, and T. Noel, “FIT IoT-LAB: A large scale open experimental IoT testbed,” in World Forum on Internet of Things (WF-IoT), 2015, pp. 459–464.
[38] C. Sanders, Practical Packet Analysis, 3E: Using Wireshark to Solve Real-World Network Problems. No Starch Press, 2017.
[39] L. Antwarg, R. M. Miller, B. Shapira, and L. Rokach, “Explaining anomalies detected by autoencoders using Shapley Additive Explanations,” Expert Systems with Applications, vol. 186, p. 115736, 2021.
[40] S. Hochreiter and J. Schmidhuber, “Long Short-Term Memory,” Neural Computation, vol. 9, no. 8, pp. 1735–1780, 1997.
[41] A. Dunkels, B. Gronvall, and T. Voigt, “Contiki - a lightweight and flexible operating system for tiny networked sensors,” in International Conference on Local Computer Networks, 2004, pp. 455–462.
[42] N. Moustafa, B. Turnbull, and K. Choo, “An ensemble intrusion detection technique based on proposed statistical flow features for protecting network traffic of internet of things,” IEEE Internet of Things Journal, vol. 6, no. 3, pp. 4815–4830, 2018.
[43] N. Ravi and S. M. Shalinie, “Learning-driven detection and mitigation of DDoS attack in IoT via SDN-cloud architecture,” IEEE Internet of Things Journal, vol. 7, no. 4, pp. 3559–3570, 2020.
[44] S. Godard, “SYSSTAT utilities home page,” Information and code available at http://sebastien.godard.pagesperso-orange.fr/index.html, 2015.
[45] A. Tirumala, “Iperf: The TCP/UDP bandwidth measurement tool,” http://dast.nlanr.net/Projects/Iperf/, 1999.