Identification of the False Data Injection Cyberattacks on the Internet of Things by using Deep Learning

—With the expanding utilization of cyber-physical structures and communication networks, cyberattacks have become a serious threat in various networks, including the Internet of Things (IoT) sensors. The state estimation algorithms play an important role in defining the present operational scenario of the IoT sensors. The attack of the false data injection (FDI) is the earnest menace for these estimation strategies (adopted by the operators of the IoT sensor) with the injection of the wicked data into the earned mensuration. The real-time recognition of this group of attacks increases the network resilience while it ensures secure network operation. This paper presents a new method for real-time FDI attack detection that uses a state prediction method basis on deep learning along with a new officiousness identification approach with the use of the matrix of the error covariance. The architecture of the presented method, along with its optimal group of meta-parameters, shows a real-time, scalable, effective state prediction method along with a minimal error border. The earned results display that the proposed method performs better than some recent literature about the prediction of the remaining useful life (RUL) with the use of the C-MAPSS dataset. In the following, two types of attacks of the false data injection are modeled, and then, their effectiveness is evaluated by using the proposed method. The earned results show that the attacks of the FDI, even on the low number of the sensors of the IoT, can severely disrupt the prediction of the RUL in all instances. In addition, our proposed model outperforms the FDI attack in terms of accuracy and flexibility.


I. INTRODUCTION
The current developments and the rapid growth of the Internet of Things sensors have increased the possibility of predictive maintenance.This capability is a method for the prevention of asset damage by the generation of data analysis and the template identification for the prediction of the subjects before which they occur.Using these PdM techniques leads to an increment in productivity, a 35%−45% decrease in downtime and the 25%−20% decrease in maintenance cost [1].Due to this good feature, the equipped PdM solutions with machine learning and IoT sensors are transforming the transportation, oil, gas, aerospace, automotive, national defense and construction industries.For example, recently, the algorithms of deep learning have displayed massive achievement in these applications [2].However, unfortunately, the sensors of the IoT and the algorithms of deep learning widely are delicate to cyberattacks [3].This bad feature is a considerable menace to the overall system of the PdM.Due to the provided reportage by Malwarebytes, the cyber menace versus the factories/occupations has enhanced to over 200% in the prior year [4].
In particular, recognizing covert attacks like the false data injection (FDI) attack [5] in the PdM system is quite challenging due to the unique nature of this attack type.The attack of the false data injection (FDI) [5] is in such a way that an attacker secretly compromises the measurements of the sensors of IoT.This is done by the method that the measurements of the manipulated sensor bypass the original detection method of the "defective data" by the sensors.Then they propagate into the output of the sensor.The attack of FDI can be fulfilled by completing the communication network of the sensors, the physical sensors and the processing applications of the data.These types of attacks in the system of PdM may not even display their effect.But, in lieu, the attack propagates aboard the sensor to the machine learning part of the system of PdM.Next, it tricks the system with the prediction of the possession defeat and or the interval of the delayed maintenance.It may evince a considerable cost with the creation of an unplanned defeat and or human life loss on the applications of the safety-critical [6], [7], [8].In the past, the attacks of the FDI have made the very incidents of the known catastrophic.The most important example is the Northeast blackout in the United States in 2003 and the attack on the Ukrainian power grid.These attacks have influenced more than 230,000 people.They have been without power for multiple hours.A vast investigation has been done about the identification and reduction of the attacks of FDI in the field of cyber-physical systems [9], [10], [11].The current users of this type of system for aircraft engine maintenance are Honeywell, Rolls-Royce, Pratt & Whitney, US Air Force and General Electronics [6], [12], [13].
The proposed solutions for sensor attack detection, which are provided so far in the field of the system of cyber-physical and IoT, are not enough for the solution of this subject because utmost of the existing method travail from the scalability subjects and the resource overhead when they deployed individually on thousands of the sensors.Many IoT sensors have limited power and limited resources.This paper presents a real-time attendance recognition method for these attacks in earned mensuration by applying the models of deep learning for the precise state prediction along with an impressive abnormal identification approach in the predicted www.ijacsa.thesai.orgstates with the use of the matrix of the error covariance.When the change rate of the eigenvalues of the error covariance matrix exceeds a predefined threshold, then the network operator indicates the presence of the attack of FDI on a collection of the accessible mensuration.This shows an effective deployment of the scalable 920D.Therefore, our article contributions are as the below:  By effectively adjusting the presented deep learningbased method parameters, a collection of the indices of the minimum error have been obtained.An encyclopedic compersion between two non-uniform deep learning-based methods and a conventional MLbased method, such as the SVM and an actuarial prediction method, such as the integrated moving average of the autoregressive, is carried out in this work.
 By incorporating the noise into the existing mensuration, the presented deep learning-based method provides flexible action with minimal changes on the indices of the error.
 The presented abnormal recognition scheme shows a robust, real-time and excellent FDI attack recognition approach with the tracking of the change rate of the eigenvalues of the matrix of the error covariance.
 Since our presented method does not require the major modification of the standard BDD, therefore, it represents a cost-impressive method.
The continuation of this paper is as the below: In Section II, the related works is presented.In Section III of the paper, the proposed algorithm details are presented.Then, Section IV presents the earned results from the designed experiments.Eventually, Section V presents the potential conclusions and future perspectives.

