2019 International Conference on Computational Intelligence and Knowledge Economy (ICCIKE)

December 11–12, 2019, Amity University Dubai, UAE

Anomaly Detection Techniques using

Deep Learning in IoT: A Survey
Bhawana Sharma Lokesh Sharma Chhagan Lal
Department of Information Technology Department of Information Technology Department of Computer Science and
Manipal University Jaipur Manipal University Jaipur Engineering
Jaipur, India Jaipur, India Manipal University Jaipur
[email protected] [email protected] [email protected]

Abstract—IoT technologies is improving life quality by computation at the device or the edge to solve some of the
enhancing several real-life smart applications. IoT includes issues of network security and delay in computation.
large number of devices generating huge amount of data which
needs large computation. Anomaly detection and security is the
major concern in the IoT domain. This survey paper provides II. ANOMALY DETECTION IN IOT
an overview of anomaly detection using machine learning and
deep learning methods in IoT applications. Machine learning A. Anomalies and sources of anomalies
and deep learning are powerful tools for analyzing normal and
abnormal behavior of IoT components and devices. In this In real-world data-sets there are instances which are
paper we outline key issues in research and challenges using dissimilar to all others instances and are known as anomalies.
deep anomaly detection techniques for resource constrained The anomaly detection is to detect such patterns whose
devices in real-world problems of IoT. Fog computing move the behavior is considered abnormal as compared to normal
computation at the device or the edge to solve some of the issues nodes. Different sources of anomalies are Intrusion detection
of network security and delay in computation. system, Fraud detection and Data leakage. Anomaly
detection is used in variety of areas in IoT domain as shown
Keywords—Anomaly Detection, Machine Learning, Deep
in Table I.
learning, Fog Computing, CNN, DNN
TABLE I. AREAS OF ANOMALY
I. INTRODUCTION
IoT is going through the phase of rapid growth Areas Anomaly Description Benefits
nowadays. Application specific systems designed for specific Prevent water
Water leakage
purposes requires less time for computation but it has limited waste
flexibility. IoT demands application, product and service Maintenance time
Smart Light bulb broken
platforms which can capture, communicate, store, access and reduced
Cities
share the data from the physical world. IoT is connecting all Electricity leakage To save energy
the devices referred to as ‘Things’ with internet and it has Gas leakage To save fuel
Health detection Life saving
been growing trend in decades. IoT deals with
Network Intrusion detection, fraud
sensors/actuators, RFID tags and communication To secure data
Security detection, DDoS attacks
technologies. RFID technology is transmitting the Surface inspection of To remove defect
identification information from the microchip to the reader Industries
device on device
through wireless communication. Other IoT devices and
technology such as barcode, smart phones and cloud
computing are used to form network. For information Intrusion detection: IoT devices are connected to the internet
exchange, processing and communication in IoT technical and remains vulnerable to security-related attacks. Heavy
standards specification needs to be designed for high quality damage to IoT network is caused by attacks such as Denial-
services. Standardization of the technologies will lead to of-service (DoS) attacks and distributed denial-of-service
success of IoT[1][2][3]. Layers of IoT are perception layer, (DDoS) attacks. Detection and prevention from those attacks
network layer and business layer. is the major issue in IoT applications.
Machine learning and deep learning techniques have
been used extensively for a many task including Fraud detection: IoT networks remain susceptible to stealing
classification, regression and in IoT application areas such as credit card information, bank account details, or other
intrusion detection system, computer vision, recommender sensitive information during logins or online payments.
system. Deep learning facilitates the analysis on fast and real
data streams to extract features and predict future in IoT
Data Leakage: Sensitive information from databases, file
domain. DL is considered better than traditional machine
servers and other information sources can leak to any external
learning as some features that might not be viewed to a
entity which results in not only the loss of information, but
human can be easily extracted and thus improve the accuracy
also creates threat that can destroy confidential information
[4]. In this paper review of different machine learning and
from the system. Proper encryption mechanisms can prevent
deep learning techniques for anomaly detection are described
such leaks.
for the IoT applications. Fog computing move the

978-1-7281-3778-0/19/$31.00 ©2019 IEEE

146
Authorized licensed use limited to: University of Guelph. Downloaded on May 09,2024 at 21:53:43 UTC from IEEE Xplore. Restrictions apply.
 2019 International Conference on Computational Intelligence and Knowledge Economy (ICCIKE)
December 11–12, 2019, Amity University Dubai, UAE

