Explainable_and_Data-Efficient_Deep_Learning_for_Enhanced_Attack_Detection_in_IIoT_Ecosystem

This article has been accepted for publication in IEEE Internet of Things Journal.
This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2024.3384374
Explainable and Data-Efficient Deep Learning for

Enhanced Attack Detection in IIoT Ecosystem
Danish Attique, Wang Hao, Wang Ping, Danish Javeed and Prabhat Kumar
Abstract—The Industrial Internet of Things (IIoT) is rapidly services, industrial processes, and automation [2]. The IIoT
evolving, and with this evolution, cyber threats have become a network comprises thousands of devices and communication
significant issue. IIoT networks, despite improving service quality, protocols [3]. Communication sensors are one of the crucial
are uniquely vulnerable to security threats due to their inherent
connectivity and the use of low-power devices. Traditional Deep elements that are responsible for collecting, processing, and
Learning-based IDS, while accurate, suffer from a “black box” transmitting data in an IoT-based industrial environment. There
issue that hides the reasoning behind their decisions, leading to a is an abundance of parameters that are responsible for effi-
decrease in user trust. To address this, our research presents an cient IoT communication in smart industries, i.e., robustness,
Explainable and intelligent mechanism for data-efficient intrusion minimal latency, and communication integrity. These param-
detection in IIoT. Our proposed IDS enhances data efficiency
by employing a Bidirectional Long-Short Term Memory (BiL- eters can be addressed by appropriate load balancing and
STM) model with a self-adaptive attention mechanism. The self- scheduled communication among the participant nodes [4].
adaptive attention mechanism is a novel feature of our IDS Modern industries are able to gather and analyze enormous
framework, designed specifically for IIoT environments. This amounts of data to come to intelligent business judgments
mechanism dynamically adjusts its focus to prioritize critical ele- due to a variety of devices, sensors, actuators, and controllers.
ments within a dataset, allocating more computational resources
to data segments likely to contain patterns or anomalies indicative These sensors and devices have limited memory, power, and
of security threats. When integrated with BiLSTM, which excels communication resources, hence they are considered resource-
at capturing temporal dependencies, the mechanism enhances constrained. IIoT has been used by several industries in recent
the IDS’s ability to learn efficiently from limited datasets. This years, including manufacturing, healthcare, agriculture, and
focus on significant data features and temporal patterns reduces unmanned aerial vehicles [5]. It provides several benefits, how-
the need for extensive training datasets, making it particularly
effective in IIoT settings where data may be sparse yet complex. ever, the prevalent nature, increased connected devices, and the
In addition, we enhance the proposed IDS’s transparency by in- resource-constrained nature of IIoT make them vulnerable to
corporating the SHapley Additive exPlanations mechanism from cyber attacks [6]. One compromised device may communicate
Explainable AI, thereby boosting the IDS’s trustworthiness and malicious data to cloud servers or permit unauthorized access
interpretability. Our system exhibits outstanding performance to confidential data of the company, such as business plans
on benchmark datasets such as CICIDS2017 and X-IIoTID,
attaining accuracies of 99.92% and 96.54%, respectively. and trade information, resulting in data loss and resource
corruption. Such an incident may lead the industry to financial
Index Terms—Cyber Attacks, Explainable AI (XAI), Intrusion loss, operational disruption, and reputation loss [7].
