The new generation of mobile networks, whose roll-out is foreseen by 2030, is envisioned to offer a much wider range of applications compared to 5G by interconnecting billions of IoT devices such as extended reality devices, wearable displays, drones, and autonomous vehicles. The unprecedented growth of 6G-enabled IoT devices, along with the massive emergence of connections in future 6G communication platforms, will increase the security vulnerabilities of 6G-enabled massive IoT networks, leading to a wide spectrum of known and unknown security threats. At the same time, attackers are becoming more sophisticated and powerful in carrying out new types of attacks against massive IoT networks. This creates the need to develop advanced security solutions for massive IoT networks, in particular solutions that can run on energy-constrained IoT devices, which are often battery powered.
Intrusion detection, which already constitutes a popular defense technology for traditional IP networks, is currently foreseen by industry and the research community as a promising security solution that can also play a significant role in protecting IoT networks, provided that novel Intrusion Detection Systems (IDSs) tailored to the resource-constrained characteristics of IoT networks are developed. In particular, considerable research effort has recently been put into the design and development of lightweight Anomaly-based Intrusion Detection Systems (AIDSs) that leverage Machine Learning (ML) techniques (e.g. SVMs), because of their ability to detect new, previously unknown attacks (e.g. zero-day attacks) in IoT networks. However, although AIDSs are conceptually attractive, they cannot be widely applied in practice because they suffer from a high false-positive rate: they may classify unseen benign instances (i.e. instances not included in the training dataset) as malicious. Thus, decreasing the false-positive rate of future lightweight AIDSs is critical for their acceptance and wide adoption in massive IoT networks in the coming years.
In this direction, the main research focus is on the feature selection process. Nevertheless, the efficacy of feature selection depends heavily on the quality (i.e. relevance and informativeness) of the initial set of raw features used to generate the training/testing datasets. Consequently, identifying effective (i.e. relevant and informative) raw features is of utmost importance for enhancing the feature selection process, so that it selects the subset of most significant features that will lead to robust AIDSs with a reduced false-positive rate. However, so far and to the best of our knowledge, raw features for IoT AIDSs are identified through empirical processes that rely on the researchers' and engineers' expertise and practical experience with the implementation peculiarities (e.g. underlying functionality, protocols and devices) of the IoT networks that the developed AIDSs will be deployed to protect. In other words, there is no formal, structured process that enables a more reliable, efficient and holistic identification of effective raw features and that takes into account the impact of attacks on the performance of the targeted IoT network, an impact that is closely related to the implementation peculiarities of that network. In fact, very effective features for improving the detection capabilities of AIDSs can be derived from metrics related to the impact of attacks on the performance of the targeted IoT network. It is therefore essential, and at the same time challenging, to quantify the performance of the IoT network while it is under attack, in order to measure the actual impact and “translate” it into proper attack impact metrics (e.g. throughput, response time).