A Novel Deep Learning-Based Intrusion Detection System for IoT Networks

Abstract

The impressive growth rate of the Internet of Things (IoT) has drawn the attention of cybercriminals more than ever. The growing number of cyber-attacks on IoT devices and intermediate communication media backs the claim. Attacks on IoT, if they remain undetected for an extended period, cause severe service interruption resulting in financial loss. It also imposes the threat of identity protection. Detecting intrusion on IoT devices in real-time is essential to make IoT-enabled services reliable, secure, and profitable. This paper presents a novel Deep Learning (DL)-based intrusion detection system for IoT devices. This intelligent system uses a four-layer deep Fully Connected (FC) network architecture to detect malicious traffic that may initiate attacks on connected IoT devices. The proposed system has been developed as a communication protocol-independent system to reduce deployment complexities. The proposed system demonstrates reliable performance for simulated and real intrusions during the experimental performance analysis. It detects the Blackhole, Distributed Denial of Service, Opportunistic Service, Sinkhole, and Workhole attacks with an average accuracy of 93.74%. The proposed intrusion detection system’s precision, recall, and F1-score are 93.71%, 93.82%, and 93.47%, respectively, on average. This innovative deep learning-based IDS maintains a 93.21% average detection rate which is satisfactory for improving the security of IoT networks.

1. Introduction

The Internet of Things (IoT) has started a new paradigm of computing that is transforming our lives. IoT devices are employed in various applications, including transportation, smart homes, healthcare [1], industrial production, security, and supply-chain management [2], and Blockchain monitoring [3]. According to Zhao, Y., & Lian, Y., IoT devices are projected to hit 30.9 billion units by 2025. This study shows that the number of IoT devices in 2021 was 13.8 billion [4]. It indicates that this industry has a growth rate of more than 55%. This rapid growth, dependency on IoT devices, and business potential have drawn the attention of researchers, innovators, entrepreneurs, business people, and cybercriminals. The utilities provided by IoT devices have created an extensive demand in the market. This demand has drawn the interest of potential investors. Innovators and entrepreneurs are making this field even more attractive by innovating and marketing different applications of IoT devices to make our lives better and easier [5]. However, it has created the scope for cyber criminals to exploit the weaknesses and vulnerabilities of IoT devices. The business growth and financial opportunities have made IoT an attractive domain to practice cyber attacks. This is the root cause behind the rapid growth of cyber-attacks on IoT devices [6].

According to L. P. Rondon et al. [7], IoT device manufacturing with little, to some extent, no attention to cyber security. A study by R. Williams et al. discloses that many IoT devices currently exist in the market, many of which are fully operational in different services and are vulnerable to cyber attacks [8]. Attacks on IoT devices are not confined to the devices. Usually, IoT devices are connected to other appliances, and systems. As a result, they work as attack vectors which attackers exploit to gain access to anything connected to it. The attack on Dyn through imaging IoT devices caused a devastating effect in 2016, resulting in an internet outage for Amazon, Twitter, and Netflix [9]. One of the fastest-growing IoT sectors is Medical IoT (MIoT). MIoTs are sensitive because it is directly related to healthcare. However, The recent cyber-attack trends show that intrusion on MIoT devices is higher than ever, and the rate is increasing at a dangerous rate [1,10].

One of the significant challenges in IoT security is its various vulnerabilities. There are multiple ways to exploit vulnerabilities and attacks on IoT devices [11]. Every cyber-attack is made through network connectivity unless we consider cyber-physical attacks, which is not within the scope of this research. IoT devices are computationally constrained systems. That is why using traditional cyber-security methods to secure vulnerable IoT environments is impractical [12]. Moreover, the diverse multidimensional scope of vulnerabilities takes the IoT environment beyond the scope of conventional rule-based security methods [13]. IoT environments constantly produce large volumes of data. Identifying anomalous data from these streams of data is a challenging task. And Deep Learning (DL)-based approaches are appropriate in these cases. Deep neural networks are effective in analyzing large volumes of data, discovering patterns, and relations among them, and classifying the data according to defined properties [14].

The application of Deep Neural Networks (DNN) in IoT security is a promising solution to network data anomaly-based intrusion detection [15]. IoT devices produce a large volume of data. However, the nature of the data maintains a common pattern. Anything that disrupts the typical way may be considered an outlier which is anomalous. Properly trained DNN is a potential solution to identify and classify anomalous data [16]. Based on this hypothesis, we propose a Deep Neural Network-based IoT intrusion detection system from real-time anomalous data. The objective of this research is to develop a communication protocol-independent DNN-based real-time IoT intrusion detection system for safer and more secure IoT environments.