Detection System (IDS), IIoT, Proactive Defense
Ensuring IIoT security is one of the most important prob-
lems in modern industrial operations. It encompasses safe-
I. I NTRODUCTION guarding communication and physical privacy, protecting edge
The Industrial Internet of Things (IIoT) offers the potential devices from viruses, and preventing unwanted access. The
for enhancing service quality for new applications because of IIoT’s security, privacy, and dependability may be increased
the rise in the data generated by its connected devices [1]. IIoT by implementing sophisticated and strong security frameworks
and Industry 4.0 are concepts that might be closely connected. [8]. One of the most often utilized technologies for security
Intending to boost industries, this idea is quickly introducing and privacy in these sectors is IDS. It searches for particular
new trends in the expansion of industrial concepts, logistical signatures and patterns in network traffic to detect malicious
activity and unauthorized access. [9]. However, such an IDS
This research work is funded by the National Key R&D Program, The doesn’t have the capability of detecting sophisticated and
advanced research on new emergence and configuration technologies of
Industrial IoT under Grant number:2021YFB3301000. (Corresponding author: Advanced Persistent Threats (APT) [10]. Furthermore, the
Wang Hao). resource-constrained nature of devices in the IIoT environment
Danish Attique and Wang Hao are with the College of Computer Sci- makes it more challenging to design a lightweight and efficient
ence and Technology, Chongqing University of Posts and Telecommuni-
cations, Chongqing 400065, China Email: L202010008@stu.cqupt.edu.cn, IDS for its security. In the past few years, DL and ML have
wanghao@cqupt.edu.cn. been employed by different researchers to design an auto-
Wang Ping is with the Department of Automation, Chongqing University mated, lightweight, and resilient IDS for IIoT. IDS powered by
of Posts and Telecommunications, Chongqing 400065, China Email: wang-
ping@cqupt.edu.cn DL has proven itself to be efficient by achieving high detection
Danish Javeed is with the Software College, Northeastern University, accuracy [11]. However, such IDS are considered black boxes
Shenyang 110169, China. Email: 2027016@stu.neu.edu.cn by security analysts and users due to their complex nature and
Prabhat Kumar is with the Department of Software Engineering, LUT
School of Engineering Science, LUT University, 53850 Lappeenranta, Fin- lack of explanation and interpretation for their decisions, such
land. Email: prabhat.kumar@lut.fi. as gaining an understanding of the primary data proof of the
Authorized licensed use limited to: NATIONAL UNIVERSITY OF IRELAND GALWAY. Downloaded on July 12,2024 at 11:43:11 UTC from IEEE Xplore. Restrictions apply.
© 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and
decision-making processes for the proposed model behavior II. E XISTING L ITERATURE
[12]. As a result, there is a lack of trust in the decision of the
model, and their output cannot be utilized to further enhance Intrusion detection in IoT-empowered smart Industries using
the behavior and logic provided by the model. DL is a fascinating concept procuring considerable attention
Explainable AI (XAI) is grabbing significant consideration in the present era. The literature is surrounded by abundant
because of its advanced attributes that overshine conventional such studies, and we have addressed some of them here. The
ML/DL concepts [13]. XAI-based IDS provides consumers authors of [15] employed a hybrid DL autoencoder combined
with systematic and understandable reasons for its actions. It with Multilayer Perceptron (MLP). The proposed model is
has become crucial for interpreting the decisions of ML/DL- capable of extracting the features automatically. They trained
based models by enabling security specialists and developers their proposed framework using the publicly available CICD-
to comprehend the primary data and the influence of the DoS2019 dataset and attained 98.34% detection accuracy. In
malevolent data in any IDS. The current literature heavily [27], the authors used a DL-based model for implementing a
emphasizes the detection accuracy of DL-based IDS. However, modular Software-Defined Networking (SDN)-based network
they do not provide the reasoning and explanations of the to provide a solution for DDoS detection in transport and
decisions provided by their proposed IDS [14]. Hence, their application layers. The authors in [16] recommended a Multi-
model lacks trust and transparency. Additionally, the XAI- CNN fusion-based scheme for efficient attack detection in IoT
based IDS are still in their early stages and need improvement. networks. They trained and evaluated their proposed technique
Motivated by this, we propose an explainable DL-based IDS using the NSL-KDD dataset, where the model recognized the
for enhanced trust management and interpretation by providing attack classes successfully. They compared the performance of
the interpretation of the IDS decision-making process to their proposed model with ML-based techniques and claimed
help the security analysts understand the rationale behind the to outclass them with 86.95% accuracy.
decision of our proposed IDS. In [17], the authors suggested an IDS for the IIoT environ-
ments. They employed a hybrid model of DNN and K-Nearest
A. Contribution Neighbors (KNN) for binary classification. The authors used
The aim of this work is to develop a proactive threat detec- the NSL-KDD and CICIDS datasets for experimentation pur-
tion framework for IIoT networks to maintain their security poses. In [18], the authors proposed a hybrid model based on
and privacy. This study presents an AI-based Intelligent threat CNN and LSTM. They used real traffic of nine commercial
detection mechanism to identify and prevent hidden threats in IoT devices, infected with Bashlite and Mirai botnet attacks.
