Abstract
With the deployment of a vast number of Internet of Things devices across diverse applications, new security vulnerabilities have emerged. Since Internet of Things devices often have significantly limited resources, the intrusion detection system for Internet of Things networks should be efficiently designed with minimum power consumption. As feature selection is a widely used method to reduce the complexity of network traffic data by eliminating unnecessary or redundant features, a framework for attack-specific feature analysis based on feature selection is proposed to design intrusion detection systems in Internet of Things networks efficiently. The proposed framework identifies the important features relevant to specific attack types, especially in class-imbalanced Internet of Things datasets, whereas the traditional feature analysis framework for the intrusion detection system applies feature selection approaches to entire datasets regardless of attack types. Furthermore, attack-specific intrusion detection systems are built using only a few important features selected by feature analysis. A comprehensive analysis using NetFlow Internet of Things datasets, NF-BoT-IoT-v2 and NF-ToN-IoT-v2, is conducted in the experiments with six filter-based feature selection algorithms and two unsupervised learning-based intrusion detection systems. The experimental results show the performance enhancement of attack-specific intrusion detection systems, thus confirming the effectiveness of the proposed framework. The proposed framework improves detection accuracy for all attack types by an average of 38.36% when using Isolation Forest and an average of 2.84% when using an autoencoder.
| Original language | English |
|---|---|
| Article number | 104536 |
| Journal | Computers and Security |
| Volume | 157 |
| State | Published - Oct 2025 |
Bibliographical note
Publisher Copyright: © 2025 Elsevier Ltd
Keywords
- Attack-specific
- Feature analysis
- Feature selection
- Intrusion detection system
- NetFlow IoT dataset
- Network anomaly detection