The proposed Deep Intrusion-Detection (DID) system does not require system attributes, communication protocol adjustment, or network structure virtualization. It is a plug-and-play intrusion detection system that identifies the common and anomalous signal flow through the network. Based on the deviation from the regular signal pattern, it detects intrusions. The core contributions of this paper are:

• Deep Neural Network (DNN) design and optimization for IoT network intrusion detection.
• Designing the intrusion detection system components.
• Discovering the effective dataset features for IoT network intrusion detection.
• Deep analysis of DNN-based intrusion detection system through intrusion model of five frequently occurring attacks.
• Achieving an average intrusion detection rate of 93.21%.

The rest of the paper has been organized into five different sections. The Section 2 presents the relevant literature review. The Section 3 of this paper presents the proposed methodology and implementation of the DID. The implementation details and conceptual assessment are presented in the Section 4. The experimental results and performance evaluation are presented in the Section 5. Finally, the paper is concluded in the Section 6.

2. Literature Review

Our daily life has become easier because of the application of IoT devices. It has revolutionized numerous sectors. Although the growth rate of IoT devices is remarkable, cybersecurity concern has become a significant barrier to the faster adoption of this technology [17]. A successful attack on IoT devices not only affects the device but also allows the attacker to explore other services it provides. IoT devices are used at the application level, which is more connected to the personal aspects of human lives. That is why it has become one of the prime targets of cyber-criminals [18]. Moreover, IoT devices are used as the control unit of different manufacturing facilities [19]. An attacker gets access to the entire control system if there is a security breach. Even connected smart phones are vulnerable to such attacks [20,21]. These exciting features of IoT networks attract more cyber criminals to attack IoT environments. That is why it is more important than ever to develop a Deep Learning-based intrusion detection system to minimize the number and effect of attacks on IoT systems.

M. Alajanbi et al. have discussed various methods of intrusion detection in their review paper by emphasizing the effectiveness of these methods [22]. The authors in [23,24,25,26,27,28] exhibit promising performance in intrusion detection. A. Oseni et al. developed an explainable deep learning-based intrusion detection system for IoT networks. They used SHapley Additive exPlanations (SHAP) to explain the network’s operation. One of the main focuses of this method is to comprehend the logical reason behind the decision made by their Deep Learning-based IDS. This framework demonstrates 99.15% accuracy and 98.83% F1 score. However, it is focused on the Internet of Vehicles (IoV), a sub-branch of IoT. Machine learning-based intrusion detection systems work optimally for fog and edge computing environments according to Alzubi et al. [29]. The proposed intrusion detection system is a potential solution to any IoT network regardless of connected devices. At the same time, the 99.15% accuracy achieved by A. Oseni et al. raises suspicion of overfitting which has yet to be addressed through different datasets. The proposed intrusion detection system is much more reliable and robust than this approach.

An explainable Deep Learning-based system developed by M. M. Alani et al. named as DeepIIoT, indented to secure industrial IoT devices, shows 99% accuracy with the testing dataset. They focus on industrial IoT, especially water treatment facilities, nuclear reactors, and power grids. They trained and experimented with the WUSTL-IIOT-2021 dataset [30]. The proposed intrusion detection system is also a deep learning-based approach. However, the innovative intermediate communication system makes it network-independent. The application boundary of the proposed IDS is not confined to industrial IoT only. Moreover, the DeepIIoT depends on the signature and is a rule-based detection system. It suffers from the challenge of frequently updating the signature database. The proposed system has no such limitation. V. Ravi et al. developed an intelligent network intrusion detection system using a recurrent deep learning-based feature fusion approach incorporating an ensemble meta-classifier. This approach achieves 99% accuracy [31]. Although it is superior to the proposed method from the accuracy perspective, the network architecture simplicity makes the proposed system a unique contribution to the intrusion detection research domain. An association rule mining-based Artificial Neural Networks (ANN) dependent intrusion detection methodology developed by F. Safara et al. demonstrates significant improvement in intrusion detection for communication networks [32]. The proposed approach is also based on ANN. However, its network architecture has been specially designed for IoT-network intrusion detection.

