Blockchain Assisted Optimal Machine Learning Based Cyberattack Detection and Classification Scheme

1  Introduction

Data analysis methods were used extensively in the cyber security field, and the current diffusion of advanced machine learning (ML) methods has permitted to precisely detect cyber-attacks and identify threats [1], both in post-incident analysis and real-time. Both unsupervised and supervised ML techniques were successfully used for supporting prevention systems and intrusion detection (ID), along with identifying security breaches and system misuses [2,3]. The scenarios of interest were generally characterized by a continuous data stream (like application-level or packet-level) that summarizes the conduct of the underlying system or network [4]. The ML methods’ role is either in detecting familiar attacks, anomalous behaviour (unsupervised method) (supervised method), or Anomaly-related approaches that fit normal system functioning status, identifying and isolating anomalies as unexpected behavioural deviations. Therefore, anomaly detection methods are attractive for their capability to identify zero-day attacks, which are attacks using unknown vulnerabilities [5,6]. Fig. 1 represents the overview of the blockchain (BC)-assisted cyberattack detection.

Figure 1: Blockchain-assisted cyberattack detection

In recent times, deep learning (DL) is becoming a hopeful analytic pattern because of its excellent function in examining huge volumes of data [7]. Dissimilar to the conventional ML method, DL supported effective feature engineering by handling automatic and reliable feature representation and extraction [8,9]. Since a strong analytic device, DL delivered existing latency and accuracy than the conventional ML method, and it is positioned for examining huge amounts of data in the 5G-based Internet of Things (IoT) [10]. This DL disposition supported forecasting future events, recognising assaults, and offering important data for placement and content caching in dynamic cases of 5G-assisted IoT [11].

Since an evolving technology, BC has become a hopeful choice for managing privacy and security in next-generation transmission structures [12,13]. It constitutes a peer-to-peer (P2P) transactions platform where the data is exchanged, recorded, and authenticated in a decentralized way for delivering verification data and security independent from centralized authorities [14]. The significant features of BC involving anonymity, decentralization, and security can apply secure data transactions and overcome centralized server dependence to support security in 5G-based IoT. Additionally, the inimitable property of dispersed data storage, smart contracts, and asset tracking make BC technology required for 5G-based IoT [15].

This study designs a new Blockchain Assisted Optimal Machine Learning based Cyberattack Detection and Classification (BAOML-CADC) technique. In the BAOML-CADC technique, the major focus lies in identifying cyberattacks. To do so, the presented BAOML-CADC technique applies a thermal equilibrium algorithm-based feature selection (TEA-FS) method for the optimal choice of features. The BAOML-CADC technique uses the extreme learning machine (ELM) model for cyberattack recognition. In addition, a BC-based integrity verification technique is developed to protect against the misrouting attack. The experimental validation of BAOML-CADC algorithm is tested on a benchmark cyberattack dataset.

2  Related Works

In [16], the authors identify false data injection attack (FDIA) in the microgrid mechanism, Hilbert-Huang transforms technique, along with BC-related ledger technology, was employed to scale up the security in smart direct current (DC)-microgrids by evaluating the voltage and current signals in controller and smart sensor nodes by deriving signal information. Ajayi et al. [17] devised a BC-related solution that guarantees the consistency and integrity of attack features shared in a cooperative ID mechanism. The modelled structure attains by preventing and identifying compromised intrusion detection system (IDS) nodes and fake feature injection. It even enables scalable attack features to exchange amongst IDS nodes, assures heterogeneous IDS node contribution, and is powerful to public IDS node leaving and joining the networks.

Kumar et al. [18] presented a new BC system for secured clinical data management that minimizes the computational and communicational overhead cost than the lightweight BC architecture and the prevailing bitcoin network. Kumar et al. [19] present a Privacy-Preserving and Secure Framework (PPSF) for IoT-driven smart city. This devised method is dependent upon 2 main systems: an ID system and a two-level privacy system. Firstly, in a 2-level privacy method, a BC was devised to transfer information of IoT securely, and the PCA method can be adapted to convert raw IoT data into a new structure. A Gradient Boosting Anomaly Detector (GBAD) was implemented in the ID method to evaluate and train the devised two-level privacy method related to IoT network datasets, such as BoT-IoT and ToN-IoT.

