Finding IoT Anomaly using Rough Fuzzy Periodic Subspace Clustering Approach

1. Introduction

Over the previous few years Internet of Things (IoT) networks have brought significant changes in the individual life, society and industry [1,2]. The IoT devices consists of huge number of sensors generating data over time [3] and as a result, the availability of streaming, time-series data is expanding exponentially. However, with the involvement of wide range of information and communication technology, IoT networks are exposed various security threats [4,5]. In other words, for an IoT system or the system that relies on it, there is a huge security and privacy challenges [6,7]. The challenges are in the form anomaly, fraud, intrusion or any other illegitimate activities that jeopardise the integrity of the system [8]. Although the IoT system can be reasonably protected by the defence mechanisms currently in place, malicious attackers are becoming more adept at breaking into networks. Again in the event inside attack it is more challenging to be prevented real-time. Therefore, identifying anomalies in such a system can provide actionable information in dire situations for which there are no trustworthy solutions [9,10,11,12,13,14,15,16,17,18]. Here, a new and reliable clustering-based method is put forth to address the problem.

Unsupervised learning techniques like clustering [19] are widely used to determine the distribution of data and patterns. It has recently been employed in anomaly detection as well as other branches like psychology and social science, where it has long been used extensively [20,21]. Static clustering and dynamic clustering are the two primary categories of clustering techniques. Static clustering primarily targets static datasets that are prepared before the algorithm is applied. Dynamic clustering is necessary in some applications using real-time data, such as cloud computing, IoT, finance, and stock markets. A hierarchical approach that may be applied to both static and dynamic datasets was proposed by the authors in [22]. Several incremental clustering algorithms were put forth by the authors in [23] in order to process new records or data instances as and when they are added.

There are mainly two problems encounter while dealing with anomalies in any real-time system like IoT, namely, the high-dimensionality of the data and the real-time detection of anomaly. Anomalies are often hard to find at high dimensionality. For that reason, more data are necessary to properly generalise as the number of attributes or features rises, data sparsity results. Data sparsity is brought on by these additional attributes or a sizable amount of noise from several irrelevant attributes that obscure the real anomalies. The term "curse of dimensionality" [24,25] is a well-known one used to describe the issue. As a result, it is discovered that numerous traditional anomaly detection methods [26,27,28] are inappropriate for high-dimensional data because they lose their effectiveness. [29] suggested a method for high-dimensional and categorical data anomaly detection. Similar works were presented in [30,31,32,33] Again, any real-time system like IoT generates real-time data. In such systems anomalies can be temporal or contextual [34] in nature, where the temporal order of the data is significant. To put it another way, a data instance can only be anomalous inside a particular temporal context, or more accurately, within a time-frame. Some of such anomalies can be periodic in nature i.e. occur after certain time-period of time. These anomalies are frequently difficult to detect. The development of an early warning system is one of the key applications of such abnormalities. In view of the above scenario, it is necessary to design an effective algorithm that locates clusters in the subspace of high-dimensional IoT data and detects anomalies in real-time.

Pawlak proposed rough set theory [35] to address the ambiguity and uncertainty that can be found in any dataset. Thivagar et al. [36,37], gave the notion of nano topological space in terms of the two approximations and generated CORE, a subset of attribute set of conditional attributes used for medical diagnosis. The same notion can be used for generating subset of high-dimensional IoT data

A comparison of five-time series anomaly detection techniques was done by the authors of [38]. Similar efforts were mentioned in [39,40,41,42,43,44,45,46,47]. The insider threat, which creates significant issues for the cyber security of industrial control systems, was addressed by the authors of [48]. A random forest-based strategy for online anomaly detection was presented by Zhao et al. [49]. In [50,51,52], the authors offered fuzzy-based approaches for real-time anomaly detection. In [53], the authors suggested a fuzzy neural network approach with the goal of identifying anomalies in significant cyberattacks. An effective real-time clustering-based anomaly detection system was described by the authors in [54].

Most of the algorithms discussed above have some limitations. For example, some are inefficient in finding anomaly from high-dimensional data and others are unable find real-time anomaly. Although there exist few algorithms [7,8,9,15,18,29,34,38,42,43] which efficiently detects the real-time anomaly, but a few actually addressed the periodicity of the real-time dataset. In real-time system the data generated continuously over a period of time which is the life-span of the dataset. Over the life-span of the dataset, there may be data instances of similar nature, occurs periodically. Considering the time attribute associated with IoT data as calendar dates (year_month_day_hour_minute_second), the periodic clusters can be generated where period of a cluster can be represented as sequence of life-spans of clusters. In other words, in such system it would be interesting to observe whether the clusters or anomalies generated are periodic nature or not. This information can be useful for prediction anomalies in any IoT system. In [55], the authors proposed a calendar-based periodic patterns from super-market datasets. With the help of an interval superimposition operation [56,57,58], the algorithm found match ratio which was then used to generate fully, partially and fuzzy [59] periodic patterns.

In this article, the problems of high-dimensionality, real-time and periodicity has been addressed efficiently and an algorithm is proposed which can generate fully periodic, partially periodic and fuzzy periodic clusters. It is named as RFPSCA. The algorithm uses notion of rough set theory and k-means clustering algorithm to generate clusters along with their sequence of life-spans then the interval superimposition is applied on life-spans to generate the periodicity of clusters. The objective of the paper is as follows:

Firstly, a dominance relation is defined on the dataset [60].