B. Types of Anomaly Pandaboard based gateway and simulated on Contiki Cooja

It can be detected based on its type like Point-wise, environment.
Contextual or Collective [6]. Rm et al. [13] proposed an improved optimization
Point-wise anomalies is to detect the points which deviate approach when the number of clusters are known and the
largely from the rest of the data points and used when the weight is assigned to each data point in the cluster and then
evolution of the series is not predictable. It is generally used determine the relative position to the entire dataset.
for fraud detection. Experimental result on three different datasets shows that the
Collective anomalies are detected by typical time series improved optimized technique works better than K-Means.
patterns such as recurring patterns or shapes from multiple IoT Deep learning algorithm is used to develop an intelligent
devices. In supply chain delay shipment is very common but intrusion-detection system which detects malicious traffic in
if numerous delays then it needs investigation and thus the network [14]. Resource constrained IoT devices having
collective analysis. low power uses sequential deep neural-network models for
Contextual anomalies are detected when previous type of real-time anomaly detection. Proposed IDS is deployed for
information or context is taken into account such as day of the IoT networks using a Raspberry Pi. DNN is applied using
week. Contexts are almost always very domain specific. Keras, written in Python and tested using the Cooja network
simulator developed in Contiki operating system.
Online skull stroke detection is implemented using CNN
for feature extraction and then different classification methods
bayesian method, random forest, multilayer perceptron, k
nearest neighbor and support vector machine are applied[24].
Author performed image processing in python language and
used tensor flow and keras library to build and trained the
model with CNN and resultant data is then trained with SVM
or MLP.
Deep migration learning model is introduced which
enables the learning between different domains or tasks[25].
KDD CUP 99 is used as input where 41 number of input nodes
and 5 output nodes are taken and after experiments it is found
that 15 hidden layers provides the better performance.
Evaluation of proposed model is done by conducting
experiment in different scenarios. Data is collected on ubuntu
Fig. 1. Pointwise, Collective and Contextual Anomaly Types [6] platform imported into Microsoft windows 10 and simulated
using MATLAB.
III. LITERATURE REIVEW IV. FOG COMPUTING AND ANOMALY DETECTION
Machine learning and deep learning is widely used in In IoT domain Fog and edge computing provide greater
anomaly detection in IoT applications. One of the most quality of service by getting faster response. [22]. Large
important tasks in manufacturing industries is the surface amount of data generated by different IoT devices is
inspection. Deep convolution neural network method is processed near edge in fog and edge computing instead of
applied to find the defects within the cut-out region which is transmitting it to cloud which provides the services with
detecting an anomaly within an anomaly image [7]. faster response and greater quality. Fog computing
In multivariant time series anomaly detection and Characteristics are low latency, location awareness and wired
diagnosis abnormal status is detected after certain time steps or wireless access. Machine Learning and deep learning
and its causes is found. Multi-Scale Convolutional Recurrent algorithms for Fog and edge computing are focused on
Encoder-Decoder (MSCRED) [8] constructs multi-scale techniques can process large amount of data quickly for the
signature matrices in different time steps which is feed to a resource constrained devices.
convolutional encoder and convolutional Long-Short Term A distributed model is proposed in which provides
Memory network is developed. Convolution decoder parallel training and parameters sharing by distributed fog
reconstruct the input signature matrices and then residual nodes and detect network attack [23]. Experiment shows that
signature matrices are used to detect and diagnose the distributed model is better than centralized model using deep
anomalies. learning approach however deep learning consumes more
In health monitoring system real time anomaly is detected training time than shallow learning. Distributed attack
to monitor patient health. Deep neural network is applied to detection provides increase in accuracy and avoids overfitting.
online physical activity monitoring dataset called MobiAct to Distributed detection scheme based on extreme learning
detect real time fall detection of patient health based on machine is proposed for the resources available in cloud for
accelerometer data giving 98.75 percent accuracy [9]. Ukil et time consuming and computationally expensive training tasks
al. [12] proposed a model in which smartphone is used for [26]. In edge cloud computing model distributed computing is
cardiac anomaly detection. combined with modern machine learning technology. Raw
N.K et al. [11] proposed hybrid anomaly detection system data is anonymized at edge and is then used for training ELM
that detect anomaly between router and nodes. Nodes using cloud storage and computational facilities and suggest
temporally ban the communication for the prevention against the detection model used at the edge for classification to detect
anomaly. The developed system is test-bed on Zolertia and threats and anomalies. Author used CTU database for IoT data