In [20], modelled a new process based on DL and Hilbert-Huang Transform for cyberattack recognition in DC-MGs along with identifying the assaults in distributed generation (DG) sensors and units. Then, an innovative elective group DL approach and Krill Herd Optimization (KHO) was devised. Then, Hilbert-Huang Transform was employed to extract the signals feature. Then such attributes were implemented as multiple deep input basis methods were constituted for capturing sentient traits automatically from raw fluctuation signals. Liang et al. [21] modelled a novel, distributed BC-related security system to improve modern power systems' self-defensive ability against cyberattacks. The authors discussed how BC technology improves the power grid's security and robustness by leveraging meters as nodes in dispersed networks and encapsulating meter measurements as blocks.

3  The Proposed Model

In this study, we have developed a new BAOML-CADC technique for Cyberattack Detection and Classification process. In the BAOML-CADC technique, the major focus lies in identifying cyberattacks. Initially, the presented BAOML-CADC technique applied the TEA-FS approach for the optimal choice of features. For cyberattack recognition, the BAOML-CADC technique used the ELM model. In addition, a BC-based integrity verification technique is developed to defend against the misrouting attack.

3.1 Algorithmic Steps of TEA-FS Technique

Primarily, the presented BAOML-CADC technique applied the TEA-FS approach for the optimal choice of features. TEA was simulated by thermodynamic phenomena and is classified as an evolutionary technique [22]. During this approach, the coordinates of all the systems can be transformed into volume or temperature, which are thermodynamic parameters. The study aims to search for an optimum solution based on the problem variable. In genetic algorithm (GA), the group of variables should be enhanced, often known as the chromosome. However, the term can be replaced by the thermodynamic system. In the Nvar-dimension problems, every system is a dimensional array determined using the following expression:

x=[T,V1,V2,…,VNvar−1](1)

In Eq. (1), T denotes the temperature, and V indicates the volume that might have multiple parameters. Thus, for ease of use, the problem became 2D problems by describing a new parameter ∀ termed “overall volume”:

∀=Σi=1Nvar−1ViNvar−1(2)

Here, the thermodynamic state of all the systems is determined by the following expression:

x=[T,∀](3)

The cost of every system can be defined using the f cost function.

cost=f(x)=f(T,∀)(4)

At first, the initial population can be generated by the number of Nsys. Based on upper and lower boundaries, the system is arbitrarily scattered in the function domain.

In coupling the Thermodynamic System, firstly, every system is combined to the closest system in the function domain. Next, the combined system exchanges heat or implements work together to reach equilibrium progressively. Eventually, the temperature gradient is reduced, the scope of the optimization technique is well analyzed, as well as the optimum value is found. Afterwards, the system is coupled, and heat exchange and work are executed, leading to changes in the volume and temperature of the system. The volume and temperature are distinct. However, the pressure can be similar. Moreover, the piston in the two systems moves freely. Hence every system implements either negative or positive work. In every thermodynamic procedure, the pressure in two systems is equivalent:

ΔE=Q−W(5)

In Eq. (5), Q represents the amount of heat transferred, and W denotes the work done by every system. Because of the conservation law of energy, the heat absorbed from the system is equivalent to the heat lost by the others (Q1=−Q2):

ΔE1+W1=−(ΔE2+W2)(6)

The energy change for an ideal gas is evaluated as ΔE=mcvΔT, and the thermodynamic work by W=PΔ∀. By replacing the term into Eq. (6) and divide with P, Eq. (7) can be attained:

m1CvP(Teq−T1)+(∀eq−∀1)=−m2cvP(Teq−T2)−(∀eq−∀2)(7)

In Eq. (7), the subscript eq denotes the thermodynamic state at equilibrium. Consider that m1=m2 and for easiness α=(m1cv)/P=(m2cv)/P=1, Eq. (7) is formulated by:

(Teq−T1)+(∀eq−∀1)=(T2−Teq)+(∀2−∀eq)(8)

Alternatively, the ideal gas law is represented as:

P∀=nRT(9)

The overall molar mass at the equilibrium state is equivalent to the sum of molar mass according to the conservation law of mass:

n1+n2=2neq(10)

By substituting Eqs. (9) with (10),

∀1T1+∀2T2=2∀eqTeq(11)

By integrating Eqs. (8) and (11), the following expression can attain Teq:

Teq=T12T2+T1T22+T1T2∀1+T1T2∀2T1T2+T2∀1+T1∀2(12)

In addition, ∀eq is derived by:

