基于特征选择的可解释型物联网入侵检测模型

The Interpretable IoT Intrusion Detection Model Based on Feature Selection

高度异构的物联网设备产生的流量数据,在基于多时间粒度采集时虽然能够提升物联网入侵检测模型(IDS)的准确性,但也会造成特征冗余。与此同时,当下IDS的评估指标主要以结果为导向,忽视对IDS决策过程的解释。针对以上不足,提出基于特征选择的可解释的物联网IDS。首先,采用以轻量级梯度提升机为基分类器的交叉验证递归特征消除法,降低流量特征值冗余;其次,使用SHapley Additive exPlanations(SHAP)算法全局解释特征选择,辅助决策;最后,将机器学习用于入侵检测模型。采用N-BaIoT数据集中5种物联网设备的流量数据进行实验验证,通过特征选择把原有的基于5个时间粒度的115个特征提取到不到20个(仅为原来的17.37%),与主成分分析特征降维法相比准确度和F1值更高。结果表明,该方法能够解决特征冗余和增强模型可解释性,进而提高模型准确率,降低模型训练时间。

The traffic data generated by highly heterogeneous IoT devices can help to improve the accuracy of IoT intrusion detection models(IDS)when collected based on multiple time granularities,however,it also leads to the feature redundancy.At the same time,the evaluation indicators of IoT IDS are mainly result-oriented,ignoring the explanation of the IDS decision-making process.In view of the above shortcomings,an explainable IoT IDS based on feature selection has been proposed.Firstly,the cross-validation recursive feature elimination method using lightweight gradient boosting machine as the base classifier is adopted to reduce the redundancy of traffic feature values;secondly,the SHapley Additive exPlanations(SHAP)algorithm is used to globally interpret feature selection and assist decision-making;finally,machine learning is used for intrusion detection models.The traffic data of five IoT devices in the N-BaIoT dataset is used for experimental verification.Through feature selection,the original 115 features based on five time granularities are extracted to less than 20(accounting for only 17.37%of the original),which have higher accuracy and F1 values than the principal component analysis feature dimensionality reduction method.The experimental results show that this method can solve feature redundancy and enhance model interpretability,thereby improving model accuracy and reducing model training time.