Securing Industrial Internet of Things Against Botnet Attacks Using Hybrid Deep Learning Approach

The Industrial Internet of Things (IIoT), by forming a richer ecosystem of intelligent, interconnected devices and enabling new levels of digital innovation, has transformed global manufacturing and Industry 4.0. Conversely, the distributed nature of IIoT, industrial 5G, the underlying IoT sensing devices, IT/OT convergence, edge computing, and Time-Sensitive Networking make it an attractive target for cyber-attackers. Multi-variant, persistent, and sophisticated bot attacks are considered catastrophic for connected IIoT, and botnet attack detection is highly complex and decisive. Thus, efficient and timely detection of IIoT botnets is a pressing need. We propose a hybrid intelligent Deep Learning (DL) mechanism to secure IIoT infrastructure from sophisticated multi-variant botnet attacks. The proposed mechanism has been rigorously evaluated with a recent dataset, standard and extended performance evaluation metrics, and current DL benchmark algorithms; cross-validation of the results is also performed to show overall performance clearly. The proposed mechanism outperforms the benchmarks in identifying multi-variant bot attacks, achieving a 99.94% detection rate, and attains a testing time of 0.066 ms, which is also promising in terms of speed efficiency.


I. INTRODUCTION
No doubt, the Industrial Internet of Things (IIoT) is growing exponentially, creating an incredible digital landscape and becoming part and parcel of our daily lives [1]-[3]. IIoT ecosystems contribute to smart agriculture, e-health, e-government, smart cities, e-logistics, home automation, industrial systems, e-wearables, and transportation [4], [5]. The shift from traditional networks to IoT has transformed the global landscape. Smart devices are intelligent, interconnected, and location-aware, and they generate big IoT data that is the new gold mine for behavioral analytics, computational intelligence [6] and decision-making [7], [8]. According to a recent statistical report, approximately 75 billion IoT smart devices are expected to be connected by the end of 2025 [9], [10].
However, the diverse landscape of IoT protocols, the heterogeneity of devices and data transmission, resource constraints, and the one-time embedded deployment of IoT devices [11], [12] make them more exposed to prevalent cyber threats and attacks [13]. Diverse attacks, including phishing, denial of service (DoS), man-in-the-middle (MITM), and botnets, are executed against IoT devices for information theft, data loss, and full compromise of the entire system [14]. Among these, botnets are considered the most sophisticated and lethal attack, able to paralyze a network as a whole [15]. A botnet is purposefully crafted malware that propagates over the network and across intelligent devices by exploiting vulnerabilities, in turn giving cyber adversaries remote access to the compromised devices [16], [17].
For the security of heterogeneous IIoT devices and the traffic they generate [18], existing solutions for identifying cyber threats and attacks predominantly rely on pre-defined signature vectors for pattern matching, known as signature-based detection. This approach proves insufficient in the IoT digital infrastructure, as it requires continuous signature updates for the latest threats and is therefore incapable of detecting zero-day threats, attacks, and vulnerabilities in such a dynamic and heterogeneous environment [19]. DL-driven intelligent solutions can support zero-day threat detection and are considered adaptive, resilient, reliable, and efficient for botnet identification in IIoT [20]. Therefore, in this work we propose a novel hybrid DL-driven intelligent threat detection mechanism to combat sophisticated botnet threats and attacks in the IIoT environment, as shown in Fig. 1.

Contributions:
The core contributions of our work are as follows. An efficient, scalable and flexible AI-enabled hybrid model is presented for effective identification of multi-variant IIoT attacks, employing a Long Short-Term Memory-Deep Neural Network (LSTM-DNN) architecture.
For multi-class attack classification, the well-known N_BaIoT IoT dataset is used. Standard performance metrics are applied to measure the actual potential of the proposed technique and provide a thorough evaluation.
We also compare the proposed method with other hybrid algorithms and current DL benchmarks. The devised mechanism achieves the highest detection accuracy with a minor trade-off in time efficiency.
In addition, 10-fold cross-validation is used to ensure that the results are unbiased.

Structure: The rest of the paper is organized as follows. Background and related work are discussed in Section II. Section III describes the algorithms used. Section IV defines the proposed methodology, including a description of the framework, dataset and pre-processing, DL architectures, experimental setup, and evaluation metrics. Results and discussion are presented in Section V, and the paper closes with conclusions and future directions.

II. BACKGROUND AND RELATED WORK
With the rise of AI-empowered technology, deep learning architectures have drawn wide attention from academic and industrial researchers in information security, computer vision, sound and text analysis, and pattern recognition, because their self-learning ability helps to achieve high classification accuracy in complex environments [21]. Table I outlines the current literature, detailing attacks, datasets, strengths, limitations, and future directions. For cyber threat and attack detection, [22] presents a DL-based mechanism using LSTM to detect botnets; the dataset was collected from network packets captured at the Czech Technical University, and the algorithm achieves a 99.90% detection rate. The authors in [23] demonstrate a framework for identifying botnets by analyzing packets with a Bidirectional LSTM; a self-generated dataset of Mirai and benign instances was used, and 96% accuracy was reported. Meanwhile, [24] analyze network flows with CNN and RNN models and compare the two; the CTU-13 and ISOT datasets, which hold both normal and attack records, were used, and the proposed system reached a detection rate of 99.3%. In [25], an enhanced LSTM is used to detect the attack; the scheme attains 98% accuracy on a dataset gathered from Cresci and collaborators. The authors in [26] apply LSTM, RNN and CNN to detect malicious domains; the normal samples were gathered from OpenDNS and Alexa, while the malicious records were collected from 17-DGA, and the identification rate of the proposed scheme is 90%.
The authors in [27] implemented intrusion detection to safeguard IoT by deploying SDN and report a testing rate of 95%; the KDD99 dataset is used for attack detection (DoS, Login, and Probe) with a Restricted Boltzmann Machine (RBM). Consequently, [28] presented a botnet traffic analyzer based on a Convolutional Neural Network (CNN) and an auto-encoder and achieved a 91% rate; Botnet Traffic Shark (BoT-Shark) is used for the network arrangement, and the data used is ISCX. In [29], the authors proposed an approach for post-infection host detection using deep learning in SDN; the ISOT and CTU-13 datasets were used, and the detection accuracy with an MLP is 99.2%. Moreover, [21] proposed a varied attack detection framework for IoT using GRU-LSTM with the NSL-KDD dataset; the model attained an accuracy of 87.9% and was compared with traditional schemes. The authors in [30] developed an application for providing security policies and access control in various IoT networks using the OpenFlow interface; the research also discussed the significant security vulnerabilities in IoT networks and the potential of SDN for securing IoT. In [31], the authors proposed a network-flow-based scheme to identify botnet attacks; an ML algorithm, the Decision Tree (DT), is employed, and the ISCX2012 and ISOT datasets yield a 99% rate. The authors in [32] used ML models such as Naive Bayes (NB), J48, and Bayesian networks to detect botnets, reporting an FNR of 10-20% and an FPR of 30-40%; the dataset was collected from the Dartmouth campus wireless network and labelled via detectors. In [33], the authors detect DDoS attacks with the Random Forest algorithm and achieve 99%; the self-generated dataset was captured with Wireshark through port mirroring on the switch. The authors in [34] present DIOT, a distributed self-learning system for efficiently detecting compromised IoT devices; it detects devices compromised by Mirai using a Gated Recurrent Unit (GRU), with data collected both in the lab and in real-world settings, and achieves a detection rate of 95.6%. In [35], the authors present a system that memorizes the behavior of harmful network activities to detect and prevent different types of botnet infections; it achieved a detection accuracy of 98% on the KDD99 dataset. In [20], the authors proposed an IoT-focused approach that uses a DL algorithm (LSTM) to detect botnet attacks; the paper utilized the N_IoT 2018 dataset, which contains data from varied IoT devices, and obtained a detection rate of 99.90%.
The current literature either lacks a detailed evaluation against state-of-the-art IoT datasets or uses few instances for training and testing. In contrast, our proposed hybrid DL algorithm leverages Long Short-Term Memory (LSTM) [36] and a Deep Neural Network (DNN) [37], [38]. The proposed work is an efficient and highly scalable IIoT botnet detection framework that comprehensively identifies multiple sophisticated attacks in the IIoT environment.

III. PRELIMINARIES
In this section, the algorithms used in this paper are described.
A. Long-Short-Term Memory (LSTM)
The most widely adopted variant of the Recurrent Neural Network (RNN) family is LSTM, which addresses the limited learning capacity of a simple RNN. A simple RNN has only short-term memory and struggles to learn long sequences [36]. LSTM was proposed to learn longer sequences in data and solve this problem. LSTM has a control flow similar to an RNN but adds a long-term memory [39] that bridges the time gap and mitigates the vanishing-gradient problem. An RNN needs little data pre-processing and learns from past sequences through back-propagation through time [40]; in a simple RNN, however, the error signals propagated back over many time steps vanish or explode, which makes training poorer. The main concept of LSTM is based on the cell state, activation functions, and gates. The cell state acts as a communicator that transfers meaningful information to the next time step; it is the "memory" of the LSTM cell and carries important information throughout the sequence.
As the cell state passes along, information is added to or removed from it through the gates: the forget gate decides what to discard from the previous cell state, the input gate decides what new information to write, and the output gate decides what part of the cell state is exposed as the hidden output. The gates learn during training which information is relevant and must be kept or forgotten.
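The gating described above can be traced in code. The following Python block is an added example, not code from the paper, and implements a single LSTM cell from scratch with hand-set parameters (all weights zero, each gate driven only by its bias, an assumption for illustration rather than trained weights). Two constructed cases show the behaviour the text describes: with the forget gate open and the input gate shut, an initial cell-state value survives 20 time steps of empty input almost unchanged; with the forget gate shut it is wiped in one step; and with the input gate open, a value derived from the input is written into the cell state.

```python
import math


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def vadd(*vectors):
    return [sum(terms) for terms in zip(*vectors)]


def lstm_step(x, h_prev, c_prev, params):
    """One LSTM time step.

    params maps each gate name ('f', 'i', 'o', 'g') to (W, U, b), where W is
    hidden x input, U is hidden x hidden and b is a hidden-sized bias vector.
    Returns the new hidden state h and cell state c.
    """
    pre = {name: vadd(matvec(W, x), matvec(U, h_prev), b)
           for name, (W, U, b) in params.items()}
    f = [sigmoid(v) for v in pre["f"]]    # forget gate: how much of c_prev to keep
    i = [sigmoid(v) for v in pre["i"]]    # input gate: how much new content to write
    o = [sigmoid(v) for v in pre["o"]]    # output gate: how much of c to expose as h
    g = [math.tanh(v) for v in pre["g"]]  # candidate content derived from the input
    c = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c_prev, i, g)]
    h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]
    return h, c


def run_lstm(sequence, params, hidden, c0=None):
    """Feed a whole sequence through the cell and return the final (h, c)."""
    h = [0.0] * hidden
    c = list(c0) if c0 is not None else [0.0] * hidden
    for x in sequence:
        h, c = lstm_step(x, h, c, params)
    return h, c


def make_params(hidden, inp, forget_bias, input_bias):
    """Hand-set parameters (an assumption for illustration, not trained weights):
    all weights are zero, so every gate is driven purely by its bias."""
    def gate(bias):
        W = [[0.0] * inp for _ in range(hidden)]
        U = [[0.0] * hidden for _ in range(hidden)]
        return (W, U, [bias] * hidden)
    return {"f": gate(forget_bias), "i": gate(input_bias),
            "o": gate(0.0), "g": gate(0.0)}


def retained_fraction(forget_bias, steps=20):
    """Fraction of an initial cell-state value of 1.0 that survives `steps`
    time steps of all-zero input while the input gate is held shut."""
    params = make_params(hidden=1, inp=2, forget_bias=forget_bias, input_bias=-10.0)
    sequence = [[0.0, 0.0]] * steps   # constructed input: empty feature vectors
    _, c = run_lstm(sequence, params, hidden=1, c0=[1.0])
    return c[0]


def overwrite_from_input(x):
    """With the forget gate shut and the input gate open, one step replaces the
    cell state with tanh(W_g x); here W_g reads only the first feature of x."""
    params = make_params(hidden=1, inp=2, forget_bias=-10.0, input_bias=10.0)
    _, U_g, b_g = params["g"]
    params["g"] = ([[1.0, 0.0]], U_g, b_g)
    _, c = run_lstm([x], params, hidden=1, c0=[1.0])
    return c[0]


if __name__ == "__main__":
    print("kept after 20 steps, forget gate open:", retained_fraction(10.0))
    print("kept after 20 steps, forget gate shut:", retained_fraction(-10.0))
    print("cell state after writing x=[1, 0]:", overwrite_from_input([1.0, 0.0]))
```

A plain RNN hidden state has no such gate and is overwritten at every step, which is the short-term-memory limitation the section opens with; the multiplicative forget gate is what lets the cell state carry a summary of earlier packets across a long flow.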

B. Deep Neural Network (DNN)
A Deep Neural Network is a neural network with multiple hidden layers, loosely inspired by the way the human brain recognizes patterns [37]. A DNN architecture has an input layer, one or more hidden layers, and an output layer, each comprising neurons. Each neuron multiplies its inputs by learned weights, sums them, applies an activation function, and passes the result to the next layer until the output layer is reached [41]. The neuron is therefore the single computational unit of the multi-step pattern-recognition procedure [38]. Stacked in this way, the network can learn the discriminative patterns of botnet traffic and thus support defensive measures.

IV. METHODOLOGY
The proposed hybrid Deep Learning (DL) based attack detection framework for IIoT infrastructure is presented in this section. The model aims to secure IoT devices from varied attacks. The first step is to use a recent, state-of-the-art dataset for thorough experimentation. The sequence diagram in Fig. 3 shows the communication process between the IIoT layers. We then pre-process the dataset, including removing redundant data, cleansing, transformation, visualization, and feature engineering. After pre-processing, the data is fed to the classifiers to identify multiple IIoT attacks.

A. Dataset
For training the proposed algorithm, we use the recent N_BaIoT [42] IoT dataset. The dataset consists of benign traffic and traffic from two recent IoT botnet malware families, Gafgyt and Mirai, which are specifically designed to target IoT devices. It contains network traces from executions of Gafgyt and Mirai on 9 different IoT devices (doorbells, a thermostat, a baby monitor, security cameras, and a webcam). The complete distribution of the N_BaIoT dataset used for the proposed approach is outlined in Table III.

B. Pre-Processing
Pre-processing of N_BaIoT is performed to improve the effectiveness and performance of the proposed hybrid deep learning methodology. First, we verify data integrity by scanning for and removing records with missing (NaN) and infinite values. To improve the learning process, we use MinMaxScaler to normalize the features to the range 0 to 1. We also apply One-Hot Encoding (OHE) to the target labels to train the deep learning algorithm.
The steps followed for model construction are also depicted in Fig. 7 as a flow chart.
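The cleaning, scaling and encoding steps above, as an added Python example (not the paper's code). The rows are constructed stand-ins with assumed feature values, since the real N_BaIoT columns are not reproduced here. One point the description leaves open is made explicit: the MinMaxScaler bounds and the class list are fitted on the training split only and then applied to the test split, so that test-set ranges cannot leak into training; a test value outside the training range is therefore allowed to scale beyond 1.0 rather than silently changing the scaler.

```python
import math

# Constructed sample rows (features, label) in the style of N-BaIoT flow
# statistics. Feature values are assumed for illustration only.
TRAIN_ROWS = [
    ([12.0, 0.5, 3.2], "benign"),
    ([float("nan"), 0.7, 2.9], "benign"),      # missing value: dropped
    ([18.0, 0.9, 4.0], "benign"),
    ([480.0, 9.1, float("inf")], "mirai"),     # infinity: dropped
    ([620.0, 11.4, 77.0], "mirai"),
    ([75.0, 4.2, 18.5], "gafgyt"),
    ([90.0, 3.9, 20.0], "gafgyt"),
]
TEST_ROWS = [
    ([15.0, 0.6, 3.5], "benign"),
    ([700.0, 12.0, 80.0], "mirai"),            # exceeds the training range
    ([80.0, 4.0, 19.0], "gafgyt"),
]


def drop_invalid(rows):
    """Keep only rows whose every feature is a finite number (no NaN, no +/-inf)."""
    return [(f, y) for f, y in rows if all(math.isfinite(v) for v in f)]


def fit_minmax(rows):
    """Per-column (min, max) learned from the given rows only."""
    columns = list(zip(*[f for f, _ in rows]))
    return [(min(col), max(col)) for col in columns]


def apply_minmax(features, bounds):
    """Scale each feature to [0, 1] relative to the fitted bounds. A constant
    column (max == min) maps to 0.0 instead of dividing by zero."""
    scaled = []
    for v, (lo, hi) in zip(features, bounds):
        span = hi - lo
        scaled.append(0.0 if span == 0 else (v - lo) / span)
    return scaled


def one_hot(label, classes):
    vec = [0.0] * len(classes)
    vec[classes.index(label)] = 1.0    # ValueError if the label was never seen in training
    return vec


def preprocess(train_rows, test_rows):
    """Clean both splits, fit the scaler and the class list on the training
    split only, then transform both. Fitting on the union would leak test-set
    ranges into training and inflate the reported accuracy."""
    train = drop_invalid(train_rows)
    test = drop_invalid(test_rows)
    bounds = fit_minmax(train)
    classes = sorted({y for _, y in train})
    X_train = [apply_minmax(f, bounds) for f, _ in train]
    Y_train = [one_hot(y, classes) for _, y in train]
    X_test = [apply_minmax(f, bounds) for f, _ in test]
    Y_test = [one_hot(y, classes) for _, y in test]
    return X_train, Y_train, X_test, Y_test, classes


def run_demo():
    return preprocess(TRAIN_ROWS, TEST_ROWS)


if __name__ == "__main__":
    X_train, Y_train, X_test, Y_test, classes = run_demo()
    print("classes:", classes)
    print("rows kept for training:", len(X_train))
    for x, y in zip(X_test, Y_test):
        print([round(v, 3) for v in x], y)
```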

C. Proposed Framework
The proposed deep learning framework detects botnet attacks in IIoT by combining Long Short-Term Memory (LSTM) and Deep Neural Network (DNN) layers in a hybrid model. Hybrid models can reach high detection accuracy in less time [43]. To benefit from two kinds of deep learning classifiers simultaneously, we combine LSTM and DNN to improve overall results. LSTM is chosen for its ability to learn effectively from longer sequences of data. As IIoT devices generate massive volumes of data quickly, DNN layers are used to enhance the predictive power of the model while keeping inference fast. The detailed arrangement of the hybrid architecture is given in Table II, and the modeling phases are portrayed in Fig. 2.

D. Experimental Setup
This section describes the experimentation and evaluation environment of the proposed attack detection mechanism. The experimental setup is based on the TensorFlow framework [44]. The Python library Keras [45] is used to design and implement the hybrid model for botnet detection, and performance evaluation is conducted using the scikit-learn (sklearn) library. The details of the experimental setup are presented in Table IV.

E. Evaluation Parameters
Various evaluation parameters are used to evaluate the capabilities of the proposed hybrid deep learning algorithm. The primary counts of true positives (TP), true negatives (TN), false positives (FP) and false negatives (FN) are presented through a confusion matrix, and the other basic metrics (accuracy, precision, recall, and F1-score) are derived from it. The formulas and basic descriptions are given below.
Accuracy: Accuracy = (TP + TN) / (TP + TN + FP + FN), the fraction of correctly classified records. It is the primary metric of the algorithm's performance, but on imbalanced data it can be misleading on its own, which is why the remaining metrics are also reported.
Precision: Precision = TP / (TP + FP), also called the Positive Predictive Value (PPV), is the fraction of records labelled as attacks that really are attacks.
Recall: Recall = TP / (TP + FN), also known as the True Positive Rate (TPR) or detection rate, is the fraction of actual attack records that the algorithm correctly identifies.
F1-Score: F1 = 2 × Precision × Recall / (Precision + Recall), the harmonic mean of precision and recall.
ROC Curve: The ROC curve plots the true positive rate against the false positive rate in 2D and illustrates the system's detection ability; the overall performance is summarized by the area under the curve (AUC). The ROC curves of the various algorithms are depicted in Fig. 6.

V. RESULTS AND DISCUSSION
We conducted a rigorous evaluation based on multiple parameters to fully demonstrate the performance of the proposed detection framework. We also carried out 10-fold cross-validation, shown in Fig. 4. The confusion matrix in Fig. 5 shows the overall performance of the proposed hybrid DL technique.
The detection rates of the proposed algorithms are shown in Fig. 8. Our hybrid DNN-LSTM performed best, with 99.94% detection accuracy compared to contemporary algorithms. The hybrid CNN2D-LSTM and DNN-DNN models reached 99.93% detection accuracy, whereas the hybrid CNN2D-CNN3D model attained 99.92%.
An algorithm with low values of FPR, FNR, FDR, and FOR is considered effective and efficient. The False Positive Rate (FPR) = FP / (FP + TN) is the fraction of benign records wrongly flagged as attacks. The False Negative Rate (FNR) = FN / (FN + TP) is the fraction of attack records that were missed. The False Discovery Rate (FDR) = FP / (FP + TP) is the fraction of raised alerts that are false, the complement of PPV. The False Omission Rate (FOR) = FN / (FN + TN) is the fraction of records labelled benign that were actually attacks, the complement of the Negative Predictive Value (NPV). The hybrid DNN-LSTM model achieved FPR, FDR, FNR, and FOR of 0.0051%, 0.0071%, 0.0031%, and 0.0039%, respectively, as shown in Fig. 9. Hybrid CNN2D-LSTM achieved 0.0048%, 0.0013%, 0.0013%, and 0.0051% for FPR, FDR, FNR and FOR, respectively. The hybrid DNN-DNN model achieved 0.0045%, 0.0013%, 0.0012%, and 0.0047% for FPR, FDR, FNR, and FOR, respectively, and the hybrid CNN2D-CNN3D model achieved 0.0053%, 0.0072%, 0.0021%, and 0.0065%.
The computational demand of an algorithm matters because it determines whether detection can keep pace with IIoT traffic. The testing time of the proposed algorithms is shown in Fig. 11. The hybrid DNN-LSTM model took 0.066 ms, whereas the testing times of the hybrid CNN2D-LSTM and DNN-DNN algorithms were 0.061 and 0.068 ms, respectively, and that of the hybrid CNN2D-CNN3D model was 0.067 ms.
We compared the proposed hybrid DNN-LSTM model with current advanced algorithms for detailed analysis. Table V compares the benchmark algorithms by algorithm, dataset, evaluation parameters, and detection time. The table shows that the proposed algorithm is highly efficient in both detection accuracy and speed. Moreover, the proposed model also attained higher results for the other metrics (precision, recall, and F1-score).