TY - GEN
T1 - Demise
T2 - 14th International Conference on Availability, Reliability and Security, ARES 2019
AU - Parker, Luke R.
AU - Yoo, Paul D.
AU - Asyhari, Taufiq A.
AU - Chermak, Lounis
AU - Jhi, Yoonchan
AU - Taha, Kamal
N1 - Funding Information:
We are grateful to the Laboratory of Information and Communication Systems Security at George Mason University in the U.S. for providing us with a copy of the AWID dataset as well as their invaluable discussions; and special thanks to Samsung SDS for their constructive criticism and financial support on this work.
Publisher Copyright:
© 2019 Association for Computing Machinery. All rights reserved.
PY - 2019/8/26
Y1 - 2019/8/26
N2 - Recent studies have proposed that traditional security technology – involving pattern-matching algorithms that check predefined pattern sets of intrusion signatures – should be replaced with sophisticated adaptive approaches that combine machine learning and behavioural analytics. However, machine learning is performance driven, and the high computational cost is incompatible with the limited computing power, memory capacity and energy resources of portable IoT-enabled devices. The convoluted nature of deep-structured machine learning means that such models also lack transparency and interpretability. The knowledge obtained by interpretable learners is critical in security software design. We therefore propose two novel models featuring a common Deep Extraction and Mutual Information Selection (DEMISe) element which extracts features using a deep-structured stacked autoencoder, prior to feature selection based on the amount of mutual information (MI) shared between each feature and the class label. An entropy-based tree wrapper is used to optimise the feature subsets identified by the DEMISe element, yielding the DEMISe with Tree Evaluation and Regression Detection (DETEReD) model. This affords ‘white box’ insight, and achieves a time to build of 603 seconds, a 99.07% detection rate, and 98.04% model accuracy. When tested against AWID, the best-referenced intrusion detection dataset, the new models achieved a test error comparable to or better than state-of-the-art machine-learning models, with a lower computational cost and higher levels of transparency and interpretability.
KW - Deep learning
KW - Feature engineering
KW - IoT
KW - Lightweight intrusion detection
KW - Mutual information
KW - Security mobility applications
KW - Security of resource constrained devices
KW - White-box modelling
UR - https://www.scopus.com/pages/publications/85071726306
U2 - 10.1145/3339252.3340497
DO - 10.1145/3339252.3340497
M3 - Conference contribution
AN - SCOPUS:85071726306
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019
Y2 - 26 August 2019 through 29 August 2019
ER -