147
Authorized licensed use limited to: University of Guelph. Downloaded on May 09,2024 at 21:53:43 UTC from IEEE Xplore. Restrictions apply.
 2019 International Conference on Computational Intelligence and Knowledge Economy (ICCIKE)
December 11–12, 2019, Amity University Dubai, UAE

sources. The data source includes different types of attacks V. KEY ISSUES AND CHALLENGES IN ANOMALY
including DoS, the system is trained on one dataset and tested DETECTION
on another datasets. Experiments show that concatenating  Missing data points: Due to external environment data
time windows of variable length increases effectiveness and is lost which is difficult to detect.
addition of computing resources decreases the time required
 Data corruption: External factors or device
to train the ELM classifier.
malfunctioning corrupts the data and makes it difficult to
Rare events are detected using IRESE deployed on edge
differentiate anomaly and corrupted data.
device which continuously process the data and apply
 Encrypted data: to detect anomaly on encrypted data is
machine learning techniques [27]. Data collected by IoT
difficult.
devices is buffered for few seconds and then send to data
framing where it is divided into smaller frames for feature  Sensor fusion: It is difficult to collect data from different
extraction techniques and then rare event detection strategy is sensors and then aggregate for the results.
applied in two stages. At the first stage BIRCH Micro  Real time detection: Real time anomaly detection
clustering technique is applied at the edge device to cluster involves high speed streaming data and thus require faster
high-speed incoming data in real time. At second stage response.
Agglomerative macro clustering is applied to get macro  Noisy data: Electronic transmission generates noisy data
clusters from the clusters formed at first stage based on and thus is required to remove that from edge computing
Euclidean distance between clusters which finally divides into devices in IoT before forwarding it to cloud.
rare event and normal cluster. Experiment is conducted on  Traffic surge: Huge amount of data can overload
audio data which include gunshot, siren, glass break and anomaly detection task.
scream and results show that optimal value of threshold is  Multivariate data: Frequent change in data should also
selected where the all three values precision, recall and F1 is be considered.
highest altogether.

TABLE II. SUMMARY OF DEEP LEARNING ALGORITHMS IN ANOMALY DETECTION

Author Name Method Used Methodology Areas

Gruber, D. P., & Unsupervised learning deep Surface inspection in manufacturing industries. Image Manufacturing
Tabatabai. (2019).[7] convolution neural network detection for anomaly. Industries
Multi-Scale Convolutional Intrusion
] Zhang & N. In time series multivariate signature matrices are used
Recurrent Encoder-Decoder for Detection
V(2018)[8] to detect and diagnose anomalies.
time series multivariate System
Deep neural network is applied to online physical
Health
activity monitoring dataset called MobiAct to detect
Mahfuz, (2019)[9] Deep Neural network Monitoring
real time fall detection of patient health based on
System
accelerometer data giving 98.75 percent accuracy
Thanigaivelan, & Detect attacks on nodes and react against anomaly by Intrusion
Hybrid anomaly detection.
Isoaho, J. (2018).[11] temporary communication ban on it detection system
A. Ukil & Puri , A. Cardiac anomaly detection Detection of anomalies in healthcare analytics based
Health Care
Pal(2016)[12] through a smartphone on IoT.
Improved optimization approach when the number of
An improved optimization clusters are known and the weight is assigned to each Optimization
Alguliyev (2017).[13]
approach for clusters data point in the cluster and then determine the Technique
relative position to the entire dataset.
DNN is applied using Keras, written in Python and Intrusion
Thamilarasu, G., &
Sequential deep neural-network tested using the Cooja network simulator developed in Detection
Chawla, S. (2019).[14]
Contiki operating system System
Distributed deep learning is applied for attack
Diro, A. A., & detection. Distributed model performs better than
Intrusion
Chilamkurti, N. (2018). Distributed Deep learning centralized model. Deep learning is one input layer
detection system
[23] and 3 hidden layers with softmax layer as output
layer.
Author performed image processing in python
Dourado, C. M. J. M., Online Stroke
CNN with classification language and used tensor flow and keras library to
Pires, S. & detection in
methods build and trained the model with CNN and resultant
H. C. De. (2019)[24] Skull
data is then trained with SVM or MLP
Proposed model is evaluated by conducting Feature
Li, D., Deng, L., Lee,
experiment in different scenarios. Data is collected on extraction and
M., & Deep migration learning
ubuntu platform imported into Microsoft windows 10 intrusion
Wang, H. (2019)[25]
and simulated using Matlab. detection system
Extreme learning machine is proposed for distributed Intrusion
Comput, J. P. D, & detection scheme for the resources which perform detection system
Extreme learning Machine
Palmieri, F. (2018).[26] time consuming and computationally expensive in edge
training task available in cloud. computing

