{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T13:46:14Z","timestamp":1768484774360,"version":"3.49.0"},"reference-count":47,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2020,11,23]],"date-time":"2020-11-23T00:00:00Z","timestamp":1606089600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,11,23]],"date-time":"2020-11-23T00:00:00Z","timestamp":1606089600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cloud Comp"],"published-print":{"date-parts":[[2020,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The growth of the Internet of things (IoT) has ushered in a new area of inter-connectivity and innovation in the home. Many devices, once separate, can now be interacted with remotely, improving efficiency and organization. This, however, comes at the cost of rising security vulnerabilities. Vendors are competing to create and release quickly innovative connected objects, without focusing on the security issues. As a consequence, attacks involving smart devices, or targeting them, are proliferating, creating threats to user\u2019s privacy and even their physical security. Additionally, the heterogeneous technologies involved in IoT make attempts to develop protection on smart devices much harder. Most of the intrusion detection systems developed for those platforms are based on network activity. However, on many systems, intrusions cannot easily or reliably be detected from network traces. We propose a novel host-based automated framework for intrusion detection. 
Our work combines user space and kernel space information and machine learning techniques to detect various kinds of intrusions in smart devices. Our solution uses tracing techniques to automatically get devices' behavior, processes this data into numeric arrays to train several machine learning algorithms, and raises alerts whenever an intrusion is found. We implemented several machine learning algorithms, including deep learning ones, to achieve high detection capabilities, while adding little overhead on the monitored devices. We tested our solution within a realistic home automation system with actual threats.<\/jats:p>","DOI":"10.1186\/s13677-020-00206-6","type":"journal-article","created":{"date-parts":[[2020,11,23]],"date-time":"2020-11-23T10:03:55Z","timestamp":1606125835000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":70,"title":["Multi-level host-based intrusion detection system for Internet of things"],"prefix":"10.1186","volume":"9","author":[{"given":"Robin","family":"Gassais","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1435-6297","authenticated-orcid":false,"given":"Naser","family":"Ezzati-Jivan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jose M.","family":"Fernandez","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Aloise","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michel R.","family":"Dagenais","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2020,11,23]]},"reference":[{"key":"206_CR1","unstructured":"Evans D (2011) The internet of things: How the next evolution of the internet is changing everything. 
https:\/\/www.cisco.com\/c\/dam\/en_us\/about\/ac79\/docs\/innov\/IoT_IBSG_0411FINAL.pdf."},{"issue":"15","key":"206_CR2","doi-asserted-by":"publisher","first-page":"2787","DOI":"10.1016\/j.comnet.2010.05.010","volume":"54","author":"L Atzori","year":"2010","unstructured":"Atzori L, Iera A, Morabito G (2010) The internet of things: A survey. Comput Netw 54(15):2787\u20132805. https:\/\/doi.org\/10.1016\/j.comnet.2010.05.010.","journal-title":"Comput Netw"},{"key":"206_CR3","doi-asserted-by":"publisher","unstructured":"Kambourakis G, Kolias C, Stavrou A (2017) The mirai botnet and the iot zombie armies In: MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM), 267\u2013272.. IEEE. https:\/\/doi.org\/10.1109\/MILCOM.2017.8170867.","DOI":"10.1109\/MILCOM.2017.8170867"},{"key":"206_CR4","unstructured":"OWASP OWASP top 10 IoT vulnerabilities. https:\/\/www.owasp.org\/index.php\/Top_IoT_Vulnerabilities."},{"key":"206_CR5","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1016\/j.jnca.2017.02.009","volume":"84","author":"BB Zarpel\u00e3o","year":"2017","unstructured":"Zarpel\u00e3o BB, Miani RS, Kawakani CT, de Alvarenga SC (2017) A survey of intrusion detection in internet of things. J Netw Comput Appl 84:25\u201337. https:\/\/doi.org\/10.1016\/j.jnca.2017.02.009.","journal-title":"J Netw Comput Appl"},{"key":"206_CR6","unstructured":"Bray R, Cid D (2008) OSSEc host-based intrusion detection guide."},{"key":"206_CR7","unstructured":"Security QI The sagan log analysis engine. https:\/\/quadrantsec.com\/sagan_log_analysis_engine\/."},{"issue":"14","key":"206_CR8","doi-asserted-by":"publisher","first-page":"3188","DOI":"10.3390\/s19143188","volume":"19","author":"VH Bezerra","year":"2019","unstructured":"Bezerra VH, da Costa VGT, Barbon Junior S, Miani RS, Zarpel\u00e3o BB (2019) Iotds: A one-class classification approach to detect botnets in internet of things devices. Sensors 19(14):3188. 