II. RELATED WORKS
The available studies on the data injection attacks on smart networks are listed in [27] to [35].The work in [29] introduces an analysis of the economic effects of data injection on electricity markets in the smart power grid.In this reference, it is assumed that an attacker participates in the virtual transactions of the electricity market with complete information that he has from the network and it designs his attack strategy based on the manipulation of the electricity price in order to maximize the profitability and by observing all the limitations of the attack.In [30], the operation of the data injection attack in the electricity market environment is considered for a connected micro-grid to the power system.This attack can affect the optimal outputs of micro-grid energy management, such as the total cost of production.The research in [31] suggests the monetization of malicious data attack on electric energy production markets and the necessary strategy to maximize the revenue.The study in [32] proposes LR as a type of FDIA that the load distribution attack can affect the operation of the smart grid by attacking the economic load distribution bound by the security constraints (SCED).To solve this problem, [33] has introduced the problem of the distributed resilient economic load distribution under cyber-attacks.With the aim of directly controlling local marginal prices (LMPs) in real time through FDIA, [34], a control theory based on a method is presented to analyze the effect of attack implements pricing stability.
In [35] and [36], a zero-sum game is formulated between an attacker and a defender, in which the attacker changes the estimated throughput of the lines to manipulate the prices.According to this game theory, a two-level optimization problem is formed.In [37] and [38], the economic effect of the structured information attacks as a generalized type of FDIA in electricity markets by using the virtual bidding activities is studied.The structured information of smart grids is used to exploit the system for management.The network is very vital in a safe way, but this information can be manipulated by a cyber-attacker by changing the on/off state of the power switches.In addition to these, recently in [39], an attack strategy has been proposed in which a cyber-attacker can effectively change LMPs by manipulating some vital parameters of the model and achieve the financial gain.Also, an FDIA can be well matched with a coordinated physical attack and actually create a coordinated physical-cyber-attack (CCPA), which has a more destructive effect on the normal operation of the smart network.
In [40], the coordinated attack includes connecting the physical shortening of the transmission lines, after infiltrating the communication network with the cyber protection layers.The research in [41] has designed a CCPA with the aim of maximizing disruption in the day-ahead (DA) and real-time electricity markets.The study in [42], an attack of a CCPA based on AC state estimation proposes to disrupt the operation of the electricity market by manipulating the nodal prices.All the above related studies are based on the hypothesis that the cyber attacker has complete knowledge about the target smart grid information, which includes the network topology, the branch parameters, etc.In fact, in any given smart grid, the network information is vast and highly secure and vital.Moreover, information is dynamic; because the network topology can be reconfigured in both normal and event situations.Therefore, in practice, it is very difficult for a limited attacker to access the complete information of the network.In several recent works based on [33] to [35], this aggressive challenge in FDIA design has been addressed to some extent according to different tools, techniques and requirements.
In study [43], the attacker has formulated a secret profitable attack without prior knowledge of network topology and only through phasor observations by using the linear independent component analysis.In study [44], the attacker designs an online attack strategy against the real-time electricity market based only on real-time information received from measuring devices and without the need for the network topology information.A profitable data injection attack on electricity markets by limited attackers with incomplete network information is studied in [45].In this reference, the uncertainties associated with random network information, a model and a possible framework for designing an undetectable and profitable attack are presented.One of the problems in this reference is the need for past data to properly www.ijacsa.thesai.orgestimate the probability distribution functions of the parameters.

