The Internet of Things (IoT) is a commonly used term for a concept that incorporates technology and devices for networking. This idea encompasses creations such as Machine-to-Machine (M2M), Wireless Sensor Networks (WSN), Low Power Wireless Personal Area Networks (LoWPAN) communications, or technologies such as Radio-Frequency Identification (RFID)  . Ultimately, the goal of the IoT is to develop capabilities for making these devices communicate with other devices using Internet communication protocols. However, despite having limited resources most developers of IoT devices such as smart TVs, smart watches, and smart lights attempt to add additional capabilities such as audio and visual sensors  .
IoT technology has quickly been incorporated into the development of smart home systems. Smart home systems are designed using sensor technologies; several devices are linked to a specific network where they can be easily operated and monitored . In addition to personal computers and smartphones, objects such as coffee makers and air conditioners, have recently begun linking to the internet, hence the term IoT. Customers can access relevant data from embedded applications while using a smartphone, tablet, or AI speaker to start operating IoT devices. One major example is Google Home . The possibility of these products being the object of cyber attacks is growing as the variety of devices connected to the network increases  . In fact, direct attacks and viruses attacking IoT devices have already been identified  . These threats may be detected utilizing techniques based on an analysis of hacking behavior as compared with valid use .
The fact that smart home systems allow various electronic devices, such as security cameras, to be remotely accessed through the internet means that attackers can take advantage of their faults to steal personal information and breach the privacy of smart home users. These security violations include eavesdropping on communication inside and out of the house through the involved wireless and Internet technologies, while the security cameras may be compromised to expose the activities of a smart home user . Such violations of security and privacy can threaten the protection of a smart home customer and such data can be used to commit serious crimes.
The majority of mainstream attacks targeting connected technologies are intended to undermine the growth of IoT systems . However, because IoT devices are intertwined with everyday life, attacks can have an immediate and direct effect on users . For example, hacking into commercial air conditioning units could result in the ability to change the temperature range in medical centers thereby compromising the safety of the healthcare environment. Tools to detect and eradicate attacker-initiated activities are also essential. Traditionally, cyber threats, safety tools, and intrusion prevention systems are also used to identify attackers. Using pattern recognition, these tools normally recognize threats by comparing the packets with a set of rules.
The conventional IDS is not very accurate when detecting anomalous trends since it operates on the basis of standard laws. In smart homes, these laws cannot be changed with new anomalous patterns . In a smart home environment, modern wireless networks, computers, and sensors face various security threats, and machine learning is seen as an ideal solution to this problem. Using different learning algorithms train sensors, and computers without any explicit programming, machine learning technology takes advantage of artificial intelligence using various learning algorithms train sensors, and devices without any explicit programming   .
This paper aims to introduce the use of a Hybrid Intrusion Detection System
Figure 1. System model of HID.
(HID) with a two-tiered intrusion detection system as shown in Figure 1. The first tier contains the machine learning technique. This technique has been studied by the smart home’s network traffic. The second tier will examine all requests that are being sent to the system based on patterns of user behavior profile. The reason for having a two-tiered intrusion detection system is to increase the system security and restrain the error rate since there will be more than one user who can control and monitor a smart home  .
The remainder of this paper is organized as follows: Section 2 briefly discusses the smart home technology. Sections 3 presents the problem statement. Next, the evaluation is demonstrated in Section 4. Section 5 shows the result. Finally, Section 6 contains the conclusion.
2. Smart Home Technology
The design of smart homes architecture consists of four main layers: the physical layer, communications layer, information layer, and decision layer . The physical layer contains the essential hardware of the smart home such as devices, sensors, routers, and any devices that can be involved in the smart home network. The communications layer is comprised of the software that is mainly used to format and route data between users, agents, and the house. The information layer in a smart home’s network is used to capture and store information which is later used to produce information to identify patterns used in decision-making. The decision layer is structured to determine the type of behavior obtained or stored in the information layer. As such, all four layers work closely together in the sense that the activities associated with one layer support the others  .
