Hybrid Deep Neural Network Model for Detection of Security Attacks in IoT Enabled Environment

The extensive use of Internet of Things (IoT) appliances has greatly contributed in the growth of smart cities. Moreover, the smart city deploys IoT-enabled applications, communications, and technologies to improve the quality of life, people’s wellbeing, quality of services for the service providers and increase the operational efficiency. Nevertheless, the expansion of smart city network has become the utmost hazard due to increased cyber security attacks and threats. Consequently, it is more significant to develop the system models for preventing the attacks and also to protect the IoT devices from hazards. This paper aims to present a novel deep hybrid attack detection method. The input data is subjected for preprocessing phase. Here, data normalization process is carried out. From the preprocessed data, the statistical and higher order statistical features are extracted. Finally, the extracted features are subjected to hybrid deep learning model for detecting the presence of attack. The proposed hybrid classifier combines the models like Convolution Neural Network (CNN) and Deep Belief Network (DBN). To make the detection more precise and accurate, the training of CNN and DBN is carried out by using Seagull Adopted Elephant Herding optimization (SAEHO) model by tuning the optimal weights. Keywords—Internet of things; deep learning; optimization; convolutional neural network; security attack detection


I. INTRODUCTION
IoT is an integration of services, people, interconnected entities, and physical infrastructure that process the information [1]. Moreover, the IoT systems are dynamically distribute, edge based computational resources and allocations of information. IoT devices communicate with one another by wireless communication systems and transfer the information to a centralized model [2] [3]. IoT is one of the interrelated models that supports seamless information among the devices (e.g.), automotive sensors, environmental sensor, industrial robots, road-side sensors, surveillance devices, medical devices and smart home sensors. The sum figure of the linked IoT devices has touched the usage of 27 billion in 2017. IoT devices used various technologies, service types, and protocols [4]. Consequently, it seems more complex to maintain the upcoming IoT framework as it leads to unwanted vulnerability in the environment. The cyber-attack could access the details in an illegal manner regarding each activity of citizens without the user's knowledge or can reconfigure the devices with the unsecured settings [5] [6].
The risk rendering through these attacks may affect the protection of IoT networks and the entire eco-system such as applications, web-sites, servers and social networks, through malicious smart device known as botnet (i.e.), robot networks. Also, a communication channels or single component in IoTbased systems can be compromised by paralyzing the complete or part of Internet network [7][8] [9]. Hence, the standard attack detection model is required, which could analyze the behavior of attacks in network. The rising of deep learning (DL) has alleviated the limitations of the conventional machine learning (ML) schemes due to the combined implementation of classifier and feature extraction, and its strong representative ability [10] [11] [12] Further, DL model is used for avoiding the overhead of manual selection of features, and that is an essential section for traditional classification systems [13] [14].
Several researchers have used the DL tools for solving the problems related to the communication which is progressively being carried out [15] [16]. Particularly, DBN is implemented based on the AMC scheme through SCF feature; however, it attains the restricted classification outcomes due to inadequate ability. Furthermore, an unsorted DNN is used for identifying the signal modulation systems with less computational complication [17] [18] [19] [20] [21]. Still, the deficiencies of the convolutional operation make it more complex for extracting the high-dimensional features. The IoT devices creates large amount of data. Moreover, the ML [22] [23] pipelines has performed the process of data collection, feature extraction, and binary classification in many systems or models for the detection of IoT traffic. Several ML algorithms [24] The key contributions of the proposed model are given below: • Introduces the Hybrid model for detection of attack in IoT.
• Proposed the Seagull Adopted Elephant Herding Optimization (SAEHO) algorithm for training the hybrid system through tuning the optimal weights.
In this paper, the literature review on attack detection in IoT is given in Section II. Overall description of the adopted attack detection model is determined in Section III. Preprocessing and feature extraction phase are described in 120 | P a g e www.ijacsa.thesai.org Section IV. Section V describes attack detection by proposed hybrid deep learning model. Section VI depicts the proposed seagull adopted elephant herding optimization algorithm for optimal training of hybrid model via tuning the weights. Section VII specifies the result and discussion. At the end, the conclusion of this paper is depicted in Section VIII.