III. PROPOSED SCHEME FOR THE FDI ATTACK DETECTION
In this section, the presented method for detecting the attacks of false data injection is detailed.For this purpose, first, a brief explanation of these types of attacks and how the definition of them are provided.In the following, the proposed scheme is expressed.

A. Definition of FDI Attack
At first, it should be stated that the only purpose of the attack of the FDI is the bypassing of the remaining test in the centers of control with the attenuation of the climacteric vulnerabilities of the sensors and RTUs.This progressive cyberattack scheme in various networks (such as the Internet of Things) leads to the change of a group of the state estimations from a group of the obtained mensuration.A vector expansion approach of the indiscoverable covert attack for the nonlinear algorithm of the state prediction is presented, which shows: where, represents the vector of the injected attack to the obtained collection of the mensuration for the presentation of a group of the corrupt mensuration .Therefore, it creates a set of the false estimation states ̂ . The statistical remaining test, which is performed by the BDD in the above conditions, can be seen as follows: From the above equations, it can be seen which vector of the extended attack can bypass as successfully the remaining test.Therefore, it leads to climacteric operational scenarios.
The existing operators in the center of the control adopt the algorithms of the state prediction for the definition of the climacteric network actions, such as the load prediction, the load distribution of the economy, and so on [14].The mensuration in the SCADA is broadcasted via BDDs to meet the integrity and the quality of the mensuration.Then the bad information removes according to the noise in the networks of communication, the meter malfunction, and so on.In most of the unfavorable papers [15], [16], [17], a method of the nonlinear state prediction is presented, that is shown as follows: (5) where, represents the available measurements which are obtained from the BDDs.Also, represents the set of operational states while displays the vector of the error for the prediction method.Furthermore, represents the nonlinear function that draws a collection of the obtained mensuration by the network operational states.For the estimation of a collection of the operational states with the use of the method of the nonlinear state prediction as displayed in Eq. ( 5), a flattish start method is adopted, as is displayed in Eq. ( 6): With the use of the flattish start method, an iterative Gauss-Newton approach is performed for the determination of a set of estimated states.In it, the matrix of Jacobian is reformulated in each epoch.The exiting BDD in the EMS module on the SCADA performs the remaining test of the actuarial that is shown below: where depends on the degrees of freedom throughout the specified system, since the obtained mensuration has enough redundancy on them, the mensuration, which shows the remaining higher than , successfully scraped as the worst possible information.