M. Abdel-Basset et al. have discussed the scope of applying deep learning techniques in IoT security. They further emphasized the application of deep learning in IoT privacy as well [33]. However, network-specific rule-based intrusion detection systems are easier to develop. They perform well within the intended network. A knowledge-based specific rule-dependent network sinkhole attack intrusion detection system developed by H. G. An et al. [34] demonstrates an attack detection ratio of 81.63%. It performs 7% better than [35], which is a similar approach named INTI. H. Asad et al., in their research on dynamic analysis of variations in rule-based intrusion detection systems for open course networks, discuss the significance of appropriate IDS in diversified configurations [36]. The quantitative analysis presented in this paper aligns with the core idea of the proposed methodology, which is the need for a network protocol-independent intrusion detection system for IoT networks.

3. Methodology

The proposed Deep Learning-based Intrusion Detection (DID) system, illustrated in Figure 1, is an innovative and automatic system that learns from data generated from the host IoT network and detects the intrusion of the network once adequately trained. The dynamic connector of the proposed Intrusion Detection System (IDS) establishes the connection between emulated network and requests from the IoT network. The emulated network communicates with the feature extractor and network classifier through an interface module. The feature extractor extracts the feature of the network packets, which are the dataset for the deep neural network of the proposed methodology. The proposed IDS is dynamic and regularly updated based on newly discovered features through the classifier Updated module. Once the intrusion is detected, the network classifier passes it to the mitigation phase. This phase reduces the impact of the intrusion.

3.1. Components of the Detection System

We have developed the proposed intrusion detection system keeping simplicity in design and ease of deployment in mind. That is why the detection system has been developed using a modular approach. The proposed Deep Intrusion Detection (DID) system consists of three primary modules. They are the Communication Module (CM), Intrusion Detection Module (IDM), and Mitigation Module (MM). These three modules work together. The communication module manages the full-duplex communication between the sender and the receiver. Any form of communication passes through the IDM module. If any intrusion is detected, this module passes the packets to the mitigation module.

3.1.1. Communication Module (CM)

The communication module performs its operation through Dynamic Connection, Network Emulator, and Interface module. One of the core contributions of the proposed system is the communication protocol-independent system. The underlying protocol governing communication among IoT devices is not a constraint for the DID system. It has been done through an innovative design in the communication module. The working principle of the communication module has been discussed in this subsection.

Dynamic Connection

The dynamic connector sends probe signals. It also broadcasts beacons to all IoT devices within the defined network. It also analyzes the broadcast beacons, intercepts the handshake packets, and inspects the session requests to discover the communication protocols. It maintains a protocol table that lists the active communication protocols used in the IoT environment. The dynamic connector dynamically maintains functional network interfaces which intercept communication signals from different devices. The dynamic connector translates the packets received from different network interfaces. It uses secondary storage as the cache memory to store the translated packets. When it receives the bit stream from the IoT devices, it uses the appropriate communication protocols stored in the protocol table to convert the bit stream into network packets using the relevant protocol.

Network Emulator

The underlying network protocols governing the IoT networks are listed in the protocol table. It contains all relevant information about the network. Instead of connecting to the network directly, the proposed methodology uses an innovative way to maintain communication. And that is through a network emulator [37]. It has a Virtual Network Client (VNC) module that fetches the packets stored in the cache memory of the dynamic connector, chooses the appropriate network protocol from the protocol table, processes the packets according to the protocols, and finally transmits them to the intended IoT device.

Interface Module

The interface module creates the interface to exchange the data packets. It controls how data are transmitted and received between the communication module and the intrusion detection module. The interface module controls the dynamic connector and the network emulator.

3.1.2. Intrusion Detection Module (IDM)

Feature Extractor Module (FEM)

The IoT devices communicate over the networks through data packets governed by associated communication protocols. Anything anomalous is related to the data packets. The feature extractor module extracts the features listed and explains in

Table 1. Feature extraction and their roles.

