Emerging framework for attack detection in cyber-physical systems using heuristic-based optimization algorithm

MiTM

MiTM (Man-in-the-Middle) is a hijack attack that silently monitors the observation of transmission of data between two smart terminal devices. It does not affect the data in the network, but it disrupts the privacy of information. MiTM acts as eavesdropping and poses an extreme threat to the cyber security of hypertext transfer protocol (HTTP) in transferring data. During its transmission of information, this type of attacker can modify the original data by inserting false information into it.

DDoS

A distributed denial of service (DDoS) is a distributed system that generates unwanted traffic in the network and is created by a malicious user. Legitimate users are unaware of the unwanted traffic when transmitting a huge volume of data. Therefore, legitimate users have to wait for a long time to transmit the information. DDoS creates a server down and catastrophe environment in the network.

Phishing

Phising is when attackers steal legitimate users’ identity details by convincing them via social media platforms. By using stolen user credentials, attackers steal sensitive information in the network.

Spamming

The technique of stealing legitimate users’ information through social media platforms by email, pop-up messages, advertisements, etc. is called spamming. Through spam messages, viruses or worms enter the system and steal the information and upload it to the remote server.

Jamming

In the network, the jamming device targets the cellular data and wireless communication network and it jams the legitimate user’s device. This results in harming the access to the user’s services in the network.

Sniffing & spoofing

In sniffing, the attackers concentrate on the network’s data link layer and put a sniffer packet then the user captures that packet, and their network communication gets hacked. In the case of spoofing, the attacker acts like a legitimate user and steals all credential details of the user, and accesses their network.

Injection of false data

The attacker transmits false information about data packets in the company’s network. As a result, it creates negative pricing, the wrong billing process, a downfall in the economy, and a loss of revenue for the company.

Replay attack

In the system, the attacker employs the fatal attack, which allows the replaying of the attacking process and generates the rebooting of the system, which stores its function of the system.

War dialing

In the war dialing process, the attacker disconnects the communication link of the user. By applying for the freeware program, it randomly dials the phone number and establishes the connection via modem. In the communication system, the attacker detects the loophole and establishes a new connection, and steals the sensitive information of the user.

Data collection

The attack detection in the cyber-physical system using DCNN-HMACO and the data set used in this work are UNSW-NB15, and TON_IoT Train_Test Network.

Pre-processing

In the detection of attacks in the cyber-physical system, data is collected from various smart terminal devices. The collected raw data may generate false detection of attacks in the network. Therefore, pre-processing is required. Figure 3 shows the pre-processing of CPS in DCNN-HMACO.

The pre-processing module contains an implementation of feature scaling using a normalization technique, one hot encoding, replacement of missing values, and removal of redundancy.

Feature scaling

The data collected from various smart terminals has various characteristics. Therefore, handling these collected raw data will mislead the detection of the network properly. This article uses the feature scaling process of normalization. It normalized the range of values in the dataset by using Min–Max scaling. The range of normalization is between 0 and 1.

(1) $$fea\mathrm{\prime }=\left(fea-min(fea))/(max(fea\right)-min(fea))$$

Here $fea\mathrm{\prime }$ is the normalized features in the dataset, $fea$ is the original features in the dataset,

$Min$ and $max$ are values of features in the dataset.

Response coding based on categorical feature

For encoding the categorical features of the dataset, response coding is used which classifies the features based on their category and represents the probability $\left(prob\right)$ of data instances in the category. This can be implemented by:

(2) $$Prob\left(F\right)=\frac{Prob(F\cap X)}{Prob(F)}$$

Here, X denotes the class F F denotes the category feature.

Replacement of missing values

Rearranging the features of the dataset in ascending order and evaluating the median value. Replacing all missing values based on a median value.

Redundancy removal

Accurate and efficient detection of attacks in the network is achieved by eliminating the irrelevant features of the dataset.

Feature extraction

Linear discriminant analysis (LDA) is used to extract features in the data set. Sample data were collected and classified into $p$ pattern classes, data in the $i^{th}$ class has samples of ${\sum }_{i=1}^{r}y$. The total samples were collected and defined as $a_j$. Choose the $j^{th}$ sample of $i^{th}$ class in $n^{th}$ column vector. Evaluate the projection vector which minimizes the distance between the samples in the data class. LDA is used to construct the projection vector of:

(3) $$n=argarg\frac{n^s{V}_{c}n}{n^s{V}_{z}n}$$

Here $V_c$ and $V_z$ are scatter matrices in and between classes. These scatter matrices are evaluated by using:

(4) $$V_c=\frac{1}{b}{\displaystyle \sum _{i=1}^x{b}_i\left(w_i-w\right){\left(w_i-w\right)}^s}$$

(5) $$V_z=\frac{1}{b}{\displaystyle \sum _{i=1}^x{\displaystyle \sum _{j=1}^{b_j}\left(d_j^i-w_i\right){\left(d_j^i-w_i\right)}^s}}$$

(6) $$n=argarg{n}^s\left(V_z-\lambda V_n\right)n$$

Here $n$ is the column vector of sample $i.$ $b$ is the constant value of magnitude and it is a positive value. After implementing the Eq. (6), $f$ features are selected from the dataset and form the projection of the feature vector.