such a network. The following are the contributions of this Their proposed model uses word embedding for identifying
work; and changing the representation of text to an integer. The
• The research presents a novel Intrusion Detection System model shows efficiency in threat detection, however, it has
(IDS) specifically designed for the Industrial Internet of a high processing time and resource overhead. The authors
Things (IIoT). The proposed IDS enhances data efficiency of [26] employed a Bidirectional LSTM-based model for
by using a BiLSTM model integrated with a self-adaptive efficient threat detection. They employed the KDDCUP-99
attention mechanism. This mechanism dynamically prior- and UNSW-NB15 datasets to train and evaluate their proposed
itizes critical elements within a dataset, allocating more model. Further, the authors of [19] proposed an intelligent
computational resources to data segments likely to con- IDS based on DNN and employed RELU as an activation
tain patterns or anomalies indicative of security threats. function to detect and mitigate DDoS attacks in the industrial
• We further employed the SHAP mechanism of the XAI network. Their model accomplished an accuracy of 94%. In
to explain and interpret the decision of the proposed IDS. [20], the authors employed a Federated Learning (FL)-based
Such an explanation and interpretation will aid the users IDS combined with Edge computing to identify botnets in
in understanding the rationale behind the IDS decision the IIoT network and attained an efficient detection accuracy
and aid the Security Operation Center (SOC) analysts of 98%. Furthermore, the authors of [21] designed an IDS
in designing new and efficient IDS for the industrial for IoT-enabled large-scale vehicular networks. The proposed
networks. framework incorporates Shapley additive explanations (SHAP)
• We evaluate the proposed IDS’s performance by using that provide comprehensive insights regarding the procedural
the CICIDS2017 and X-IIoTID datasets and compare its flow of DL. The authors trained their model on the ToN-
performance with some traditional and recent frameworks IoT dataset that contains detailed impressions of frequently
from the literature. The performance comparison endorses occurring attacks in the respective Internet of Vehicles (IoV)
the dominance of the proposed IDS against these frame- environment. The performance regarding threat detection accu-
works and proves it an efficient IDS for such industries. racy and other evaluation metrics are examined. Additionally,
This work is further organized as follows. Section II dis- the performance is compared with some phenomenal threat
cusses the relevant literature and its limitations. Section III detection frameworks from the literature. The proposed model
presents the details of the proposed IDS for IIoT. Section IV seems to outclass existing intrusion detection schemes.
presents the experimental setup. In Section V, we analyze the The authors of [22] used LSTM-based IDS to detect DoS
experimental results, performance analysis, and comparison and MiTM attacks in IoT systems and attained an accuracy of
of the proposed IDS. Finally, in Section VI, we conclude this 92.76%. Likewise, the authors in [23] developed an intelligent
research work. IDS based on the DL Feature Fusion (FF) approach combined
TABLE I: Literature Overview.
Reference Approach Model Used Dataset Multiclass Classification Explainable AI (XAI) Limitations
[15] DL Autoencoder, MLP CICDDoS2019 ✓ × The proposed model is black-box
[16] DL Multi-CNN NSL-KDD ✓ × Obsolete dataset
[17] DL/ML DNN, KNN NSL-KDD, CICIDS2017 × × The model is black-box and lacks comparison
[18] DL CNN, LSTM N-BaIoT ✓ × Not specified
[19] DL DNN BoT-IoT ✓ × Comparison is not provided
[20] FL - UNSWNB-15 × × Black-box model
[21] DL CNN ToN IoT ✓ ✓ Computationally expensive and intensive
[22] ML/DL XGBoost, LSTM, GRU MQTT ✓ × No comparison
[23] DL FF, MC KDD-Cup-1999, UNSW-NB15, WSN-DS, CICIDS-2017 ✓ × Computationally complex and black-box
[24] DL MLP WUSTL-IIOT-2021 × ✓ Not specified
[25] DL CNN BoT-IoT, IoT Network Intrusion, MQTT-IoT-IDS2020, IoT-23 × × The model is black-box
[26] DL BiLSTM KDD-CUP99, UNSW-NB15 ✓ × Black-box model
Terms & Abbreviations: MLP: Multilayer perception; CNN: Convolutional Neural Network; KNN: k-nearest Neighbors; LSTM: Long short-term Memory
Networks; FF: Feature Fusion; MC: Meta Classifier.