B. Proposed Scheme
The accurate and impressive performance of the analysis based on the regression has been demonstrated by the methods of deep learning.This data-driven prediction approach has shown the onomastic error in forecasting [18], [19], [20].The current article considers MAE, MSE and RMSE for the performance parameters that are defined below: The estimated operational states with is denoted and the actual operational states with is denoted.The bald number of the instances for the estimation is .With the effective optimization of the meta-parameter, the presented neural network by the scenario of the network steady-state effectively can estimate the predicted states by the lowest value for the performance parameters.In the current article, a strong nonlinear structure of the LSTM is proposed.
The LSTM model is a particular architecture from the RNN that helps with the learning of the patterns of the complex temporal, which are provided in the dataset of the training.This particular type of RNN is able to the nature maintaining of the data at a given step of the time.Thus, the LSTM provides the possibility to read, retain, and remove the data from the memory cells by setting three distinct controllable gates, which is named the gate of the forget , the gate of the input also, the gate of the output .Fig. 1 shows the structure with the single cell for a module of LSTM.Also, the model of the presented LSTM is displayed in Fig. 2. www.ijacsa.thesai.orgThe admission or the rejection of the information in the form of the binary ( or ), which is related to the current state of the cells, depends on the gate .The forget gate is defined by Eq. (11).On the modules of LSTM, the activation function of sigmoid is used.
represents the gate of the input from the module of LSTM, which is displayed in Eq. (13).For the updation of the state of the current cell, generally, a decision of the binary by means of the gate of the input is taken.For the module of LSTM, the updated cell state is denoted with also, the novel contributor is .As shown in Eq. ( 15), the accumulated data is discharged to the next neurons.The weights with is denoted.Also, the outputs are denoted with , the inputs are denoted with and finally, the biases are denoted with .These cases are shown in Eq. ( 11) to Eq. ( 16).The concatenation operation is indicated by Fig. 2 displays which the model of the presented LSTM has layers hidden along with one layer of the output and one layer of the input.It can be viewed that in the second layer of the hidden, the model is divided into the layers of the subhidden.These layers of the sub-hidden combine the structures of LSTM by the neural networks of the dense for improvement of the efficiency of the state prediction.These models of the nonlinear are found by the layers of the subhidden for the representation of a superior approach for the prediction.Finally, all layers of the sub-hidden are compromised in a common layer which is called the layer of the concatenation.Two layers of the dense are placed in place of the layer of the concatenation, and then the layer of the output is placed.The drop-out regularization is effectively adopted for the avoidance of the model over-inflating.The proposed nonlinear method is fed with the activation function of ReLU to each layer which is expressed by Eq. ( 17).(17) For layer , the set of predicted features is equal to and the input features are equal to .Other parameters of a specific layer consist of bias and weight .The output of the layer of LSTM from the presented nonlinear method is directly entered into the next layer of the dense that this layer has the activation function of ReLU.The layer of the www.ijacsa.thesai.orgoutput of this nonlinear method includes an activation function of ReLU according to Eq. ( 17).The proposed model is trained in iterations and using the optimizer of Adam.The initial rate for the learning of the proposed method is equal to .
By effectively training the model, a superior policy can be demonstrated for the estimation of states by the indices of the minimum error.The scheme of the real-time FDI attack recognition, which is the basis of the matrix of the error covariance, is presented in Fig. 3.The algorithm of the presented anomaly detection performs the vector of the developed error according to the predicted operational states and predicted operational states in the SCADA.

̂ ̂ (18)
̂ represents the predicted set from the estimated states, which is obtained by the benchmark of the scalable nonlinear neural network and ̂ represents the predicted states of the step of the time which are recovered with the use of the algorithm of the state prediction.Also, represents the error vector.The main purpose of the method of anomaly recognition is the identification of the eigenvalues change rate of the matrix of the error covariance, which is displayed as follows: (19) (20) represents the eigenvector for the matrix of the error covariance which is generated pending the time of the current sampling .Since and are the matrices of the symmetric positive definite covariance.Therefore, these matrices have the same eigenvalues and the same eigenvectors.The change rate of the eigenvalues among two intervals of the consecutive time andcan be shown by Eq. ( 19) and Eq. ( 20), respectively.The proposed detection scheme for the FDI attack that performs the change rate of eigenvalues is described as follows: where displays the criterion of the recognition that is adjusted with .Thus, if the change rate of eigenvalues in a specific time exceeds a particular threshold, as is displayed in Eq. ( 21), it shows the presence of the FDI attack inside the obtained measurements.displays a numerical constant with a very small positive value which belongs to the operator knowledge.This parameter inherently is insignificant because the model of the nonlinear state prediction shows better accuracy for prediction.

IV. EVALUATION RESULTS OF THE PROPOSED METHOD
In this section, the results of the evaluation of the presented method are examined.First, the used dataset is described.In the following, the results of the proposed deep learning method for the prediction of RUL are evaluated.Then, the continuous and temporary signatures from the FDI attack are provided, and then the attack's impact on the prediction of RUL is stated.The Python programming language has been used for the implementation of these tests.The presented method is implemented on a computer which has a Core (TM) i7 CPU, 3.0 GHz Intel(R) and 8G RAM.

A. Used Dataset
For the performance evaluation of the presented method, the dataset of the NASA C-MAPSS turbofan engine destruction simulation is used.The used dataset consists of data of the sensor by the number of the conditions of the operational and the conditions of the different error.On the used dataset, four subsets (FD001-04) are defined.Each subset includes the data from the training and the data from the test.The data of the test is reached to the data of the defeat from the multiple engines with the same group.In the data of the test, each row is a cycle of time that is defined as one hour of working.A cycle of time has columns which column www.ijacsa.thesai.orgdisplays the ID of the engine and column displays the number of cycles of the current operation.Columns to column display the three settings of the operational and also, the columns to column display the values of the sensor.The data of the time series is only terminated when it encounters an error.The data of the test consist of only the information for some cycles of the time because our purpose is the estimation of the cycles of the time of the remaining operational before the occurrence of a defect.