Secondly, an interval superimposition operation is defined and a match ratio in terms of interval superimposition is defined.

Finally, a new clustering-based method is proposed to generate periodic, partially periodic and fuzzy periodic clusters in the subspace of the dataset.

Thus, the RFPSCA first uses rough set theoretical approach to find a lower dimensional space by removing irrelevant attributes. Then the dynamic k-means clustering algorithm is applied on it to find the clusters along with their list of life-spans. At the end of this stage, each cluster will have a list of life-spans describing its period. Then the interval superimposition operation is applied on the list of life-spans to generate superimposed time-intervals along with its match ratio [55,56]. Match ratio will determine whether the corresponding cluster is fully periodic or partially periodic. Also, applying a nice method [56,57] on superimposed intervals fuzzy time interval can be generated. This way from each periodic (fully/partially) cluster fuzzy periodic clusters can be generated. Then, RFPSCA’s time-complexity is estimated. Lastly, a detailed comparative analysis is conducted with existing well-known clustering-based methods [9,10,19,46,54,61,62,63] using MATLAB implementation with Kitsune Network Attack [64] and KDDCUP’99 [65] datasets. The results efficaciously validate our technique.

The structure of the paper is as follows. In Section 2, it is discussed how this field has recently advanced. In Section 3, the problem definition is presented. Section 4 covers the proposal method (RFPSCA). Section 5 discusses the time-complexity. Section 6 of the paper contains the experiments, results, and analysis, and Section 7 of the paper contains the conclusions, limitations, and future directions.

2. Related Works

Since last couple of years IoT networks have become popular to upgrade substantially living standard of individual life, contributing the development of society and industry [1,2]. The IoT devices are generating data exponentially over time [3]. But, due to the involvement of Internet and other communication technology, IoT networks are always open to various security threats [4,5,6]. So, for any IoT system or the system which uses IoT devices the security and privacy challenges [7] are major cause of concern. Some of the common challenges for any IoT systems are in the form anomaly, fraud, intrusion or any other illegitimate activities that jeopardise the integrity of the system [8]. Although reasonable protection for IoT exist currently, but malicious attackers are becoming smart enough at breaking into networks. In [9], the authors proposed a hybrid algorithm using both partitioning and agglomerative hierarchical clustering for real-time anomaly detection. In [10], the author used a merge function in k-means algorithm to generate anomalies from mixed attribute-dataset. In [11], the authors put forwarded an agglomerative hierarchical model for the detection anomaly in network dataset. [12] built a rough set-based classification model for anomaly detection Applying automatic labelling for supervised learning, an anomaly detection scheme was proposed in [13]. An unsupervised approach for IoT anomaly detection was presented in [14]. In [15], the authors offered an efficient algorithm for online anomaly detection using self-supervised approach. In [16], the authors used correlation laws to detect anomalies. In [17], the authors proposed a new method incorporating neural process on semi-supervised anomaly detection model. In [18], the authors proposed an online anomaly detection paradigm which satisfies two key conditions: generality and scalability.

In [19], clustering paradigm was discussed in detail. Cheng et. al. [20], proposed a unified metric defined mixed attributes to generate clusters. In [21], the authors offered an agglomerative hierarchical model for clustering periodic patterns. In [22], the authors proposed a hierarchical clustering approach for both static and dynamic datasets. The authors of [23] offered many incremental clustering techniques that could handle newly added records or data instances. There are mainly two problems encounter while dealing with anomalies in any real-time system, namely, the high-dimensionality and the real-time detection of anomaly. In [24], the authors used on-class support vector machine for effectively detecting anomaly from high-dimensional data. In [25], the authors introduced a survey on contemporary anomaly detection paradigms. Kaya et. al. [26] analysed different methodologies for the communication patterns recognition. In [27], the authors suggested an efficient scheme for detection high-dimensional anomalies. In l28] the authors addressed the high-dimensionality and proposed an unsupervised method for anomaly detection in such data. A nice algorithm for anomaly detection in high-dimensional and categorical data was proposed in [29]. Taking into account the compactness and separation clusters, a nice anomaly detection algorithm was presented in [30]. In [31], the authors offered an R-based implementation density-based clustering algorithm. In [32], the authors presented a hybrid approach consisting of semi-supervised approach for anomaly detection in high-dimensional data. In [33], the authors proposed a mixed approach consisting of rough set theory and density-based clustering algorithm for the anomaly detection in high-dimensional data. In [34], the authors addressed issue of temporality of anomaly and proposed a clustering-based system for real-time anomaly detection in streaming data.