https:\/\/doi.org\/10.3390\/s19143188.","journal-title":"Sensors"},{"key":"206_CR9","unstructured":"Breitenbacher D, Homoliak I, Aung YL, Tippenhauer NO, Elovici Y (2019) Hades-iot: A practical host-based anomaly detection system for iot devices (extended version). CoRR abs\/1905.01027. http:\/\/arxiv.org\/abs\/1905.01027."},{"key":"206_CR10","unstructured":"Cheng S-T, Wang C-H, Horng G-J (2008) Osgi-based smart home architecture for heterogeneous network In: 2008 3rd International Conference on Sensing Technology, 527\u2013532.. IEEE."},{"issue":"7","key":"206_CR11","doi-asserted-by":"publisher","first-page":"1645","DOI":"10.1016\/j.future.2013.01.010","volume":"29","author":"J Gubbi","year":"2013","unstructured":"Gubbi J, Buyya R, Marusic S, Palaniswami M (2013) Internet of things (iot): A vision, architectural elements, and future directions. Futur Gener Comput Syst 29(7):1645\u20131660. https:\/\/doi.org\/10.1016\/j.future.2013.01.010. Including Special sections: Cyber-enabled Distributed Computing for Ubiquitous Cloud and Network Services & Cloud Computing and Scientific Applications \u2013 Big Data, Scalable Analytics, and Beyond.","journal-title":"Futur Gener Comput Syst"},{"key":"206_CR12","doi-asserted-by":"publisher","first-page":"358","DOI":"10.1016\/j.future.2016.10.026","volume":"76","author":"TKL Hui","year":"2017","unstructured":"Hui TKL, Sherratt RS, S\u00e1nchez DD (2017) Major requirements for building smart homes in smart cities based on internet of things technologies. Futur Gener Comput Syst 76:358\u2013369. https:\/\/doi.org\/10.1016\/j.future.2016.10.026.","journal-title":"Futur Gener Comput Syst"},{"key":"206_CR13","unstructured":"Acosta Padilla FJ, Baccelli E, Eichinger T, Schleiser K (2016) The future of IoT software must be updated In: IAB Workshop on Internet of Things Software Update (IoTSU), Dublin, Ireland. https:\/\/hal.inria.fr\/hal-01369681. 
Internet Architecture Board (IAB)."},{"key":"206_CR14","unstructured":"Antonakakis M, April T, Bailey M, Bernhard M, Bursztein E, Cochran J, Durumeric Z, Halderman JA, Invernizzi L, Kallitsis M, et al (2017) Understanding the mirai botnet In: USENIX Security Symposium, 1092\u20131110."},{"key":"206_CR15","doi-asserted-by":"publisher","unstructured":"Saxena U, Sodhi JS, Singh Y (2017) Analysis of security attacks in a smart home networks In: 2017 7th International Conference on Cloud Computing, Data Science Engineering - Confluence, 431\u2013436.. IEEE. https:\/\/doi.org\/10.1109\/CONFLUENCE.2017.7943189.","DOI":"10.1109\/CONFLUENCE.2017.7943189"},{"key":"206_CR16","unstructured":"Sikder AK, Petracca G, Aksu H, Jaeger T, Uluagac AS (2018) A survey on sensor-based threats to internet-of-things (iot) devices and applications. CoRR abs\/1802.02041."},{"key":"206_CR17","doi-asserted-by":"crossref","unstructured":"Babar S, Stango A, Prasad N, Sen J, Prasad R (2011) Proposed embedded security framework for internet of things (iot) In: Wireless Communication, Vehicular Technology, Information Theory and Aerospace & Electronic Systems Technology (Wireless VITAE), 2011 2nd International Conference On, 1\u20135.. IEEE.","DOI":"10.1109\/WIRELESSVITAE.2011.5940923"},{"key":"206_CR18","unstructured":"Wagner C, Dulaunoy A, Wagener G, Mokkadem S (2017) An extended analysis of an iot malware from a blackhole network."},{"issue":"7","key":"206_CR19","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1109\/MC.2017.201","volume":"50","author":"C Kolias","year":"2017","unstructured":"Kolias C, Kambourakis G, Stavrou A, Voas J (2017) Ddos in the iot: Mirai and other botnets. Computer 50(7):80\u201384. 
