SENMQTT-SET: An Intelligent Intrusion Detection in IoT-MQTT Networks Using Ensemble Multi Cascade Features

Recently, the number of Internet of Things (IoT) networks has grown exponentially, which results in more data sharing between devices without appropriate security mechanisms. Since huge data management is involved, maintaining the time constraints between the devices in IoT networks is another significant issue. To address these issues, an intelligent intrusion detection system has been adapted to recognize or predict a cyber-attack using Elite Machine Learning algorithms (EML), and a lightweight protocol is used to manage the time-constrained issue. The experimental analysis of the work is done on a testbed setup with the hardware and sensors connected using the lightweight Message Queue Telemetry Transport (MQTT) protocol. This comprises three parts: (i) collection of data with the help of sensors for three different scenarios, called SEN-MQTTSET; (ii) multi-context feature generation using an ensemble statistical multi-view cascade feature generation algorithm from the SEN-MQTTSET dataset; and (iii) evaluating the dataset using ML algorithms. The SEN-MQTTSET dataset has been created from three scenarios: normal, attack on a subscriber, and attack on a broker. The multi-context feature is generated from the raw dataset using an ensemble statistical multi-view cascade feature generation algorithm. The EML is proposed to select the best model for intrusion detection among ML algorithms such as Logistic Regression, K-Nearest Neighbour, Random Forest, Naive Bayes, Support Vector Machine, Gradient Boosting, and Decision Tree by performance metrics such as accuracy, prediction time, F1-score, and others. The proposed dataset is validated and the accuracy is found to be above 99% for the considered system model. Different quality parameters have been carried out for legitimate and attack traffic features to calculate the delay between the IoT-MQTT network.

conventional client-server architecture. In the client-server model, a client communicates directly with an endpoint. Figure 1 shows the general architecture of MQTT (pub/sub model). The pub/sub paradigm separates the client that sends a message (the publisher) from the client that receives the message (the subscriber). The publisher and the subscriber have no direct contact and no knowledge of each other's existence. The third component, the MQTT broker, connects publishers and subscribers by filtering all incoming messages and distributing them accurately to subscribers. The MQTT control packet frame structure consists of a fixed header (mostly available in all MQTT control packets), a variable header (available in some MQTT control packets), and a payload (available in some MQTT control packets). Data transmission using the MQTT protocol is done with the topic name and QoS levels. There are three QoS levels: (i) QoS 0 is responsible for only one delivery, (ii) QoS 1 is responsible for at least one delivery, and (iii) QoS 2 is responsible for exactly-once delivery [6]. The rest of this paper is organized as follows: Some of the recent related works are presented in Section II. Section III describes the architecture setup and the proposed algorithms by machine learning (ML) techniques. Section IV shows the experimental testbed with results and discussions. Section V concludes this paper.

II. RELATED WORKS
A detailed taxonomy [7] of features in various MQTT protocols has been compared with other M2M protocols, which is useful for end-users in choosing an appropriate broker or client suitable for implementation. The publish and subscribe protocol using MQTT-S, the open-source secured MQTT protocol extension adopted for wireless sensor networks (WSN), is described in [8]. The MQTT-S architecture consists of two components, namely an MQTT-S client and an MQTT-S gateway. The MQTT-S client enables the pub/sub of messages from the sensors to actuators. The MQTT-S gateway has two separate gateways, namely transparent and aggregating. The transparent gateway has many MQTT connections between the gateway and the brokers with MQTT-S clients linked to the gateway. A single MQTT connection to the broker with MQTT-S clients is referred to as an aggregating gateway. An MQTT-S client is only used to send messages in QoS 0, and it does not allow the broker to send messages to clients in QoS 1 or QoS 2.
The packet collection and analysis method [9] is used to measure the network environment and analyze the message loss and end-to-end delay for different QoS levels (QoS 0, QoS 1, and QoS 2) and payload sizes. The network experiments were done with wired and wireless connectivity between the pub/sub and the broker for comparison. The correlation coefficient measures the message loss and end-to-end delay in different QoS levels of the MQTT protocol. Smart home automation is implemented [10] using the ESP8266 controller and the MQTT protocol. The sensors and actuators such as a light-dependent resistor (LDR), light-emitting diode (LED), and buzzers are connected to the ESP8266 with the Mosquitto [11] MQTT broker. The intensity of light is measured by using an LDR sensor, and the data is sent to an MQTT broker. The actuator's LED or buzzer can then subscribe to the data from the broker and act accordingly. All the data gathered from sensors and actuators is also sent to a cloud-based platform to aggregate, analyze, and visualize the data. A customized graphical user interface (GUI) was designed to monitor sensor data and control the devices remotely. Table 2 elaborates the recent works related to intrusion detection systems (IDS) on IoT networks.

| Reference | Year | Detection Method | Inference |
|---|---|---|---|
| [12] | 2013 | Anomaly-based | The IPv6 enabled IDS framework for securing IoT devices using 6LoWPAN has been discussed with various vulnerable attacks inherited on the framework based on WSN and IoT protocols |
| [13] | 2016 | Pattern-based | The Raspberry Pi with an open-source IDS called Snort has been used to detect the vulnerability in the IoT networks |
| [14] | 2018 | Anomaly-based | A plug and play-based network IDS called KitNET has been designed based on autoencoders |
| [15] | 2018 | Pattern-based | An enhanced pattern recognition algorithm based on IDS has been used to secure the IoT networks with a four-layered architecture |
| [16] | 2019 | Anomaly-based | To achieve a high detection ratio of attacks in IoT networks, a deep learning-based IDS with a combination of spider monkey optimization algorithm and stacked deep polynomial network is used to select optimal features |
| [17] | 2020 | Anomaly-based | To detect DDoS, DoS, Scan, and Theft attacks on the BoT-IoT dataset, a two-stage hierarchical IDS employing Multimodel Deep Autoencoders with soft classifiers is used |
| [18] | 2020 | Anomaly and Pattern-based | Passban-based IDS is used to protect IoT devices and gateways with ML algorithms |

The MQTT protocol is used to obtain the status of crude oil production with a two-step approach, as discussed in [19]. As a first step, the service architecture of the crude oil refinery is constructed with the combination of MQTT and Azure cloud to enable reliable data and command delivery. The second step is a smart disruption management system that monitors the data, alerts modules, disruption management modules, and procedures for rescheduling the operations. Multiple data transmissions in MQTT cause packet losses. A reliable messenger system between server and client in the MQTT protocol has been developed [20] by combining the message topic with the sequence number and flag number in order to prevent data losses during transmission.
A reliable MQTT broker implementation [21] broadcasts the information to the clients. Based on numerical computations, a solution has been developed to minimise the number of shared messages among brokers. Additionally, clusters of brokers are formed among the network edge nodes to minimise the delay between publishers and subscribers. To address the sub-linearity issue for multiple sessions in the MQTT protocol, greedy load balancing is used in [22] to serve publisher and subscriber topics and improve cluster scalability. SiGPro [23] is a real-time, customized notification system with optimized complexity that uses an MQTT-Bridge for hierarchical server communication. The simulations have been carried out for 19 rescue scenarios of missing persons with those characteristics, and all the information is maintained secretly.
The design and implementation of the MQTT client (MQTTc) [24] for low code footprint and optimized memory usage make the MQTT protocol more suitable for portable and lightweight embedded applications. A secure version of the MQTT and MQTT-SN protocols (SMQTT and SMQTT-SN) with improved security in addition to the existing MQTT protocol is discussed in [25]. It is based on Key/Ciphertext Policy-Attribute Based Encryption (KP/CP-ABE) using lightweight Elliptic Curve Cryptography implemented on the MQTT protocol in WSN. The sensor data is encrypted by KP/CP-ABE with a public key generated by the publisher, and the subscriber decrypts it by KP/CP-ABE with a public key generated by the actuators.
The MQTT-SN security bootstrapping architecture [26] was designed to provide end-to-end security for the data. To achieve end-to-end security, the concept of topic certificates is employed. Topic certificates are used to build an encrypted direct route between a publisher and a group of subscribers without depending on transport layer security (TLS). MQTT thing to thing security (MQTT-TTS) can secure the communication between pub and sub by adding the TTS header and security-specific header to the existing MQTT frame header [27].
A security scheme in the MQTT protocol uses cryptographic smart cards [28] for encrypting the client-to-broker data communication without changing protocol message specifications. This authentication scheme meets the requirements of both data secrecy and data integrity. The Keyed-Hash Message Authentication Code (HMAC) generation algorithm [29] has been employed instead of a complex encryption algorithm to improve the efficiency, with less time for the client to retrieve the messages. In [30], different cloud MQTT brokers were analyzed from a security standpoint, and a denial-of-service (DoS) attack and information collection techniques were conducted to discover the least vulnerable broker.
By analyzing traffic features using the internet protocol packet size entropy (IPSE) [34] method, the DoS attack can be detected. The design of IPSE can identify both long-term attacks and short-term attacks on any architecture by observing time series of packet size entropy and distinct traffic packet size distribution shifts during DoS attacks. A small change in step rise time in the time series indicates that a possible DoS attack is happening. In the case of a normal feature, no changes can occur in step rise time. An MQTT threat model [35] has been established between IoT devices and MQTT brokers and endpoints such as servers, personal computers, and smartphones. The testbed simulates and analyses attack scenarios such as DoS, identity spoofing, information exposure, and privilege elevation. The MQTT Mosquitto broker was installed on a virtual computer running Ubuntu Linux 14.0 for analyzing the SYN flood attack. The large packet payload, up to 2000 PUBLISH messages with a 4 MB header payload, is sent to the broker; during that time the subscriber cannot get the message or there is a time delay in receiving the message from the publisher.

VOLUME 4, 2021

[Table 3: dataset comparison. Rows: MQTTset [31] (2020), ToN-IoT [32] (2019), MQTT-IOT-IDS2020 [33] (2021), SENMQTT-SET (2021). Last column: Device Level Implementation.]
To investigate further exploitations of the MQTT protocol with normal and encrypted communications, the target devices are subjected to a novel low-rate distributed denial of service (DDoS) attack known as SlowITe [36]. The framework [37] for the DoS attack is created on the application layer and implemented to evaluate the MQTT protocol against the DoS attack with two classes: legitimate and DoS attack. The DoS attack dataset is created with different attack scenarios such as connect flooding, delayed connect flooding, payload connect flooding and invalid subscription flooding. An ML model was developed using the dataset to mitigate the DoS attack on MQTT message brokers. This framework shows high effectiveness in detecting DoS attacks. Furthermore, the multiclass IDS [38] has been designed with ML techniques with two methods of classification, namely ensemble and deep learning. First, the various attack captured datasets have been created in order to detect the anomalies in an IoT environment.
The security vulnerabilities of MQTT have been categorized into two groups: data security and network security. Data security refers to the data transfer from sensors to actuators in an encrypted format. Network security is responsible for preventing unauthorized and flooding attacks. The main motivation for this paper is to prevent unauthorized and flooding attacks on IoT-MQTT networks using ML algorithms. The main technical challenge in other existing datasets is that they have more features without device-level implementation, which leads to more complex detection of attacks in real-time. The proposed contributions give a better solution when compared to other literature. Table 3 describes the various parameters considered for generating the IoT-MQTT context dataset. These datasets are differentiated by label, IoT telemetry data, heterogeneity of IoT data sensors, real-time devices and device-level implementation.

A. CONTRIBUTIONS
The main research contributions of this paper are described as follows.
1) A novel IoT experimental setup is created with heterogeneous sensors and real-time devices, with the legitimate and attack dataset SENMQTT-SET.
2) An ensemble statistical multi-view cascade feature generation algorithm is developed to evoke the important features from the SENMQTT-SET in order to detect the attack in less time.
3) Seven ML algorithms are evaluated to show the effectiveness and reliability of the proposed dataset, and to build the best model using Elite Machine Learning (EML) for detecting the attack. The accuracy, F1-score, and other performance metrics are compared with the existing datasets.
4) Finally, performance metrics such as cumulative distribution function, jitter, packet length, and latency are evaluated and validated in three scenarios: normal, subscriber attack, and broker attack.

III. METHODOLOGY
This section describes the three parts of the proposed method: (i) the framework for attack detection and the proposed SEN-MQTTSET dataset generation, (ii) the DoS attack model, and (iii) the proposed multi-context features generation and EML.

A. FRAMEWORK FOR ATTACK DETECTION AND PROPOSED SEN-MQTTSET DATASET GENERATION
A typical IoT-MQTT network has a group of sensors connected to IoT devices. The proposed framework testbed environment is created by using four Raspberry Pi [39] (RPi) devices (namely A, B, C, and D), two Node Mcu [40] (NMcu) devices (namely E and F) and one Raspberry Pi (G), all connected to a router as depicted in Figure 2. Here RPi (A, B) and NMcu (E) act as publishers, RPi (C, D) and NMcu (F) act as subscribers, and RPi (G) acts as the Mosquitto MQTT broker. The IP address of each device is tabulated in Table 4.
To monitor or control the device a router is interconnected  [41] tools later the specific MQTT traffic filter is applied with tshark [42] to extract the particular features and processed to csv file. After generating the dataset from the devices, two label attributes, such as normal or attack type, are added. These labels are appended to the original csv files generated after feature extraction.
Algorithm 1 describes the script for four simulated sensor data such as air quality sensor, passive infrared motion sensor, temperature sensor, and CO2 gas sensor implemented on RPi and NMcu. Python [43] and microPython [44] are used to create the sensor scripts for the physical devices RPi and NMcu, respectively. The main objective of the script is to measure the four different sensors such as air quality sensors, passive infrared sensors, temperature sensors, and CO2 sensors according to the parameters given in Table 5. These sensor data with the specific topic are published to the MQTT broker on RPi G.

Algorithm 1: Creation of four simulated sensor data
Input: A, P, T, C, bip, port and cid; where A is the air quality sensor data, P is the passive infrared motion sensor data, T is the temperature sensor, C is the CO2 sensor data, bip is the broker IP address, port is the MQTT port number and cid is the client

B. ATTACK MODEL -DOS
The main aim of DoS attacks is to send many flooding messages to the server to prevent legitimate user access. The average number of users accessing the system is given by Little's Law [45], and the formula is given as follows: where λ is the system arrival rate for sensor data, where V is the average system time a sensor data spends, and T is the total time taken in the system. DoS attacks try to occupy the system for a long time, so legitimate features cannot get the service. It increases the processing time per packet and increases the arrival rate of packets through complicated computer activities on the victim's device. Mostly, authentication and authorization can prevent unauthorized access in any industrial MQTT-IoT system, and authenticated clients are permitted to send or receive messages on selected subjects only. The access levels of MQTT-IoT data are of two types: valid MQTT broker connection credentials and valid pub/sub service authorization.

[49] 0 to 5% VOL optional CO2 sensor is used to detect the carbon content in the air by using non-dispersive infrared (NDIR). This can be employed in the industry.
An attacker can send the MQTT CONNECT packet without valid credentials, hence the clients cannot publish or subscribe without successful broker connections. Using a brute force attack, an attacker can also change the PUBLISH or SUBSCRIBE packet parameters without correct credentials and authorization. The control packet data and the level of access being provided to an attacker is referred to as basic connect flooding (BCF).

1) Basic Connect Flooding (BCF)
The attacker just sends a huge number of CONNECT packets to the target server for authentication requests to overwhelm the service provided by the MQTT broker. The steps are illustrated in Algorithm 2.
Algorithm 2: Basic Connect Flood generation steps [37]
Input: N_c, bip and port, where N_c is the number of connect packets, bip is the MQTT broker IP address and port is the MQTT port number.
    bip ← 192.168.0.107
    port ← 1883
    cid ← mqtt − random(1, 1000)
    r = client.connect(bip, port, cid)
    c = []
    for i = 1 to 10,000 do

Once the connection is established on the MQTT protocol between the publisher and the subscriber, the publisher will send a CONNECT frame packet to the MQTT broker to establish the connection. The broker will reply with CONNACK to the publisher. The basic connect flooding attacks will send N connects to the MQTT broker in order to keep it busy. In this way, the subscriber cannot receive the packets from the publisher on time.
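A defender-side view of basic connect flooding, as an added example that is not code from the paper: it decodes the MQTT fixed header of each captured payload and raises one alert per source whose CONNECT count in a sliding window exceeds a threshold. The window, the threshold, the helper names and the sample addresses (documentation range 192.0.2.0/24) are assumptions made for the illustration.

```python
from collections import defaultdict, deque

CONNECT = 1  # MQTT control packet type, carried in the high nibble of byte 1


def parse_fixed_header(data):
    """Decode the MQTT fixed header.

    Returns (packet_type, flags, remaining_length, header_size), or None when
    the bytes are truncated or the length field is malformed.
    """
    if len(data) < 2:
        return None
    packet_type, flags = data[0] >> 4, data[0] & 0x0F
    remaining, shift = 0, 0
    for i in range(1, 5):               # the length field is 1 to 4 bytes
        if i >= len(data):
            return None                 # truncated capture
        remaining |= (data[i] & 0x7F) << shift
        if not data[i] & 0x80:          # continuation bit clear: last byte
            return packet_type, flags, remaining, i + 1
        shift += 7
    return None                         # a fifth length byte is not allowed


def detect_connect_flood(records, window=10.0, threshold=20):
    """records: (timestamp, src_ip, tcp_payload) tuples in time order.

    Only the first control packet of each payload is inspected (simplification).
    Returns one (timestamp, src_ip, count) alert per source, raised when its
    CONNECT count inside the sliding window first exceeds the threshold.
    Both window and threshold are assumed values, not taken from the paper.
    """
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, src, payload in records:
        header = parse_fixed_header(payload)
        if header is None or header[0] != CONNECT:
            continue
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window:    # drop CONNECTs older than the window
            seen.popleft()
        if len(seen) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, len(seen)))
    return alerts


def build_connect(client_id):
    """Constructed MQTT 3.1.1 CONNECT packet (clean session, keep-alive 60 s)."""
    body = (b"\x00\x04MQTT\x04\x02\x00\x3c"
            + len(client_id).to_bytes(2, "big") + client_id.encode())
    return bytes([0x10, len(body)]) + body      # body < 128: one length byte


def build_publish(topic, value):
    """Constructed QoS 0 PUBLISH packet."""
    body = len(topic).to_bytes(2, "big") + topic.encode() + value
    return bytes([0x30, len(body)]) + body


def sample_records():
    """Constructed capture: one legitimate publisher and one flooding source."""
    records = [(99.0, "192.0.2.10", build_connect("mqtt-1"))]
    records += [(100.0 + j, "192.0.2.10", build_publish("sens/temp", b"24.5"))
                for j in range(5)]
    records += [(100.0 + 0.05 * k, "192.0.2.66", build_connect("mqtt-%d" % k))
                for k in range(100)]
    return sorted(records)


if __name__ == "__main__":
    for ts, src, count in detect_connect_flood(sample_records()):
        print("CONNECT flood suspected from %s at t=%.2f (%d in window)"
              % (src, ts, count))
```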

C. PROPOSED MULTI-CONTEXT FEATURES GENERATION AND ML TECHNIQUES
The proposed SEN-MQTTSET dataset has a combination of both TCP and MQTT traffic data. Each network traffic-identified flow has been retrieved for each pcap file: frame length, delta time, IP length, source IP, destination IP, IP port, MQTT message type, length, message, etc. The raw dataset has 120 features, including the labels of classification. As the dataset has a large number of features, the space required to store it is greater and some of the ML algorithms may not work properly, so feature reduction helps to solve this issue. The proposed multi-context feature generation combines two parts: (i) selection of the best two features from the raw dataset using Logistic Regression (LR), and (ii) ensemble statistical multi-view feature generation. The proposed flow diagram is given in Figure 3. The proposed multi-context feature generation steps are presented in Algorithm 3. The best-selected features are frame length and frame delta time, obtained using Logistic Regression from the raw dataset among 120 features including flow-based, TCP, IP, and MQTT features. Based on the selected features, the statistical features with combined session features have been created and named the optimized SENMQTT-SET dataset. The proposed optimized dataset is then preprocessed using normalization techniques and trained using ML techniques such as LR, K-Nearest Neighbour (KNN), Random Forest (RF), Naive Bayes (NB), Support Vector Machine (SVM), Gradient Boosting (GB), and Decision Tree (DT), to detect the attack by using an elite ML prediction model.

1) Data pre-processing
The Min-Max scaling normalizes the input data features of the optimized SENMQTT-SET into a fixed interval to tackle the varied dynamic ranges of the 10 input features shown in Table 6. By applying Min-Max normalization, the optimized SENMQTT-SET dataset features are transformed linearly so that the ML algorithms can easily learn the features and develop the prediction model.
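The feature generation and Min-Max scaling described in the two subsections above, as an added example that is not the paper's Algorithm 3: packets reduced to the two selected raw features (frame length and frame delta time) are grouped into windows, and each window yields the statistical attributes the paper names for the optimized dataset. The one-second window, the labelling rule for `is_attack`, the function names and the sample capture are assumptions.

```python
import statistics
from collections import defaultdict

# The 10 numeric attributes of the optimized dataset, named as in the paper.
FEATURES = ["time_epoch", "num_pkts", "mean_iat", "sd_iat", "min_iat",
            "max_iat", "mean_pkt_len", "std_pkt_len", "min_pkt_len",
            "max_pkt_len"]


def window_features(packets, window=1.0):
    """packets: (time_epoch, frame_length, is_attack) tuples.

    Groups packets into fixed windows (assumed width: 1 s) and returns one
    feature row per non-empty window. A window is labelled 1 when any of its
    packets is labelled as attack traffic (assumed rule).
    """
    buckets = defaultdict(list)
    previous = None
    for ts, length, label in sorted(packets):
        iat = 0.0 if previous is None else ts - previous  # frame delta time
        previous = ts
        buckets[int(ts // window)].append((ts, iat, length, label))
    rows = []
    for key in sorted(buckets):
        group = buckets[key]
        iats = [p[1] for p in group]
        lengths = [p[2] for p in group]
        rows.append({
            "time_epoch": group[0][0],
            "num_pkts": len(group),
            "mean_iat": statistics.fmean(iats),
            "sd_iat": statistics.pstdev(iats),      # 0.0 for a single packet
            "min_iat": min(iats),
            "max_iat": max(iats),
            "mean_pkt_len": statistics.fmean(lengths),
            "std_pkt_len": statistics.pstdev(lengths),
            "min_pkt_len": min(lengths),
            "max_pkt_len": max(lengths),
            "is_attack": int(any(p[3] for p in group)),
        })
    return rows


def fit_min_max(rows):
    """Learn (min, max) per feature; fit on the training rows only."""
    return {f: (min(r[f] for r in rows), max(r[f] for r in rows))
            for f in FEATURES}


def apply_min_max(rows, bounds):
    """Scale each feature to [0, 1] with previously fitted bounds.

    A constant feature (max == min) maps to 0.0 instead of dividing by zero.
    Rows outside the fitted range land outside [0, 1].
    """
    scaled = []
    for row in rows:
        out = {"is_attack": row["is_attack"]}
        for f in FEATURES:
            low, high = bounds[f]
            out[f] = 0.0 if high == low else (row[f] - low) / (high - low)
        scaled.append(out)
    return scaled


def sample_capture():
    """Constructed capture: 3 s of sensor traffic, then 2 s under flooding."""
    packets = []
    for second in range(3):
        for i, length in enumerate((32, 45, 50, 58)):
            packets.append((1000.0 + second + 0.25 * i, length, 0))
    for second in range(3, 5):
        for i in range(50):
            packets.append((1000.0 + second + 0.02 * i, 44, 1))
    return packets


if __name__ == "__main__":
    rows = window_features(sample_capture())
    for row in apply_min_max(rows, fit_min_max(rows)):
        print({k: round(v, 3) for k, v in row.items()})
```

Fitting the bounds on the training split and reusing them for the test split keeps test data from influencing the scaling.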

2) EML and ML models
The EML is proposed to select the best attack detection model among the ML algorithms LR, K-Nearest Neighbour (KNN), Random Forest (RF), Naive Bayes (NB), Support Vector Machine (SVM), Gradient Boosting (GB), and Decision Tree (DT).

a: LR
The LR [50] model is based on statistical calculations which follow the tree-based calculations to forecast the value of the binary predictive variable y ∈ [0, 1], where 0 is a negative class, and 1 is a positive class.

e: RF
RF [52] is a classification method that is based on tree structures. The results are obtained by the formation of a data forest with many sub-trees. It generates a random selection of the training set for decision trees and forms the tree according to the outcome of the individual set. The RF algorithm can handle missing values and it also helps to avoid overfitting by using an appropriate parameter tweaking method.

f: DT
DT [50] is a supervised ML algorithm used for classification and regression. Every node in a decision tree is either a leaf node or a decision node. The decision-making processes are simply comprehensible because they are straightforward and the tree is interconnected with internal and external nodes. The decisions are made by internal nodes, which also visit their child nodes in the next decision-making steps, provided the leaf node is node-less and tagged.

IV. RESULTS AND DISCUSSIONS
The testbed consists of five RPi devices and two NMcu connected with simulated sensors. The RPi and NMcu are connected by a modem with a common SSID and password. The attacker/victim is a personal computer with an i3 processor to inject the basic connect flooding attack on the subscriber and broker. All the publisher and subscriber devices are interconnected with the Mosquitto MQTT broker.
Using the Paho MQTT client library, the program on the RPi can publish and subscribe to the sensor data connected to the devices. Similarly, the esp8266 client library is used in NMcu to publish and subscribe to the sensor data. The dataset was collected for three scenarios: no attack, attack on subscriber, and attack on broker. Figure 4 shows the experimental testbed with four RPi, two NMcu and a router. In all scenarios, RPi A, B, and NMcu E publish the sensor data with the help of Python script and embedded C via the MQTT broker, and RPi C, D, and NMcu G subscribe to the sensor data with the help of Python and microPython script via the MQTT broker. Using the tcpdump tool, the packets are captured for 1800 seconds from the subscriber to the publisher. The tcpdump command was executed on RPi C to obtain the legitimate and attack traffic features.

A. SCENARIO 1: NO ATTACK
In scenario 1 (no attack) the traffic features have been captured between the publisher and the subscriber via a broker. The four sensors' data keeps going from the publisher to the MQTT broker. The schematic diagram showing the connections of scenario 1 is illustrated in Figure 5. Figure 6 shows the details of the packets sniffed by tcpdump, viewed in Wireshark to obtain the individual packet details. In Wireshark, seven important pieces of information about the packets are visible: number, time, source, destination, protocol, length, and info. The number represents the number of the network packet, time represents the time at which the specific packet has been recorded, the source is the IP address the packet is coming from, the destination is the IP address the packet is going to, protocol refers to TCP, MQTT, etc., and info represents the additional information about the packets which has been recorded. In the info field, there is only one CONNECT command and one ACK packet present for scenario 1. Later these captured pcap files are converted to csv files using a Python script. Table 7 displays the four sensor data from scenario 1 along with the timestamp and message topic.

B. SCENARIO 2: ATTACK ON SUBSCRIBER
The architecture setup for scenario 2 is depicted in Figure 7, where the attack is on the subscriber side. A basic connect flooding attack is injected at the subscriber node by the Python script on the PC. The tcpdump tool captures the packets transferred from the publisher to the subscriber and saves them to a pcap file. Figure 8 shows the details of the packets sniffed using tcpdump for obtaining the individual packet details. In the info field, there are many CONNECT commands and ACK packets present for scenario 2. Later these captured pcap files are converted to csv files using a Python script. Table 8 shows the four sensor data with timestamp and message topic of scenario 2.

C. SCENARIO 3: ATTACK ON BROKER
The architecture setup is illustrated in Figure 9, where the attack is on the MQTT broker. A basic connect flooding attack is injected at the MQTT broker node by the Python script on the PC. The tcpdump tool captured the packets transferred from the publisher to the subscriber and saved them to the pcap file. Figure 10 shows the details of the packets sniffed by tcpdump, viewed in Wireshark to obtain the individual packet details. In the info field there are many CONNECT commands and ACK packets present for scenario 3. Later these captured pcap files are converted to csv files using a Python script. Table 9 shows the four sensor data with timestamp and message topic of scenario 3.

Quality of parameters such as jitter, packet length, and latency is computed for the three scenario experimental setups.

The cumulative distribution function (CDF) calculates the cumulative probability for a frame packet length value. The probability that a random observation taken from the features is less than or equal to a certain value can be determined by the CDF. The distribution of frame packet lengths can also be observed using the cumulative distribution function as shown in Figure 11. There is a shift in the curve towards the right when the node is under attack.

b: Jitter
The publisher has four sensor message topics, namely sens/temp, sens/air, sens/motion, and sens/gas. In jitter analysis, the packet delay between the same message topic and the time difference between all sensor data packets received by the subscriber and the publisher has been computed. Table 10 shows the packet loss for three scenarios: no attack, attack on subscriber, and attack on broker. The packet loss is calculated for 10 and 20 s: with the attack on the broker, the packet loss is 9.1% and 5.8%, respectively; when there is no attack on subscriber, 6.6% and 6.8%, respectively; and with no attack, 0% and 0%, respectively.

Figure 12 shows the end-to-end time delay distribution of subscribers without and with an attack. The end-to-end time delay is calculated at the subscriber node from the sensor data published to the subscriber via the MQTT broker. The average time delay without attack and with attack is 80 ms and 1230 ms, respectively. Figure 13 shows the end-to-end time delay distribution of brokers without and with an attack. The end-to-end time delay is calculated at the MQTT broker, where the sensor data is published to the subscriber. From this graph, the average time delay without attack and with attack is 30 ms and 640 ms, respectively.

Figure 14 shows the transmit time delay between the subscriber packets without attack and with attack. 10000 packets were sent from the publisher to the end-user, called a subscriber, via a broker. The average time delay between two consecutive packet data transmissions without attack and with attack is 200 ms and 750 ms, respectively. Figure 15 shows the transmit time delay between the packets in the broker without attack and with attack. 10000 packets were sent from the publisher to the end-user, called a subscriber, via the broker. The average time delay between two consecutive packet data transmissions without attack and with attack is 250 ms and 600 ms, respectively.
c: Packet length
FIGURE 16. Subscriber node packet length of sensor data without attack and with attack
Figure 16 shows the packet length of sensor data received at the subscriber node without attack and with attack. The packet length varies from 32 to 58 in the without-attack scenario and from 40 to 50 in the with-attack scenario. This graph shows that some of the packet lengths are increased and truncated with attack when compared to without attack. Figure 17 shows the packet length of sensor data received at the broker node without attack and with attack. The packet length varies from 42 to 50 in the without-attack scenario and from 0 to 56 in the with-attack scenario. This graph shows that some of the packet lengths are decreased and truncated with attack when compared to without attack.

d: Latency
In latency analysis, the timestamp is appended to all the sensor data of the message topics, such as sens/temp, sens/air, sens/motion, and sens/gas, shown in Table 11. The timestamp of the received data has been recorded in Wireshark, allowing the time delay between subscriber and publisher to be calculated for the subscriber without and with attack, as well as for the broker without and with attack. Figure 18 shows the time delay between the publisher and the subscriber without and with an attack. The average time delay between the publisher and a subscriber is 100 ms without an attack and 300 ms with an attack on the subscriber node. Figure 19 shows the time delay between the publisher and the subscriber without and with an attack. The average time delay between the publisher and a subscriber is 100 ms without an attack and 400 ms with an attack on the broker node.

E. ASSESSMENT OF ML ALGORITHMS
The assessment of various ML algorithms has been carried out to find performance metrics such as accuracy, attack detection rate, attack predictive value, normal predictive value, Matthews correlation coefficient, F1 score, and false alarm rate, to validate the ML models by using a confusion matrix.

1) Confusion matrix
The confusion matrix [53] is an error matrix used to define a classification model's performance on a test data set with certain true values. By using the confusion matrix, it is possible to visualize the performance of various ML algorithms, as shown in Figure 20. The percentage of all features correctly defined over all the data is as follows.
where TP-true positive, TN-true negative, FP-false positive, and FN-false negative. The percentage of the ratio between attack feature instances correctly detected among the expected cases as an attack is called APV. AP V = T P T P + F P MCC is a statistical metrics that is used to evaluate a classification models performance.
f: F1 Score The F1 Score rate is the ratio of normal requests that are detected as attacks overall normal requests as follows: F 1score = 2 * T P 2 * T P + F P + F N g: False alarm rate (FAR) False alarm rate (FAR) is an error metric used to evaluate the classification model performance based on the probability of false-positive with the null hypothesis.
h: Receiver operating characteristic (ROC)
The receiver operating characteristic (ROC) curve helps to assess the model's performance across classification thresholds by means of a plot. This plot consists of two parameters, namely the true positive rate (TPR) and the false positive rate (FPR).
$$TPR = \frac{TP}{TP + FN}, \qquad FPR = \frac{FP}{FP + TN} \tag{10}$$

Figure 21 shows the ROC curves for the seven ML models. It can be seen that the DT, RF, and GB classifiers provide better performance when compared with the other classifiers (LR, KNN, SVM and NB). Table 12 describes the evaluation metrics such as train accuracy, test accuracy, ADR, APV, NPV, F1-Score, MCC, FAR, ROC, training time and testing time of the ML models using the proposed optimized SENMQTT-SET. The DT classifier outperforms the other ML models. Table 13 describes the comparison of the various algorithms for accuracy and F1 score of the proposed multi-context algorithm with [31], [32] and [33].

The elite ML model is generated and tested for attack detection using the proposed feature generation from the SEN-MQTTSET dataset. The proposed ensemble multi-view cascade feature consists of 11 attributes: time_epoch, num_pkts, mean_iat, sd_iat, min_iat, max_iat, mean_pkt_len, std_pkt_len, min_pkt_len, max_pkt_len and is_attack. The dataset consists of normal traffic instances and attack class instances, labelled 0 for normal and 1 for attack. Among the 11 features, 10 are numerical and 1 is binary. The proposed optimized SENMQTT-SET dataset is divided randomly into 20% for testing and 80% for training to evaluate using ML algorithms.

Figure 22 shows the comparison of performance metrics such as accuracy, F1-score, attack detection rate, and attack prediction for all ML algorithms. The maximum testing accuracy obtained from DT, RF, and GB is 100%, KNN is 99.89, SVM is 94.13%, NB is 83.16% and LR is 90.04. Among the seven ML models, the best model is called the Elite ML model, based on all the best metrics of the DT classifier algorithm. When the optimised SENMQTT-SET is compared with [31], [32] and [33], the accuracy and F1 score of the proposed multi-view cascade feature dataset are higher and differ by approximately 1%.
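To make the 11 attributes listed above concrete, the following added example (not the authors' feature-generation algorithm or code) derives one feature row per time window from packet timestamps and lengths. The 1-second window, the use of population standard deviation, the "any attack packet marks the window" labelling rule, and the sample packets are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_S = 1.0  # assumed window length; not stated on the page

# Constructed capture: (epoch seconds, frame length in bytes, label 0/1)
PACKETS = [
    (1000.00, 60, 0), (1000.25, 64, 0), (1000.50, 60, 0), (1000.75, 64, 0),
    (1001.00, 90, 1), (1001.01, 90, 1), (1001.02, 90, 1),
    (1001.04, 90, 1), (1001.08, 90, 1),
    (1002.40, 62, 0),
]


def window_features(packets, window_s=WINDOW_S):
    """Group packets into fixed windows and emit one 11-attribute row each."""
    buckets = defaultdict(list)
    for ts, length, label in sorted(packets):
        buckets[int(ts // window_s)].append((ts, length, label))

    rows = []
    for key in sorted(buckets):  # windows with no packets produce no row
        pkts = buckets[key]
        times = [p[0] for p in pkts]
        lens = [p[1] for p in pkts]
        # Inter-arrival times inside the window; a lone packet has none,
        # so fall back to a single 0.0 to keep the statistics defined.
        iats = [b - a for a, b in zip(times, times[1:])] or [0.0]
        rows.append({
            "time_epoch": key * window_s,
            "num_pkts": len(pkts),
            "mean_iat": mean(iats),
            "sd_iat": pstdev(iats),
            "min_iat": min(iats),
            "max_iat": max(iats),
            "mean_pkt_len": mean(lens),
            "std_pkt_len": pstdev(lens),
            "min_pkt_len": min(lens),
            "max_pkt_len": max(lens),
            # Assumed labelling rule: one attack packet marks the window.
            "is_attack": int(any(p[2] for p in pkts)),
        })
    return rows


if __name__ == "__main__":
    for row in window_features(PACKETS):
        print(row)
```

In the constructed capture, the attack-labelled window stands out through a higher num_pkts and a much smaller mean_iat than the normal windows, which is the kind of separation a classifier trained on these attributes relies on.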
DT outperforms the other models with a training time and detection time of 8 ms and 4 ms, respectively. Although NB achieved lower training and detection times of 4 ms and 3.8 ms, respectively, its accuracy and other performance metrics are low when compared to DT. Finally, the elite ML chooses the best ML model to detect attacks in real time.
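The APV, F1 score, and TPR/FPR formulas of this section can be checked end to end with the following added example, which is not code from the paper. It builds the confusion matrix at a chosen threshold, then sweeps every threshold to trace the ROC curve and integrate its area; the labels, scores, and function names are constructed for illustration.

```python
# Constructed sample: 1 = attack, 0 = normal, with classifier scores in [0, 1].
Y_TRUE = [1, 1, 0, 1, 0, 1, 0, 0, 0, 0]
SCORES = [0.95, 0.90, 0.80, 0.70, 0.60, 0.40, 0.30, 0.20, 0.10, 0.05]


def confusion(y_true, y_pred):
    """Return (TP, TN, FP, FN) with attack (1) as the positive class."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == 1 and p == 1 for t, p in pairs)
    tn = sum(t == 0 and p == 0 for t, p in pairs)
    fp = sum(t == 0 and p == 1 for t, p in pairs)
    fn = sum(t == 1 and p == 0 for t, p in pairs)
    return tp, tn, fp, fn


def ratio(num, den):
    """Guard the degenerate case of an empty class or no positive predictions."""
    return num / den if den else 0.0


def metrics_at(y_true, scores, threshold):
    """APV, F1, TPR and FPR when scores >= threshold are flagged as attack."""
    y_pred = [int(s >= threshold) for s in scores]
    tp, tn, fp, fn = confusion(y_true, y_pred)
    return {
        "APV": ratio(tp, tp + fp),
        "F1": ratio(2 * tp, 2 * tp + fp + fn),
        "TPR": ratio(tp, tp + fn),
        "FPR": ratio(fp, fp + tn),
    }


def roc_curve(y_true, scores):
    """(FPR, TPR) points from the strictest threshold to the loosest."""
    points = [(0.0, 0.0)]
    for th in sorted(set(scores), reverse=True):
        m = metrics_at(y_true, scores, th)
        points.append((m["FPR"], m["TPR"]))
    return points


def auc(points):
    """Trapezoidal area under the ROC points."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


if __name__ == "__main__":
    print(metrics_at(Y_TRUE, SCORES, 0.5))
    print(round(auc(roc_curve(Y_TRUE, SCORES)), 3))
```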

V. CONCLUSION
In this work, the SENMQTT-SET dataset has been generated and analyzed for MQTT attack detection in IoT contexts. The intrusion detection testbed includes three scenarios (no attack, attack on a subscriber, and attack on a broker) and has been designed to record regular traffic and attack characteristics. The SEN-MQTTSET dataset was developed from the traffic features while the data was received from different networked IoT sensors (temperature, motion sensors, etc.). An ensemble multi-view cascade feature generation algorithm was used to generate the optimized SENMQTT-SET from the raw dataset. These features are then evaluated using ML algorithms, and the best model is selected using elite ML to classify traffic in the MQTT-IoT network as attack or normal. The generated features yield an effective intrusion detection system for MQTT cyber-attacks and achieve an accuracy of more than 99%. The detailed quality parameters were measured for the three scenarios, and the packet time delay without an attack was less than that with an attack. In the future, deep learning-based explainable artificial intelligence (XAI) methods [54] can be used to improve the behavior of multi-modal traffic classifiers.