The increased connectivity of smart machines raises the wagers. The first alarm situation to breach industrial security was in 2009, when the speed of the centrifuge nuclear enrichment plant was modified to spin out of control by a Stuxnet malware. This was introduced via flash drive for a stand-alone network, which spread automatically across the networks [1]. A new malware called Trident destabilizes Safety Instrumented System (SIS) and provides a path for hackers to destroy the files by feeding false data [2]. A strong, smart, and safe shield is very much essential to reduce industrial espionage, IP leakage, information theft, which may lead to the production sabotage. Industrial Control Systems (ICSs) have unique vulnerability, as each connected devices represent a potential risk in each layer of the network, which is particularly susceptible to cyberattack. The major cause of hazardous issues in the industrial sector is the incompatible operation system, outdated Programmable Logic Controllers (PLCs), and Human-Machine Interfaces (HMIs) in an isolated environment with a lack of regular updates on attack patterns, and poor standards [3]. Table 1 provide a detailed list of IoT attack and the proposed counter measures to mitigate the complications of the attack.
An Intrusion Detection System (IDS) is a network security technology built to detect vulnerable exploits in the cyber world. IDS is classified in two forms based on the detection component as Network Intrusion Detection System (NIDS) and Host-based Intrusion Detection System (HIDS). A NIDS observes, monitors, and analyzes the network traffic to identify suspicious events, whereas HIDS trace abnormal activities and report to the security server. Anomaly Intrusion Detection (AID) observes the behavior by scanning the ports. Signature Intrusion Detection (SID) matches predefined patterns based on vulnerability and exploit are used to defend the situation [5]. SID methods have high rate of accuracy in classifying known attacks and AID methods are popular in identifying zero-day attacks; Both of the methods pro-duce high false-positive rates. IDS detects and reports to the security system but, lacks in preventing the exploitation, neither raise any automatic action to mitigate the risk [6]. Nowadays Intrusion Detection and Prevention System (IDPS) has become the dominant deployment option for the security system [7]. Feature selection, compatibility, and unavailability of the labeled dataset are the primary challenges faced by the current IDS models. Immense efforts are required to collect labeled datasets from real-time network traffic and preserve the confidentiality of the internal data. Feature selection plays a vital role in the development of the classification model, to learn good features on a limited amount of labeled data in supervised classification [8]. These features can be applied for other classification models with a small amount of dataset. Deep learning techniques are more popular for feature reduction and classification; these methods are successfully applied in image, audio, text, and numerical dataset for developing application models [9]. In this present work, we propose a Deep Learning (DL)-based NIDS model for classification and identifying the most relevant features and detecting the anomalies. We call our proposed model of intrusion as Smart Intrusion Detection with Risk Identification System (SID-RIS). The model is trained and verified on the KDD+ datasets and UNSW-BoT-IoT dataset. We have presented a comparative analysis with the existing techniques to evaluate the efficiency of our model.
The remaining paper is organized in four sections. In Section 2, a few latest and closely related work is discussed. Section 3 presents an overview of the proposed model and the risk factor analysis with the implementation procedures on both datasets. The results and comparative analysis of the model are discussed in Section 4. We conclude our work with future scope in Section 5.
Focusing on security applications, DL techniques with remarkable quality of self-learning are beneficial to developing intrusion detection models. These models result in low false rates and high accuracy as compared to traditional machine learning techniques. The standard Neural Network (NN) architecture is created with a multi-layer perceptron using a liner stack classifier. Raw data in the form of numbers/images/audio are fed into the neurons as input represented with x1, x2, x3,..., xn. Each input is multiplied by weights (w1,w2,w3,β¦,wn) and passed to an activation function which maps the input signals into an output signal.
In Equation 1, x represents the inputs, w represents weights to be added for each input, z is used for output, b represents bias, and f represents the activation function. The model adjusts the weights and repeats the task to improve the accuracy using back-propagation.
Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN) are the most popular methods used for detecting malware activities with self-learning techniques [13]. ANN is emphatic in monitoring network traffic and detecting Imminent attacks. ANN, CNN, and Deep Neural Network (DNN) are some of the supervised instance learning techniques trained with feed-forward neural networks. Yazan et al. [10] propose a Spider Monkey Optimization (SMO) algorithm for dimensionality reduction and the Stacked-Deep Polynomial Network (SDPN) for attack classification. The Deep Feature Embedding Learning (DFEL) model has been compared with KNNs, DT, and SVM and results with a 99.14% F1 score. Olakunie Ibitoye et al. [11]. compared a Feedforward neural network model with a self-normalizing neural network model for BoT-IoT dataset and resulted in 9% higher performance accuracy of SNN IDS than FNN IDS. A Generic algorithm-based Deep belief network model was proposed by Zhang et al. [12]. The model structure was integrated with a selection of features with crossover, mutation, and elite retention technique of generic algorithm. once the maximal algebraic value is reached the optimal structure is created. Restricted Boltzmann Machine (RBM) and Backpropagation network (BPN) are used for classification [12]. Roopak et al. [13] pro-posed four different classification deep learning models as MLP (Multilayer Perceptron), 1d-CNN, LSTM, CNN+LSTM with a comparative analysis on machine learning technique. CNN+LSTM, LSTM, 1d-CNN techniques have high accuracy rate than SVM, Naive Bayes, and Random Forest machine learning techniques for the CICIDS2017 dataset. CNN+LSTM remains the best-proposed technique with 97.15% accuracy where LSTM results in 96.24% and MLP results in 13.66% false rates. Thamilarasu G. et al. [14] propose a three-layer framework with network connection phase, anomaly detection phase, and the mitigation phase to identify, analyze, and reduce the risk factor using CNN techniques. Another integrated technique using LSTM and CNN as Hybrid CNN model testing on UNSW dataset is proposed by S.smys et al. [15]. LSTM is used for feature extraction and CNN for intrusion detection. The model gave an excellent performance with a 2.19 sec training time. Another Deep belief network model tested on a real-time dataset proposed by Balakrishnan et al. [16]. This model enhances the security network compared to Domain Generation Algorithm (DGA) with 0.997 highest precision. Chao Liang et al. [17] propose a multi-agent system with the blockchain and deep learning (DNN) algorithm, tested for the NSL-KDD dataset, and resulted in 91.50% accurate on testing. The Transient Search Optimization (TSO) algorithm by Fatani et al. [23] maintains the balancing between exploitation and exploration phases. The model is tested on the most popular IoT datasets including KDDCUP-99, NSL-KDD, BoT-IoT, and CICIDS-2017. It achieves higher accuracy compared to several existing approaches.
The traditional architecture of the IDS model is prone to security leaks. The multi-layer recursive structure analyzes the data at various levels and makes the model effective to handle the minute complications. The IoT system is exposed to multiple devices with different processing frameworks connected to various locations. A single layer model lacks in generating enhanced performance, as it is restricted with the scope of the connected components. The multi-layer model is distributed across the system and executes the processes at each level covering the major to minor values based on the state of the system. A self-trained security model with previous inputs minimizes human interaction. In this section, we focus on the proposed methodology. The data set used in building the detection model, the feature extraction techniques, and the multi-layered Cascade detection and classification algorithm are explained in sequence in this section.
We use NSL-KDD and UNSW-2018-BoT-IoT datasets in the present work. KDD Cup dataset is prepared using the network traffic captured by the 1998 DARPA IDS evaluation program [24]. The BoT-IoT dataset is collected from Cyber Range Lab of UNSW Canberra [25].
