The Internet of Things (IoT) is a network of billions of interconnected devices embedded with sensors, software, and communication technologies with the capabilities of gathering and exchanging data via the Internet, allowing them to communicate with one another and execute a variety of functions independently. One of the important wireless communication technologies for establishing connections and enabling communication in IoT contexts is the IEEE 802.11 wireless local area network (WLAN) [1,2,3,4,5,6], commonly called Wi-Fi. It is one of the fastest-growing technologies and a widely deployed type of network due to ease of installation, flexibility, mobility, reduced cost of ownership, and scalability [7,8]. Devices in the IoT system face various security challenges, including attacks launched against different layers of the stack [9]. Wi-Fi-enabled IoT is deployed almost everywhere, ranging from common households to large-scale critical infrastructures, with a rapidly growing number of devices such as smartphones, laptops, tablets, smartwatches, IoT devices, etc., along with the advancement and growth of various services such as cloud-based data storage, social networking, content services, online banking, e-commerce, etc. However, due to the broadcast nature of the wireless signal on an open wireless medium and to design vulnerabilities in protocols and mechanisms, IoT Wi-Fi networks are exposed to various attacks from hackers and intruders. The insecurity of these Wi-Fi-enabled IoT devices keeps growing as they become easy targets of various attacks. De-authentication and disassociation DoS attacks are among those security challenges: an attacker can easily spoof the MAC address of the client or the AP while they are in the process of genuine authentication/association or de-authentication/disassociation and carry out the attack on their behalf, which can bring down the Wi-Fi network and deny service. Common Vulnerabilities and Exposures (CVE) has recorded a number of de-authentication and disassociation attacks carried out against different Wi-Fi networks and environments [10].
There is a need for more secure Wi-Fi networks [11], and several advancements have been made. The first approach is the innovation of Wi-Fi communication technology itself, including the latest security enhancement, Wi-Fi Protected Access 3 (WPA3) [12], and the performance enhancement of IEEE 802.11ax [13] (commonly called Wi-Fi 6). However, WPA3 has potential flaws and vulnerabilities [14], one of which is vulnerability to Denial of Service (DoS) attacks aimed at disconnecting network devices, with de-authentication and disassociation included among such successful attacks. The other approach is the development and advancement of intrusion detection systems (IDS), a vital cybersecurity technique deployed as a second layer of protection that monitors and identifies unusual activities carried out by attackers that affect the availability of the Wi-Fi network. A number of machine and deep learning-based IDS solutions have been developed in recent years to solve some of these problems [15,16,17,18,19,20,21,22,23]. For example, the authors of [15] identified different Wi-Fi vulnerabilities by carrying out various attacks and recommended strong encryption, employee training, and improving organizational security standards. In [17], the authors proposed a Wireless Intrusion Detection System (WIDS) to detect attacks on Wi-Fi networks, while [14] introduced a WIDS that classifies captured Wi-Fi traffic, represented as n-grams, into normal or malicious using machine learning models. Machine and deep learning-based IDSs can potentially offer better security by design and therefore enhance the security of IoT Wi-Fi network infrastructures. However, the solutions mentioned above still face difficulties, including failing to achieve better performance, lacking up-to-date datasets, and not providing end-to-end solutions. Using old datasets can make attack detection less effective, as such datasets may not capture the current state of Wi-Fi networks (including updated security protocols, authentication methods, or encryption standards), may fail to accurately represent the current attack landscape, and may miss known vulnerabilities and weaknesses already addressed by the latest security mechanisms. In addition, to the researchers' knowledge, current solutions fail to provide an up-to-date end-to-end solution with real-time automated Wi-Fi network traffic analysis and attack detection mechanisms. Moreover, despite their rapid growth and importance, such security risks are not properly addressed in IoT systems such as smart home Wi-Fi network environments.
2. Intrusion Detection System (IDS)
An intrusion in cyber security refers to unauthorized access or entry into a node or network system. This can be accomplished through various methods such as hacking, malware, or social engineering. An intrusion’s goal could be to steal sensitive information, disrupt operations, or gain control of a targeted node or an entire network. To protect against these types of threats, intrusion detection and prevention are critical aspects of cyber security.
An intrusion detection system (IDS) detects malicious users’ unauthorized access to systems or networks. An IDS’s primary duties are to monitor hosts and networks, evaluate computer system activity, produce warnings, and respond to suspicious behavior. The basic architecture of an IDS, as shown in Figure 1 (adapted from [24]), consists of a data collection device (sensor), an intrusion detection engine, a knowledge base (database), a configuration device, and a response component [25]. Based on different factors, IDSs can be classified into various types, among which the network IDS (NIDS) is widely deployed, and the researchers' solution falls under this category. A NIDS typically examines network traffic for patterns or anomalies that might reveal an intrusion. It is often deployed on the border router or switches and monitors network traffic flow to identify threats that occur across the network connection [26]. It operates on the Network Layer or Data Link Layer of the OSI model. Most NIDSs are independent of the operating system (OS), allowing them to be used in various OS scenarios. Furthermore, NIDSs can identify specific protocol types and network attacks. The disadvantage is that they only monitor traffic moving through a particular network segment.
Figure 1. Basic architecture of IDSs.
3. Machine and Deep Learning for IDS
Both traditional machine learning (TML) and deep learning approaches have proven their capability for the advancement of IDSs. However, because of the speed and volume of IoT-produced data, TML approaches continue to face several challenges in extracting relevant features from the massive and unstructured data created by IoT devices, as they need well-crafted feature engineering. Deep learning methods have become the preferred approach in recent years due to their ability to learn features automatically, handle large-scale datasets efficiently, and adapt to new data with less extensive retraining, as well as their flexibility and capability of capturing nonlinear relationships in data.
3.1. Convolutional Neural Networks
A convolutional neural network (CNN) is one of the most often utilized forms of neural networks in computer vision. It has proved effective in many challenges such as face recognition [27], object detection [28], picture classification [25], image restoration [29], image captioning [30], industrial applications [31], audio recognition [32], and so on, which makes it critically useful in image analysis. The basic architecture of a CNN, as shown in Figure 2 (adapted from [33]), consists of different types of layers, among which the main ones are convolutional, pooling, rectification, and flatten layers. At the core of a CNN is the convolutional layer, whose units are organized into output feature maps produced by the convolution operation using filters or kernels. The output feature maps are then passed through the pooling layer to reduce their dimensions and the number of parameters prone to overfitting, which in turn accelerates neural network performance and leads to faster training. At the same time, pooling keeps the majority of the dominant information (or features) at every stage. Furthermore, pooling filters aid in learning the most important features and removing outliers and inconsistencies. Classifiers are often composed of fully connected layers, and they carry out classification tasks according to the identified features. In general, in contrast to other DL or ML algorithms that can be over-fitted with massive amounts of data, CNNs can quickly determine the type of attack.
Figure 2. The basic architecture of a CNN.
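The convolution, rectification, pooling and flatten layers described above, as an added worked example (this is not code from the paper): a plain-Python forward pass over a constructed 6×6 single-channel "image" containing a vertical edge, using two constructed 3×3 kernels. Without any framework, every value in the feature map can be checked by hand, which makes it visible how a kernel turns a receptive field into one feature-map unit and how 2×2 max-pooling halves each dimension while keeping the strongest activations.

```python
"""Plain-Python forward pass through the core CNN layers of Section 3.1.
Added example; not code from the paper. The image and kernels are constructed."""

from typing import List

Matrix = List[List[float]]

# Constructed 6x6 single-channel "image": dark left half, bright right half,
# i.e. a vertical edge between columns 2 and 3.
SAMPLE_IMAGE: Matrix = [[0.0, 0.0, 0.0, 1.0, 1.0, 1.0] for _ in range(6)]

# Constructed 3x3 kernels (filters). The vertical-edge kernel responds where
# intensity rises left to right; the horizontal one where it rises top to bottom.
VERTICAL_EDGE_KERNEL: Matrix = [[-1.0, 0.0, 1.0], [-1.0, 0.0, 1.0], [-1.0, 0.0, 1.0]]
HORIZONTAL_EDGE_KERNEL: Matrix = [[-1.0, -1.0, -1.0], [0.0, 0.0, 0.0], [1.0, 1.0, 1.0]]


def conv2d(image: Matrix, kernel: Matrix, stride: int = 1) -> Matrix:
    """Convolutional layer with 'valid' padding (cross-correlation, as DL
    frameworks implement it). Each output unit is the weighted sum of the kernel
    over one receptive field; together the units form one feature map of size
    ((H-kH)//stride+1) x ((W-kW)//stride+1)."""
    h, w = len(image), len(image[0])
    kh, kw = len(kernel), len(kernel[0])
    feature_map: Matrix = []
    for i in range(0, h - kh + 1, stride):
        row: List[float] = []
        for j in range(0, w - kw + 1, stride):
            acc = 0.0
            for ki in range(kh):
                for kj in range(kw):
                    acc += image[i + ki][j + kj] * kernel[ki][kj]
            row.append(acc)
        feature_map.append(row)
    return feature_map


def relu(fmap: Matrix) -> Matrix:
    """Rectification layer: negative activations are clamped to zero."""
    return [[max(0.0, v) for v in row] for row in fmap]


def max_pool(fmap: Matrix, size: int = 2, stride: int = 2) -> Matrix:
    """Pooling layer: keep only the maximum of each size x size window. The map
    shrinks (fewer parameters downstream) but the dominant features survive."""
    h, w = len(fmap), len(fmap[0])
    pooled: Matrix = []
    for i in range(0, h - size + 1, stride):
        row: List[float] = []
        for j in range(0, w - size + 1, stride):
            window = [fmap[i + di][j + dj] for di in range(size) for dj in range(size)]
            row.append(max(window))
        pooled.append(row)
    return pooled


def flatten(fmaps: List[Matrix]) -> List[float]:
    """Flatten layer: concatenate all feature maps into the single vector that
    the fully connected classifier consumes."""
    return [v for fmap in fmaps for row in fmap for v in row]


def cnn_forward(image: Matrix, kernels: List[Matrix]) -> List[float]:
    """One conv -> ReLU -> max-pool stage per kernel, then flatten."""
    return flatten([max_pool(relu(conv2d(image, k))) for k in kernels])


if __name__ == "__main__":
    fmap = conv2d(SAMPLE_IMAGE, VERTICAL_EDGE_KERNEL)
    print("vertical-edge feature map (4x4):", fmap)
    print("after ReLU + 2x2 max-pool (2x2):", max_pool(relu(fmap)))
    print("flattened feature vector:",
          cnn_forward(SAMPLE_IMAGE, [VERTICAL_EDGE_KERNEL, HORIZONTAL_EDGE_KERNEL]))
```

The vertical-edge kernel lights up only at the two columns straddling the edge, the horizontal-edge kernel produces an all-zero map because every row is identical, and pooling reduces each 4×4 map to 2×2 without losing the edge response; in a real IDS the "image" would be a traffic-derived feature matrix and the kernels would be learned rather than hand-written.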
3.2. Transfer Learning
Transfer learning (TL) [34] is a powerful method for exploiting deep neural networks on smaller datasets. The goal of transfer learning is to transfer the structure and parameters of models trained on large-scale datasets (e.g., AlexNet, VGGNet, and ResNet) to new tasks and to use the weights trained on the large dataset as the initial weights for the new task [18]. As a result, TL leverages the knowledge learned from the source domain to solve the problem in the target domain without the need to learn from scratch with a massive amount of data. Instead of training new models from the beginning using new datasets, we may leverage the patterns learned from datasets like ImageNet (millions of photos of various things) as the foundation of the new problem, as shown in Figure 3.
Figure 3. Use of transfer learning and CNNs.
4. IoT and the Wi-Fi Protocol
The Internet of Things (IoT) is a network of billions of interconnected physical devices embedded with sensors, software, and communication technologies with the capabilities of gathering and exchanging data via the Internet, allowing them to communicate with one another and execute a variety of functions independently. Wi-Fi has become part of our daily lives and increasingly popular in many areas of application, including smart home equipment, due to its low cost, ubiquity, and ease of connecting. The continuous decline in the price of Wi-Fi chipsets has contributed significantly to its expansion. With the rapid advancement of IoT and billions of connected objects, Wi-Fi applications have reached new heights. More than 37 billion Wi-Fi-enabled devices were shipped in 2021, and the global value of Wi-Fi is estimated to be $4.9 trillion by 2025 [35]. The increasing deployment of IoT devices is the primary driver of this market growth.
Wi-Fi-enabled devices communicate over radio signals with an intermediary device such as an access point (AP), a networking device that is in turn linked to a wired or cellular network. The AP effectively turns Internet data into radio waves and transmits them into the surrounding area.
De-Authentication and Disassociation Attacks
An IoT Wi-Fi network has many vulnerabilities, such as an open wireless medium, lack of robust encryption protocols, the unprotected nature of the management frames, and insufficient validation of de-authentication frames. These security challenges make an IoT Wi-Fi network vulnerable to various attacks such as Denial of Service (DoS), spoofing, eavesdropping, Man-in-the-Middle attacks, and many others [36]. The de-authentication and disassociation DoS attacks are the attack scenarios that this work focuses on. The security evaluation of a network generally involves different phases, such as exploration, analysis, attack, and operation. For the attack scenarios, the network traffic associated with the association/disassociation process of 802.11 Wi-Fi networks is the focus of the analysis and attack detection.
5. De-Authentication DoS Attack
De-authentication attacks are classified as management frame attacks and fall under the Denial of Service attacks that aim to disrupt the communication between users (stations) and the Wi-Fi AP [37]. Normally, a de-authentication frame is used to gracefully end a connection between a connected client and an access point. Either the AP or the station can invoke the de-authentication because of shutdown, loss of coverage, or other reasons. When the AP receives this frame, it also transmits a de-authentication frame back to the client. While this is the normal de-authentication process, an attacker can take advantage of it: the attacker first waits for a client to authenticate with the AP, then spoofs the MAC address of the target client and sends a de-authentication frame to the AP on behalf of the victim, which disconnects the station from the AP. The entire process is shown in Figure 4 (adapted from [38]).
Figure 4. An attacker carrying out a de-authentication DoS attack.
6. Disassociation DoS Attack
An existing association is terminated via a disassociation frame. Either of the two associated stations can initiate a disassociation notice. Disassociation cannot be denied, since it is a notification rather than a request. In response to the disassociation notice, the receiving station clears the appropriate states and keys from its memory. Stations often disassociate when they leave the network or when they relocate and want to join another network. If an AP cannot manage all of its associated stations or is restarting, it sends a broadcast disassociation to disconnect all of them. Because the disassociation frame is neither encrypted nor authenticated, it is vulnerable to spoofing. Anyone may spoof the source address (SA) using MAC spoofing tools and techniques such as Aircrack-ng, macchanger, Scapy, or custom scripts. By sending a forged disassociation frame, the attacker can force the target victim client to disassociate, as shown in Figure 5 (adapted from [38]).
Figure 5. An attacker carrying out a disassociation DoS attack.
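Sections 5 and 6 both come down to the same observable: a burst of disconnect management frames that no legitimate station or AP would send at that rate. As an added example (not the paper's detector, which is learning-based), the following rate-based detector runs over a constructed list of parsed 802.11 management-frame records of the kind a monitor-mode capture yields. The addresses, timestamps and reason codes are constructed; the reason-code meanings (3 = sending station is leaving, 7 = class 3 frame from a non-associated station, 8 = leaving BSS) are from the 802.11 standard. Because the attacker spoofs the victim's address (Figures 4 and 5), the implicated transmitter in a flood alert is the spoofed station or AP, which tells the operator who is being targeted rather than who is attacking.

```python
"""Rate-based detector for de-authentication / disassociation floods.
Added example for Sections 5 and 6; not the paper's detector. Operates on
constructed frame records; see SAMPLE_FRAMES."""

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed, locally administered addresses (not real devices).
AP = "02:00:00:00:00:01"
CLIENT_A = "02:00:00:00:00:10"
CLIENT_B = "02:00:00:00:00:11"


@dataclass(frozen=True)
class Frame:
    ts: float       # capture timestamp, seconds
    subtype: str    # 'deauth', 'disassoc', 'data', 'beacon', ...
    src: str        # transmitter address (SA); attacker-controllable
    dst: str        # receiver address (DA)
    reason: int     # 802.11 reason code for deauth/disassoc, 0 otherwise


# Constructed trace: normal traffic, one graceful de-authentication by CLIENT_B
# (reason 3, station leaving), then eight de-authentication frames in 0.35 s
# carrying CLIENT_A's address and addressed to the AP (the Figure 4 scenario),
# and finally a broadcast disassociation from the AP (reason 8).
SAMPLE_FRAMES: List[Frame] = [
    Frame(0.00, "beacon", AP, BROADCAST, 0),
    Frame(0.10, "data", CLIENT_A, AP, 0),
    Frame(0.50, "deauth", CLIENT_B, AP, 3),
    Frame(0.90, "data", AP, CLIENT_A, 0),
] + [
    Frame(2.00 + 0.05 * i, "deauth", CLIENT_A, AP, 7) for i in range(8)
] + [
    Frame(3.00, "disassoc", AP, BROADCAST, 8),
]


def detect_disconnect_flood(frames: List[Frame], window: float = 1.0,
                            threshold: int = 5) -> List[dict]:
    """Sliding-window count of deauth/disassoc frames per transmitter address.

    A 'flood' alert is raised when a transmitter's count reaches `threshold`
    within `window` seconds, and not again until the count has fallen below it.
    Broadcast disconnects are reported separately as 'broadcast_disconnect':
    an AP sends one legitimately when restarting (Section 6), but a forged one
    drops every client at once, so an operator wants to see each of them."""
    history: Dict[str, Deque[float]] = defaultdict(deque)
    flooding: Set[str] = set()
    alerts: List[dict] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in DISCONNECT_SUBTYPES:
            continue
        if f.dst == BROADCAST:
            alerts.append({"kind": "broadcast_disconnect", "src": f.src, "ts": f.ts,
                           "subtype": f.subtype, "reason": f.reason})
        q = history[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window:      # forget frames outside the window
            q.popleft()
        if len(q) >= threshold and f.src not in flooding:
            flooding.add(f.src)
            alerts.append({"kind": "flood", "src": f.src, "dst": f.dst, "ts": f.ts,
                           "count": len(q), "subtype": f.subtype, "reason": f.reason})
        elif len(q) < threshold:
            flooding.discard(f.src)
    return alerts


def flood_sources(alerts: List[dict]) -> List[str]:
    """Transmitter addresses implicated in flood alerts, in detection order."""
    return [a["src"] for a in alerts if a["kind"] == "flood"]


if __name__ == "__main__":
    for alert in detect_disconnect_flood(SAMPLE_FRAMES):
        print(alert)
```

On the sample trace the single graceful de-authentication from CLIENT_B never reaches the threshold, the fifth spoofed frame at t = 2.20 s triggers one flood alert naming CLIENT_A as the (spoofed) transmitter, and the AP's broadcast disassociation is surfaced as a separate notice. The window and threshold are the knobs a deployment tunes against its own baseline of legitimate roaming and shutdown traffic.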
7. Log Collection and Parsing
Systems from small to large scale generate logs on a regular basis to record system states and runtime information; each log entry includes a timestamp and a log message describing what happened. This useful information can be used for a variety of purposes (for example, anomaly detection), and thus logs are gathered first for later use. Logs are unstructured plain text and consist of constant and variable parts [39]. The constant parts are predefined in the source code and remain the same across different occurrences. The remaining parts of the log are variable parts that change from one occurrence to another and are generated dynamically. Log parsing extracts a set of event templates to create a structured, well-defined log format from the raw logs. More specifically, each log message can be parsed into an event template (constant part) with some specific parameters (variable part).
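The template/parameter split described above, as an added worked example (not the paper's parser): a small token-masking parser that splits each line into its header fields and then replaces the variable tokens in the message (MAC addresses, IPv4 addresses, standalone integers) with a placeholder, so that lines differing only in those values collapse onto one event template. The log lines are constructed in a hostapd-like syslog layout (`<timestamp> <process>[<pid>]: <message>`) purely for illustration.

```python
"""Log parsing into event templates (constant part) and parameters (variable
part), Section 7. Added example; not the paper's parser. Sample lines are
constructed in a hostapd-like syslog format."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: association, de-authentication and disassociation events
# for two stations, plus an unrelated DHCP line to show a second template family.
SAMPLE_LOG = """\
2024-03-01T10:15:32Z hostapd[1234]: wlan0: STA 02:00:00:00:00:10 IEEE 802.11: associated
2024-03-01T10:15:33Z hostapd[1234]: wlan0: STA 02:00:00:00:00:11 IEEE 802.11: associated
2024-03-01T10:16:02Z hostapd[1234]: wlan0: STA 02:00:00:00:00:10 IEEE 802.11: deauthenticated due to local deauth request
2024-03-01T10:16:02Z hostapd[1234]: wlan0: STA 02:00:00:00:00:11 IEEE 802.11: disassociated (reason=8)
2024-03-01T10:16:03Z dhcpd[77]: DHCPACK on 192.168.1.23 to 02:00:00:00:00:12 via wlan0
"""

# Header: timestamp, process name, pid, free-text message.
HEADER = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")

# Variable-part patterns, tried in this order at each position. The integer
# alternative refuses digits glued to letters or dots, so constants such as
# "wlan0" and "802.11" stay in the template while "reason=8" is masked.
VARIABLE = re.compile(
    r"(?P<mac>\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b)"
    r"|(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<num>(?<![\w.])\d+(?![\w.]))"
)
PLACEHOLDER = "<*>"


@dataclass(frozen=True)
class ParsedLog:
    ts: str
    proc: str
    pid: int
    template: str           # constant part, with variables replaced by <*>
    params: Tuple[str, ...]  # variable part, in order of appearance


def extract_template(message: str) -> Tuple[str, Tuple[str, ...]]:
    """Replace each variable token with the placeholder and collect its value."""
    params: List[str] = []

    def mask(m: "re.Match[str]") -> str:
        params.append(m.group(0))
        return PLACEHOLDER

    return VARIABLE.sub(mask, message), tuple(params)


def parse_line(line: str) -> ParsedLog:
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    template, params = extract_template(m.group("msg"))
    return ParsedLog(m.group("ts"), m.group("proc"), int(m.group("pid")), template, params)


def parse_log(text: str) -> List[ParsedLog]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def template_counts(entries: List[ParsedLog]) -> Counter:
    """Occurrences per event template: the structured view a detector or a
    feature extractor consumes instead of raw text."""
    return Counter(e.template for e in entries)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e.template, "<-", e.params)
    print(template_counts(parsed))
```

The two "associated" lines and the two disconnect lines yield three templates whose only parameter is the station address (plus the reason code for the disassociation), while the DHCP line yields a fourth with an IP address and a MAC as parameters. Production parsers such as Drain learn templates from the data rather than from fixed masking rules, but the output shape, template plus ordered parameters, is the same one the text describes.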
8. Elastic Stack
The Elastic stack is an open-source project that primarily consists of Elasticsearch, Logstash, and Kibana (ELK), used for data preprocessing, data search, and data visualization [40]. ELK is preferred because it is open-source and has the capabilities of log collection, processing, and visualization. Being open-source, together with its other vital features, helps in developing effective and efficient vendor-independent solutions covering log collection, log parsing, visualization, and feature extraction.