A. Related Works
In [34] Li, et al., (2019) has introduced the information security approach of block chain on the basis of intrusion detection technique in the IoT. Moreover, the intrusion detection technology was used for analyzing the recognition technology on the basics of dissimilar systems, and the security of block chain information. From hacker attack, the intrusion detection model was one of the security technologies for protecting the network resources. IDS were more beneficial enhancement to the firewall that would assist the network approach for enhancing the integrity of the information security framework and detecting the attacks quickly. Finally, the proposed intrusion detection technique was used for the block chain information security system, and the experimental outcomes have shown better fault tolerance and higher detection efficiency.
In [35] Boubeta, et al., (2020) has proposed an intelligent architecture which combined ML paradigm and the CEP technology for detecting various categories of security attacks in real time IoT. Additionally, the proposed architecture was accomplished for managing the event patterns easily and the conditions depend on values attained via ML models. Moreover, an automatic code generation and a model-driven graphical device were provided for pattern definition in security attack and it hides all the complication attained from execution information of domain experts. The simulation outcome of the adopted model has demonstrated better performance than other schemes.
In [36] Marcos, et al., (2020) have adopted a near real-time SDN security model in which it secures the basis of SDN controller besides the traffic destruction and avoids the DDoS attacks in the source-end network. Further, the CNN for DDoS detection was tested and applied, and determined the system alleviate the identified attacks. A GT based technique was used to mitigate the attack in which it optimized the packet discard rate and concern within the SDN's central controller. At the end, the experimental results of the presented SDN security scheme have shown better outcomes against nextgeneration DDoS attacks.
In [37] Mabodi, et al., (2020) have determined a hybrid system based on the cryptographic authentication. In addition, the adopted model includes four stages like gray hole attack discovery, testing the routes, the malicious attack removal procedure in MTISS-IoT, and the IoT identifying node trust. The adopted system was assessed via extensive simulations that were done in the NS-3 tool. At the end, the experimental results of four circumstances have determined that the MTISS-IoT model has shown better FPR, FNR, and detection rate than other models.
In [38] Chunsheng, et al., (2020) have implemented a MMFN for identifying the signal modulations via a new feature known as PCCs. Furthermore, a PCCP was implemented for converting the raw modulated signals into PCCs, and it was the inputs given to MMFN. The multimodule fusion model was proposed in MMFN for acquiring the higher representation capability. Moreover, the characterization module was implemented for balancing the tradeoff among the dimensions of the extracted features and the number of parameters. At the end, the experimental results of the presented MMFN approach have achieved 90% accuracy at 1 dB SNR and superior classification performance.
In [39] Mohammed, et al., (2020) has discussed the IoT-ED possibility with implanted HT which provides serious privacy, security, and available issues to the IoT based HAN. Moreover, the traditional network attack detection models have worked the network protocol layers, while the IoT-ED with HT leads to the demonstration of attack at the firmware or/and physical level. The adopted model was used for identifying the multiple attacks and differentiated the various attack types. Further, the IoT-ED behaviors have been studied for 5 various random attacks that includes the DoS, impersonation attacks, power depletion, ARQ, and covert channel. The adopted method could distinguish with 92% accuracy for all the attacks simultaneously.
In [40] Sahay, et al., (2020) have determined a layered scheme of IoT routing security for analyzing the susceptibility linked with every phase of the routing method. The adopted system has explored the leverage of inherent features in blockchain for enhancing the security in IoT-LLNs. Moreover, the blockchain network operated as a protected data link among the attack detection mechanism and the IoT-LLN to enhance the outcomes of XGBoost algorithm. Finally, the blockchain-based model was implemented with elegant contract to generate the real-time alerts for identifying the sensor nodes.
In [41] Alabady, et al., (2020) have introduced a novel security system in the IoT era for cooperative virtual networks. The proposed model has determined the attacks and risks in switches, network security vulnerabilities, threats, routers and firewalls, along with a policy for mitigating those risks. The adopted method has offered the basics of secure networking scheme that includes router, firewall, VLAN technology and AAA server. At last, the simulation results of the adopted approach have demonstrated an effective security execution with excellent network services and speed. Table I shows the review on attack detection system in IoT. Originally, the Mapping UML model was determined in [41] that presents higher detection efficiency, fault tolerance and better accuracy; however, the data selection sensor technique was not incorporated into the computer environment. Moreover, the CEP and ML models were deployed in [24] that provide better precision, higher recall, and maximum F1 score. Nevertheless, more event patterns were not defined in the proposed model for detecting other types of attacks. CNN model was exploited in [42] that offer higher accuracy, improved precision rate, and maximum recall, but need to maximize the host count in the simulated SDN environment. Likewise, MTISS-IoT model was exploited in [23], which offers better FPR, low FNR and maximum detection rate. However, the firefly optimization was not used in the proposed work to lower consumption energy and malicious attacks on the IoT. MMFN method was exploited in [29] that have robustness, higher classification accuracy, and strong characterization ability; however, the small-scale data-driven DL-AMC model with less training time was needed for training the neural network (NN). In addition, an IoT-based HAN model was determined in [28], which offers better accuracy, reduced false positives, and high precision. However, the proposed work needs to suggest the moving data process nearer to the network edge. XGBoost Classifier was suggested in [33] that offers secured network, maximum accuracy, higher recall and improved operational efficiency. However, need to investigate an efficient mechanism to address and analyze the challenges. Finally, the VLAN was introduced in [35], that offers effective security execution, best network speed and services, but the VLAN technology were not utilized in the LAN environment. Thus, the challenges have to be taken into account based on attack detection method in IoT in the present work efficiently.