with an ensemble Meta Classifier (MC) and attained 99% LSTM model, the flow of information is in one direction, i.e.,
accuracy respectively. In [24], the authors employed XAI and from past to future or future to past. However, in BiLSTM,
DL to develop an efficient and robust IDS (DeepIIoT) for the input sequence (IS) is processed in both directions at
IIoT networks. They employed the WUSTL-IIoT2021 dataset the same time, allowing the model to capture dependencies
to train and evaluate their proposed model and achieved an from both the past and the future. BiLSTM comprises two
enhanced detection accuracy of 99%. layers of LSTM, one processes the IS in forward (→), and
Security analysis of DDoS attacks in IoT (SAD-IoT) is the other processes it in the backward direction (←). The
a searching framework designed by aggregating various DL forward layer receives the IS and computes its hidden state
algorithms. The framework is evaluated and trained on BoT- (ht ) and output by considering the past context. On the other
IoT and UNSW datasets where the system achieved a no- hand, the backward layer receives the IS in reverse order
ticeable threat detection accuracy [28]. An intelligent attack and computes its output by considering the future context.
detection scheme to provide extensive security in edge IIoT The information flow in both directions makes the BiLSTM
devices is presented in [29]. The designed scheme used the effective in capturing the long-range context and dependencies
best characteristics from Spider Monkey (SM), Principal Com- in the input sequence. It uses its gating mechanism, i.e.,
ponent Analysis (PCA), and Correlation Attribute Evaluation forget gate (F orGate ), input gate (InpGate ), and output gate
(CAE) to analyze traffic patterns. The model demonstrates (OutGate ) to solve the problem of exploding gradients. The
noticeable accuracy and precision in terms of efficient attack following equations perform the operations of the BiLSTM’s
detection. In [25], another anomaly detection mechanism is forward process (→) [30].
presented to safeguard IIoT-based networks from advanced −−−−−→ −−−→ −−→ −−→ −−→
threats. The authors used the MQT-IoT-IDS2020 dataset to F orGate = α(WF or ∗ [ht−1 , PF or ] + BF or ) (1)
train and evaluate their CNN-based module. Upon evaluation, −−−−−→ −−−→ −−→ −−→ −−→
InpGate = α(WInp ∗ [ht−1 , PInp ] + BInp ) (2)
it achieved an attack detection accuracy of 98.80%. There
−−−−−→ → −−→ −
− → −
→
has been a variety of DL and ML-based IDS proposed by C Inpt = tanh (Wc ∗ [ht−1 , Pc ] + Bc ) (3)
researchers in the past few years as summarized in Table I. −
→ −−−−−→ −−→ −−−−−→ −−−−−→
Ct = (F orGate ∗ ct−1 ) + (InpGate ∗ C Inpt ) (4)
III. P ROPOSED E XPLAINABLE -D EEP L EARNING −−−−−→ −−−→ −−→ −−→ −−→
OutGate = α(WOut ∗ [ht−1 , POut ] + BOut ) (5)
(XDL)- BASED IDS FOR II OT
→
− −−−−−→ −
→
In this section, we present the methodology of the proposed ht = OutGate ∗ tanh(Ct ) (6)
IDS. We first describe BiLSTM followed by the self-adaptive −
→ −−−−−→
where Ct is the cell state, C Inpt represents the candidate
attention Mechanism. Further, we provide details about the −
→ −−→ −−→ − → −−→
for Ct and PF or , PInp , Pc , and POut denotes the inputs for
XAI mechanism. Finally, we provide complete details of −−−−−→ −−−−−→ −−−−−→ −−−−−→ −−→
the F orGate , InpGate , C Inpt , and OutGate , while ht−1
hyperparameters in this section. The proposed scheme auto-
represents the prior LSTM block’s output for the (→) process.
