A malicious threat detection model for cloud assisted internet of things (CoT) based industrial control system (ICS) networks using deep belief network

https://doi.org/10.1016/j.jpdc.2018.04.005

Highlights

  • An adaptive malicious threat detection model is proposed for CoT based ICS networks.

  • The proposed model is simpler to train than conventional semi-supervised approaches.

  • Optimal deep belief networks (DBNs) are used in the proposed model.

  • The performance of the detection system has been verified on a real malware test bed.

Abstract

Internet of Things (IoT) devices are extensively used in modern industries, combined with the conventional industrial control system (ICS) network through the industrial cloud, to make production data readily available to corporate business management and to simplify control of highly profitable production systems. The devices within a conventional ICS network were originally manufactured to run on an isolated network, and the privacy and security of the control and production/architecture data carried between the manufacturing plant and the corporate network was not a design consideration. Because of their extensive integration with the industrial cloud over the internet, these ICS networks are now exposed to a significant threat from malicious software. Protecting ICS against such attacks requires continuous updating of the anti-malware tools' database, which demands regular effort from human experts. This limits real-time protection of ICS.

Earlier work by Huda et al. (2017), based on a semi-supervised approach, performed well. However, the training process of that semi-supervised approach (Huda et al., 2017) is a complex procedure that requires a hybridization of feature selection, unsupervised clustering and supervised training techniques, and could therefore be too time consuming for real-time protection of an ICS network. In this paper, we propose an adaptive threat detection model for the industrial cloud of things (CoT) based on deep learning. Deep learning is used in many domains of pattern recognition and is popular for its simple training procedure. Most importantly, deep learning can learn the hidden patterns of a domain in an unsupervised manner, which avoids the need for large amounts of expensive labeled data. We use this characteristic of deep learning to design our detection model.

Two different types of deep learning based detection models are proposed in this work. The first model uses disjoint training and testing data for a deep belief network (DBN) and its corresponding artificial neural network (ANN). In the second model, the DBN is additionally trained on new unlabeled data to give it knowledge of changes in malicious attack patterns. The novelty of the proposed detection models is that they are adaptive, their training procedure is simpler than the earlier work (Huda et al., 2017), and they can learn new malware behaviors from already available, cheap unlabeled data at the same time. This avoids expensive manual labeling of new attacks and the corresponding time complexity, making the approach feasible for ICS networks. The performance of a standard DBN is sensitive to its configuration and hyper-parameter values, including the number of hidden nodes, the learning rate and the number of epochs. The proposed detection models therefore search for an optimal configuration by varying the structure of the DBN and these parameters. The proposed detection models are extensively tested on a real malware test bed. Experimental results show that the proposed approaches achieve higher accuracies than standard detection algorithms and similar performance to the earlier semi-supervised work (Huda et al., 2017), while providing a comparatively simpler training model.

Introduction

With the advancement of cloud and Internet of Things (IoT) technologies, their applications in modern industries are growing at an unprecedented rate [[8], [24], [36]]. Cloud platforms enable highly efficient monitoring and control of ICS networks through cloud assisted Internet of Things (CoT) [25], which provides faster and cheaper intelligent data acquisition and processing and thereby maximizes the profit from the plant. The devices in an ICS were initially manufactured for an isolated operating environment, ignoring the privacy and security of data and control traffic. However, because of the extensive integration of ICS networks with cloud networks in modern industries, the CoT devices with smart sensing capabilities, PLCs, actuators and intelligent electronic devices (IEDs) of an ICS are exposed to external malicious attacks from the corporate network [[6], [17], [24]].

In general, ICS are protected against malicious attacks using standard ICT security systems. Standard ICT security systems are familiar only with known and common malware behavior, which may not be the same for ICS. Anti-malware techniques suggested in the literature to date [[7], [31], [34]] mostly rely on manual experts updating their databases on a regular basis, which limits their applicability in protecting ICSs, for example in real time [[22], [23], [31]]. Malware detection systems for ICS need to be capable of defending against unknown malware behavior without manual labeling by experts, since data must be collected on a regular basis to keep the system up to date. In addition, it is very challenging to preserve the availability and integrity of the services provided by the ICS against malicious code [[1], [12]], which therefore demands the development of specialized malware detection techniques [[6], [24], [33]]. As such, developing an automated cyber defense model that safeguards ICS against unknown attacks by advanced malicious software is well motivated.

Static signature-based or dynamic behavior-based supervised approaches [[16], [29], [32]] to malware detection in conventional information technology (IT) network security have limitations when malware dynamically changes its internal structure and attack patterns [[4], [18], [27]]. The static signature-based approach uses a byte sequence [16] known as the malware signature. The detection engine requires a list of signatures for all known malware, which is computed by manual experts; this makes the detection system expensive. Unpacking malware also increases computational complexity, and manually updating the signatures stored in the detection engine's database on a regular basis is infeasible in real time for a large number of malware samples. Obfuscation techniques [[10], [26]] can defeat static analysis by changing the code and thereby the signature of the malware, but the run-time behavior of the malware may remain the same. Dynamic analysis [[10], [26]] can therefore extract better feature sets than static approaches, as it uses the run-time behavior of malware, collected by triggering the malware in a virtual machine environment with no need for unpacking [[2], [23], [26], [27]]. Fig. 1 shows the Application Programming Interface (API) usage during run time, extracted by run-time behavior collection. These API usage patterns are highly dynamic and largely similar across different malware samples, which makes the malware difficult to understand, analyze and detect by most current supervised learning based detection methods. Both static and dynamic analysis based approaches are supervised and require regular updates of the malware feature database of the detection engine and retraining of the detection system. This limits their applicability to cloud based ICS networks.

Huda et al. [14] proposed a semi-supervised approach to avoid manual updating of the detection engine. This approach uses a hybridized training procedure combining feature processing, feature selection, unsupervised clustering and supervised training, which makes the database update procedure very complex [14]. ICS master terminal units (MTUs) and remote terminal units (RTUs) have limited computational resources, run on comparatively old operating systems (OSs) and are operated differently from traditional IT computing resources. A complex database update procedure could therefore disrupt regular operation of the ICS network, or such a complex updating system [14] may be difficult to implement on these MTUs/RTUs. A simplified approach for discovering the behavioral variations in new variants and updating the engine's knowledge base without any manual effort is therefore a critical research question, and is the main direction of our current work.

Deep learning is an emerging [35] technique that is extensively used in many pattern recognition problems because of its capability to learn from unlabeled data. In this work we propose two cyber-threat detection models for CoT based ICS networks, both based on the deep belief network (DBN). In the first proposed model, we use disjoint training and testing sets with the DBN. By applying obfuscation techniques including polymorphism and metamorphism, malware authors generate numerous variations of malware, which changes the attack patterns dynamically. The explosive growth of new variants can be used for extracting new and unknown patterns. In our second proposed model, we use all available known/labeled and unlabeled executables for training the DBN, which provides additional knowledge of hidden patterns from the new variants. The novelty of the proposed DBN based detection models is that their training procedure is similar to the semi-supervised approach in its adaptive nature, but the DBN based models do not require any additional processing such as feature reduction and unsupervised clustering before supervised training. This makes the training procedure simpler and more feasible to implement in ICS networks.

When the DBN is trained with all available (labeled and unlabeled) data, which is possible because its pre-training is completely unsupervised and requires no labeling, it can learn the hidden intrinsic patterns of new unlabeled malware data through a layered representation in which higher layers represent more abstract characteristics of malware behavior. Each higher layer learns and constructs behavioral features from the features of the layers below it, forming more significant features. The trained DBN can then easily be used in the detection engine. However, the performance of a DBN varies with its configuration, so its hyper-parameters must be set appropriately. Generally, the mini-batch size, weight initialization, number of epochs, number of hidden layers and units in each layer, learning rate and momentum constitute the set of hyper-parameters. In this work we obtain an optimal DBN by iteratively varying the structure of the DBN and the number of epochs. Our proposed models can thus extract changes in the attack patterns in an unsupervised manner from incoming unlabeled executables through a simplified training procedure using optimal DBN structures. This keeps the detection engine up to date automatically, without manual effort. The proposed DBN based model can be used in the process control network layer [[21], [37]] of an industrial control system as an intrusion detection system [[13], [37]].
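To make the two-stage procedure above concrete, the following is an added example in pure Python and is not the authors' code (the paper does not publish its implementation). It stacks restricted Boltzmann machines trained with one-step contrastive divergence (CD-1) into a small DBN, pre-trains that DBN without labels on labeled and unlabeled API-presence vectors together, fits a logistic-regression output layer (standing in for the paper's ANN) on the labeled half only, and runs the kind of configuration search the paper describes over layer sizes, epochs and learning rate, scored on held-out labeled samples. The feature vectors, the column meanings, the grid and the 50/50 split are constructed assumptions; mini-batches and momentum are left out for brevity.

```python
import math
import random

# Constructed binary API-presence vectors (not the paper's test-bed data).
# Column order assumed: CreateFileW, WriteFile, RegSetValueExW, CreateProcessW,
# InternetConnectA, ReadFile, GetSystemTimeAsFileTime, CloseHandle.
LABELED = [  # (vector, label): 1 = malware, 0 = benign
    ([1, 1, 1, 1, 1, 0, 0, 0], 1), ([1, 1, 1, 0, 1, 0, 0, 0], 1),
    ([0, 1, 1, 1, 1, 0, 0, 0], 1), ([1, 1, 0, 1, 1, 0, 0, 0], 1),
    ([1, 0, 0, 0, 0, 1, 1, 1], 0), ([1, 0, 0, 0, 0, 1, 0, 1], 0),
    ([0, 0, 0, 0, 0, 1, 1, 1], 0), ([1, 0, 0, 0, 0, 0, 1, 1], 0),
]
UNLABELED = [[1, 1, 1, 1, 0, 0, 0, 0], [0, 1, 1, 1, 1, 0, 0, 1],  # new executables,
             [1, 0, 0, 0, 0, 1, 1, 0], [0, 0, 0, 0, 0, 1, 1, 1]]  # no labels available

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class RBM:
    """One restricted Boltzmann machine layer trained with CD-1; a DBN is a
    greedy stack of these."""
    def __init__(self, n_vis, n_hid, rng=None):
        self.rng = rng or random.Random(0)
        self.W = [[self.rng.gauss(0.0, 0.1) for _ in range(n_hid)] for _ in range(n_vis)]
        self.vb, self.hb = [0.0] * n_vis, [0.0] * n_hid

    def hidden(self, v):
        return [sigmoid(self.hb[j] + sum(v[i] * self.W[i][j] for i in range(len(v))))
                for j in range(len(self.hb))]

    def visible(self, h):
        return [sigmoid(self.vb[i] + sum(h[j] * self.W[i][j] for j in range(len(h))))
                for i in range(len(self.vb))]

    def cd1(self, v0, lr):
        """Positive phase on the data, one Gibbs step, negative phase on the
        reconstruction; returns the squared reconstruction error."""
        h0 = self.hidden(v0)
        v1 = self.visible([1.0 if self.rng.random() < p else 0.0 for p in h0])
        h1 = self.hidden(v1)
        for i in range(len(v0)):
            for j in range(len(h0)):
                self.W[i][j] += lr * (v0[i] * h0[j] - v1[i] * h1[j])
            self.vb[i] += lr * (v0[i] - v1[i])
        for j in range(len(h0)):
            self.hb[j] += lr * (h0[j] - h1[j])
        return sum((a - b) ** 2 for a, b in zip(v0, v1))

def pretrain_dbn(vectors, layer_sizes, epochs, lr, seed=0):
    """Unsupervised greedy layer-wise pre-training. Labels are never consulted,
    so labeled and unlabeled executables can be mixed freely here."""
    rng = random.Random(seed)
    layers, data = [], [[float(x) for x in v] for v in vectors]
    for n_hid in layer_sizes:
        rbm = RBM(len(data[0]), n_hid, rng)
        for _ in range(epochs):
            for v in data:
                rbm.cd1(v, lr)
        layers.append(rbm)
        data = [rbm.hidden(v) for v in data]  # the next RBM models these codes
    return layers

def encode(layers, v):
    for rbm in layers:
        v = rbm.hidden(v)
    return v

def train_classifier(feats, labels, epochs, lr):
    """Supervised output layer (logistic regression via SGD), fitted on the DBN
    codes of labeled samples only."""
    w, b = [0.0] * len(feats[0]), 0.0
    for _ in range(epochs):
        for x, y in zip(feats, labels):
            g = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            w = [wi - lr * g * xi for wi, xi in zip(w, x)]
            b -= lr * g
    return w, b

def predict(w, b, x):
    return 1 if sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) > 0.5 else 0

def accuracy(w, b, feats, labels):
    return sum(predict(w, b, x) == y for x, y in zip(feats, labels)) / len(labels)

def select_dbn(labeled, unlabeled, grid, seed=0):
    """Configuration search over (layer sizes, epochs, learning rate): pre-train
    on everything, fine-tune on half of the labeled data, score on the other
    half, keep the configuration with the best held-out accuracy."""
    train, held = labeled[::2], labeled[1::2]
    best = None
    for layer_sizes, epochs, lr in grid:
        layers = pretrain_dbn([v for v, _ in labeled] + unlabeled, layer_sizes, epochs, lr, seed)
        w, b = train_classifier([encode(layers, v) for v, _ in train], [y for _, y in train], 200, 0.5)
        acc = accuracy(w, b, [encode(layers, v) for v, _ in held], [y for _, y in held])
        if best is None or acc > best["acc"]:
            best = {"acc": acc, "config": (layer_sizes, epochs, lr), "layers": layers, "clf": (w, b)}
    return best

if __name__ == "__main__":
    best = select_dbn(LABELED, UNLABELED, [([4], 10, 0.1), ([6, 3], 10, 0.1), ([4], 30, 0.05)])
    print("best config", best["config"], "held-out accuracy", best["acc"])
```

Note that `pretrain_dbn` here sees every vector, including the held-out ones, which mirrors the paper's second model (unsupervised learning from all available executables). When reproducing the first model's disjoint evaluation, pass only the training vectors to pre-training; otherwise the reported accuracy is for a detector whose unsupervised stage has already seen the test distribution.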

The rest of the paper is organized as follows. The next section describes a mathematical formulation of the problem and motivation of DBN based approach. Section 3 describes the proposed approaches with their mathematical formulations, different metrics to extract intrinsic characteristics of new variants, and training procedures of detection systems. This section also describes a sandbox environment to collect dynamic behavior based features. Experimental results and analysis are given in Section 4 followed by a conclusion in Section 5.

Problem formulation

Cloud assisted Internet of Things (CoT) [[6], [15], [24], [28]] is extensively used and integrated into the ICS of today's industrial systems. This has many advantages over a conventional ICS, including faster computation, the availability of huge storage facilities, and central monitoring and control of RTUs and CoT devices from remote corporate locations, resulting in an enormous increase in productivity and economic benefit for industries [[3], [11], [19], [20], [36]]. Although this integration

Proposed DBN based detection models

In this section, we present the proposed DBN based detection models. The detailed design of our proposed threat detection model is presented as an architecture in Fig. 2. The proposed models have several components: triggering the malware in a virtual machine and collecting behavioral logs, preprocessing the log files and extracting features, training the DBN, and finally detecting malware with automatic database update. The next sections describe the

Malware data set, feature extraction, results and discussion

To demonstrate the efficiency of our proposed approach to malware detection, experimental data from [14] and VX Heaven are used. A total of 485 executables were collected manually from various versions of Win32 based systems. The total number of malware samples used in our experiments is 967. The malware and their types used in the experiment are presented in Table 1. All executable files are run in the sandbox environment [14] and then the API
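The log-preprocessing and feature-extraction stage of the architecture is where an adaptive detector either sees or misses a new variant: the run-time API usage shown in Fig. 1 only becomes a feature if the API name is in the detector's vocabulary. The following is an added example, not code from the paper or from the sandbox of [14]. It parses constructed behaviour-monitor traces (the record layout, process ids and API names are assumptions) into binary or count vectors over an API vocabulary, and shows that a vocabulary built from labeled samples alone silently drops calls that only unlabeled executables exhibit, which is the gap the second model closes by learning from unlabeled data.

```python
import re
from collections import Counter

# Constructed behaviour-monitor traces standing in for sandbox logs (these are
# not the authors' data). Record format assumed: "<pid> <api>(<args>)".
TRACE_MALWARE = r"""
1204 CreateFileW(C:\Users\u\AppData\x.exe)
1204 WriteFile(h=0x1c)
1204 RegSetValueExW(HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
1204 CreateProcessW(C:\Users\u\AppData\x.exe)
1204 InternetOpenA(Mozilla/4.0)
1204 InternetConnectA(198.51.100.7:80)
"""
TRACE_BENIGN = r"""
3310 CreateFileW(C:\Users\u\Documents\report.docx)
3310 ReadFile(h=0x20)
3310 GetSystemTimeAsFileTime()
3310 CloseHandle(h=0x20)
"""
# An unlabeled executable whose trace uses APIs the labeled set never showed.
TRACE_UNLABELED = r"""
4021 CreateFileW(C:\Users\u\Documents\budget.xlsx)
4021 CryptEncrypt(h=0x44)
4021 WriteFile(h=0x44)
4021 DeleteFileW(C:\Users\u\Documents\budget.xlsx)
"""

CALL_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z_][A-Za-z0-9_]*)\(")

def api_calls(trace):
    """Count API names in one trace; malformed lines are ignored rather than
    allowed to crash the feature extractor."""
    counts = Counter()
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def build_vocab(traces):
    """Fixed feature order: every API name seen across the given traces."""
    names = set()
    for t in traces:
        names.update(api_calls(t))
    return sorted(names)

def vectorize(trace, vocab, binary=True):
    """Map a trace onto the vocabulary. Returns (vector, dropped), where dropped
    is the number of calls to APIs outside the vocabulary, i.e. behaviour the
    detector cannot see until the vocabulary is rebuilt from new samples."""
    idx = {name: i for i, name in enumerate(vocab)}
    vec, dropped = [0] * len(vocab), 0
    for name, n in api_calls(trace).items():
        if name in idx:
            vec[idx[name]] = 1 if binary else n
        else:
            dropped += n
    return vec, dropped

def feature_matrix(traces, vocab, binary=True):
    return [vectorize(t, vocab, binary)[0] for t in traces]

if __name__ == "__main__":
    labeled_vocab = build_vocab([TRACE_MALWARE, TRACE_BENIGN])
    full_vocab = build_vocab([TRACE_MALWARE, TRACE_BENIGN, TRACE_UNLABELED])
    _, dropped = vectorize(TRACE_UNLABELED, labeled_vocab)
    print("APIs first seen in unlabeled data:", sorted(set(full_vocab) - set(labeled_vocab)))
    print("calls invisible to a detector built on labeled data only:", dropped)
```

Rebuilding the vocabulary changes the input width of the DBN, so in practice the vocabulary is frozen per model version and the dropped-call count is logged per sample: a rising count on incoming unlabeled executables is the signal that the feature set, and the DBN behind it, needs to be retrained.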

Conclusion

SCADA systems are increasingly being integrated through cloud and IoT platforms. This facilitates low-cost data acquisition and transmission and easy multi-user decentralized remote monitoring. Devices in ICS were initially manufactured to run on isolated networks and therefore had low security measures. Because of this integration, SCADA networks over open TCP/IP networks are exposed to severe malicious threats. Since the characteristics of ICS networks and their operations (which mostly run on real

Acknowledgments

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its participation in funding this research group, No. RGP-1436–039.

References (37)

  • N.V. Chawla et al., SMOTE: Synthetic minority over-sampling technique, J. Artificial Intelligence Res. (2002)
  • M. Cheminod et al., Review of security issues in industrial networks, IEEE Trans. Ind. Inf. (2013)
  • A.A. Cárdenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, S. Sastry, Challenges for securing cyber physical systems, in:...
  • Z. DeSmit et al., An approach to cyber-physical vulnerability assessment for intelligent manufacturing systems, J. Manuf. Syst. (2017)
  • Y. Dhillon et al., Efficient clustering of very large document collections, Data Mining Sci. Eng. Appl. (2001)
  • C.-I. Fan, H.-W. Hsiao, C.-H. Chou, Y.-F. Tseng, Malware detection systems based on API log data mining, in: IEEE 39th...
  • P. Hehenberger et al., Design, modelling, simulation and integration of cyber physical systems: Methods and applications, Comput. Ind. (2016)
  • A.K. Hemangi Laxman Gawanda, K.R. Bhattacharjee, Online monitoring of a cyber physical system against control aware...

Shamsul Huda received his Ph.D. degree in computer science. He is a Lecturer in the School of Information Technology, Deakin University, Australia. He has published more than 50 journal and conference papers in well reputed journals, including IEEE Transactions. His main research areas are information security, cyber–physical systems, computational intelligence and machine learning. Before joining Deakin, he worked at Federation University as a Research Fellow. Dr Huda worked as an Assistant Professor in the Computer Science Department of Khulna University of Engineering and Technology (KUET), Bangladesh.

Suruz Miah is currently an Assistant Professor in the Department of Electrical and Computer Engineering (ECE) at Bradley University. Dr. Miah is interested in pursuing research in the broad area of cyber–physical systems. In particular, he conducts research on mobile robot navigation, control systems, mechatronics, multi-agent systems and control, and applications of Radio Frequency Identification (RFID) technology. He is currently a research member of the Cyber-Physical Systems laboratory at Bradley and the Machine Intelligence, Robotics, and Mechatronics (MIRaM) laboratory at the University of Ottawa. Dr. Miah is an author/co-author of more than 40 technical papers published in leading journals and conference proceedings.

John Yearwood received his Ph.D. degree in computer science. Professor Yearwood is the Head of the School of Information Technology, Deakin University, Australia. His main research areas are machine learning, optimization and information security. He has published two books and over 200 refereed journal, book chapter and conference articles. Professor Yearwood was the Editor-in-Chief of the Journal of Research and Practice in Information Technology, and is a reviewer for many journals.

Sultan Alyahya received his Ph.D. degree in Computer Science from Cardiff University, UK, in 2013. He also received his M.Sc. degree in Information Systems Engineering from the same university in 2007. His B.Sc. degree was obtained with honors in information systems from King Saud University. Dr. Sultan is currently an assistant professor at the College of Computer and Information Sciences, King Saud University. His main research interests are in the fields of Software Project Management, Agile Development and Computer Supported Co-operative Work (CSCW).

Hmood Al-Dossari is an Assistant Professor in the College of Computer and Information Sciences at King Saud University. He holds an M.S. and a Ph.D. in Computer Science from King Saud University and Cardiff University respectively. His research interests include quality of service assessment, trust and reputation management systems, human-computer interaction, sentiment analysis and social mining. He has several publications in international journals and conferences, has attended various conferences and has presented many seminars.

Robin Doss is the Deputy Head of the School of Information Technology at Deakin University, Australia. Robin leads the Internet of Things (IoT) and Cyber Physical Systems (CPS) security program at the Deakin Centre for Cyber Security Research (CSSR) and is the Co-Director of the IoT research cluster at Deakin University, Australia. His research has been funded by the National Security Science and Technology (NSST) branch of the Office of National Security in collaboration with the Defence Signals Directorate (DSD), the Australian Research Council (ARC) and industry partners. From 2008–2009. The high quality of his research is best evidenced by his strong track record of publications in high impact technical journals (IEEE Transactions) and top conferences (IEEE GLOBECOM, IEEE PERCOM, IEEE ICC), with more than 75 such publications. He is a senior member of the IEEE, founding chair of the Future Network Systems and Security (FNSS) conference series and associate editor of the Journal of Cyber Physical Systems.
