An Intelligent Multi-Objective Evolutionary Model for Establishing Security in Cyber-Physical Systems

This section describes the detailed explanation regarding the design model of CPS to fulfill security and improve the system model. It is composed of three phases: pre-processing, global and local intrusion detection, and a hierarchical model is used for classification. Finally, some metrics like accuracy, F-score, recall, error rate, confusion matrix are evaluated to show the significance of the MOEA model. Figure 1 depicts the block diagram of the anticipated MOEA model.

2.1 NSL-KDD dataset

NSL-KDD is an improved version of KDD'99 dataset to resolve inherent problems. It is a benchmark dataset used to help the investigators to analyze the threats that occur over the generic system model. It has some set of records with reasonable training and testing sets. The preliminary advantage of using this dataset is its competency to run the experiments without selecting any smaller set of the dataset. The evaluation outcomes of these research works are more comparable and consistent. It may not hold any redundancy of records over the available training sets. Therefore, the classifier does not bias with any recurrent records. It may not have any duplicate records and therefore the learner’s performances are biased with better prediction rates. The numbers of chosen records are inversely proportional to the original dataset percentages. As an outcome, the classification rate changes extensively which is proficient for accurate computation. The number of training and testing sets records are sensible.

2.2 System model

Assume, a multi-objective evolutionary model as depicted in Figure 1. The model is composed of multiple edge servers and global servers. Generally, edge servers accomplish pre-processing and local intrusion detection (LID) of various device-based data patterns. The edge server forwards the data and processes it over the cloud and it performs global intrusion detection with higher computational capacity. The intelligent hierarchical model includes three stages:

Stage 1: The server is armed with higher computational capacity than servers and this server offloads the processed data to the server for global edge servers with the correlated data patterns over the data space, i.e. among the IoT devices. Global intrusion detection adopts learning methods that are commonly applied over natural language processing.

Stage 2: Multiple edge servers achieve processing and local intrusion detection among the CPS. The data is normalized and reframed over the heterogeneous devices. The servers adopt PCA for reducing the dimensionality and adopt mapping for diminishing the computational complexity for intrusion detection. The server uses a sequential prediction approach to identify anomalies of every device based on the historical data patterns.

Stage 3: IoT devices produce data over the servers.

1.png

Figure 1. Block diagram of MOEA model

Table 1. Redundant records in KDD testing set

Table 2. Redundant records in KDD training set

Table 3. NSL-KDD dataset attributes

The Table 1 and 2 describes the dataset attributes with 42 attributes in which 41 attributes are categorized into four diverse classes as shown below:

(1) Basic (B) Features are individual TCP connection attributes.

(2) Content (C) Features are connection recommended using domain knowledge attributes.

(3) Traffic (T) Features are evaluated two-second time window attributes.

(4) Host (H) Features are attacks that lack for two seconds.

2.3 Intrusion detection framework

This section offers an outline of the anticipated framework for intrusion detection (ID) in the context of incoming data. The flow chart is anticipated in Figure 2 which possesses three data processing stages: 1) pre-processing; 2) local intrusion detection (LID) and 3) global intrusion detection (GID). The description of the three-stage model is provided as below:

Stage 1: Pre-processing is the preliminary stage of the proposed hierarchical intelligent model which uses the NSL-KDD dataset as the input to the hierarchical CPS system. The preliminary process is executed over the server-side which is composed of three pre-processing steps: 1) normalization, dimensionality reduction, and mapping. As the CPS is heterogeneous, the processing unit requires data reframing in the same format and the device payloads vary from one another. Some device payloads are qualitative and quantitative where various payloads are normalized to execute the intrusion detection process. Some indicators of the CPS data over the heterogeneous environment remain the same and therefore it is redundant in the intrusion detection process. Therefore, the redundant indicators are discarded to reduce the computational complexity. This work adopts PCA for dimensionality reduction over heterogeneous data. The CPS is a typical appliance with some specific functions and its behavior patterns are static relatively and limited. Therefore, the hierarchical framework is competent to capture the probable benign nature of the IoT devices where benign patterns if every device is computed easily. The reduced data vectors are categorized with diverse classes in correspondence to the data behaviors. Every class is mapped to a certain data symbol $S_{t}^{i}$ where i specifies the device index and t specifies the time slot. Further, symbol mapping diminishes the multi-dimensionality vector computation improves the global and local intrusion detection feasibility.

