Video of the presentation is available here: https://youtu.be/L6EMnvALYtU Talk: An Asynchronous Distributed Deep Learning Based Intrusion Detection System for IoT Devices Speaker: Pu Tian Intrusion Detection Systems (IDS) in IoT devices are crucial for cybersecurity. Existing models may fail due to increased traffic pattern complexity and data complexity. To address these challenges, we propose an asynchronous distributed deep learning based IDS in which only training weights are shared and devices of heterogeneous computing power can train asynchronously. Empirical results on a large network intrusion dataset show that the system achieves high detection accuracy.

1. AN ASYNCHRONOUS DISTRIBUTED
DEEP LEARNING BASED INTRUSION
DETECTION SYSTEM FOR IOT DEVICES
PU TIAN
ADVISOR: DR. WEIXIAN LIAO
DEPARTMENT OF COMPUTER AND INFORMATION SCIENCES
TOWSON UNIVERSITY
5/29/2019

2. Background
• Internet of Things (IoTs).
• The connection of a wider range of everyday physical
devices, such as smart watch/phone and different
sensors.
• To collect a wider range of real-time data.
• Security issue.
• IoT Intrusion Detection System.

3. Design Goals
 Effective
• Identification of malicious network flow from complicated
protocols.
 Efficient
• Detection in a timely manner.

4. Existing IDS Models
 Knowledge Based Method:
• To establish exact rules for intrusion behaviors.
• Pros: Accurate and fast.
• Cons: (1) Vulnerable to new attacks.
(2) Time-consuming to create rules manually.

5. Existing IDS Models
 Machine Learning(ML) Method:
• Build model with labeled/unlabeled training data.
• Pros: Improved adaptability.
• Cons: (1) Computation resource consuming .
(2) Large data transmission for single-node
training.

6. General Federated Learning Model
 Synchronous Model
 Distributed nodes collect and train
local data independently.
 The central server fetches and
aggregates parameters after all
agents’ local updates are received.

7. General Federated Learning Model
• Pros: Reduced data transmission over the network.
• Cons: Performance problem of the slowest client.

8. Design Target
 Asynchronous Federated Learning Model
 Distributed nodes send their local
parameter update requests to the
server.
 The central server aggregates
immediately and sends updated
parameters back.

9. Challenges
 Staleness Problem

10. Challenges
 Existing Solutions for Staleness Problem
• Delayed Gradient Approximation Compensation.
• Update Weight Adjustment.
• Communication Optimization.

11. Proposed Method
 Neural Network
• Capacity of learning nonlinear complex patterns.

12.  Autoencoder(AE)
• Description: A NN used to
learn to represent itself as
close as possible.
• Encoder: Map(encode) input to
the latent layer, denoted by 𝓏.
• Decoder: Reconstruct the input
by mapping 𝓏 to the output
layer.
Proposed Method

13. Proposed Method
 Autoencoder(AE)
• Loss function: To measure the
discrepancy between the input 𝑥 𝑖
and
its reconstruction 𝑥 𝑖
.
• Root Mean Squared Error (RMSE)
RMSE =
∑ 𝑖=1
𝑛
(𝑥 𝑖− 𝑥 𝑖)2
𝑛
 For training: To minimize the RMSE value in order to reconstruct original input.
 For execution(detection): A smaller value indicates a higher possibility of similarity to the training
instances.

14. Proposed Method
 Intrusion Detection with AE
𝑋 𝑖+1
= {𝑥1, 𝑥1, 𝑥1, … … … , 𝑥 𝑛}
Case 1: 𝑅𝑀𝑆𝐸 < 𝑇ℎ𝑟𝑒𝑠ℎ𝑜𝑙𝑑 → 𝑋 𝑖+1 is GOOD.
Case 2: 𝑅𝑀𝑆𝐸 > 𝑇ℎ𝑟𝑒𝑠ℎ𝑜𝑙𝑑 → 𝑋 𝑖+1
is BAD.
𝑇ℎ𝑟𝑒𝑠ℎ𝑜𝑙𝑑 = 0.45

15. Proposed Method
 Asynchronous Parameter Update
• The gradient descent delay compensation method based on the approximation for the delayed value. *
• Originally proposed for image classification with ResNet and adopted for AE in IDS scenario.
*Zheng, Shuxin, Qi Meng, Taifeng Wang, Wei Chen, Nenghai Yu, Zhi-Ming Ma, and Tie-Yan Liu. "Asynchronous
stochastic gradient descent with delay compensation." In Proceedings of the 34th International Conference on
Machine Learning-Volume 70, pp. 4120-4129. JMLR. org, 2017.

16. Experiments
 Dataset
• CICIDS2017 : Normal and common attacks ranging from 9 a.m., Monday, July 3, 2017 to 5 p.m. on
Friday July 7, 2017, for a total of 5 days.
• Training Data: 100,000 normal data instances randomly chosen from Monday dataset.
• Testing Data: 200,000 normal as well as abnormal data(DDoS) instances extracted .
 Experiment Setup
• Server and Clients: One parameter server and four clients.
• Input Data Dimension: 77 features.
• Hidden Layer: 75% of the input layer dimension, 55 in this case.
• Parameter Update Method: 50 iterations for local updates and then a request for a global
parameter aggregation (20 iterations of global updates).

17. Experiments
 Training Errors over Aggregation Epochs

18. Experiments
 Metrics
• True Positive (TP): Attack data correctly classified as an attack.
• False Positive (FP): Normal data incorrectly classified as an attack.
• True Negative (TN): Normal data correctly classified as normal.
• False Negative (FN): Attack data incorrectly classified as normal.
• Accuracy =
𝑇𝑃+𝑇𝑁
𝑇𝑃+𝑇𝑁+𝐹𝑃+𝐹𝑁
• Precision =
𝑇𝑃
𝑇𝑃+𝐹𝑃
• Recall =
𝑇𝑃
𝑇𝑃+𝐹𝑁
• F-Score = 2 ×
𝑃𝑟𝑒𝑠𝑖𝑜𝑛 × 𝑅𝑒𝑐𝑎𝑙𝑙
𝑃𝑟𝑒𝑠𝑖𝑜𝑛+ 𝑅𝑒𝑐𝑎𝑙𝑙

19. Experiments
 Results
Metrics
Parameter
Update Method
Accuracy Precision Recall F-Score
Synchronous 98.495% 99.994% 92.539% 96.097%
Asynchronous 98.489% 99.992% 92.503% 96.068%

20. Conclusion
 Deep learning network (Autoencoder) for intrusion detection.
 Asynchronous parameter update for efficiency with accuracy guaranteed.
 Test with relatively new dataset.

21. Future Work
 Optimize asynchronous parameter update mechanism for large
scale distributed IDS network.
 Test more attack types.
 Give a full theoretical analysis for the convergence of
Autoencoder in asynchronous parameter update scenario.

22. Thank You !