Edge Intelligence For Network Intrusion Prevention in IoT Ecosystem


Abstract

The Internet of Things (IoT) platform allows physical devices to connect directly to the internet and upload data continuously. Insecure access makes IoT platforms vulnerable to different network intrusion attacks. As a result, the Intrusion Detection System (IDS) is a core component of a modern IoT platform. However, a traditional IDS often follows rule-based detection, where the rules can be changed and exposed to the attacker and become weak over time. An efficient IDS also needs to be dynamic and effective in real time. This paper proposes a deep learning-based algorithm to protect the network against Distributed Denial-of-Service (DDoS) attacks, insecure data flow, and similar network intrusions. A system architecture is designed for a cloud-based IoT framework to implement the proposed algorithm efficiently. The performance evaluation using standard datasets demonstrates that the proposed model provides an accuracy of up to 99.99%.

Keywords: Internet of Things (IoT), IoT Applications, Security, Attacks, Privacy, Machine Learning, Deep Learning.

1. Introduction

The Internet of Things (IoT) is rapidly emerging in automobiles, banking and finance, health, energy, retail, home appliances, and other sectors. That is why the impact of IoT on the social, economic, and commercial aspects of our society is significant. IoT applications access data, networks, and machines in a unique way. As a result, the traditional security mechanisms for data and networks must be strengthened to ensure security and privacy for IoT applications. The unique characteristics of the heterogeneous bulk of massive data, network architecture, connected nodes, and dynamic network behaviour make the IoT ecosystem vulnerable to cyber-attacks that compromise security and privacy [1, 2]. The connected components of any IoT platform are massive in number, sophisticated in design, and change dynamically in real time, with vast data generation and communication over network connectivity. In addition to physical entities, devices, data, and networks, many applications and services run on the platform. These applications and services communicate with each other and with data storage over very complex network connections.

Preprint submitted to Computers and Electrical Engineering April 5, 2023

Artificial Intelligence (AI) analytics are continuously used for data analysis, application requirements, and data visualization for further performance improvement. Because developing an inter-platform security framework is very challenging due to the unique characteristics (described in Section 2), most platforms use discrete security models for different vulnerabilities. In addition, Edge Intelligence (EI) and Edge Artificial Intelligence (EdgeAI) have significant potential for network vulnerability detection and for building intelligent protection systems against those vulnerabilities. In this paper, we have explored the strength of EI for network intrusion prevention. Fig 1 describes an abstract view of edge intelligence computing. In a traditional cloud environment, the Intrusion Detection System (IDS) and Intrusion Protection System (IPS) are built on the top cloud layer shown in Fig 1, with several control settings in the virtual network layer. However, EI can develop intelligent IDS and IPS on edge layers to protect others.

In this work, we use EI to extract insight from local data to build up local protection at each edge location, and finally combine those insights to build a globally secured system. An efficient and robust system architecture is proposed that leverages the edge computing layer to run and train a hybrid deep learning network for intrusion detection. The contributions of the proposed work are as follows.

1. A distributed and intelligent IDS and IPS system architecture has been developed for a cloud-based IoT platform with different IDS and IPS components.

2. A learning-based algorithm has been introduced for hybrid Deep Neural Network (DNN)-based intrusion detection.

3. We have proposed a method for distributed DNN training where each model is trained locally and used to update the global deep learning model.

4. A simulation system is used to evaluate and compare the proposed system's performance, which depicts the system's efficiency.

Figure 1: Illustration of edge intelligence (EI) computing

The rest of this paper is organized as follows. In Section 2, various IoT ecosystem components and characteristics are described. The potential threat model for IoT is discussed in Section 3. The pros and cons of recently developed approaches are described in Section 4. In Section 5, the network intrusion prevention algorithm using deep learning is described. The proposed system architecture and method are described in Section 6. Section 7 shows the results of the experiments with graphical and tabular representations. The conclusion of our work is delineated in Section 8.

2. Problem Domain

The IoT ecosystem consists of different components, as shown in Fig ??, which represents the reference architecture provided by IBM. Fig ?? also describes the fundamental blocks of modern IoT ecosystems. Each ecosystem component is described in section ?? in detail.

The main components of a typical IoT platform ecosystem are (i) device, (ii) user, (iii) connectivity nodes, (iv) API, (v) application run-time, (vi) application management node, (vii) edge node, (viii) data collection node and (ix) data monitoring node. Each of the components is vulnerable to different security attacks. There can also be several extended variable components in an IoT platform due to integration with other emerging technologies, such as (i) Artificial Intelligence Analytics, (ii) Blockchain Platform, (iii) Edge computing and others.

In addition to this variable number of components, the IoT ecosystem is heterogeneous, and it is impossible to define the security model for each IoT platform. Most IoT platforms are deployed in a broader network consisting of numerous network connectivity nodes, devices, physical entities, users, and the other components mentioned above. Also, the IoT ecosystem is unpredictable and often changes dynamically over time. Most of these challenges are complex, and the solution needs a framework that combines several models. One of the major security challenges for the IoT ecosystem is DDoS or network intrusion. This paper presents a novel machine learning-based DDoS intrusion attack prevention mechanism for the IoT ecosystem. DDoS protection needs a distributed IDS equipped with Edge Intelligence (EI) at each edge location to develop better protection. Insight from local data at each edge location can unleash the full potential of EI and help in better decision-making for the primary IDS and IPS. In our proposed system, each IDS and IPS is autonomous in deciding on its local protection. At the same time, they contribute to global decision-making, especially for IoT platforms, where communication and relevant activities are quick, short and event-triggered. The proposed system can make high-quality decisions through knowledge sharing among edge locations and the global IDS or IPS. This also helps to overcome the challenges imposed by uncertain and dynamic IoT devices.

3. Potential Threat Model for IoT Ecosystem

This massive data analysis in any IoT platform needs abundant computing power and resources. With this increasing demand for real-time insight and substantial computing resources, the decentralization of the edge computing layer has become an essential component of the IoT ecosystem [3].

In an intelligent IoT ecosystem, it is essential to understand the threat model for any platform. Fig 2 shows the threat model for an Intelligent IoT ecosystem. For example, a healthcare IoT platform continuously collects sensor data regarding activity, patterns, socialization, speed, mood, vitals, and molecular biomarkers from different medical devices as signals. These data are processed to generate a medical replica for each patient. Each replica contains sensitive health information. Fig 2 shows the threat surface for an IoT healthcare system.

The threat surface for an IoT healthcare system has multiple members:

A01 (IoT Information): Different analytic services and devices continuously compute and generate intelligence and sensitive data through training, observation and monitoring for better performance and optimization.

A02 (User PII): Personally Identifiable Information (PII) in a cognitive IoT system can be sensitive, requiring specific security and regulatory compliance.

A03 (User Credentials): Several physical entities with sensitive data are registered and connected to IoT healthcare platforms. Therefore, IoT platforms are very popular among hackers for collecting user credentials and PII.

A04 (Device Information): Devices usually communicate with physical entities over industrial operational technology (OT) protocols and HTTP. Moreover, devices are owned and managed by a third party. These scenarios make them highly vulnerable to network attacks.

A05 (Application and Service Credentials): It is essential to secure these credentials to protect IoT platforms against network intrusion attacks.

A06 (Physical Entity Data): Some physical entities are more sensitive than others. For example, a feat-beat transmitting a patient's heart rate requires more security than a sensor transmitting the temperature.

A07 (Process Management Data): Often the business logic of a system is interpreted as a process and usually deployed in the cloud. This is one of the most sensitive assets for IoT platforms, as any manipulation of the processed data can cause destructive damage to the system.

Figure 2: Threat Model for IoT Platform

In addition, there are A08 (Third Party Service Integration Data), A09 HMI (Human Machine Interaction) and A10 Sensor Data. The primary security controls for IoT platforms are authentication, password hashing, encrypted network communication protocols such as TLS, and Operational Technology (OT) protocols such as TCP/Modbus. The threat model shown in Fig. 2 also identifies potential threat actors. Some prominent threat actors are malicious users (TA01), malicious/compromised application code, services, the Human Machine Interaction Interface (HMI), sensors and isolated or connected edge nodes.

Table 1: Different ML algorithms for DDoS detection and prevention

| Author | Description | Evaluation |
|---|---|---|
| [6] | KNN-based attack classification is used here. | This method proposed a DDoS attack detection and mitigation with a software-defined IoT framework. Different threshold values are determined for different parameters for identifying the attackers and affected systems. |
| [7] | Semi-supervised deep extreme learning machine. This work uses a software-defined network with local and global controllers. Three-layer data capture, DDoS detection and DDoS mitigation leverage the ML model. | This security mechanism can prevent DDoS attacks in case wireless IoT generates attacks. |
| [8] | ANN-based IDS for IoT. | ANN-based IDS for IoT. Centralized computing architecture imposes limitations for distributed IoT platforms and different distributed components such as the blockchain platform of the IoT ecosystem. |
| [9] | LSTM and CNN-based IDS. | Hybrid neural network model, which works with higher efficiency. However, the training is supervised, and data needs to be processed before training. |

4. Related Works

A recent survey [4] identified that the main approaches for intrusion detection are Signature-based IDS [5], Anomaly-based, Specification-based and Hybrid. However, most models perform poorly in IoT platforms with heterogeneous components. Only the hybrid model performs better than any single approach. Therefore, the hybrid model has recently become more popular than the others. This paper proposes a hybrid deep-learning model for network intrusion detection and prevention.

The IoT platform is exceptionally vulnerable to intrusion attacks [6] due to its heterogeneity. Because of its massive network, heterogeneous resources, large-scale data and diverse connections, any IoT platform is vulnerable to DDoS attacks [7]. Leveraging machine learning algorithms for network intrusion detection in IoT platforms is a popular idea. Different hybrid models, such as Convolutional Neural Networks (CNN), KNN, Random Forest (RF), Naive Bayes (NB), Retention Time (RT), and Artificial Neural Networks (ANN), are used in different research works. Table 1 shows several deep learning-based mechanisms to prevent DDoS attacks on IoT platforms.

The existing methodologies shown in Table 1 use a combination of ML algorithms for DDoS detection and mitigation. In addition, feature-based classification machine learning algorithms [10, 11] are also used to classify different types of network intrusion. A typical intrusion detection system has sensors, an analysis engine and a reporting system [4]. Instead of using one analysis engine, the proposed model in [4] creates multiple analysis engines across different edge locations using a distributed placement mechanism. Also, a recent survey [12] states that host-based IDS suffers from challenges such as limited resources, delay in centralized reporting, lack of context knowledge, real-time notification, large scaling, alarm parallelization, and parallel computation. The edge location-based algorithms for IDS proposed in this paper can overcome these limitations. Therefore, this paper considers a profile-based approach for the proposed algorithm. Instead of the user and individual request, profiles are created for each edge location using Edge Intelligence (EI).

5. A Proposed Deep Learning Algorithm

The network intrusion prevention algorithm described in Algorithm 1 has two separate phases. First, the networkIntrusionDetection() method uses edge intelligence to train the local deep learning model (M) at each edge location. Each local model is trained locally and used to update the global deep learning model (GM). Each local model (M) can detect network intrusion events. The second phase is to trigger the necessary events to prevent such network intrusion. Algorithm 2 describes the training mechanism for each local model.

Algorithm 1 Network Intrusion Prevention using Deep learning-based Edge Intelligence

procedure networkIntrusionDetection
    trainingLocalModel()
    globallyOptimization()
    eventDetection()
procedure networkIntrusionPrevention
    detectAttack()
    detectVulnarablePoint()
    blockVulnarablePoint()
    notifyOthers()

Algorithm 2 Training local model

Di ← local data storage that collects data from SCADA regarding device, network communication, activity, data transmission pattern and network protocols
Mdi ← local deep learning model to generate the device profile for each device
Mpi ← local deep learning model to generate the profile for edge location li
Pdv ← initialize the set of profiles for all devices at li
P(li) ← profile generated for li by Epi
for each device (dvj) at location li do
    P(dvj, li) ← profile generated for device dvj by Dpi model after training locally at li using the data stored at Di
    Pdv ← update(P(dvj, li))
Mi ← update(Pdv, P(li))
Pi ← Profile for li ← combine(Pdv, P(li))
GM ← update(Mi)

For any public cloud instance C, there are n edge locations, as shown in Eq (1). Fig. 3 shows the global deep learning model (GM) deployed on the IoT platform in the cloud.

L = {L1, L2, ..., Ln}    (1)

Mi = {Mdi, Mpi}    (2)

The next method in Algorithm 1 is global optimization, which optimizes all M using the GM, as shown in Algorithm 3. The local model (M) is repeated at each edge location Li to learn the profile of the corresponding edge location. Training the local models generates a set of trained parameters and weights. The optimizer in the IoT platform uses these trained parameters to optimize the global model (GM). The cost function used by the optimizer (GM) function in Algorithm 3 is shown in Eq. (3). Here, for m different edge locations, y(i) is the training dataset collected from edge location Li and ŷ(i) is the predicted value for y(i) using the trained parameter from edge location Li. The cost value J(θ) allows the trained parameters of the different edge locations to be ranked and, finally, the global model (GM) to be optimized.

$$J(\theta) = -\frac{1}{m} \sum_{i=1}^{m} \left[ y^{(i)} \log \hat{y}^{(i)} + \left(1 - y^{(i)}\right) \log\left(1 - \hat{y}^{(i)}\right) \right] \qquad (3)$$

Algorithm 3 Global online optimization of local model

for each edge location Li ∈ L do
    Mi ← optimize(GM)
    Mdi ← update(Mi)
    Mpi ← update(Mi)
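
The following added example (not code from the paper) shows how the cost in Eq. (3) can rank the parameters uploaded by edge locations before the GM is updated and pushed back as in Algorithm 3. It assumes a logistic unit in place of the deep model, a shared validation set of constructed flows, an inverse-cost weighted average as the GM update, and a "take GM only if it scores lower" rule for Algorithm 3; all function names and values are hypothetical.

```python
import math

EPS = 1e-12  # keeps log() finite when a prediction saturates at 0 or 1

# Constructed validation flows: ([packet_rate, distinct_sources], label), both
# features scaled to 0..1; label 1 = DDoS flow, 0 = benign flow.
VALIDATION = [
    ([0.9, 0.8], 1), ([0.8, 0.9], 1), ([0.7, 0.6], 1),
    ([0.1, 0.2], 0), ([0.2, 0.1], 0), ([0.3, 0.2], 0),
]

# Constructed trained parameters [bias, w1, w2] uploaded by three edge locations.
# L3 stands for a badly trained or tampered model: its weights are inverted.
LOCAL_THETAS = {
    "L1": [-4.0, 4.0, 4.0],
    "L2": [-3.0, 3.0, 3.5],
    "L3": [2.0, -3.0, -3.0],
}


def predict(theta, x):
    """y_hat for one flow; a logistic unit is assumed in place of the deep model."""
    z = theta[0] + sum(w * v for w, v in zip(theta[1:], x))
    return 1.0 / (1.0 + math.exp(-z))


def cost(theta, samples):
    """Eq. (3): J = -(1/m) * sum(y*log(y_hat) + (1-y)*log(1-y_hat))."""
    total = 0.0
    for x, y in samples:
        y_hat = min(max(predict(theta, x), EPS), 1.0 - EPS)
        total += y * math.log(y_hat) + (1 - y) * math.log(1.0 - y_hat)
    return -total / len(samples)


def rank_edge_parameters(local_thetas, samples):
    """Rank the uploaded parameters by J, lowest cost (best) first."""
    scored = [(loc, cost(theta, samples)) for loc, theta in local_thetas.items()]
    return sorted(scored, key=lambda item: item[1])


def update_global_model(local_thetas, ranking):
    """Assumed GM update: average of local parameters weighted by 1/J."""
    weights = {loc: 1.0 / (j + EPS) for loc, j in ranking}
    norm = sum(weights.values())
    size = len(next(iter(local_thetas.values())))
    return [
        sum(weights[loc] * local_thetas[loc][k] for loc in local_thetas) / norm
        for k in range(size)
    ]


def optimize_local_models(local_thetas, gm, samples):
    """Algorithm 3 sketch: Mi takes GM's parameters when GM has the lower J."""
    gm_cost = cost(gm, samples)
    return {
        loc: list(gm) if gm_cost < cost(theta, samples) else list(theta)
        for loc, theta in local_thetas.items()
    }


if __name__ == "__main__":
    ranking = rank_edge_parameters(LOCAL_THETAS, VALIDATION)
    gm = update_global_model(LOCAL_THETAS, ranking)
    for loc, j in ranking:
        print(f"{loc}: J = {j:.4f}")
    print("GM:", [round(p, 3) for p in gm], "J =", round(cost(gm, VALIDATION), 4))
    print(optimize_local_models(LOCAL_THETAS, gm, VALIDATION))
```

Because L3's parameters score a much higher J, they receive a small weight in the GM, which is the practical value of ranking uploads by cost when an edge node may be poorly trained or compromised.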

After training, M is ready for network intrusion detection. It generates a regular pattern-based profile (P) for Li, profiling the network communication, data transmission, most regular protocols, and other network activity. M can also detect any anomaly in the regular profile (P). When an anomaly is detected and classified as a network intrusion event (NIi), edge service Ei triggers a predefined preventive action event. For example, if a DDoS is identified at edge location L1, the corresponding edge service E1 will block the identified device responsible for the attack.

6. Proposed System Architecture and Method

In this paper, a network intrusion prevention algorithm has been proposed and described in Algorithm 1. The fundamental concept of the algorithm is that the combination of robust system infrastructure and software-defined, artificial intelligence-enabled edge services deployed among edge locations can improve the governance of the overall threat model of the ecosystem. This section describes the proposed system architecture and the machine learning neural network model.

6.1. System Architecture

The proposed system is cloud-based and has two components, (i) Intrusion Detection System (IDS) and (ii) Intrusion Prevention System (IPS) for the IoT platform.

The core platform has different components for both IDS and IPS. The global deep learning model (GM) is used for online training and performance optimization. The IPS leverages the proposed system's global risk and governance management module (GRM), which provides services for notification, reporting and information, and a threat or attack assessment. In addition, the proposed hybrid machine learning algorithm for IDS is deployed on each edge location as an artificial intelligence-based edge service. For example, different edge services, E1, E2, and E3, are deployed in three different edge locations, L1, L2 and L3, respectively, as shown in Fig. 3. Edge services share data among local data storage by periodically updating the data in global data storage. Edge services also collect low-level data from the corresponding SCADA. Once the data are collected and stored in the local storage, they are processed and cleaned to be ready for the proposed algorithm. Data are also ranked by adding pre-defined weights to get a suitable ground truth for the proposed machine learning model. The ground truth is periodically sent to global data storage to share with other edge locations. Local data storage is refreshed periodically with data from global data storage. This bi-directional data flow between local edge data storage and central global data storage improves the quality of the ground truth and of the machine learning algorithm.

Figure 3: Artificial Edge Service System architecture for DDoS attack and other network intrusion prevention

A cloud-based deep learning algorithm deployed in the IoT platform learns the data from global data storage to classify similar edge locations. When a new edge location is added to the ecosystem, this deep learning algorithm can learn the behaviour of the new edge location based on its information regarding different behaviour and KPI and classify the new location with a similar edge location. Groups of similar edge locations facilitate the dynamic selection of the suitable communication and network topology, KPI threshold and other parameters for the new edge location.

Table 2: DEVICE PROFILE LEARNED BY DEEP LEARNING MODEL

| # | Attribute | Description |
|---|---|---|
| 1 | id | Globally unique id of the edge location |
| 2 | avg tr data volumn | Average transmitted data volume |
| 3 | avg cl data volumn | Average collected data volume |
| 4 | friends(f) | The set of devices that are communicated with most frequently |
| 5 | peak hour | The peak hour for data transmission |

6.2. Deep learning models

Deep learning models can be trained in three different patterns: (i) centralized, (ii) decentralized and (iii) hybrid. This work uses a hybrid training method for the proposed deep learning models. Each edge location contains a set of deep learning models, as shown in Eq (2). This section describes the training of all deep learning models for the proposed algorithm.

6.2.1. Deep learning model for device profile generation

For example, the edge location L1 has a DNN-based model M1 consisting of two cascaded deep learning models (Md1 and Mp1). M1 trains itself on the data from local data storage D1 at the edge location L1. M1 learns the profile of different devices of the IoT platform and creates a profile for the edge location L1. The device profile can be described as the schema in Table 2.

Some parameters from the edge location are stored as time series. As RNN is more suitable for time series than DNN, a hybrid neural network model (CNN-LSTM) is chosen to process the sequential data in the first phase and classify them into similar groups. An LSTM model is chosen for sequential data processing, and the CNN model is used for classification in this proposed model. Fig 4 shows the basic architecture of the proposed model.

Figure 4: Artificial Edge Service System architecture for DDoS attack and other network intrusion prevention

6.2.2. Deep learning model for edge profile classification

Once the devices are grouped, the next step is to understand the behavioural insight of the physical entities, devices, IoT gateway, data flow, network communication, and control mechanism provided by SCADA for each edge location. We followed a three-step learning algorithm similar to [13] for this. Firstly, the machine learning models (Mdi, Mpi) are trained with the local data to recognize the behavioural patterns of the edge locations. This training can be similar to the offline training described in [13]. Each local model evaluates itself using local data and periodical synchronization with global data storage. At this stage, the primary goal is to learn the pattern of communication topology for each edge location. The corresponding deep learning model M in the edge location learns the communication topology to learn the overall network communication pattern of the edge location. M also learns essential KPIs such as Communication cost, Average data volume, Peak hour, Average traffic duration, Mostly talked peer devices, and Latency. To improve the performance, the KPIs are combined and normalised as V, which can be any value between 0 and 1. Once the standard KPI for the network communication topology of the edge location is locally learned, ground truth is established and shared with the GM. Table 3 shows the type of edge location based on the KPI used in this work.

The profile for each edge location can be described as in Table 4.


Table 3: FIVE DIFFERENT TYPES OF EDGE LOCATION CLASSIFIED BY THE PROPOSED DEEP LEARNING ALGORITHM

| # | Class | Value of V |
|---|---|---|
| 1 | A | ≥ 0 and < 0.2 |
| 2 | B | ≥ 0.2 and < 0.4 |
| 3 | C | ≥ 0.4 and < 0.6 |
| 4 | D | ≥ 0.6 and < 0.8 |
| 5 | E | ≥ 0.8 and < 1.0 |

Table 4: DEVICE PROFILE LEARNED BY DEEP LEARNING MODEL

| # | Attribute | Description |
|---|---|---|
| 1 | id | Globally unique id of the edge location |
| 2 | daily data flow | |
| 2.1 | peak hour | The peak hour for data transmission |
| 2.2 | protocols | List of mostly used protocols in different network communication |
| 3 | Communication topologies | A list of communications that happen in the corresponding edge location |
| 3.1 | id | Globally unique id for communication |
| 3.2 | source device | An array of source device(s) |
| 3.3 | target device | An array of target device(s) |
| 3.4 | avg data volumn | Average data volume |
| 3.5 | type | Type of the connection |
| 3.6 | protocols | List of used protocols in the end-to-end communication |
| 3.7 | nework components | An array of used or visited network components, e.g. firewall, VPN etc. |
| 3.8 | timestamp | Start time and end time |
| 3.9 | total consumption cost | Unit cost * time duration of the communication |
| 4 | KPI score (V) | A learned metric for the corresponding edge location |
| 5 | Friendset (F = f1, f2, ..., fn) | A learned list that contains the set of devices that communicated most frequently |

Each communication topology is continuous-time data with multiple variables. For processing this multivariate continuous-time data, we have chosen an ordinary differential equation-based GRU-D neural network [14] model (Ep) to learn each edge location's profile. Fig ?? shows the ordinary differential-based neural network to generate the optimized profile for each edge location.

Secondly, the GM trains itself to optimize the local models and updates the corresponding ground truth profile for all edge locations. GM also classifies edge profiles, Pi ∈ P, where P = {P1, P2, ..., Pn}, for the corresponding edge location, Lj ∈ L, where L = {L1, L2, ..., Ln}. As shown in Fig. 6, the GM classifies all edge profiles into five different classes, as shown in Table 3.

6.2.3. Deep learning model and edge service for DDoS attack prevention

Figure 5: Global training for model and ground truth optimization for edge profile generation

Figure 6: Global training for model and ground truth optimization for edge profile generation

Figure 7: Global optimization for local models

At this point, each device in each edge location has a corresponding profile indicating the ordinary and usual behaviour and different KPI measurements. This information helps to understand the standard amount of data captured and transmitted by each physical entity under each device of the IoT ecosystem. On the second layer, each edge location also has its local ground truth, indicating the standard network communication topology. We finally need a machine learning model for anomaly detection to identify potential DDoS attacks. If the proposed model identifies an abnormal amount of data for any device from a particular edge location, an alert will be generated by the edge intelligence services. On receiving the alert, the edge service communicates with the corresponding authorized service or component to report massive abnormal data transmission by the marked devices as a potential DDoS attack. During this communication phase, the edge service triggers a preventive event, such as blocking the data transmission from the marked device and keeping the device's status suspended. Preventive events are predefined as a script.
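
The detection and prevention flow described above, as an added example that is not code from the paper: a per-device profile with Table 2 style attributes is learned from baseline flows, and an edge service blocks and suspends a device whose transmitted volume is abnormal. A statistical threshold is assumed in place of the deep learning model, and the device names, flows and class and field names are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flows seen at edge location L1: (device, peer, hour, bytes sent).
BASELINE = [
    ("cam-01", "gw-01", 10, 1200), ("cam-01", "gw-01", 10, 1100),
    ("cam-01", "nvr-01", 10, 1300), ("cam-01", "gw-01", 11, 1250),
    ("cam-01", "gw-01", 10, 1150),
    ("thermo-07", "gw-01", 14, 200), ("thermo-07", "gw-01", 14, 210),
    ("thermo-07", "gw-01", 15, 190), ("thermo-07", "gw-01", 14, 200),
]
LIVE = [
    ("cam-01", "gw-01", 10, 1280),
    ("thermo-07", "gw-01", 14, 205),
    ("thermo-07", "203.0.113.9", 3, 98000),  # burst far above the profile
    ("thermo-07", "gw-01", 14, 200),         # arrives after the block
    ("lock-02", "gw-01", 8, 300),            # device with no learned profile
]


def build_profiles(flows):
    """Learn a Table 2 style profile per device from baseline flows."""
    rows = defaultdict(list)
    for device, peer, hour, size in flows:
        rows[device].append((peer, hour, size))
    profiles = {}
    for device, seen in rows.items():
        sizes = [size for _, _, size in seen]
        profiles[device] = {
            "id": device,
            "avg_tr_data_volume": mean(sizes),
            "std": pstdev(sizes),
            "friends": {peer for peer, _, _ in seen},
            "peak_hour": Counter(h for _, h, _ in seen).most_common(1)[0][0],
        }
    return profiles


class EdgeService:
    """Edge service Ei: scores each flow against the profile and acts on it."""

    def __init__(self, profiles, k=3.0, min_spread=0.1):
        self.profiles = profiles
        self.k = k                    # allowed deviation, in spreads
        self.min_spread = min_spread  # spread floor as a fraction of the mean
        self.suspended = set()
        self.notifications = []       # what would be reported to the GRM

    def limit(self, profile):
        avg = profile["avg_tr_data_volume"]
        return avg + self.k * max(profile["std"], self.min_spread * avg)

    def process(self, flow):
        device, peer, hour, size = flow
        if device in self.suspended:
            return "drop"                      # preventive event already active
        profile = self.profiles.get(device)
        if profile is None:
            self.notifications.append({"device": device, "event": "unprofiled"})
            return "unprofiled"                # report, but do not block blindly
        if size > self.limit(profile):
            self.suspended.add(device)         # block and keep status suspended
            self.notifications.append({
                "device": device, "event": "abnormal_volume", "bytes": size,
                "limit": round(self.limit(profile)),
                "new_peer": peer not in profile["friends"],
                "off_peak": hour != profile["peak_hour"],
            })
            return "block"
        return "forward"


def run(baseline, live):
    """Train profiles on the baseline, then return the decision per live flow."""
    service = EdgeService(build_profiles(baseline))
    return [service.process(flow) for flow in live], service


if __name__ == "__main__":
    decisions, service = run(BASELINE, LIVE)
    print(decisions)
    print(service.notifications)
```

The spread floor keeps a very regular device, such as the thermostat here, from being blocked for a deviation of a few bytes.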

As mentioned, network intrusion prevention, such as DDoS prevention, is executed using edge intelligence, as shown in Fig. 7. Three different deep learning models are used for profile identification, classification of profiles and network intrusion detection for the individual edge location. Global multivariate deep learning models are used to rank different edge location profiles. Later, these profiles are used as knowledge for network intrusion prevention mechanisms. In addition, the GM also categorizes different edge locations based on their vulnerabilities to malicious attacks. This helps to identify secured edge locations for data processing. Global and local models are deployed in cloud-based IoT platforms. Governance, network activity monitoring, and risk management for the network and IoT ecosystem are managed through multiple edge services deployed among edge locations.

7. Result Evaluation and Comparative Analysis

In this section, we describe the experimental environment, the properties of the dataset used for the experiment, and a simulation environment consisting of a cloud IoT framework, virtual machine, and laptop. Later, the proposed algorithm is evaluated, and the results are compared with other related works.

Table 5: SETTINGS FOR SIMULATED EDGE LOCATION

| Settings | Ubuntu (L1) | Apple (L2) | Windows (L3) |
|---|---|---|---|
| OS | Ubuntu 16.04.6 LTS | Catalina (10.15.6) | 10 Professional |
| Location | US | Dublin | Frankfurt |
| Type | Virtual Machine | Laptop | Virtual Machine |
| Size | 4 Core, 16GB | 2 Core, 8GB | 8 Core, 32GB |

Table 6: DATASET SHAPE FOR TRAINING AND TESTING

| Dataset | Shape |
|---|---|
| Train | (24203, 88) |
| Test | (11922, 88) |
| Train L1 | (7321, 88) |
| Test L1 | (3606, 88) |
| Train L2 | (10892, 88) |
| Test L2 | (3951, 88) |
| Train L3 | (5990, 88) |
| Test L3 | (2951, 88) |

7.1. Experiment setup and dataset

The IoT platform [15] is deployed on the IBM cloud London availability zone. We have used three virtual machines to simulate the edge locations, as shown in Table 5.

We used IDS evaluation datasets [16] from the Canadian Institute of Cybersecurity. This dataset describes different kinds of DDoS attacks during the year 2019. We have split the dataset into training and test subsets. Each subset is divided into three sets for the three simulated edge locations, L1, L2, and L3, as shown in Table 5. Table 6 shows the shape of the different datasets.

The Train and Test datasets are used to train and test the global model in the IoT infrastructure. The communication topologies shown in Table 4 are generated from the dataset for each edge location. There are 88 parameters for each communication topology, as shown in Fig 8. Fig 9 shows the distribution of parameters.

Figure 8: Correlation Matrix for training among different parameters of single communication topology in edge location L1

7.2. Result Evaluation

Different machine learning algorithms, such as RNN (LSTM and GRU and their variations) and CNN, are used for network IDS and IDP. The proposed deep learning model uses a hybrid training mechanism. The key performance indicators (KPIs) for hybrid training are (i) training loss, (ii) convergence, (iii) privacy, (iv) communication cost, (v) latency and (vi) energy efficiency. In this section, the proposed model is evaluated against all six KPIs.

Figure 9: Dataset parameters distribution for Global Training dataset

7.2.1. Training Loss

Figure 11 shows the detection of DDoS attack ground truth generated by M for edge location L1 for different parameters. Similarly, ground truths and edge profiles are generated for locations L2 and L3. For the feature classification in the case of device profile generation for different edge locations, the proposed algorithm demonstrates faster training time and better accuracy than existing algorithms [4, 17]. Fig 10 shows the comparative loss for the proposed GM model against UIDS [4] and Passban [17].

The proposed model generates a profile, similar to Fig. 11, for each edge location based on the real-time communication topology, showing that particular source IPs, destination IPs, ports, or protocols are more vulnerable than others. These profiles improve the performance of the models for intrusion detection.

Once the local models are trained in locations L1, L2, and L3, the trained parameters are uploaded to the IoT platform to optimize the GM. We used the Adam Optimizer [18] to optimize the output of the GM. Using the trained parameters, we get 98% accuracy after only 435 iterations.

Figure 10: Comparative loss analysis for 450 iterations

Figure 11: DDoS attack detection at edge location L1 by local model after 1000 iterations

At this point, the GM can identify the vulnerable source IP, destination IP, port, and protocols for different edge locations. The cost function used by the optimizer is described in Eq (3). For intrusion detection, the proposed model is evaluated against existing feature-based algorithms [10, 17, 16]. Table 7 compares different models for the dataset [16] with the proposed model.

Table 7: COMPARATIVE ANALYSIS OF TRAINING LOSS FOR IDENTIFICATION

Algorithm             Precision (%) per iteration
                      1000    2000    3000    4000    5000
ID3                   78.01   78.92   80.10   81.00   82.16
Random Forest         70.25   70.84   70.91   71.07   73.27
Naive Bayes           40.10   41.21   42.16   43.71   45.01
Logistic Regression   25.00   27.04   29.12   31.02   33.05
FlowGuard [9]         96.17   97.82   97.92   98.48   98.90
Proposed Model        99.92   99.98   99.99   99.99   99.99

Figure 12: Comparative training accuracy between FlowGuard [9] and Proposed Model

In [9], the identification accuracy of the proposed LSTM is as high as 98.9%, and the classification accuracy with the CNN model is up to 99.9%, for 5000 iterations. Compared to other existing models, our proposed model achieves the same level of accuracy faster. The training and testing times are significantly lower for the proposed model. Fig. 12 shows that the proposed model achieves the highest accuracy, 99%, in less time than FlowGuard [9].

The proposed work differs from existing deep learning-based network intrusion detection algorithms by introducing EI for training. The distributed training mechanism of the proposed models reduces the training time significantly. The proposed model provides an efficient alternative to signature-based and feature-based network models for the IoT ecosystem. Another contribution of this approach is that, along with real-time network intrusion detection, it dynamically generates a profile for each edge location. These profiles can contribute to developing intrusion prevention systems. In addition, profile analysis provides knowledge regarding attack type, process and severity.


7.2.2. Privacy

Unlike traditional IDS and IPS [9, 5], training is performed locally on local data, and only the intelligence or maturity captured in the trained model is shared among other edge locations. Hence, the actual data are not shared among different edge locations. Moreover, less data communication ensures data privacy at the edge level.

7.2.3. Communication Cost

In a purely centralized training method, a global model needs to collect data continuously from each edge location. In a decentralized DNN training method, data must be communicated among edge locations and the central cloud for computation. This communication overhead increases other KPIs such as latency, energy and bandwidth consumption. Our proposed model overcomes these challenges by collecting only trained ground truth from each edge location. Inter-edge location communication is not required for model training. Once the local model reaches a certain pre-defined maturity threshold, the trained model is communicated to the GM. The GM uses these learned parameters to improve its learning and, at the same time, improves the global parameters and the local models. Instead of millions of communications among edge locations and the central model, only two communications are needed periodically at every edge location: (i) send locally learned knowledge to the GM, and (ii) receive learning from the GM. This helps to keep latency, energy and bandwidth consumption at their minimum level.
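The synchronization round described in this subsection, sketched as an added example that is not the paper's code. Assumptions: a small logistic-regression model stands in for the paper's deep models, the GM merges uploads by sample-weighted averaging, the maturity value is 0.90, and all flows, including the immature edge L4, are constructed.

```python
import math
import random
MATURITY = 0.90  # assumed value for the "pre-defined threshold level"

def make_flows(rng, n, shift, label_noise=0.0):
    """Constructed flows: two scaled features per flow; label 1 = DDoS, 0 = benign."""
    flows = []
    for _ in range(n):
        attack = rng.random() < 0.5
        centre = 0.75 if attack else 0.25
        x = (centre + shift + rng.gauss(0, 0.08), centre + rng.gauss(0, 0.08))
        label = int(attack) if rng.random() >= label_noise else rng.randint(0, 1)
        flows.append((x, label))
    return flows

def score(w, x):
    return 1.0 / (1.0 + math.exp(-(w[0] + w[1] * x[0] + w[2] * x[1])))

def accuracy(w, flows):
    return sum((score(w, x) > 0.5) == (y == 1) for x, y in flows) / len(flows)

def train_local(w, flows, epochs=30, lr=0.5):
    """Logistic-regression SGD that reads only this edge's own flows."""
    w = list(w)
    for _ in range(epochs):
        for x, y in flows:
            g = score(w, x) - y
            w = [w[0] - lr * g, w[1] - lr * g * x[0], w[2] - lr * g * x[1]]
    return w

def sync_round(global_w, edges):
    """Mature edges upload weights only; every edge then receives the merged GM."""
    uploads = {}
    for name, flows in edges.items():
        w = train_local(global_w, flows)
        if accuracy(w, flows) >= MATURITY:      # immature models stay at the edge
            uploads[name] = (w, len(flows))
    total = sum(n for _, n in uploads.values())
    merged = [sum(w[i] * n for w, n in uploads.values()) / total
              for i in range(3)] if uploads else list(global_w)
    messages = len(uploads) + len(edges)        # uploads + downloads
    raw_records = sum(len(f) for f in edges.values())  # centralized alternative
    return merged, sorted(uploads), messages, raw_records

rng = random.Random(7)
EDGES = {"L1": make_flows(rng, 200, 0.00), "L2": make_flows(rng, 200, 0.05),
         "L3": make_flows(rng, 200, -0.05),
         "L4": make_flows(rng, 100, 0.00, label_noise=1.0)}  # constructed immature edge
GM, UPLOADED, MESSAGES, RAW = sync_round([0.0, 0.0, 0.0], EDGES)
```

`MESSAGES` counts parameter uploads and downloads for the round, while `RAW` is the number of flow records a centralized trainer would have had to collect from the same edges.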

7.2.4. Latency

There are two kinds of latency KPIs: (i) communication and (ii) computation. Communication latency is tightly bound to the capability of the edge node. For this KPI, we compared the computation latency of the global model under the distributed training method. Table 8 shows the comparative computation latency for each model. The proposed model takes only 62 min 48 sec for training and achieves higher accuracy in less time than other models.

Table 8: COMPARATIVE ANALYSIS OF LATENCY

Algorithm             Training Time (minutes)   Best Iteration   Best Accuracy
ID3                   628.12                    4998             75
Random Forest         503.2                     4100             73
Naive Bayes           572.41                    5000             38
Logistic Regression   317.42                    5000             21
FlowGuard [9]         417.42                    5000             99
Proposed Model        62.48                     2900             99

7.2.5. Energy Consumption

In our model, each local model is trained with locally available data. In our experiment, we found that the data size at the London edge location is comparatively smaller than the data size at the Frankfurt edge location. During off-peak traffic periods, we can use the resources for computation to keep the energy consumption optimal. Pattern recognition can provide better resource utilization by re-purposing the resources for different uses. With known parameters, the proposed model can design computing resources and minimize energy consumption.

8. Conclusion

This paper presents an end-to-end edge intelligence-based solution for network intrusion, e.g., DDoS, detection and prevention. In this paper, we showcased the efficiency of Edge AI for IoT platforms. Instead of using host-based model training, this work proposed a distributed placement for IDS across different edge locations, utilizing high-performance computing power for a deep learning model trained on real-time data. Various deep learning models are used based on use cases. The proposed hybrid model leverages the strengths of deep learning models such as CNN, LSTM, GRU-D, and Neural ODE-based GRU-D for feature classification, anomaly detection and specified profile generation to detect intrusion. The proposed model can be trained offline in edge locations, and later those local ground truths can improve the performance of the global model. We have designed a distributed IDS empowered with IPS. The proposed IPS provides real-time protection against network attacks and risk and governance management. The proposed IPS updates in real time with IDS results and can prevent different network attacks. The proposed IPS also enables local edge services to take necessary action, such as removing vulnerable devices from the registry and notifying users about vulnerable devices from the edge locations. Therefore, it is possible to provide early prevention rather than late defence. Understanding the edge location profile helps design a defensive and proactive system.
ACKNOWLEDGEMENT

The publication of this article was funded by Qatar National Library.

References

[1] Y. Cao, Y. Cao, Synchronization of multiple neural networks with reaction–diffusion terms under cyber–physical attacks, Knowledge-Based Systems 239 (2022) 107939.
[2] Y. Cao, Y. Cao, S. Wen, T. Huang, Z. Zeng, Passivity analysis of delayed reaction–diffusion memristor-based neural networks, Neural Networks 109 (2019) 159–167.
[3] Internet of Things for insights from connected devices, https://www.ibm.com/cloud/architecture/architectures/iotArchitecture/reference-architecture/.
[4] B. B. Zarpelão, R. S. Miani, C. T. Kawakani, S. C. de Alvarenga, A survey of intrusion detection in internet of things, Journal of Network and Computer Applications 84 (2017) 25–37.
[5] P. Kumar, R. Kumar, G. P. Gupta, R. Tripathi, A distributed framework for detecting ddos attacks in smart contract-based blockchain-iot systems by leveraging fog computing, Transactions on Emerging Telecommunications Technologies 32 (6) (2021) e4112.
[6] D. Yin, L. Zhang, K. Yang, A ddos attack detection and mitigation with software-defined internet of things framework, IEEE Access 6 (2018) 24694–24705.
[7] N. Ravi, S. M. Shalinie, Learning-driven detection and mitigation of ddos attack in iot via sdn-cloud architecture, IEEE Internet of Things Journal 7 (4) (2020) 3559–3570.
[8] I. Sumaiya Thaseen, J. Saira Banu, K. Lavanya, M. Rukunuddin Ghalib, K. Abhishek, An integrated intrusion detection system using correlation-based attribute selection and artificial neural network, Transactions on Emerging Telecommunications Technologies 32 (2) (2021) e4014.
[9] Y. Jia, F. Zhong, A. Alrawais, B. Gong, X. Cheng, Flowguard: An intelligent edge defense mechanism against iot ddos attacks, IEEE Internet of Things Journal 7 (10) (2020) 9552–9562.
[10] V. Kumar, A. K. Das, D. Sinha, Uids: A unified intrusion detection system for iot environment, Evolutionary Intelligence 14 (1) (2021) 47–59.
[11] S. Wen, S. Xiao, Y. Yang, Z. Yan, Z. Zeng, T. Huang, Adjusting learning rate of memristor-based multilayer neural networks via fuzzy method, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 38 (6) (2018) 1084–1094.
[12] S. Raponi, M. Caprolu, R. Di Pietro, Intrusion detection at the network edge: Solutions, limitations, and future directions, in: International Conference on Edge Computing, Springer, 2019, pp. 59–75.
[13] E. Li, Z. Zhou, X. Chen, Edge intelligence: On-demand deep learning model co-inference with device-edge synergy, in: Proceedings of the 2018 Workshop on Mobile Edge Communications, 2018, pp. 31–36.
[14] M. Habiba, B. A. Pearlmutter, Neural odes for informative missingness in multivariate time series, in: 2020 31st Irish Signals and Systems Conference (ISSC), IEEE, 2020, pp. 1–6.
[15] Internet of Things – IoT, https://www.ibm.com/cloud/internet-of-things.
[16] I. Sharafaldin, A. H. Lashkari, S. Hakak, A. A. Ghorbani, Developing realistic distributed denial of service (ddos) attack dataset and taxonomy, in: 2019 International Carnahan Conference on Security Technology (ICCST), IEEE, 2019, pp. 1–8.
[17] M. Eskandari, Z. H. Janjua, M. Vecchio, F. Antonelli, Passban ids: An intelligent anomaly-based intrusion detection system for iot edge devices, IEEE Internet of Things Journal 7 (8) (2020) 6882–6897.
[18] D. P. Kingma, J. Ba, Adam: A method for stochastic optimization, arXiv preprint arXiv:1412.6980 (2014).

Mansura Habiba obtained a PhD in deep learning science from Maynooth University, Ireland. Currently, she is working as Principal Platform Architect in IBM Consulting.

Md. Rafiqul Islam obtained a PhD in computer science from Universiti Teknologi Malaysia in 1999. Currently, he is a Professor in the Computer Science and Engineering Discipline of Khulna University, Bangladesh. He has published over 150 Journals, Conference papers, and Books. He has some papers published in journals with high impact factors. His research interests include information security, machine learning and optimization.

S. M. Muyeen received his PhD degree in Electrical and Electronic Engineering from Kitami Institute of Technology, Japan, in 2008. At present, he is working as a full Professor in the Electrical Engineering Department of Qatar University. His research interests are power system stability and control, electrical machines, FACTS, energy storage systems (ESS), Renewable Energy, and HVDC systems.

A B M Shawkat Ali obtained a PhD from Monash University, Australia, in 2005. He is a Professor at The University of Fiji and a consultant in Data Science. He has published over 150 Books, Book Chapters, Journals and Conference Papers. He has received over 8 million research grants from sectors such as the EU, USAID, World Bank, Singapore, Canada and Australia.