KDD + Dataset We have used the NSLKDD+ dataset that has 41 labeled input features with binary and multi-class attack classification. A total of 38 traffic classes with 21 attack classes are available in the test data, from which 16 attacks and 1 normal class are considered for training. The attack records are grouped into four major classes as DoS, Probing, user-to-root (U2R), and root-to-local (R2L) [24]. We have selected KDD+ dataset with a total of 125973 records of which 58630 are attack values and 67343 are normal records. UNSW-BoT-IoT dataset The BoT-IoT dataset is collected from the Cyber Range Lab of UNSW Canberra. The environment with the combination of normal and attack traffic is configured and collected in various formats. The dataset is created in three categories: i) entire dataset with all features, ii) 5% of data with training and testing files with all the features, and iii) 10-best features with training and testing splits. The dataset has been classified with nine types of cyber-attacks and is represented with 46 labeled feature classes. To test the efficiency of the model we have selected a 5% best-featured dataset which has 10,48,457 attack records and 118 normal values [25]. The dataset supports four attack classes as DDoS, DoS, Normal, reconnaissance, and theft. Table 2 displays various attack classes and number of records in each class for both the datasets. 70% of the data is considered as the training data, 15% for the validation, and 15% for the testing. SID-RIS focuses on multi-class classification to train and trace various cyberattacks.
As the first step of normalization, we use the fill missing function to replace all the empty values with standard and constant values. In the second step, all the categorical values (NaN) are converted into numerical identities for easy prediction. We have applied one hot-encoding technique for conversion. This technique processes the categorical variable and converts it into a numerical representation. But at the same time natural ordering between categories with integers may result in poor performance or unexpected results, we have converted the string values to a new binary variable and added for each unique integer value. The BoT-IoT dataset contains three categorical features as prototype, attack category, and sub category (NaN values) which are encoded into numerical form before producing as input to the network model. Normal values are indicated with 0 and the attack values as 1 or any categorical integer value based on the class.
In this study, we are extending our previous experiment [26] in which we have concluded that the model tested with optimal features resulted in a minimum error, compared to the model trained for the entire dataset. In this study, we are using the best subset evaluated from feature reduction techniques. Then we train the sample with Cascading Feed Forward Back Propagation (CFFBP) classification and detection technique. We have selected the 10 best-featured samples provided by the BoT-IoT dataset, and for the KDD dataset, we have used CFS-Subset-Evaluator, a feature reduction algorithm, that results in six best features from 41 labeled values. The CFS subset evaluation technique generates a subset of attributes with the individual predictive ability of each feature, along with the degree of redundancy between them. The resulted features are highly correlated with the target class and have low inter co-relation with other input values. Further to improve the training efficiency and speed up the detection process, we have used the encoded values as input for detection models generated from the Auto Encoder (AE) technique. AE reduces the given input into the lower-dimensional format and regenerates the output as a new representation. To replicate the input vector against the output layer, and train the AE model, we implement a back-propagation algorithm. For a given input X and reconstruction result as x, the network is trained by minimizing the error L (x, π ^)
to measure the variation between the original input and the encoded output. We have trained AE with 25 hidden layers using the scaled conjugate gradient training algorithm. The model performance is evaluated using Mean Square Error (MSE) with L2 sparsity regularizes, the model results in with 6.66% MSE.
To prevent over-fitting additional information is given to the model in the process of regularization. L2 regression is also considered as ridge regression with the linear regression in Equation 2 and the loss function with L2 norm of the weights represented in Equation 3.
π ^= π π + π π + π π π π + β― + π π + π π + π.
(2)
In the above expression for an auto-encoder model, π₯ ^ with x as input variables, w represents the weight, and $b$ represents the bias. We use a loss function to analyze the difference between the true and predicted values. The regularization parameter is represented by Ξ» > 0 $ and β is used to calculate the total loss and predict the efficiency of the model for each input and added weight. The neurons are "inactive" if their output value is close to 0 and active if it is close to 1; we use the sparsity parameter to make it inactive and avoid over-fitting issues. This checks that the average activation of each hidden neuron is close to it, which is a small value close to zero [27].
