A malicious threat detection model for cloud assisted internet of things (CoT) based industrial control system (ICS) networks using deep belief network
Introduction
With the advancement of cloud and Internet of Things (IoT) technologies, their applications in modern industries are growing at an unprecedented rate [[8], [24], [36]]. Cloud platforms enable highly efficient monitoring and control of ICS networks through cloud assisted IoT (CoT) [25], which facilitates faster and cheaper intelligent data acquisition and processing and thereby maximizes the profit from the plant. The devices in an ICS were originally manufactured for an isolated operating environment, so the privacy and security of data and control traffic were ignored. With the extensive integration of ICS networks with cloud networks in modern industries, however, the CoT devices with smart sensing capabilities, PLCs, actuators and intelligent electronic devices (IEDs) of the ICS are exposed to external malicious attacks originating from the corporate network [[6], [17], [24]].
In general, ICS are protected against malicious attacks using standard ICT security systems. Standard ICT security systems recognize only known and common malware behavior, which may not be the same for ICS. Anti-malware techniques suggested in the literature to date mostly rely on manual experts updating their databases on a regular basis, which limits their applicability in protecting ICSs [[7], [31], [34]], for example in real time [[22], [23], [31]]. A malware detection system for ICS needs to be capable of defending against unknown malware behavior without manual labeling by experts, while data is collected on a regular basis to keep the system up to date. In addition, preserving the availability and integrity of the services provided by the ICS against malicious code is very challenging [[1], [12]], which demands the development of specialized malware detection techniques [[6], [24], [33]]. As such, developing an automated cyber defense model that safeguards ICS against unknown attacks by advanced malicious software is well motivated.
Static signature-based and dynamic behavior-based supervised approaches [[16], [29], [32]] to malware detection in conventional information technology (IT) network security have limitations when malware dynamically changes its internal structure and attack patterns [[4], [18], [27]]. The static signature-based approach uses a byte sequence [16] known as the malware signature. The detection engine requires a list of signatures for all known malware, which is computed by manual experts. This makes the detection system expensive. Unpacking the malware also increases the computational complexity. Manually updating the malware signatures stored in the detection engine's database on a regular basis, in real time, is infeasible for a large number of malware. Obfuscation techniques [[10], [26]] can evade static analysis by changing the code and thereby the signature of the malware. At run time, however, the behavior may remain the same. Dynamic analysis [[10], [26]] can therefore extract better feature sets than static approaches, as it uses the run-time behavior of the malware, collected by triggering the malware in a virtual machine environment (with no need for unpacking, unlike static approaches) [[2], [23], [26], [27]]. Fig. 1 shows the Application Program Interface (API) usage during run time, extracted by run-time behavior collection. The API usage is very dynamic, and largely similar across different malware. This dynamic nature of API usage makes the malware difficult to understand, analyze and detect with most current supervised-learning-based detection methods. Both static and dynamic analysis approaches are supervised and require regular updates of the malware feature database for the detection engine and retraining of the detection system. This limits their applicability to cloud based ICS networks.
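As an added illustration of the static-versus-dynamic argument above (example code written for this page, not code from the paper or its authors): two constructed executable images that share one constructed sandbox trace are hashed, so the byte-level signature no longer matches after repacking while the API-presence feature vector built from the run-time trace is unchanged, and a benign trace scores low on the same behavioral similarity. The trace line format, the API names, the sample bytes and the Jaccard similarity are assumptions for this example, not the paper's feature extraction.

```python
import hashlib
import re

# Constructed sandbox traces in a Cuckoo-like "pid api(args)" line format; these
# are illustrative, not the paper's data.  "malware_a_packed" is the same malware
# after a packer changed its bytes: the on-disk signature differs, the run-time
# API usage does not.
INJECTOR_TRACE = """
1234 CreateFileW("C:\\Users\\victim\\AppData\\Local\\Temp\\drop.exe")
1234 WriteFile(h=0x1c, n=49152)
1234 VirtualAllocEx(pid=4100, size=0x2000, prot=PAGE_EXECUTE_READWRITE)
1234 WriteProcessMemory(pid=4100, addr=0x7ff600000000)
1234 CreateRemoteThread(pid=4100, start=0x7ff600000000)
1234 InternetOpenA(agent="Mozilla/4.0")
1234 HttpSendRequestA(url="/gate.php", method="POST")
"""
EDITOR_TRACE = """
2000 CreateFileW("C:\\Users\\victim\\Documents\\notes.txt")
2000 ReadFile(h=0x20, n=4096)
2000 WriteFile(h=0x20, n=4120)
"""
SAMPLES = {  # name -> (constructed executable bytes, sandbox trace)
    "malware_a":        (b"MZ\x90\x00 original build of the injector",         INJECTOR_TRACE),
    "malware_a_packed": (b"MZ\x90\x00 UPX-style packed build, different bytes", INJECTOR_TRACE),
    "benign_editor":    (b"MZ\x90\x00 harmless text editor",                   EDITOR_TRACE),
}

API_LINE = re.compile(r"^\s*\d+\s+([A-Za-z_]\w*)\(")


def static_signature(image: bytes) -> str:
    """Byte-level signature as a hash of the executable image: changes with any repacking."""
    return hashlib.sha256(image).hexdigest()


def parse_api_calls(trace: str) -> list:
    """Extract the called API names, in order, from a sandbox trace."""
    return [m.group(1) for m in map(API_LINE.match, trace.splitlines()) if m]


def build_vocabulary(traces) -> list:
    """Sorted list of every API seen across all traces; defines the feature vector columns."""
    return sorted({api for t in traces for api in parse_api_calls(t)})


def api_feature_vector(trace: str, vocab: list) -> list:
    """Binary presence vector over the vocabulary (the dynamic behavior feature)."""
    present = set(parse_api_calls(trace))
    return [1 if api in present else 0 for api in vocab]


def jaccard(a: list, b: list) -> float:
    """Set similarity of two binary vectors: |A and B| / |A or B|."""
    both = sum(1 for x, y in zip(a, b) if x and y)
    either = sum(1 for x, y in zip(a, b) if x or y)
    return both / either if either else 1.0


def compare(name_a: str, name_b: str) -> dict:
    """Static match (exact hash equality) versus dynamic similarity (Jaccard over API presence)."""
    vocab = build_vocabulary([t for _, t in SAMPLES.values()])
    (img_a, trace_a), (img_b, trace_b) = SAMPLES[name_a], SAMPLES[name_b]
    return {
        "signature_match": static_signature(img_a) == static_signature(img_b),
        "behavior_similarity": jaccard(api_feature_vector(trace_a, vocab),
                                       api_feature_vector(trace_b, vocab)),
    }


if __name__ == "__main__":
    print(compare("malware_a", "malware_a_packed"))  # {'signature_match': False, 'behavior_similarity': 1.0}
    print(compare("malware_a", "benign_editor"))     # {'signature_match': False, 'behavior_similarity': 0.25}
```

The presence vector deliberately ignores call order and argument values; a detector that keys on them would be more discriminating but also more sensitive to the run-to-run variation the paragraph describes.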
Huda et al. [14] proposed a semi-supervised approach to avoid manual updating of the detection engine. This approach uses a hybridized training procedure combining feature processing, feature selection, unsupervised clustering and supervised training, which makes the database update procedure very complex. ICS master terminal unit (MTU) and remote terminal unit (RTU) servers have limited computational resources, run on comparatively older operating systems (OSs) and are operated differently from traditional IT computational resources. A complex database update procedure could therefore interfere with the regular operation of the ICS network, and such a complex updating system [14] may be difficult to implement on these MTUs/RTUs. A simplified approach to discovering the behavioral variations in new variants and updating the engine's knowledge base without any manual effort is therefore a critical research question, and is the main direction of the current work.
Deep learning is an emergent technique [35] that is extensively used in many pattern recognition problems because of its capability to learn from unlabeled data. In this work we propose a cyber-threat detection model for CoT based ICS networks, in the form of two different detection models based on a deep belief network (DBN). In the first proposed model, we use disjoint training and testing sets with the DBN. By applying different obfuscation techniques, including polymorphism and metamorphism, malware authors generate numerous variants of malware that change the attack patterns dynamically. This explosive growth of new variants can be exploited to extract new and unknown patterns. In our second proposed model, we use all available known/labeled and unlabeled executables for the training of the DBN, which provides additional knowledge of hidden patterns from the new variants. The novelty of the proposed DBN based detection models is that their training procedure is similar to the semi-supervised approach in its adaptive nature, but the DBN based models do not require any additional processing, such as feature reduction and unsupervised clustering, before they are trained with supervised learning. This makes the training procedure simpler and more feasible to implement in ICS networks.
When the DBN is trained with all available (labeled and unlabeled) data, which is possible because this stage requires no labeling and is completely unsupervised, the DBN can learn the hidden intrinsic patterns of new unlabeled malware data through a layered structure of representation in which higher layers represent more abstract characteristics of malware behavior. Each higher layer learns and constructs behavioral features from the features of the lower layers, forming more significant features. The trained DBN can then easily be used in the detection engine. However, the DBN's performance varies with its configuration, so the hyper-parameters must be set appropriately. Generally, the size of the mini batch, the weight initialization, the number of epochs, the number of hidden layers and units in each layer, the learning rate and the momentum constitute the set of hyper-parameters. In this work we obtain an optimal DBN by iteratively varying the structure of the DBN and the number of epochs. Thus our proposed models can extract changes in the attack patterns from the incoming unlabeled executables in an unsupervised manner, through a simplified training procedure that uses optimal DBN structures. This keeps the detection engine up to date automatically, without any manual effort. The proposed DBN based model can be used in the process control network layer [[21], [37]] of an industrial control system as an intrusion detection system [[13], [37]].
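An added example (not the paper's code) of the two mechanisms this paragraph describes: greedy layer-wise unsupervised pretraining of a DBN as a stack of restricted Boltzmann machines on labeled and unlabeled feature vectors together, followed by a search over hidden-layer sizes and epoch counts that keeps the structure with the lowest reconstruction error. The API-presence vectors and their column order, the layer sizes, the epoch choices and the use of reconstruction error as the selection criterion are constructed assumptions; the supervised fine-tuning stage and the paper's actual hyper-parameters are not reproduced here.

```python
import math
import random

# Constructed binary API-presence vectors (1 = the API was observed in the
# sandbox run).  The column order is an assumption for this example, not the
# paper's feature set: CreateFileW, WriteFile, RegSetValueExW, VirtualAllocEx,
# WriteProcessMemory, CreateRemoteThread, InternetOpenA, HttpSendRequestA.
LABELED = [   # (vector, label) pairs an analyst has already classified
    ([1, 1, 1, 1, 1, 1, 1, 1], "malware"),
    ([1, 1, 0, 0, 0, 0, 0, 0], "benign"),
    ([1, 1, 1, 0, 0, 0, 0, 0], "benign"),
]
UNLABELED = [  # new variants with no label; still usable for the unsupervised stage
    [1, 1, 1, 1, 1, 1, 0, 0], [0, 0, 0, 1, 1, 1, 1, 1], [1, 1, 0, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1, 1], [0, 0, 0, 0, 0, 0, 1, 1], [1, 1, 0, 0, 0, 0, 1, 1],
]


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    """Binary restricted Boltzmann machine trained with one-step contrastive divergence (CD-1)."""

    def __init__(self, n_visible: int, n_hidden: int, rng: random.Random):
        self.rng = rng
        # Small random weights break the symmetry between hidden units; the seeded rng keeps runs reproducible.
        self.w = [[rng.gauss(0.0, 0.01) for _ in range(n_hidden)] for _ in range(n_visible)]
        self.b_vis = [0.0] * n_visible
        self.b_hid = [0.0] * n_hidden

    def hidden_probs(self, v):
        return [sigmoid(self.b_hid[j] + sum(v[i] * self.w[i][j] for i in range(len(v))))
                for j in range(len(self.b_hid))]

    def visible_probs(self, h):
        return [sigmoid(self.b_vis[i] + sum(h[j] * self.w[i][j] for j in range(len(h))))
                for i in range(len(self.b_vis))]

    def fit(self, data, epochs: int, lr: float = 0.1):
        for _ in range(epochs):
            for v0 in data:
                h0 = self.hidden_probs(v0)
                h0_sample = [1.0 if self.rng.random() < p else 0.0 for p in h0]
                v1 = self.visible_probs(h0_sample)      # one Gibbs step: reconstruct the input
                h1 = self.hidden_probs(v1)
                # CD-1 update: <v h>_data - <v h>_reconstruction, plus the bias terms
                for i in range(len(v0)):
                    for j in range(len(h0)):
                        self.w[i][j] += lr * (v0[i] * h0[j] - v1[i] * h1[j])
                    self.b_vis[i] += lr * (v0[i] - v1[i])
                for j in range(len(h0)):
                    self.b_hid[j] += lr * (h0[j] - h1[j])
        return self


def pretrain_dbn(data, hidden_sizes, epochs: int, seed: int = 0) -> list:
    """Greedy layer-wise pretraining: each RBM learns from the hidden activations of the layer below."""
    rng = random.Random(seed)
    layers, inputs = [], data
    for n_hidden in hidden_sizes:
        rbm = RBM(len(inputs[0]), n_hidden, rng).fit(inputs, epochs)
        layers.append(rbm)
        inputs = [rbm.hidden_probs(v) for v in inputs]
    return layers


def reconstruction_error(layers, data) -> float:
    """Mean squared error after propagating each vector up the stack and back down."""
    total = 0.0
    for v in data:
        up = v
        for rbm in layers:
            up = rbm.hidden_probs(up)
        down = up
        for rbm in reversed(layers):
            down = rbm.visible_probs(down)
        total += sum((a - b) ** 2 for a, b in zip(v, down)) / len(v)
    return total / len(data)


def select_structure(data, size_candidates, epoch_candidates, seed: int = 0):
    """Iterate over layer-size and epoch choices, keeping the stack with the lowest reconstruction error."""
    best = None
    for sizes in size_candidates:
        for epochs in epoch_candidates:
            err = reconstruction_error(pretrain_dbn(data, sizes, epochs, seed), data)
            if best is None or err < best[0]:
                best = (err, tuple(sizes), epochs)
    return best


if __name__ == "__main__":
    everything = [v for v, _ in LABELED] + UNLABELED   # labels are not needed for pretraining
    print(reconstruction_error(pretrain_dbn(everything, [4, 2], 0), everything))
    print(select_structure(everything, [[4], [4, 2], [6, 3]], [50, 200]))
```

The unsupervised stage is what lets unlabeled new variants contribute: they shape the weights of every layer even though only the labeled subset can be used for the supervised classifier that sits on top of the stack.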
The rest of the paper is organized as follows. The next section describes the mathematical formulation of the problem and the motivation for the DBN based approach. Section 3 describes the proposed approaches with their mathematical formulations, the metrics used to extract the intrinsic characteristics of new variants, and the training procedures of the detection systems. This section also describes the sandbox environment used to collect dynamic behavior based features. Experimental results and analysis are given in Section 4, followed by the conclusion in Section 5.
Problem formulation
Cloud assisted Internet of Things (CoT) [[6], [15], [24], [28]] is extensively used and integrated into ICS in today's industrial systems. This has many advantages over conventional ICS, including faster computation, the availability of huge storage facilities, and central monitoring and control of RTUs and CoT devices from remote corporate locations, resulting in an enormous increase in productivity and economic benefit for industries [[3], [11], [19], [20], [36]]. Although this integration
Proposed DBN based detection models
In this section, we present the proposed DBN based detection models. The detailed design of our proposed threat detection model is presented as the architecture shown in Fig. 2. The proposed models have several components: triggering the malware in a virtual machine and collecting behavioral logs, preprocessing the log files and extracting features, training the DBN, and finally detecting malware with automatic database updating. The next sections describe the
Malware data set, feature extraction, results and discussion
To demonstrate the efficiency of our proposed approach to malware detection, experimental data from [14] and VX Heaven are used. A total of 485 executables were collected manually from various versions of Win32 based systems. The total number of malware samples used in our experiments is 967. The malware and their types used in the experiment are presented in Table 1. All executable files are run in the sandbox environment [14] and then the API
Conclusion
SCADA systems are increasingly being integrated through cloud and IoT platforms. This facilitates low cost data acquisition and transmission and easy multi-user, decentralized remote monitoring. Devices in ICS were originally manufactured to run on isolated networks, so few security measures were considered. Because of this integration, SCADA networks over open TCP/IP networks are exposed to severe malicious threats. Since the characteristics of ICS networks and their operations (which mostly run on real
Acknowledgments
The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its participation in funding this Research Group No. (RGP-1436-039).
References (37)
- et al., Defending unknown attacks on cyber-physical systems by semi-supervised approach and available unlabeled data, Inform. Sci. (2017)
- et al., A three-stage analysis of IDS for critical infrastructures, Comput. Secur. (2015)
- et al., Industrial Process Automation Systems Design and Implementation (2015)
- Are industrial control systems ready for the cloud?, Int. J. Crit. Infrastruct. Prot. (2015)
- et al., A cloud-based architecture for the internet of things targeting industrial devices remote monitoring and control, IFAC-PapersOnLine (2016)
- et al., Software-defined cloud manufacturing for industry 4.0, Procedia CIRP (2016)
- Statistical method of change detection
- K. Blokhin, J. Saxe, D. Mentis, Malware similarity identification using call graph based system call subsequence...
- et al., Deterministic detection of cloning attacks for anonymous RFID systems, IEEE Trans. Ind. Inf. (2015)
- et al., Malwise: An effective and efficient classification system for packed and polymorphic malware, IEEE Trans. Comput. (2013)
- Smote: Synthetic minority over-sampling technique, J. Artificial Intelligence Res.
- Review of security issues in industrial networks, IEEE Trans. Ind. Inf.
- An approach to cyber-physical vulnerability assessment for intelligent manufacturing systems, J. Manuf. Syst.
- Efficient clustering of very large document collections, Data Mining Sci. Eng. Appl.
- Design, modelling, simulation and integration of cyber physical systems: Methods and applications, Comput. Ind.
Cited by (51)
- A feature selection based on genetic algorithm for intrusion detection of industrial control systems, Computers and Security (2024)
- Deep learning-based intrusion detection approach for securing industrial Internet of Things, Alexandria Engineering Journal (2023)
- Hybrid honey badger-world cup algorithm-based deep learning for malicious intrusion detection in industrial control systems, Computers and Industrial Engineering (2023)
- Analysis of safety and security challenges and opportunities related to cyber-physical systems, Process Safety and Environmental Protection (2023)
- Network intrusion detection based on DNA spatial information, Computer Networks (2022)
- Deep learning for malware detection: Literature review, Journal of Theoretical and Applied Information Technology (2024)
Shamsul Huda received his Ph.D. degree in computer science. He is a Lecturer in the School of Information Technology, Deakin University, Australia. He has published more than 50 journal and conference papers in well reputed venues, including IEEE Transactions. His main research areas are information security, cyber-physical systems, computational intelligence and machine learning. Before joining Deakin, he also worked at Federation University as a Research Fellow. Dr Huda worked as an Assistant Professor in the Computer Science Department of Khulna University of Engineering and Technology (KUET), Bangladesh.
Suruz Miah is currently an Assistant Professor in the Department of Electrical and Computer Engineering (ECE) at Bradley University. Dr. Miah is interested in pursuing research in the broad area of cyber-physical systems. In particular, he conducts research on mobile robot navigation, control systems, mechatronics, multi-agent systems and control, and applications of Radio Frequency IDentification (RFID) technology. He is currently a research member of the Cyber-Physical Systems laboratory at Bradley and the Machine Intelligence, Robotics, and Mechatronics (MIRaM) laboratory at the University of Ottawa. Dr. Miah is an author/co-author of more than 40 technical papers, published in leading journals and conference proceedings.
John Yearwood received his Ph.D. degree in computer science. Professor Yearwood is the Head of the School of Information Technology, Deakin University, Australia. His main research areas are machine learning, optimization and information security. He has published two books and over 200 refereed journal, book chapter and conference articles. Professor Yearwood was the Editor-in-Chief of the Journal of Research and Practice in Information Technology, and is a reviewer for many journals.
Sultan Alyahya received his Ph.D. degree in Computer Science from Cardiff University, UK, in 2013. He also received his M.Sc. degree in Information Systems Engineering from the same university in 2007. His B.Sc. degree was obtained with honors in information systems from King Saud University. Dr. Sultan is currently an assistant professor at the College of Computer and Information Sciences, King Saud University. His main research interests are in the fields of Software Project Management, Agile Development and Computer Supported Co-operative Work (CSCW).
Hmood Al-Dossari received his Ph.D. degree in computer science and is an Assistant Professor in the College of Computer and Information Sciences at King Saud University. He holds an MS and a Ph.D. in Computer Science from King Saud University and Cardiff University respectively. His research interests include quality of service assessment, trust and reputation management systems, human-computer interaction, sentiment analysis and social mining. He has several publications in international journals and conferences. He has attended various conferences and presented many seminars.
Robin Doss is the Deputy Head of the School of Information Technology at Deakin University, Australia. Robin leads the Internet of Things (IoT) and Cyber Physical Systems (CPS) security program at the Deakin Centre for Cyber Security Research (CSSR) and is the Co-Director of the IoT research cluster at Deakin University, Australia. His research has been funded by the National Security Science and Technology (NSST) branch of the office of national security in collaboration with the Defence Signals Directorate (DSD), the Australian Research Council (ARC) and industry partners. From 2008–2009. The high quality of his research is best evidenced by his strong track record of publications in high impact technical journals (IEEE Transactions) and top conferences (IEEE GLOBECOM, IEEE PERCOM, IEEE ICC), with more than 75 such publications. He is a senior member of the IEEE, founding chair of the Future Network Systems and Security (FNSS) conference series and associate editor of the Journal of Cyber Physical Systems.