{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T16:07:45Z","timestamp":1780070865044,"version":"3.54.0"},"reference-count":42,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,1,21]],"date-time":"2021-01-21T00:00:00Z","timestamp":1611187200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,1,21]],"date-time":"2021-01-21T00:00:00Z","timestamp":1611187200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Wireless Com Network"],"published-print":{"date-parts":[[2021,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Internet of Things (IoT) devices are well-connected; they generate and consume data which involves transmission of data back and forth among various devices. Ensuring security of the data is a critical challenge as far as IoT is concerned. Since IoT devices are inherently low-power and do not require a lot of compute power, a Network Intrusion Detection System is typically employed to detect and remove malicious packets from entering the network. In the same context, we propose feature clusters in terms of Flow, Message Queuing Telemetry Transport (MQTT) and Transmission Control Protocol (TCP) by using features in UNSW-NB15 data-set. We eliminate problems like over-fitting, curse of dimensionality and imbalance in the data-set. We apply supervised Machine Learning (ML) algorithms, i.e., Random Forest (RF), Support Vector Machine and Artificial Neural Networks on the clusters. Using RF, we, respectively, achieve 98.67% and 97.37% of accuracy in binary and multi-class classification. In clusters based techniques, we achieved 96.96%, 91.4% and 97.54% of classification accuracy by using RF on Flow &amp; MQTT features, TCP features and top features from both clusters. Moreover, we show that the proposed feature clusters provide higher accuracy and requires lesser training time as compared to other state-of-the-art supervised ML-based approaches.<\/jats:p>","DOI":"10.1186\/s13638-021-01893-8","type":"journal-article","created":{"date-parts":[[2021,1,21]],"date-time":"2021-01-21T07:02:57Z","timestamp":1611212577000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":112,"title":["Intrusion detection in internet of things using supervised machine learning based on application and transport layer features using UNSW-NB15 data-set"],"prefix":"10.1186","volume":"2021","author":[{"given":"Muhammad","family":"Ahmad","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Qaiser","family":"Riaz","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4417-1365","authenticated-orcid":false,"given":"Muhammad","family":"Zeeshan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hasan","family":"Tahir","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Syed Ali","family":"Haider","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Muhammad Safeer","family":"Khan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2021,1,21]]},"reference":[{"key":"1893_CR1","unstructured":"WEF: The Global Risks Report 2019. (2019). https:\/\/www.weforum.org\/reports\/the-global-risks-report-2019. Accessed Mar 2019"},{"key":"1893_CR2","unstructured":"O. Yunger, Cybersecurity is a bubble, but it\u2019s not ready to burst. (2019). https:\/\/techcrunch.com\/2019\/10\/03\/cybersecurity-is-a-bubble-but-its-not-ready-to-burst\/. Accessed Mar 2019"},{"key":"1893_CR3","unstructured":"L. O\u2019Donnell, More Than Half of IoT Devices Vulnerable to Severe Attacks. (2020). https:\/\/threatpost.com\/half-iot-devices-vulnerable-severe-attacks\/153609\/. Accessed Mar 2019"},{"key":"1893_CR4","unstructured":"MIT: 1998 DARPA Intrusion Detection Evaluation Dataset. Lincoln Laboratory MIT (1998). https:\/\/www.ll.mit.edu\/r-d\/datasets\/1998-darpa-intrusion-detection-evaluation-dataset. Accessed Mar 2019"},{"key":"1893_CR5","unstructured":"UCI: KDD Cup 1999 Data. University of California, Irvine (1999). http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html. Accessed Mar 2019"},{"key":"1893_CR6","unstructured":"UNB: NSL-KDD dataset. University of New Brunswick (2009). https:\/\/www.unb.ca\/cic\/datasets\/nsl.html. Accessed Mar 2019"},{"key":"1893_CR7","doi-asserted-by":"publisher","unstructured":"N. Moustafa, J. Slay, UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set), in 2015 Military Communications and Information Systems Conference (MilCIS). (Springer, 2015), pp. 1\u20136. https:\/\/doi.org\/10.1109\/MilCIS.2015.7348942","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"1893_CR8","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2019.01.063","author":"M Lopez-Martin","year":"2019","unstructured":"M. Lopez-Martin, B. Carro, A. Sanchez-Esguevillas, J. Lloret, Shallow neural network with kernel approximation for prediction problems in highly demanding data networks. Expert Syst. Appl. (2019). https:\/\/doi.org\/10.1016\/j.eswa.2019.01.063","journal-title":"Expert Syst. Appl."