III. SYSTEM MODEL OF INTRUSION DETECTION ON IOT FRAMEWORK
The IoT plays significant role in the information age, and it is a significant component of the novel information technology. Moreover, the IoT server is the functional core of the entire IoT business scheme. The essential functions of terminal sensor processing, data collection and return the processing outcomes are all designed through the server. Further, the security vital in cyber life as it relies with great advancement of IoT techniques. In addition, the IDS are the protector for the Internet servers. Fig. 1 indicates the circumstances in which the IDS are concerned in the IoT network. Many of the IoT devices and IoT servers are exposed directly to the public Internet due to the feature of remote control. In addition, the attackers would capture the vulnerabilities for intruding the IoT servers. However, the IDS are extremely needed for protecting and detecting the IoT servers from the attackers. The IDS usage would protect the terminal users and also protect the service providers from the hazards on the Internet. The security protections are not fully achieved in the IoT application as it reduces the attack plane. The lowering of the attack plane is limited extremely, and intruders may find the path to crack the assured node in the network. This work seeks the strategy of deep learning concept in the intrusion detection system. Fig. 1 illustrates the IoT framework.

IV. OVERALL DESCRIPTION OF THE ADOPTED ATTACK DETECTION MODEL IN IOT
This proposal intends to introduce a novel deep hybrid attack detection system that consists of three phases: "(i) preprocessing (ii) Feature extraction (iii) Classification". Originally, the input data is preprocessed under data normalization process. Subsequently, the preprocessed data is subjected to the feature extraction stage, where the higher order statistical features and statistical features are extracted. Moreover, the statistical features include mean, median, SD, mode, HM, RMS, peak amplitude and pitch angle; and the higher order statistical features include kurtosis, skewness, energy, entropy, mean frequency, and percentile are extracted. Moreover, the extracted features are provided as the input to the detection phase with hybrid model that combines the models like CNN and DBN. It is obvious that the detection model must be trained in a proper manner, such that the detection accuracy increases in this way. To make this possible, this work adhere the utilization of optimization logic that could make the training process more optimal. Thereby, the weights of both the CNN and DBN are optimally tuned by a new SAEHO algorithm. This is the proposed hybrid algorithm, which combine the logic of both the EHO and SOA algorithm. Fig. 2 illustrates the architecture of proposed detection system. The proposed hybrid model follows the parallel execution of both the models with the extracted feature set, and finally averages the outcomes obtained from each model, which is considered as the final detection results.

A. Optimized CNN Model
The extracted features are provided as input to optimized CNN [43]. Convolutional Networks are the trainable multistage framework that includes numerous stages. The input and output of every stage are group of arrays recognized as feature maps. In addition, the well-recognized classifier is CNN that consists of 3 layers like "fully connected layer, pooling layer, and convolution layers". Furthermore, the convolution layer contains of several convolution kernels. The entire feature map was determined by the numerous kernels. Moreover, the ℎ layers matched to ℎ feature map and feature values in the place( , ) is denoted as , , , and it is given in Eq. (1). Similarly, the ℎ filter value is provided in the ℎ layer. Consequently, the optimal tuning of the weight is performed using the adopted SAEHO scheme. The linked input patches in the ℎ layer at location( , ) are determined using , . The non-linearity is attained through the activation function which predicts the nonlinear features of multi-layer networks. Moreover, � , , � and (•) are defined in Eq. (2). Even though, the shift-variance in the pooling layer is deployed through minimizing the resolution of feature maps as given in Eq. (3).
Pooling layer: "In CNN, the pooling layer has performed the processes of down sampling with the resultant attained from the convolutional layers. Further, the 2 renowned pooling types such as max pooling and average pooling are used. The max pooling has attained the higher value; but the average value is observed in the average pooling".
Fully connected layer: It works within the flattened inputs. In general, the results attained from the pooling layer are given as the input of fully connected layer and thus the inputs are connected to all layers. In the CNN structure, the fully connected layer occurs at its edges. The output of CNN is denoted as .

