Automated Machine Learning Enabled Cybersecurity Threat Detection in Internet of Things Environment

1  Introduction

Internet of Things (IoT) is an enormous arrangement of gadgets associated through the private or public web, and that is implanted with the capacity to converse with one another streaming continuous information with less or no mediation expected from people, consequently constructing a brought together knowledge [1]. These days, gadgets of any size with a chip introduced for empowering concentrated control, gadget to-gadget control, remote sensor organizations, and installed frameworks are viewed as IoT gadgets [2]. For instance, security movement sensors, cell phones, voice associate controlled home mechanization gadgets like TVs, speakers, home lighting frameworks are viewed as IoT gadgets. The IoT empowered advancements can be utilized to foster savvy urban communities, school systems, e-shopping, e-banking, keep up with our wellbeing, oversee industry, and engage and safeguard people [3].

The IoT gadgets can be utilized for an open assault because of generally accessible to the organization. The modern IoT-cloud can be effortlessly designated by malware contamination and pilfered programming for hurtful utilization and to think twice about [4]. The product robbery is the improvement of programming by reusing source codes illicitly from another person’s work and camouflage as the first form. The saltine might duplicate the rationale of the first programming by figuring out strategies and afterward plan a similar rationale in one more kind of source code. It is an extreme danger to web security, which gives admittance to limitless downloads of pilfered programming, open source codes, and, advances and publicizes of pilfered adaptations. It quickly expands every year and gives significant financial misfortune to the product business [5].

At present, malicious assaults are all the more effectively unexpected because of the developing number of IoT organizations. The malware assaults are normally wanted to taint the security of IoT hubs, PC frameworks, and cell phones over the web. The malware recognizable proof examination is isolated into two principle techniques, for example, static and dynamic methodologies. In unique methodology, malware designs are learned while executing code in an ongoing virtual climate. Malicious way of behaving can be seen by work calls, work boundaries’ investigation, information stream, guidance follows, and visual examination of codes. Reports express that a large portion of the assault traffic created on IoT networks is mechanized through different means like content and malware [6]. The expansion in assaults joined with the independent idea of the chases down is an issue for IoT networks as the gadgets utilized in a fire and neglect design for a long time with practically no human connection.

The challenges involved in the IoT gadgets including restricted handling power and transmission capacity imply that giving sufficient security can be troublesome, which can bring about network layer goes after like denial of service (DoS) [7]. Consequently, it is critical to explore ways of distinguishing this sort of traffic on networks, which can be utilized in intrusion location and anticipation frameworks. Machine learning (ML) strategies can be taken advantage of to identify malicious traffic in intrusion recognition and avoidance frameworks. ML is a subset of artificial intelligence (AI) that includes utilizing calculations to gain from information and make expectations because of the information given [8]. ML has numerous applications remembering for retail, medical care, and money where AI calculations might be applied for foreseeing client ways of managing money, anticipating clinical issues in patients, and recognizing bank extortion, individually. Because of the enormous yearly expansions in cyberattacks that are being seen consistently, ML techniques are being fused to assist with handling the rising dangers of cyberattacks. ML includes a few purposes inside the field of cybersecurity, for example, network danger investigation, which can be characterized as the demonstration of examining dangers to the organization. ML can be gainful in this errand as it can screen approaching and active traffic to recognize possibly dubious traffic [9]. ML can be applied to intrusion detection systems (IDS) to assist with further developing the capacity of the framework to run independently and increment the precision of the framework while raising the alert on a speculated assault [10].

Novo et al. [11] present the study and estimation of many pre-processed approaches dependent upon traffic categorization to an ML-NN technique. The objective of this research was for evaluating this categorized by utilizing different data pre-processed approaches for obtaining one of the accurate methods. The presented depicts that, with executing the categorization of network traffic and many pre-processed approaches, the accuracy is improved by up to 45%. In [12], a smart IDS suitable for detecting IoT based attacks was executed. Particularly, for detecting malicious IoT network traffic, a DL technique was utilized. An identity solution makes sure the security of function and supports the IoT connectivity protocol for interoperating.

In [13], a novel approach auto-encoder DNN (AENN) was established with assuming evasion, priority violation, exploratory, and causative attack. The generated approach classifications the broadcast results utilized for predicting the transmit state if it can be jam data broadcast or sensing data. Next, the sensing data was executed to network trained which forecasts the intermediate attack. The authors in [14] present a robust scheme specially for helping detect botnet attacks of IoT devices. It can be complete by innovatively integrating the method of CNN-LSTM technique progress for detecting 2 general and serious IoT attacks (BASHLITE and Mirai) on 4 kinds of security cameras. The datasets that limited normal malicious network packet is gathered in real-time lab linked camera device from IoT environment.