matically learns and upholds the vital features of flow-based −−−→ −−−→ − → −−−→
network traffic from the CICIDS2017 and X-IIoTID datasets The WF or , WInp , Wc , and WOut are the weights. Further, σ
−−→ −−→ − →
to detect intrusions and cyber-attacks. Further, the proposed denotes the sigmoid activation function and BF or , BInp , Bc ,
−−→
IDS assists security analysts by relieving them of strenuous and BOut are the Bias terms.
investigation tasks and protecting the safety of such enterprises Furthermore, the following equations are used to perform
from cyber-attacks, ensuring their safety against cyber threats the operations of the BiLSTM’s backward process (←).
and intrusions. Algorithm 1 provides the Proposed IDS’s ←−−−−− ←−−− ←−− ←−− ←−−
F orGate = α(WF or ∗ [ht+1 , PF or ] + BF or ) (7)
working mechanism.
←−−−−− ←−−− ←−− ←−− ←−−
InpGate = α(WInp ∗ [ht+1 , PInp ] + BInp ) (8)
A. BiLSTM ←−−−−− ←− ←−− ← − ← −
C Inpt = tanh (Wc ∗ [ht+1 , Pc ] + Bc ) (9)
It is a type of RNN architecture that combines the power
←
− ←−−−−− ←−− ←−−−−− ←−−−−−
of both forward and backward information flow. In a simple Ct = (F orGate ∗ ct+1 ) + (InpGate ∗ C Inpt ) (10)
Fig. 1: Proposed IDS Architecture
←−−−−− ←−−− ←−− ←−− ←−−

OutGate = α(WOut ∗ [ht+1 , POut ] + BOut ) (11) where SV represents the context vector, capturing the most
←
− ←−−−−− ←− relevant information across the sequence as determined by
ht = OutGate ∗ tanh(Ct ) (12)
the self-adaptive attention mechanism. This context vector is
←− ←−−−−−
where Ct is the cell state, C Inpt represents the candidate then used for subsequent processing or classification tasks,
←− ←−− ←−− ← − ←−−
for Ct and PF or , PInp , Pc , and POut denotes the inputs for enabling the model to make informed decisions based on the
←−−−−− ←−−−−− ←−−−−− ←−−−−− ←−− dynamically learned importance of different parts of the input
the F orGate , InpGate , C Inpt , and OutGate , while ht+1
represents the next LSTM block’s output for the (←) process. sequence.
←−−− ←−−− ← − ←−−−
The WF or , WInp , Wc , and WOut are the weights. Further,
←−− ←−− ← − ←−−
BF or , BInp , Bc , and BOut are the Bias for the weights. C. XAI Mechanism
The DL-based IDS gained popularity in recent years due
B. Self-adaptive attention Mechanism
to its outstanding performance. However, they are treated as
In our approach, the self-adaptive attention mechanism black boxes. XAI on the other hand explains and interprets the
dynamically learns to focus on the most relevant parts of decision of IDS. It provides human users with rational and
the input sequence. Given a sequence of hidden states M = understandable justifications for their conduct [31]. Such an
{M1 , M2 , ..., MZ } from a BiLSTM layer, we compute the explanation and interpretation help the users to understand the
self-adaptive attention as follows. Each hidden state Mt is rationale behind the IDS decision. In this work, we employed
transformed into query Qt and key Kt vectors through weight the SHAP mechanism of XAI to explain the decision of
matrices Wq and Wk respectively, where t indexes the timestep our proposed IDS. By figuring out how much each attribute
within the sequence. contributed to the final judgment or prediction, SHAP explains
The self-adaptive attention weights Wt for each timestep t the predictions of an instance. The contribution can be positive
are computed based on the similarity between the query and or negative. The following equations can be used to obtain an
key vectors across all timesteps, as shown below: instance’s SHAP explanation:
St,j = QTt Kj (13) N
X
exp(St,t ) G(S) = Vo + Vi Si (16)
Wt = P Z (14) k=1
j=1 exp(St,j )
where St,j represents the attention score between the query where S represents the simplified feature, N denotes the
vector at timestep t and the key vector at timestep j. The maximum size, and Vi represents the SHapely value SV . If
softmax function is applied to ensure that the weights across the value of Vi is high for a feature, it means that this feature
all timesteps sum to 1, enabling a probabilistic interpretation contributed the most to the decision of a model. Further, the
of attention weights. most important features are selected by using the following
The output of the attention mechanism, SV, is then com- equation:
M
puted as a weighted sum of the hidden states, scaled by the IFj =
X
||Vj (Xi )|| (17)
computed attention weights: k=1
Z
X where M represents the number of samples, IFj denotes the
SV = W t Mt (15)
t=1
average SV of the k th input feature.