148
Authorized licensed use limited to: University of Guelph. Downloaded on May 09,2024 at 21:53:43 UTC from IEEE Xplore. Restrictions apply.
 2019 International Conference on Computational Intelligence and Knowledge Economy (ICCIKE)
December 11–12, 2019, Amity University Dubai, UAE

At the first stage BIRCH Micro clustering technique is

applied at the edge device to cluster high-speed
Haider, Z., Vecchio, M., incoming data in real time. At second stage Audio data
Antonini, M., & IRESE unsupervised learning Agglomerative macro clustering is applied to get detection in
Antonelli, F. (2019)[27] macro clusters from the clusters formed at first stage edge computing
based on Euclidean distance between clusters which
finally divides into rare event and normal cluster.

VI. CONCLUSIONS [13] Alguliyev, R. M., Aliguliyev, R. M., Imamverdiyev, Y. N., &
Sukhostat, L. V. “An Anomaly Detection Based on Optimization”.
In this paper several deep learning and machine International Journal of Intelligent Systems and Applications, 9(12),
learning techniques are described for the anomaly detection 87–96, 2017.
over the past few years in IoT. This review provides new [14] Thamilarasu, G., & Chawla, S. “Towards Deep-Learning-Driven
Intrusion Detection for the Internet of Things”. Sensors (Basel,
insight to the researchers in the field of anomaly detection Switzerland), 19(9). 2019.
in IoT. Everyday a new unknown attack is discovered and [15] Lloret, J., Tomas, J., Canovas, A., & Parra, L. “An Integrated IoT
thus there is need of new algorithms to detect the attack. IoT Architecture for Smart Metering”. IEEE Communications
includes large number of devices and generate huge amount Magazine, 54(12), 50–57, 2016.
of data and thus large computation is needed. There is a need [16] M.-O. Pahl , F.-X. Aubet , “All eyes on you: distributed multi-
of feature extraction to faster the speed of computation. dimensional IoT microservice anomaly detection”, in: Proceedings
of the 2018 Fourteenth International Conference on Network and
Anomaly detection at edge devices will provide faster Service Management (CNSM)(CNSM 2018), 2018 . Rome, Italy
response and greater quality of service in IoT. Real time [17] Moustafa, N., Slay, J.: “The evaluation of network anomaly
data streaming in IoT needs real time anomaly detection. It detection systems: statistical analysis of the UNSW-NB15 ata set
is challenging and costly to detect anomaly using deep and the comparison with the KDD99 data set”. Inf. Secur. J. 25(1–
learning which requires high computing on resource 3), 18–31 (2016)
constrained IoT devices. [18] ] H. H. Pajouh, R. Javidan, R. Khayami, D. Ali, and K.-K. R. Choo,
"A two-layer dimension reduction and two-tier classification model
for anomaly-based intrusion detection in IoT backbone networks,"
REFERENCES IEEE Transactions on Emerging Topics in Computing, 2016.
[1] Xu, L. Da, Member, S., He, W., & Li, S. “Internet of Things in [19] R. Kozik , M. Chora ´s , M. Ficco , F. Palmieri , “A scalable
Industries : A Survey”. 10(4), 2233–2243. 2014 distributed machine learning approach for attack detection in edge
[2] Lin, J., Yu, W., Zhang, N., Yang, X., Zhang, H., & Zhao, W. “A computing environments”, J. Parallel Distrib. Comput. 119 (2018)
Survey on Internet of Things :Architecture , Enabling Technologies 18–26.
, Security and Privacy , and Applications”. 4(5), 1125–1142, 2017. [20] A. Ayad, M. Shaban, and W. Gabriel, 2017. [Online]. Available:
[3] Al-fuqaha, A., Member, S., Guizani, M., Mohammadi, M., & https://github.com/xtarx/ “Unsupervised-Anomaly-Detection-with-
Member, S. “Internet of Things: A Survey on Enabling Generative-Adversarial-Netw,” 2017.
