Technology is pivotal in the rapid growth of services and intensifying the quality of life. Recent technology, like the Internet of Things (IoT), demonstrates an impressive performance in fast-forward development. Intrusion Detection System (IDS) is used as a lifeline to prevent attacks by classifying the activities as normal and suspicious. In this paper, we propose a two-phase IDS for IoT. In the first phase, we categorize data into four sections according to the data types (i.e., nominal, integer, binary, and float). We then classify them using different versions of the Naive Bayes classifier. After that, we use majority voting to choose the final result of the classification. In the second phase, we pass those data which behave normally or are benign in the first phase and classify them using an unsupervised elliptic envelope. We validated our work using the standard NSL-KDD, UNSW_NB15, and CIC-IDS2017 datasets. We found the proposed method more efficient than existing IDS techniques and achieved reasonable accuracy in the first phase. Furthermore, the benign data is sent to the second phase of the analysis. After the second phase, we achieved a 97% accuracy in the NSL-KDD dataset, 86.9% in the UNSW_NB15 dataset, and 98.59% accuracy in the CIC-IDS2017 dataset.
In the evolutionary era, the Internet has always been performing a most significant role. Globally, the total estimate of Internet users is projected to increase from 3.9 billion in 2018 to 5.3 billion by 2023, as stated by Cisco Annual Internet Report . Furthermore, the Internet of Things (IoT) is becoming increasingly widespread. IoT integrates many heterogeneous objects (such as in a smart home: intelligent bulbs, refrigerators, fans, air conditioners, automated doors, and TVs.) with various connecting technologies such as Bluetooth Low Energy (BLE), WiFi, and ZigBee. There are also other domains and applications in which the IoT can play an important role and enhance our lives quality. These applications include smart transportation, industrial automation, agriculture, and healthcare .
The IoT model  has been emerging towards formulating a cyber–physical environment where everything can be found, operated, investigated, and modernized. Because of being connected, the chances of attacks on the network increase. Many attacks and malicious incidents can affect different layers of the IoT architecture, creating security concerns. Makhdoom et al.  discussed the commonly known attacks on different layers, depending on the anatomy of the malware, and IoT-enabled cyber-attacks are also illustrated in a survey . Similarly, Zarpel et al.  elaborated on intrusion detection systems in IoT. They have classified IDS based on placement strategies, detection methods, security threats, and validation strategies. Zargar et al.  explained in detail about Distributed Denial of Service (DDoS) attacks and also classified the countermeasures.
This paper presents a machine learning-based two-phase IDS. Firstly, we categorize data into four sections according to the data types (e.g., nominal, integer, binary, and float). Then classify them using different versions of the Naive Bayes classifier. After that, with the help of majority voting, we choose the final result of the classification. In the second phase, we pass those data which behave like normal in the first stage, and these data are classified using an unsupervised elliptic envelope. It draws an imaginary envelope and assigns value 1, which lies inside the Envelope, and −1 outside the Envelope. Our proposed model is also performing very well in the imbalanced distribution of the data by providing the weight initialization to each class. Finally, we got an overall 97% accuracy with a meager false positive rate. The drawback of this model is that it does not work pretty in multiclass classification.
In future work, we will improve the multiclass classification and feature engineering techniques model, expand this procedure in real-time for network traffic analysis, and evaluate performance. We will further attempt to capture network data by deploying IoT devices in the real world. Moreover, the IDS system will detect malicious incidents in real-time and immediately take appropriate action to prevent damage.