https:\/\/doi.org\/10.1109\/MC.2017.201.","journal-title":"Computer"},{"key":"206_CR20","doi-asserted-by":"publisher","unstructured":"Sabahi F, Movaghar A (2008) Intrusion detection: A survey In: 2008 Third International Conference on Systems and Networks Communications, 23\u201326.. IEEE. https:\/\/doi.org\/10.1109\/ICSNC.2008.44.","DOI":"10.1109\/ICSNC.2008.44"},{"key":"206_CR21","doi-asserted-by":"publisher","unstructured":"Nobakht M, Sivaraman V, Boreli R (2016) A host-based intrusion detection and mitigation framework for smart home iot using openflow In: 2016 11th International Conference on Availability, Reliability and Security (ARES), 147\u2013156.. IEEE. https:\/\/doi.org\/10.1109\/ARES.2016.64.","DOI":"10.1109\/ARES.2016.64"},{"key":"206_CR22","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1145\/2046614.2046619","volume-title":"Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM \u201911","author":"I Burguera","year":"2011","unstructured":"Burguera I, Zurutuza U, Nadjm-Tehrani S (2011) Crowdroid: Behavior-based malware detection system for android In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM \u201911, 15\u201326.. ACM, New York, NY, USA. https:\/\/doi.org\/10.1145\/2046614.2046619."},{"key":"206_CR23","doi-asserted-by":"publisher","unstructured":"Eskandari S, Khreich W, Murtaza SS, Hamou-Lhadj A, Couture M (2013) Monitoring system calls for anomaly detection in modern operating systems In: 2013 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), 19\u201320.. IEEE. https:\/\/doi.org\/10.1109\/ISSREW.2013.6688856.","DOI":"10.1109\/ISSREW.2013.6688856"},{"issue":"3","key":"206_CR24","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1145\/1541880.1541882","volume":"41","author":"V Chandola","year":"2009","unstructured":"Chandola V, Banerjee A, Kumar V (2009) Anomaly detection: A survey. 
ACM Comput Surv 41(3):15\u201311558. https:\/\/doi.org\/10.1145\/1541880.1541882.","journal-title":"ACM Comput Surv"},{"key":"206_CR25","doi-asserted-by":"publisher","unstructured":"Murtaza SS, Sultana A, Hamou-Lhadj A, Couture M (2012) On the comparison of user space and kernel space traces in identification of software anomalies In: 2012 16th European Conference on Software Maintenance and Reengineering, 127\u2013136.. IEEE. https:\/\/doi.org\/10.1109\/CSMR.2012.23.","DOI":"10.1109\/CSMR.2012.23"},{"key":"206_CR26","doi-asserted-by":"publisher","unstructured":"Murtaza SS, Hamou-Lhadj A, Khreich W, Couture M (2014) Total ads: Automated software anomaly detection system In: 2014 IEEE 14th International Working Conference on Source Code Analysis and Manipulation, 83\u201388. https:\/\/doi.org\/10.1109\/SCAM.2014.37.","DOI":"10.1109\/SCAM.2014.37"},{"key":"206_CR27","doi-asserted-by":"crossref","unstructured":"Chandola V, Banerjee A, Kumar V (2012) Anomaly detection for discrete sequences: A survey 24:1\u20131.","DOI":"10.1109\/TKDE.2010.235"},{"issue":"3","key":"206_CR28","doi-asserted-by":"publisher","first-page":"264","DOI":"10.1145\/331499.331504","volume":"31","author":"AK Jain","year":"1999","unstructured":"Jain AK, Murty MN, Flynn PJ (1999) Data clustering: A review. ACM Comput Surv 31(3):264\u2013323. 