Serial	Feature	Symbol	Role
1	Source IP	$I{P}_s$	Authentic source verification
2	Destination IP	$I{P}_d$	Integrity of the destination
3	Information	$I_d$	The value of the data
4	Active Session	$A_s$	Active time duration of the devices
5	Transmission Mode	$T_m$	Suspicious communication from unauthorized devices
6	Transmission Rate	$T_r$	Anomalous rate of data transmission
7	Reception Rate	$R_r$	Anomalous rate of data reception
8	Transmission to Reception Ratio	$TRR$	A ratio expresses the usual or anomalous bandwidth usage

from the data packets using Algorithm 1. This module intercepts data packets. Features expect $I_d$, $T_r$, $R_r$, and $TRR$ are available in the header of the packets. The information ($I_d$) of the packets is carried in terms of the data field. The transmission rate ($T_r$), and reception rate ($R_r$) are sent by the interface module of the Communication Module (CM). The transmission to reception ratio ($TRR$) is measured as the ratio of $T_r$ and $R_r$.

Network Classifier

One reason behind the proposed system’s outstanding performance is the anomalous network before intrusion detection using Deep Learning. We used machine learning-based anomaly detection to classify malignant and benign networks. A Support Vector Machines (SVM) model has been used in this paper to classify the network. The loss function of the SVM model is defined by Equation (1).    

$$c(x,y,f\left(x\right))=\left\{\begin{array}{c}0,ify*f\left(x\right)\ge 1\hfill \\ 1-y*f\left(x\right),else\hfill \end{array}\right.$$

(1)

To prevent the SVM from overfitting, a regularization parameter has been added to the cost function of the Equation (1), which is expressed using the Equation (2).

$$LossFunction=mi{n}_w{\lambda \left|\right|w\left|\right|}^2+\sum _{i=1}^n(1-y_i\langle x_i,w\rangle )$$

(2)

Finally, the gradient of the SVM is updated using Equations (3) and (4) for correct and incorrect prediction, respectively.

$$w=w-\alpha \times (2\times \lambda \times w)$$

(3)

$$w=w-\alpha \times (y_i\times x_i-2\times \lambda \times w)$$

(4)

The weights are updated during the training phase of the SVM model. The model is trained using the dataset created from the experimenting network based on the features explained in Table 1. Training the model is a manual process. The dataset has been prepared by manual observation over various intervals of time. During the observation, the dataset is labeled malignant and benign.

Algorithm 1 Feature Extraction Algorithm

Require:  $H\leftarrow Listofpacketheaders$  $FunctionFeatureExtractor(packet,interface)$  Extract $HeaderInformation$  Divide the $HeaderInformation$ for each Layer  for every Layer in packet do      $N\leftarrow LayerName\left(packet\right)$      if $N\ne Empty$ then          $F\leftarrow split\left(HeaderInformation\right)$      end if      for every F do          Add the F to feature list      end for      Assign the features to Layer  end for  $EndFunction$

Classifier Updater

One of the innovative approaches of this proposed intrusion detection system is the Classifier Updated. This module has been designed to reduce the necessity of human intervention to update the network classifier. This module has tasks. The first task is to keep track of the signals from the network which are not part of the training dataset. And the second task is to monitor the accuracy of the SVM constantly. When the accuracy of the SVM falls below 90% multiple times, the Classifier Updated raises the alarm. After it receives the labeled dataset, it automatically updates the SVM on the dataset that caused performance degradation along with the previous dataset.

3.1.3. Mitigation Module

The proposed intrusion detection system detects the intrusion using a deep neural network, and it mitigates the attack. At the same time, it generates a system response to generate an alert. The entire process consists of two activities. The first activity is sensing the nature of the attack, and the second phase prompts a relevant scheme to minimize the impact of the intrusion. There are two components to these two activities. The first component is the proposed deep neural network that classifies the attack and the second component is a controller that chooses an appropriate option from a set of options to mitigate the impact of the attack. The set of options is defined by Equation (5).

$$C_i=\left\{(x,y)\right|x\in intrusion,y\in mitigation\}$$

(5)

The $C_i$ in Equation (5) is an `intrusion-mitigation’ pair that is pre-selected during the deployment of the proposed IDS. The `intrusion-mitigation’ pair changes depending on the need, goal, and priority of the network. This experiment deals with five sets of intrusions defined in the intrusion model of Section 4.1.

