Intrusion Detection in Industrial IoT Networks using NetFlow and Machine Learning Techniques on the NF-ToN-IoT-v2 Dataset
DOI:
https://doi.org/10.56714/bjrs.52.1.9Keywords:
Industrial Internet of Things (Iiot), Intrusion Detection System (IDS), Netflow, NF-Ton-Iot-V2 Dataset, Machine Learning, SMOTE, Random ForestAbstract
The massive expansion of industrial IoT networks introduces new and significant security challenges. the class of bad hack attacks that requires real-time detection and only traditional intrusion detection systems cannot perform this task due to their inadequacy in handling very large amounts of data, primarily for complete and useful analysis. In addition, there is a very serious class-imbalance problem: there are so many normal traffic outnumbering anomaly traffic (even if enough attack samples exist, it is hard to train). In this paper, we propose an improved NetFlow based intrusion detection framework where class imbalance is one individual heterogeneous in the NetFlow data of common traffic is normal. Suppose that a machine learning evaluation would result in low, moderate or high ambiguity results between negative and positive samples. If we could develop better preprocessing tools followed by more extensive machine learning evaluation something like this may be possible. We show that this framework generalizes all BDPs for (at least) the readers who are not interested in more technical details. This approach uses a state of the art NetFlow-based data set (NF-ToN-IoT-v2) for training instances that are deliberately designed to encompass a broad range of IIoT attack types. The main steps of the proposed work are: (1) Hard Preprocessing Log1p transformation for normalization and StandardScaler feature scaling; (2) SMOTE over-Sampling due to high-class imbalance only ~1% original dataset samples are attacks; (3) Random Forest, K-Nearest Neighbors (KNN), Multi-Layer Perceptron evaluation. All pretreatment steps were then applied after splitting the data types. This was to avoid data leakage and therefore obtain a better estimate of performance. All models performed better with SMOTE preprocessing. It can be noted from the tests that compared to the imbalanced baseline used as a test case attack led to an AUC-ROC relative increase of ~13–28% and an attack recall by approximately 300%. Random Forest performed best for all classifiers. AUC-ROC (0.950) and Matthews Correlation Coefficient (MCC) (0.778) offer a balance between detection speed and accuracy. Additionally, MLP (AUC-ROC = 0.949 and MCC = 784) was competitive for being both speedy and powerful, while KNN still has its nature of not being very speedy, as while 99.7% of the summation traffic was in good taste but only 76.5% was for the attacks. Among the features chosen for relevance to our models, we observed that those which had a long-time relationship (dur) and included various types (proto) of protocols that were used by packets and their mean size did provide over 83%
Downloads
References
[1] L. Da Xu, W. He, and S. Li, "Internet of things in industries: A survey," IEEE Transactions on Industrial Informatics, vol. 10, no. 4, pp. 2233-2243, 2014. DOI: 10.1109/TII.2014.2300753 DOI: https://doi.org/10.1109/TII.2014.2300753
[2] B. Almusawy, A. A. J. I. J. o. E. Alrammahi, E. Engineering, and Telecommunications, "Insider detection using combination of machine learning and expert policies," vol. 13, no. 5, pp. 389-396, 2024. DOI: 10.18178/ijeetc.13.5.389-396 DOI: https://doi.org/10.18178/ijeetc.13.5.389-396
[3] M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, "A survey of machine and deep learning methods for internet of things (IoT) security," IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1646-1685, 2020. DOI: 10.1109/COMST.2020.2988293 DOI: https://doi.org/10.1109/COMST.2020.2988293
[4] F. Hussain, R. Hussain, S. A. Hassan, and E. Hossain, "Machine learning in IoT security: Current solutions and future challenges," IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1686-1721, 2020. DOI: 10.1109/COMST.2020.2986444 DOI: https://doi.org/10.1109/COMST.2020.2986444
[5] N. Chaabouni, M. Mosbah, A. Zemmari, C. Sauvignac, and P. Faruki, "Network intrusion detection for IoT security based on learning techniques," IEEE Communications Surveys & Tutorials, vol. 21, no. 3, pp. 2671-2701, 2019. DOI: 10.1109/COMST.2019.2896380 DOI: https://doi.org/10.1109/COMST.2019.2896380
[6] B. Claise, "Cisco systems NetFlow services export version 9," RFC 3954, 2004. DOI: 10.17487/RFC3954 DOI: https://doi.org/10.17487/rfc3954
[7] R. Hofstede, P. Čeleda, B. Trammell, I. Drago, R. Sadre, A. Sperotto, and A. Pras, "Flow monitoring explained: From packet capture to data analysis with NetFlow and IPFIX," IEEE Communications Surveys & Tutorials, vol. 16, no. 4, pp. 2037-2064, 2014. DOI: 10.1109/COMST.2014.2321898 DOI: https://doi.org/10.1109/COMST.2014.2321898
[8] H. He and E. A. Garcia, "Learning from imbalanced data," IEEE Transactions on Knowledge and Data Engineering, vol. 21, no. 9, pp. 1263-1284, 2009. DOI: 10.1109/TKDE.2008.239 DOI: https://doi.org/10.1109/TKDE.2008.239
[9] S. Kaufman, S. Rosset, and C. Perlich, "Leakage in data mining: Formulation, detection, and avoidance," ACM Transactions on Knowledge Discovery from Data, vol. 6, no. 4, pp. 1-21, 2012. DOI: 10.1145/2382577.2382579 DOI: https://doi.org/10.1145/2382577.2382579
[10] I. Guyon and A. Elisseeff, "An introduction to variable and feature selection," Journal of Machine Learning Research, vol. 3, pp. 1157-1182, 2003.