B. Results of the Proposed Method of RUL Prediction
For the confirmation of the proper efficiency of the presented algorithm, which is the basis of the LSTM, this method has been evaluated on the dataset of C-MAPSS.For the performance evaluation of predictors, RMSE, MSE and MAE are used.These metrics are widely used as the criteria of evaluation in the studies of the evaluation of the model.The results are related to the network, which this network has nodes in the layers hidden from the first layer.In addition, it has nodes in the layers hidden from the second layer and 100 nodes in the layers hidden from the third layer.Furthermore, the length of its sequence is equal to .Table I shows the meta-parameters of the proposed LSTM model (inspired by [21]).Fig. 4 shows the performance results of the presented method.Also, Table II shows the results of the error evaluation for the presented method and the similar presented methods in [22], [23] and [24].[22] 150.961 8.925 9.711 Proposed in [23] 166.922 10.052 13.324 Proposed in [24] It is evident from Fig. 4 and Table II that the proposed algorithm with a sequence length equal to 80 has the lowest amount of error.This means that the presented method is very precise about the prediction of RUL on the used dataset.It should be noted that the displayed results in Table II state that the prediction method basis on LSTM does much better than the presented works on [22], [23] and [24].In the next stage, the attack of FDI in the proposed LSTM-based method is modeled for the evaluation of their resilience against the attack of FDI.

C. Modeling Two FDI Attack Scenarios and the Impact Examination of these Attacks in RUL Prediction
The average engine degradation point , for the FD001 dataset, is taken to be [25].It is assumed that the system of the monitoring dispatches cycles of the time ( ) from the data to the side of the ground.The dataset of the training and the dataset of the test have data of the sensor.The attack of FDI is performed in sensors.However, for the creation of the realistic attack, the FDI attack only in sensors ( , and ) is performed.The details of sensors are provided in [26].On the first FDI attack scenario, www.ijacsa.thesai.orgi.e. the scenario of the continuous, the attacker has begun the attacks since (that is equal to -time cycles) and the duration of the attacks is up to the engine life's end.In the second scenario of an FDI attack, i.e. scenario temporary, the attacker has begun the attacks since (that is equal to cycles of time).The duration of these attacks is hours.With respect to the attack begins, since cycles of the time, only the engines with data greater than cycles are considered.In the FD001 dataset, the number of these engines is equal to .The resulting dataset is re-appraised with the use of the proposed LSTM-based model.The obtained values for RMSE, MSE and MAE are respectively equal to , and .
To model the FDI attack on the sensors, a null vector is added to the main vector that changes the output of the sensor with a so little border equal to to for a random FDI attack and equal to for a biased FDI attack.Here, the random FDI attack means that the added noise to the output of the sensor has a span equal to to .At the same time, the biased FDI attack adds a fixed noise value to the output of the sensor.Fig. 5 displays a collation of the signal of the output of the main FDI attack and the signal of the output of the biased FDI attack from the second sensor for the engine with an ID equal to 3. On the continuous attack of FDI, the output of the sensor from cycles of time up to the engine life end is attacked.In the case of a biased attack of FDI for a period of the temporary, similar to Fig. 6, the duration of the attack only is cycles of the time ( cycles of the time to cycles of the time).Be careful; on the limited attack, the attacker has restricted accessibility to the sensors.Similar to Fig. 5 and Fig. 6, the attack signature is very analogous to the main signal.Its detection makes it hard even with the common defense mechanisms.Now, the effect of the scenarios of the attack of FDI on the proposed LSTM-based method is investigated.To demonstrate the effect of attack of the attack of FDI on the system of monitoring, an attack by the mentioned scenario is ran.The FDI attack in three sensors ( , and ) is performed instead of the attack in all sensors of the dataset.In the scenario of the continuous FDI attack, the attacker makes the attacks from cycles of time until the end of the engine life.It is clear from Fig. 7 that the proposed LSTMbased method is greatly affected by the continuous attack of www.ijacsa.thesai.orgFDI.About the fortuitous FDI attack and the biased FDI attack, the random FDI attack has shown a significant impact on the proposed LSTM-based model.Table III shows the relevant results.
In the scenario of the temporary FDI attack, the attacker makes the attacks between cycles of time and cycles of time.It is clear from Fig. 8 that the proposed LSTM-based method is greatly affected by the temporary attack of FDI.Table IV shows the relevant results.With the comparison between the continuous FDI attack and the temporary FDI attack, it can be seen that the error of a continuous attack of FDI is almost twice the error of a temporary attack of FDI.Hence, continuous FDI attacks are stronger than temporary FDI attacks.

