A Novel Approach for Network Vulnerability Analysis in IIoT

1  Introduction

Industrial IoT (IIoT) signifies the function of IoT in industrial organization to get better operational efficiency. The IIoT speeds up the industrial mechanization development through connecting many IoT devices. The extensive exploitation of IoT apparatus in the Industrial model has generated diverse applications i.e., smart manufacturing, intelligent transport, etc. However, IIoT applications are impacted by dangerous security hazards caused by means of anomalous IIoT devices. Machine learning techniques are more efficient for securing the IIoT applications from harsh attacks.

A new Hybrid Deep Random Neural Network (HDRaNN) was developed in [1] for cyberattack detection. The designed approach increases the accuracy of attack detection however the time complexity was more. A hinge classification algorithm was introduced in [2] to detect the various attacks. The designed technique increases the precision but it failed to apply the large volume of data samples in a wide range of scenarios. Different machine learning techniques were introduced in [3] for cyber-vulnerability assessment. In [4], a machine learning technique was developed for distinguishing the data into different classes. However, it failed to reduce the complexity.

A False Data Injection” (FDI) attack detection using Autoencoders was developed in [5] for discovering attacks with lesser time. But it failed to use the efficient dimensionality reduction method to further minimize the execution time.

A Distributed Congestion Control system was introduced in [6] to identify and mitigate DoS attacks. But it failed to examine the traffic segmentation for improving detection and mitigation attack. A novel neural network approach was developed in [7] for the recognition of various anomalies in Industrial IoT systems. However, it failed to further validate the accuracy of attack detection.

Machine learning algorithms were developed [8] for anomaly detection in an industrial control environment. But the accuracy investigation was not performed. Deep Reinforcement Learning was planned in [9] for finding attacks in IIoT. The designed learning system was not efficient to achieve higher attack detection accuracy.

A novel IIoT-based dataset, called TON_IoT was developed in [10] that integrate both normal sensor measurement data and a variety of attacks. However, false positive rate was higher.

The key contributions of the MPDQDJREBC technique are listed as follows,

•   A novel MPDQDJREBC technique is developed for identifying malicious attacks with the applicability of the machine learning ensemble technique.

•   To get better malicious attacks detection performance in IIoT communication network, the MPDQDJREBC technique is developed based on feature extraction and categorization.

•   To minimize the attack detection time, a Maximum Posterior Dichotomous Quadratic Discriminant analysis is performed in the MPDQDJREBC technique to find the significant features for accurate classification based on likelihood estimation.

•   After that, ensemble classification is performed using the Jaccardized Rocchio Emphasis Boost technique to combine the weak learner result into strong output and also minimize the quadratic error. This assists to get better true positives and diminish the false positives and false negatives.

•   Finally, well-known experimentation is carried out to measure the performance of our MPDQDJREBC technique and other existing works. The experimental result reveals that MPDQDJREBC technique is highly efficient for network vulnerability analysis in IIoT.

This paper is intended as below. Section 2 explains conventional studies using machine learning techniques. Section 3 shows detailed processes of proposed MPDQDJREBC technique. In Section 4, experimental evaluation and results of these methods are presented. The conclusion Section 5 depicts the results of proposed work.

2  Related Works

A novel multi-feature layer was designed in [11] for attack detection where it gets lesser the false positive rate. But the time utilized for attack detection was more. A principal component analysis (PCA) was introduced in [12] for predicting malicious activities in IIoT. However, accurate detection of abnormal events was not attained. A Deep-IFS was developed [13] to discover attacks in IIoT traffic. But the efficient dimensionality reduction technique was not applied to minimize the complexity of intrusion detection.

A process-level attack-detection method was introduced in [14] for capable of detecting stealthy attacks. But it failed to apply the efficient machine learning technique for improving the accuracy of attack detection. A deep learning-based IDS method was developed in [15] for IIoT. However, securing IIoT network from various kinds of malicious activities was considered.

Malware attacks detection was performed in [16] for IIoT. However, accuracy measured during attack discovery was not higher. A novel Convolutional Neural Network-Long Short Term Memory (AMCNN-LSTM) system was introduced in [17] for distinguishing the anomalies. However, the designed framework was not robust for accurate anomaly detection models. A novel classification scheme was introduced in [18] for the traffic characterization mechanism. However, the different levels of features were not considered to improve the performance of classification.

A novel malware discovery method using a machine-learning approach (MADP-IIME) was introduced in [19]. However, it failed to consider diverse categories of malware attacks. A graph-based security framework was developed in [20] for IIoT network. However, the attack detection performance using this framework was poor.

3  Proposal Methodology

The IIoT includes number of sensors, apparatus, engineering applications, databases, services, etc. The sensors employed in the IIoT network generate a massive amount of information where discovering the behavior of the network is considered as vital for securing IIoT applications from attacks. Therefore, an efficient attack recognition system is necessitated to safeguard an IIoT. Based on the motivation, the MPDQDJREBC technique is introduced for cyber-vulnerability assessment through the attack detection with different processes namely feature selection and classification.

Fig. 1 demonstrates the overall process of MPDQDJREBC for accurate attack detection. The proposed MPDQDJREBC technique consists of two phases. First, the number of features and data are collected from the dataset. After that, the feature selection is performed using Maximum Posterior Dichotomous Quadratic Discriminant analysis. Then, a classification is done based on the feature Jaccardized Rocchio Emphasis Boosting technique. A detailed explanation of these two processes of the MPDQDJREBC technique is provided in the below sections.

Figure 1: The processing diagram of proposed MPDQDJREBC technique

3.1 Maximum Posterior Dichotomous Quadratic Discriminant Analysis

The Maximum Posterior Dichotomous Quadratic Discriminant Analysis (MPDQDA) is introduced in this research work to detect the significant features. MPDQDA is a machine learning dimensionality reduction technique that helps to analyze the features in the given dataset. While using a machine learning technique for IoT real-time dataset, a lot of features are presented in the dataset and not all these features are significant every time. This unnecessary feature while training the machine learning technique directs to decrease the overall accuracy and enhance the complexity. Therefore, a feature selection is one of the significant steps while making a machine learning technique to discover the best possible set of features.

Fig. 2 illustrates the block diagram of MPDQDA to find the significant features in the dataset. First, number of features ‘ a1,a2,a3,…an ’ are collected from the dataset. After that, Quadratic discriminant analysis is performed based on the Gaussian distribution.

δ(ai,oj)=1√2πφexp⁡[−0.5(ai−ojφ)2] (1)

where, δ (ai,oj) represents a likelihood between the features, φ represents the deviation, ai,oj represents features and objectives (i.e., attack detection) in the dataset. Then the Maximum posterior function is applied to find the maximum likelihood between the features.

ρmap=arg maxδ(ai,oj) (2)

where, ρmap Maximum a posterior function, arg⁡max denotes an argument of the maximum function, δ (ai,oj) indicates likelihood between the features and objective. Finally, the dichotomous outputs are evaluated according to the likelihood estimation. Dichotomous outputs precisely provide two distinct outcomes.

y={arg maxδ(ai,oj);SelectfeaturesOtherwise;Removefeatures (3)

From (3), ‘ y ’ denotes Dichotomous results. The feature which is more likelihood is selected as significant for further processing. Otherwise, the features are removed from the dataset. As a result, the time complexity of attack detection in the IIoT network is said to be minimized.

Figure 2: The block diagram of the MPDQDA

The algorithmic process of MPDQDA is described as given below,

Algorithm 1 explains the algorithmic process of Maximum posterior dichotomous quadratic discriminant analysis based feature selection. At first, collections of features are taken from the dataset as input. Then the likelihood is estimated between the features and objective functions. Followed by, maximum a posterior is used to find the maximum likelihood between the features. Based on maximum likelihood estimation, vital features are discovered and other irrelevant features are eliminated which resulting in reduced time consumption of the attack detection.

3.2 Jaccardized Rocchio Emphasis Boosting Based Attack Detection

After the feature selection, the proposed MPDQDJREBC technique predicts malicious attacks with the application of machine learning concepts. The malicious attacks in IIoT systems are discovered in this section using Jaccardized Rocchio Emphasis boosting based attack detection (JREB-AD). In proposed work, JREB-AD is a machine learning ensemble technique. JREB-AD translates weak learners into strong ones. The MPDQDJREBC technique uses the Jaccardized Rocchio Emphasis Boost method for accurate vulnerability assessment in IIoT systems by identifying malicious attacks.

Fig. 3 explains schematic structure of JREB-AD for accurate classification with lesser time consumption. The JREB-AD acquires the training sample set {xi,zi} as input where xi=D1,D2,…,Dm ’ denotes the sample data and zi indicates the ensemble classification outcomes. Then, JREB-AD builds ‘ k′ set of weak learners β1,β2,β3,….βk as a Jaccardized Rocchio Classifier (JRC) to categorize input data D1,D2,D3,…Dm into different classes.

Figure 3: Schematic structure of JREB-AD

The JRC is a classification model that assigns the input training samples into the label of the output class whose mean is closest to the observation. Here, two classes are initialized namely normal and attack. The Jaccard index is applied to a Rocchio classifier to measure the similarity between the training data and mean of class.

S=[Di∩Cm]∑Di+∑Cm−[Di∩Cm] (4)

where ‘ S ’ indicates a Jaccard similarity coefficient, Di denotes training data, Cm indicates a mean of a particular class, the intersection symbol ‘ ∩ ’ designates mutual independence between the data and mean of class which are statistically dependent, ∑Di is the summation of Di value, ∑Cm is the summation of Cm value. The similarity coefficient provides results from 0 to 1 [0≤S≤1] . The proposed JREB-AD classifies the data into a particular class based on the higher similarity. In this way, the weak JRC classifies the data into normal or attack.

The observed weak JRC results have some training errors. The JREB-AD sum the entire weak JRC results using below,

z=∑i=1k⁡Ri (5)

where, z indicates ensemble classification results, Ri indicates weak JRC result. The weight is initialized for all weak JRC to determine the final strong classification results using below,

z=∑i=1k⁡Ri∗φi (6)

From (6), ‘ φi ’ depicts weight given to the weak JRC. The JREB-AD employs the weighted emphasis function to measure the quadratic error of classification results using below,

ε=exp⁡[ϑ((∑i=1k⁡Riφi−z)2−(1−ϑ)(∑i=1b⁡Ri)2)] (7)

From (7), ε shows a weighted emphasis function, ϑ indicates a weighting constraint, z depicts actual results, ‘ ∑i=1k⁡Riφi ’ indicates a predicted classification result of weak JRC with weight φi and without weight ∑i=1k⁡Ri . From (7), ϑ denotes a weighting constraint rate. The JREB-AD obtain the final output using below,

ε=exp⁡[(∑i=1k⁡Riφi−z)2] (8)

According to estimate the error value, the weak JRC weight gets updated. If the weak JRC correctly classifies input information, the weight value is decreased. Otherwise, the weight is increased. Finally, the weak JRC with lowest error is considered as the final strong result for accurate classification. Based on the classification results, normal or attack data are correctly identified with superior precision.

The detailed process of JREB-AD is illustrated as follows,

Algorithm 2 represents overall process of JREB-AD to get better the categorization precision. The JREB-AD at the start builds a set of weak JRC. The weak JRC initializes the number of classes and means value. Then the Jaccard similarity is measured between the data and mean of a particular class. Based on similarity, the information is categorized into a consequent class. The obtained weak learner results are combined and assigned weight. The weighted emphasis function is employed in JREB-AD to calculate the quadratic error of each weak JRC. Finally, the weak JRC with a lesser quadratic error is identified as an accurate strong classification result.

4  Experimental Scenario

Performance evaluations of the proposed MPDQDJREBC technique and existing methods namely HDRaNN [1], HCA-MBGDALRM [2] are measured by conducting experimental using Java language and UNSW_NB15 Dataset from Kaggle https://www.kaggle.com/mrwellsdavid/unsw-nb15. In order to conduct the experiment, a UNSW_NB15 Dataset is used for detecting the normal or attacks. The dataset consists of different. CSV files. Among them, the training.CSV files are taken to conduct the experiments. The training.CSV files consist of 1, 75,341 records and 45 attributes. The last two columns of the datasets are attack category and Label. Each row in the dataset is classified and labeled as normal or attack records. Before the data classification, significant features are selected for minimizing the complexity. The result of MPDQDJREBC technique is estimated using below metrics.

•   Accuracy

•   Precision

•   Recall

•   F-measure

•   Attack detection time

Accuracy: It is calculated as ratios of a number of exactly predicted data to the total number of data considered as input Then, the accuracy is obtained as,

Acc=(post+negtpost+negt+posf+negf)∗100 (9)

where Acc denotes an accuracy that is evaluated in units of percentage (%).Where, post denotes a true positive, negt indicates a true negative, posf denotes a false positive, negf denotes a false negative. Accuracy is measured in milliseconds (ms).

Precision: It is obtained as the ratio of the number of precisely classified data to the total number of input data.

Pr=[postpost+posf]∗100 (10)

where, Pr denotes a precision, post denotes a true positive, posf indicates a false positive. Precision is measured in percentage (%).

Recall: It is acquired as a percentage of true positives to true positive and false negatives. The recall is calculated as follows,

Rl=[postpost+negf]∗100 (11)

where, Rl denotes a recall, post denotes a true positive, negf denotes a false negative. The recall is measured in percentage (%).

F-measure: it is measured based on the average of precision and recall. The F-measure is computed as given below,

Measuref=2∗[Pr∗RlPr+Rl]∗100 (12)

The F-measure is calculated in units of percentage (%).

Attack detection time: It calculates time required by the algorithm for detecting the attack or normal through the classification process. The attack detection time is calculated as given below,

T=m∗T(CSD) (13)

Where T indicates an attack detection time, m denotes the number of data, T(CSD) explains a time employed to categorize the single data. The attack detection time is obtained in units of milliseconds (ms).

Tab. 1 displays the accuracy results of three different machine learning methods namely MPDQDJREBC, HDRaNN [1], and HCA-MBGDALRM [2] respectively. As shown in Tab. 1, ten dissimilar accuracy results are observed based on number of input data. The result clearly illustrates that the proposed MPDQDJREBC achieves higher accuracy when compared to existing techniques. In the first iteration, 5000 data are considered to calculate the accuracy. By applying MPDQDJREBC, 92% accuracy was observed and the accuracy of existing HDRaNN [1] and HCA-MBGDALRM [2] are 88% and 84% respectively. Similarly, nine various performance results are observed for each technique. The results point out that the accuracy using proposed MPDQDJREBC technique is improved by 4%, 6% as compared to HDRaNN [1] and HCA-MBGDALRM [2] respectively.

Fig. 4 illustrates the accuracy of graphical representation with varying numbers of data. As shown in the figure, the horizontal axis signifies the number of data and the vertical axis denotes the accuracy of attack detection. Therefore, the graphical outcome clearly shows that the MPDQDJREBC technique attains higher accuracy than the conventional techniques. This is because of the fact that the application of Jaccardized Rocchio Emphasis Boost Classification technique. The ensemble technique accurately gives strong classification results through lessening the quadratic error. This supports to get better the accuracy of attack detection.

Figure 4: Graphical performance of accuracy

Tab. 2 and Fig. 5 reveal the performance results of precision with varying numbers of data. For each iteration, different precision results are observed for each method. The precision of three methods MPDQDJREBC, HDRaNN [1], and HCA-MBGDALRM [2] are shown in the above graph. The graphical outcomes inferred that the precision of the MPDQDJREBC technique is increased when the conventional works. This is owing to the employment of the proposed concepts accurately finding the normal or attack and minimizing the incorrect classification through the ensemble technique. For each technique, ten various results are estimated with respect to dissimilar numbers of input data. The obtained results of precision using the MPDQDJREBC technique are analyzed to the performance of traditional works. The compared results indicate that the performance of precision is found that the precision is considerably increased by 3% and 4% using MPDQDJREBC technique than the state-of-the-art methods.

Figure 5: Performance of precision with varying number of data

The experimental results of recall using three methods are shown in Tab. 3 and Fig. 6. The recall is measured based on true positives and false-negative results of attack detection. The recall is measured based on three methods MPDQDJREBC, HDRaNN [1], and HCA-MBGDALRM [2]. Compared to existing methods, the MPDQDJREBC technique has the ability to provide a higher recall rate. This is due to analyzing the extracted feature values with the help of Jaccard similarity and it provides either two possible results such as normal or attack. When getting the 5000 data as input, the resultant value of the recall rate is 97.67%. Whereas, the recall value of the two existing methods HDRaNN [1] and HCA-MBGDALRM [2] are 95.12% and 92.10% respectively. In the same way, a variety of results are determined based on number of input data. The average of comparative analysis proves that the recall is found to be improved by 1% and 3% using the MPDQDJREBC model than the existing [1] and [2].

Figure 6: Performance of recall with varying number of data

Tab. 4 and Fig. 7 demonstrate the experimental results of the F-measure of attack detection using three methods MPDQDJREBC, HDRaNN [1], and HCA-MBGDALRM [2] depends on varied number of data. The F-measure is measured by both precision results and recall. From the tabulated value, it is demonstrated that the proposed model provides improved F-measure results when compared to existing techniques. Let us consider the 5000 input data, the F-measure of the MPDQDJREBC technique is 95.45% and the F-measure of HDRaNN [1] and HCA-MBGDALRM [2] are 92.85% and 89.74%. The compared results indicate that the MPDQDJREBC technique increases the performance of the F-measure by 2% and 3% when compared to [1] and [2] respectively.

Figure 7: Performance of F-measure with varying number of data

Tab. 5 provides the performance results of attack detection time of MPDQDJREBC, HDRaNN [1] and HCA-MBGDALRM [2]. For each technique, ten various results are observed by considering a varied number of input network data taken from given dataset. The experimental output indicates that attack detection time of proposed MPDQDJREBC technique is minimized when compared to two conventional works. While acquiring 5000 data for estimating the attack detection time, the proposed MPDQDJREBC consumes 17.5ms to classify an input data as normal or attack. Whereas, 19msand21ms of time consumed by the HDRaNN [1] and HCA-MBGDALRM [2] for classifying the input data. From the comparative analysis, it is clear that the attack discovery time using proposed MPDQDJREBC technique is lessened by 12% and 18% when compared to [1] and [2] respectively.

In Fig. 8, the experimental results of attack detection time with the different numbers of data using three different techniques MPDQDJREBC, HDRaNN [1], and HCA-MBGDALRM [2]. Among the three methods, the attack detection time of MPDQDJREBC is considerably reduced. This is due to the application of MPDQDA based feature selection. The MPDQDA measures the likelihood estimation between the features and objective functions. The maximum posterior function helps to discover the significant features and other features are taken away from the dataset. This assists to diminish the time consumption of the attack detection.

Figure 8: Performance of attack detection time with varying number of data

5  Conclusion

A novel machine learning-based technique MPDQDJREBC is intended in this article to efficiently discover of attacks in IIoT. The MPDQDJREBC technique cyber-vulnerability assessment along with their security susceptibilities through the accurately and timely detecting attacks. At first, the Maximum posterior dichotomous quadratic discriminant analysis is performed to emphasize the vital features. With the selected significant features, the Jaccardized Rocchio Emphasis Boost Classification technique is applied for detecting the normal or attack with higher accuracy. Experimental assessment is carried out using an improved version of the UNSW_NB15 Dataset with the parameters i.e., accuracy, precision, recall, F-measure, and attack discovery time. The quantitatively analyzed result clearly indicates that the MPDQDJREBC technique improves the accuracy, precision, recall, F-measure and also lessens attack detection time as than the conventional works.

Funding Statement: The authors received no specific funding for this study.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.