Smart home devices consist of hardware such as sensors, actuators, gateways, and smart objects. These connected devices can communicate with various devices and smart home equipment to different network devices  . Actuators are used to manipulate a physical component; these are devices that are given a specific input upon the information on which to act and a specific motion. A physical feature, such as a temperature control valve mounted in smart homes, is manipulated by actuators  . A sensor gathers and distributes information about the physical environment and sends it to systems and devices for action. Sensors detect, measure, and indicate physical quantities such as light, motion, heat, pressure, and moisture, among others by converting them into electrical signals  . Gateways serve as the bridge between the actuator and the sensor. Gateways collect data from the sensors and send the processed data for action to the actuator. Gateways are technically the control centers to provide access to the users to their smart home device  .
There are several communication protocols available that are used in smart homes. Wired, wireless, or radio communication protocols are common communication forms. Routers such as Zigbee or Z-Wave, which are automation protocols, interact with most sensors that operate in smart homes. Network protocols such as Wi-Fi, Bluetooth, 6LoWPAN, or IEEE 802.15.4 are also available for these sensors  .
The service is a software program that has two methods to operate in a smart home system. A cloud provider that takes the responsibility of maintaining the program hosts is the first method, and the second method is to provide the service within the home environment. However, having the service inside the home setting means that users are responsible for tracking and upgrading any components of the software themselves  .
3. Problem Statement
Today, architects are incorporating smart home technology into new construction designs by adopting wired and wireless network infrastructures, paving the way for a seamless transition to this technology in the future. Many users are unaware of the threats to their privacy and security that exist from the potential breach of information collected by smart home devices (Figure 2). Every year the sophistication and number of cyber threats increase with millions of identities and billions of dollars being stolen.
There are hardware limitations on smart home devices presenting a major issue for IoT devices. These hardware limitations also lead to difficulty in adapting security features to any IoT devices over time. Since encryption and decryption are complex operations that involve a lot of computations, security approaches that rely heavily on encryption are not a good match for applying these resource-constrained devices. Most researchers agree that there are two major drawbacks to smart home devices: battery power and hardware computing 
Figure 2. Threaten the privacy and security of smart home.
 . The second major dilemma is heterogeneous protocols and weak encryption schemes can also affect dynamic features of smart home devices. Both heterogeneous protocols and weak encryption schemes lead the smart home network to face a lot of security problems  . Smart home providers often try to deploy secure services by reaching the essential security and privacy requirements, which include confidentiality, integrity, and availability. All these implementations will depend on factors such as device capabilities, mode of operation, and the manufacturer  .
Such network attacks that can occur at any given time might be detectable by applying a technique to study smart home network traffic. However, because smart home devices are closely employed by the user every day, there would be a risk of attack coming from the user behavior tier . For example, if the request is legitimate, and passes the network tier, the only method to determine if this request comes from the legitimate user is to have a known set of patterns. Therefore, user-behavior needs to be studied and identified, selecting the right user who sends the proper request at the right time while receiving the sensors correct request.
3.1. System Description
In the context of a sensor network, the smart home as a distributed environment shows the generic features of unreliability, which creates problems for behavior prediction. Security methods that rely heavily on encryption are not standard on these resource-constrained devices because encryption and decryption are complicated operations that require several computations  . Even if activated correctly, the malfunctioning condition of sensors may not produce a trigger event. Currently, using only one IDS will not be enough to secure and determine all requests that might occur in the smart home. We propose a HID in order to detect such attacks based on a profile of user behavior by using a two-tiered IDS.
The first tier is for intrusion detection systems using machine learning algorithm. The machine learning algorithm is an efficient data mining algorithm that can be used for real-time network intrusion detection  . The second tier is the misuse detection technique that applies a known set of user activity patterns. The user behavior profile will ask questions to determine the normal behavior of a user, thereby allowing anomalies to be identified .
In this paper, there are two experiments using two sorts of datasets. The first one is CSE-CIC-IDS2018 and the second one is NSL-KDD as shown in Table 1. This experiment was done using Jupyter Notebook and, Python. The libraries that we used are panada, and sklean. The operating system is Windows with Intel core i7 processor.
