Abstract
The term "Industrial Internet of Things" (IIoT) has become increasingly pervasive in manufacturing as digitization has become a business priority for many manufacturers. IIoT refers to a network of interconnected industrial devices, resulting in systems that can monitor, collect, exchange, analyze, and deliver valuable data and new insights. These insights can then drive smarter and faster business decisions for manufacturers. However, these benefits have come at the cost of creating a new attack vector for malicious actors aiming to steal manufacturing trade secrets, blueprints, or designs. As a result, cybersecurity concerns have become more relevant across the field of manufacturing. One of the main tracks of research in this field deals with developing effective cyber-security mechanisms and frameworks that can identify, classify, and detect malicious attacks on industrial IoT devices. In this paper, we develop and implement a classification and detection framework for addressing cyber-security concerns in industrial IoT that takes advantage of several machine learning algorithms. The results show satisfactory performance and robustness of the approach in classifying and detecting the attacks.
1 Introduction
Cyber-Physical Systems (CPS) are defined as systems in which a tight integration between the real world and cyberspace exists [1]. Cyberspace is the virtual medium that facilitates interconnections between users through telecommunications and computers to store, modify, or exchange data [2]. Once a CPS device is connected to the Internet, it is referred to as part of the Internet of Things (IoT) [3]. IoT allows inter-networked physical objects to interact and cooperate in order to collect and exchange data over the Internet [4]. Advances in IoT devices are pushing traditional manufacturing systems to be integrated into cyberspace to take advantage of this emerging interaction and cooperation [5]. Such systems can then be replaced by a geographically dispersed network of services connected to the shop floor through IoT. This decentralization of manufacturing systems can provide more flexibility, agility, and adaptivity through faster processing of shop-floor data, and can thus help overcome the challenges of traditional manufacturing systems. However, this higher connectivity comes at the cost of an increase in the number of cyber-attacks [6,7,8]. These attacks have shown that, given enough resources, any system can be breached, and manufacturing systems are no exception: one in every three cyber-physical attacks happens in the manufacturing sector, according to the Industrial Control Systems Monitor Newsletter issued by the U.S. Department of Homeland Security [9, 10]. The rapid occurrence of such attacks on manufacturing and business operations and their information systems, and the resulting damage and cost, have urged scholars to consider new ways of detecting such attacks [11].
As a continuation of such efforts, we show how appropriate machine learning approaches can be used to raise the deterrence level against malicious attacks on industrial IoT devices in manufacturing. To this end, we have applied a set of preprocessing and data analytics techniques to a new dataset in which various cyber-security attacks are detected via classification algorithms.
2 Background
Machine learning methods have been applied in many aspects of today's manufacturing enterprises. Many scholars now focus on using these techniques to improve cybersecurity by monitoring real-time network streams and detecting threat patterns in real time [12]. These methods learn from historical data and train a model to correlate events, identify patterns, and detect anomalous behavior. Apart from algorithm implementation and development, researchers in this field have also put effort into simulating breach scenarios and recording the resulting data. These studies have produced a variety of data sets, each coupled with a different pre-processing technique. A detailed literature review is therefore needed to summarize the state of the art and identify potential areas of improvement. The following paragraphs summarize the most notable research in this field to date.
Terzi, Terzi and Sagiroglu [13] used an unsupervised anomaly detection approach with Principal Component Analysis (PCA) to identify anomalies in public big network data, in order to understand network behavior, distinguish cyber-attacks, and provide better detection in the future. An autoencoder combined with dimension reduction has been used to detect cyber-attack anomalies [14]. In another study, Wan et al. [15] showed that a Wavelet Neural Network (WNN) for detecting anomalies in industrial control communication achieves better accuracy than a Back Propagation Neural Network (BPNN), while also being more suitable for real-time analysis.
The denial-of-service (DoS) categories of the KDD CUP 1999 (KDD) and CSE-CIC-IDS2018 data sets were used by Kim et al. [15] to develop Convolutional Neural Network (CNN) models for detecting DoS intrusions, with detection accuracy ranging between 89% and 99%. Wang et al. [16], McLaughlin et al. [17], and Gibert [18] have also used a CNN approach to detect malware. The latter evaluated their technique on the MalImg dataset and the Microsoft Malware Classification Challenge dataset and outperformed other methods in both accuracy and classification time.
Deep Neural Networks (DNN) have been deployed to detect malware [19] on large-scale data sets such as an internal Microsoft dataset with over 2.6 million labeled samples, yielding a two-class error rate of 0.49% for a single neural network and 0.42% for an ensemble of neural networks [20]. Xu et al. [21] combined DNN with Multiple Kernel Learning (MKL) to detect malware in Android applications. Aside from these studies, others address the problem from aspects other than algorithm development. For instance, Elhabashy et al. [9] proposed an attack taxonomy to better understand the relationships between quality control systems, manufacturing systems, and cyber-physical attacks. Wu et al. [22] used anomaly detection and the Random Forest algorithm to detect malicious attacks on 3D printers and CNC milling machines.
3 Dataset and Methodology
In this paper, we use the "N-BaIoT" dataset, originally generated by Meidan et al. from network traffic [23]. The data was gathered from nine commercial IoT devices infected by two different botnets. The authors deployed two of the most common IoT botnet families, Gafgyt and Mirai, and collected traffic before and after infection. Gafgyt (also known as BASHLITE, Q-Bot, Torlus, LizardStresser, and Lizkebab) is one of the most infamous IoT botnets. To launch an attack, the botnet infects Linux-based IoT devices by brute-forcing the default credentials of devices with open Telnet ports. Mirai is the second botnet deployed in the isolated network. The experimental setup included a C&C server and a server hosting a scanner and a loader. The scanner and loader were responsible for scanning for and identifying vulnerable IoT devices and loading the malware onto the devices found. Once a device was infected, it automatically started scanning the network for new victims while waiting for instructions from the C&C server [23]. In our analysis we use only seven of the nine devices in this data set. We implemented several classifiers and selected the most effective ones for this data set, which turned out to be KNN, DT, and RF. A brief description of these algorithms follows:
1. K-Nearest Neighbors (KNN): KNN is a supervised machine learning algorithm that can be used for both classification and regression. It assumes that similar data points lie close to each other. To classify a new point, KNN computes its distance to every point in the training set, sorts the distances in ascending order, and takes the majority label among the k closest points. Because the distances are computed directly on feature values, features with large numeric ranges dominate the result unless the data is scaled first. KNN relies on a large amount of training data, in which data points are plotted in a high-dimensional space where each axis corresponds to one variable characterizing the data point [24]. KNN has been used in intelligent mechanical systems to detect online fraud [25] and has been successfully applied to a large number of business problems [26, 27].
2. Decision Tree (DT): A DT is a set of rules for dividing a large heterogeneous population into smaller, more homogeneous groups with respect to a particular output feature. It is one of the most common Data Mining (DM) techniques and is widely used for both classification and regression. DT algorithms come in many variants: some, like CART and QUEST, are binary trees that always produce two branches (a binary split) at each level; others, like CHAID and C5.0, are non-binary trees that often produce more than two branches at a level. Other differences between these four main DT algorithms include how they handle missing values, variable selection, their capacity to handle variables with a huge number of classes, and their pruning methods [28,29,30]. DT has been used in phishing detection [31] and adversarial detection [32].
3. Random Forest (RF): RF is an ensemble learning method that has been widely used in fields such as computer vision and data mining. RF performs very well on large data sets in a short time compared with other techniques, is easy to interpret and understand, and can handle both numerical and categorical data. An RF consists of a large number of individual decision trees that operate as a group (an ensemble). Each tree is built from a random sample of observations and a random subset of features, and the trees' outputs are combined at the end (by majority vote for classification). This limits overfitting without a substantial increase in generalization error [33, 34]. RF has been used to detect ransomware, achieving 97.74% accuracy [35]. RF has also been used as a feature selection tool when building an Auto-Encoder Intrusion Detection System (AE-IDS); the results showed that using RF reduced detection time and improved prediction accuracy [36].
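As an added illustration of the KNN procedure described above together with the stratified hold-out split and k-fold cross-validation used in the next section, the following pure-Python program (not the authors' code; no scikit-learn required) classifies constructed traffic windows. The three features (packets per window, mean packet size, inter-arrival jitter), the class centres and the label names are assumptions chosen to resemble N-BaIoT-style statistics; they are not the real dataset.

```python
"""k-NN attack classifier with a stratified 90/10 hold-out split and 5-fold
cross-validation, in pure Python (no scikit-learn needed).

Added example, not the authors' code. The traffic windows are CONSTRUCTED to
mimic three N-BaIoT-style statistics (packets per window, mean packet size,
inter-arrival jitter); they are not the real dataset."""
import math
import random
from collections import Counter


def make_constructed_samples(n_per_class, seed=7):
    """Benign traffic: few packets, varied sizes. Mirai scanning: many small
    packets. Gafgyt flooding: many large packets. Constructed, not measured."""
    rng = random.Random(seed)
    centres = {"benign": (20.0, 400.0, 50.0),
               "mirai": (900.0, 60.0, 2.0),
               "gafgyt": (700.0, 1200.0, 5.0)}
    spread = (40.0, 60.0, 4.0)
    data = [(tuple(rng.gauss(mu, s) for mu, s in zip(c, spread)), label)
            for label, c in centres.items() for _ in range(n_per_class)]
    rng.shuffle(data)
    return data


def fit_scaler(train_x):
    """Per-feature mean and std from the TRAINING split only; fitting on the
    whole set would leak test statistics into the model."""
    d = len(train_x[0])
    means = [sum(x[i] for x in train_x) / len(train_x) for i in range(d)]
    stds = [math.sqrt(sum((x[i] - means[i]) ** 2 for x in train_x)
                      / len(train_x)) or 1.0 for i in range(d)]
    return means, stds


def scale(x, scaler):
    means, stds = scaler
    return tuple((v - m) / s for v, m, s in zip(x, means, stds))


def knn_predict(train, x, k=5):
    """Distance to every training point, sort ascending, majority vote among
    the first k (the procedure described in the text)."""
    nearest = sorted((math.dist(tx, x), label) for tx, label in train)[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def group_by_label(data, seed):
    """Shuffle each class separately so splits and folds stay class-balanced."""
    rng = random.Random(seed)
    groups = {}
    for item in data:
        groups.setdefault(item[1], []).append(item)
    for items in groups.values():
        rng.shuffle(items)
    return groups


def stratified_split(data, test_fraction=0.1, seed=0):
    """Hold out test_fraction of EACH class, so rare attack classes are
    guaranteed to appear in the test set."""
    train, test = [], []
    for items in group_by_label(data, seed).values():
        n_test = max(1, round(len(items) * test_fraction))
        test.extend(items[:n_test])
        train.extend(items[n_test:])
    return train, test


def stratified_folds(data, n_folds=5, seed=0):
    """Yield (train, validation) pairs with every class spread over the folds."""
    folds = [[] for _ in range(n_folds)]
    for items in group_by_label(data, seed).values():
        for i, item in enumerate(items):
            folds[i % n_folds].append(item)
    for i in range(n_folds):
        yield [it for j, f in enumerate(folds) if j != i for it in f], folds[i]


def evaluate(train, test, k=5):
    """Return (accuracy, misclassified count); the count is what matters at
    N-BaIoT scale, as the results section points out."""
    scaler = fit_scaler([x for x, _ in train])
    scaled = [(scale(x, scaler), y) for x, y in train]
    errors = sum(knn_predict(scaled, scale(x, scaler), k) != y for x, y in test)
    return 1.0 - errors / len(test), errors


def cross_validate(data, n_folds=5, k=5):
    """Mean validation accuracy over stratified folds of the training split."""
    accs = [evaluate(tr, va, k)[0] for tr, va in stratified_folds(data, n_folds)]
    return sum(accs) / len(accs)


if __name__ == "__main__":
    data = make_constructed_samples(200)
    train, test = stratified_split(data, test_fraction=0.1)
    acc, errs = evaluate(train, test)
    print(f"hold-out accuracy {acc:.4f}, {errs} of {len(test)} misclassified")
    print(f"5-fold CV accuracy on the training split: {cross_validate(train):.4f}")
```

Cross-validation is run on the training split only, with the scaler refitted inside every fold; fitting the scaler or choosing k on data that includes the hold-out set would make the reported accuracy optimistic.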
4 Results and Discussion
A 90/10 split was used to form the training and test sets, given the large scale of the data set. In all experiments, 5-fold cross-validation was used for model validation. The accuracy of each classifier is shown in Fig. 1. As Fig. 1 shows, the algorithms were applied to three different IoT devices (Ecobee Thermostat, Philips B120N10 Baby Monitor, and Provision PT737E Security Camera) compromised by two different bots (Mirai and Gafgyt). The results indicate that the determining factor in the final accuracy of attack classification is the type of bot rather than the type of device: the accuracy results follow a similar pattern across the three devices compromised by the same bot. For devices attacked by the Mirai bot, RF delivers the highest accuracy, followed by DT and then KNN. In particular, the accuracy achieved by KNN on the Thermostat compromised by Mirai is the lowest of all scenarios: the algorithm correctly classifies only 75.54% (0.755426) of the test instances. This translates to a substantial number of misclassified instances (12,846 out of the 52,525 instances in the test set), which underlines the poor performance of this algorithm in this scenario. For the Gafgyt bot, RF again outperforms the other two algorithms, while DT performs worst. In contrast to the Mirai scenarios on the left-hand side of Fig. 1, even the worst-performing algorithm for Gafgyt (DT) correctly classifies more than 99% of the test instances.
It is important to note that even though the accuracy values of the different algorithms look reasonably close, they translate to significantly different numbers of misclassifications because of the large size of the data set. This is critical in real-world deployments, since even a single undetected breach can cause significant security and/or economic loss. The corresponding misclassification counts are given in Table 1.
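As an added illustration of the point above (not part of the original paper), the following pure-Python program converts an accuracy figure into a misclassification count, reproducing the 12,846 errors quoted for KNN on the Mirai-infected thermostat, and then breaks accuracy down with a confusion matrix so that attack windows labelled benign are visible separately from benign windows flagged as attacks. The label names and the two prediction vectors are constructed for the example; the two hypothetical models A and B are chosen to have identical accuracy but different false-negative behaviour.

```python
"""Reading accuracy as a misclassification count and breaking it down with a
confusion matrix, so that attack windows labelled benign (the costly error for
an intrusion detector) are visible rather than hidden in an aggregate.

Added example, not the authors' code. The two prediction vectors are
CONSTRUCTED to show two models with identical accuracy but different
false-negative behaviour."""

LABELS = ("benign", "mirai", "gafgyt")


def misclassified_count(accuracy, n_test):
    """Accuracy 0.755426 on 52,525 test windows -> 12,846 errors, the figure
    quoted in the text for KNN on the Mirai-infected thermostat."""
    return round(n_test * (1.0 - accuracy))


def confusion_matrix(y_true, y_pred, labels=LABELS):
    """cm[true_label][predicted_label] = count."""
    cm = {t: {p: 0 for p in labels} for t in labels}
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def accuracy(cm):
    total = sum(sum(row.values()) for row in cm.values())
    return sum(cm[lab][lab] for lab in cm) / total


def per_class_recall(cm):
    """Fraction of each true class recovered; for the attack classes this is
    the detection rate."""
    return {t: (row[t] / sum(row.values()) if sum(row.values()) else 0.0)
            for t, row in cm.items()}


def missed_attacks(cm, benign="benign"):
    """Attack windows the model labelled benign: the error that lets an
    infected device keep scanning and talking to its C&C server."""
    return sum(row[benign] for t, row in cm.items() if t != benign)


# Constructed ground truth: 10 benign, 5 Mirai and 5 Gafgyt traffic windows.
Y_TRUE = ["benign"] * 10 + ["mirai"] * 5 + ["gafgyt"] * 5
# Hypothetical model A: two benign windows flagged as Mirai (false alarms).
PRED_A = ["mirai"] * 2 + ["benign"] * 8 + ["mirai"] * 5 + ["gafgyt"] * 5
# Hypothetical model B: two Mirai windows passed as benign (missed infections).
PRED_B = ["benign"] * 10 + ["benign"] * 2 + ["mirai"] * 3 + ["gafgyt"] * 5


def compare(y_true=Y_TRUE, preds=(("A", PRED_A), ("B", PRED_B))):
    """Same accuracy, different risk: report what accuracy alone hides."""
    report = {}
    for name, y_pred in preds:
        cm = confusion_matrix(y_true, y_pred)
        report[name] = {"accuracy": accuracy(cm),
                        "errors": misclassified_count(accuracy(cm), len(y_true)),
                        "missed_attacks": missed_attacks(cm),
                        "recall": per_class_recall(cm)}
    return report


if __name__ == "__main__":
    print(misclassified_count(0.755426, 52525))
    for name, r in compare().items():
        print(name, f"acc={r['accuracy']:.2f}", f"errors={r['errors']}",
              f"missed_attacks={r['missed_attacks']}", r["recall"])
```

Both hypothetical models score 0.90 accuracy with two errors each, but model A's errors are false alarms on benign traffic while model B lets two of five Mirai windows through; Table 1's misclassification counts become far more informative once they are split this way, per true class.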
5 Conclusion
We proposed a machine learning-based framework for attack classification and detection in IIoT devices. The experiments show a successful application of artificial intelligence to cybersecurity, yielding an effective and robust approach for identifying, classifying, and detecting two different botnet attacks compromising three different IIoT devices. The evaluation used accuracy as the performance metric. The experiments demonstrate that a combination of machine learning algorithms can accurately detect and classify the attacks in more than 99.9% of the instances in the test set. Future work can enhance the approach with deep neural network-based models and with other emerging IIoT data sets, and can develop more effective feature engineering methods that transform raw network data into richer inputs for learning methods.
References
Chhetri, S.R., Rashid, N., Faezi, S., Al Faruque, M.A.: Security trends and advances in manufacturing systems in the era of industry 4.0. In: 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp. 1039–1046 (2017). https://doi.org/10.1109/ICCAD.2017.8203896
Koppisetty, H., Potdar, K., Jain, S.: Cyber-crime, forensics and use of data mining in cyber space: a survey. In: 2019 International Conference on Smart Systems and Inventive Technology (ICSSIT), Smart Systems and Inventive Technology (ICSSIT), pp. 722–727 (2019). https://doi.org/10.1109/ICSSIT46314.2019.8987921
Jazdi, N.: Cyber physical systems in the context of industry 4.0. In: 2014 IEEE International Conference on Automation, Quality and Testing, Robotics, pp. 1–4, May 2014. https://doi.org/10.1109/AQTR.2014.6857843
Atzori, L., Iera, A., Morabito, G.: The Internet of Things: a survey. Comput. Netw. 54(15), 2787–2805 (2010). https://doi.org/10.1016/j.comnet.2010.05.010
Shahin, M., Chen, F.F., Bouzary, H., Krishnaiyer, K.: Integration of lean practices and Industry 4.0 technologies: smart manufacturing for next-generation enterprises. Int. J. Adv. Manufact. Technol. 107(5–6), 2927–2936 (2020). https://doi.org/10.1007/s00170-020-05124-0
Rauch, E., Dallasega, P., Matt, D.T.: Distributed manufacturing network models of smart and agile mini-factories. Int. J. Agile Syst. Manage. 10(3–4), 185–205 (2017)
Elhabashy, A.E., Wells, L.J., Camelio, J.A.: Cyber-physical security research efforts in manufacturing - a literature review. Procedia Manufact. 34, 921–931 (2019). https://doi.org/10.1016/j.promfg.2019.06.115
Shahin, M., Chen, F.F., Bouzary, H., Zarreh, A.: Frameworks proposed to address the threat of cyber-physical attacks to lean 4.0 systems. Procedia Manufact. 51, 1184–1191 (2020). https://doi.org/10.1016/j.promfg.2020.10.166
Elhabashy, A.E., Wells, L.J., Camelio, J.A., Woodall, W.H.: A cyber-physical attack taxonomy for production systems: a quality control perspective. J. Intell. Manuf. 30(6), 2489–2504 (2018). https://doi.org/10.1007/s10845-018-1408-9
ICS Monitor Newsletters | CISA. https://www.us-cert.gov/ics/monitors. Accessed 20 Oct 2020
Culot, G., Fattori, F., Podrecca, M., Sartor, M.: Addressing industry 4.0 cybersecurity challenges. IEEE Eng. Manage. Rev. 47(3), 79–86 (2019). https://doi.org/10.1109/EMR.2019.2927559
Mahmood, T., Afzal, U.: Security analytics: big data analytics for cybersecurity: a review of trends, techniques and tools. In: 2013 2nd National Conference on Information Assurance (NCIA), pp. 129–134 (2013). https://doi.org/10.1109/NCIA.2013.6725337
Terzi, D.S., Terzi, R., Sagiroglu, S.: Big data analytics for network anomaly detection from netflow data. In: 2017 International Conference on Computer Science and Engineering (UBMK), pp. 592–597 (2017). https://doi.org/10.1109/UBMK.2017.8093473
Gaggero, G.B., Rossi, M., Girdinio, P., Marchese, M.: Neural network architecture to detect system faults/cyberattacks anomalies within a photovoltaic system connected to the grid. In: 2019 International Symposium on Advanced Electrical and Communication Technologies (ISAECT), pp. 1–4 (2019). https://doi.org/10.1109/ISAECT47714.2019.9069683
Wan, M., Song, Y., Jing, Y., Wang, J.: Function-aware anomaly detection based on wavelet neural network for industrial control communication. Secur. Commun. Netw. (2018). https://doi.org/10.1155/2018/5103270
Wang, W., Zhu, M., Zeng, X., Ye, X., Sheng, Y.: Malware traffic classification using convolutional neural network for representation learning. In: 2017 International Conference on Information Networking (ICOIN), pp. 712–717. IEEE (2017). https://doi.org/10.1109/ICOIN.2017.7899588
McLaughlin, N., et al.: Deep Android Malware Detection, pp. 301–308 (2017). https://doi.org/10.1145/3029806.3029823
Gibert, D., Mateu, C., Planes, J., Vicens, R.: Using convolutional neural networks for classification of malware represented as images. J. Comput. Virol. Hack. Tech. 15(1), 15–28 (2018). https://doi.org/10.1007/s11416-018-0323-0
Grosse, K., Papernot, N., Manoharan, P., Backes, M., McDaniel, P.: Adversarial perturbations against deep neural networks for malware classification (2016). arXiv:1606.04435 [cs], http://arxiv.org/abs/1606.04435. Accessed 18 Jun 2020
Dahl, G.E., Stokes, J.W., Deng, L., Yu, D.: Large-scale malware classification using random projections and neural networks. In: 2013 IEEE International Conference on Acoustics, Speech and Signal Processing, pp. 3422–3426, May 2013. https://doi.org/10.1109/ICASSP.2013.6638293
Xu, L., Zhang, D., Jayasena, N., Cavazos, J.: HADM: hybrid analysis for detection of malware. In: Bi, Y., Kapoor, S., Bhatia, R. (eds.) IntelliSys 2016. LNNS, vol. 16, pp. 702–724. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-56991-8_51
Wu, M., Song, Z., Moon, Y.B.: Detecting cyber-physical attacks in CyberManufacturing systems with machine learning methods. J. Intell. Manuf. 30(3), 1111–1123 (2017). https://doi.org/10.1007/s10845-017-1315-5
Meidan, Y., et al.: N-BaIoT: network-based detection of IoT botnet attacks using deep autoencoders. IEEE Pervasive Comput. 17(3), 12–22 (2018). https://doi.org/10.1109/MPRV.2018.03367731
Samui, P., Sekhar, S., Balas, V.E.: Handbook of Neural Computation. Elsevier (2017). https://doi.org/10.1016/C2016-0-01217-2
Kannagi, A., Mohammed, J.G., Murugan, S.S.G., Varsha, M.: Intelligent mechanical systems and its applications on online fraud detection analysis using pattern recognition K-nearest neighbor algorithm for cloud security applications. Mater. Today: Proc. (2021). https://doi.org/10.1016/j.matpr.2021.04.228
Boehmke, B., Greenwell, B.: Hands-On Machine Learning with R (2020). https://bradleyboehmke.github.io/HOML/knn.html. Accessed 17 Jun 2020
Cahyani, D.E., Nuzry, K.A.P.: Trending topic classification for single-label using multinomial naive bayes (MNB) and multi-label using k-nearest neighbors (KNN). In: 2019 4th International Conference on Information Technology, Information Systems and Electrical Engineering (ICITISEE), pp. 547–552 (2019). https://doi.org/10.1109/ICITISEE48480.2019.9003944
Kass, G.V.: An exploratory technique for investigating large quantities of categorical data. J. R. Stat. Soc. Ser. C (Appl. Stat.) 29(2), 119–127 (1980). https://doi.org/10.2307/2986296
Salzberg, S.L.: C4.5: programs for machine learning by J. Ross Quinlan. Morgan Kaufmann Publishers Inc, 1993. Mach Learn 16(3), 235–240 (1994). https://doi.org/10.1007/BF00993309
Loh, W.-Y., Shih, Y.-S.: Split selection methods for classification trees. Stat. Sin. 7(4), 815–840 (1997). http://www3.stat.sinica.edu.tw/statistica/j7n4/j7n41/j7n41.htm. Accessed 17 Jun 2020
Zhu, E., Ju, Y., Chen, Z., Liu, F., Fang, X.: DTOF-ANN: an artificial neural network phishing detection model based on decision tree and optimal features. Appl. Soft Comput. 95, 106505, (2020). https://doi.org/10.1016/j.asoc.2020.106505
Appiah, B., Qin, Z., Abra, A.M., Kanpogninge, A.J.A.: Decision tree pairwise metric learning against adversarial attacks. Comput. Secur. 106, 102268, (2021). https://doi.org/10.1016/j.cose.2021.102268
Bai, J., Li, Y., Li, J., Yang, X., Jiang, Y., Xia, S.-T.: Multinomial random forest. Pattern Recogn. 122, 108331, (2022). https://doi.org/10.1016/j.patcog.2021.108331
Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001). https://doi.org/10.1023/A:1010933404324
Khammas, B.M.: Ransomware detection using random forest technique. ICT Express 6(4), 325–331 (2020). https://doi.org/10.1016/j.icte.2020.11.001
Li, X., Chen, W., Zhang, Q., Wu, L.: Building auto-encoder intrusion detection system based on random forest feature selection. Comput. Secur. 95, 101851 (2020). https://doi.org/10.1016/j.cose.2020.101851
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
Shahin, M., Chen, F., Bouzary, H., Hosseinzadeh, A., Rashidifar, R. (2023). Classification and Detection of Malicious Attacks in Industrial IoT Devices via Machine Learning. In: Kim, KY., Monplaisir, L., Rickli, J. (eds) Flexible Automation and Intelligent Manufacturing: The Human-Data-Technology Nexus . FAIM 2022. Lecture Notes in Mechanical Engineering. Springer, Cham. https://doi.org/10.1007/978-3-031-18326-3_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-18325-6
Online ISBN: 978-3-031-18326-3