1 Introduction

Currently, the Internet of Things (IoT) [1,2,3,4] is the most actively addressed area for researchers, as it still requires further development in many aspects. The term IoT is defined by various authors from different perspectives. It can be defined as “A smart world where people live in a smarter way among smart objects and things”. It is predicted that, in the near future, the technologies of wireless networks with sensors and invisible embedded information systems will gradually become essential components of the human environment [5]. The technologies involved in deploying the IoT are radio-frequency identification (RFID), near-field communications (NFC), machine-to-machine communications (M2M), and vehicular-to-vehicular communications (V2V) [6,7,8,9,10]. IoT can be classified as a network of connected things like RFID tags, actuators, sensors, smart phones, and other handheld and mobile wireless devices [11]. The motivation is to share, embed, and exchange real-world data among all the involved objects in a network [12, 13].

In IoT, the data are collected via sensors and then sent through wired or wireless communication channels in networks. The communication system should be able to handle an enormous amount of data from a huge number of sensors without any loss and should be secured from external interfaces [14, 15]. Due to the resource-constrained nature and unattended operational environment of the devices involved in IoT, it is an important issue for researchers to propose and implement effective and efficient security approaches in such systems. Moreover, IoT is prone to different security issues as it uses the Internet infrastructure for the exchange of information among various heterogeneous ends [16, 17]. For any IoT system, the essential security objectives are to ensure an appropriate authentication mechanism and to deliver integrity and confidentiality of the data. A threat to any of these areas could create unavoidable issues for the system. The availability of the services of objects in such systems is always desirable, and it may be disrupted by malicious intruders using a denial-of-service (DoS) attack. DoS attacks can be generated on various layers of sensor networks, starting from the physical layer up to the application layer [16]. Moreover, such attacks in RFID technology lead to a temporary or sometimes permanent breakdown in reading RFID tags. DoS attacks cause an RFID tag to misbehave or give wrong data under the scan. These DoS attacks can be initiated from remote locations and in a distributed manner, known as distributed DoS (DDoS) attacks.

Due to the complexity and heterogeneity of connected objects in IoT networks, the DDoS attack is the most common attack on the network layer of the IoT infrastructure. These attacks are carried out for two main purposes: (1) to bring down the system and (2) to aid a spoofing or authentication attack [18, 19]. The network layer of IoT is also vulnerable to Trojan horses, viruses, spam and some other attacks which cause unavailability of resources, information disclosure and network paralysis.

By using a secure intrusion detection system (IDS), timely prevention and detection of DDoS attacks is possible [20, 21]. The IDSs use agents for data collection and for monitoring of network data traffic and nodes’ behaviors. An agent is a software entity that is capable of performing autonomous activities in its environment, in a flexible and intelligent manner, to achieve its particular goal. Thus, a multi-agent system (MAS) is a system comprising a collection of autonomous agents that can collaborate with each other to learn and exchange experiences. The cooperation among various agents is generally achieved by means of communication. Bayesian classification is a supervised learning method and also a statistical method for classification. It is a probabilistic model which enables us to handle uncertainty about a model in a principled way by using probabilities of the results. It can be used to answer diagnostic and predictive questions. In order to check the efficacy of the NSL-KDD dataset, a Naïve Bayes classifier algorithm is used to model the normal and abnormal network activity. The Naïve Bayes classifier is a supervised learning algorithm based on applying Bayes’ theorem [22, 23]. It is one of the simplest models that can be used for classification and prediction.

1.1 Contribution

Our proposed Naïve Bayesian algorithm with multi-agent-based IDS (NB-MAIDS), against the potential threats of DDoS attacks in IoT, is based on the Naïve Bayes classifier algorithm along with the implementation of multi-agents throughout the network. The agents gather information through sensors. Afterward, the gathered information is analyzed for further processing. The attacks can be prevented by reporting information about the malicious nodes’ activities to either the connected IoT objects or the administrator. Moreover, IDS-based systems are more feasible for the IoT environment due to their lower implementation and execution costs.

The rest of the paper is organized as follows. Section 2 presents the preliminaries and related work. Section 3 discusses our proposed scheme. The simulation results are presented in Sect. 4. Finally, conclusions are drawn in Sect. 5.

2 Preliminaries and related work

This section includes the basic concepts needed to be understood before implementing our work and a brief survey on the work related to our proposed scheme.

2.1 DDoS attacks

The DoS and DDoS attacks are indeed very serious issues for security in the Internet. The primary goal of such attacks is to disrupt services by flooding the network with a huge amount of unnecessary traffic. DDoS is relatively simple but one of the most powerful types of attack. Protection against DDoS flooding attacks is of tremendous interest to security professionals. A DDoS flooding attack is massive, integrated and generally explicit in nature, and attempts to exhaust the victim’s bandwidth or disrupt legitimate users’ access to the system services [24, 25]. There are two prime techniques to launch DDoS attacks in Internet-based systems like IoT. The first technique is that attackers send some malformed packets to the victim to confuse a protocol or application running on it. The other technique is the most common one, in which attackers try to do one or both of the following:

  (a) The attackers disrupt a legitimate user’s services by exhausting the server resources such as memory, CPU, sockets, I/O bandwidth and disk/database bandwidth. These are typically application-level flooding attacks [25].

  (b) The attackers upset an authentic user’s connectivity by exhausting the bandwidth, router processing capability, or network resources. These are typically network DDoS flooding attacks [24].

Table 1 shows the layer-wise distribution of DDoS attacks of IoT [26].

Table 1 DDoS attacks on IoT

2.2 Intrusion detection system (IDS)

The IDSs continuously monitor the activities and users’ actions in a network to detect intrusions and irregular activities. It is very difficult and costly to implement a system that is not prone to attacks. A network can suffer from different types of security holes. The IDSs analyze the events and actions generated by users’ operations and search out the suspicious and undesirable activities generated by malicious nodes [27]. Intrusion detection is a technology used for securing networks from malicious attacks. The IDSs offer usable information that helps in preparing protection, such as the unique identification of the malicious intruder, the time and location of the intrusion, and the type of the intrusion. With the help of such information, further or repeated intrusions can be prevented by the system. By implementing an IDS, the system is enabled to identify and prevent access by unauthorized users, as well as misuse and abuse of privileges by legitimate users. The IDSs can be classified as statistical or Bayesian-based, pattern matching-based, rule-based, state-based, and heuristics-based [28].

Some effective IDSs can be developed such that they have the capability to sense events and send warnings to the whole network or the administrator about possible security threats. An ideal IDS, besides detecting a security breach and informing others, also automatically develops a protective response against the threats.

2.3 Multi-agent system (MAS)

The agents in a MAS independently collect the data and communicate with one another in a coordinated and supportive way to achieve a common goal. Each agent operates on a control algorithm and, when required, it can communicate with other agents. In the context of intrusion detection, the multi-agents can drastically reduce the workload on nodes in a network by distributing responsibilities among them. Implementing MASs in a system is the most appropriate method to attain the goals in distributed systems [29].

Some notable characteristics of agents in a MAS are autonomy, reactivity and pro-activeness [30]. An agent-based IDS divides the workload through a distributed IDS so that the speed of network operations can be boosted. In such an IDS environment the agents can be distributed and/or mobile [31]. According to [32], MASs empower the platform for sensors with the autonomic self-management property.

2.4 Naïve Bayes (NB) classifier algorithm

Naïve Bayes methods are a set of supervised learning algorithms based on using Bayes’ theorem with the ‘Naïve’ assumption of independence between every pair of features. In order to check the efficacy of the NSL-KDD dataset, a Naïve Bayes classifier algorithm was used to model the normal and abnormal network activity. The Naïve Bayes classifier is a supervised learning algorithm based on applying Bayes’ theorem [22]:

$$\begin{aligned} P(H|E)=\dfrac{P(E|H) P(H)}{P(E)}, \end{aligned} \tag{2.1}$$

and

$$\begin{aligned} P(H|E)=P(E_1|H)\times P(E_2|H)\times \cdots \times P(E_n|H)\times P(H) \end{aligned} \tag{2.2}$$

According to this theorem, we can calculate the probability of event H conditioned on the data E by first calculating the probability of the data E conditioned on event H, multiplying it by the probability of event H, and normalizing by the probability of the data E. In the case of intrusion detection, this means that we can calculate the probability that an attack is occurring based on some data by first calculating the probability that some preceding data were part of that type of attack and then multiplying by the probability of that type of attack occurring, dropping the normalization of P(E) [22].
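A worked instance of Eq. (2.2), added here as an example and not the authors' NB-MAIDS code: a categorical Naïve Bayes classifier that scores each class H in log space, restores the dropped P(E) only when a posterior is wanted, and keeps an unseen attribute value from zeroing the product. The training records are constructed in the style of NSL-KDD's protocol_type, service and flag attributes, and the Laplace smoothing constant `alpha` is an assumption of the example.

```python
import math
from collections import Counter

# Constructed records in the style of NSL-KDD categorical attributes
# (protocol_type, service, flag); they are NOT rows from the dataset.
TRAIN = [
    (("tcp", "http", "SF"), "normal"),
    (("tcp", "http", "SF"), "normal"),
    (("udp", "domain_u", "SF"), "normal"),
    (("tcp", "smtp", "SF"), "normal"),
    (("tcp", "private", "S0"), "attack"),
    (("tcp", "private", "S0"), "attack"),
    (("icmp", "ecr_i", "SF"), "attack"),
    (("tcp", "http", "S0"), "attack"),
]


class NaiveBayes:
    """Categorical Naive Bayes following Eq. (2.2), computed in log space."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing constant (assumption of this example)

    def fit(self, records):
        self.class_counts = Counter(label for _, label in records)
        self.total = len(records)
        n = len(records[0][0])
        # counts[h][i][v] = number of class-h records whose i-th feature equals v
        self.counts = {h: [Counter() for _ in range(n)] for h in self.class_counts}
        self.vocab = [set() for _ in range(n)]
        for features, label in records:
            for i, v in enumerate(features):
                self.counts[label][i][v] += 1
                self.vocab[i].add(v)
        return self

    def log_score(self, features, h):
        """log P(H) + sum_i log P(E_i|H): the unnormalised product of Eq. (2.2)."""
        score = math.log(self.class_counts[h] / self.total)
        for i, v in enumerate(features):
            # One extra slot reserves probability mass for values never seen
            # in training, so a single unseen value cannot zero the product.
            k = len(self.vocab[i]) + 1
            num = self.counts[h][i][v] + self.alpha
            den = self.class_counts[h] + self.alpha * k
            score += math.log(num / den)
        return score

    def posterior(self, features):
        """Restore the dropped P(E) by normalising the scores over all classes."""
        logs = {h: self.log_score(features, h) for h in self.class_counts}
        m = max(logs.values())
        exp = {h: math.exp(s - m) for h, s in logs.items()}
        z = sum(exp.values())
        return {h: e / z for h, e in exp.items()}

    def classify(self, features):
        return max(self.class_counts, key=lambda h: self.log_score(features, h))


MODEL = NaiveBayes().fit(TRAIN)
```

Because P(E) is the same for every class, `classify` compares the unnormalised scores directly; `posterior` is only needed when a calibrated confidence is reported alongside the label.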

2.5 Related work

A reasonable amount of work has been done in the area of securing communication networks. In [33], the authors proposed an intrusion detection system for DoS detection in IPv6 over low-power wireless personal area networks (6LoWPAN)-based IoT. They designed an architecture to detect DoS attacks in ebbits networks. Basically, they integrated the 6LoWPAN with the network manager of ebbits. Moreover, the IDS probe (IDS-P) helps the IDS to listen to 6LoWPAN network traffic. In addition, a DoS protection manager is integrated and the IDS with the ebbits network manager works as the security manager.

Furthermore, Sen [34] presented the framework of a Distributed IDS (DIDS) which consists of a set of autonomous agents that cooperate with each other to perform a distributed intrusion detection process. The DIDS can detect both signature-based and anomalous activities in real time by using distributed computation and a message passing scheme among the agents. Multiple sectioned Bayesian networks are used to make distributed inferences. The IDSs have the capability to identify and isolate the suspicious nodes in the system with the help of Byzantine agreement p. A multi-agent system for intrusion detection (MASID), developed by Mechtri et al. [30], is an intrusion detection system for ad hoc networks. It is based on a multi-agent switch in a distributed and cooperative architecture. There is no need for any central entity in the entire system. Due to the distributed nature of the system, the fault tolerance is increased, and the system failure is impossible. With the implementation of agents, the authors used more flexible and completely automated intrusion detection processes.

Moreover, in [35], the authors proposed a framework of Naïve IDS (NIDS) based on the Naïve Bayes algorithm. The framework generates the pattern of the network services over a data set labeled by the services. By using the Naïve Bayes classifier algorithm, the framework detects the attacks with built-in patterns.

The authors in [36] designed an intrusion detection system for the IoT called SVELTE. They proposed their work to secure systems from routing attacks specifically and from various other attacks in general. The designed model is also compatible with IPv6-connected IoT. SVELTE is an IDS giving positive results with small deployment overhead and limited energy consumption. However, the proposed system gives a noticeable number of false alarms during the detection process.

The techniques of artificial immune system, proposed in [37], are implemented in an IoT environment. An immune system is constructed and applied to detect possible attacks. A library is kept for defining attacks’ information and the immune system evolves as the data in library are updated. The system seems to be incomplete in some cases and also puts an extra burden on the processing nodes.

3 Naïve Bayesian algorithm with multi-agent-based IDS

The motivation of our work is to deliver a solution for the detection and prevention of DDoS attacks in the network layer of the IoT infrastructure. Before network operations are disrupted, the system prompts the proper execution of countermeasures aiming to increase network availability.

The work NB-MAIDS is an agent-based intrusion detection system for securing connected objects in IoT. The agents are viewed as autonomous, reflective, proactive and cooperative entities in the system. These are responsible for data collection, analysis and development of suitable inferences based on the analyzed data. Naïve Bayes algorithm is used for the classification of events data gathered by monitoring the network operations.

3.1 Architecture of the multi-agent system (MAS)

Each IDS in the distributed routers consists of four types of agents, playing different but correlative roles and cooperating with each other. These agents are either stationary or mobile agents, depending on the task which they perform. Furthermore, they adopt one of two different architectures: the proactive or the deliberative. Agents of both types of architectures share some useful characteristics. Each agent is autonomous, intelligent, cooperative, rational, and capable of communicating with other agents. By employing the agents, we aim for complete automation of the detection process. The agents are listed as follows:

  (a) Collector agent: The collection agent is a reactive agent that is responsible for the collection of audit or network data from the source. We suggested MySQL as a data source from which the collector agent collects the data results of NSL-KDD Cup classified by the Naïve Bayes classifier algorithm.

  (b) System monitoring agent: The system monitoring agents are responsible for monitoring the whole structure of the MAS. The agent confirms whether the classified resultant data is normal or an attack. For this purpose, it looks up previously detected data; if the evidence is not enough, it collects more information by cooperating with other IDSs.

  (c) Actuator agent: The actuator agent is a deliberative agent. Its main functionality is to react to the detected intrusions, as quickly as possible, to avoid future damage. An active response may include dropping the connectivity to the potential attacker. It is also concerned with the update of normal and attack profiles in the database.

  (d) Communication agent: The communication agent serves as a communication channel. This mobile agent decides what information to share with agents in the sub-domain to which it belongs, informs IDSs in distributed nodes of the detection results and, if needed, queries them for more information.

Fig. 1 Multi-agent system

As shown in Fig. 1, the agents of the MAS are connected together to perform various operations collectively. The figure shows that the collection agent is directly connected to the Naïve Bayes database. The flowchart in Fig. 2 shows that the information is first classified and, if abnormal traffic is detected, the system further analyzes the situation. In the flowchart, it is shown that both results of attack confirmation are forwarded to other routers for knowledge update. If the system finds an attack situation, then it takes appropriate action to avoid such attacks.

Fig. 2 Flowchart of the proposed algorithm

Fig. 3 Stage 1—data preprocessing in NB-MAIDS

Fig. 4 Stage 2—Naïve Bayes network model and training

Fig. 5 Stage 3—test data classification

The three stages of the proposed model are illustrated in Figs. 3, 4 and 5. In the first phase, the system processes the data for Naïve Bayes classification. The module considers some domain knowledge and attack graphs, and processes them with the help of a WEKA-based selection mechanism. In this stage of preprocessing, the dataset is normalized and unnecessary attributes and instances are removed as per defined principles.

In stage 2, the processed data are collected by the system. The network of the Naïve Bayes learning agent analyzes the dataset provided with the help of a predefined algorithm. The output of this stage is the input to the phase of test data classification.

Figure 5 shows the last phase, stage 3, of the whole process. An inference analyzer is used to execute the test data with the help of the Naïve Bayes prediction mechanism to produce the ultimate conclusions in the form of results.

The procedure is further explained with the help of the following algorithms. Algorithm 1 discusses the preprocessing and classification of data, and Algorithm 2 updates the dataset with information about new suspicious attacks, for both true and false results.


4 Simulation results

For simulations and result evaluations, we simulate the work in NS 2.35 under the Ubuntu operating system. Each plot is taken as the average of ten different runs. The source and destination nodes are selected randomly after injecting malicious behavior into some of them to determine the threat effectiveness and other values. The simulation parameters are summarized in Table 2.

Table 2 Simulation parameters

Fig. 6 Relationship between false and detection probability of threats

Detection probability specifies whether a model can detect the intrusions properly. In Fig. 6, the Bio-inspired Reputation and Trust Model WSN (BRTM-WSN) [38] performs better compared to the Distributed Reputation-based Beacon Trust System (DRBTS) [39] model. It is observed that the BRTM-WSN model has an improved handling mechanism for intrusions generated by malicious users. Our model gives better results than the other two due to the existence of distributed Naïve Bayes based agents in the networks.

Fig. 7 End-to-end packet-forwarding rate with variable number of malicious nodes

The end-to-end packet-forwarding ratio is shown in Fig. 7. Results are obtained using the Ad hoc On-Demand Distance Vector (AODV) routing protocol with and without our model. Some malicious nodes are injected into the system randomly. The percentage is gradually increased from 10 to 50 to collect various results.

Fig. 8 Effect on performance in terms of delays

The end-to-end delay is shown in Fig. 8. As the system relies on the IDS in the MAS, it adds extra delay compared to a non-secured system. Results are taken by comparing our work with and without using the AODV protocol.

Fig. 9 Average packets dropped during no attack and DoS attack

Figure 9 shows the activity recorded at ten different time intervals. Each time, the amount of packets dropped with and without a DDoS attack is recorded. The records indicate that the amount decreases with the passage of time as the system learns and acquires knowledge in its dataset through the agents in the IDS.

Fig. 10 Attack detection rates

Figure 10 illustrates the detection ratios with respect to number of attacks. Our system detects anomalies more precisely as compared to a generic IDS for DDoS attack in the WSNs.

Fig. 11 Detection rates on different throughput

Finally, Fig. 11 shows the performance of detection rate with throughput of different methods. It is shown that the detection rate of our proposed system is significantly higher than BRTM-WSN [38], DRBTS [39], and optimal objective entropy (OOE)-based [40] methods.

5 Conclusion

Since the technologies and concepts of wireless sensor networks and mobile ad hoc networks are supposed to be integrated in the next generation Internet as a core part of IoT, most of the work is influenced by practices developed for these networks. The proposed NB-MAIDS mechanism is an advanced system for intrusion detection in a network. The Naïve Bayes classification algorithm with the use of multiple agents for DDoS attack detection gives better performance compared to the traditionally used IDSs. The proposed scheme aims to secure the IoT network layer from DDoS attacks initiated by malicious objects. Due to the distributed agents in the MAS, the total load is distributed among all the participants in the network. In addition, the reporting of detection and prevention of attacks is performed very fast. This work can be further expanded by replacing the Naïve Bayes classification algorithm with a light-weight pattern matching algorithm. The types, nature, and number of agents can be further advanced.