∀eq=T12∀2+T1T2∀1+T1T2∀2+T1∀1∀2+T1∀22+T22∀1+T2∀12+T2∀1∀22(T1T2+T2∀1+T1∀2)(13)

By using the ideal gas law and the first law of thermodynamics the equilibrium state of hypothetical system is evaluated. If every system attains equilibrium instantly, the state of two systems would be equivalent, and they won't exchange energy. In such cases, the function's domain won't be explored further, and the optimum solution cannot be attained. To avoid that, the subsequent relationship is suggested for overall volume and new temperature:

Ti,new=Ti+Teq2(14)

∀i,new=∀i+∀eq2(15)

Now the term i signifies the system number. When the ∀ values are encompassed of multiple parameters like the case in a three or higher-dimension problem, Vi is attained by:

Vi,new=Vi+∀i,new(16)

The two systems grow nearer to equilibrium at every phase, which causes the whole domain to be examined progressively and the optimum point to be found. The relationships between entropy and cost function are determined by:

cost=1entropy≡temperatureheat(17)

Thus, the study aims to diminish the cost function leads to maximizing the entropy of the system (S):

Snew−Seq≤0(18)

By transforming entropy into a cost function, the condition is transformed to:

f (Tnew'∀new)−f (Teq'∀eq)≥0(19)

The abovementioned conditions cause the algorithm to move towards the optimization function. When the criterion isn’t satisfied, a counter is determined for counting the number of failed attempts, then the thermodynamic condition is upgraded:

Ti,new=Ti+Teq2jnew(20)

∀i,new=∀i+∀eq2jnew(21)

Whereas inew=j+1. Because of the abovementioned relationship, in these cases, the system move towards the balance state at the lower speed than Eqs. (14) and (15) for satisfying the abovementioned conditions (Eq. (19)). This process is same as inspecting the second law of thermodynamics and preventing blind search of the function domain.

Lastly, many coupled systems reached equilibrium and accumulated at any point, excluding a few that might be trapped. This technique has the benefit that only some systems have an equivalent state. Hence the cost of every system differs from the thermodynamic equilibrium method.

The fitness function (FF) employed in the TEA-FS approach was modelled to maintain a balance amongst the classification accuracy (maximum), and the number of selected features in each solution (minimum) acquired through the selected attributes, Eq. (22) signifies the FF for evaluating solutions.

Fitness=αγR(D)+β|R||C|(22)

Here |R| signifies the cardinality of the selected subset, and |C| is the total features in the database; γr(D) designates the classification error rate of a given classifier. β and α were 2 parameters concerning the significance of subset length and classification quality. ∈ [1,0] and β=1−α.

3.2 Cyberattack Detection Using ELM Model

To detect cyberattacks, the BAOML-CADC technique used the ELM model. Huang et al. developed an ELM to increase overall performance and prevent time-consuming backward iterative training [23]. ELM is a Single hidden Layer Feedforward Network (SLFN) with random weight and biases amongst the hidden and input layers. ELM is commonly applied in different areas because of its quick training speed and easier realization. Fig. 2 depicts the framework of ELM. Data of N instances are provided (ip,0p)(p=1,2,…,N), where input matrix I =[i1,i2,…,iN]T and output matrices 0=[01,02,…,0N], whereas ip=[ip1,ip2,…,ipn]T, op = [0p1,0p2,…,0pm]T and n and m characterize the input and output dimensions, correspondingly. Initially, the ELM arbitrarily allows the bias D=[d1,d2,…,dq]∈RN×L and the weight E=[E1,E2,…,Eq]∈Rn×L that links the hidden and input layers. In contrast, L signifies the hidden node count with activation function h(x), Eq=[Eq1,Eq2,…,Eqn]T represents the weight connecting vector which connects n input node with q-th hidden nodes.

Figure 2: ELM structure

M=h(IE+D)(23)

The following formula can be expressed as output matrix O.

MF=O(24)

Whereas F=[F1,F2,…,FL]T signifies an output weight matrix that connects output to the hidden layers. The output weight matrices F are calculated using the least-square method.

F=M+O(25)

In Eq. (25), M+ signifies the Moore-Penrose (MP) generalized inverse of M matrix. When MTM is non-singular, then M+=(MTM)−1MT. In such cases, L is lesser than N. If MMT is non-singular, then M+=MT(MMT)−1. In such cases, L is higher than N.

