DeepDCA: Novel Network-Based Detection of IoT Attacks Using Artiﬁcial Immune System

: Recently Internet of Things (IoT) attains tremendous popularity, although this promising technology leads to a variety of security obstacles. The conventional solutions do not suit the new dilemmas brought by the IoT ecosystem. Conversely, Artiﬁcial Immune Systems (AIS) is intelligent and adaptive systems mimic the human immune system which holds desirable properties for such a dynamic environment and provides an opportunity to improve IoT security. In this work, we develop a novel hybrid Deep Learning and Dendritic Cell Algorithm (DeepDCA) in the context of an Intrusion Detection System (IDS). The framework adopts Dendritic Cell Algorithm (DCA) and Self Normalizing Neural Network (SNN). The aim of this research is to classify IoT intrusion and minimize the false alarm generation. Also, automate and smooth the signal extraction phase which improves the classiﬁcation performance. The proposed IDS selects the convenient set of features from the IoT-Bot dataset, performs signal categorization using the SNN then use the DCA for classiﬁcation. The experimentation results show that DeepDCA performed well in detecting the IoT attacks with a high detection rate demonstrating over 98.73% accuracy and low false-positive rate. Also, we compared these results with State-of-the-art techniques, which showed that our model is capable of performing better classiﬁcation tasks than SVM, NB, KNN, and MLP. We plan to carry out further experiments to verify the framework using a more challenging dataset and make further comparisons with other signal extraction approaches. Also, involve in real-time (online) attack detection.


Introduction
Recently in the academic and industrial circles, Internet of Things (IoT) have became an active area.According to Cisco, 500 billion devices will be connected by the year 2030 [1].Although this technology is promising in many sectors, such as uch as smart homes, health-care, intelligent transportation, power smart grid and numerous areas that not yet even conceived [2], it carries with it many security risks.Easy accessibility and tremendous propagation of IoT devices creates a fertile environment for cyber attacks.Most of these devices are small, inexpensive and have limited memory and computing capacity to run the current existing security software [3].Additionally, the Original Equipment Manufacturers (OEMs) are using commercial embedded Real-Time Operating Systems (RTOS), such as FreeRTOS and OpenRTOS to minimize the cost [4] which makes these end devices vulnerable to be targeted.As stated by a report for Malwarebytes, the IoT attacks will continue at steady levels with increased sophistication [5].For example, recent malware such as Mirai [6] and Ransomware of Things (RoT) [7,8] proven that conventional security methods are ineffective and do not provide decentralized and strong security solutions.In addition to the urgent need for a new paradigm of security commensurate with the changes that have emerged with the IoT ecosystem.Where the security problems inherited from the traditional network alongside the Advanced Persistent Threat (APT).Therefore, to dissolve the obstacles security of IoT we must look at solutions from a comprehensive perspective and take into account new circumstances and requirements.Lately, multiple solutions have been applied to secure the IoT environment and guarantee security requirements like authentication, availability, integrity, confidentiality and privacy [9].
From another aspect, the Artificial Immune System (AIS) is a bionic intelligent system that mimics the biological immune system and its way to protect against foreign or dangerous invaders [10].AIS has proven effective in protecting TCP/IP networks [11,12] , Wireless Sensor Networks (WSN) [13,14], and Mobile Ad Hoc Network (MANET) [15,16].This makes it more suitable for a dynamic and changeable environment such as IoT.Moreover, the human immune system properties make it a perfect approach to resolve IoT security dilemmas.Due to its ability to self-learning, adaptability robustness, resource optimization, dynamic structure, and lightweight [17] make it adapted to various applications such as computer security [18], intrusion detection [19,20], anomaly detection [21], data analysis [22,23], pattern recognition [24] and scheduling [25,26].Over and above, AIS methods solve multi-objective optimization problems successfuly [27,28], control engineering [29,30] and robotics [31].
After extensive IoT attacks, we reviewed the proposed recommendations and solutions to avoid infection.The suggested solutions were generally summed up to change the default passwords for the IoT devices, disable some ports, and guide consumers and manufacturers to use more secure devices.Although these security practices are effective and provide the first line of defense, their application is limited to security management and human interaction.Another challenge in the case of known software vulnerabilities is the delay of download the patches.Under these conditions, intrusion detection techniques become more important.Thus, the motivation for this study is that the traditional detection approaches are not able to efficiently detect new variants of IoT attacks.Consequently, it is urgent to study intrusion detection approaches in depth.Wherefore, the immune-based detection methods consider as a priority option due to its desirable properties.
The artificial immune system has various algorithms detect different types of attacks.The second generation of these algorithms called Dendritic Cell Algorithm (DCA).Greensmith introduced this novel danger-based AIS to detect port-scan attacks over wired networks [32].DCA is inspired by the capability of DCs to receive multiple antigens and signals, as well as reveal the context of each antigen.A novel DeepDCA is introduced in this study by sing an AIS inspired algorithm promises to address the challenges of IoT environment that make it vulnerable to attacks.The DeepDCA is verified and tested in this study to detect DoS, DDoS, Information gathering and theft.DeepDCA can be generalized to detect other types of attacks on IoT.
In this paper, we propose a novel Deep Learning and Dendritic Cell Algorithm based IDS framework; named DeepDCA.To identify IoT intrusion and minimize the false alarm generation.Our contributions can be summarized as follows: The rest of this paper is organized as follows.Section 2 provides a brief background of recent large-scale attacks targeting IoT devices and existing IoT security Approaches.Section 3 describes the dendritic cell algorithm generally and the basic concepts of Self Normalizing Neural Network.Related work for the AIS algorithms in the IoT ecosystem summarizes in Section 4. While Section 5 presents the proposed method based on DCA and SNN for signal selection and categorization.Followed by the evaluation results of the proposed IDS in Section 5. Finally, Section 6 concludes the paper.