We have selected Cascading Feed Forward Back Propagation (CFFBP) method to classify the anomaly and identify the attack and normal packets. As with all other network models, Feed Forward (FF) model consists of a single input layer, multiple hidden layers, and selected output layers. Back Propagation (BP) is used as a learning algorithm to train the network models by updating the weights and calculation the error values to propagate the prior layer. The non-linear transfer function of multiple layers allows one to learn both linear and non-linear relations between input and output vectors [28].
Connecting the input weights from each successive layer is the unique property of the proposed model. Networks with multiple layers have the potential to learn the complex relations between input and output vectors. The model begins with a single input layer and adds multiple connected layers one by one in the process which receives connections from the original input layer and all previously hidden units. A connection from a neuron and multi-layer network is combined with a direct link and shaped through an activation function in the hidden layer [29]. Perceptions are added one by one in this correlation, it starts with a small number and ends up with a bigger size. Additional connections improve the speed and learning rate. The process is terminated when the net performance is accurate. Such network pattern is called as Cascading Forward Back Propagation Neural Network (CFBPNN). The mathematical expression of CFBPNN is given in Equation 4.
In Equation 4, y represents the output layer, β π π=1 is used to calculate the sum of weights and bias of each layer. The special feature of this network is to carry forward the calculated weights and bias by establishing a direct relationship between the input and hidden layers using π π π€ π π π₯ π + π 0 An activation function is used to train the complex patterns and take decisions for passing the values for the next layers. Figure 1, represents the internal structure of the cascade model representing the internal connectivity to the weights of the previous layer to next.
The experiment is conducted on both dataset samples for optimal features adopted from the feature extraction model. The dataset is split into a 70% training set and 15%test set and 15% for validation according to the random data split method. The system is trained using cascading feed-forward network with seven inputs for the KDD+ dataset and 19 input layers for the BoT-IoT dataset. Five hidden layers (10 nodes each) and output layer (1 node) for four attack classes in binary form (0 for normal and 1 for attack) are considered. The model is trained and experimented on an I5 processor (16 GB RAM and 1 TB Octan memory) with a window 10 operating system using MATLAB R2021a environment. Based on the repeated experiments conducted, we have adopted the network model with ideal parameters which produce the highest accuracy and the lowest false rate. We then define the evaluation parameters and finally, discuss the results.
Various parameters used to activate the network are: i) Data division method: Random (dividerand), ii) no. of Epochs: 1000, iii) transfer function: Transit, iv) training method: Levenberg-Marquardt (trainlm), v) adaption learning function: learngdm, and vi) performance indicator: Mean Square Error (MSE). Cascading model is applied and tested for both the data sets with the same parameters given above. The only change in the size of the input layer is based on the number of features available in the dataset.
To identify the correlation between input and target variables, we have represented a correlation plot for all the six input variables and one target variable for the subset evaluated from KDD+ dataset. The relation between the variable and the impact is displayed in Figure 4. The diagonal cells represent selfcorrelation. The last column and the row represent the correlation between the variable in a horizontal and vertical direction. From Figure 4a, we observe that Src-bytes and Dst-Bytes have high impact on the attack types. Diff-RV-rate, srv-error-rate, and logged-in-status variables are having very little impact with zero and negative values for the evaluated subset. Figure 4b represents the Correlation plot (coorplot) for BoT-IoT dataset with 18 input features and one target value with four classes. It is observed that only seven variables have a positive impact on the target variable and the other ten variables have a negative impact on the attack variable. This experiment helps in tracing the most prominent variable having a high impact on the attack variants. This technique can be further enhanced using the script to develop any prevention model.
The dataset with different input features with variant values is considered for the experiment. The dataset is prepossessed before analyzing self-taught learning on it. Categorical at-tributes with string values are converted into discrete numerical attributes using the one-hot conversion method. As discussed in the methodology section 3.3, optimal features are considered to train and test the model. The testbed is then trained with autoencoders, and the resulted data is used to develop a cascade classification model. These two approaches are applied for the evaluation of NIDSs on the selected samples with a random data split. The proposed model achieved very high accuracy and less false-alarm rates compared to the training implemented for the entire dataset. Cascading model is applied and tested for both datasets with the same parameters. As discussed in [26], the detection model is implemented only for the subset, evaluated with best features. This reduces the training time and results in the highest accuracy. Evaluation metrics project the performance of the model, it helps to determine the capabilities and discriminate the model results. We have tested the model for multi classes and analyzed the results using a confusion matrix.