},{"issue":"3","key":"1893_CR9","doi-asserted-by":"publisher","first-page":"4815","DOI":"10.1109\/JIOT.2018.2871719","volume":"6","author":"N Moustafa","year":"2019","unstructured":"N. Moustafa, B. Turnbull, K.R. Choo, An ensemble intrusion detection technique based on proposed statistical flow features for protecting network traffic of internet of things. IEEE Internet Things J. 6(3), 4815\u20134830 (2019). https:\/\/doi.org\/10.1109\/JIOT.2018.2871719","journal-title":"IEEE Internet Things J."},{"key":"1893_CR10","doi-asserted-by":"publisher","unstructured":"Y. Zhou, M. Han, L. Liu, J.S. He, Y. Wang, Deep learning approach for cyberattack detection, in IEEE INFOCOM 2018\u2014IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). (Springer, 2018), pp. 262\u2013267. https:\/\/doi.org\/10.1109\/INFCOMW.2018.8407032","DOI":"10.1109\/INFCOMW.2018.8407032"},{"key":"1893_CR11","doi-asserted-by":"publisher","unstructured":"V. Kumar, A. Das, D. Sinha, Statistical Analysis of the UNSW-NB15 Dataset for Intrusion Detection, pp. 279\u2013294 (2020). https:\/\/doi.org\/10.1007\/978-981-13-9042-5-24","DOI":"10.1007\/978-981-13-9042-5-24"},{"key":"1893_CR12","doi-asserted-by":"crossref","unstructured":"A. Javaid, Q. Niyaz, W. Sun, M. Alam, A deep learning approach for network intrusion detection system, in Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS). (Springer, 2016), pp. 21\u201326","DOI":"10.4108\/eai.3-12-2015.2262516"},{"issue":"2","key":"1893_CR13","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1007\/s12083-017-0630-0","volume":"12","author":"N Sultana","year":"2019","unstructured":"N. Sultana, N. Chilamkurti, W. Peng, R. Alhadad, Survey on SDN based network intrusion detection system using machine learning approaches. Peer Netw. Appl. 12(2), 493\u2013501 (2019)","journal-title":"Peer Netw. Appl."},{"key":"1893_CR14","doi-asserted-by":"publisher","first-page":"148","DOI":"10.1016\/j.cose.2018.11.005","volume":"81","author":"B Selvakumar","year":"2019","unstructured":"B. Selvakumar, K. Muneeswaran, Firefly algorithm based feature selection for network intrusion detection. Comput. Secur. 81, 148\u2013155 (2019)","journal-title":"Comput. Secur."},{"key":"1893_CR15","doi-asserted-by":"crossref","unstructured":"A. Azab, M. Alazab, M. Aiash, Machine learning based botnet identification traffic, in 2016 IEEE Trustcom\/BigDataSE\/ISPA. (IEEE, 2016), pp. 1788\u20131794","DOI":"10.1109\/TrustCom.2016.0275"},{"issue":"23\u201324","key":"1893_CR16","doi-asserted-by":"publisher","first-page":"2435","DOI":"10.1016\/S1389-1286(99)00112-7","volume":"31","author":"V Paxson","year":"1999","unstructured":"V. Paxson, Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23\u201324), 2435\u20132463 (1999). https:\/\/doi.org\/10.1016\/S1389-1286(99)00112-7","journal-title":"Comput. Netw."},{"issue":"1","key":"1893_CR17","first-page":"136","volume":"56","author":"RC Staudemeyer","year":"2015","unstructured":"R.C. Staudemeyer, Applying long short-term memory recurrent neural networks to intrusion detection. South Afr. Comput. J. 56(1), 136\u2013154 (2015)","journal-title":"South Afr. Comput. J."},{"issue":"4","key":"1893_CR18","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1145\/382912.382914","volume":"3","author":"W Lee","year":"2000","unstructured":"W. Lee, S.J. Stolfo, A framework for constructing features and models for intrusion detection systems. ACM Trans. Inf. Syst. Secur. (TiSSEC) 3(4), 227\u2013261 (2000)","journal-title":"ACM Trans. Inf. Syst. Secur. (TiSSEC)"},{"key":"1893_CR19","first-page":"1954","volume":"4","author":"A \u00d6zg\u00fcr","year":"2016","unstructured":"A. \u00d6zg\u00fcr, H. Erdem, A review of kdd99 dataset usage in intrusion detection and machine learning between 2010 and 2015. PeerJ Preprints 4, 1954\u20131 (2016)","journal-title":"PeerJ Preprints"},{"key":"1893_CR20","doi-asserted-by":"crossref","unstructured":"R.C. Agarwal, M.V. Joshi, Pnrule: A new framework for learning classifier models in data mining (a case-study in network intrusion detection), in SDM (2001)","DOI":"10.1137\/1.9781611972719.29"},{"key":"1893_CR21","unstructured":"H.G. Kayacik, A.N. Zincir-Heywood, M.I. Heywood, Selecting features for intrusion detection: a feature relevance analysis on KDD 99 intrusion detection datasets, in Proceedings of the Third Annual Conference on Privacy, Security and Trust 94, 1722\u20131723 (2005)"},{"issue":"5","key":"1893_CR22","doi-asserted-by":"publisher","first-page":"649","DOI":"10.1109\/TSMCC.2008.923876","volume":"38","author":"J Zhang","year":"2008","unstructured":"J. Zhang, M. Zulkernine, A. Haque, Random-forests-based network intrusion detection systems. IEEE Trans. Syst. Man Cybernet. Part C (Appl. Rev.) 38(5), 649\u2013659 (2008)","journal-title":"IEEE Trans. Syst. Man Cybernet. Part C (Appl. Rev.)"},{"key":"1893_CR23","doi-asserted-by":"publisher","first-page":"376","DOI":"10.1016\/j.future.2014.06.001","volume":"55","author":"MS Huda","year":"2016","unstructured":"M.S. Huda, J.H. Abawajy, M. Alazab, M. Abdollahian, M.R. Islam, J. Yearwood, Hybrids of support vector machine wrapper and filter based framework for malware detection. Future Gener. Comput. Syst. 55, 376\u2013390 (2016)","journal-title":"Future Gener. Comput. Syst."},{"issue":"11","key":"1893_CR24","first-page":"2878","volume":"9","author":"M Alazab","year":"2014","unstructured":"M. Alazab, S. Huda, J. Abawajy, R. Islam, J. Yearwood, S. Venkatraman, R. Broadhurst, A hybrid wrapper-filter approach for malware detection. J. Netw. 9(11), 2878\u20132891 (2014)","journal-title":"J. Netw."},{"issue":"3","key":"1893_CR25","doi-asserted-by":"publisher","first-page":"773","DOI":"10.1109\/TIFS.2018.2866319","volume":"14","author":"T Kim","year":"2018","unstructured":"T. Kim, B. Kang, M. Rho, S. Sezer, E.G. Im, A multimodal deep learning method for android malware detection using various features. IEEE Trans. Inf. Forens. Secur. 14(3), 773\u2013788 (2018)","journal-title":"IEEE Trans. Inf. Forens. Secur."},{"issue":"2","key":"1893_CR26","doi-asserted-by":"publisher","first-page":"577","DOI":"10.1109\/TSMCB.2007.914695","volume":"38","author":"W Hu","year":"2008","unstructured":"W. Hu, W. Hu, S. Maybank, Adaboost-based algorithm for network intrusion detection. IEEE Trans. Syst. Man Cybernet. Part B (Cybernet.) 38(2), 577\u2013583 (2008)","journal-title":"IEEE Trans. Syst. Man Cybernet. Part B (Cybernet.)"},{"key":"1893_CR27","doi-asserted-by":"crossref","unstructured":"L. Ert\u00f6z, M. Steinbach, V. Kumar, Finding clusters of different sizes, shapes, and densities in noisy, high dimensional data, in Proceedings of the 2003 SIAM International Conference on Data Mining. (SIAM, 2003), pp. 47\u201358","DOI":"10.1137\/1.9781611972733.5"},{"key":"1893_CR28","doi-asserted-by":"crossref","unstructured":"A. Valdes, K. Skinner, Adaptive, model-based monitoring for cyber attack detection, in International Workshop on Recent Advances in Intrusion Detection, (Springer, 2000), pp. 80\u201393","DOI":"10.1007\/3-540-39945-3_6"},{"key":"1893_CR29","doi-asserted-by":"crossref","unstructured":"D.-Y. Yeung, C. Chow, Parzen-window network intrusion detectors, in Object Recognition Supported by User Interaction for Service Robots, vol. 4, (IEEE, 2002), pp. 385\u2013388","DOI":"10.1109\/ICPR.2002.1047476"},{"key":"1893_CR30","unstructured":"W. Li, Using genetic algorithm for network intrusion detection, in Proceedings of the United States Department of Energy Cyber Security Group, vol. 1, pp. 1\u20138 (2004)"},{"key":"1893_CR31","unstructured":"L. Didaci, G. Giacinto, F. Roli, Ensemble learning for intrusion detection in computer networks, in Workshop Machine Learning Methods Applications, Siena, Italy (2002)"},{"issue":"8","key":"1893_CR32","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1016\/j.cose.2011.08.009","volume":"30","author":"C Kolias","year":"2011","unstructured":"C. Kolias, G. Kambourakis, M. Maragoudakis, Swarm intelligence in intrusion detection: a survey. Comput. Secur. 30(8), 625\u2013642 (2011)","journal-title":"Comput. Secur."},{"key":"1893_CR33","doi-asserted-by":"publisher","first-page":"295","DOI":"10.1007\/978-3-642-20505-7_26","volume":"96","author":"MA Salama","year":"2011","unstructured":"M.A. Salama, H. Eid, R. Ramadan, A. Darwish, A.E. Hassanien, Hybrid intelligent intrusion detection scheme. Adv. Intell. Soft Comput. 