Stage 2: The data processing is performed over the local intrusion detection through the deep network model which is carried out over the edge server. The data vector classification i, specifies the symbol sequences $S^{i}=\left[S_{1}^{i}, S_{2}^{i}, \ldots, S_{t}^{i}\right]$ are recorded over the local server where the symbol sequence specifies the device pattern. Here, the anomalies are predicted based on the probability of the symbol occurrence over the cyber-physical systems as the data devices generally follow certain historical patterns. The deep network model is used because of its time series prediction for tuning the parameters (less) compared to the existing LSTM.

Stage 3: The successive stage is the GID with the conditional random field which shows the identity of its sequential data patterns over the local server and every symbol is provided to the server for global prediction, i.e. every symbol is tested and its likelihood occurrence of every data symbol is analyzed based on the symbol correlation. Therefore, the conditional field is used for prediction purposes in the context of the global symbol space.

The KDD-test set is composed of 25192 instances and the KDD-training set is composed of 22544 instances. The attribute labeled 42 in the dataset is 'class attribute' specifies Table 3 that the given instances are normal or attack.

2.png

Figure 2. Overall framework of MOEA

2.4 Data model

With the provided raw dataset of CPS D $=\left\{D_{t}^{i} \in \mathbb{R}^{l_{i}} \mid t=\right.$ $1,2, \ldots, T, i=1,2, \ldots, N\}$ where $N$ specifies the number of devices and $l_{i}$ specifies the data vector length of the device $i$ where $D$ is normalized, re-framed, and mapped to the symbol set $\quad \mathbb{S}=\left\{S_{t}^{i} \mid t=1,2, \ldots, T, i=1,2, \ldots, N\right\} \quad$ where $\quad S_{t}^{i} \in$ $\left\{1,2, \ldots, J_{i}\right\}$ and $J_{i}$ specifies the number of data classes, i.e. number of data symbols of provided i. Thus, the data is an index using the available devices and time.

2.5 Element driven-problem definition

This work intends to evaluate the anomalous score of the CPS to determine the abnormality which is depicted globally and locally using the edge server. The symbol $S_{t}^{i}$ is related to the device i at t time determined as the local intrusion where the probability of the occurrence is below the local threshold $\theta_{l}$ is depicted as in Eq. (1):

$A_{l_{t}}^{i}=\left\{\begin{array}{cccc}1 & P_{l_{t}}^{i}=P\left(S_{t}^{i} \mid S_{t-1}^{i}, S_{t-2}^{i}, \ldots, S_{t-k}^{i}\right)<\theta_{-} l \\0& \text { else }\end{array}\right.$                  (1)

where, $P_{l_{t}}^{i}$ specifies the $S_{t}^{i}$ likelihood of historical device patterns and $A_{l_{t}}^{i}$ specifies local anomalous. The device symbol $S_{t}^{i}$ of the device at $t$ time is specified as the global intrusion when the global probability occurrence $P_{g t}^{t}$ is below the threshold level θ_g where the computation is mathematically expressed as in Eq. (2):

$A_{g_{t}}^{i}=\left\{\begin{array}{cccc}1 & P_{g_{t}}^{i}=P\left(S_{t}^{i} \mid S_{t}^{1}, S_{t}^{2}, \ldots, S_{t}^{N}\right)<\theta_{-} g \\0& \text { else }\end{array}\right.$                   (2)

where, $A_{g_{t}}^{i}$ specifies the $S_{t}^{i}$ as a global intrusion. In overall anomaly computation, whether $S_{t}^{i}$ is an intrusion or not and it is provided as the Boolean outcome of $A_{l_{t}}^{i}$ and $A_{g_{t}}^{i}$ is expressed as in Eq. (3):

$A_{t}^{i}=\left\{\begin{array}{cc}1 & A_{g_{t}}^{i} \| A_{l_{t}}^{i}==1 \\ 0 & \text { else }\end{array}\right.$                        (3)

where, $A_{t}^{i}=1$ specifies the $S_{t}^{i}$ intrusion.