Intrusion Detection Systems
Many technologies designed to protect the internet from destruction, breaches and unauthorized access.However, there are many defense technologies designed to protect this environment.IDSs are one of the essential parts that aim to monitor, analyze the network traffic and detect attacks.According to Hernández-Pereira, Elena, et al. [33] Intrusion can be defined as "any set of actions that attempt to compromise the Confidentiality, Integrity, and Availability (CIA) of information resources."Typical IDS have an analysis engine, sensors, and a reporting system.The sensors collect network, and host data then send it to the analysis engine.Hence, the analysis engine investigates the collected data and detect intrusions.If intrusion exists, the network administrator receives an alert from the reporting system [34].

Intrusion Detection Systems Architecture
The architecture of the IDSs functional modules divided into four types: [35] (see Figure 1) • Event-boxes (E blocks): these blocks monitor the target system by sensor elements and acquire the information events.

IoT Security Overview
The dynamic characteristics of the Internet of things and the desire to make devices connected anywhere, anytime, and anyplace creates critical challenges about privacy and security.Researchers from the HP lab addressed that almost 70% of IoT devices are vulnerable to be targeted, which means 25 vulnerabilities per device [36].The vulnerabilities around privacy, lack of encryption standards, authentication/authorization.Additionally, the threats and security problems inherited from the traditional network [37].As shown in Figure 2, the attacks classified on the IoT three layers: perception, network, and application-layer [38].

Algorithm Overview
In 1994, Pollu Matzinger introduced the danger theory and described the immune mechanism through the danger signals activation when damage exists [59,60].It also states that in the absence of tissue-related danger signals, the innate immune mechanism will be suppressed [61].This process derived from the cell death process (apoptosis and necrosis).The dendritic cell algorithm (DCA), presented by Green-Smith et al. which considered as de facto danger theory algorithm.DCA goes through four phases as detailed below [62] for each antigen is used to assess the degree of the anomaly.When the value of MCAV is closer to 1, the antigen probability of been anomalous is higher.The MCAV of antigen is calculated by dividing the number of times an antigen appears in the mature context by the total number of that antigen presentation.When the MCAV is calculated, the classification task starts by comparing the MCAV of each antigen to an anomalous threshold.Antigens with MCAVs greater than the anomaly threshold are classified into the abnormal otherwise are classified into normal.

