Investigating Dynamic User-Level Scheduling to Improve AI-Based Intrusion Detection Systems on IoT

Examensarbete för masterexamen
Master's Thesis
High-performance computer systems (MPHPC), MSc
Coban, Ali Zulfukar
Mirzai, Aria
Internet of things devices with their inherent convenience factor have exploded in numbers during the latest decade, however at the cost of rising security concerns. This is largely due to their incapability of solving complex and computationally heavy numerical problems especially when dealing with large data-sets, a key component for computers in today’s world for fending off attacks. The main contribution of this thesis is investigating how a dynamic user-level scheduler can improve the detection capabilities of AI-based intrusion detection systems and to enable retraining of an AI algorithm on an IoT device. The models are assumed to be made of lightweight and data-driven machine learning algorithms, such as ”PASAD” which we chose to utilize for this work. The scheduler was created after having initially developed a basic framework for allowing the PASAD models to detect attacks, denoted as our ”baseline” system. The experiments that followed proved that the dynamic user-level scheduler provides several additional advantages compared to the baseline, mainly a substantial throughput increase which reduces the time until attacks are detected, a critical factor from the security aspect. Additionally, a model prioritization feature was built to allow the scheduler to allocate more processing resources towards nodes it is suspecting to be under attack. Both of these variables play an important role in pawing the way to having our IoT devices being protected by more robust security schemes, even for those devices considered too resource limited today. With our scheduler implemented on an Nvidia Jetson Nano, is it possible to calculate approximately 57,000 anomaly scores per second, which are used in the attack monitoring process, for roughly 97 detection models while simultaneous retraining is taking place (results are for when PASAD is the utilized detection algorithm). Furthermore, with 75 PASAD models the scheduler is able reach ≈1.46 times the performance of the baseline with retraining enabled and with retraining disabled it reaches ≈2.15 times the performance of the baseline.
Internet of things , Anomaly-based intrusion detection system , User-level scheduling , model training
Arkitekt (konstruktör)
Geografisk plats
Byggnad (typ)
Teknik / material