[11] R. A. A. Habeeb, F. Nasaruddin, A. Gani, I. A. T. Hashem, E. Ahmed, and M. Imran, "Real-time big data processing for anomaly detection: A survey," International Journal of Information Management, vol. 45, pp. 289-307, 2019. DOI: 10.1016/j.ijinfomgt.2018.08.006 DOI: https://doi.org/10.1016/j.ijinfomgt.2018.08.006
[12] M. Sarhan, S. Layeghy, and M. Portmann, "Towards a standard feature set for network intrusion detection system datasets," Mobile Networks and Applications, vol. 27, pp. 357-370, 2022. DOI: 10.1007/s11036-021-01843-0 DOI: https://doi.org/10.1007/s11036-021-01843-0
[13] M. Al-Fawa'reh, A. Al-Fayoumi, and M. Al-Kasassbeh, "Intrusion detection for industrial internet of things based on deep learning," Journal of Ambient Intelligence and Humanized Computing, vol. 12, pp. 10289-10304, 2021. DOI: 10.1007/s12652-020-02794-2 DOI: https://doi.org/10.1007/s12652-020-02794-2
[14] Z. Maseer, R. Yusof, N. Bahaman, S. A. Mostafa, and C. F. M. Foozy, "Benchmarking of machine learning for anomaly based intrusion detection systems in the CICIDS2017 dataset," IEEE Access, vol. 9, pp. 22351-22370, 2021. DOI: 10.1109/ACCESS.2021.3056614 DOI: https://doi.org/10.1109/ACCESS.2021.3056614
[15] M. Sarhan, S. Layeghy, and M. Portmann, "NF-ToN-IoT-v2: A new NetFlow-based dataset for IoT intrusion detection," Data in Brief, vol. 42, p. 108164, 2022. DOI: 10.1016/j.dib.2022.108164 DOI: https://doi.org/10.1016/j.dib.2022.108164
[16] A. Hamdouchi, A. El Kalam, and A. Ouahman, "A deep learning approach for intrusion detection in IoT networks using NF-ToN-IoT dataset," in Proceedings of the International Conference on Advanced Technologies for Humanity, 2022, pp. 145-158.
[17] J. Kim, J. Kim, H. Kim, and M. Shim, "CNN-based network intrusion detection against denial-of-service attacks," Electronics, vol. 9, no. 6, p. 916, 2020. DOI: 10.3390/electronics9060916 DOI: https://doi.org/10.3390/electronics9060916
[18] L. Breiman, "Random forests," Machine Learning, vol. 45, no. 1, pp. 5-32, 2001. DOI: 10.1023/A:1010933404324 DOI: https://doi.org/10.1023/A:1010933404324
[19] T. Cover and P. Hart, "Nearest neighbor pattern classification," IEEE Transactions on Information Theory, vol. 13, no. 1, pp. 21-27, 1967. DOI: 10.1109/TIT.1967.1053964 DOI: https://doi.org/10.1109/TIT.1967.1053964
[20] D. E. Rumelhart, G. E. Hinton, and R. J. Williams, "Learning representations by back-propagating errors," Nature, vol. 323, pp. 533-536, 1986. DOI: 10.1038/323533a0 DOI: https://doi.org/10.1038/323533a0
[21] N. V. Chawla, K. W. Bowyer, L. O. Hall, and W. P. Kegelmeyer, "SMOTE: Synthetic minority over-sampling technique," Journal of Artificial Intelligence Research, vol. 16, pp. 321-357, 2002. DOI: 10.1613/jair.95 DOI: https://doi.org/10.1613/jair.953
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Journal of Basrah Researches (Sciences)

This work is licensed under a Creative Commons Attribution 4.0 International License.
This journal is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
Under this license, users are permitted to read, download, copy, distribute, print, search, link to the full texts of articles, and create derivative works, including for commercial purposes, provided that appropriate credit is given to the original author(s) and the source.
Authors retain the copyright of their published work, while granting the Journal of Basrah Researches Sciences (JBRS) the right of first publication. Proper attribution must include the article title, author name(s), journal name, DOI, and a link to the Creative Commons license.