2.6 Refining data vectors

This section initiates the data refinement process where the data packets (raw) $D_{t}^{i}$ over the sequential data packet $D_{i}^{l}, D_{i}^{2}, \ldots, D_{i}^{t}$ of $i$ devices are normalized and reframed to $C_{t}^{i}$ based on the dataset features with specific characteristics $\left(c_{l}\right.$, $\left.c_{2}, \ldots, c_{s}\right)$. The data is diminished to $X_{t}^{i}$ through PCA and mapped as data symbols $S_{t}^{i}$.

2.7 Normalizing and reframing

The reframed data packet normalized is based on the chosen features as depicted. The features are chosen based on the PCA technique where the data values c₁, c₂, …, c₈ are linearly normalized from $0 \rightarrow 1$ about the maximal and minimal feature values (binary values). Therefore, all the features are normalized among 0 and 1 to attain generic processing over the packets received on the CPS devices. It is expressed as in Eq. (4):

$\left[C_{1}, C_{2}, \ldots, C_{N}\right]^{t r}=\left[\begin{array}{cccc}C_{t}^{1} & C_{t-1}^{1} & \ldots & C_{t-k}^{l} \\ \ldots & \ldots & \ldots & \ldots \\ C_{t}^{N} & C_{t-1}^{N} & \ldots & C_{t-k}^{N}\end{array}\right]$                  (4)

where, $C_{i}=\left[C_{t}^{i}, C_{t-1}^{i}, \ldots, C_{t-k}^{i}\right]^{t r}$ specifies the sequential data of device i with window k time slots and A^tr specifies the transposition matric of A.

2.8 Dimensionality reduction

The normalized and reframed data from $D_{t}^{i}$ to $C_{t}^{i}$ specifies the data refinement by filtering the redundant features through the PCA. Here, $C_{t}^{i}$ specifies the value transformed linearly with zero mean and it is expressed as in Eq. (5):

$\bar{C}_{t}^{i}=C_{t}^{i}-\frac{1}{8} \sum_{j=1}^{8} C_{t}^{i, j}$                    (5)

where, m=1, 2, …, 8 specifies the entry index $C_{t}^{i}$. Therefore, the square sum of every entry specifies the $\bar{C}_{t}^{i}$ where covariance matrix is expressed as in Eq. (6):

Covariance $e^{i}=\bar{C}^{i}\left(\bar{C}^{i}\right)^{t r}$                 (6)

${Covariance}^{i}=\left[\begin{array}{cccc}\bar{C}_{t}^{i}\left(\bar{C}_{t}^{i}\right)^{t r} & \bar{C}_{t}^{i}\left(\bar{C}_{t-1}^{i}\right)^{t r} & \ldots & \bar{C}_{t}^{i}\left(\bar{C}_{t-k}^{i}\right)^{t r} \\\ldots & \ldots & \ldots & \ldots \\\bar{C}_{t-k}^{i}\left(\bar{C}_{t}^{i}\right)^{t r} & \bar{C}_{t-k}^{i}\left(\bar{C}_{t-1}^{i}\right)^{t r} & \ldots & \bar{C}_{t-k}^{i}\left(\bar{C}_{t-k}^{i}\right)^{t r}

\end{array}\right]$                (7)

where, $\bar{C}^{i}=\left[\bar{C}_{t}^{i}, \bar{C}_{t-1}^{i}, \ldots, \bar{C}_{t-k}^{i}\right]^{t r}$. The covⁱ specifies the real-diagonalizable matrix and it is expressed as in Eq. (8):

$A_{i}=\left[\begin{array}{ccc}\lambda_{i, 1} & \cdots & \lambda_{i, n} \\ \vdots & \ddots & \vdots \\ \cdots & \cdots & \lambda_{i, k+1}\end{array}\right]$                   (8)

where, λ_i,j specifies the j^th Eigenvalue of covⁱ. The redundant Eigenvectors are related to the small eigenvalues that are discarded from another sequence. Thus, the analysis from $\bar{C}^{i}$ to $X^{i}$ with dimensionality reduction and $\bar{C}_{t}^{i}$ is converted to $X_{t}^{i.}$.