3.2. System Model
Figure 3 provides an overview of the first tier of the HID smart home system which will scan the network requests that come from the user side. This phase aims to examine all requests coming to the smart home system using machine learning. We used and compared four types of machine learning algorithms . They are random forest, Xgboost, decision tree, and K-nearest neighbors on
Table 1. Datasets.
Figure 3. Machine learning technique.
two kinds of datasets. We randomly selected three samples from each dataset. The results show that our models for each algorithm can effectively achieve seemingly satisfactory classification accuracy with the lowest false positive .
Before starting the training model, we applied preprocessing the CSE-CIC-IDS2018 and, NSL-KDD datasets the following steps:
1) Preparing the dataset by clearing noisy, and missing data.
2) Replacing the data frame with pandas library.
3) Deleting features which do not affect the performance of the model, such as the Time Stamp column.
4) Transform all categorical features into binary features by using One-Hot-Encoding.
5) Dealing with “Infinity” and “NaN” values with the mean value for each column by replacing them.
6) Formatting data into a standard datatype.
7) Unbalancing and balancing data by using two methods, down and up sampling.
Figure 4 illustrates the model with static user behaviors. Misuse detection is usually related to signature-based detection since alerts are created based on unique signatures. The misuse is also a misinterpretation of illegal device access or use of the sensor at an inappropriate time for an event. This concept is an analysis of the variety of misuse detection techniques to identify device attacks by implementing profile pattern matching. This model is illustrated by the conditions and the stored user behaviors for each sensor. The conditions will be defined as a combination of time of day and the number of requests that will be sent to the sensor, such as how many times the user will operate his sensor from
Figure 4. Misuses detection technique.
his phone. This table will be stored on the user behavior side. The steps below show how the user behavior tier works:
1) Sensors do not exist for all users, which may lead to error reports.
2) When users are not sending requests to sensors, the system is in static or fixed mode.
3) Each sensor is programmed to expect requests from certain users during predetermined times each day.
4) If requests are made outside of these given times, it implies the request may have been made by an intruder.
5) There is an access policy for all users, and based on this policy we have safe use resources and safe normal use.
6) There are exit access policies for all users. Based on this policy, we can determine if the request is unsafe and abnormal.
Most of the similar research work was executed by doing one tier of IDS. This tier could be focused on network behavior or user behavior. To summarize these methods, Table 2 presents the current IDSs for the IoT network tier. Consequently, current IDS ideas on the IoT environment are still at an early stage of growth. Some experiments have used data from network simulations or datasets that might dramatically decrease from a realistic setting.
Amouri et al.  incubated IDS for IoT networks by using machine learning. Their idea was to create list of the benign behavior of each sensor and detect any irregularities in network traffic. However, the experiment was evaluated by using a simulated network and not a real testbed. Doshi et al.  also developed machine learning algorithms in IoT networks to detect a particular attack, Distributed Denial of Service (DDoS) attacks. However, the studies rely exclusively on learning one attack behavior. In a study conducted by Lotfi et al. , with the intention of identifying any unusual short term and long term activities happening in a smart home environment by using neural networks. The results demonstrate that the system was showing the many false positives that can occur when analyzing the security of a given network. Yamauchi  developed an IDS for the smart home system by applying method learned sequences of events for a
Table 2. Similar to exist work on IDS for IoT.
predefined set of conditions. Yamauchi detected attacks by comparing the sequences of the events, including the current operation with the learned sequences. This approach was just focused on user behavior and although the outcome of this system may provide a good evaluation result, it has not been applied against other network attacks. Novak et al.  outlined a technique for anomaly detection in user behaviors for a smart home. The main aspect of their work was to identify unusual short/long activities that occurred in a home environment. They used neural network self-organizing maps to identify various anomalous activities. Furthermore, their detection technique was based on the duration of activities, which can lead to many false positives.
In this paper, we attempted different parameters to achieve accuracy in all the implemented algorithms. The chosen training and test data were divided into 80% to 20%. We used a random forest classifier, Xgboost, decision tree, and K-nearest neighbors. The accuracy shows the percentage of data normality and attack data that are true to classify. The metric used to detect attacks can be calculated using the following Equation (1), where True Positive (TP), True Negative (TN), False Positive (FP), and False Negative (FN).
The other metrics, such as precision and recall, can be calculated using the following Equation (2) and (3). Precision is indicated as a positive predictive value that means the precision of exposed attacks behaviors was correct  . Recall indicates the true positive rate or sensitivity, meaning how many anomalies requests the model exposes. Accuracy, recall, and precision is the most distinguished metrics used for comparing the performance of the algorithms used in intrusion detection systems. Other metrics, such as F1, should also be considered. F1 values refer to how discriminative the model is. It can be calculated by using Equation (4):
5.1. Network Behavior
The results demonstrate that the system, for the first tier experiment CSE-CIC-IDS2018 in Figure 5, the K-nearest neighbors was recognized as the most successful algorithm with an average accuracy rate of 95.9% . Random forest was identified as the second most accurate with an average rate of 95.7% . Other algorithms also earned strong accuracy relative to K-nearest neighbors and random forest. For the second experiment, NSL-KDD in Figure 6, random forest was the most successful algorithm with an average accuracy rate of 98.6%. Xgboost was the second most accurate with an average of 98.5%. The other algorithms also fulfilled strong accuracies likewise to random forest and Xgboost .
5.2. User Behavior
In several matching pattern methods, pattern matching algorithms are a crucial
Figure 5. Accuracy rate for CSE-CIC-IDS dataset.
Figure 6. Accuracy rate for NSL-KDD dataset.
factor. For some patterns, the term relates to the procedure of matching, represented within a body of information as tree frameworks. The matching pattern method is most commonly used to examine and detect any request for concern that arrives at the smart home and does not correspond with the pattern model. Based on our previous work   about the smart home network and using machine learning as an overarching framework, we added the patterns of user behavior profile based smart connected home described as Algorithm 1, S: is the sensor number which will be in a different location, t: is the time, u: user.
We used a dataset that belongs to the CASAS project . The CASAS is a project for creating real smart homes for researchers in this field. A simple and lightweight toolkit called “smart home in a box” has been developed. To be able to provide smart tasks, the components of this toolkit are packaged in a single small box and conveniently mounted in a home. The toolkit was installed in 32 smart homes and created several datasets . We employed one of the CASAS datasets for this study. The file that we employed has three features: date, time, sensor number, and status. We used the time column and sensor number column to create a scenario, as we mentioned in the case study part.
To improve user protection, Human behavior is various and hard to incorporate into one lifestyle. This means that each person can differ from one person to another. Therefore, to implement a data-driven approach for human behavior dealing with smart home sensors, feature extraction is one of the most important steps. This refers to the process of learning how many times a user will send a request to the smart home system using his smart devices such as a smartphone or smart tablet information from the sensor data. To conceptualize static user behavior to a normal level that is applicable to more than one individual, static user behavior will be usefully represented as a stable use of smart home sensors.
We created a scenario that considered an example to highlight the pattern task-related in user behavior. The task model of this use case starts from the early morning routine of a user awakening around 5:00 AM. The User always turns on the light, runs the water, and turns the coffee machine on to get ready before leaving to work. The User also turns on the TV and watches it while eating
breakfast. Then, the user leaves for work, and around 2:00 PM the user checks his refrigerator to see what type of groceries are therein. Also, the user usually, double-checks some sort of smart home sensors during the user’s time spent outside the home. Table 3 shows the time that each sensor can be received a request from the user side. Table 4 shows the anomaly event, which included routine attacks that may cause immediate and personal harm to users.
In this experiment, we create 8 types of sensors listed that connect it to a smart home. We assume these smart home devices can be connected to the Internet, users can command these devices.