Deep CNN

First, the DCNN with HMACO is applied for network attack detection, then LDA is used for the extraction of features from the dataset. The selection of features is implemented using DCNN. Traditionally, a deep convolutional neural network consists of the input layer, convolution layer, pooling layer, full connection layer, and output layer (Wang, 2020; Yao et al., 2023). In the convolution layer, features are extracted from the data in the dataset, and the outcome is transmitted into the lower layer. In this layer, the activation function is applied. In the pooling layer, sub-sampling reduces data from the convolution layer. In the full connection layer, nodes are connected with all nodes of the previous layer. The output layer is used to detect attacks in the network by using the softmax function. In this proposed work, attack detection in the network Deep CNN has been enhanced with the bagging operation. This bagging operation has replaced the output layer of traditional-based CNN. The outcome of the convolution layer and pooling layer are fed as input to the bagging concept of the ensemble-based classifier. The detection of attack in the network is based on the maximum voting of the ensemble classifier. The architecture of Deep Bagging CNN is shown in Fig. 4 where the bagging method is used in the training of the network model.

Let us consider N as the number of network layers. Assume that the kernel size of the convolution network is $k$. The dimension of the kernel matrix is defined as D. The procedures involved in the DBCNN are given as follows:

Input: Data set D, Number of features $fn$.

Step 1: Initialize parameters of weight $w$t, bias $bi$ and the maximum number iteration $iter$ and the threshold $\epsilon$.

Step 2: In the training phase, the network model is trained by forward propagation, and backward propagation along with updating the weight between the layers, and bias value.

Step 3: The forward propagation phase, train the data set with given as input and its output is evaluated by:

Step 4: $Forconvl=2toN-1$

a) If $convl$ is the convolution layer, then the missing data after filling ( $a^{convl}$) is represented in Eq. (7)

(7) $$a^{convl}=ReLU\left(z^{convl}\right)=ReLU(a^{convl}\times w{t}^{convl}+b{i}^{convl})$$

b) If $convl$ is the pool layer then,

(8) $$a^{convl}=pool(a^{convl-1})$$

c) If $convl$ is a full connection layer then,

(9) $$a^{convl}=\sigma \left(z^{convl}\right)=\sigma (w{t}^{convl}{a}^{convl-1}+b{i}^{convl})$$

Step 5: End for

Step 6: The output layer of $ol$ is represented in Eq. (10)

(10) $$a^L=softmax\left(z^{oL}\right)=softmax(w{t}^{oL}{a}^{oL-1}+b{i}^{oL})$$

Step 7:In the Backward propagation phase, the error is evaluated between actual output with its corresponding output.

Step 8: $Forconvl=2toN-1$

a) If $convl$ is the fully connection layer then,

(11) $${\delta }^{i,convl}=(w{t}^{convl+1}{)}^T.{\delta }^{i,convl+1}\ominus \sigma (z^{i,convl})$$

b) If $convl$ is the convolution layer then,

(12) $${\delta }^{i,convll}={\delta }^{i,convl}\times rot{}^{180}w{t}^{convl+1}\ominus \sigma (z^{i,convl})$$

c) If $convl$ is pool layer then,

(13) $$a^{convl}=upsample({\delta }^{i,convl+1})\ominus \sigma (z^{i,cconvl})$$

Step 9: End for

Step 10: To minimize the error rate, update the weight and bias

Step 11: $Forcl=2toN-1$

a) If $convl$ is the fully connection layer then,

(14) $$w{t}^{convl}=w{t}^{convl}-\alpha {\displaystyle \sum _{i=1}^m{\delta }^{i,convl}{(a^{i,convl-1})}^{iter}}$$

(15) $$b{i}^{convl}=b{i}^{convl}-\alpha {\displaystyle \sum _{i=1}^m{\delta }^{i,convl}}$$

b) If $convl$ is the convolution layer then,

(16) $$w{t}^{convl}=w{t}^{convl}-\alpha {\displaystyle \sum _{i=1}^n{\delta }^{i,convl}\times (a^{i,convl-1})}$$

(17) $$b{i}^{convl}=b{i}^{convl}-\alpha {\displaystyle \sum _{i=1}^m{\displaystyle \sum _{\mu ,v}{\left({\stackrel{\mathrm{..}}{\text{a}}}^{i,convl}\right)}_{\mu ,v}}}$$

Step 12: End for

Step 13: Terminate condition of DCNN using:

$$if(\left|\left|a^{it+1}-a^{it}\right|\right|<\epsilon orit<iterthenloopends$$

Step 14: Else go to step 1.