https:\/\/doi.org\/10.1145\/331499.331504.","journal-title":"ACM Comput Surv"},{"key":"206_CR29","unstructured":"Shende S (1999) Profiling and tracing in linux."},{"key":"206_CR30","unstructured":"\u00c9cole Polytechnique De Montr\u00e9al, Dagenais MR, \u00c9cole Polytechnique De Montr\u00e9al The LTTng tracer: A low impact performance and behavior monitor for GNU\/Linux Mathieu Desnoyers."},{"key":"206_CR31","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1007\/s11219-016-9311-0","volume":"25","author":"F Wininger","year":"2016","unstructured":"Wininger F, Jivan NE, Dagenais M (2016) A declarative framework for stateful analysis of execution traces. Softw Qual J 25:201\u2013229.","journal-title":"Softw Qual J"},{"key":"206_CR32","unstructured":"Desnoyers M, Dagenais M (2009) Deploying lttng on exotic embedded architectures In: Embedded Linux Conference, vol. 2009."},{"key":"206_CR33","unstructured":"Proulx P Tracing bare-metal systems: a multi-core story - LTTng. https:\/\/lttng.org\/blog\/2014\/11\/25\/tracing-bare-metal-systems\/."},{"issue":"1","key":"206_CR34","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1186\/s13639-016-0067-1","volume":"2017","author":"T Bertauld","year":"2017","unstructured":"Bertauld T, Dagenais MR (2017) Low-level trace correlation on heterogeneous embedded systems. EURASIP J Embed Syst 2017(1):18. https:\/\/doi.org\/10.1186\/s13639-016-0067-1.","journal-title":"EURASIP J Embed Syst"},{"issue":"8","key":"206_CR35","doi-asserted-by":"publisher","first-page":"1798","DOI":"10.1109\/TPAMI.2013.50","volume":"35","author":"Y Bengio","year":"2013","unstructured":"Bengio Y, Courville A, Vincent P (2013) Representation learning: A review and new perspectives. 
IEEE Trans Pattern Anal Mach Intell 35(8):1798\u20131828.","journal-title":"IEEE Trans Pattern Anal Mach Intell"},{"key":"206_CR36","doi-asserted-by":"publisher","first-page":"6","DOI":"10.1155\/2012\/140368","volume":"2012","author":"N Ezzati-Jivan","year":"2012","unstructured":"Ezzati-Jivan N, Dagenais MR (2012) A stateful approach to generate synthetic events from kernel traces. Adv Soft Eng 2012:6\u2013666. https:\/\/doi.org\/10.1155\/2012\/140368.","journal-title":"Adv Soft Eng"},{"key":"206_CR37","unstructured":"Feurer M, Klein A, Eggensperger K, Springenberg J, Blum M, Hutter F (2015) Efficient and robust automated machine learning. In: Cortes C, Lawrence ND, Lee DD, Sugiyama M, Garnett R (eds)Advances in Neural Information Processing Systems 28, 2962\u20132970.. Curran Associates, Inc.http:\/\/papers.nips.cc\/paper\/5872-efficient-and-robust-automated-machine-learning.pdf."},{"key":"206_CR38","doi-asserted-by":"publisher","first-page":"255","DOI":"10.1145\/586110.586145","volume-title":"Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS \u201902","author":"D Wagner","year":"2002","unstructured":"Wagner D, Soto P (2002) Mimicry attacks on host-based intrusion detection systems In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS \u201902, 255\u2013264.. ACM, New York, NY, USA. https:\/\/doi.org\/10.1145\/586110.586145."},{"key":"206_CR39","unstructured":"Homoliak I, Teknos M, Ochoa M, Breitenbacher D, Hosseini S, Han\u00e1cek P (2018) Improving network intrusion detection classifiers by non-payload-based exploit-independent obfuscations: An adversarial approach. CoRR abs\/1805.02684. 