A confusion matrix is the most appropriate technique to analyze the performance of the classification model. The results of this technique identify the types of errors encountered by the model in the process of training and testing. The number of incorrect predictions is analyzed for each class assigned to the model with the target variable. The difference in the prediction and actual assumptions are projected in the matrix; it also includes the errors made by the classifier and the category which is wrongly analyzed. The elements of the confusion matrix are used to construct the accuracy of the overall model. The formula to calculate each element of the matrix and the precision is displayed in Figure 5.
The ratio of false cases marked as true.
The ratio of correctness for the classified samples.
The ratio of the true positive samples to predict the positive samples. Recall (R): Represent the ratio of true positive values to the total value. This reflects the model's ability to recognize the attacks from a given class. The model results in 100\% accuracy for the KDD+ dataset tested on the best features subset, and 99.7\% accuracy for the BoT-IoT dataset. A minimum false rate is observed with 0.3\% for the theft category. The detailed analysis of attack detection ration for each class is given in Figure 7.
We have tested and compared the model of both the dataset samples and the result matrix is projected in Table 3. The CFBP model is proved more suitable for detecting the attacks with multi-class classification for both the sample datasets. The observational point is that the model shows excellent results for the KDD+ dataset, in which the testing and training are implemented for the subset generated using the feature selection method. The results for the BoT-IoT dataset are quite good compared to other state of art models, the model is most apt in identifying Dos attacks for various samples. There is a slight variation in identification of reconnaissance and theft attack with 0.1%. A detailed projection of the attack class with the resultant matrix is projected in Table 3. The comparison with existing systems is shown in Table 4. The rule-based Decision tree (TDTIDS) model has the highest accuracy of all the existing models [18] with 99.98%. CFBP model has the benchmark of 100% in the identification of all class attack values. The DBN [12] and RNNIDS [22] models have a poor performance comparatively, while the other models' performance are very close to each other. The multi-class feed forward neural network [21] has a very close accuracy with our CFBNN with a raised recall score but, CFBNN has less FPR which indeed reduces the scope of error. CFBNN performs much better than [14], [15], [22], [18] on the basis of accuracy, precision, and false rate which are the most important metrics for a detection system. The average false-positive ratio of our model is lower than all these models. However, the disadvantage with the regular deep learning techniques is to determine values with the next layer but, our cascade model has the advantage of processing the previous weight and bias values to the next hidden layers; this improves the detection rate and reduces the error factor. The main goal of CFBNN is to improve the detection rate and reduce the error rate which is successfully accomplished with the six selected features executed in the CFBNN model. The test proves with 100% accuracy and 0% false rates.
We propose SID-RIS, an intrusion detection model for IIoTs. The purpose of the present study is to improve the detection solution for IoT and IIoT devices and establish an accurate monitoring environment that handles unsafe structure and detect abnormal behavior. SID-RIS is based on deep learning. It classifies the given input based on cascading forward method. A CFS-subset evaluation technique is used to select the optimal features from KDD+ dataset and then process the subset for the training detection model. The model is examined on both KDD+ and BoT-IoT data set and evaluated using the confusion matrix. Our solution, CFBNN achieves better performance in terms of accuracy 100% for the KDD+ dataset, and 99.7% accuracy and 1.1% false rate for BoT-IoT data set for multiclass classification. To identify the risk factor, we have implemented a co-relation plot to trace the impact of the variable with the target and identified three variables for the KDD+ dataset and seven for the BoT-IoT dataset. In the future, we would like to extend our work to experiment with prevention techniques for other open datasets to generalize the results.