Introduction
Contribution
- Advanced Feature Extraction with LSTM-SVAE: Introduction of a Long Short-Term Memory-based Sparse Variational Autoencoder (LSTM-SVAE) for efficient feature extraction in ICPSs. This model leverages Generative AI to process high-dimensional, sequential data, providing a robust foundation for accurate anomaly detection.
- Innovative Bidirectional RNN with Hierarchical Attention (BiRNN-HAID): Development of a novel Bidirectional Recurrent Neural Network enhanced with a hierarchical attention mechanism. This approach significantly improves the detection of complex intrusion patterns by focusing on pertinent features in the data.
- Cognitive Enhancement for Contextual Intrusion Awareness (CE-CIA): Integration of cognitive computing elements for refining intrusion detection predictions. This stage adds a layer of context-aware analysis, reducing false positives and enhancing the overall reliability of the system.
- Interpretive Assurance through Activation Insights (IAA-IDM): Implementation of a method to visualize and interpret activation patterns within the neural network. This transparency in the decision-making process enhances the interpretability of the IDS, providing cybersecurity analysts with valuable insights.
Existing Literature
Cybersecurity IS Literature and Computational Design Science Guidelines
Computational Models for Intrusion Detection
Research Design
Proposed Cognitive Computing-Driven Interpretable Intrusion Detection in ICPSs
Stage 1: LSTM-Based Sparse Variational Autoencoder for Feature Extraction (LSTM-SVAE)
Stage 2: Bidirectional RNN with Hierarchical Attention for Intrusion Detection (BiRNN-HAID)
Stage 3: Cognitive Enhancement for Contextual Intrusion Awareness (CE-CIA)
Stage 4: Interpretive Analysis and Assurance of Intrusion Detection Mechanisms (IAA-IDM)
Performance Evaluation
Experimental Setup
Stage 1: LSTM-SVAE | Setting |
---|---|
LSTM component | |
LSTM layers | 3 |
Units per LSTM layer | 128 |
Output layer function | Softmax |
Input layer nodes | 44 for ToN-IoT and 96 for Edge-IIoTset |
LSTM timestep | 1 |
SVAE component | |
Encoder layers | 2 (128 and 32 nodes) |
Encoder activation | tanh |
Decoder layers | 2 (32 and 128 nodes) |
Decoder activation | tanh |
Loss | Kullback-Leibler divergence |
Epochs | 2000 |
Optimizer | Adam |
Batch size | 250 |
Stage 2: BiRNN-HAID | Setting |
---|---|
BiRNN layers | 2 |
Number of units in each BiRNN layer | 64 |
Attention mechanism | Hierarchical |
Attention type | Self-attention |
Output layer function | Softmax |
Input layer nodes | 10 for both datasets |
BiRNN timestep | 1 |
Optimizer | Adam |
Loss | Categorical cross-entropy |
Dataset | Class | Training set | Testing set |
---|---|---|---|
ToN-IoT | Backdoor | 12,991 | 6,009 |
ToN-IoT | DDoS | 13,984 | 6,016 |
ToN-IoT | DoS | 13,951 | 6,049 |
ToN-IoT | Injection | 13,952 | 6,048 |
ToN-IoT | MITM | 733 | 310 |
ToN-IoT | Normal | 209,964 | 90,036 |
ToN-IoT | Password | 14,100 | 5,900 |
ToN-IoT | Ransomware | 14,011 | 5,989 |
ToN-IoT | Scanning | 14,032 | 5,968 |
ToN-IoT | XSS | 14,012 | 5,988 |
Edge-IIoTset | Normal | 966,595 | 414,263 |
Edge-IIoTset | DDoS UDP | 85,319 | 36,248 |
Edge-IIoTset | DDoS ICMP | 47,626 | 20,313 |
Edge-IIoTset | SQL Injection | 35,626 | 15,200 |
Edge-IIoTset | DDoS TCP | 34,984 | 15,078 |
Edge-IIoTset | Vulnerability scanner | 34,735 | 15,291 |
Edge-IIoTset | Password | 34,833 | 15,100 |
Edge-IIoTset | DDoS HTTP | 34,508 | 14,695 |
Edge-IIoTset | Uploading | 25,835 | 11,080 |
Edge-IIoTset | Backdoor | 16,830 | 7,196 |
Edge-IIoTset | Port scanning | 14,082 | 5,901 |
Edge-IIoTset | XSS | 10,510 | 4,556 |
Edge-IIoTset | Ransomware | 6,803 | 2,886 |
Edge-IIoTset | Fingerprinting | 574 | 279 |
Edge-IIoTset | MITM | 252 | 106 |
Dataset and Preprocessing
Evaluation Metrics
Performance Evaluation of the proposed IDS
Per-class results on ToN-IoT (Pr, Re and F1 in %):

Metric | Backdoor | DDoS | DoS | Injection | MITM | Normal | Password | Ransomware | Scanning | XSS |
---|---|---|---|---|---|---|---|---|---|---|
Precision (Pr) | 100.00 | 99.60 | 99.96 | 99.70 | 98.07 | 100.00 | 99.94 | 99.80 | 100.00 | 99.89 |
Recall (Re) | 99.76 | 99.96 | 99.70 | 99.58 | 98.70 | 100.00 | 99.86 | 100.00 | 100.00 | 100.00 |
F1-score (F1) | 99.88 | 99.78 | 99.83 | 99.64 | 98.39 | 100.00 | 99.90 | 99.89 | 100.00 | 99.94 |
False positive rate | 0.00005 | 0.00013 | 0.00002 | 0.00012 | 0.00 | 0.00004 | 0.00002 | 0.00014 | 0.00001 | 0.000007 |
Per-class results on Edge-IIoTset (Pr, Re and F1 in %):

Metric | Normal | DDoS UDP | DDoS ICMP | SQL Injection | DDoS TCP | Vulnerability scanner | Password | DDoS HTTP | Uploading | Backdoor | Port scanning | XSS | Ransomware | Fingerprinting | MITM |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Precision (Pr) | 100.00 | 99.98 | 99.97 | 46.31 | 86.41 | 95.67 | 29.73 | 94.78 | 67.69 | 99.43 | 95.63 | 47.33 | 99.96 | 99.48 | 99.06 |
Recall (Re) | 99.99 | 100.00 | 99.99 | 88.80 | 100.00 | 44.11 | 21.07 | 81.34 | 54.65 | 98.33 | 60.90 | 77.78 | 96.77 | 69.53 | 100.00 |
F1-score (F1) | 99.99 | 99.99 | 99.98 | 60.87 | 92.71 | 60.38 | 24.66 | 87.54 | 60.48 | 98.88 | 74.41 | 58.85 | 98.34 | 81.85 | 99.53 |
False positive rate | 0.00 | 0.000001 | 0.000005 | 0.00046 | 0.00452 | 0.00076 | 0.03186 | 0.00092 | 0.00248 | 0.00009 | 0.00029 | 0.00671 | 0.000003 | 0.000003 | 0.00 |
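The two results tables report per-class precision, recall, F1 and false positive rate for a multiclass IDS, which only makes sense under a one-vs-rest reading of the confusion matrix. The following is an added example (not code from the paper) that shows that computation on a constructed toy confusion matrix and, as a reviewer's sanity check, recomputes F1 from the reported Pr/Re pairs transcribed from the tables above. The definitions (Pr = TP/(TP+FP), Re = TP/(TP+FN), F1 = harmonic mean, FPR = FP/(FP+TN)) are the common convention and an assumption here, since the page does not state the paper's exact FPR definition; the toy matrix is constructed. Because Pr, Re and F1 are each rounded to two decimals, the recomputed F1 can legitimately differ from the reported one by up to about 0.01 (the ToN-IoT MITM and Ransomware rows do), so the check uses that tolerance rather than exact equality.

```python
"""Per-class IDS metrics and a consistency check on reported Pr/Re/F1 rows.

Added example (not the paper's code). Assumes the usual one-vs-rest
definitions for a multiclass IDS; the paper's exact FPR definition is not
stated on this page, so FPR = FP / (FP + TN) is an assumption here.
"""
from typing import Dict, List, Sequence, Tuple


def f1_from_pr_re(pr: float, re: float) -> float:
    """Harmonic mean of precision and recall; works for fractions or percentages."""
    return 0.0 if pr + re == 0 else 2 * pr * re / (pr + re)


def per_class_metrics(classes: Sequence[str],
                      cm: Sequence[Sequence[int]]) -> Dict[str, Dict[str, float]]:
    """One-vs-rest precision, recall, F1, FPR and support for every class.

    cm[i][j] is the number of samples whose true class is i and predicted class is j.
    """
    n = len(classes)
    total = sum(sum(row) for row in cm)
    metrics: Dict[str, Dict[str, float]] = {}
    for i, name in enumerate(classes):
        tp = cm[i][i]
        fn = sum(cm[i]) - tp                         # true i, predicted as something else
        fp = sum(cm[r][i] for r in range(n)) - tp    # predicted i, truly something else
        tn = total - tp - fp - fn
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        fpr = fp / (fp + tn) if fp + tn else 0.0
        metrics[name] = {
            "precision": precision,
            "recall": recall,
            "f1": f1_from_pr_re(precision, recall),
            "fpr": fpr,
            "support": tp + fn,
        }
    return metrics


def check_reported_f1(rows: Sequence[Tuple[str, float, float, float]],
                      tol: float = 0.01) -> List[Tuple[str, float, float]]:
    """Flag rows whose reported F1 is not the harmonic mean of the reported Pr/Re.

    Inputs are given to two decimals, so a difference of up to ~0.01 is rounding;
    anything beyond that is a transcription or computation error worth querying.
    Returns (class, recomputed F1, reported F1) for each flagged row.
    """
    flagged = []
    for name, pr, re, reported_f1 in rows:
        recomputed = f1_from_pr_re(pr, re)
        if abs(recomputed - reported_f1) > tol + 1e-9:
            flagged.append((name, round(recomputed, 2), reported_f1))
    return flagged


# (class, Pr %, Re %, F1 %) transcribed from the two results tables above.
TON_IOT_ROWS = [
    ("Backdoor", 100.00, 99.76, 99.88), ("DDoS", 99.60, 99.96, 99.78),
    ("DoS", 99.96, 99.70, 99.83), ("Injection", 99.70, 99.58, 99.64),
    ("MITM", 98.07, 98.70, 98.39), ("Normal", 100.00, 100.00, 100.00),
    ("Password", 99.94, 99.86, 99.90), ("Ransomware", 99.80, 100.00, 99.89),
    ("Scanning", 100.00, 100.00, 100.00), ("XSS", 99.89, 100.00, 99.94),
]
EDGE_IIOT_ROWS = [
    ("Normal", 100.00, 99.99, 99.99), ("DDoS UDP", 99.98, 100.00, 99.99),
    ("DDoS ICMP", 99.97, 99.99, 99.98), ("SQL Injection", 46.31, 88.80, 60.87),
    ("DDoS TCP", 86.41, 100.00, 92.71), ("Vulnerability scanner", 95.67, 44.11, 60.38),
    ("Password", 29.73, 21.07, 24.66), ("DDoS HTTP", 94.78, 81.34, 87.54),
    ("Uploading", 67.69, 54.65, 60.48), ("Backdoor", 99.43, 98.33, 98.88),
    ("Port scanning", 95.63, 60.90, 74.41), ("XSS", 47.33, 77.78, 58.85),
    ("Ransomware", 99.96, 96.77, 98.34), ("Fingerprinting", 99.48, 69.53, 81.85),
    ("MITM", 99.06, 100.00, 99.53),
]

# Constructed toy confusion matrix (rows = true class, columns = predicted class).
TOY_CLASSES = ["Normal", "DDoS", "MITM"]
TOY_CM = [
    [90, 5, 5],   # 100 Normal samples, 10 of them raised as attacks
    [2, 48, 0],   # 50 DDoS samples
    [1, 0, 9],    # 10 MITM samples: the rare class, as in both datasets
]

if __name__ == "__main__":
    for name, m in per_class_metrics(TOY_CLASSES, TOY_CM).items():
        print(f"{name:7s} Pr={m['precision']:.4f} Re={m['recall']:.4f} "
              f"F1={m['f1']:.4f} FPR={m['fpr']:.5f} n={m['support']}")
    print("ToN-IoT rows outside tolerance:", check_reported_f1(TON_IOT_ROWS))
    print("Edge-IIoTset rows outside tolerance:", check_reported_f1(EDGE_IIOT_ROWS))
```

The toy matrix illustrates why a class's FPR can look tiny while its precision is poor: with a rare class such as MITM, a handful of false positives is a small fraction of the many negatives but a large fraction of the few positives. That is the pattern behind the low-precision Edge-IIoTset rows (SQL Injection, Password, XSS), and it is the reason per-class precision and FPR should be read together rather than either alone.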