Rough set theory as tool to deal the ambiguity and uncertainty occurring any real-system was proposed by Pawlak [35]. In [36], the authors applied the rough set theory to produce nano topology. In [37], the authors applied the notion nano topology for medical diagnosis. The same notion was used for attribute reduction high-dimensional IoT data [33]. The authors carried out comparative analyses of five-time series anomaly detection methods in [38]. Alghawli [39], proposed an efficient algorithm for detection abnormal telecommunication traffic. In [40], the authors offered an anomaly detection model based on data mining approach. In [41,42,43], the authors carried out a widespread survey on anomaly detection appraoches for high-dimensional big data. Halstead et. al. [44], proposed a method using diverse meta-features for identifying recurring concept drift in data streams. In [45], the authors put forwarded a classification two-layered model for the online anomaly detection of highly unreliable data. In [46], the authors presented a scheme for online detection of anomaly in data stream. In [47], the authors proposed to evaluate cyber-risk for operation technology system. In [48], the authors discussed insider threat, which creates significant issues for the cyber security of industrial control systems. Zhao et al. [49] presented an online anomaly detection model based on random forest method. Izakian et. al. [50], proposed to introduce fuzzy in anomaly detection by proposing a fuzzy c-means-based technique. Similar works were reported in [51,52]. Souza et. al. [53], presented a fuzzy neural network-based approach for detecting anomalies in massive cyberattacks. In [54], the authors presented an effective clustering-based real-time anomaly detection system. Mahanta et. al. [55], proposed a calendar-based periodic patterns from super-market datasets. In [56], the authors used an interval operation called interval superimposition to find the solution of a fuzzy linear equation. In [58], the authors proposed a lemma call Glivenko-Cantelli lemma. Using the lemma on superimposed intervals [56], fuzzy interval [57,59] can be generated. In [60], the authors proposed a dominance relation on conditional attributes to generate set-valued ordered information systems.

3. Problem Definitions

In below, we present some important terms and definitions used in this paper.

Definition 3.1

Quadruple S=(U, A, V, f), where U is a non-empty finite set of objects, A is a finite set of attributes, V=∪V_a, V_a being domain of the attribute a∈A defines a set-valued information system [60]. A function f:U×A→P(V) is defined as ∀ x∈U, a∈A, 1 ≤ f(x, a)∈ V_a. Also we take, the attribute set A={C∪{d}; C∩{d}=φ; C, the set of conditional and d the decision attributes}.

Definition 3.2

If the domain of a conditional attribute can be arranged in ascending or descending order of preferences, then such attribute is called as criterion [36]. If every conditional attribute is a criterion, then the information system is known as set-valued ordered information system [60].

Definition 3.3

The attribute is an inclusion criterion if the values of some objects in U under a conditional attribute can be sorted according to inclusion increasing or decreasing preferences [60].

Definition 3.4

Let us assume a set-valued ordered information system having inclusion increasing preference. Also let us define a relation $R_A^{\ge }$ [60] as

$$R_A^{\ge }=\left\{\left(y,x\right)\in U\times U:f\left(y,a\right)\ge f\left(x,a\right)\forall a\in A\right\}$$

(1)

$R_A^{\ge }$ is said to be the dominance relation on U. When${(y, x)\in R}_A^{\ge }$then$y{\ge }_{A}x$, that means y is at least as good as x with reference to A.

Property 1

The inclusion dominance relation$R_A^{\ge }$

[60] is i) reflexive, ii) unsymmetric, and iii) transitive.

Definition 3.5

For x∈U, we define the dominance class [36,37] of x as

$$[{x]}_A^{\ge }=\{yϵU:\left(y, x\right)ϵR_A^{\ge }\}=\{yϵU:f\left(y, a\right)\ge f\left(x,a\right), \forall a ϵ U\}$$

(2)

where$U_A^{\ge }=\{{\left[x\right]}_A^{\ge }:x ϵ U\}$is the family of dominance classes.

Remark 1

${\mathrm{U}}_{\mathrm{A}}^{\ge }$

is never be a partition of U, rather creates a covering of U, that is U=∪ $[{\mathrm{x}]}_{\mathrm{A}}^{\ge }$.

Definition 3.6

For a given set-valued ordered information system S ={U, A, V, f} and for X ⊆ U, the upper approximation and lower approximation of X are respectively expressed as [36,37]

$$U_A^{\ge }\left(X\right)=\left\{xϵU:{\left[x\right]}_A^{\ge }\cap X\ne \varphi \right\}$$

(3)

And

$$L_A^{\ge }\left(X\right)=\{xϵU:[{x]}_A^{\ge } \subseteq X\}$$

(4)

Also the boundary region of X is given by

$$B_A^{\ge }\left(X\right)=U_A^{\ge }\left(X\right)-L_A^{\ge }\left(X\right)$$

(5)

Definition 3.7

For a set-valued ordered information system S, B (⊆A) is termed as criterion reduction of S if$R_A^{\ge }=R_B^{\ge }$and$R_M^{\ge }\ne R_A^{\ge }$for any M ⊆ A. In otherward, a minimal attribute set B is a criterion reduction of S if$R_A^{\ge }=R_B^{\ge }$ [36,37].

Definition 3.8

CORE(A) is given by CORE(A) =$\{aϵA:R_A^{\ge }\ne R_{A-\left\{a\right\}}^{\ge }\}$[see eg [36,37]]

Definition 3.9

Let$R_C^{\ge }$be a dominance relation on U, then${\tau }_C^{\ge }\left(X\right)=\{U, \varphi ,U_C^{\ge }\left(X\right), L_C^{\ge }\left(X\right), B_C^{\ge }\left(X\right)\}$forms a nano topology [36,37] on U with respect to X. And ${\beta }_C^{\ge }\left(X\right)=\{U, U_C^{\ge }\left(X\right), L_C^{\ge }\left(X\right)\}$ is the basis for ${\tau }_C^{\ge }\left(X\right)$. Furthermore, Core(C)=$\{aϵC:{\beta }_C^{\ge }\ne {\beta }_{C-\left\{a\right\}}^{\ge }\}$=$\cap$red(C) where red(C) denotes the criterion reduction.

Definition 3.10

Consider an information systemS=(U, A, V, f) consisting of m entities or objects x₁, x₂,...x_m. Let the attribute set A has n members. Then, S is expressed as an m×n matrix with rows as objects and columns as attributes. Attributes can be designated as dimensions.

Definition 3.11

Let us consider a_i=(a_i1, a_i2,…a_in) as the a_i’s numeric attribute, then the distance d(a_i, C_j) between a_i; i=1,2,..n and cluster C_j; j=1,2,…k is defined as follows.

$$d(a_i,C_j)=\frac{{}^{{\left|\left|a_i-c_j\right|\right|}^2}}{{\displaystyle \sum _{t=1}^k{\left|\left|a_i-c_t\right|\right|}^2}}$$

(6)

where c_j is the C_j,’s centroid and d(x_a, C_j)∈[0, 1].

Definition 3.12

Support and core of a fuzzy set.

The support of a fuzzy set A in X is the crisp set containing every element of X with membership grades greater than zero in A and is notified by S(A) = {x ∈ X; μ_A(x) > 0}, whereas the core of A in X is the crisp set containing every element of X with membership grades 1 in A [see e.g., [59]]. Obviously core [t₁, t₂] = [t₁, t₂], since a closed interval [t₁, t₂] is an equi-fuzzy interval with membership 1 [see e.g., [56,57,59]].

Definition 3.13

Set Superimposition.

Set superimposition (S), an operation, was proposed in [56] as follows;

A₁ (S) A₂ = (A₁ − A₂)^(1/2) (+) (A₁∩ A₂)⁽¹⁾ (+)(A₂ − A₁)^(1/2)

(7)

where (A₁ − A₂)^(1/2)) and (A₂ − A₁)^(1/2) are fuzzy sets [57,59] with constant membership value (1/2), and (+) signifies union of disjoint sets. To elaborate it, let A₁ = [s₁, t₁] and A₂ = [s₂, t₂] are two real intervals such that A₁∩A₂ ≠ ϕ, we will get a superimposed part. When two intervals are superimposed, each interval contributes a half of its value to the superimposed interval, so from Equation (7) we obtain

[s₁, t₁](S)[s₂, t₂] = [s₍₁₎,t₍₂₎]^(1/2) (+) [s₍₂₎,t₍₁₎]⁽¹⁾ (+) (s₍₁₎,t₍₂₎]^(1/2)

(8)

where s₍₁₎ = min(s₁, s₂), s₍₂₎ = max(s₁, s₂), t₍₁₎ = min(t₁, t₂), and t₍₂₎ = max(t₁, t₂).The superimposition process is presented using Figure 1, Figure 2 and Figure 3 below.

Similarly, three intervals [s₁, t₁], [s₂, t₂], and [s₃, t₃], (with non-empty intersection) are superimposed to get the following expression.

[s₁, t₁](S)[s₂, t₂](S)[s₃,t₃]=[s₍₁₎,s₍₂₎]^(1/3) (+)[s₍₂₎,s₍₃₎]^(2/3) (+) [s₍₃₎,t₍₁₎]⁽¹⁾(+) [t₍₁₎,t₍₂₎]^(2/3) (+)[t₍₂₎,t₍₃₎]^(1/3)

(9)

where the sequence {s_(i); i = 1, 2, 3} arranged from {s_i; i = 1, 2, 3} in increasing order of magnitude and {t_(i); i = 1, 2, 3} is also arranged from {t_i; i = 1, 2, 3} in the similar fashion.

Let [s_i ,t_i], i = 1,2,…,n, be n real intervals with${\displaystyle \underset{i=1}{\overset{n}{\cap }}\left[s_i,t_i\right]}$ ≠ ϕ .Using generalization (9) gives as follows.

[s₁, t₁](S) [s₂, t₂](S) ... (S)[s_n, t_n] = [s₍₁₎, s₍₂₎] ^(1/n) (+) [s₍₂₎, s₍₃₎]^(2/n) (+) ... (+) [s_(r), s_(r+1)]^(r/n) (+) ... (+) [s_(n),t₍₁₎]⁽¹⁾(+)[t_(1),t₍₂₎]^((n−1)/n)(+)...(+)[t_(n-r),t_(n-r+1)]^(r/n)(+)...(+)[t_(n-2),t_(n-1)]^(2/n)(+)[t_(n-1),t_(n)]^(1/n)

(10)

In (10), the sequence {s_(i)} is organized from {s_i} in increasing order of magnitude for i = 1,2,… n and similarly {t_(i)} is also organized from {t_i} in increasing order of magnitude [57]. It is to be noted here that the membership functions are the mixture of empirical probability distribution function and complementary probability distribution function given as follows

$${\gamma }_1\left(x\right)=\left\{\begin{array}{c} 0, x<s\left(1\right) \\ \frac{r-1}{m}, s\left(r-1\right)<x<s\left(r\right)\\ 1, x>s\left(m\right) \end{array}\right.$$

(11)

And

$${\gamma }_2\left(x\right)=\left\{\begin{array}{c} 1, x<t\left(1\right) \\ 1-\frac{r-1}{n}, t\left(r-1\right)<x<t\left(r\right)\\ 0, x>t\left(n\right) \end{array}\right.$$

(12)

The membership function of the fuzzy interval [57,59] will be provided to us by Equations (11) and (12), which together use the Glivenko-Cantelli Lemma of order statistics [58].

Definition 3.14

Match ratio

If n be the number of periods in the life-span of dataset (no. of years/months/days etc.) and m be the number of time-intervals in the list of life-spans of any cluster, then m/n is called match ratio. Obviously, 0 ≤ m/n ≤ 1. For m/n< 1, the corresponding cluster is partially periodic and for m/nv=1, fully periodic.

4. Proposed Algorithm

For detecting anomalies, a partitioning subspace clustering approach is employed. The method first uses rough set theoretic approach for attribute or dimension reduction and then uses dynamic k-means clustering approach for finding clusters along with their life-spans. Each cluster will have a sequence of time intervals representing its life-spans. Then, interval superimposition-based approach is employed to find the periodic clusters along with the noises. The propose method is as follows. Here the dataset S=(U, A) is an information system consisting of both conditional attributes and decision attributes. First of all, the data pre-processing techniques is employed to convert the information system as set-valued ordered information system. Then, a dominance relation is generated on the ordered information system. With reference to the dominance relation, a nano topology and its basis is generated. Then the criterion reduction process is used to generate CORE(A) as a subset of attribute set A and new information system E=(U, CORE(A)) on U is formed which is a lower dimensional space. The pseudocode of the algorithm for the criterion reduction is given below.

Algorithm 1. Subspace Generation.

Input. (U, A): the information system, where the attribute set A is divided into C-conditional attributes and D-decision attributes, consisting of n objects, Output: Subspace of (U, A) Step1. Generate a dominance relation $R_C^{\ge }$ on U corresponding to C and X⊆U. Step2. Generate the nano topology ${\tau }_C^{\ge }\left(X\right)$and its basis ${\beta }_C^{\ge }\left(X\right)$ Step3. for each x∈C, find ${\tau }_{C-\left\{x\right\}}^{\ge }\left(X\right)$and ${\beta }_{C-\left\{x\right\}}^{\ge }\left(X\right)$ Step4.    if (${\beta }_C^{\ge }\left(X\right)={\beta }_{C-\left\{x\right\}}^{\ge }\left(X\right)$) Step5.        then drop x from C, Step6.    else form criterion reduction Step7. end for Step8. generate CORE(C)=∩{criterion reductions} Step9. Generate subspace of the given information system

The above algorithm supplies the CORE of the attribute set by removing insignificant attributes which gives us a subspace E=(U, CORE(A)) of the given information system S=(U, A). Then a dynamic k-means is applied on E. The algorithm is as follows. Following is an explanation of the algorithm: First of all, it randomly picks first k –data instances from the CORE(A) as k-clusters-centroid with associated time-stamp (time of generation) as start-time of their life-spans. For each cluster, a last-time and a list is maintained to keep last time-stamp and life-span of each cluster respectively. Initially start-time =last-time. If a data instance is added to a cluster based on how far away from the cluster centroid it is, its current time-stamp (current-time) is added to the life span to obtain an updated life span, provided that the time gap between the cluster's last-time and the data instance current-time is within a predetermined range, such as t_max. Otherwise, a new life-span will start by setting current-time as start-time and the previous life-span of the cluster will be closed with last-time as end of the life-span. The life-span of the cluster will be put to the list maintained for it if its length is more than a specified length (say t_min). The life spans of the earlier and later clusters are updated if a data instance switches from one cluster to another during the execution process. For instance, if the time stamp on the outgoing data instance is either the start-time or end-time of the preceding cluster, the life-span of the prior cluster is updated by using the next or previous cluster time-stamp. Updates are made to the cluster-centroids also. Again, the life spans of the former and later clusters will not change if the time stamp of the outgoing data instance falls within those life spans, but the cluster centroids will be modified. Similar to this, if the time stamp of a data instance migrating from one cluster to another falls outside the later cluster's life-span, the cluster-centroid is updated and the later cluster's life-span is updated as well, provided that the time gap between the two clusters is within a certain limit (t_max). The pseudocode of the algorithm is given below.

Algorithm 2: Dynamic k-means clustering algorithm

Input. E: Information system consisting n objects and attribute set CORE(A) ⊆ A, tmax: the maximum time-gap of consecutive time-stamp, tmin: the minimum length of life-span. Output. Set of clusters where each cluster is associated with a sequence of time intervals as its life-spans Step1. Given d1-dimensional dataset CORE(A) Step2. Select C[i]={x[i], tp[i]}; i=1,2,..k, where x[i] be the data instances or means of clusters, tp[i] points to list of time-intervals each maintained for every cluster contains time-stamps (start-time) of x[i] and start-time = last-time initially Step3. for each incoming data instance x with current time-stamp current-time Step3.    { if d(x, Cj) ≤ d(x, Ci), i ≠ j; i =1, 2,…k Step4.       {Add x to Cj Step5.        Update mean(Cj) Step6.         if (|current-time – last-time[j]|≤ tmax) Step7.           {if(last-time[j] ≤ current-time) Step8.               extend life-span(Cj) by setting last-time[j] = current-time Step9.           else go to Step3 Step10.           } Step11.           else if(|last-time[j] - start-time|≥ tmin Step12.           {Add [start-time[j], last-time[j]] to tp[j] Step13.         set last-time[j] = start-time[j] = current-time Step14.           } Step15.       } Step16.     } Step17. if (assign does not occur) go to Step19 Step18 else go to Step3 Step19. Output cluster set

Here each output cluster in the final output cluster set is having a sequence of time-intervals describing its life-span. It should be noted that only clusters with life-spans of at least t_min are provided by Algorithm 2.

For each cluster with sufficient number of time intervals as its life-spans, the following procedure is applied to find periodic clusters from the interval list. The interval superimposition operation is to keep the information about the periods. The interval superimposition is used only if the periods have overlapping or non-empty intersection. Throughout algorithm3 execution, a list of superimposed time periods is maintained. The total number of periods of any clusters is taken as n (number of Years/Months etc.). To determine whether a new crisp time-interval can be superimposed on already superimposed time-interval or not. it is checked whether the interval has non-empty intersection with the core of superimposed time interval or not (the definition of core is given in Section 3). If it has then the superimposition process is computed to get a new superimposed time interval and membership values are reconstructed accordingly. The list of superimposed time intervals is initially empty. A full pass through the time interval list of a cluster is conducted during algorithm3 execution. When it switches to a new time interval, it determines if it can be superimposed on any of the previously obtained superimposed intervals. If so, the superimposition process is performed, which updates the relevant superimposed time interval. This interval is added as a new entry to the list if it does not superimpose with any of the previously acquired superimposed time intervals (kept as a list). Finally, each superimposed time intervals is examined to determine the number of time intervals superimposed in one place and kept using a counter (m). At the beginning of superimposition process of an interval the value of m is taken as 1. If an interval is superimposed the interval, then m is updated by adding 1 to it. At the execution for a cluster the match ratio is obtained with help of m and n. If match ratio is found to be 1, the corresponding cluster is fully periodic else partially periodic. Each superimposed time intervals produces a fuzzy time interval. This way, the fuzzy periodic clusters can be obtained. The pseudocode for the process is given below.

Algorithm 3: algorithm for finding periodic(fully/partially) and fuzzy periodic clusters.

Step1. For each cluster c with list of line-spans L. Step2. initially Lc=null // Lc is the list of superimposed intervals Step3. lt = L.get() // lt points to the 1st time interval (life-span) in L Step4. Lc = append(lt) Step5. m=1 // m = number of intervals superimposed Step6. while((lt=L.get())!=null) Step7.     {flag = 0 Step8.       while ((lct =L.get())!=null) Step9.         if (compsuperimp(lt, lct) Step10.         flag =1 Step11.       if (flag == 0) Step12.       Lc.append(lt) } Step13.     } Step14.       } Step15.     compsupeimp(lt, lct) Step16.       if(|intersect(lct, lt)!=null)| Step17.   { superimp(lct, lt) Step18.     m++ Step19.     return 1 Step20.     } Step21   return 0 Step22. match ratio = m/n // n = number periods in the whole dataset. Step23. if (match=1) Step24. the cluster c is fully periodic Step25. else partially periodic Step26. generate fuzzy intervals from superimposed intervals to get fuzzy periodic clusters. Step27. End

The function compsuperimp(lt, lct) initially finds the intersection between lt and the core of lct. If it is found to be non-empty, the function computes the superimposition process by reconstructing the membership values. If lt has been superimposed on lct it returns 1 else otherwise returns 0. get () and append () are functions operating on time interval lists to get a pointer to the next time interval in a list and to append a time interval into a list respectively. For each cluster, a counter (m) is also kept in order to keep track of how many time intervals are superimposed in one place. The match ratio is computed with the help of m. If the match ratio is found to be 1, the corresponding cluster is fully periodic else partially periodic. Finally, the fuzzy intervals can be generated with the help of superimposed intervals to get fuzzy periodic patterns The flowchart for the proposed method is described in Figure 4 below.

Anomalies are data instances or groups of data instances that either belong to sparse clusters or don't fit the defined life-spans. As a result, a data instance may be anomalous depending on both its generation time and its distance from clusters.

5. Complexity Analysis

For generating dominance classes and corresponding classes, the algorithm needs to compare values of all the possible pairs of objects from U in all dimensions, there can be at most |U|×|U|×|C| number of comparison. So, the computational complexity for step1 is O(n².d), where |U|=n, and |C|=d. For generating the nano topology, the lower approximation and approximation of the set has to be generated, which takes computational time O(|X|.|U|). So the total computational cost of step1 and step2 is O(n².d+|X|.|U|)= O(n².d) which is the worst-case complexity. From step3 for loop starts and it runs over the at most all the attribute set. The computation of step 4 to step7 takes constant time say O(k₁), where k₁=constant. Therefore, the computational cost from step3 to step8 is O(k₁d). Similarly, that of step9 and 10 is also constant say O(k₂), where k₂=constant. The overall complexity of algorithm 1 is O(n².d + k₁d+ k₂)=O(n².d). For finding complexity of Algorithm 2, the following steps are taken. Let k (≤ n) be number of clusters. The computational cost of centroid is O(n + n.k.d₁) = O(n.k.d₁), where d₁ (≤d), is the dimension of the CORE. Also, O(2n.k) = O(n.k) is the time required compute the minimum distance and time-gap for each cluster. The cost of updating cluster-mean and life-span is O(2k). The total cost of Algorithm 2 is O(i(n.k.d₁ + n.k + k)) = O(i.n.k.d₁) = O(n³) as i (≤ n), the number of iterations, k ≤ n, and d₁ is considerably small. The worst-case complexity of the whole method is O(n².d + n³). For finding time-complexity of Algorithm 3, we proceed as follows. Let n₁ be the size of sequence of time-intervals associated with a cluster and n₂ be the average number of time-intervals superimposed. For each time-interval of a cluster, it is required to make pass through the list of superimposed time-intervals to check whether the corresponding time-interval can be superimposed on any of the available superimposed time-intervals or not. For this the intersection of the current time-interval with the core of the superimposed time-interval is computed which requires O(1) time. If the current time-interval superimposes then its boundaries are to be inserted into two sorted arrays used to keep the end points of the superimposed time-intervals (one sorted array for left end points and other for right end points). Now, searching in a sorted array requires O(log n₁) time and insertion needs O(n₁) time. The two end points requires O(2(log n₁ + n₁)) = O(n₁) time. For one cluster the process requires O(n₁ .p .n₂) time, where p is size of the list superimposed time-intervals. But p = O(n₁), and n₂ = O(n₁); the overall time-complexity in the worst-case is O(n₁³). For k clusters, the total time-complexity in worst-case is O(k .n₁³). Therefore, the worst-case complexity of the whole method is O((n².d + n³) + k .n₁³). Also k = O(n), which gives the time-complexity as O(n².d + n³ + n .n₁³) = O(n³ + n .n₁³), as d ≤ n, which is the time-complexity of the method in worst-case. Since the time-complexity of the method depending on n and n_1, and not depending on d (dimension). It runs mostly cubic time. The algorithm looks efficient for finding anomalies in high-dimensional data

6. Experimental Analysis and Results.

In this Section the experimental studies are conducted and comparative analysis of the proposed method is performed against ten different clustering-based anomaly detection algorithms namely k-means [19], IF (Isolation Forest) [61,62], SC (Spectral Clustering) [54], HDBSCAN (hierarchical density-based spatial clustering of applications with noise) [63], ACA (Agglomerative Clustering Algorithm) [54], LOF (Local Outlier Factor) [54], SSWLOFCC (streaming sliding window local outlier factor coreset clustering algorithm) [54], PCM (Partitioning Clustering with Merging) [10], OnCAD (Online Clustering and Anomaly Detection) [46], and MCA (Mixed Clustering Algorithm) [9]. The dataset employed for the experiment is Kitsune Network Attack dataset [64] and KDDCUP’99dataset [65], collected through the UCI machine repository. The Kitsune dataset [64] is a multi-variate, sequential, time-series dataset with real and temporal attributes. It has 27,170,754 data instances and its number of attributes is 115. Whereas, KDDCUP’99 [65] is a multi-variate dataset with numeric, categorical and temporal attributes. It has 4,898,431 data instances and its number of attributes is 41.

The proposed method is implemented using MATLAB. The implementation process consists of three stages, input data pre-processing, periodic subspace clustering, and testing. First of all, the method accepts the input data converts it to set-valued matrix. The matrix representation of the dataset is the information system. Since rough set can’t deal with continuous attribute, so they are discretized at the same. The algorithm1 is then applied to find the subset of the attribute set by removing the insignificant attributes and by using the concept of dominance relation, nano topology and its basis. The algorithm1 gives subset as CORE of the attribute set. Then the algorithm2 is applied on CORE to find clusters along with the set of sequence time-intervals where each cluster is associated with a sequence time intervals describing its life-span. For, the efficient implementation, two parameters namely t_min (minimum length of a life-span = 180 minutes) and t_max (maximum time-gap between two consecutive time-stamps associated with a cluster =20 minutes) are to be specified. Then the algorithm3 is applied the clusters to generate periodic, partially periodic and fuzzy periodic clusters. The performances of the method along with afore-mentioned methods in terms of accuracies in detection rate are recorded. The details of the outcomes of the investigations are presented both in the tabular form and graphically in Table 1 and graphically in Figure 5, Figure 6, Figure 7, Figure 8, Figure 9, Figure 10 and Figure 11 respectively below.

It following observations can be drawn from the obtained results.

The k-means algorithm is reasonably good as per as the accuracy of anomaly detection is concern. However, it is sensitive to both the dataset and the dimensions. It is also sensitive to the distribution of the dataset in the plane. It cannot supply periodic clusters

The IF model is reasonably good in terms of the accuracy of the anomaly detection, however, it is efficient up to a certain dimensional dataset and beyond which its efficacy decreases rapidly. It cannot supply periodic clusters.