D. Discussion
In this work, the proposed method is evaluated on the dataset of C-MAPSS, and the obtained results show the great prospects for deep learning in PdM.It is also observed that sequence length and network architecture are very important in accurately predicting RUL.The proposed work shows that the proposed method is several times better than recent works that use deep learning on the dataset of C-MAPSS.The analysis of the impact of an FDI attack on aircraft sensors in the dataset of CMAPSS provides interesting insights.It is observed that the CNN-based model is strongly affected by random and biased FDI.In the case of temporary FDI, the random and biased RMSE of CNN is several times higher than the true RMSE, and in the case of continuous, the random and biased RMSE is several times higher than the true RMSE.Also, it is observed that the CNN-based model is more flexible in both random and biased cases in compared to other models.In the case of temporary attack, the random and biased RMSE is several times higher than the true RMSE, which makes it disastrous for the PdM system.This may lead to delays in timely maintenance of the aircraft engine and ultimately lead to engine failure in some cases.
Note, the FDI attack signature is very close to the original sensor output, which makes it more difficult to detect by common defense mechanisms in the engine health monitoring system.A piecewise prediction approach is used in visualizing the impact of attacks on sensors, which clearly shows that the PdM system is susceptible to sensor attacks.The CNN-based prediction results show that special measures should be taken when designing and by using PdM systems because they are very sensitive to FDI.Such an analysis can serve as empirical guidance for the development of subsequent data-driven PdM systems.All these obtained results show that DL-based PdM systems have good prospects for aircraft maintenance; however, they are highly susceptible to sensor attacks.Hence, it is necessary to explore suitable detection techniques to identify such stealth attacks and special care should be taken when building IoT sensors for DL/AI applications.For this reason, when designing a PdM system, the designer should also consider the flexibility of the DL algorithm instead of emphasizing the accuracy of the algorithm.

V. CONCLUSIONS AND SUGGESTIONS
With the expansion of the use of cyber-physical structures and communication networks, cyberattacks have become a serious threat in various networks, including the sensors of the Internet of Things.These attacks create the so assailable conditions.Therefore, the main consideration of this current paper is the detection in real-time of the done FDI attack on the Internet of Things, which is related to the estimated RUL prediction.The robust and nonlinear structure of the LSTM shows a better view of the RUL prediction compared to similar methods.The method of the presented nonlinear LSTM is successfully implemented in real-time because the efficiency of its computational (the time of the test and the time of the training) is on the scope of the microseconds.In the future, the method of the presented detection can be performed by the scenarios of the contingency of the smart networks and by a more intransigent constraint on the criterion of detection, which ultimately results in a stronger feasibility of the FDI attack detection.Also, an end-to-end method can be developed for the recognition and reduction of attacks on the sensor in a system of network health monitoring.

Fig. 3 .
Fig. 3.The proposed method for the detection of the attack of FDI.

Fig. 4 .
Fig. 4. The comparison results of the prediction of RUL by the proposed scheme and the actual RUL value.

Fig. 7 .
Fig. 7.The relevant results to the RUL prediction in the scenario of the continuous attack of FDI.

Fig. 8 .
Fig. 8.The relevant results to the RUL prediction in the temporary FDI attack scenario.

TABLE I .
THE HYPER-PARAMETERS SETTINGS OF THE PRESENTED LSTM MODEL

TABLE II .
THE COMPARISON RESULTS BETWEEN THE PRESENTED METHOD AND THE SIMILAR METHODS

TABLE III .
THE RELEVANT RESULTS TO THE SCENARIO OF THE CONTINUOUS ATTACK OF FDI

TABLE IV .
THE RELEVANT RESULTS TO THE TEMPORARY FDI ATTACK SCENARIO Model Under Biased FDI Attack www.ijacsa.thesai.org