Self-Normalizing Neural Networks
Self-normalizing neural networks are introduced in 2017 by Gnter Klambauer [63].It is a higher-level abstraction neural networks where the neuron activations automatically concentrate on a fixed mean and variance.Unlike other neural networks algorithms that lack the ability to normalizing the outputs and need further layers such as batch normalization [64]

SELU Activations
The activation function proposed in SNN is Scaled exponential linear units (SELU).It is similar to the Rectified Linear Units (ReLU) but with a simple exponential function.The SELU activation function is defined as: where x denotes input α (α = 1.6733), λ (λ = 1.0507) are hyper parameters which control the mean and variance of the output distribution.

Alpha Dropout
Ordinarily, the neurons are dropout in a random way by setting his weight to zero with probability 1 − p.In doing this the network is prevented to set mean and variance to an expected value.The ReLUs works very well with the standard dropout for the following reason: zero goes down to the low variance region which is the default value.In the case of SELU, we have that the default low variance is given by lim x→∞ selu(x) = −λα = α and for this reason the standard dropout does not fill well.Then for sets that the input values randomly to α , alpha dropout is the proposed to fit them well.The original values of mean and variance are restored by alpha dropout and the self-normalizing property is preserved too.Therefore by making activation into negative values saturation at random alpha dropout suits SELU.

Related Work: AIS and IoT
The using of AIS approaches to secure the IoT started in 2010, in this section, we will address the AIS methods that have been used to secure the IoT area based on the IoT layers.

Sense Layer
Many solutions based on AIS have been applied to secure the physical layer communication.The work of Chmielewski and Brzozowski [65], presented a "support system for existing solutions" embedded in a re-programmable FPGA (Field Programmable Gate Array).This model based on hybrid negative selection algorithm, called b-v model to detect the zero-day attacks.Besides, Chen et al. [66] investigated and computed the intensity value of security threats faced by IoT.They addressed a theoretical security situation sense model.This model consists of a security threat sense sub-model (STS) and a security situation assessment sub-model (SSA).This work introduced a notable mathematical theoretical model but this would be more interesting if it describes how to apply it within IoT and what type of data could be used.

Network Layer
So far, most of the AIS-based studies have been carried out in the network layer to handle the IoT security.A signature-based IDS proposed by Liu et al. [67].This IDS contains memory detectors that simulate the antigens in the human body and classify datagrams as normal and malicious.In spite of that theory mathematically analyzed and detected a various number of intrusions, it has a high computational running and the researchers did not specify how to implement it in limited resources devices.Additionally, a dynamic approach called Artificial Immune System Response Model (AISRM) was produced by Liu et al. [68].The proposed model captures the IoT data packets and transforms them into immune antigens then detects and responds to attacks.Although this is an adaptable model proven through a simulation experiment, the central server scalability is a significant problem where all communication passes through.

Application Layer
For the application layer, smart homes represented the majority.
In this context Arrignton et al. [69] proposed a Behavioral Intrusion Detection System based on positive and negative selection algorithms.This work provides an important insight into the process of detecting abnormal behavior related to non-playing characters such as a human.Nonetheless, due to the expanding of IoT network, this would delays the performance and leads to consume the resources.And conversely, in order to reduce the cost and time and provide the optimal solution, Yang et al. [70] developed a multi-objective optimization model.

DeepDCA: Deep Learning Dendritic Cell Algorithm
This Section presents the DeepDCA model for the automate DCA data pre-processing phase.As shown in Figure 3, the framework consists of three main steps, namely: Features Selection, Signals Categorization, and Deterministic Dendritic Cell algorithm.The proposed approach functions will mainly focus on the pre-processing phase.