3.2. Intrusion Detection Using Deep Learning

3.2.1. Dataset

A dataset with 25,000 instances has been prepared for and used in this experiment. The Regular ($R_D$) and Malicious ($M_D$) instance ratio of the dataset is 82:18. That means 82% of 25,000 instances are regular data, and 18% instances are malicious data. The $R_D$ and $M_D$ are randomly mixed, and there is no intentional pattern has been created. This dataset has been divided into training, testing, and validation dataset with a ratio of 70:15:15. The training and validation datasets have been used during the training phase. The testing dataset is untouched during the training and validation phase and used during the experimental evaluation only. Proper feature selection and feature reduction are two essential phases in automatic intrusion detection systems [38]. That is why the dataset for this experiment contains the features mentioned in Table 1, which are considered the most influential features in detecting intrusion using machine learning algorithms.

3.2.2. Feature Engineering

The features listed in Table 1 consist of qualitative and quantitative features. In the IoT network, there are senders and receivers. IoT devices are resource constraint devices. That is why they are designed to communicate in the simplest possible way. Usually, the transmission rate of the senders and receivers are the same to avoid the necessity of installing extended buffer memory. A significant difference between the transmission and distribution rates indicates a Denial-of-Service (DoS) attack [39].

The IoT network is safe if the transmission-to-reception ratio is close to unity. However, significant deviation from unity means the sender is not sending the data to the correct destination or the receiver is not receiving the data from the intended source. It is an indication of spoofing. There is a possibility that some intermediate device, which is not enlisted in the network, has breached the network security and manipulated the sender and the receiver. The transmission mode determines the communication protocol, the current status of the communication cycle, and the next phase of the cycle. A Deep Neural Network trained on the nature of communication at different transmission modes identifies an intrusion if any device behaves differently under a certain transmission mode. The quantitative analysis leads to qualitative results used to determine the intrusion in an IoT network. The features listed in Table 1 are used to perform the quantitative analysis to generate qualitative results. The proposed system uses the cache memory of the Communication Module to temporarily store these features and process them to detect intrusion if there is any. The process starts with the probability distribution calculation using Equation (6).

$$P_d=P\left(f_o\right),P\left(f_1\right),P\left(f_2\right),\dots ,P\left(f_7\right)$$

(6)

Here is Equation (6), $P\left(f_i\right)$ is the probability of each data packet value of unity observed in the $i^{th}$ feature. If the $P\left(f_i\right)$ is greater than 50% of the mean, the data is benign or otherwise malignant.

3.2.3. Deep Neural Network Design

A six-layer deep neural network has been designed and optimized to detect intrusion in this experiment. We started with a network architecture with 2 hidden layers. However, the experimental observation shows that the network performance is not satisfactory with 2 hidden layers. That is why we experimented with different numbers of hidden layers, and the six-layer deep neural network generates the best result. We used a Fully Connected Feed Forward Neural Network (FCFFN) architecture [40], which is illustrated in Figure 2. Every neuron of a layer is connected to every other neuron of the subsequent layer in FCFFN architecture. There is no additional implementation complexity of emphasizing and omitting connections. We used the FCFFN architect for simplicity and ease of implementation. It has eight input nodes for the eight features listed in Table 1. Each input node receives one feature. The features are extracted using the feature extraction module. The features are stored in the dataset, each row containing eight features. These rows are transposed using the Equation (7) before being transmitted to the proposed network.

$$F_{input}={[F_1,F_2,F_3,F_4,F_5,F_6,F_7,F_8]}^T$$

(7)

The output vector of the network is defined by Equation (8) where $y^l$ is the output vector, ${\sigma }^l$ represents the activation function, $B^l$ is the bias vector, and $K^{l-1}$ represents the previous layer to layer l.

$$y^l={\sigma }^l(B^l+W^l{K}^{l-1})$$

(8)

We used the Rectified Linear Activation Unit (ReLU) function for the hidden nodes [41] and the Sigmoid function for the output nodes [42]. These two activation functions are defined by Equations (9) and (10).

$${\sigma }_{ReLU}=max(0,x)$$

(9)

$${\sigma }_{sigmoid}=\frac{1}{1+e^{-x}}$$

(10)

The Gradient Descent algorithm has been used as the loss function of the proposed network to minimize the error defined by Equation (11) [43]. Based on the loss function, the weight of the hidden nodes of the hidden layers of the network is updated. The back-propagation algorithm governed by Equation (12) has been used to update weights of the hidden nodes [44].

$$E(x,\theta )=\frac{1}{2N}\sum _{i=1}^N{(y_i^{{}^{\prime }}-y_i)}^2$$

(11)

$$g^{{}^{\prime }}\left(x\right)=\frac{\delta \sigma \left(x\right)}{\delta \left(x\right)}=\sigma \left(x\right)(1-\sigma \left(x\right))$$

(12)

4. Implementation and Result Evaluation

The proposed Deep Learning-based Intrusion Detection (DID) system for IoT networks has been implemented in python using the TensorFlow library. We used Cooja Network Simulator (CNS) [45] and experimented with it in Contiki Operating System (COS) [46]. The Raspberry Pi 4 Model B with 2 GB primary memory has been used as the IoT device.