We analyzed the packets from/to for a period of time. The result showed us the deployed electronics when the user controls the devices and shows the system has ability to clarify the status of the sensor when devices are operated. Figure 7 shows how the system can determine and accurately classify all requests that come to the smart home. To prove the efficacy of the user behavior system, we tested the system by generating a random request with a time and ran it through the system to see how the system determined the request, Figure 8 shows the random result. The evaluation shows that the system can detect the type of request if it is legitimate and match it with the user behavior profile. We
Table 3. User behavior table.
Table 4. Attempt attack scenario.
Figure 7. User behavior data analysis.
Figure 8. Random test data analysis.
observe that there are a limited number of legitimate requests that the user input into the user behavior profile. We added 2 anomalous requests that resembled legitimate request of turning on each sensor into data and attempted to detect them. The evaluation shows that the system can detect the type of request if it is legitimate and match it with the user behavior profile.
Theoretically, the smart home system would be a part of overall smart living, such as entire smart cities, and connect to various networks at any time and anywhere. The smart home system has two divisions, including network behavior and user behavior. However, this two-part design makes the system more vulnerable. This paper proposed a novel hybrid model based on intrusion detection methods tailored for smart homes, a machine learning-based prevention technique, and misuse detection methods based on user behavior profile patterns.
For the first tier, the proposed approach can be used for controlling data and monitoring systems that have specifications for individual smart home devices. The method is a scalable model that is cohesive with big data. We analyzed the model with CSE-CIC-IDS2018, and NSL-KDD datasets can still be applied on relatively minimal datasets with a low ratio of anomalies request. For the second tier, we focused on adding the detect anomalies method that offers more protection to smart home systems and supports the network tier. This approach examines all requests that come from the network tier and detects anomalies from user profiles. Anomalies will be identified and analyzed by monitoring the number of requests for specific events and the time duration of an activity. By doing this, the system will be most effective and secure .
 Alghayadh, F. and Debnath, D. (2020) Hid-Smart: Hybrid Intrusion Detection Model for Smart Home. 2020 10th Annual Computing and Communication Workshop and Conference, Las Vegas, 6-8 January 2020, 384-389.
 Granjal, J., Monteiro, E. and Silva, J.S. (2015) Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues. IEEE Communications Surveys & Tutorials, 17, 1294-1312.
 Lee, K., Kim, D., Ha, D., Rajput, U. and Oh, H. (2015) On Security and Privacy Issues of Fog Computing Supported Internet of Things Environment. 2015 6th International Conference on the Network of the Future, Montreal, 30 September-2 October 2015, 1-3.
 Yamauchi, M., Ohsita, Y., Murata, M., Ueda, K. and Kato, Y. (2019) Anomaly Detection for Smart Home Based on User behavior. 2019 IEEE International Conference on Consumer Electronics, Las Vegas, 11-13 January 2019, 1-6.
 Capellupo, M., Liranzo, J., Bhuiyan, M.Z.A., Hayajneh, T. and Wang, G. (2017) Security and Attack Vector Analysis of IoT Devices. International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, Guangzhou, 12-15 December 2017, 593-606.
 Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., et al. (2017) Understanding the Mirai Botnet. 26th USENIX Security Symposium, Vancouver, 16-18 August 2017, 1093-1110.
 Shirali-Shahreza, S. and Ganjali, Y. (2018) Protecting Home User Devices with An SDN-Based Firewall. IEEE Transactions on Consumer Electronics, 64, 92-100.
 Kim, B.-K., Hong, S.-K., Jeong, Y.-S. and Eom, D.-S. (2008) The Study of Applying Sensor Networks to a Smart Home. 2008 Fourth International Conference on Networked Computing and Advanced Information Management, Gyeongju, 2-4 September 2008, 676-681.
 Xu, K., Wang, F., Egli, R., Fives, A., Howell, R. and Mcintyre, O. (2014) Object-Oriented Big Data Security Analytics: A Case Study on Home Network Traffic. International Conference on Wireless Algorithms, Systems, and Applications, Harbin, 23-25 June 2014, 313-323.