Feature Selection
This framework adopted the Information Gain (IG) approach to decide which features are more important.The IG(F) is a measure of the reduction in entropy of variable F that is archived by learning after the value for the feature is observed.In Data Science the information gain used for ranking the features.A feature with high information gain ranked higher than others and has a strong power in the classification process.The IG can be obtained by [71]: where IG is the gain, values(S) is symbolize all the possible values of an attribute S.Moreover, F v is a subset generated by partitioning S based on feature F, and E(F) is the entropy which computed as the following:

The SNN Signal Categorization
The SNN module assign each selected attribute to specific signal category (see Figure 4).The guidelines for signal categorization are presented below: • Danger Signal: this signal indicates to the presence of anomalous situation or attack circumstances • Safe Signal: this signal indicates to the presence of normal behavior or non-attack circumstances

Generation of DCA Signals
The SNN is designed to extract the signals as safe (SS) and danger (DS) signal form the features (f_1, f_2, ..., f_N) as the following parametrized: where w S,i and w D,i >= 0 (6) The sigmoid activation function at the output neurons assures that the signals are contained in the range 0-100.Where the selu activation function at the hidden layer neurons admits to cut off high or low values of the feature attributes-depending on the signs of the parameters v S,i or v D,i .The positivity restriction on the weights w S,i and w D,i breaks the symmetry between the formulae for the two signals.It prohibits the SNN from choosing a solution where w S,i = −w D,i .These steps illustrate using the Algorithm 1.

Signal Processing
The combined signals to produce the intermediate output values of K and csm.The value K is a measure of the anomaly or irregularity in the cell, by other hands, the csm value represents the concentration of the complete signal that a cell exposes in all its useful life.When the cell depletes its shelf life will migrate and will be ready to classify all of the antigens collected in his past useful life, at this time produce the classification as normal or abnormal.The addition of safe signals with the danger signals gives the value csm.Therefore, the value K is obtained subtracting of the danger signals twice the safe signal.The following equation gives the values: (7)

Costimulation (CSM)
The generated signals from the SSN module combine to produce two intermediate output values CSM and K.By Costimulation we mean the process of cumulative concentration of signals within its environment by a DC in a period of time of his life.For a DC in the moment that his life span expires, it immediately migrates to the lymph node and exhibits antigens in certain circumstances.With the following equation the calculation of the value csm is performed: where S and D are the input value for the safe and danger signals.

Lifespan
By mean of the term lifespan of a DC we signify the total time that a DC takes to collect all of the signal concentration on its environment previous to the migration to the lymph node.When the value of lifespan results in less than the sum of the concentration the lifespan of the DC stops of subtracting the accumulated concentration of signals over time.Thus, the value of lifespan is a fixed quantity, but overtime this value is decreasing as the following Equation ( 9) assures-where i = 1, ..., N-: li f espan = li f espanSS i + DS i (9)

Anomaly Metrics: MCAV and K α
Once all data are processed it is possible to calculate the metric MCAV, the mature context antigen value obtained from the output of the cell that comes out from the run-time process.The value is calculated for each antigen of type α, where the symbol α is associated with a collection of antigens that has in common the same value.Clearly we could think by its name that MCAV is indeed a measure of the proportion of antigen contained in a completely mature cell whose value is given by the following equation: where MCAV α represents the antigen MCAV of the collection α, M is the number of the mature antigen of type α, and Ag is the total quantity of antigen presented for the collection of an antigen of type α.This is a probabilistic metric with values between zero and one, when the value of this metric goes to one, the probability of maturity of the cell increase.The classification rule applied on as follows in Equation ( 11) and the deterministic DCA could be described by mean of the Algorithm 2.

Input Antigens and Signals;
Output Antigens Types and accumulative k values

Experimental Setup
To conduct this experiment, we performed it on the High-Performance Computing (HPC) called Aziz.Aziz is a Fujitsu PRIMERGY CX400, Intel True Scale QDR, Intel Xeon E5-2695v2 12C 2.4GHz which provides a distributed computing facility.Moreover, for data exploration and visualization we used ggplot framework [72] and Seaborn [73].For preprocessing steps and feature engineering, Pandas framework [74] and Numpy framework [75] have been used.To calculate performance metrics, scikit-learn [76] was used, and finally, for data analysis, scikit-learn framework and Keras [77] were used.We followed the Cross-Industry Standard Process (CRISP) methodology [78].CRISP is a structured methodology for Data Mining projects conceived in 1996.which contain the following steps: Business Understanding, Data Understanding, Data Preparation, Modeling, Evaluation, and Deployment.