4.1. Intrusion Model

The most frequent and damaging attacks on IoT networks are Blackhole Attack, Distributed Denial-of-Service (DDoS) Attack, Opportunistic Service Attacks, Sinkhole Attack, and Wormhole Attack [47]. The performance of the proposed intrusion detection system has been evaluated based on these five attacks. A. Thakkar and R. Lohiya have conducted a rigorous study and presented the different aspects of the intrusion detection model in their review paper. This review, published in 2022, shows the gradual fall in intrusion detection rate for the five attacks mentioned in our attack model. The reason behind it is the change in the nature of the data. The rate of data flow, nature of the attack, and target of the attackers have changed. As a result, traditional rule-based systems are no longer as effective as they used to be before the revolution of IoT [48]. That is why this paper proposes deep neural networks, which are state-of-the-art techniques to handle big data, discover patterns, and make appropriate predictions.

Blackhole Attack (BHA)

In a blackhole attack, the malicious device first advertises erroneously that it is on the quickest route to the target, and then it drops all packets that are traveling along its path in silence, therefore creating a blackhole in the network [49].

Distributed Denial-of-Service (DDoS) Attack

A distributed denial-of-service attack, also known as a DDoS attack, is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This type of attack is known as a distributed denial-of-service attack (DDoS) [50].

Opportunistic Service Attacks (OSA)

In an opportunistic service attack, the malicious device builds up its trustworthiness by first providing services that are extremely trustworthy, but it subsequently switches to offering services that are of lower quality for the purpose of increasing its own profits [51].

Sinkhole Attack (SHA)

A sinkhole attack is a form of attack in which a hacked node attempts to attract network traffic by advertising its own bogus routing update. Sinkhole attacks have a number of negative effects, one of which is that they may be used to launch further attacks, such as selective forwarding attacks, acknowledgment spoofing attacks, drops, or attacks that modify routing information [52].

Wormhole Attack (WHA)

Using a virtual private connection, two attacking devices communicate with one other in order to carry out an attack known as a wormhole tunnel attack. The network packets that are received by the victim device are initially sent via the wormhole, and then they are replayed at a later time. This causes the routes to be less efficient [53].

4.2. Evaluation Metrics

The state-of-the-art machine learning evaluation metrics have been used in this experiment to evaluate the performance of the proposed intrusion detection system. It has been observed from the literature review that accuracy, precision, recall, and F1-score are the most widely used ML evaluation metrics. These metrics have been defined by Equations (13)–(16), respectively. These evaluation metrics are measured from True Positive (TP), True Negative (TN), False Positive (FP), and False Negative (FN) [54]. These values are retrieved from the confusion matrix analysis, which is presented in the next subsection. We have also evaluated the performance of the proposed network based on the Intrusion Detection Rate (IDR) of the system, which is defined by the Equation (17) where DI stands for Detected Intrusion and TI stands for Total Intrusion.

$$Accuracy=\frac{TP+TN}{TP+TN+FP+FN}$$

(13)

$$Precision=\frac{TP}{TP+FP}$$

(14)

$$Recall=\frac{TP}{TP+FN}$$

(15)

$$F1=\frac{2*Precision*Recall}{Precision+Recall}$$

(16)

$$IDR=\frac{DI}{TI}\times 100\%$$

(17)

4.3. Confusion Matrix Analysis

A confusion matrix is a table that defines the performance of a machine learning classifier with True Positive (TP), True Negative (TN), False Positive (FP), and False Negative (FN). These values are further used to measure accuracy, precision, recall, and F1-score, which are considered as state-of-the-art machine learning evaluation metrics.

4.3.1. Performance on BHA

The performance of the proposed deep neural network on BHA has been analyzed using the confusion matrix illustrated in Figure 3. The precision and recall on BHA are 88.4% and 96.9%. It demonstrates an accuracy of 96.5% with a specificity of 89.6%. The proposed intrusion detection system classifies 435 negative classes and 492 positive classes correctly. However, 16 negative classes were predicted as positive, and 57 positive class was predicted as negative. That is why the precision of the proposed IDE on the performance of Blackhole attack detection is 88.4%. However, the overall accuracy of the proposed IDS on BHA attack is satisfactory.

