An Efficient Two-Stage Network Intrusion Detection System in the Internet of Things

Internet of Things (IoT) devices and services provide convenience but face serious security threats. The network intrusion detection system is vital in ensuring the security of the IoT environment. In the IoT environment, we propose a novel two-stage intrusion detection model that combines machine learning and deep learning to deal with the class imbalance of network traffic data and achieve fine-grained intrusion detection on large-scale flow data. The superiority of the model is verified on the newer and larger CSE-CIC-IDS2018 dataset. In Stage-1, the LightGBM algorithm recognizes normal and abnormal network traffic data and compares six classic machine learning techniques. In Stage-2, the Convolutional Neural Network (CNN) performs fine-grained attack class detection on the samples predicted to be abnormal in Stage-1. The Stage-2 multiclass classification achieves a detection rate of 99.896%, F1score of 99.862%, and an MCC of 95.922%. The total training time of the two-stage model is 74.876 s. The detection time of a sample is 0.0172 milliseconds. Moreover, we set up an optional Synthetic Minority Over-sampling Technique based on the imbalance ratio (IR-SMOTE) of the dataset in Stage-2. Experimental results show that, compared with SMOTE technology, the two-stage intrusion detection model can adapt to imbalanced datasets well and reveal higher efficiency and better performance when processing large-scale flow data, outperforming state-of-the-art intrusion detection systems.