B. DBN based Attack Detection
In 1986, Smolensky implemented DBN [44] with multiple layers, and there is a visible and hidden neuron in each of the layer. The visible neurons are fully interconnected with the hidden neurons. Naturally, the stochastic neuron's outcome is probabilistic in the Boltzmann networks. The DBN is fully trained to distinguish the occurrence of attackers within the network grounded on the extracted features. DBN framework is an intellectual model that includes of hidden neurons, visible neurons and layers form output layer. Furthermore, there found connotation exists via hidden and input neurons; yet, no relation in visible neurons, the association rule is not existing among hidden neurons. The link existing among visible and hidden neurons is symmetric and exclusive.
The output of the neurons is probabilistic in the Boltzmann network. The output � is grounded on the probability function ( )in Eq. (5). The probability function has used the sigmoid-shaped function.
In DBN architecture, the path of the feature processing is shown by a collection of RBM layers, and the classification procedure shown by MLP. The mathematical model depict Boltzmann machine energy in the method of neuron or binary state as portrayed in Eq. (8) and Eq. (9). Where, , indicates the weights amid neurons, which is optimally adjusted or tuned by a new proposed SAEHO model and specifies the biases.
The growth of energy grounded on combined conformation in visible or hidden neurons ( , )is described in Eq. (10), Eq. (11) and Eq. (12), where, and portrays the binary state of hidden unit and visible unit. and indicates the biases and , signifies the weight among them.
RBM training achieves the resultant weight allocation and the distributed probabilities are stated as in Eq. (13). The probability distribution in RBM method for the visible and hidden vectors pair� ⃗, → �is given in Eq. (14). The partition function is specified in Eq. (15).

A. Solution Encoding and Fitness Evaluation
The weight of both DBN and CNN are optimally adjusted or tuned via the adopted SAEHO. The input solution subjected to the adopted SAEHO scheme is demonstrated in Fig. 3, where, 1 , 2 ,…. shows the weights of CNN, 1 , 2 ,….
shows the weights of DBN, indicates the total counts of weight in CNN, and denotes the total number of weights in DBN. The fitnessobjective of adopted detection model is stated in Eq. (17). Here, indicates the detection error.

B. Proposed SAEHO Model
This paper implements a new hybrid SAEHO scheme which combines the logic of EHO [45] and SOA [46], respectively. While the traditional EHO gives better performance; the disadvantage is that it will not use the required data to identify the present and future searches. The existing SOA model has solved the challenging large-scale constrained issues and hence solve 7 constrained real-life industrial applications; still, the constraints are very tedious and computational complexity. This becomes the issue while solving optimization problems. This makes us to combine the logics of both the algorithm since the Hybrid models are reported to be promising for certain search problems with better convergence speed [23]. Here, the logic of SOA is integrated with EHO, and thereby named as SAEHO.
Naturally, the elephants live in social groups called clans and each clan stay with Matriarch, the female elephant leader. The grown male elephant lives separately from their groups. The elephant population is produced randomly and it splits into a number of clans according to their fitness value.EHO algorithm having three major rules to follows.
• The elephant population consists of number of clans with fixed number of female and male elephants in every clan.
• Some of male elephants live far from the clans individually.
• The elephant lives together with the leader of all clans, matriarch (i.e.,) female elephant in each clan.

1) Clan updating:
In this operator, each clan updating is done individually. Conventionally, the subsequent position is influenced by matriarch h and for each elephant in clan h for the clan updating operators. However, as per the proposed SAEHO method, the SOA updation function is used for clan updation as given in Eq. (18).
In Eq. (18), indicates the locations of seagull search agent ̑t owards the best fit search agent (i.e., fittest seagull), d enotes the search agent's current position, r efers to the current iteration, and the behavior ̑i s randomized used for proper balancing among exploitation and exploration.
Moreover, for the best fit elephant, the updation is achieved by Eq. (19).
In Eq. (19), [0,1] is the center of clan ℎ. The new individual ,ℎ, is expressed from the information obtained by all elephants in clanℎ.
,ℎ represent the centre of clan ℎ, and it is given in Eq. (20).
2) Separating operator: The grown male elephants in clan starts live separately. The separating operator is determined after the separating process while solving the optimization problem. As per the proposed SAEHO logic, for enhancing the search ability, the worst fitness of elephant at each generation in the separating operator is defined as per the proposed evaluation given in Eq. (21).
Here, indicates the minimum bounds in the positions of single elephant.
,ℎ indicates the worst elephant individuals of clan and value is calculated using Chebyshev chaotic map. The value ranges from 0 to 1.
The pseudo code of adopted approach is given in Algorithm 1.

VI. CONCLUSION
This paper has introduced a novel deep hybrid attack detection method. The input data subjected for preprocessing phase and data normalization process was carried out. From the preprocessed data, the statistical and higher order statistical features were extracted. Finally, the extracted features were given to hybrid deep learning model for detecting the presence of attack. The proposed hybrid classifier combines the models like DBN and CNN. To make the detection more precise and accurate algorithm named SAEHO proposed which used for tuning the optimal weights. SAEHO combines the logic of EHO and SOA. In the algorithm, two kinds of operator used i.e., clan updating and separating. Clan updating is done by EHO providing it able to find the best position else SOA is used to find the solution. As our next task, the performance of the proposed model will be computed over the present methods in terms of various metrics like FNR, MCC, Rand index, sensitivity, FPR, specificity, FDR, precision, NPV, accuracy, and FMS, correspondingly.