This article introduces a new Mayfly optimization (MFO) with regularized extreme learning machine (RELM) model, named MFO-RELM for Cybersecurity Threat Detection and classification in IoT environment. The presented MFO-RELM technique accomplishes the effectual identification of cybersecurity threats that exist in the IoT environment. For accomplishing this, the MFO-RELM model pre-processes the actual IoT data into a meaningful format. In addition, the RELM model receives the pre-processed data and carries out the classification process. In order to boost the performance of the RELM model, the MFO algorithm has been employed to it. The performance validation of the MFO-RELM model is tested using standard datasets.

2  Design of MFO-RELM Model

In this study, a new MFO-RELM model is introduced for Cybersecurity Threat Detection and classification in IoT environment. The presented MFO-RELM technique accomplishes the effectual identification of cybersecurity threats that exist in the IoT environment. At the initial stage, the MFO-RELM model pre-processes the actual IoT data into a meaningful format. In addition, the RELM model receives the pre-processed data and carries out the classification process. In order to boost the performance of the RELM model, the MFO algorithm has been employed to it. Fig. 1 shows the workflow of MFO-RELM model.

Figure 1: Workflow of MFO-RELM model

2.1 Process Involved in RELM Classification

After pre-processing, the RELM model receives the pre-processed data and carries out the classification process. The preprocessed data is given as input to the RELM technique for accomplishing classifier procedure. The SLFN techniques as BP learning approach are widely utilized ML approaches under the case from various regions [15]. This technique decreases the cost function for retaining the precision in an appropriate range by searching the particular input weighted and hidden layer (HL) bias which outcomes in improving in computation cost. An ELM is an effective solution for SLFN. The SLFN with L hidden node and activation function g(x) was provided under

YL(x)=∑i=1L⁡βihi(x)=h(x)βi, (1)

In which β=[β1,…,β2]T signifies the resultant weighted matrix amongst the output and hidden nodes. hi(x) stands for the hidden node outcome. Dissimilar from SVM and other BP based techniques, the parameter of HLs as the input weight wi and HL bias bi does not have that tuned and is arbitrarily created before the trained sample is obtained. For providing N trained instances {(xj,tj)}j=1N, ELM solved the learning problem by minimalized the error amongst tj & Yj :

‖H(w1,…,wN~,b1,…,bN~)β^−T‖=minβ⁡‖Hβ^−T‖ (2)

whereas

H(w1,…,wN~,b1,…,bN~)=[g(w1⋅x1+b1)⋯g(wL⋅x1+bL)⋮⋯⋮g(w1⋅xN+b1)⋯g(wL⋅xN+bL)],

β=[β1T⋮βLT], (3)

T=[t1T⋮tLT].

At this point, H is designated the HL resultant matrix. The resultant weighted β is calculated as:

β=H+T, (4)

In which H+ refers to the Moore Penrose generalizing inverse of matrix H with benefits of speed. For increasing the precision, ELM was combined as sparse demonstration. This hybrid model carries out classifiers from two fundamental phases [16]. Primarily, the ELM network was trained with the convention trained method. Conversely, during the testing step, reliability based classifier was utilized. In reliability-based classifier, the ELM classifications were executed once the tested information was classified correctly; then, the sparse demonstration based classifiers were utilized. Also, a normalized term was comprised to increase generalized performance and generate the solution further robust. At last, the resultant weighted of RELM is provided here:

β=(IC+HTH)−1HTT (5)

2.2 Process Involved in MFO Based Parameter Optimization

To boost the performance of the RELM model, the MFO algorithm has been employed to it. The selection of variables in the RELM model is vital for accomplishing an effective classifier outcome. Mostly, the ML method involves parameters that need to be enhanced. While the trial-and-error method is not possible, metaheuristic optimization related MFO approach is exploited to select variables. Commonly, the predictive error function performs as objective function of MFO method [17]. In MF, in swarm for MO method is detached into female and male MFs. As well, the male MF is strong, it will perform as optimal in optimization. In comparison with specific swarm in PSO method, the MO method is upgrading the location based on the existing position pi(t) and velocity vi(t) at the existing round:

pi(t+1)=pi(t)+vi(t+1) (6)

All the female and male MFs upgrade their location. But the velocity can be upgraded in different methods. The process involved in the MFO algorithm is given in Fig. 2.

Figure 2: Process involved in MFO algorithm

2.2.1 Movements of Male MFs

They implemented exploration or exploitation procedures in iteration. The velocity is upgraded by the existing fitness values f(xi) and the previous optimum fitness value in path f(xhi) . When f(xi)>f(xhi) , the male MF updates its velocity according to the existing velocity, integrated to the distance amongst others and the global optimal position, the previous finest path:

vi(t+1)=g⋅vi(t)+a1e−βrp2[xhi−xi(t)]+a2e−βrq2,[xg−xi(t)] (7)

While g indicates the variable decreased linearly in the highest to lowest value. a1, a2 , & β represent constant for balancing the value. rp & rg characterizes parameter employed for the Cartesian distance among the previous optimal position and the individuals, the global best position in swarm.

The Cartesian distance is the succeeding average to the distance collection:

||xi−xj||=∑k=1n(xik−xjk)2 (8)

Alternatively, when f(xi)<f(xhi) , the male MF update its velocity in the existing one with subjective dance coefficient d :

vi(t+1)=g⋅vi(t)+d⋅r1 (9)

Then, r1 represents the haphazard quantity from the standard distribution and is elected within −1 & 1 [18].

2.2.2 Movements of Female MFs

They update its velocity in numerous methods. Usually, female MF with wings live around 1–7 days, henceforth the female MF is urgency to distinguish the male MF to reproduce and mate them. Therefore, update their velocity based on the male MF. In the MO technique, the topmost optimal male and female MFs are described by the earlier mating, also the subsequent finest female, male MF is described by the succeeding mates, and so on. Therefore, the i-th female MF, once f(yi)<f(xi) :

vi(t+1)=g⋅vi(t)+a3e−βrmf2[xi(t)−yi(t)] (10)

Here, a3 suggests constant and is employed for balancing the velocity. rm indicates the Cartesian distance amongst others. Alternatively, when (yi)<f(xi) , the female MF update its velocity in the existing one with additional subjective dance fl :

vi(t)=g⋅vi(t)+fl⋅r2 (11)

While r2 embodies the accidental quantity from a standard distribution within −1 & 1.

2.2.3 Mating of MFs

Every topmost half female and male MFs are reproduced and set pair of children to others. The offspring are established randomly as follows:

offspring1=L∗male+(1−L)∗female (12)

offspring2=L∗female+(1−L)∗male (13)

In which L indicates the haphazard amount from Gauss distribution.

3  Experimental Validation

This section inspects the performance validation of the MFO-RELM model on test N-BaIoT dataset [19]. It comprises samples under several class labels.

Fig. 3 illustrates the confusion matrix offered by the MFO-RELM model on entire dataset. The figure reported that the MFO-RELM model has identified 982 samples under Mirai udpplain, 994 samples under Mirai udp, 990 samples under Mirai synm, 991 samples under Mirai scan, 989 samples under Mirai ack, 979 samples under Gafgyt udp, 996 samples under Gafgyt tcp, 994 samples under Gafgyt scan, 983 samples under Gafgyt junk, 986 samples under Gafgyt combo, and 988 samples under Benign class.

Figure 3: Confusion matrix of MFO-RELM model on entire dataset

Tab. 1 and Fig. 4 exhibits detailed classification outcomes of the MFO-RELM model on entire dataset. The results implied that the MFO-RELM model has accomplished effecula results in each class. For instance, in Mirai udpplain class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.76%, 99.19%, 98.20%, and 98.69% respectively. Along with that, in Mirai udp class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.81%, 98.51%, 99.40%, and 98.95% respectively. In addition, in Mirai syn class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.75%, 98.31%, 99%, and 98.65% respectively. Moreover, in Mirai udpplain class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.86%, 99.40%, 99.10%, and 99.25% respectively.

Figure 4: Classification outcomes of MFO-RELM model on entire dataset

Fig. 5 exemplifies the confusion matrix presented by the MFO-RELM model on 90% of training dataset. The figure stated that the MFO-RELM model has identified 676 samples under Mirai udpplain, 698 samples under Mirai udp, 697 samples under Mirai syn, 693 samples under Mirai scan, 719 samples under Mirai ack, 677 samples under Gafgyt udp, 684 samples under Gafgyt tcp, 710 samples under Gafgyt scan, 692 samples under Gafgyt junk, 687 samples under Gafgyt combo, and 674 samples under Benign class.

Figure 5: Confusion matrix of MFO-RELM model on 30% of training dataset

Tab. 2 and Fig. 6 display thorough classification outcomes of the MFO-RELM model on 70% of training dataset. The results implied that the MFO-RELM model has achieved effective results in each class. For instance, in Mirai udpplain class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.81%, 99.12%, 98.69%, and 98.90% respectively. Eventually, in Mirai udp class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.86%, 98.73%, 99.71%, and 99.22% respectively. Meanwhile, in Mirai syn class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.74%, 98.03%, 99.15%, and 98.59% respectively. Followed by, on Mirai udpplain class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.84%, 99.28%, 99%, and 99.14% respectively.