3.3 BC-Based Integrity Verification

Finally, a BC-based integrity verification technique is developed to defend against the misrouting attack. Over the last few decades, BC technology has provided privacy and security in different networks [24]. Despite the remarkable features of BC, it is still susceptible to fraudulent activity. The malicious entity might carry out fraudulent and invalid transactions using different technologies, namely double-spending attacks. BC can be fused with ML algorithms to resolve these problems in this work. The dataset of bitcoin transactions has been utilized in the fundamental process, and the presented ML approach has been trained on the database. The pattern of transactions saved in the dataset can be analyzed for added applications. Simultaneously, the transaction can be done on the Ethereum network. The pattern of this transaction is the same as that of bitcoin transactions saved in the bitcoin transaction data. The transaction pattern is analysed and compared to the bitcoin transaction patterns. Once the pattern matches these transactions, the new transaction is categorized as malicious or legitimate. A double-spending attack has been performed in the fundamental process for additional testing of the robustness of the model.

The BC is a building block of the reliable authentication system. The major objective is to provide a solution where each flow made from the controller is stored in an immutable and verifiable dataset. The BC involves a sequence of blocks connected through hash value. In the BC system, the user contains a pair of keys, such as a public key represents the irreplaceable address and a private key to sign the BC transaction. The client sign a transaction using the private key and transfers it to another one in the network for authentication. If the transmission block gets confirmed, then it is added to BC. Once stored, the data in the presented block can't be modified without changing each subsequent block. Also, the data is presented in the host simultaneously. Thus, the modification is rejected by the peer host. Now, a private BC is presented in contradiction to public BC. The private BC determines who should participate in the network and represented action in addition to permission allocated to the identifiable applicant. Hence, the requirement has been limited for a consensus mechanism, including Proof of Work.

4  Results and Discussion

In this section, the performance validation of the BAOML-CADC method can be performed through a benchmark dataset [25], which has 1000 distinct classes of events. The dataset comprises multiclass (Attack, No event, and Natural) and binary (Attack and Natural) labels.

Table 1 demonstrates the experimental results offered by the BAOML-CADC method on the binary class dataset. In Fig. 3, a detailed sensy and specy outcomes of the BAOML-CADC model on the binary dataset are provided. The outcomes implied the improved values of sensy and specy under all classes. For instance, with SD-1 class, the BAOML-CADC model has provided sensy and specy of 98.44% and 99.99%, respectively. On the other hand, with SD-2 class, the BAOML-CADC approach has offered sensy and specy of 98.89% and 99.97% singly. Meanwhile, with the SD-10 class, the BAOML-CADC method has correspondingly rendered sensy and specy of 97.56% and 99.50%. Moreover, with the SD-15 class, the BAOML-CADC approach has presented sensy and specy of 96.83% and 99.87%, correspondingly.

Figure 3: Sensy and specy analysis of BAOML-CADC system under binary class database

Fig. 4 presents a comprehensive precn and Fscore outcomes of the BAOML-CADC method on the binary dataset. The outcomes exhibited improved values of precn and Fscore under all classes. For example, with SD-1 class, the BAOML-CADC algorithm has provided precn and Fscore of 96.46% and 97.39%, correspondingly. In contrast, with SD-2 class, the BAOML-CADC technique has offered precn and Fscore of 96.76% and 96.81%, correspondingly. In the meantime, with the SD-10 class, the BAOML-CADC model has provided precn and Fscore of 97.36% and 98.18% correspondingly. Likewise, with the SD-15 class, the BAOML-CADC methodology has correspondingly provided precn and Fscore of 98.85% and 97.56%.

Figure 4: Precn and Fscore analysis of BAOML-CADC system under binary class database

In Fig. 5, detailed accuy outcomes of the BAOML-CADC approach on the binary dataset are provided. The outcomes displayed the improved value of accuy under all classes. For example, with SD-1 class, the BAOML-CADC method has rendered anaccuy of 99.79%. On the other hand, with SD-2 class, the BAOML-CADC approach has provided anaccuy of 98.22%. In the meantime, with the SD-10 class, the BAOML-CADC technique has provided an accuy of 99.22%. Additionally, with the SD-15 class, the BAOML-CADC methodology has provided an accuy of 99.29%.