Technologies, Protocols, and Applications”. 17(4), 2347–2376, [21] M. Haselmann and D. Gruber, “Supervised machine learning based
2015. surface inspection by synthetizing arti- ficial defects,” in 2017 16th
[4] Chalapathy, R., & Chawla, S. “Deep Learning for Anomaly IEEE International Confer- ence on Machine Learning and
Detection: A Survey”. 1–50, 2019. Applications (ICMLA). IEEE, 2017, pp. 390–395.
[5] Mohammadi, M., Member, G. S., Al-fuqaha, A., & Member, S. [22] Moh, M., & Raju, R. “Machine Learning Techniques for Security of
(n.d.). “Deep Learning for IoT Big Data and Streaming Analytics : Internet of Things ( IoT ) and Fog Computing Systems”. 2018
A Survey”. X(X), 1–40 International Conference on High Performance Computing &
[6] Mohamudally, N., & Peermamode-Mohaboob, M. “Building An Simulation (HPCS), 709–715, 2018.
Anomaly Detection Engine (ADE) for IoT Smart Applications”. [23] Diro, A. A., & Chilamkurti, N. “ Distributed attack detection scheme
Procedia Computer Science, 134, 10–17,2018. using deep learning approach for Internet of Things”. Future
[7] Haselmann, M., Gruber, D. P., & Tabatabai, P. “Anomaly Detection Generation Computer Systems, 82, 761–76, 2018.
Using Deep Learning Based Image Completion”. Proceedings - 17th [24] Dourado, C. M. J. M., Pires, S., Silva, P., Victor, R., Nóbrega, M.,
IEEE International Conference on Machine Learning and Carlos, A., … Albuquerque, H. C. De. “Deep learning IoT system
Applications, ICMLA 2018, 1237–1242, 2019. for online stroke detection in skull computed tomography images”.
[8] Zhang, C., Song, D., Chen, Y., Feng, X., Lumezanu, C., Cheng, W., Computer Networks, 152, 25–39, 2019.
… Chawla, N. V. “A Deep Neural Network for Unsupervised [25] Li, D., Deng, L., Lee, M., & Wang, H. (2019). International Journal
Anomaly Detection and Diagnosis in Multivariate Time Series Data, of Information Management “IoT data feature extraction and
“2018. intrusion detection system for smart cities based on deep migration
[9] Mahfuz, S., Isah, H., Zulkernine, F., & Nicholls, P. “Detecting learning”. International Journal of Information Management,
Irregular Patterns in IoT Streaming Data for Fall Detection.” 2018 (March), 0–1. 2019
IEEE 9th Annual Information Technology, Electronics and Mobile [26] Comput, J. P. D., Kozik, R., Choraś, M., Ficco, M., & Palmieri, F.
Communication Conference, IEMCON 2018, 588–594, 2019. (2018). “A scalable distributed machine learning approach for attack
[10] Rajesh, G., Mangathayaru, N., & Narsimha, G. CLAPP : “A self- detection in edge computing environments”. J. Parallel Distrib.
constructing feature clustering approach for anomaly detection”. Comput., 119, 18–26, 2018.
Future Generation Computer Systems, 74, 417–429, 2017. [27] Haider, Z., Vecchio, M., Antonini, M., & Antonelli, F. (2019).
[11] Thanigaivelan, N. K., Nigussie, E., Virtanen, S., & Isoaho, J. Engineering Applications of Artificial Intelligence “IRESE : An
“Hybrid Internal Anomaly Detection System for IoT: Reactive intelligent rare-event detection system using unsupervised learning
Nodes with Cross-Layer Operation”. Security and Communication on the IoT edge”. Engineering Applications of Artificial
Networks, 2018, 1–15, 2018 Intelligence, 84(September 2018), 41–50.
[12] A. Ukil , S. Bandyoapdhyay , C. Puri , A. Pal. “Iot healthcare
analytics: The importance of anomaly detection”, in: Proceedings of
the 2016 IEEE 30th International Conference on Advanced
Information Networking and Applications (AINA), IEEE, 2016, pp.
994–997.

149
Authorized licensed use limited to: University of Guelph. Downloaded on May 09,2024 at 21:53:43 UTC from IEEE Xplore. Restrictions apply.