Context-Aware and Class Imbalance Invariant Threat Severity Assessment for Heterogeneous IoT

Due to demand for information ubiquity and large-scale automation, proliferating Internet-connected heterogeneous devices exhibit significant variations in data processing capacities, purposes, operating principles, underlying protocols, and dynamic contexts. As a result, adversarial entities exploit the increasing heterogeneous network (HetIoT) vulnerabilities, leading to frequent high-impact attacks due to anomalous device interactions and scarce knowledgebase. This paper presents a two-fold solution to the problem through a network intrusion detection and prevention framework for HetIoT, called \textit{HetIoT-NIDPS}. Firstly, we assign fault scores to the Expert-curated Knowledgebase (EK) framework, correlating with low-level alerts to assess threat severity and achieve context-awareness. Secondly, the proposed Beta distribution-based HetIoT traffic behavior approximation facilitates class imbalance invariance and improves classifier performance. Additionally, the HetIoT-NIDPS can detect zero-day attacks by identifying known attack variations upon encountering unseen traffic instances. Furthermore, the dynamic HetIoT contexts necessitate real-time threat assessment through online training---performed by analyzing small batches of network traffic samples. We propound the \textit{CorrELM} classifier based on the extreme learning machine algorithm and test the hypotheses on the Bot-IoT dataset. Finally, we prioritize the correlated alerts based on their severity, determined from root cause analysis and threat severity assessment tables. The results obtained prove that the proposed HetIoT-NIDPS framework is context-aware---producing reduced false alerts, class imbalance invariant---facilitating near real-time threat assessment with unbiased classifier performance, and generalizable---applicable to many NID datasets, which the existing techniques lack when combined.