4.3.2. Performance on DDoS Attack

The DDOs attack is one of the common attacks. A successful DDoS attack can cause serious harm to business and customer satisfaction. If an IoT network is unavailable for an extended period of time, all dependent services will collapse, which downloads the overall Quality of Service (QoS) and ignites customer dissatisfaction [55]. The proposed deep neural network demonstrate better performance in classifying DDoS attack, which has been illustrated in the confusion matrix of Figure 4. It shows that the network correctly classifies 485 positive and 444 negative classes. However, 48 negative class was predicted as positive, and 23 positive class was predicted as negative. Overall, the network has achieved 92.2% precision and 95.5% recall. The accuracy of the network is 95.1%, and the sensitivity is 91.0%. According to the observation on the confusion of Figure 4, the proposed intrusion detection system is good at detecting DDoS attacks.

4.3.3. Performance on OSA

Attackers with the intention to penetrate into the IoT network without proper authorization usually attempt Opportunistic Service Attacks (OSA). The proposed deep learning-based intrusion detection system demonstrates up to the mark performance in detecting OSA. The confusion matrix analysis presented in Figure 5 demonstrates that the proposed deep neural network has been well-trained to classify Opportunistic Service Attacks (OSA). The intrusions are successfully detected with 94.8% precision and 95.5% recall. The classification accuracy is 95.2% with a sensitivity of 95.2% as well. The overall F1-score of the network in OSA detection is 95.04%. The experimenting IDS detects 952 attacks out of 1000 attacks correctly. Only 23 negative class was predicted as positive, and 25 positive class was predicted as negative class. It is evident from this observation that the proposed deep learning-based intrusion detection system detects Opportunistic Service attacks effectively.

4.3.4. Performance on SHA

The Sinkhole attack is a dangerous routing attack. In this attack, a neighboring IoT node is targeted. After that, the routing information is manipulated so that the requests expecting the received service from the IoT network are diverted to other destinations. It results in improper and, in many cases, no response to requests from the IoT devices. And the extended period of successful Sinkhole attacks can mislead a large volume of authentic requests. The performance of the proposed deep neural network-based intrusion detection system has been analyzed using the confusion matrix illustrated in Figure 6. It shows that the network correctly identifies 483 positive intrusions and 450 negative intrusions. However, the network predicts 35 benign events as intrusions. At the same time, it fails to predict 32 malignant classes correctly. The proposed network detects intrusion with 92.8% precision and 93.8% recall. The system’s overall accuracy is 93.4%, and the specificity is 93.2%. Out of 1000 instances, the proposed IDS detects 952 instances correctly. That means the proposed intrusion detection system is good at detecting Sinkhole attacks.

4.3.5. Performance on WHA

The Wormhole Attack (WHA) is the fifth intrusion in our attack model prepared for this experiment. One of the common bandwidth optimization tactics is to route the packets through the shortest path and store them in buffer memory to minimize the delay. The Wormhole Attack (WHA) manipulates the routing optimization information resulting longer delay routing delay. At the same time, it leads the packets through a longer route. The confusion matrix illustrated in Figure 7 demonstrates that the proposed network detects the WHA with 94.5% precision and 94.6% recall. The overall accuracy of the network is 94.2%, and the specificity is 95.0%. The network detects the intrusion with an F1-score of 94.36%. That means the deep learning-based intrusion detection system efficiently detect Wormhole attacks.

4.4. Overall Performance

The network’s overall performance on five different types of intrusions has been listed in

Table 2. Overall performance on random attack.

Attack	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)	IDR
Blackhole	92.7	92.63	93.01	92.28	96.45
DDoS	92.9	92.86	93.03	92.61	95.41
Opportunistic Service	95.2	95.19	95.2	95.04	90.17
Sinkhole	93.3	93.28	93.3	93.07	91.7
Wormhole	94.6	94.6	94.58	94.36	92.33
Average	93.74	93.712	93.824	93.472	93.21

. The overall performance has been analyzed based on a live random attack on the system. Because of security and confidentiality issues, we were not allowed to open the system and invite unknown attackers to attack the system. However, a realistic intrusion model has been created to study the performance of the system. In this model, the system has been observed for 24 h. During this time, multiple attacks were made randomly. We preserved an attack log to compare with the detected intrusion by the system.

