Intelligent Forensic Investigation Using Optimal Stacked Autoencoder for Critical Industrial Infrastructures

2022-08-24 06:58
Computers, Materials & Continua, 2022, Issue 8

Abdullah S. AL-Malaise AL-Ghamdi, Mahmoud Ragab, F. J. Alsolami, Hani Choudhry and Ibrahim Rizqallah Alzahrani

1 Information Systems Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, 21589, Saudi Arabia

2 Information Technology Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, 21589, Saudi Arabia

3 Centre of Artificial Intelligence for Precision Medicines, King Abdulaziz University, Jeddah, 21589, Saudi Arabia

4 Mathematics Department, Faculty of Science, Al-Azhar University, Naser City, 11884, Cairo, Egypt

5 Computer Science Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah, 21589, Saudi Arabia

6 Biochemistry Department, Faculty of Science, King Abdulaziz University, Jeddah, 21589, Saudi Arabia

7 Computer Science and Engineering Department, College of Computer Science and Engineering, University of Hafr Al Batin, Al Jamiah, Hafar Al Batin, 39524, Saudi Arabia

Abstract: Industrial Control Systems (ICS) can be employed in industrial processes to reduce manual labor, handle complicated industrial system processes, and communicate effectively. The Internet of Things (IoT) integrates numerous sets of sensors and devices via a data network, enabling independent processes. The incorporation of the IoT in the industrial sector leads to the design of the Industrial Internet of Things (IIoT), which finds use in water distribution systems, power plants, etc. Since the IIoT is susceptible to different kinds of attacks due to the utilization of Internet connections, an effective forensic investigation process becomes essential. This study offers the design of an intelligent forensic investigation using an optimal stacked autoencoder for critical industrial infrastructures. The proposed strategy involves the design of manta ray foraging optimization (MRFO) based feature selection with an optimal stacked autoencoder (OSAE) model, named the MFROFS-OSAE approach. The primary objective of the MFROFS-OSAE technique is to determine the presence of abnormal events in critical industrial infrastructures. The MFROFS-OSAE approach involves several subprocesses, namely data gathering, data handling, feature selection, classification, and parameter tuning. Besides, the MRFO based feature selection approach is designed for the optimal selection of feature subsets. Moreover, the OSAE based classifier is derived to detect abnormal events, and the parameter tuning process is carried out via the coyote optimization algorithm (COA). The performance validation of the MFROFS-OSAE technique takes place using the benchmark dataset, and the experimental results reported the betterment of the MFROFS-OSAE technique over the recent approaches in terms of different measures.

Keywords: Industrial control systems; internet of things; artificial intelligence; feature selection; deep learning

1 Introduction

In recent times, new technologies such as Cloud computing (CC) [1] and the Internet of Things (IoT) depend largely on Internet and network services for data communication and exchange. Cybersecurity has become an active area for several experts worldwide in diverse areas of research such as Critical Infrastructure Security, Data Hiding, Big Data Security, cloud, and IoT forensics [2]. An Industrial Control System (ICS) comprises different classes of control system, namely Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), and Supervisory Control and Data Acquisition (SCADA) [3]. Each control scheme is found in the crucial infrastructure and industrial sectors, namely transportation networks, gas pipelines, water distribution networks, gas, nuclear power generation, and electric power distribution networks [4]. The major difference between conventional Information Technology (IT) environments and ICSs is that an ICS interacts strongly with physical devices and instruments. At the present time, ICS is considered a cyber-system; hence, it is susceptible to attacks from outside and inside environments. ICS is very difficult when compared to conventional IT systems, since it involves various parts found in a single geographical area [5]. From a cybersecurity viewpoint, the ICS system consists of Field, Enterprise, and Control tiers. Fig. 1 illustrates the process involved in the digital forensics method.

Over the last decades, smart devices have been turning out at a fast speed. The IoT is an emerging innovation that allows objects or things to be connected to the computerized world for information forwarding [6]. But most of these IoT objects are easily compromised and hacked. Accordingly, the security of the IoT has become a challenging consideration. The risk revealed to smart devices should be resolved [7]. The battle between malware designers and security experts is an everlasting fight. Current studies emphasize the growth of things, as a result of which the pattern of malware is emerging. For identifying and detecting this malware, the ML method is employed. To remain conscious of malware, security specialists and experts should continually extend their cyber defences. One key element is a maximally secured system at the endpoint. Endpoint defence offers a set of security strategies, e.g., email security, firewall, anti-spam, sandboxing, and URL filtering. Currently, the ML method plays an important role in cyber-security for detecting anomalies. Various methods exist, such as behavioural-based methods, anomaly-based methods, signature-based systems, and so on. But the behavioural-based method is very effective when compared to the anomaly-based and signature-based methods. Because of the heterogeneous nature of IoT deployment, developing an effective network forensic solution demands in-depth analysis for detecting and tracing attacks [8-10].

Koroniotis et al. [11] proposed a network forensic architecture called Particle Deep Framework (PDF), depending on deep learning and an optimization method. It uses a PSO based optimization technique to choose the hyperparameters of the DNN. Then, the performance demonstrated by the DNN is compared and evaluated against another classification method. Chhabra et al. [12] presented a method for big data forensics with effective precision and sensitivity. In the suggested method, a comprehensive forensic architecture was presented that uses Google's programming method, MapReduce, as the support for traffic analysis, translation, and extraction of dynamic traffic features. For the presented method, the researchers employed publicly available tools such as Mahout, Hadoop, and Hive.

Selim et al. [13] introduced investigative research on finding malicious activities, cyberattacks, and anomalies in a cyber-physical system of a crucial water framework in the IIoT architecture. This work employs different ML methods for classifying anomaly events, including IIoT hardware failures and attacks. A real-time data set covering fifteen anomaly events of standard system activity was examined for the study of the presented model. The test situation includes a wide range of occurrences, from hardware failure to water SCADA device damage. Usman et al. [14] presented a hybrid model based on Cyber Threat Intelligence, Dynamic Malware Analysis, Data Forensics, and ML. The presented technique computes severity and highlights the big data forensic problems, assessing the confidence, risk score, and lifespan at the same time.

Cui et al. [15] examined the usage of a multilayer model for security which generates an exhaust trail of digital evidence, based on the features of the system attacks. Then, this method is evaluated regarding general features of system breaches, and a set of considerations and characteristics for structure designers has been introduced. Zheng et al. [16] proposed a secured storage auditing system that supports effective key updates and is utilized in cognitive industrial IoT platforms. Furthermore, the presented method is extended to assist batch auditing, viz. it is appropriate for many end devices to audit the data block instantaneously.

This study offers the design of a manta ray foraging optimization (MRFO) based feature selection with optimal stacked autoencoder (OSAE) model, named the MFROFS-OSAE model. The primary aim of the MFROFS-OSAE system is to determine the presence of abnormal events in critical industrial infrastructures. The MFROFS-OSAE technique involves several subprocesses, namely data gathering, data handling, feature selection, classification, and parameter tuning. Besides, the MRFO based feature selection approach is designed for the optimal selection of feature subsets. Moreover, the OSAE based classifier is derived to detect abnormal events, and the parameter tuning process is carried out via the coyote optimization algorithm (COA). The performance validation of the MFROFS-OSAE technique takes place using the benchmark dataset.

The rest of the paper is planned as follows. Section 2 introduces the proposed model, Section 3 develops the experimental validation, and Section 4 draws the conclusion.

2 The Proposed Model

This study has designed an MFROFS-OSAE technique for intelligent forensic investigation on critical industrial infrastructures. The proposed model effectively determines the presence of abnormal events in critical industrial infrastructures. The MFROFS-OSAE technique involves several subprocesses, namely data gathering, data handling, MFRO based feature selection, SAE based classification, and COA parameter tuning. Fig. 2 demonstrates the overall process of the MFROFS-OSAE technique.

Figure 2: Overall process of MFROFS-OSAE technique

2.1 Data Collection Process

An IoT device is deployed on the network which is under examination. The device is configured in promiscuous mode, therefore allowing us to view all traffic in the local network. Then, network packets are captured by applying network capturing tools, namely Ettercap, Wireshark, and Tcpdump. The gathered pcap files are later transmitted to the data gathering phase.

2.2 Data Handling Process

This is the initial phase in the network investigation method, where the information is collected in a form that can be further examined and analyzed, namely the UNSW-NB15 and BoT-IoT datasets. At first, for preservation purposes, an SHA-256 hashing function is applied for maintaining the privacy of the gathered information. By using this hashing function, the generated digest of the gathered files is utilized post-investigation to declare that the primary information hasn't been compromised. Then, the gathered pcaps are treated by data flow extraction tools such as Bro or Argus, which extract the network flows from the pcap file. A further step during this phase is pre-processing: managing unuseful and missing feature values, and producing and re-scaling original features that could help model training. After cleaning and filtering the data sets, the OSAE method is employed for discovering cyberattacks and tracing their origin.
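An added example, not code from the paper: one way to implement the preservation step above, where a SHA-256 digest of each capture is recorded at acquisition and recomputed after the investigation as an integrity check on the evidence. The file names, the manifest layout and the *.pcap pattern are assumptions, and the capture bytes are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so large captures need not fit in memory


def sha256_file(path):
    """Stream one file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, pattern="*.pcap"):
    """At acquisition: record size and digest of every capture file."""
    return {
        p.name: {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(Path(evidence_dir).glob(pattern))
    }


def verify_manifest(evidence_dir, manifest, pattern="*.pcap"):
    """Post-investigation: re-hash and report ok / modified / missing / unlisted."""
    root = Path(evidence_dir)
    report = {}
    for name, rec in manifest.items():
        path = root / name
        if not path.is_file():
            report[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), rec["sha256"]):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for path in root.glob(pattern):  # files that appeared after acquisition
        report.setdefault(path.name, "unlisted")
    return report


def demo():
    """Constructed captures: hash, verify, alter the evidence, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc_segment.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 64)
        (root / "hmi_segment.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x01" * 64)
        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)
        with open(root / "hmi_segment.pcap", "r+b") as fh:  # flip one byte
            fh.seek(10)
            fh.write(b"\xff")
        (root / "plc_segment.pcap").unlink()                # lose one file
        (root / "late_capture.pcap").write_bytes(b"\x00")   # add one afterwards
        after = verify_manifest(root, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest only proves anything if it is stored apart from the captures, for example on write-once media or in a signed case record.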

2.3 MRFO Based Feature Selection Process

At this stage, the MRFO algorithm can be used to choose an optimal subset of features. Zhao et al. [17] proposed a metaheuristic optimization method called the manta ray foraging optimizer (MRFO), inspired by the behavior of manta rays in foraging and catching prey. Chain, somersault, and cyclone foraging are the three foraging operators. The chain foraging is mathematically formulated by:

In which x_i(t) represents the ith individual's location at iteration t, r indicates an arbitrary vector in range; indicates the optimal solution at iteration t, N shows the number of manta rays and α signifies a weight coefficient:

The location of the ith individual, excepting the initial one, is reliant on the optimal one and the location of the (i-1)th individual.

where ω represents an arbitrary value in range of Da Luz etα(2020),

In which β represents a weighting factor: In the equation, t signifies the existing iteration, T represents the maximal number of iterations and r1 denotes an arbitrary value in range. The cyclone foraging has better exploitation of the optimal solution space, since each manta ray performs the search procedure for food according to the reference position [18]. Furthermore, this procedure improves exploration by forcing the individual to search for a novel position that is farther from the present optimal one. It is executed by allotting an arbitrary location in the search space:

In which Lb and Ub indicate the lower and upper bounds of the problem variable, and χ_rand signifies an arbitrary location allotted in the search space. The somersault foraging is the last stage followed in MRFO, where the food is observed as a hinge. In this phase, all the manta rays tend to swim back and forth around the hinge and tumble to a novel location:

Whereas S denotes a somersault factor applied in determining the manta rays' somersault range, and r2 and r3 represent arbitrary numbers in range. In this stage, the distances between the best one and the manta ray positions decrease, which implies convergence to the optimum solution. The feature selection using the FS method is represented as an N-sized vector in which N signifies the number of features. Each location of the vector can assume the value 0 or 1, in which 0 indicates that the feature isn't selected and 1 represents that the feature is selected. The transfer function gives the probability of changing position vector components from zero to one and vice versa more effectively and easily. A transfer function greatly impacts the result of the FS method when searching for the optimum set of features, in relation to avoiding local optima and maintaining the tradeoff between the exploitation and exploration procedures. As mentioned above, the fitness function (FF) for deciding a solution in this state is created to attain a balance between the 2 objectives as:

ΔR(D) indicates the classification error rate. |Y| indicates the size of the subset and |T| the overall number of features included in the present data sets. α describes a variable ∈ [0,1] corresponding to the weight of the classification error rate, whereas β = 1-α implies the consequence of feature reduction.
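An added example, not code from the paper: the binary feature mask, a transfer function and the two-objective fitness described above, evaluated on constructed flow records. It assumes the usual weighted-sum form α·ΔR(D) + β·|Y|/|T| and an S-shaped (sigmoid) transfer function, uses a nearest-centroid classifier for the error rate, and replaces the MRFO search with exhaustive enumeration, which is feasible only because the sample has four features.

```python
import math
import random
from itertools import product

FEATURES = ["pkt_rate", "mean_len", "syn_ratio", "ttl_var"]  # hypothetical names
# Constructed flow records, features pre-scaled to 0..100, label 1 = attack.
FLOWS = [
    ([10, 20, 10, 50], 0), ([20, 80, 20, 40], 0),
    ([15, 30, 30, 60], 0), ([25, 70, 60, 50], 0),
    ([90, 25, 40, 50], 1), ([80, 75, 70, 60], 1),
    ([85, 35, 80, 40], 1), ([95, 65, 90, 50], 1),
]


def transfer(x):
    """S-shaped transfer function: probability that a mask bit becomes 1."""
    x = max(-60.0, min(60.0, x))  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-x))


def binarize(position, rng):
    """Map a continuous position vector to a 0/1 feature mask."""
    return tuple(1 if rng.random() < transfer(x) else 0 for x in position)


def error_rate(mask, rows):
    """Delta_R(D): nearest-centroid error using only the selected columns."""
    cols = [i for i, bit in enumerate(mask) if bit]
    if not cols:
        return 1.0  # an empty subset cannot classify anything
    centroids = {}
    for label in (0, 1):
        members = [x for x, y in rows if y == label]
        centroids[label] = [sum(m[c] for m in members) / len(members) for c in cols]
    wrong = 0
    for x, y in rows:
        dist = {lab: sum((x[c] - mu) ** 2 for c, mu in zip(cols, cen))
                for lab, cen in centroids.items()}
        pred = min(dist, key=lambda lab: (dist[lab], lab))  # ties go to class 0
        wrong += pred != y
    return wrong / len(rows)


def fitness(mask, rows, alpha=0.99):
    """alpha * error + beta * |Y|/|T| with beta = 1 - alpha (lower is better)."""
    beta = 1.0 - alpha
    return alpha * error_rate(mask, rows) + beta * sum(mask) / len(mask)


def best_mask(rows, n_features, alpha=0.99):
    """Exhaustive stand-in for the MRFO search over all non-empty masks."""
    candidates = [m for m in product((0, 1), repeat=n_features) if any(m)]
    return min(candidates, key=lambda m: fitness(m, rows, alpha))


if __name__ == "__main__":
    mask = best_mask(FLOWS, len(FEATURES))
    print("selected:", [f for f, bit in zip(FEATURES, mask) if bit])
    print("fitness all features:", fitness((1, 1, 1, 1), FLOWS))
    print("fitness best subset :", fitness(mask, FLOWS))
    print("sampled mask:", binarize([2.0, -2.0, 0.5, -0.5], random.Random(1)))
```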

2.4 OSAE Based Classification Process

During the classification process, the chosen subset of features is passed into the OSAE model. From the fundamental viewpoint, the AE is an axisymmetric SLNN [19]. The AE encodes the input sensor information by utilizing the hidden state, estimating the minimal error, and attaining the optimum feature hidden state term. For example, the AE doesn't learn some practical features by copying and memorizing the input into the implicit state, but it recreates the input data with maximum precision. For the adhesion state recognition of a locomotive, k groups of observed information {x1, x2, x3, ..., xn} occur that are recreated as an N×M dataset {x(1), x(2), x(3), ..., x(N)}, x(i) ∈ R^M. This data is utilized as the input matrix X. The input information encoded by the AE is utilized for constructing a mapping connection. In this case, the activation function of the AE is the sigmoid, which is planned for obtaining an optimum representation of the input information: h(X, W, b) = σ(WX + b). The sparse penalty is included in the sparse AE cost function for limiting the average activation value of the hidden state neurons. Usually, once the resultant value of a neuron is one, it is active, and the neuron is inactive once its resultant value is zero. The purpose of applying sparsity is to limit unwanted activation. aj(x) is set as the jth activation value. During the procedure of feature learning, the activation values of the hidden state neurons are generally written as a = sigmoid(WX + b), where W implies the weight matrix and b represents the deviation matrix [20]. The mean activation value of the jth neuron from the hidden state is determined as:

The hidden state is retained at a lesser value for ensuring that the standard activation value stays at the sparse variable ρ, and the penalty expression is utilized for preventing ρj from deviating from the parameter ρ. The Kullback-Leibler (KL) divergence is employed in this analysis as the basis of the penalty:

When ρj doesn't differ from the parameter ρ, the KL divergence value is zero; else, the KL divergence value gradually increases with the deviation. The cost function of the NN is set as C(W, b). Afterward, the cost function with the added sparse penalty expression is:

where S2 refers to the number of neurons in the implicit state and β signifies the weight of the sparse penalty expression. The training of the NN focuses on finding the suitable weight and threshold parameters (W, b). Once the sparse penalty expression is determined, the sparse term is attained by reducing the sparse cost function.

For optimal tuning of the parameters involved in the SAE model, the COA is utilized. COA is a recently developed metaheuristic method that was presented by Qais et al. [21]. COA has a stimulating method to get a balance between exploitation and exploration. The method begins with NP populations and Nc coyotes as the candidate solutions:

In which c determines the number, p determines the group, and t describes the simulation time for the model variable. In the beginning, random coyotes are produced as solution candidates in the search space as follows

In the equation, η ∈ [0,1] indicates a random value, and Urj and Lrj determine the upper and lower ranges of the jth dimension in the search space as follows [21]:

The process randomly upgrades the group position. As well, the candidates update their location by leaving their groups for another one as follows:

The optimal solution of all the iterations is taken into account as the alpha coyote in the equation:

The general characteristics of the coyote for the culture transformation are given in the following:

Let Rp,t be the coyote social condition ranking for group number p at time t for the dimension j:

In the equation, rj ∈ [0,1] determines a random value, r2 signifies an arbitrary coyote in the group p, σj defines an arbitrary value within the design variable limits, j1 and j2 determine random design variables, and pra and prs represent the scatter and association likelihoods, correspondingly, which state the coyote cultural diversity from the group as follows [22]:

While d defines the dimension for the variable. The cultural transition amongst the groups is determined by the δ1 and δ2 factors:

Consider, δ1 signifies the culture difference between the designated coyote (cr1) and the leader (alpha), and δ2 represents the cultural difference between the selected coyote (cr2) and the group culture trend. To upgrade the social behaviour according to the group and the leader impact, the subsequent formula has been applied:

Whereas r1 and r2 indicate random numbers between zero and one. Considering the update equation, the new cost can be attained by:

A significant part of this technique is its capacity to escape from the local optimal point.
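An added example, not code from the paper: the sparse penalty described earlier in this section, computed for a small encoder. It assumes the standard sparse-autoencoder forms (mean activation averaged over the samples, Bernoulli KL divergence); the weights, inputs, base cost, ρ = 0.05 and β = 3 are constructed values.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def encode(x, W, b):
    """Hidden activations a = sigmoid(W x + b) for one input vector x."""
    return [sigmoid(sum(w * xi for w, xi in zip(row, x)) + bj)
            for row, bj in zip(W, b)]


def mean_activation(X, W, b):
    """rho_j: average activation of hidden neuron j over all samples in X."""
    acts = [encode(x, W, b) for x in X]
    return [sum(col) / len(acts) for col in zip(*acts)]


def kl(rho, rho_j, eps=1e-12):
    """KL divergence between Bernoulli(rho) and Bernoulli(rho_j)."""
    rho_j = min(max(rho_j, eps), 1.0 - eps)  # keep both logarithms finite
    return (rho * math.log(rho / rho_j)
            + (1.0 - rho) * math.log((1.0 - rho) / (1.0 - rho_j)))


def sparse_cost(base_cost, X, W, b, rho=0.05, beta=3.0):
    """C(W,b) + beta * sum_j KL(rho || rho_j); also returns the per-neuron terms."""
    terms = [kl(rho, r) for r in mean_activation(X, W, b)]
    return base_cost + beta * sum(terms), terms


def demo():
    # Constructed inputs: four scaled flow vectors, the last one an outlier.
    X = [[0.1, 0.0, 0.2], [0.0, 0.1, 0.0], [0.2, 0.1, 0.1], [0.9, 0.8, 0.9]]
    # Neuron 0 has a strong negative bias and stays mostly inactive;
    # neuron 1 has zero weights and bias, so it sits at 0.5 for every input.
    W = [[1.0, 1.0, 1.0], [0.0, 0.0, 0.0]]
    b = [-3.0, 0.0]
    base_cost = 0.02  # constructed stand-in for the reconstruction cost C(W,b)
    return sparse_cost(base_cost, X, W, b)


if __name__ == "__main__":
    total, terms = demo()
    print("per-neuron KL terms:", terms)
    print("sparse cost:", total)
```

The neuron that is half-active on every input contributes almost all of the penalty, which is the pressure that pushes training toward mostly inactive hidden units.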

3 Experimental Validation

The performance validation of the MFROFS-OSAE technique takes place using two benchmark datasets namely Bot-IoT and UNSW_NB15 datasets.

Tab. 1 and Fig. 3 offer a brief result analysis of the MFROFS-OSAE technique under various epochs. The results show that the MFROFS-OSAE technique has effectually attained maximum detection performance. For instance, with 10 epochs, the MFROFS-OSAE technique has obtained accuracy, precision, recall, and F-score of 99.94%, 100%, 99.94%, and 99.92% respectively. Moreover, with 30 epochs, the MFROFS-OSAE method has achieved accuracy, precision, recall, and F-score of 99.92%, 100%, 99.95%, and 99.93% correspondingly. Simultaneously, with 50 epochs, the MFROFS-OSAE algorithm has gained accuracy, precision, recall, and F-score of 99.91%, 100%, 99.91%, and 99.91% respectively. Concurrently, with 60 epochs, the MFROFS-OSAE methodology has reached accuracy, precision, recall, and F-score of 99.94%, 100%, 99.95%, and 99.94% correspondingly.

Table 1: Result analysis of MFROFS-OSAE technique with different measures

Figure 3: Result analysis of MFROFS-OSAE technique with varying measures

Fig. 4 illustrates the ROC analysis of the MFROFS-OSAE system on the test dataset. The figure shows that the MFROFS-OSAE technique has reached increased outcomes with the minimal ROC of 99.8869.

Figure 4: ROC analysis of MFROFS-OSAE technique

Fig. 5 demonstrates the ROC analysis of the OSAE algorithm on the test dataset. The figure depicted that the OSAE method has gained improved outcomes with the lower ROC of 99.8341.

Figure 5: ROC analysis of OSAE technique

Fig. 6 showcases the ROC analysis of the SAE technique on the test dataset. The figure revealed that the SAE algorithm has achieved enhanced outcomes with the minimal ROC of 99.7124.

Figure 6: ROC analysis of SAE technique

The DR analysis of the MFROFS-OSAE method with the FS-DNN model on the Bot-IoT dataset is given in Tab. 2 and Fig. 7. The results show that the MFROFS-OSAE system has resulted in maximal efficiency over the other one. For instance, the MFROFS-OSAE algorithm has classified the instances under the DDoS class with the higher DR of 99.21%, whereas the FS-DNN technique has obtained a lower DR of 99%. Similarly, the MFROFS-OSAE technique has classified the instances under the DoS class with the increased DR of 99.30%, whereas the FS-DNN method has attained a decreased DR of 99%. Followed by, the MFROFS-OSAE method has classified the instances under the Information theft class with the superior DR of 99.01%, whereas the FS-DNN system has reached a reduced DR of 99%. At last, the MFROFS-OSAE approach has classified the instances under the Normal class with the superior DR of 99.30%, whereas the FS-DNN technique has attained a lower DR of 99%.

Table 2: Detection rate analysis of MFROFS-OSAE technique on Bot-IoT dataset

Figure 7: DR analysis of MFROFS-OSAE technique on Bot-IoT dataset

The DR analysis of the MFROFS-OSAE technique with the FS-DNN model on the UNSW_NB15 dataset is given in Tab. 3 and Fig. 8. The results show that the MFROFS-OSAE technique has resulted in maximum efficiency over the other one. For instance, the MFROFS-OSAE technique has classified the instances under the Normal class with the higher DR of 99.92%, whereas the FS-DNN technique has attained a lower DR of 99.90%. Likewise, the MFROFS-OSAE approach has classified the instances under the Backdoor class with the superior DR of 99.93%, whereas the FS-DNN system has attained a minimum DR of 99.90%. Similarly, the MFROFS-OSAE technique has classified the instances under the Generic class with the maximum DR of 99.93%, whereas the FS-DNN technique has gained a minimal DR of 99.90%. Eventually, the MFROFS-OSAE methodology has classified the instances under the Shellcode class with the higher DR of 99.92%, whereas the FS-DNN algorithm has achieved a reduced DR of 99.90%.

Table 3: Detection rate analysis of MFROFS-OSAE technique on UNSW_NB15 dataset

Figure 8: DR analysis of MFROFS-OSAE technique on UNSW_NB15 dataset

Finally, a detailed comparative result analysis of the MFROFS-OSAE technique with existing techniques is made in Tab. 4.

Table 4: Comparative analysis of MFROFS-OSAE technique with existing approaches

Fig. 9 offers the accuracy and precision analysis of the MFROFS-OSAE technique with recent methods. The results show that the MLP, DT, and SVM models have obtained ineffectual outcomes with lower values of accuracy and precision. Followed by, the NB model has reported moderate accuracy and precision of 93.20% and 94.80% respectively. Though the FS-DNN and RNN models have demonstrated competitive performance, the MFROFS-OSAE technique has resulted in higher accuracy and precision of 99.93% and 100% respectively.

Figure 9: Accuracy and precision analysis of MFROFS-OSAE technique

Fig. 10 provides the recall and F-measure analysis of the MFROFS-OSAE technique with recent approaches. The results demonstrated that the MLP, DT, and SVM techniques have obtained ineffectual outcomes with the minimum values of recall and F-measure. Afterward, the NB methodology has reported moderate recall and F-measure of 94.40% and 94.60% correspondingly. Though the FS-DNN and RNN techniques have demonstrated competitive performance, the MFROFS-OSAE approach has resulted in superior recall and F-measure of 99.94% and 99.93% correspondingly.

Figure 10: Recall and F-measure analysis of MFROFS-OSAE technique

4 Conclusion

This study has designed an MFROFS-OSAE technique for intelligent forensic investigation on critical industrial infrastructures. The proposed model effectively determines the presence of abnormal events in critical industrial infrastructures. The MFROFS-OSAE technique involves several subprocesses, namely data gathering, data handling, MFRO based feature selection, SAE based classification, and COA parameter tuning. The OSAE based classifier is derived to detect abnormal events, and the parameter tuning process is carried out via the COA. The performance validation of the MFROFS-OSAE technique takes place using the benchmark dataset, and the experimental results reported the betterment of the MFROFS-OSAE technique over the recent approaches in terms of different measures. In future, advanced DL models can be used instead of SAE to accomplish maximum detection rate.

Acknowledgement: The authors extend their appreciation to the Deputyship for Research & Innovation, Ministry of Education in Saudi Arabia for funding this research work through the Project Number (IFPIP-153-611-1442) and King Abdulaziz University, DSR, Jeddah, Saudi Arabia.

Funding Statement: This project was supported financially by Institution Fund projects under Grant No. (IFPIP-153-611-1442).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.