Data Acquisition
To illustrate the effectiveness of our model we selected The BoT-IoT dataset [79].This data was created in the Cyber Range Lab of The center of UNSW Canberra Cyber and has more than 72,000,000 records which include DDoS, DoS, OS and Service Scan, Keylogging and Data exfiltration attacks.Table 3 illustrate the statistics distribution of considered features.

Exploratory Data Analysis (Understating the Data)
Exploratory Data Analysis (EDA) is "the process of examining a dataset without preconceived assumptions about the data and its behavior" [80].The goal of the EDA is to evaluate the cleanliness and missing data and explorer the relationships among variables which give us a deep insight (see Table 4).

Feature Selection
Feature selection is a primary step to enhance IDS performance, reduce the computational cost and improve accuracy.In the original dataset, a selection of the 10 best features has been provided (see Table 5).In this work, we used the best 10 features and adopted the Information Gain (IG) approach to decide which features are more important.Figure 5 shows information gain for each feature.The features ('seq', 'DstIP', 'srate', 'SrcIP', 'max'), are the most discriminative attribute.While the rest ('mean', 'stddev', 'min', 'state_number', 'drate') have small maximum information gain (smaller than 0.5), which little contribute to intrusion detection.In this phase, we initialized the population of DCA with size up to a limit of 100 cells.Then, an array size named antigens set to store antigen per iteration.Finally, initialize the output parameters K and CSMK to zero.

Signals and Antigen
The antigen represented by an attribute of the dataset which identifies the traffic packets uniquely, in our case the antigen is "pkSeqID" attribute.For the Signals, SNN models meant to implement a parametrized signal extraction process for the DCA.It defined to have 1 input layer with six neurons equal to the number of input features, one hidden layer, and 1 output neuron for the binary classification..The Model was trained in 125 epochs.The task of the hidden layer neurons would be to encode the decision for a threshold and transform the input attributes into signals normalized into the interval [0, 1] (hence, sigmoid activation).Therefore, the hidden layer neurons should decide for a sign and threshold for each feature.Then, we used selu activation functions for the hidden layer and an al pha − dropout layer between the hidden layer and the output neurons.The output neurons can choose a sign and weight per input signal, and would again yield signals within the interval [0, 1]. Figure 6 represents the accuracy and loss of SNN model.

Dendritic Cell Algorithm Module
Once the data pre-processing phase is performed, the model moves to the next stages -as described in Section 3, which are the Signal Processing, the Context Assessment, and the Classification Procedure.

Evaluation Criteria
The confusion matrix is usually used to evaluate the performance of the classification model.The confusion matrix relies on the four terms of True Positive (TP), True Negative (TN), False Negative (FN) and False Positive (FP) [81] as shown in Table 6.
• TP: is the number of actual malicious records classified as attacks.

Result and Analysis
This section presents the results obtained when applying the DeepDCA model for intrusion detection.Several hyper-parameters are examined such as the selected features and the attack types.

Impact of Features
Table 7 illustrate the influence of the features employed in the learning process.The first three records in the table represent the result of the imbalanced data.We examined all features of the BoT-IoT then the best 10 features, and finally, the selected features using information gain (see Section 7.4).As the accuracy is misleading metrics when dealing with imbalanced classes problem, Recall, Precision F-measure are telling a more truthful story.Precision is a measure of (exactness), recall for (completeness) of a model and the F-measure is a harmonic mean of the two.As shown in Table 7, even though the accuracy for all features of the imbalanced classes gets a better result, the rest of the metrics are not in line with it.The IG-selected features have the best indication of detection performance for imbalanced classes.On the other hand with balanced data, as expected fewer features render better results in general.The results produce slightly worse when added to the full features set.Consequently, DeepDCA yields a better result when dealing with balanced classes and features that have a higher importance in the detection process.For make it easier to compare the result, Figure 7 shows the same results in a different format.