Figure 5: Accuy analysis of BAOML-CADC system under binary class database

In Table 2, the experimental results offered by the BAOML-CADC model on the Multiclass class dataset are represented. In Fig. 6, a brief sensy and specy outcomes of the BAOML-CADC methodology on the Multiclass dataset are offered. The figure exhibited the improved values of sensy and specy under all classes. For example, with SD-1 class, the BAOML-CADC algorithm has provided sensy and specy of 93.30% and 95.07%, correspondingly. Instead, with SD-2 class, the BAOML-CADC model has presented sensy and specy of 91.04% and 94.03%, correspondingly. Meanwhile, with the SD-10 class, the BAOML-CADC method has provided sensy and specy of 93.05% and 95.57%, correspondingly. Also, with the SD-15 class, the BAOML-CADC model has provided sensy and specy of 90.99% and 95.36%, correspondingly.

Figure 6: Sensy and specy analysis of BAOML-CADC system under multiclass database

In Fig. 7, detailed precn and Fscore outcomes of the BAOML-CADC method on the Multiclass dataset are provided. The figure exhibited the improved values of precn and Fscore under all classes. For instance, with SD-1 class, the BAOML-CADC model has provided precn and Fscore of 79.32% and 82.16%, correspondingly. Otherwise, with SD-2 class, the BAOML-CADC technique has presented precn and Fscore of 82.35% and 80.83%, correspondingly. In the meantime, with the SD-10 class, the BAOML-CADC model has provided precn and Fscore of 83.39% and 80.16% correspondingly. Besides, with the SD-15 class, the BAOML-CADC method has presented precn and Fscore of 79.36% and 83.77%, correspondingly.

Figure 7: Precn and Fscore analysis of BAOML-CADC system under multiclass database

In Fig. 8, a complete accuy outcomes of the BAOML-CADC method on the Multiclass dataset are provided. The results show the improved value of accuy under all classes. For example, with SD-1 class, the BAOML-CADC method has provided an accuy of 93.64%. On the other hand, with SD-2 class, the BAOML-CADC approach has shown anaccuy of 94.67%. In the meantime, with the SD-10 class, the BAOML-CADC algorithm has rendered anaccuy of 94.05%. Furthermore, with the SD-15 class, the BAOML-CADC technique has an accuy of 91.77%.

Figure 8: Accuy analysis of BAOML-CADC system under multiclass database

Table 3 presents a comparative analysis of the BAOML-CADC with existing approaches [26]. The comprehensive comparative examination of the BAOML-CADC method with existing models on binary class is described in Fig. 9. The outcomes exhibited that the RF technique has reached poor performance with anaccuy of 80.61% while the JRip model has managed to obtain slightly improved outcomes. Additionally, the Adaboost+JRip and k-nearest neighbour (KNN) methods have accomplished closer performance with accuy of 95.56% and 95.49%, respectively. Although the BDLE-CAD technique has resulted in reasonable outcomes with accuy of 98.63%, the BAOML-CADC technique surpassed the other ones with anaccuy of 99.14%.

Figure 9: Accuy analysis of BAOML-CADC approach under binary class dataset

The comprehensive comparative examination of the BAOML-CADC model with existing methods on multiclass is given in Fig. 10. The outcomes show that the RF method has reached poor performance with anaccuy of 80.51% while the JRip algorithm has managed to gain slightly improved outcomes. Also, the Adaboost+JRip and KNN methodologies have accomplished closer performance with accuy of 91.44% and 87.66%, correspondingly. Although the BDLE-CAD method has resulted in reasonable outcomes with anaccuy of 92.63%, the BAOML-CADC approach surpassed the other ones with an accuy of 93.17%.

Figure 10: Accuy analysis of BAOML-CADC approach under multiclass dataset

These results demonstrated the supremacy of the BAOML-CADC model on cyberattack classification.

5  Conclusion

In this study, we have developed a new BAOML-CADC technique for Cyberattack Detection and Classification process. In the BAOML-CADC technique, the major focus lies in identifying cyberattacks. Initially, the presented BAOML-CADC technique applied the TEA-FS approach for the optimal choice of features. For cyberattack recognition, the BAOML-CADC technique used the ELM model. In addition, a BC-based integrity verification technique is developed to protect against the misrouting attack. The experimental validation of BAOML-CADC technique is tested on a benchmark cyberattack dataset. The obtained values implied the improved performance of the BAOML-CADC algorithm over other models with maximum accuracy of 93.17%. In the future, the performance of BOAML-CADC technique can be improved using a hyperparameter tuning process.

Funding Statement: This work was funded by the of Scientific Research at Princess Nourah bint Abdulrahman University, through the Research Groups Program Grant No. (RGP-1443-0051).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.