The overall performance is illustrated in Figure 8. It has been observed that the proposed deep learning-based intrusion detection system is best at detecting Opportunistic Service Attacks (OSA). However, it does not indicate that the system is not good at detecting other intrusions. The average accuracy for all intrusion detection is 93.74%, precision is 93.172%, recall is 93.824%, and the F1-score is 93.472%. The intrusion detection rate has been observed for each type of attack. The average IDS is 93.11% which assures protection against most experimenting attacks.

The average accuracy, precision, recall, and F1-score show the marginal difference, illustrated in Figure 9. The average value range of the evaluation metrics is between 93% to 94%, marked in yellow color. That means the proposed intrusion detection system is accurate, stable, and suitable for practical application to secure IoT networks by automatically detecting intrusions.

5. Limitation & Future Scope

The proposed Deep Learning-based Intrusion Detection (DID) system demonstrates outstanding experimental results and analysis performance. The experimental results support the claim that it is both an effective and practical solution to automatically detect intrusion in IoT networks. However, like any computing system, the proposed intrusion detection system has some weaknesses. These limitations have been highlighted in this section. These limitations pave the path to conducting more research in the future and further developing the proposed system.

5.1. Intrusion Model Limitation

The proposed system is effective only for the intrusion model presented in this paper. There are five types of intrusions in the model. These are the most frequently occurring intrusions. However, many other intrusions still need to be addressed in this paper. This is one of the limitations and also an opportunity for further experimentation. The proposed deep neural network can be trained for other attacks. In our future research, we will explore more attacks and publish an analysis based on the findings.

5.2. Absence of Comparison

The innovative deep learning-based intrusion detection system proposed in this paper and the context of performance analysis need to have inclusive commonalities with the literature explored by the author of this paper. The proposed approach is yet to be compared with other published methodologies. A numeric comparison of the performance of one method with others requires some common grounds. That is why no numeric performance comparison has been presented in this paper. This limitation of this research leads to an opportunity to discover common ground among different intrusion detection systems and compare their performance.

5.3. System Dependent Dataset

The intrusion detection system proposed in this paper has been trained with the dataset produced by the experimenting system. Every new deployment of the DID system requires retraining the model with the dataset exclusive to that particular system. Although the DID system protocol is independent and is deployable in any network, it requires re-training for every new IoT network. It is a significant limitation of the proposed intrusion detection system. However, this limitation opens a future scope of research. The development of a massive dataset from different IoT networks followed by proper feature engineering has the potential to be the solution to this limitation.

The limitations of the proposed deep learning-based intrusion detection system open the door to further research. This research may overcome the limitations and further strengthen the system and ensure better security for IoT networks.

6. Conclusions

We are experiencing a new paradigm shift in communication technology where devices communicate among themselves. The projection of 30.9 billion active Inter of Things (IoT) devices by 2025 clearly indicates this new paradigm. This 55% growth in the IoT industry draws the attention of business people, entrepreneurs, and cybercriminals. Because of a resource-constrained computing environment, manufacturers pay attention to developing IoT devices with maximum service quality and little attention to security. However, attacks on IoT is not an attack on isolated devices; it is a doorway to intruding on many other connected services. This is why cybercriminals find it attractive and beneficial to attack IoT devices and which is why it is essential to detect intrusion on IoT networks right after an attempt. IoT network consists of thousands of IoT nodes transmitting and receiving massive voluminous data, making detecting the intrusion complicated. The innovative deep learning-based intrusion detection system presented in this paper identifies the most common and frequently attempted attacks on IoT networks with an average accuracy of 93.74%. Deep Neural Networks (DNNs) are dependent on datasets. A deep learning-based intrusion detection system trained for a particular network performs well for that network only because of the heterogeneous nature of different IoT networks. The innovative approach of this paper solves this complication by collecting the dataset from the experimenting network. This innovative approach is a game changer that makes the proposed system a robust and scalable intrusion detection system that can learn from any IoT network and detect intrusion automatically. In the future, the scope of developing a platform-independent framework from the deep learning-based intrusion detection system for IoT networks will be explored. It is expected that a lightweight version of the proposed framework will be more efficient and effective in intrusion detection.