 Komninos, N., Philippou, E. and Pitsillides, A. (2014) Survey in Smart Grid and Smart Home Security: Issues, Challenges and Countermeasures. IEEE Communications Surveys & Tutorials, 16, 1933-1954.
 Alghayadh, F. and Debnath, D. (2020) A Hybrid Intrusion Detection System for Smart Home Security. 2020 IEEE International Conference on Electro Information Technology, Chicago, 31 July-1 August 2020, 319-323.
 Mamdouh, M., Elrukhsi, M.A. and Khattab, A. (2018) Securing the Internet of Things and Wireless Sensor Networks via Machine Learning: A Survey. 2018 International Conference on Computer and Applications, Beirut, 25-26 August 2018, 215-218.
 Geneiatakis, D., Kounelis, I., Neisse, R., Nai-Fovino, I., Steri, G. and Baldini, G. (2017) Security and Privacy Issues for an IoT Based Smart Home.2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics, Opatija, 22-26 May 2017, 1292-1297.
 Samuel, S.S.I. (2016) A Review of Connectivity Challenges in IoT-Smart Home. 2016 3rd MEC International Conference on Big Data and Smart City, Muscat, 15-16 March 2016, 1-4.
 Altolini, D., Lakkundi, V., Bui, N., Tapparello, C. and Rossi, M. (2013) Low Power Link Layer Security for IoT: Implementation and Performance Analysis. 2013 9th International Wireless Communications and Mobile Computing Conference, Sardinia, 1-5 July 2013, 919-925.
 Giri, A., Dutta, S., Neogy, S., Dahal, K. and Pervez, Z. (2017) Internet of Things (IoT): A Survey on Architecture, Enabling technologies, Applications and Challenges. Proceedings of the 1st International Conference on Internet of Things and Machine Learning, Liverpool, October 2017, Article No. 7.
 Dey, S., Roy, A. and Das, S. (2016) Home Automation Using Internet of Thing. 2016 IEEE 7th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference, New York, 20-22 October 2016, 1-6.
 Bugeja, J., Jacobsson, A. and Davidsson, P. (2016) On Privacy and Security Challenges in Smart Connected Homes. 2016 European Intelligence and Security Informatics Conference, Uppsala, 17-19 August 2016, 172-175.
 Karimi, K. and Krit, S. (2019) Smart Home-Smartphone Systems: Threats, Security Requirements and Open Research Challenges. 2019 International Conference of Computer Science and Renewable Energies, Agadir, 22-24 July 2019, 1-5.
 Yang, Y., Wu, L., Yin, G., Li, L. and Zhao, H. (2017) A Survey on Security and Privacy Issues in Internet-of-Things. IEEE Internet of Things Journal, 4, 1250-1258.
 Brdiczka, O., Langet, M., Maisonnasse, J. and Crowley, J.L. (2008) Detecting Human Behavior Models from Multimodal Observation in a Smart Home. IEEE Transactions on Automation Science and Engineering, 6, 588-597.
 Alghayadh, F. and Debnath, D. (2020) Performance Evaluation of Machine Learning for Prediction of Network Traffic in a Smart Home. 2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference, New York, 28-31 October 2020, 837-842.
 Amouri, A., Alaparthy, V.T. and Morgera, S.D. (2018) Cross Layer-Based Intrusion Detection Based on Network Behavior for IoT. 2018 IEEE 19th Wireless and Microwave Technology Conference, Sand Key, 9-10 April 2018, 1-4.
 Doshi, R., Apthorpe, N. and Feamster, N. (2018) Machine Learning ddos Detection for Consumer Internet of Things Devices. 2018 IEEE Security and Privacy Workshops, San Francisco, 24 May 2018, 29-35.
 Shahreza, M.L., Moazzami, D., Moshiri, B. and Delavar, M. (2011) Anomaly Detection Using a Self-Organizing Map and Particle Swarm Optimization. Scientia Iranica, 18, 1460-1468.