2.9 Mapping symbol

For every row vector $X_{i}$ specifies $X_{t}^{i}$ which is related to the device data at $t$. The objective is to evaluate data from vectors, i.e. mapping. The model adopts clustering algorithm for data device clustering into $J_{i}$ classes. Thus, the device set is specified as $\mathbb{S}^{i}=\left\{S_{t}^{i} \mid 1,2, \ldots, J_{i}\right\}$ where $\mathbb{S}^{i} \subset \mathbb{S}, J_{i}$ specifies the correlation coefficient to compute the data cluster using various parameters. The mapped data towards the symbol set and the CPS data volume is dimensioned further. The noise data interference is smoothed as the data over the provided cluster is specified using the cluster center and the data variations of the clusters are eliminated. Figure 3 depicts the MOEA framework for security establishment in CPS.

3.png

Figure 3. MOEA framework

2.10 Intelligent hierarchical model for global and local intrusion detection

The anticipated model anticipates an approach for anomaly detection in the CPS system by determining the global and local intrusion models. Here, a novel deep network model is used for performing local intrusion detection over the local servers. The existing network model merges the input and forget gate as the simple gate format. The recurrent unit captures the dependencies adaptively over certain time scales. Therefore, the enabling of the deep network model is revealed based on the symbol correlation of various CPS devices with the provided time. The learning ability of the network model is preserved and the provided deep structure diminishes the computational cost. The proposed intelligent hierarchical model is applied where x_t provides the present input state $S_{t}^{i}$ and ${\widehat{y_{t}}}_{i}^{i}$ specifies the probability of the occurrence and the weighted coefficient matrices of the deep network model. W_r and W_z specify the trained data samples. In the proposed MOEA framework, the sensing data of CPS is considered as the sentence where t^th is used for training the system model. The sentences are processed individually over the CPS server over t time slot where the network unit evaluates the input, output, and prior memory content through the above-mentioned equations. The input and output parameters are expressed as in Eq. (9):

$\left\{\begin{array}{c}x^{i}=\left[S_{1}^{i}, S_{2}^{i}, \ldots, S_{t}^{i} l \in \mathbb{R}^{1 * T}\right. \\ \hat{y}_{t}^{i}=\left[p(1), p(2), \ldots, p\left(J_{i}\right)\right] \in \mathbb{R}^{1 * J_{i}} \\ W_{z}^{i} \cdot W_{r}^{i}, W^{i} \in \mathbb{R}^{k *(k+1)} \\ h_{t}^{i}, r_{t}^{i}, Z_{t}^{i} \in \mathbb{R}^{k * 1} \\ V^{i} \in \mathbb{R}^{J_{i}^{*} k} \\ y_{t}^{i} \in \mathbb{R}^{J^{*} * 1}\end{array}\right.$                   (9)

where, $k$ specifies the internal network memory, $\widehat{y}_{i}^{t}$ specifies the probability vector and $y_{i}^{t}$ specifies the ground-truth value at $t$ time. The cross-entropy $L_{i}^{t}$ is mathematically expressed as in Eq. (10):

$L_{t}^{i}=-{\widehat{y_{t}}}^{i}\left(\log y_{t}^{i}\right)$                    (10)

where, the log specifies the logarithm (element-wise) function. The total cross-entropy loss is expressed as in Eq. (11):

$\Theta^{i *}=\arg \min _{\Theta^{i}} L^{i}$                    (11)

where, $\Theta^{i}=\left\{W_{Z}^{i}, W_{r}^{i}, W^{i}, V^{i}\right\}$. The trained network model is used for computing the probability vector $\widehat{y}_{l}^{t}$ is provided to predict the local intrusion of every device i. The input data probability is evaluated and the threshold probability θ_l is adjusted automatically from 1 to 0 by the server. The detection metrics like TPR, FPR, accuracy, precision, and F-score are evaluated. The threshold model is analyzed based on maximal precision. The threshold and parameters are trained and the network model is used for local intrusion detection. The nature of network traffic is changed and the trained and parameters are re-trained.