Step 15: Implementing the Bagging process by using:

M is the number of base classifiers and the classification label is defined as Q = $\{$−1.+1 $\}$. The bagging method is declared in Eq. (18)

(18) $$Q=G\left(x\right)=sign({\displaystyle \sum _{i=1}^N{g}_i(x)}$$

Step 8: Output: return Q and the relation coefficient matrix $wt$ and $bi$.

Hence, the DCNN is used to select the optimal relevant features. To minimize the error rate and loss function, the Heuristic Multiswarm Ant colony Optimization (HMACO) is applied.

Heuristic multiswarm ant colony optimization HMSACO

The HMSACO algorithm is implemented for the optimal detection of attacks in the network. The implementation process of HMSACO contains $CN=\left\{c{n}_1,c{n}_2,\dots ,c{n}_m\right\}$ set of components (nodes) or features and E represents the collection of edges. A finite set of possible connections in the elements of CN is defined by a subset of CN of the Cartesian product of $CN\times CN$,

(19) $$E=\left\{\left(e_{c{n}_i,c{n}_j}\right)\in CN\right\},E=\left\{e_{c{n}_i,c{n}_j}|\left(c{n}_i,c{n}_j\right)\in CN\right\},\left|E\right|\le M_{cn}^2$$

For each $e_{c{n}_i,c{n}_j}$ is the cost function of connection between components in the period of time $t.$ Applying the transition rule by using Eq. (20).

(20) $$n{M}_{p,q}^l\left(s\right)=\frac{{\left[{\tau }_{p,q}\right]}^{\alpha }{\left[{\eta }_{p,q}\right]}^{\beta }}{{\sum }_{q\in R{a}_i^l}{\left[{\tau }_{p,q}\right]}^{\alpha }{\left[{\eta }_{p,q}\right]}^{\beta }}$$

Equation (20) is implemented when $i\in C{N}_i\left(j\right)$

After implementing the transition rule in the components, the process’s sequence is repeated until it satisfies the stop condition. During the repeating process, it updates the trials, evaluates the new solution, and remembers the optimal solution. Consider the graph $G=(CN,E)$. The feasible path of the graph is defined as G for the optimized solution. The Ant Colony Algorithm (ACO) aims to find the minimum cost of sequences of the path with its feasible solution concerning its constraints. In ACO, the colony’s population is considered agents or ants, which collectively identify the solution based on the graphical representation of the problem. The information gathered by the ants during its search process is defined as pheromone trails. The algorithmic procedure of HMSACO is given below:

Input: Optimal selection of relevant features

Output: Detection of attack $D{A}_{best}$

Step 1: $D{A}_{best}\leftarrow GenerateHwuristicsolution(Dataset)$

Step 2: Initialize the Pheromone with its parameters ${\tau }_{p,q}.$

Step 3: $D{A}_{best}\leftarrow cost(e_{cn})$

Step 4: While stop Iteration

Step 5: $For(y=1toparameters.M)$

Step 6: $e_{cn}\mathrm{\_}best\leftarrow buidsolution\left(Pheromone,graph,parameters\right)$

Step 7: If ${e_{cn}}_{best}\le D{A}_{best}$ then $D{A}_{best}\leftarrow {e_{cn}}_{best}$

Step 8: End

Step 9: Local Update and $delay-Pheromone\left(Pheromone,{e_{cn}}_{best}parameters\right)$

Step 10: End

Step 11: Global update and $delay-Pheromone\left(Pheromone,D{A}_{best}parameters\right)$

Step 12: End

Step 13: Return the attack detection $D{A}_{best}.$

In the above procedure, ants start it process from the initial state and move towards the feasible node of their neighborhood states and build a solution in a forward movement of the ant. The constriction process gets stopped when it satisfies at least one of the termination conditions. Applying the transitive rule, an ant $l$ is start from node $m$ to node $n$ and it updates its pheromone trail ${\tau }_{p,q}.$ This updating procedure is called a step-by-step pheromone. Once the solution is built, the ant has the capability to retrace the same path in the backward propagation method and updates its pheromone trails. This is called an online-delayed-pheromone