In a paper published in the journal PLOS ONE, researchers explored the proliferation of Internet of Things (IoT) and Industrial IoT (IIoT) systems in conjunction with Industry 4.0 technology, focusing on the escalating use of IoT devices. This surge raised concerns about security risks from malicious network activities, particularly Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, which threaten device functionality.
Researchers employed machine learning (ML) and deep learning (DL) algorithms to combat these issues by creating an Intrusion Detection System (IDS) named TabNet-IDS. This innovative model harnessed attentive mechanisms for automated feature selection from tabular datasets, enhancing IDS training and providing interpretable results.
The TabNet-IDS demonstrated its efficacy by achieving remarkable accuracy rates of 97% on the Canadian Institute for Cybersecurity Intrusion Detection System 2017 (CIC-IDS2017) dataset, 95% on the Cybersecurity Experimentation-CIC Intrusion Detection System 2018 (CSE-CICIDS2018) dataset, and an impressive 98% on the Canadian Institute for Cybersecurity Distributed Denial of Service 2019 (CIC-DDoS2019) dataset.
Network Security Challenges in IoT
The proliferation of the IoT has raised concerns about cybersecurity as diverse devices are interconnected, making the system susceptible to various threats, including DoS and DDoS attacks. Research has explored advanced technologies such as ML, DL, and IDS to counter these challenges. However, handling high-dimensional datasets and ensuring model transparency remain challenges. As a result, there is a growing focus on improving security measures, reducing computational complexity, and enhancing model interpretability to safeguard IoT networks against evolving cyber threats.
Related Work
Previous research has emphasized the rapid expansion of IoT devices and the growing importance of IoT security amid the widespread adoption of smart devices across various sectors. Existing security tools need enhancements to effectively address evolving threats, with a particular focus on actively countering DDoS attacks.
Researchers have explored deep learning-based Intrusion Detection Systems (IDS), but these models often lack interpretability. In response, researchers have actively utilized explainable AI (XAI) frameworks such as Local Interpretable Model-agnostic Explanations (LIME) and SHapley Additive exPlanations (SHAP), despite their computational demands. Attention-based mechanisms, such as self-attention networks (SAN), have enhanced feature selection with mixed results.
TabNet-IDS Features & Hyperparameter Optimization
The TabNet algorithm presents a pioneering approach to IDS that addresses the unique challenges of tabular data. Unlike traditional IDS models, which often require extensive feature engineering before training, TabNet streamlines the process by introducing a sequential attention mechanism for feature selection. By automating preprocessing, TabNet facilitates flexible data integration and instance-wise feature selection, reducing model complexity and shortening training times. This feature promotes the development of lightweight models, making TabNet particularly suitable for resource-constrained IoT systems. The architecture comprises four key modules: the encoder, decoder, feature transformer, and attentive transformer.
Hyperparameter tuning plays a crucial role in optimizing the TabNet-IDS model. To achieve this, Optuna, a hyperparameter optimization framework, is employed to explore the hyperparameter search space dynamically. Optuna's efficient architecture offers several advantages, such as dynamic construction of the search space, suitability for both lightweight and heavyweight computational tasks, and pruning and efficient sampling techniques. The hyperparameter tuning process provides insights into the significance of various parameters, including patience levels and the number of steps, ultimately enhancing the model's accuracy and interpretability.
Study Findings
The study introduces a novel TabNet-IDS architecture and evaluates its performance across three distinct datasets: CIC-IDS2017, CSE-CICIDS2018, and CIC-DDoS2019. The study uses a 10-fold cross-validation approach, a batch size of 1024, and the Adam optimizer for model training. It applies Ghost Batch Normalization (GBN) with a virtual_batch_size of 128 for efficient mini-batching. The results in Table 5 provide insights into the model's accuracy, precision, recall, F1-measure, MCC, and test times, showcasing the TabNet-IDS model's efficacy in differentiating network traffic in training and testing phases.
The evaluation reveals that the TabNet-IDS model performs strongly on all three datasets. It achieves an average accuracy of over 95% and performs exceptionally well on the CIC-IDS2017 dataset, achieving an average accuracy of 97.03%. Moreover, it excels in rapidly processing and classifying network traffic, a vital capability for real-time intrusion detection and response in IoT systems. The study also demonstrates the model's consistency and reliability across various evaluation metrics, making it a promising tool for enhancing the security of networked devices.
Furthermore, the study delves into the model's explainability by visualizing feature importance and selection masks. The TabNet-IDS model showcases adaptive feature selection, decision steps, and sparse feature representation, enhancing detection and classification. The visualized feature masks provide insights into the features that play pivotal roles in decision-making at each step of the model. The TabNet-IDS model exhibits strong performance, rapid response, and an inherent ability to adapt to diverse network characteristics, making it a valuable asset for IoT security applications.
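The sequential attention and per-step feature masks described above can be illustrated with a short sketch. This is an added example, not code from the paper or from TabNet-IDS. It assumes the sparsemax mask and relaxation factor (gamma) of the original TabNet design; the feature names, attention logits and equal step weights are constructed for illustration.

```python
# Added illustration, not the paper's code. Pure Python, no dependencies.

def sparsemax(z):
    """Project scores z onto the probability simplex; low scores become exactly 0."""
    cumsum, tau = 0.0, 0.0
    for k, v in enumerate(sorted(z, reverse=True), start=1):
        cumsum += v
        if 1 + k * v > cumsum:        # v is still inside the support
            tau = (cumsum - 1) / k    # threshold for a support of size k
    return [max(v - tau, 0.0) for v in z]

def sequential_masks(step_logits, gamma=1.5):
    """Return one sparse feature mask per decision step.

    prior[j] shrinks each time feature j is selected, so later steps are
    pushed toward features that have not been used yet.
    """
    prior = [1.0] * len(step_logits[0])
    masks = []
    for logits in step_logits:
        mask = sparsemax([p * a for p, a in zip(prior, logits)])
        masks.append(mask)
        prior = [p * (gamma - m) for p, m in zip(prior, mask)]
    return masks

def aggregate_importance(masks):
    """Sum the masks over steps and normalise to 1.

    Assumption: every step is weighted equally. TabNet itself weights each
    step by how much it contributed to the decision.
    """
    totals = [sum(col) for col in zip(*masks)]
    grand_total = sum(totals)
    return [t / grand_total for t in totals]

# Constructed sample: hypothetical flow features and attention logits. In a
# trained model the logits come from the attentive transformer.
FEATURES = ["flow_duration", "fwd_pkts", "flow_bytes_per_s", "syn_flag_cnt"]
STEP_LOGITS = [
    [1.5, 1.0, 0.1, 0.0],   # step 1
    [1.5, 1.0, 0.1, 0.0],   # step 2: same logits, different mask due to prior
    [0.2, 0.2, 1.0, 0.0],   # step 3
]

if __name__ == "__main__":
    masks = sequential_masks(STEP_LOGITS)
    for step, mask in enumerate(masks, start=1):
        print(f"step {step}:", dict(zip(FEATURES, mask)))
    print("importance:", dict(zip(FEATURES, aggregate_importance(masks))))
```

Steps 1 and 2 receive identical logits, yet the second mask shifts weight from the first feature to the second because the prior scale penalises reuse; a feature that no step selects ends with an importance of exactly zero.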
Summary
To sum up, ML and DL algorithms are crucial in enhancing network profile detection and securing IoT systems. This study explored using a DL algorithm for tabular data, a relatively under-explored area in ML and DL tasks. The TabNet-IDS model demonstrated strong detection capabilities and reduced false alarms in multi-class network profile classification.
Notably, the model offers interpretability without relying on third-party frameworks, making it lightweight. Hyper-parameter tuning helped optimize the model's performance, resulting in 97%, 95%, and 98% accuracy on different datasets. While the model showed competitive performance, its behavior can vary on other datasets, necessitating further exploration and validation of a broader range of data for real-world applications.
Article Revisions
- Jun 24 2024 - Fixed broken journal paper link.