2.11 Global intrusion detection

Here, a conditional random field is adopted for measuring global intrusion detection where the conditional distributions of hidden states are evaluated based on the provided observations. In the proposed MOEA model, the conditional random field model is used for constructing the probability distribution of every state and measures the labeling of every CPS-based data. Assume, the global intrusion state of the CPS system at t tie which is represented as $\left[A_{g t}^{1}, A_{g t}^{2}, \ldots, A_{g t}^{N}\right]$ which is known as Markov-chain, and the input is provided in a sequential form $x_{t}=\left[S_{1}^{t}, \ldots, S_{N}^{t}\right]$ which is adopted for language processing. The conditional random fields (CRF) are appropriate for categorizing and modeling CPS data as the data is intrinsically considered based on the t time slot. The data produced by the device i at t time is based on the probability distribution of variables modeled through the random field which provides the probability factorized into functional product over intrinsic features. The probability of the variable state intrusion $A_{g t}=\left[A_{g t}^{1}, A_{g t}^{2}, \ldots, A_{g t}^{N}\right]$ which is provided as in Eq. (12):

$P\left(A_{g t} \mid x_{t}\right)=\frac{1}{Z\left(x_{t}\right)} \exp \left\{\sum_{i=1}^{N} \sum_{w=1}^{W} \mu_{w} f_{w}\left(i, A_{g t}^{i}, A_{g t}^{i-1}, x_{t}\right)\right\}$               (12)

where, f_w specifies the feature function and its weight factor μ_w. Z(x_t). It is expressed as in Eq. (13):

$Z\left(x_{t}\right)=\sum_{A_{g t}^{\prime}} \exp \left\{\sum_{i=1}^{N} \sum_{w=1}^{W} \mu_{w} f_{w}\left(i, A_{g t}^{i}, A_{g t}^{i-1}, \quad x_{t}\right)\right\}$                        (13)

where, $A_{g t}^{i}$ specifies the probability vector of the state vector $\left[A_{g t}^{i}, A_{g t}^{2}, \ldots, A_{g t}^{N}\right]$ at t time. The feature function is an indication that demonstrates the adjacent state pair and the random field is completely characterized by the weighted factor/feature set, i.e. ($f, \mu$). It is a supervised model which intends to process the training stage and it evaluates the model parameters based on the labeled data samples. The objective function is expressed as in Eq. (14):

$\sum_{t=1}^{T} \log P\left(A_{g t} \mid x_{t}\right)=\sum_{t=1}^{T} \sum_{i=1}^{N} \sum_{w=1}^{W} \mu_{w} f_{w}\left(i, A_{g t}^{i}\right.\left.x_{t}, A_{a t}^{i-1}\right)-\sum_{t=1}^{T} \log Z\left(x_{t}\right)$              (14)

To train the model parameters, the value of the objective function needs to be maximized as it is due to the convex nature of the objective function. The optimization is guaranteed to attain a global solution. The random field model is trained and it is functional to identify the input data state x_t at time t through the proposed hierarchical model. It is expressed as in Eq. (15):

$A_{g t}^{*}=\arg \max _{A_{g t}} P\left(A_{g t} \mid x_{t}\right)$              (15)

where, $A_{g t}^{*}$ specifies the intrusion detection mechanism with maximal likelihood. The training process of the local intrusion detection is based on the probability of acquired input, threshold probability which is adjusted automatically from 1-0 using the CPS server model. The threshold value is acquired based on the maximal precision value. The network-changing nature relies on the proposed hierarchical model. The algorithm of the anticipated intelligent hierarchical model is depicted in Algorithm 1: