Lin Zhao,Bohu Li,Mu Gu

DOI: https://doi.org/10.1007/978-3-031-28990-3_21

2023-01-01

Abstract:With the rapid development of Internet of Things (IoT), the applications of cloud manufacturing system are growing dramatically, resulting in increasing network heterogeneity and complexity. Network traffic prediction plays an important role in the stable operation of cloud manufacturing systems and the optimal configuration of network systems. However, existing works perform poorly confronting the data which has long time series properties and complex temporal features. To address this problem, we construct a malicious network traffic prediction model based on long and short-term memory (LSTM) neural network and dual attention mechanism. Integrated with the dual attention units of feature space and time sequence, our LSTM model can realize the dynamic correlation between malicious traffic and features series. We first obtain the weight parameters of the input data based on feature attention mechanism, and then leverage LSTM model with the attention mechanism to form a temporal attention module. These two modules strengthen the influence of key historical information. Finally, the malicious traffic prediction result of cloud manufacturing systems can be obtained from our model. The experimental results on real industrial dataset show that the prediction effect of LSTM-DAM model is better than LSTM and CNN-LSTM. Based on CIC-IDS-2017 dataset, the method also performs well in Internet malicious traffic prediction, representing great generalization ability.

Laisen Nie,Zhaolong Ning,Xiaojie Wang,Xiping Hu,Jun Cheng,Yongkang Li

DOI: https://doi.org/10.1109/tnse.2020.2990984

IF: 6.6

2020-01-01

IEEE Transactions on Network Science and Engineering

Abstract:As an industrial application of Internet of Things (IoT), Internet of Vehicles (IoV) is one of the most crucial techniques for Intelligent Transportation System (ITS), which is a basic element of smart cities. The primary issue for the deployment of ITS based on IoV is the security for both users and infrastructures. The Intrusion Detection System (IDS) is important for IoV users to keep them away from various attacks via the malware and ensure the security of users and infrastructures. In this paper, we design a data-driven IDS by analyzing the link load behaviors of the Road Side Unit (RSU) in the IoV against various attacks leading to the irregular fluctuations of traffic flows. A deep learning architecture based on the Convolutional Neural Network (CNN) is designed to extract the features of link loads, and detect the intrusion aiming at RSUs. The proposed architecture is composed of a traditional CNN and a fundamental error term in view of the convergence of the backpropagation algorithm. Meanwhile, a theoretical analysis of the convergence is provided by the probabilistic representation for the proposed CNN-based deep architecture. We finally evaluate the accuracy of our method by way of implementing it over the testbed.

Xiaodong Zang,Tongliang Wang,Xinchang Zhang,Jian Gong,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110598

IF: 5.493

2024-01-01

Computer Networks

Abstract:The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Linfeng Wu,Wei Ruan,Keda Sun,Liang Chen,Liu Yang,Tingting Ye

DOI: https://doi.org/10.1109/ICNSC52481.2021.9702185

2021-01-01

Abstract:At present, the security situation in the industrial internet is becoming more and more serious. Various threats such as network attacks, malicious code and vulnerability utilization are gradually increasing. Consequently, it is urgent to study industrial threat detection methods. In order to tackle typical network attacks, system vulnerabilities and malicious operations, a real-time intelligent industrial threat detection method is proposed by analyzing the network data in the industrial control system. Particularly, artificial intelligence technique, adversarial sample generation technique and deep learning model are used in the method. Besides, the proposed method is achieved in the real network, and the corresponding industrial threat detection platform is developed. The results show that the developed threat detection platform can detect a variety of typical network attacks, system vulnerabilities, malicious code, etc. At the same time, the platform has good throughput and compatibility and is suitable for the actual industrial environment.

Xinghua Li,Mengfan Xu,Pandi Vijayakumar,Neeraj Kumar,Ximeng Liu

DOI: https://doi.org/10.1109/tvt.2020.2995133

IF: 6.8

2020-01-01

IEEE Transactions on Vehicular Technology

Abstract:The increasingly sophisticated cyber attacks have become a serious challenge for Industrial Internet of Things (IIoT), which presents two new characteristics: low frequency and multi-stage. That is, hackers could gain authority to attack industrial equipment/infrastructure gradually in a long interval through lurking, lateral intrusion and privilege escalation. While, the existing Machine Learning (ML) based intrusion detection schemes all require the participation of expert knowledge, so it is difficult to adaptively select an attack interval and a retraining period of the detection model in IIoT, resulting in poor detection performance. To solve above problems, a bidirectional long and short-term memory network with multi-feature layer (B-MLSTM) is designed. Firstly, sequence and stage feature layers are introduced in the model training phase model which can learn the corresponding attack interval from historical data, so that the model can effectively detect attacks with different intervals. Then, a double-layer reverse unit is introduced to update the detection model. By collecting information from test data and making association analysis with historical data, the retraining period is adaptively selected to match the new attack interval. Compared with the previous works, our proposed scheme has a lower false positive rate than existing schemes by at least 46.79%, and the false negative rate is reduced by at least 79.85%, which are carried out on three classic IIoT datasets.

Kai Jin,Lei Zhang,Yujie Zhang,Duo Sun,Xiaoyuan Zheng

DOI: https://doi.org/10.3390/electronics12204329

IF: 2.9

2023-10-19

Electronics

Abstract:The current mainstream intrusion detection models often have a high false negative rate, significantly affecting intrusion detection systems' (IDSs) practicability. To address this issue, we propose an intrusion detection model based on a multi-scale one-dimensional convolutional neural network module (MS1DCNN), an efficient channel attention module (ECA), and two bidirectional long short-term memory modules (BiLSTMs). The proposed hybrid MS1DCNN-ECA-BiLSTM model uses the MS1DCNN module to extract features with a different granularity from the input data and uses the ECA module to enhance the weight of important features. Finally, the model carries out sequence learning through two BiLSTM layers. We use the dung beetle optimizer (DBO) to optimize the hyperparameters in the model to obtain better classification results. Additionally, we use the synthetic minority oversampling technique (SMOTE) to fill several samples to reduce the local false negative rate. In this paper, we train and test the model using accurate network data from a water storage industrial control system. In the multi-classification experiment, the model's accuracy was 97.04%, the precision was 97.17%, and the false negative rate was 2.95%; in the binary classification experiment, the accuracy and false negative rate were 99.30% and 0.7%. Compared with other mainstream methods, our model has a higher score. This study provides a new algorithm for the intrusion detection of industrial control systems.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chaopeng Li,Jinlin Wang,Xiaozhou Ye

DOI: https://doi.org/10.14704/nq.2018.16.5.1391

2018-01-01

NeuroQuantology

Abstract:In the studies of intrusion detection/prevention systems (IDS/IPS) and network security situational awareness, malicious traffic detection has been given significantly more attention to prevent malicious traffic. Meanwhile, with the development of machine learning technology, an increasing number of algorithms and models have been employed for attack detection. Previous studies generally used common and typical machine learning models such as SVM, KNN, or a random forest. However, the bottleneck of these types of approaches is two-fold. The input of the model is constructed using the feature engineering method of artificially designed representation, which requires a substantial amounts expertise. Additionally, most detection methods ignore the temporal information between network packets in one micro-flow. In this paper, we regard malicious traffic detection as a classification task and propose a hybrid model that combines a recurrent neural network (RNN) with restricted Boltzmann machines (RBM) which take byte-level raw data as input without feature engineering. Specifically, distributed embedding is utilized to pre-process network data to make it more suitable for deep neural network models. Subsequently, an RBM model is used to extract the feature vectors of the network packets and an RNN model is used to extract the flow feature vector. Finally, the flow vectors are sent to the Softmax layer to obtain the detection result. Experiments based on the ISCX-2012 and DARPA-1998 published datasets show that our proposed RNN-RBM model has a greater detection accuracy, recall rate, and lower false alarm rate than most traditional machine learning models. This proves the effectiveness of the proposed RNN-RBM model in malicious traffic detection.

Jiadai Wang,Jiajia Liu

DOI: https://doi.org/10.1109/jiot.2021.3126633

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Software-defined networking (SDN) has become an attractive solution to carry out centralized and efficient control in Industrial Internet of Things (IIoT). However, its security has received little attention when applied to IIoT, and no comprehensive consideration has been given to attacks against forwarding nodes (FNs), the basic elements of the data plane. Therefore, in this article, we aim to investigate attacks against FNs from multiple perspectives in software-defined IIoT. To the best of our knowledge, we are the first to systematically consider this kind of attacks. Since it is difficult to predeploy all defense methods against various attacks, we propose a deep reinforcement learning (DRL)-based general attack tolerance scheme to guide the benign traffic flow bypass the attacked FNs. Furthermore, in view of the situation that the real data set is rare and the standard model-based data set is likely to be impractical, we use generative adversarial network (GAN), a representative deep generative model (DGM), to flexibly generate real-like network traffic for more sufficient and effective experimental verification on the attack tolerance scheme. Experimental results show that our proposed scheme can significantly improve the successful arrival rate of IIoT traffic and achieve near-optimal results.

Mahmoud Said Elsayed,Nhien-An Le-Khac,Soumyabrata Dev,Anca Delia Jurcut

DOI: https://doi.org/10.1109/ISNCC49221.2020.9297358

2020-01-01

Abstract: With the rapid technological advancements, organizations need to rapidly scale up their information technology (IT) infrastructure viz. hardware, software, and services, at a low cost. However, the dynamic growth in the network services and applications creates security vulnerabilities and new risks that can be exploited by various attacks. For example, User to Root (U2R) and Remote to Local (R2L) attack categories can cause a significant damage and paralyze the entire network system. Such attacks are not easy to detect due to the high degree of similarity to normal traffic. While network anomaly detection systems are being widely used to classify and detect malicious traffic, there are many challenges to discover and identify the minority attacks in imbalanced datasets. In this paper, we provide a detailed and systematic analysis of the existing Machine Learning (ML) approaches that can tackle most of these attacks. Furthermore, we propose a Deep Learning (DL) based framework using Long Short Term Memory (LSTM) autoencoder that can accurately detect malicious traffics in network traffic. We perform our experiments in a publicly available dataset of Intrusion Detection Systems (IDSs). We obtain a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our method provides great confidence in securing these networks from malicious traffic.

Zixiao Zhao,Qinghe Du,Houbing Song

DOI: https://doi.org/10.1109/tii.2022.3218722

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:The fifth generation network offers a powerful infrastructure for Industrial internet of things (IoT) in that its support on massive machine-type communications (mMTC). Recently, grant-free access has been recognized as the promising new access approach for mMTC; however, it also introduces the potential risk. To timely discover intrusion, in this article, we propose a learning network by extracting traffic load information from the states (success, collision, and idle) of access resources observed at media access control and physical layers. In particular, our learning network consists of three concatenated function modules, i.e., traffic load estimation, traffic load prediction, and intrusion identification. Moreover, our proposed learning network is able to identify two types of intrusion, i.e., false data dissemination and congestion attack. Simulation results indicate that the proposed scheme can effectively capture the number of active devices, provide reasonable prediction by using history records, and eventually, achieve more accurate detection compared with baseline approaches.

Yingxu Lai,Jingwen Zhang,Zenghui Liu

DOI: https://doi.org/10.1155/2019/8124254

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:The massive use of information technology has brought certain security risks to the industrial production process. In recent years, cyber-physical attacks against industrial control systems have occurred frequently. Anomaly detection technology is an essential technical means to ensure the safety of industrial control systems. Considering the shortcomings of traditional methods and to facilitate the timely analysis and location of anomalies, this study proposes a solution based on the deep learning method for industrial traffic anomaly detection and attack classification. We use a convolutional neural network deep learning representation model as the detection model. The original one-dimensional data are mapped using the feature mapping method to make them suitable for model processing. The deep learning method can automatically extract critical features and achieve accurate attack classification. We performed a model evaluation using real network attack data from a supervisory control and data acquisition (SCADA) system. The experimental results showed that the proposed method met the anomaly detection and attack classification needs of a SCADA system. The proposed method also promotes the application of deep learning methods in industrial anomaly detection.

Jinhui Ning,Guan Gui,Yu Wang,Jie Yang,Bamidele Adebisi,Song Ci,Haris Gacanin,Fumiyuki Adachi

DOI: https://doi.org/10.1109/jiot.2021.3131981

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Malware traffic classification (MTC) is a key technology for anomaly and intrusion detection in secure Industrial Internet of Things (IIoT). Traditional MTC methods based on port, payload, and statistic depend on the manual-designed features, which have low accuracy. Recently, deep-learning methods have attracted a significant attention due to their high accuracy in terms of classification. However, in practical application scenarios, deep-learning methods require a large amount of labeled samples for training, while the available labeled samples for training are very rare. Furthermore, the preparation of a large amount of labeled samples requires a lot of labor costs. To solve these problems, this article proposes three methods based on semisupervised learning (SSL), transfer learning (TL), and domain adaptive (DA), respectively. Our proposed methods use a large amount of unlabeled data collected in the Internet traffic, which can greatly improve the classification accuracy with few labeled samples. Then, we use the DA method to solve the mismatch problem between the source domain and the target domain in the TL process. The proposed method is not only applicable to the shallow network but also to the deep neural network structure, and can achieve better classification results. Experimental results show that our proposed methods can satisfy the requirement of MTC in the case of few labeled samples in IIoT. The source code for all the experiments is available at GitHub.The code of this article can be downloaded from GitHub link: https://github.com/yzjh/Keras-MTC-DA-Ladder.