Impact of Attack Scenarios
We evaluated the proposed IDS by measuring the performance metrics in different attack scenarios as shown in Table 8.The results illustrated that DeepDCA performed well in detecting various attack types although its performance was better in DDoS/DoS attacks which may be due to the abundance of data about this attack in the BoT-IoT dataset.

Comparison with Classifiers
The performance evaluation results of the DeepDCA model are compared with four commonly used methods for intrusion detection, namely the Support-Vector Machines (SVM), Naive Bayes (NB), K Nearest Neighbor (KNN) and Multilayer Perceptron (MLP).The comparison made is in terms of Accuracy, F-measure, Recall/sensitivity and Precision.Table 9 shows that DeepDCA slightly better than MLP and outperformed other classifiers SVM , NB and KNN.To sum up, applying the DeepDCA for the Intrusion detection system was validated against an IoT dataset demonstrating over 98.73% accuracy.It was able to identify successfully different types of attacks and showed good performances in terms of detection rate and false-positive rates.

Conclusions
In this research, we develop a Deep Learning Dendritic Cell Algorithm (DeepDCA).Our framework adopts DCA and Self Normalizing Neural Network.The aim of this research is to classify IoT intrusion and minimize the false alarm generation.Also, automate and smoothe the signal extraction phase which improves the classification performance.The proposed IDS selects the convenient set of features from the IoT-Bot dataset and to perform their signal categorization using the SNN.The experimentation results show that our DeepDCA performed well in detecting the IoT attacks with a high detection rate demonstrating over 98.73% accuracy and low false-positive rate.Also, capable of performing better classification tasks than SVM, NB, KNN and MLP classifiers.We plan to carry out further experiments to verify the framework using more challenging datasets with missing and noisy data and make further comparisons with other signal extraction approaches.Also, involve in real-time (online) attack detection.

•
Database-boxes (D blocks): these blocks store information from E blocks.• Analysis-boxes (A blocks): these blocks analyze events and detect potential abnormal behavior.• Response-boxes (R blocks): these blocks execute in case an intrusion occurs.

Figure 1 .
Figure 1.General architecture for IDS systems.

2. 3 .
Existing IoT Security Approaches 2.3.1.Non Artificial Intelligence-Based Security Method Many of non-artificial intelligence-based security methods have been implemented to secure the IoT environment.A good example of these methods: identity-based encryption, watchdog, reputation and trust mechanisms, Complex Event Processing (CEP) and lightweight cryptography.

Figure 5 .
Figure 5. Features Ranking Based on Information Gain.

Figure 7 .
Figure 7.Comparison of Features Impact in Classification Process (Im = Imbalanced Data, Ba = Balanced Data).

Table 1
summarize the presented techniques.

Table 1 .
Non-Artificial Intelligence-based Security Method.Artificial Intelligence-Based Security Method Artificial intelligence has attracted attention in recent years, especially in the field of IoT security.The following Table2summarizes the leading technologies that have been introduced to protect the IoT ecosystem.
this phase includes two main steps: feature reduction and signal categorization.First, feature reduction which selects the most important attributes from the training set.Next, the selected features classify to signal category: safe, danger and PAMP.• Phase 2. Detection : in this phase, the DCA has to generate a signal database by combining the input signals with the antigens to obtain cumulative output signals.
• Phase 3. Context Assessment: the generation of cumulative output signals from the detection phase are used to perform context assessment of antigens.If the collected antigens by a DC has a greater Mature DCs (mDC) than its Semi-Mature DCs (smDC) value, it is labeled as 1, otherwise 0. • Phase 4. Classification: the calculated value deriving from the Mature Context Antigen Value (MCAV) Connect it with H S,i , i = 1, ..., Number o f inputs; Connect it with H D,i , i = 1, ..., Number o f inputs;

Table 3 .
Statistical Description for The Dataset.

Table 4 .
Frequency distribution of considered features.

Table 7 .
DeepDCA performance based on Features Impact among Imbalanced and Balanced Data.

Table 8 .
DeepDCA Performance Evaluation Metrics in Different Attack Categories.

Table 9 .
Comparison of Classifiers Performance.