An effective method for anomaly detection in industrial Internet of Things using XGBoost and LSTM

Sci Rep. 2024 Oct 14;14(1):23969. doi: 10.1038/s41598-024-74822-6.

Abstract

In recent years, with the application of Internet of Things (IoT) and cloud technology in smart industrialization, the Industrial Internet of Things (IIoT) has become an emerging hot topic. The growing volume of data and number of devices in IIoT pose significant security challenges, making anomaly detection particularly important. Existing methods for anomaly detection in the IIoT often fall short when dealing with data imbalance, and the huge amount of IIoT data makes feature selection challenging and computationally intensive. In this paper, we propose an optimal deep learning model for anomaly detection in IIoT. First, eXtreme Gradient Boosting (XGBoost) is used for feature selection under different importance thresholds: features with importance above the given threshold are retained, while those below are ignored. Different thresholds yield different numbers of features. This approach not only secures effective features but also reduces the feature dimensionality, thereby decreasing the consumption of computational resources. Second, an optimized loss function is designed to study its impact on model performance in terms of handling imbalanced data, highly similar categories, and model training. We select the optimal threshold and loss function, which are part of our optimal model, by comparing metrics such as accuracy, precision, recall, False Alarm Rate (FAR), Area Under the Receiver Operating Characteristic Curve (AUC-ROC), and Area Under the Precision-Recall Curve (AUC-PR) values. Finally, combining the optimal threshold and loss function, we propose a model named MIX_LSTM for anomaly detection in IIoT. Experiments are conducted using the UNSW-NB15 and NSL-KDD datasets. The proposed MIX_LSTM model can achieve 0.084 FAR, 0.984 AUC-ROC, and 0.988 AUC-PR values in the binary anomaly detection experiment on the UNSW-NB15 dataset. On the NSL-KDD dataset, it can achieve 0.028 FAR, 0.967 AUC-ROC, and 0.962 AUC-PR values. Judged by these evaluation indicators, the model shows good performance in detecting abnormal attacks in the Industrial Internet of Things compared with traditional deep learning models, machine learning models and existing technologies.

Keywords: Anomaly detection; Feature selection; IIoT; LSTM; Loss function; XGBoost.
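
The threshold sweep described in the abstract, as an added example that is not the paper's code: each importance threshold yields a feature subset, and each subset is scored by recall and FAR. Assumptions: the data is constructed, a normalized class-mean gap stands in for XGBoost importances, a nearest-centroid detector stands in for the LSTM, and a feature exactly at the threshold is retained.

```python
import random

def make_data(n, seed):
    """Constructed records: f0 and f1 separate the classes, f2 and f3 are noise."""
    rng = random.Random(seed)
    y = [i % 2 for i in range(n)]                    # 1 = attack, 0 = normal
    X = [[rng.gauss(3 * t, 1), rng.gauss(3 * t, 1),
          rng.gauss(0, 1), rng.gauss(0, 1)] for t in y]
    return X, y

def centroids(X, y, cols):
    """Per-class mean of the selected columns."""
    out = {}
    for c in (0, 1):
        rows = [x for x, t in zip(X, y) if t == c]
        out[c] = [sum(r[j] for r in rows) / len(rows) for j in cols]
    return out

def importances(X, y):
    """Stand-in for XGBoost importances: normalized class-mean gap per feature."""
    cen = centroids(X, y, range(len(X[0])))
    gaps = [abs(a - b) for a, b in zip(cen[0], cen[1])]
    return [g / sum(gaps) for g in gaps]

def select(imp, threshold):
    """Indices of features whose importance is at or above the threshold."""
    return [j for j, s in enumerate(imp) if s >= threshold]

def evaluate(train, test, cols):
    """Nearest-centroid detector (stand-in for the LSTM); returns (recall, FAR)."""
    cen = centroids(*train, cols)
    def predict(x):
        dist = {c: sum((x[j] - m) ** 2 for j, m in zip(cols, cen[c])) for c in cen}
        return min(dist, key=dist.get)
    X, y = test
    pred = [predict(x) for x in X]
    tp = sum(p == 1 and t == 1 for p, t in zip(pred, y))
    fp = sum(p == 1 and t == 0 for p, t in zip(pred, y))
    return tp / sum(y), fp / (len(y) - sum(y))       # FAR = FP / (FP + TN)

def sweep(thresholds=(0.0, 0.1)):
    """Retained features, recall and FAR for each importance threshold."""
    train, test = make_data(400, seed=7), make_data(400, seed=8)
    imp = importances(*train)
    results = {}
    for t in thresholds:
        cols = select(imp, t)
        results[t] = (cols, *evaluate(train, test, cols))
    return results

if __name__ == "__main__":
    for t, (cols, recall, far) in sweep().items():
        print(f"threshold={t}: features={cols} recall={recall:.3f} FAR={far:.3f}")
```

Raising the threshold from 0.0 to 0.1 drops the two noise columns while the detector is still trained and scored on held-out constructed data, which is the dimensionality reduction the abstract describes.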