Maoli Wang,Bowen Zhang,Xiaodong Zang,Kang Wang,Xu Ma

DOI: https://doi.org/10.3390/math11183951

IF: 2.4

2023-09-18

Mathematics

Abstract:The proliferation of smart devices in the 5G era of industrial IoT (IIoT) produces significant traffic data, some of which is encrypted malicious traffic, creating a significant problem for malicious traffic detection. Malicious traffic classification is one of the most efficient techniques for detecting malicious traffic. Although it is a labor-intensive and time-consuming process to gather large labeled datasets, the majority of prior studies on the classification of malicious traffic use supervised learning approaches and provide decent classification results when a substantial quantity of labeled data is available. This paper proposes a semi-supervised learning approach for classifying malicious IIoT traffic. The approach utilizes the encoder–decoder model framework to classify the traffic, even with a limited amount of labeled data available. We sample and normalize the data during the data-processing stage. In the semi-supervised model-building stage, we first pre-train a model on a large unlabeled dataset. Subsequently, we transfer the learned weights to a new model, which is then retrained using a small labeled dataset. We also offer an edge intelligence model that considers aspects such as computation latency, transmission latency, and privacy protection to improve the model's performance. To achieve the lowest total latency and to reduce the risk of privacy leakage, we first create latency and privacy-protection models for each local, edge, and cloud. Then, we optimize the total latency and overall privacy level. In the study of IIoT malicious traffic classification, experimental results demonstrate that our method reduces the model training and classification time with 97.55% accuracy; moreover, our approach boosts the privacy-protection factor.

mathematics

Zhulian Chen,Aiqin Hou,Chase Q. Wu,Xinji Qu,Yukun Wang,Le Ru

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys60770.2023.00040

2023-01-01

Abstract:Software-Defined Networking (SDN) is a promising technology for the future Internet. However, the SDN paradigm opens the door to new attack vectors that do not exist in traditional networks, such as flow table overflow attacks and flow rule injection attacks, which traditional intrusion detection systems are no longer sufficient to identify. To address this problem, we propose a new method that uses deep learning for attack detection in an SDN environment. In this method, we first utilize fisher score to remove insignificant features, then design a network model combining bi-directional long short-term memory network (BiLSTM) and gated convolutional neural network (GCNN) to capture the spatio-temporal features of network traffic, and finally use a fully connected layer to perform seven classifications of data. We choose focal loss as the loss function due to the imbalance of samples. The proposed model is evaluated based on the InSDN dataset, which is the latest IDS dataset developed specifically for SDN environments, and the CIC-IDS2017 dataset. The results show that the proposed model improves the performance for anomaly detection and achieves an accuracy of 99.80% and 98.85% on the InSDN and CIC-IDS2017 datasets, respectively. This level of detection accuracy provides great confidence in protecting SDN networks from anomalous traffic.

Dan Li,Paritosh Ramanan,Nagi Gebraeel,Kamran Paynabar

DOI: https://doi.org/10.1109/icmla51294.2020.00075

2020-12-01

Abstract:Cybersecurity of Industrial Control Systems (ICS) is drawing significant concerns as data communication increasingly leverages wireless networks. A lot of data-driven methods were developed for detecting cyberattacks, but few are focused on distinguishing them from equipment faults. In this paper, we develop a data-driven framework that can be used to detect, diagnose, and localize a type of cyberattack called covert attacks on smart grids. The framework has a hybrid design that combines an autoencoder, a recurrent neural network (RNN) with a Long-Short-Term-Memory (LSTM) layer, and a Deep Neural Network (DNN). This data-driven framework considers the temporal behavior of a generic physical system that extracts features from the time series of the sensor measurements that can be used for detecting covert attacks, distinguishing them from equipment faults, as well as localize the attack/fault. We evaluate the performance of the proposed method through a realistic simulation study on the IEEE 14-bus model as a typical example of ICS. We compare the performance of the proposed method with the traditional model-based method to show its applicability and efficacy.