The SC algorithm is not good in terms of both the accuracy of anomaly detection and the execution time. It is not applicable for finding periodic clusters

The HDBSCAN is very poor both in terms both the accuracy of detection and the execution. Though it works very good in lower dimensional data, its performance decreases with respect to increment in the dimension of dataset. It is not applicable for finding periodic clusters.

The ACA is reasonably good in terms of both the accuracy of anomaly detection and the execution time, however it is very sensitive to the order of input to the algorithm. It not useful in determining periodic clusters.

The LOF algorithm is quite better in terms of both the accuracy of anomaly detection and the execution time. However, it has similar issues like k-means algorithm.

The SSWLOFCC is a better algorithm as per as real-time anomaly detection is concern. Its performance does not depend much on the size of the dataset. However, its execution increases with increment of the dimension as well as the size of the dataset. It also cannot extract periodic clusters.

The PCM is an algorithm consisting of both k-means and hierarchical agglomerative approaches. However, its performance decreases with the increase of the size of the dataset and the dimension. As its performance heavily depends on both the algorithm. It cannot be used for finding periodic clusters.

The OnCAD has a problem dimensionality. Its accuracy of the anomaly detection and the execution time fall rapidly with the increase of the data size and dimensions. It cannot find periodic clusters.

The MICA is very good as per as the accuracy of anomaly detection is concern. It has the accuracy of 98% which is quite impressive. It execution time is also reasonably good. However, it cannot be used for finding periodic clusters.

The proposed algorithm (RFPSCA) is very good as per as the accuracy of anomaly detection is concern. Its detection rate is almost same for both the datasets with different sizes and dimensions. Its accuracy of the detection rate is 98% and 98.3% for KDDCUP’99 [65] and Kitsune [64] datasets respectively. It has the ability to extract periodic clusters which others cannot. Though, its execution time is little more than that of others, the rate of increase is reasonably less. Extra time requires is the time of finding subspace and extracting periodicity. Thus, the execution time of RFPSCA depends mostly on the dataset sizes and the number of periods associated with a cluster as its life-span.

Moreover, the RFPSCA’s time-complexity is compared in contradiction of that of k-means [19], IF model [61,62], SC Algorithm [54], HDBSCAN algorithm [63], ACA Algorithm [54], LOF algorithm [54], SSWLOFCC algorithm [54], PCM algorithm [10], OnCAD algorithm [46], and MCA Algorithm [9]. The results are presented graphically in Figure 12 and Figure 13. It has been found that most of the aforesaid algorithms not only depends on dataset sizes but also on dimension of the dataset. In fact, some are inefficient in high-dimensional data and other efficacy decreases with the increase of dataset’s size and dimension. However, RFPSCA depends mostly on size of dataset and is a bit dependent on the sequence of time-intervals associated with every clusters which is negligible factor. So, RFPSCA runs mostly in cubic time.

7. Conclusions, Limitations and Lines for Future works

7.1. Conclusions.

In this article, a clustering-based method for finding IoT anomalies in a subspace is given. The method first uses, nano topology-based attribute reduction approach for finding subspace as a CORE. Then, a dynamic k-means clustering approach is employed to find k-clusters in the subspace. It is to be mentioned here that the clusters obtained by the aforesaid approach will have k-number of sequence time-intervals where each cluster is associated with a sequence describing its life-span. Then, using an interval superimposition method a match for each cluster is computed which determines whether the cluster is fully or partially period. The set of superimposed time-intervals will give fuzzy time intervals. At the end, the method supplies fuzzy periodic clusters in the subspace. Since the obtained clusters are periodic nature, they provide more detail information about the nature of the data instances. The anomalies would be mostly doubtful instances which do not belongs any of the periodic clusters. The proposed method is named as RFPSCA.

The time-complexity of the method is computed and found to be O(n³ + n .n₁³) in worst-case, where n = the number of instances and n₁ = the maximum number of intervals associated with any cluster. Obviously n₁ is very small in comparison to n. Therefore, the method runs in cubic time approximately.

For finding efficacy further, ten well-known clustering-based algorithm taken and a detailed comparative analysis is conducted against RFPSCA with two well-known datasets namely KDDCUP’99 [65] and Kitsune [64] Network anomaly detection datasets. RFPSCA is found be efficient than others for detecting anomalies in high-dimensional data. Experimentally, it has been found that that RFPSCA can extract anomaly with around 98% of accuracy.

7.2. Limitations and Future directions of work

The proposed RFPSCA has some limitations. Firstly, it is unable to deal with continuous data as since rough set is inefficient to handle continuous data. Secondly, since the method is partitioning-based approach uses k-means algorithm, it has the similar issues like k-means algorithm in finding anomalies. For example, the centroid of any cluster can be pulled by anomalies or there may be a cluster of anomalies extracted by the method which looks like normal cluster. Finally, the method cannot detect anomalies from temporal interval data.

Future works can be possible in the following lines

Method other than k-means approach can be employed for efficient IoT anomaly detection.

Effective method can be proposed to deal with continuous attributes or temporal interval dataset.