Design of a new intrusion detection system for IoT networks

(Original Turkish title: IoT ağları için yeni bir saldırı tespit sistemi tasarımı)

  1. Thesis No: 964937
  2. Author: TUĞBA ULUSOY
  3. Advisor: PROF. DR. ÜNAL ÇAVUŞOĞLU
  4. Thesis Type: Master's
  5. Subjects: Computer Engineering and Computer Science and Control
  6. Keywords: Not specified.
  7. Year: 2025
  8. Language: Turkish
  9. University: Sakarya Üniversitesi
  10. Institute: Fen Bilimleri Enstitüsü (Institute of Natural Sciences)
  11. Department: Bilgisayar ve Bilişim Mühendisliği Ana Bilim Dalı (Computer and Information Engineering)
  12. Discipline: Bilgisayar Mühendisliği Bilim Dalı (Computer Engineering)
  13. Page Count: 139

Abstract (Turkish original, translated)

The spread of Internet of Things (IoT) technology has brought significant security vulnerabilities with it. These devices, which have low hardware power, work over a variety of protocols and are generally weak in terms of security, have become targets of malware such as Mirai and have laid the ground for large-scale DDoS attacks. The dataset used is CIC-IoT2023, known for its current and realistic structure. From this dataset, which contains 105 different devices and 33 attack types, the Mirai variants and DDoS categories in particular were selected, so that the system could be tested in scenarios closer to real-world conditions. The model was trained on TensorFlow in the Google Colab environment, and data imbalance was addressed with strategies such as SMOTE and class weights. Methods such as chi-square and LightGBM were used for feature selection. The version of the CIC-IoT2023 dataset used in this study was structured to include normal (Benign) traffic alongside various DDoS- and Mirai-based attack types. Multi-class classification was carried out with LSTM, BiLSTM and CNN-BiLSTM+Attention models. Missing and meaningless records in the dataset were cleaned to minimise bias in model training. In particular, removing from the dataset the columns that caused the model to memorise substantially reduced the risk of overfitting. In the study, RobustScaler and MinMaxScaler were used together to normalise the value ranges of the features. Because high-dimensional data was involved, the chi² test was applied with the SelectKBest method and the best 15 features were selected. While the LSTM and BiLSTM models gave very close results with 98% accuracy, the CNN-BiLSTM + Attention architecture performed worse, particularly in the Mirai-Greeths and Mirai-Greips classes. To carry out a detailed class-based analysis of model performance, ROC (Receiver Operating Characteristic) and PR (Precision-Recall) curves were evaluated.
The ROC curve of the LSTM model shows that the model has a very strong discrimination capacity overall. AUC = 1.00 was obtained for classes such as Benign, DDoS-SYN, DDoS-TCPs, DDoS-UDP and Mirai-udpplains, while AUC = 0.99 was observed for the sub-classes with similar patterns, Mirai-Greeths and Mirai-Greips. Thanks to its bidirectional learning capacity, the BiLSTM model can grasp deeper context, particularly in time-dependent patterns. In the ROC curves for the BiLSTM model, the model reached AUC = 1.00 for Benign and the DDoS types. However, AUC = 0.97 was observed for the Mirai-Greeths class and AUC = 0.98 for Greips. The Precision-Recall (PR) curves of the CNN-BiLSTM + Attention model are critical for measuring class-based accuracy, especially on imbalanced data. In this model, although the AP (Average Precision) value was measured as 1.00 for the Benign and DDoS classes, AP = 0.84 was obtained for the Mirai-Greeths class and AP = 0.87 for Mirai-Greips. When the confusion matrix results of the three models are evaluated together, it is seen that the models predict with high accuracy in the basic classes such as Benign, DDoS-SYN, DDoS-TCPs and DDoS-UDP. In the Mirai sub-classes, however, similar behaviour patterns made the task more challenging for the models. This shows that the separability of the class structure must be taken into account when choosing a model architecture. When the results obtained are compared with the literature, the model architectures preferred for this dataset are observed to offer a balanced solution in terms of both performance and processing time. This thesis demonstrates the effectiveness of AI-supported solutions for intrusion detection in IoT environments and presents a pioneering system for industrial applications.

Abstract (Translation)

The widespread adoption of Internet of Things (IoT) technology has brought significant security vulnerabilities to the forefront. These devices, which have low hardware power, operate with various protocols, and are generally inadequate in terms of security, have become targets for malicious software such as Mirai, paving the way for large-scale DDoS attacks. The dataset used is CIC-IoT2023, which is known for its up-to-date and realistic structure. From this dataset, which includes 105 different devices and 33 attack types, Mirai variants and DDoS categories were specifically selected to ensure that the system could be tested in scenarios closer to real-world conditions. The model was trained in a Google Colab environment based on TensorFlow, and data imbalance was addressed using strategies such as SMOTE and class-weight. Methods such as chi-square and LightGBM were used for feature selection. The version of the CIC-IoT2023 dataset used in this study is configured to include various types of DDoS and Mirai-based attacks as well as normal (benign) traffic. Multi-class classification was carried out using LSTM, BiLSTM, and CNN-BiLSTM+Attention models. Missing and meaningless data in the dataset were cleaned to minimise deviations in model training. In particular, removing columns that caused memorisation in the model significantly reduced the risk of overfitting. In this study, RobustScaler and MinMaxScaler were used together to normalise the value ranges of the features. Since high-dimensional data was used, the chi² test was applied with the SelectKBest method, and the best 15 features were selected. While the LSTM and BiLSTM models yielded very similar results with 98% accuracy, the CNN-BiLSTM + Attention architecture performed worse, especially in the Mirai-Greeths and Mirai-Greips classes. ROC (Receiver Operating Characteristic) and PR (Precision-Recall) curves were evaluated to perform a detailed class-based analysis of model performance.
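The preprocessing chain described above (RobustScaler and MinMaxScaler chained, then SelectKBest with the chi² test) as an added example in plain Python; this is not the thesis's own code. The feature names, flow rows and labels are constructed, and the zero-IQR and constant-column fallbacks mirror sklearn's behaviour as I understand it. The MinMax step matters: chi² requires non-negative inputs, which RobustScaler alone does not give.

```python
# Added example, not code from the thesis: RobustScaler -> MinMaxScaler -> SelectKBest(chi2)
# in plain Python. Feature names and flow rows below are constructed sample data.
from collections import Counter

def quantile(values, q):
    """Linear-interpolated quantile, the default used by numpy/sklearn."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo, hi = int(pos), min(int(pos) + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)

def robust_scale(column):
    """(x - median) / IQR; a zero IQR falls back to 1, as sklearn's RobustScaler does."""
    med = quantile(column, 0.5)
    iqr = quantile(column, 0.75) - quantile(column, 0.25)
    return [(x - med) / (iqr if iqr else 1.0) for x in column]

def minmax_scale(column):
    """Map to [0, 1]. RobustScaler output is centred on 0 and contains negatives,
    which chi2 rejects; that is why the two scalers are chained in this order."""
    lo, hi = min(column), max(column)
    span = (hi - lo) if hi != lo else 1.0
    return [(x - lo) / span for x in column]

def chi2_scores(X, y):
    """Per-feature chi2 statistic as sklearn.feature_selection.chi2 computes it:
    observed = per-class sum of the feature, expected = class prior * feature total."""
    prior = {c: k / len(y) for c, k in Counter(y).items()}
    scores = []
    for j in range(len(X[0])):
        total = sum(row[j] for row in X)
        observed = Counter()
        for row, label in zip(X, y):
            observed[label] += row[j]
        stat = 0.0
        for c, p in prior.items():
            expected = p * total
            if expected:  # a constant (all-zero after scaling) feature scores 0
                stat += (observed[c] - expected) ** 2 / expected
        scores.append(stat)
    return scores

def select_k_best(rows, labels, names, k):
    """Scale every column, score it, and return the k best (name, score) pairs."""
    scaled_cols = [minmax_scale(robust_scale(list(col))) for col in zip(*rows)]
    X = [list(r) for r in zip(*scaled_cols)]
    ranked = sorted(zip(names, chi2_scores(X, labels)), key=lambda t: t[1], reverse=True)
    return ranked[:k]

FEATURES = ["flow_rate", "syn_count", "ack_count", "header_len"]  # constructed names
ROWS = [[10, 1, 5, 54], [12, 1, 6, 54], [9, 0, 4, 54],           # Benign flows
        [500, 50, 0, 54], [520, 55, 0, 54], [480, 48, 1, 54],    # DDoS-SYN flows
        [3000, 2, 3, 54], [3200, 1, 2, 54], [2900, 2, 3, 54]]    # Mirai flows
LABELS = ["Benign"] * 3 + ["DDoS-SYN"] * 3 + ["Mirai"] * 3
```

Calling `select_k_best(ROWS, LABELS, FEATURES, 2)` ranks `syn_count` and `flow_rate` first, while the constant `header_len` column scores 0 and would be dropped, which is the kind of memorisation-prone or uninformative column the abstract says was removed.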
The ROC curve for the LSTM model shows that the model has a highly successful discrimination capacity in general. AUC values of 1.00 were obtained for classes such as Benign, DDoS-SYN, DDoS-TCPs, DDoS-UDP, and Mirai-udpplains, while AUC values of 0.99 were observed for subclasses with similar patterns such as Mirai-Greeths and Mirai-Greips. The BiLSTM model can understand deeper contexts, especially in time-dependent patterns, thanks to its bidirectional learning capability. In the ROC curves for the BiLSTM model, the model achieved an AUC of 1.00 for Benign and DDoS types. However, AUC values of 0.97 were observed for the Mirai-Greeths class and 0.98 for Greips. The Precision-Recall (PR) curves of the CNN-BiLSTM + Attention model are critical for measuring class-based accuracy, especially in imbalanced data structures. In this model, while the AP (Average Precision) value was measured as 1.00 for the Benign and DDoS classes, AP = 0.84 was obtained for the Mirai-Greeths class and AP = 0.87 for the Mirai-Greips class. When the confusion matrix results of the three models are evaluated together, it is understood that the models make high-accuracy predictions in basic classes such as Benign, DDoS-SYN, DDoS-TCPs, and DDoS-UDP. In the Mirai subclasses, however, similar behaviour patterns made the task more challenging for the models. This reveals that the separability of the class structure should be considered when selecting the model architecture. When compared with the literature, the results obtained show that the architectures preferred for this dataset offer a balanced solution in terms of both performance and processing time. This thesis demonstrates the effectiveness of artificial intelligence-supported solutions for attack detection in IoT environments and presents a pioneering system for sectoral applications.
In the Benign + Mirai + DDoS training, the LSTM model's precision, recall, and F1-score all hover around 0.999 across every class, clearly demonstrating the model's success on time-series data. This indicates that the model detects true positives at a high rate and offers balanced classification performance overall. The closeness of the validation loss to the training loss indicates that the model has not overfitted and generalises well; the loss of 0.0015 measured on the test data also supports this. Both training and validation accuracy remained high, exceeding 99.9% especially after the 10th epoch. The absence of fluctuations in accuracy as the epoch count increases demonstrates a stable learning process. Consequently, the 0.9995 accuracy obtained on the test data confirms the model's high performance. ROC curves are an important metric for evaluating the classification performance of LSTM models; an AUC (Area Under Curve) of 1.00 for all classes indicates that the model's ability to distinguish positive from negative classes is close to perfect. The classification performance of the BiLSTM model is summarised as follows: precision, recall, and F1-score at 0.999 for all classes indicate highly balanced and accurate results. Compared to LSTM, the BiLSTM model has the advantage of evaluating past and future context simultaneously in time-series data. Although overall success is very high, a certain degree of confusion is observed, particularly between the Mirai and DDoS classes: 101 examples belonging to Mirai were predicted as DDoS, indicating that these two attack types may exhibit similar behaviour patterns in some time windows.
This is noteworthy in that it shows structural similarities may be perceived as the same by a model with bidirectional data flow. However, the low overall error distribution proves that the model has strong learning capacity. The test accuracy of 0.9995 confirms that the model discriminates between classes with high precision. Despite this success, the slight fluctuations observed in the validation curve indicate that the model maintains flexible decision boundaries when it encounters complex structures. The comparative results of the LSTM, Bi-LSTM, and CNN-BiLSTM + Attention models are also presented. While all three models achieved high success rates, the CNN-BiLSTM + Attention model stood out on every metric. It not only made more accurate predictions, with an accuracy of 0.9996 and a test loss of 0.0011, but also showed a more stable, lower-loss learning process. Precision, recall, and F1-score in the 0.9997–0.9996 range demonstrate that this model is more reliable in sensitive areas such as attack detection. A ROC-AUC of 1.00, as with the other models, indicates that top-level discriminative power is maintained. Choosing the CNN-BiLSTM + Attention model is therefore a reasonable and recommendable approach, both in terms of metric superiority and operational reliability. For the Benign versus Mirai binary classification with the LSTM model, K-fold cross-validation was preferred. This method evaluates the model more reliably by testing it on different data subsets rather than a single training-test split: the dataset is divided into a fixed number of equal parts, and the model is tested on each part while being trained on the remaining parts, so that its overall performance is reflected more fairly across the entire dataset.
During the K-Fold application, the training and validation loss and accuracy of the model were monitored separately in each fold. Loss decreased steadily across all folds and accuracy rose rapidly. In the best fold the test accuracy was close to 100% and the test loss was only 0.0006. Precision, recall, and F1-score all reached 0.9999, demonstrating that the model succeeded not only in accuracy but also in maintaining balance between classes. In this context, the K-Fold method helped the model produce a more generalised representation without overfitting. In particular, evaluating the data distribution across all folds, independent of random splits, increased the model's adaptability to different scenarios. Training loss initially dropped rapidly and then stabilised at low levels; validation loss likewise decreased steadily, demonstrating strong generalisation. BiLSTM can operate with minimal loss within a specific data slice, and the model parameters contribute optimally to both the learning process and validation performance. Training and validation accuracy were observed to start at 0.99998, rapidly exceed 0.99999, and maintain that value throughout the process. For the Benign versus DDoS binary classification with the LSTM model, K-fold cross-validation was again preferred. This ensures that the model is tested more consistently and evenly across the entire dataset, rather than being confined to one subset. The model consistently delivered high accuracy during both training and validation across the different folds. The AUC for both classes was 1.00 on the ROC curve. According to the confusion matrix, the LSTM model classified the Benign and DDoS classes with very high accuracy.
Classification errors occurred in only nine examples, clearly demonstrating the model's high classification capability. In the ROC curves, AUC (Area Under Curve) values of 1.00 for the Benign and DDoS classes indicate that the model separates the classes without error and has very high discriminative power. In the loss graph obtained on the test data, training and validation loss decrease over time and stabilise; in the test accuracy graph, accuracy rises rapidly as the epochs progress and stabilises at a high level. Furthermore, thanks to K-Fold cross-validation, the model adapts to wider variation by being tested on different data subsets, and its generalisability increases. This study demonstrates that different deep learning architectures can detect attacks in IoT networks with high accuracy. Specifically, the BiLSTM architecture gave the most balanced result in terms of both processing time and accuracy: it distinguished DDoS from Mirai-type attacks with up to 98% accuracy while keeping inter-class confusion to a minimum. Adding the CNN component contributed to spatial pattern extraction, but in some cases increased training time. Although the attention architecture theoretically has the potential to learn more advanced patterns through its attention mechanism, the results of this study show that in practice a high parameter count can lead to errors. Complex models struggled to separate classes, particularly where sub-classes were very similar, as with Mirai-Greeths and Mirai-Greips. The experiments revealed that model performance does not depend on architectural choices alone; data balance, feature selection, and hyperparameter tuning are equally decisive factors.
In experiments using features selected with the Chi² method, the model showed less tendency to overfit. ROC curves, the accuracy-F1 balance, and confusion matrix analyses corroborate these findings. The system proposed in this thesis is particularly applicable to edge-based IoT security solutions and offers satisfactory results in terms of speed and accuracy. When the results are compared with the literature, the proposed solution is competitive and demonstrates superior performance in some respects.
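The abstract reports both ROC-AUC and PR average precision per class and finds that the rare Mirai sub-classes keep an AUC of 0.97 to 0.99 while their AP drops to 0.84 to 0.87. The added example below (my code, not the thesis's) computes both metrics one-vs-rest on a constructed 100-flow split to show why the two diverge on a minority class; the labels and scores are invented, and the metric definitions follow sklearn's.

```python
# Added example, not code from the thesis: one-vs-rest ROC-AUC and average precision
# for a rare class. The labels and scores below are constructed to mimic the Mirai
# sub-class situation in the abstract: AUC stays near 0.99 while AP falls well below it.

def roc_auc(y_true, scores, positive):
    """Mann-Whitney form of ROC-AUC: share of (positive, negative) pairs ranked in the
    right order, ties counting one half. Identical to the area under the ROC curve."""
    pos = [s for s, y in zip(scores, y_true) if y == positive]
    neg = [s for s, y in zip(scores, y_true) if y != positive]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def average_precision(y_true, scores, positive):
    """AP = sum_n (R_n - R_{n-1}) * P_n over descending score thresholds, the
    step-wise definition sklearn's average_precision_score uses."""
    order = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    n_pos = sum(1 for y in y_true if y == positive)
    tp = fp = 0
    recall_prev = ap = 0.0
    for rank, i in enumerate(order):
        if y_true[i] == positive:
            tp += 1
        else:
            fp += 1
        nxt = order[rank + 1] if rank + 1 < len(order) else None
        if nxt is not None and scores[nxt] == scores[i]:
            continue  # tied scores share one threshold, so evaluate them together
        precision, recall = tp / (tp + fp), tp / n_pos
        ap += (recall - recall_prev) * precision
        recall_prev = recall
    return ap

def constructed_minority_split():
    """4 'Mirai-Greeths' flows among 100. Two look-alike Mirai-Greips flows score above
    the two weaker positives; the 94 benign flows all score low."""
    labels = ["Mirai-Greeths"] * 4 + ["Mirai-Greips"] * 2 + ["Benign"] * 94
    scores = [0.95, 0.90, 0.60, 0.55] + [0.80, 0.70] + [0.05 + 0.004 * i for i in range(94)]
    return labels, scores

def report(positive="Mirai-Greeths"):
    """Both metrics for the same ranking: AUC barely notices two false positives among
    96 negatives, AP does, because precision is measured against only four positives."""
    labels, scores = constructed_minority_split()
    return {"auc": round(roc_auc(labels, scores, positive), 4),
            "ap": round(average_precision(labels, scores, positive), 4)}
```

`report()` gives an AUC of about 0.99 and an AP of about 0.82 for the same scores, which is why a PR curve is the metric to watch for rare attack sub-classes even when the ROC curve looks near-perfect.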

Similar Theses

  1. Deep learning based-intrusion detection system design for critical infrastructure
     HAKAN CAN ALTUNAY, PhD, Turkish, 2023
     Computer Engineering Sciences-Computer and Control, Karabük Üniversitesi, Department of Computer Engineering
     Advisor: Assoc. Prof. Dr. ZAFER ALBAYRAK

  2. Development and formal verification of a new secure provisioning scheme for IoT networks
     İLKER YAVUZ, PhD, English, 2024
     Computer Engineering Sciences-Computer and Control, İstanbul Teknik Üniversitesi, Department of Electronics and Communication Engineering
     Advisor: PROF. DR. SIDDIKA BERNA ÖRS YALÇIN

  3. Wireless lan design and future internet architecture
     ASHRAF THAKER MAHMOOD ALMUKHTAR, Master's, English, 2023
     Computer Engineering Sciences-Computer and Control, Altınbaş Üniversitesi, Department of Electrical and Computer Engineering
     Advisor: PROF. DR. OSMAN NURİ UÇAN

  4. New lightweight DoS attack mitigation techniques for RPL based IoT networks
     AHMET ARIŞ, PhD, English, 2019
     Computer Engineering Sciences-Computer and Control, İstanbul Teknik Üniversitesi, Department of Computer Engineering
     Advisor: PROF. DR. SEMA FATMA OKTUĞ

  5. Distributed anomaly-based intrusion detection system for IoT environment using Blockchain technology
     NOUHA HEJAZI, Master's, English, 2022
     Information and Records Management, İstanbul Teknik Üniversitesi, Department of Informatics Applications
     Advisor: Assoc. Prof. Dr. ENVER ÖZDEMİR