Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach

Internet of Things (IoT) is a novel paradigm in computer networks in which resource-constrained objects connect to unreliable Internet by using a wide range of technologies. The insecure nature of the Internet and wireless sensor networks, that are the main components of IoT, make IoT vulnerable to different attacks, especially routing attacks (as insider attacks). A novel real-time hybrid intrusion detection framework is proposed in this study that consists of anomaly-based and specification-based intrusion detection modules for detecting two well-known routing attacks in IoT called sinkhole and selective-forwarding attacks. For this purpose, the specification-based intrusion detection agents, that are located in the router nodes, analyze the behavior of their host nodes and send their local results to the root node through normal data packets. In addition, an anomaly-based intrusion detection agent, that is located in the root node, employs the unsupervised optimum-path forest algorithm for projecting clustering models by using incoming data packets. This agent, which is based on the MapReduce architecture, can work in a distributed platform for projecting clustering models and consequently parallel detecting of anomalies as a global detection approach. The proposed method makes decision about suspicious behavior by using a voting mechanism. Notably, the proposed method is also extended to detect wormhole attack. The deployment of the hybrid proposed model is investigated in a smart-city scenario by an existing platform, as well. The free network's scale and the ability to identify malicious nodes are two key features of the proposed framework that are evaluated through different experiments in this study. The experimental results of simulated scenarios showed that the proposed hybrid method can achieve true positive rate of 76.19% and false positive rate of 5.92% when both sinkhole and selective-forwarding attacks were launched simultaneously. These rates in detecting wormhole attack are 96.02% and 2.08%, respectively.