96, 295\u2013302 (2011). https:\/\/doi.org\/10.1007\/978-3-642-20505-7_26","journal-title":"Adv. Intell. Soft Comput."},{"key":"1893_CR34","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1016\/j.neucom.2012.11.050","volume":"122","author":"U Fiore","year":"2013","unstructured":"U. Fiore, F. Palmieri, A. Castiglione, A. De Santis, Network anomaly detection with the restricted Boltzmann machine. Neurocomputing 122, 13\u201323 (2013)","journal-title":"Neurocomputing"},{"key":"1893_CR35","doi-asserted-by":"crossref","unstructured":"S. Thaseen, C.A. Kumar, An analysis of supervised tree based classifiers for intrusion detection system, in 2013 International Conference on Pattern Recognition, Informatics and Mobile Engineering, (IEEE, 2013), pp. 294\u2013299","DOI":"10.1109\/ICPRIME.2013.6496489"},{"key":"1893_CR36","doi-asserted-by":"publisher","DOI":"10.1080\/08874417.2019.1688731","author":"L Wang","year":"2020","unstructured":"L. Wang, R. Jones, Big data analytics in cyber security: network traffic and attacks. J. Comput. Inf. Syst. (2020). https:\/\/doi.org\/10.1080\/08874417.2019.1688731","journal-title":"J. Comput. Inf. Syst."},{"key":"1893_CR37","doi-asserted-by":"publisher","first-page":"294","DOI":"10.1016\/j.neucom.2019.02.047","volume":"340","author":"NG Bhuvaneswari Amma","year":"2019","unstructured":"N.G. Bhuvaneswari Amma, S. Selvakumar, Deep radial intelligence with cumulative incarnation approach for detecting denial of service attacks. Neurocomputing 340, 294\u2013308 (2019). https:\/\/doi.org\/10.1016\/j.neucom.2019.02.047","journal-title":"Neurocomputing"},{"key":"1893_CR38","doi-asserted-by":"publisher","unstructured":"N. Moustafa, J. Slay, The significant features of the UNSW-NB15 and the KDD99 data sets for network intrusion detection systems, in 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS). (Springer, 2015), pp. 25\u201331. https:\/\/doi.org\/10.1109\/BADGERS.2015.014","DOI":"10.1109\/BADGERS.2015.014"},{"key":"1893_CR39","doi-asserted-by":"publisher","unstructured":"T. Janarthanan, S. Zargari, Feature selection in UNSW-NB15 and KDDCUP\u201999 datasets, in 2017 IEEE 26th International Symposium on Industrial Electronics (ISIE), pp. 1881\u20131886 (2017). https:\/\/doi.org\/10.1109\/ISIE.2017.8001537","DOI":"10.1109\/ISIE.2017.8001537"},{"key":"1893_CR40","unstructured":"M.L. Group, Weka 3: Machine Learning Software in Java. University of Waikato. https:\/\/www.cs.waikato.ac.nz\/ml\/weka\/. Accessed Mar 2019"},{"key":"1893_CR41","first-page":"30","volume-title":"Mobile Networks and Management","author":"N Koroniotis","year":"2018","unstructured":"N. Koroniotis, N. Moustafa, E. Sitnikova, J. Slay, Towards developing network forensic mechanism for botnet activities in the IOT based on machine learning techniques, in Mobile Networks and Management, ed. by J. Hu, I. Khalil, Z. Tari, S. Wen (Springer, Cham, 2018), pp. 30\u201344"},{"key":"1893_CR42","unstructured":"W. Badr, Having an Imbalanced Dataset? Here Is How You Can Fix It. Online (2019). https:\/\/towardsdatascience.com\/having-an-imbalanced-dataset-here-is-how-you-can-solve-it-1640568947eb"}],"container-title":["EURASIP Journal on Wireless Communications and Networking"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s13638-021-01893-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1186\/s13638-021-01893-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s13638-021-01893-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,8,22]],"date-time":"2024-08-22T19:39:55Z","timestamp":1724355595000},"score":1,"resource":{"primary":{"URL":"https:\/\/jwcn-eurasipjournals.springeropen.com\/articles\/10.1186\/s13638-021-01893-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,21]]},"references-count":42,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,12]]}},"alternative-id":["1893"],"URL":"https:\/\/doi.org\/10.1186\/s13638-021-01893-8","relation":{},"ISSN":["1687-1499"],"issn-type":[{"value":"1687-1499","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1,21]]},"assertion":[{"value":"26 May 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 January 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 January 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors declare that they have no competing interests.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"10"}}