Figure 6: Classification outcomes of MFO-RELM model on 70% of training dataset

Fig. 7 illustrates the confusion matrix offered by the MFO-RELM model on 30% of testing dataset. The figure reported that the MFO-RELM model has identified 306 samples under Mirai udpplain, 296 samples under Mirai udp, 293 samples under Mirai syn, 298 samples under Mirai scan, 270 samples under Mirai ack, 302 samples under Gafgyt udp, 312 samples under Gafgyt tcp, 284 samples under Gafgyt scan, 291 samples under Gafgyt junk, 299 samples under Gafgyt combo, and 314 samples under Benign class.

Figure 7: Confusion matrix of MFO-RELM model on 30% of testing dataset

Tab. 3 and Fig. 8 demonstrate extensive classification outcomes of the MFO-RELM model on 30% of training dataset. The results exhibited that the MFO-RELM model has gained maximum results in each class. For instance, in Mirai udpplain class, the MFO-RELM model has provided accuy , precn , recal , and Fscore of 99.67%, 99.35%, 97.14%, and 98.23% respectively. Simultaneously, in Mirai udp class, the MFO-RELM model has offered accuy , precn , recal , and Fscore of 99.70%, 98.01%, 98.67%, and 98.34% respectively. In line with, on Mirai syn class, the MFO-RELM model has reached accuy , precn , recal , and Fscore of 99.79%, 98.99%, 98.65%, and 98.82% respectively. Finally, in Mirai udpplain class, the MFO-RELM model has attained accuy , precn , recal , and Fscore of 99.91%, 99.67%, 99.33%, and 99.50% respectively.

Figure 8: Classification outcomes of MFO-RELM model on 30% of testing dataset

Fig. 9 validates the training/validation accuracies gained by the MFO-RELM model on the test dataset. The results understood that the MFO-RELM model has resulted in maximum training/validation accuracies on the test data with a rise in epoch count.

Figure 9: Training/validation accuracies of MFO-RELM model

Fig. 10 reports the training/validation losses conveyed by the MFO-RELM model on the test dataset. The results concluded that the MFO-RELM model has reached least training/validation losses on the test data with a rise in epoch count.

Figure 10: Training/validation losses of MFO-RELM model

A detailed comparative study of the MFO-RELM with other models [20] is made in Tab. 4 and Fig. 11. The experimental results implied that the MFO-RELM model has outperformed the other methods. For precn , the MFO-RELM model has offered increased precn of 98.93% whereas the BA-NN, PSO-NN, and LGBA-NN models have resulted in reduced precn values of 84.53%, 83.94%, and 87.34% respectively. Besides, for recal , the MFO-RELM model has presented enhanced recal of 88.02% whereas the BA-NN, PSO-NN, and LGBA-NN models have resulted in reduced precn values of 88.02%, 88.81%, and 92.42% respectively. Similarly, for precn , the MFO-RELM model has gained maximum Fscore of 98.94% whereas the BA-NN, PSO-NN, and LGBA-NN models have reached minimal Fscore values of 84.68%, 84.31%, and 89.18% respectively.

Figure 11: Comparative Classification outcomes of MFO-RELM model

From the detailed results and discussion, it is ensured that the MFO-RELM model has accomplished maximum performance over the other recent methods.

4  Conclusion

In this study, a new MFO-RELM model is introduced for Cybersecurity Threat Detection and classification in IoT environment. The presented MFO-RELM technique accomplishes the effectual identification of cybersecurity threats that exist in the IoT environment. At the initial stage, the MFO-RELM model pre-processes the actual IoT data into a meaningful format. In addition, the RELM model receives the pre-processed data and carries out the classification process. To boost the performance of the RELM model, the MFO algorithm has been employed to it. The performance validation of the MFO-RELM model is tested using standard datasets and the results highlighted the better outcomes of the MFO-RELM model under distinct aspects. Thus, the MFO-RELM model is found to be effective in the recognition of cybersecurity threats in the IoT environment. In the future, novel clustering and outlier removal processes can be included to raise the efficiency of the MFO-RELM model.

Funding Statement: The authors extend their appreciation to the Deanship of Scientific Research at King Khalid University for funding this work under grant number (RGP 2/142/43). Princess Nourah bint Abdulrahman University Researchers Supporting Project number (PNURSP2022R161), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia. The authors would like to thank the Deanship of Scientific Research at Umm Al-Qura University for supporting this work by Grant Code: (22UQU4210118DSR06).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.