Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Open Set Dandelion Network for IoT Intrusion Detection

Jiashu Wu, Hao Dai, Kenneth B. Kent, Jerome Yen, Chengzhong Xu, Yang Wang

TL;DR

The paper tackles IoT intrusion detection under data scarcity by introducing the Open-Set Dandelion Network (OSDN), which performs unsupervised heterogeneous domain adaptation in an open-set setting to transfer knowledge from a resource-rich source NI domain to a data-scarce target II domain and to detect newly emergent intrusions. It crafts a dandelion-like hyperspherical feature space and couples it with a suite of mechanisms—DTMM, DASM, DEAM, DSDM, and SDCM—along with semantic corrections to encourage inter-category separability and intra-category compactness, while aligning source and target graphs and generating unknown samples for robust open-set learning. The approach yields substantial performance gains over three state-of-the-art baselines across five intrusion datasets, with a reported improvement of $16.9\%$ in accuracy, and demonstrates robustness to varying openness, ablation-supported contributions of each component, and practical efficiency. These findings suggest that combining hyperspherical, graph-embedding, and semantic-correction strategies for open-set domain transfer can meaningfully enhance IoT intrusion detection in real-world, data-limited environments.

Abstract

As IoT devices become widely, it is crucial to protect them from malicious intrusions. However, the data scarcity of IoT limits the applicability of traditional intrusion detection methods, which are highly data-dependent. To address this, in this paper we propose the Open-Set Dandelion Network (OSDN) based on unsupervised heterogeneous domain adaptation in an open-set manner. The OSDN model performs intrusion knowledge transfer from the knowledge-rich source network intrusion domain to facilitate more accurate intrusion detection for the data-scarce target IoT intrusion domain. Under the open-set setting, it can also detect newly-emerged target domain intrusions that are not observed in the source domain. To achieve this, the OSDN model forms the source domain into a dandelion-like feature space in which each intrusion category is compactly grouped and different intrusion categories are separated, i.e., simultaneously emphasising inter-category separability and intra-category compactness. The dandelion-based target membership mechanism then forms the target dandelion. Then, the dandelion angular separation mechanism achieves better inter-category separability, and the dandelion embedding alignment mechanism further aligns both dandelions in a finer manner. To promote intra-category compactness, the discriminating sampled dandelion mechanism is used. Assisted by the intrusion classifier trained using both known and generated unknown intrusion knowledge, a semantic dandelion correction mechanism emphasises easily-confused categories and guides better inter-category separability. Holistically, these mechanisms form the OSDN model that effectively performs intrusion knowledge transfer to benefit IoT intrusion detection. Comprehensive experiments on several intrusion datasets verify the effectiveness of the OSDN model, outperforming three state-of-the-art baseline methods by 16.9%.

Open Set Dandelion Network for IoT Intrusion Detection

TL;DR

The paper tackles IoT intrusion detection under data scarcity by introducing the Open-Set Dandelion Network (OSDN), which performs unsupervised heterogeneous domain adaptation in an open-set setting to transfer knowledge from a resource-rich source NI domain to a data-scarce target II domain and to detect newly emergent intrusions. It crafts a dandelion-like hyperspherical feature space and couples it with a suite of mechanisms—DTMM, DASM, DEAM, DSDM, and SDCM—along with semantic corrections to encourage inter-category separability and intra-category compactness, while aligning source and target graphs and generating unknown samples for robust open-set learning. The approach yields substantial performance gains over three state-of-the-art baselines across five intrusion datasets, with a reported improvement of in accuracy, and demonstrates robustness to varying openness, ablation-supported contributions of each component, and practical efficiency. These findings suggest that combining hyperspherical, graph-embedding, and semantic-correction strategies for open-set domain transfer can meaningfully enhance IoT intrusion detection in real-world, data-limited environments.

Abstract

As IoT devices become widely, it is crucial to protect them from malicious intrusions. However, the data scarcity of IoT limits the applicability of traditional intrusion detection methods, which are highly data-dependent. To address this, in this paper we propose the Open-Set Dandelion Network (OSDN) based on unsupervised heterogeneous domain adaptation in an open-set manner. The OSDN model performs intrusion knowledge transfer from the knowledge-rich source network intrusion domain to facilitate more accurate intrusion detection for the data-scarce target IoT intrusion domain. Under the open-set setting, it can also detect newly-emerged target domain intrusions that are not observed in the source domain. To achieve this, the OSDN model forms the source domain into a dandelion-like feature space in which each intrusion category is compactly grouped and different intrusion categories are separated, i.e., simultaneously emphasising inter-category separability and intra-category compactness. The dandelion-based target membership mechanism then forms the target dandelion. Then, the dandelion angular separation mechanism achieves better inter-category separability, and the dandelion embedding alignment mechanism further aligns both dandelions in a finer manner. To promote intra-category compactness, the discriminating sampled dandelion mechanism is used. Assisted by the intrusion classifier trained using both known and generated unknown intrusion knowledge, a semantic dandelion correction mechanism emphasises easily-confused categories and guides better inter-category separability. Holistically, these mechanisms form the OSDN model that effectively performs intrusion knowledge transfer to benefit IoT intrusion detection. Comprehensive experiments on several intrusion datasets verify the effectiveness of the OSDN model, outperforming three state-of-the-art baseline methods by 16.9%.
Paper Structure (30 sections, 23 equations, 13 figures, 7 tables)

This paper contains 30 sections, 23 equations, 13 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Traditional Intrusion Detection
  4. Domain Adaptation for Intrusion Detection
  5. Open-Set Domain Adaptation for Intrusion Detection
  6. Research Opportunity
  7. Model Preliminary and Architecture
  8. Model Preliminary
  9. The OSDN Architecture
  10. The OSDN Algorithm
  11. Dandelion-based Target Membership Mechanism (DTMM)
  12. Dandelion Angular Separation Mechanism (DASM)
  13. Dandelion Embedding Alignment Mechanism (DEAM)
  14. Discriminating Sampled Dandelion Mechanism (DSDM)
  15. Semantic Dandelion Correction Mechanism (SDCM)
  16. ...and 15 more sections

Figures (13)

  • Figure 1: Summarisation of IoT intrusion detection methods, the data dependency and drawback of traditional intrusion detection methods, and the merits of domain adaptation-based intrusion detection methods. The OSDN method belongs to the open-set domain adaptation-based intrusion detector.
  • Figure 2: The architecture of the OSDN model and the interrelationships between the OSDN's constituting components.
  • Figure 3: The analogy between the structure of a dandelion and the dandelion-like common feature subspace. Each pappus corresponds to a shared intrusion category, it needs to be compact and well-separated from other intrusion categories (pappuses), simultaneously achieving both intra-category compactness and inter-category separability. Target unknown intrusion categories reside in the gaps between pappuses to achieve distinguishability. The analogy between dandelion and the ideal common feature subspace leads to the naming of the Open-Set Dandelion Network (OSDN).
  • Figure 4: Illustrating example of the OSDN discriminating sampled dandelion mechanism to enhance intra-category compactness.
  • Figure 5: The OSDN semantic dandelion correction mechanism. It will point out easily confused intrusion category pairs from the probabilistic semantic perspective (the orange part), which will act as a correction to the dandelion angular separation mechanism (the green part).
  • ...and 8 more figures