http:\/\/arxiv.org\/abs\/1805.02684."},{"key":"206_CR40","doi-asserted-by":"crossref","unstructured":"Holik F, Horalek J, Marik O, Neradova S, Zitta S (2014) Effective penetration testing with metasploit framework and methodologies In: 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI), 237\u2013242.. IEEE.","DOI":"10.1109\/CINTI.2014.7028682"},{"key":"206_CR41","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-319-20550-2_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"A Kharraz","year":"2015","unstructured":"Kharraz A, Robertson W, Balzarotti D, Bilge L, Kirda E (2015) Cutting the gordian knot: A look under the hood of ransomware attacks. In: Almgren M, Gulisano V, Maggi F (eds)Detection of Intrusions and Malware, and Vulnerability Assessment, 3\u201324.. Springer, Cham."},{"issue":"1","key":"206_CR42","first-page":"25","volume":"30","author":"S Kotsiantis","year":"2006","unstructured":"Kotsiantis S, Kanellopoulos D, Pintelas P, et al (2006) Handling imbalanced datasets: A review. GESTS Int Trans Comput Sci Eng 30(1):25\u201336.","journal-title":"GESTS Int Trans Comput Sci Eng"},{"key":"206_CR43","first-page":"729","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"F Pendlebury","year":"2019","unstructured":"Pendlebury F, Pierazzi F, Jordaney R, Kinder J, Cavallaro L (2019) TESSERACT: Eliminating experimental bias in malware classification across space and time In: 28th USENIX Security Symposium (USENIX Security 19), 729\u2013746.. USENIX Association, Santa Clara, CA. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/pendlebury."},{"key":"206_CR44","doi-asserted-by":"publisher","unstructured":"Abd Rani K, Abd Rahman HA, Fong S, Zuraida K, Abdullah N (2013) An application of oversampling, undersampling, bagging and boosting in handling imbalanced dataset 285. 
https:\/\/doi.org\/10.1007\/978-981-4585-18-7-2.","DOI":"10.1007\/978-981-4585-18-7-2"},{"key":"206_CR45","unstructured":"Hsu C-W, Chang C-C, Lin C-J (2003) A practical guide to support vector classification."},{"issue":"3","key":"206_CR46","doi-asserted-by":"publisher","first-page":"542","DOI":"10.1109\/TNN.2009.2015974","volume":"20","author":"O Chapelle","year":"2009","unstructured":"Chapelle O, Scholkopf B, Zien, Eds. A (2009) Semi-supervised learning (chapelle, o. et al., eds.; 2006) [book reviews]. IEEE Trans Neural Netw 20(3):542\u2013542.","journal-title":"IEEE Trans Neural Netw"},{"key":"206_CR47","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1080\/09540091.2018.1560394","volume":"31","author":"D Devi","year":"2019","unstructured":"Devi D, Biswas S, Purkayastha B (2019) Learning in presence of class imbalance and class overlapping by using one-class svm and undersampling technique. Connect Sci 31:1\u201338. https:\/\/doi.org\/10.1080\/09540091.2018.1560394.","journal-title":"Connect Sci"}],"container-title":["Journal of Cloud 
Computing"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s13677-020-00206-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1186\/s13677-020-00206-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s13677-020-00206-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,11,23]],"date-time":"2020-11-23T10:33:39Z","timestamp":1606127619000},"score":1,"resource":{"primary":{"URL":"https:\/\/journalofcloudcomputing.springeropen.com\/articles\/10.1186\/s13677-020-00206-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,23]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,12]]}},"alternative-id":["206"],"URL":"https:\/\/doi.org\/10.1186\/s13677-020-00206-6","relation":{},"ISSN":["2192-113X"],"issn-type":[{"value":"2192-113X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,11,23]]},"assertion":[{"value":"29 January 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 October 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 November 2020","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors declare that they have no competing interests.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"62"}}