Yantian Luo,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.1109/ICC45855.2022.9838882

2022-01-01

Abstract:Due to the heterogeneity of Internet of Things (IoT) devices and the diversity of IoT communication protocols, it is challenging to defend against malicious traffic from IoT devices. In this paper, a novel malicious traffic detection method is proposed based on the deep learning method. Specifically, a Transformer-based encoder is designed to automatically select key features of IoT traffic for the detection task, which avoids the cumbersome feature screening process that has been widely used in traditional machine learning methods. To address the complexity of the feature space and improve the efficiency of model training, we exploit the correlation between the characteristics of malicious traffic and the device type of IoT bots to further improve the detection accuracy by introducing a device classification auxiliary loss in the training phase. Experimental results show that our method outperforms the state-of-the-art machine learning-based methods in terms of accuracy, precision, recall and f1-score on real IoT traffic traces. In addition, the benefit of device type information on detection efficiency is verified.

Zequn Niu,Jingfeng Xue,Dacheng Qu,Yong Wang,Jun Zheng,Hongfei Zhu

DOI: https://doi.org/10.1016/j.ins.2022.04.018

IF: 8.1

2022-01-01

Information Sciences

Abstract:The continuous emergence of new malware has been a severe threat to Industrial Internet of Things (IIoT), while identifying malware through detecting malicious traffic in encrypted, drift, and imbalanced traffic streams is a challenge. This paper proposes an approach based on adaptive online analysis to accurately determine the families of malware by analyzing traffic streams which are encrypted, drift, and imbalanced. This approach is based on Improved Adaptive Random Forests (IARF), to obtain the ability of adaptive update of parameters when processing new types of malware traffic in traffic streams and being sensitive to families of malware with few samples in imbalanced traffic. We build a prototype of this approach and evaluate the performance through experiments. The experiments are based on a mixed dataset composed of data from malware-traffic-analysis.net, Lastline Inc, MCFP dataset, and CTU-13 dataset. In addition, our approach is also compared with three state-of-the-art methods. The results of the experiments show that we have obtained a 99.66% F1-score in the classification of malware families, and our classifier also performs better than the other classifiers.

Mohammad Shahin,F. Frank Chen,Hamed Bouzary,Ali Hosseinzadeh,Rasoul Rashidifar

DOI: https://doi.org/10.1007/s00170-022-10259-3

IF: 3.563

2022-10-26

The International Journal of Advanced Manufacturing Technology

Abstract:Recently, Internet of things (IoT) devices have been widely implemented and technologically advanced in manufacturing settings to monitor, collect, exchange, analyze, and deliver data. However, this transition has increased the risk of cyber-attacks, exponentially. Subsequently, developing effective intrusion detection systems based on deep learning algorithms has proven to become a reliable intelligence tool to protect Industrial IoT devices against cyber threats. This paper presents the implementation of two different classifications and detection utilizing the long short-term memory (LSTM) architecture to address cybersecurity concerns on three benchmark industrial IoT datasets (BoT-IoT, UNSW-NB15, and TON-IoT) which take advantage of various deep learning algorithms. An overall analysis of the performance of the proposed models is provided. Augmenting the LSTM with convolutional neural network (CNN) and fully convolutional neural network (FCN) achieves state-of-the-art performance in detecting cybersecurity threats.

engineering, manufacturing,automation & control systems

Yantian Luo,Hancun Sun,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.23919/jcc.fa.2022-0783.202304

2023-01-01

China Communications

Abstract:In the upcoming large-scale Internet of Things (IoT), it is increasingly challenging to defend against malicious traffic, due to the heterogeneity of IoT devices and the diversity of IoT communication protocols. In this paper, we propose a semi-supervised learning-based approach to detect malicious traffic at the access side. It overcomes the resource-bottleneck problem of traditional malicious traffic defenders which are deployed at the victim side, and also is free of labeled traffic data in model training. Specifically, we design a coarse-grained behavior model of IoT devices by self-supervised learning with unlabeled traffic data. Then, we fine-tune this model to improve its accuracy in malicious traffic detection by adopting a transfer learning method using a small amount of labeled data. Experimental results show that our method can achieve the accuracy of 99.52% and the F1-score of 99.52% with only 1% of the labeled training data based on the CICDDoS2019 dataset. Moreover, our method outperforms the state-of-the-art supervised learning-based methods in terms of accuracy, precision, recall and F1-score with 1% of the training data.