Algorithm 1 Proposed data-efficient algorithm for intrusion TABLE II: CICIDS2017 Dataset Details
detection Class Type Label Instances
1: Input: CICIDS2017 and X-IIoTID Datasets (D) Benign 0 161465
2: Normalization and preprocessing of D with feature ex- FTP-Patator 1 7540
SSH-Patator 2 5449
traction DoS-GoldenEye 3 7938
3: Split D into training set Dtrain and testing set Dtest Botnet 4 1960
4: Function Train Enhanced BiLSTM Model PortScan 5 31480
DoS-Slowloris 6 5480
5: Initialize weights W and biases B for BiLSTM layers
XSS 7 435
6: Incorporate self-adaptive attention mechanism in BiLSTM
network TABLE III: X-IIoTID Dataset Details
7: for Epoch ← 1 to E do
Class Type Label Instances
8: Batch training on Dtrain with batch size B Normal 0 421417
9: Apply self-adaptive attention to focus on relevant Reconnaissance 1 127590
sequence parts RDoS 2 141261
10: Calculate and minimize enhanced BiLSTM loss func- Weaponization 3 67260
C&C 4 2863
tion crypto-ransomware 5 154
11: Update W, B, and attention parameters using back- Exfiltration 6 5094
propagation Exploitation 7 1133
Lateral movement 8 31596
12: end for
Tampering 9 5094
13: Return trained Enhanced BiLSTM model with self-
adaptive attention
14: end Function number of layers to two because the results stop to improve
15: Function Test Enhanced BiLSTM Model (model, Dtest ) after two layers. Integrated after the BiLSTM layers, the
16: while not End of Dtest do self-adaptive attention mechanism assigns different weights to
17: Evaluate the model on Dtest various inputs in the sequence, enabling the model to focus
18: Generate and record output classifications on the most relevant features for accurate intrusion detection.
19: end while Further, we performed the simulations for ten epochs with a
20: Return test results batch size of 64. Moreover, we used ADAM optimizer for
21: end Function optimization, RELU as the activation function, and CC-E as
22: Enhanced BiLSTM Model ← the loss function. Finally, the Softmax classifier is used in the
Train Enhanced BiLSTM Model() output layer. The schematic architecture of the proposed IDS
23: Invoke Test Enhanced BiLSTM Model with is presented in Fig. 1.
Enhanced BiLSTM Model and Dtest
24: Assign output to Test Results IV. E XPERIMENTAL S ETUP AND E VALUATION M ETRICS
25: Function Analyze Results (Test Results)
This section presents the complete details of the experi-
26: for each result in Test Results do
mental setup, datasets, and pre-processing. We further provide
27: if result is 0 then
details about the metrics we used for the evaluation of the
28: Label as N ormal activity
proposed threat detection model.
29: else
30: Label as one of the multiple Attack types (e.g.,
XSS, Botnet, etc.) A. Experimental Setup
31: end if The experimentations are performed using an Alien-ware
32: end for PC, processing @ 2.7Ghz with 32 GB RAM and an RTX 4080
33: Return analyzed results with multi-class attack identifica- GPU. Further, we employed the Keras library of Tensorflow to
tion develop the proposed IDS and used Python to run the scripts.
34: end Function
35: Final Results ← Analyze Results(Test Results) 1) Dataset and Preprocessing: In this work, we employed
36: Output and save Final Results the CICIDS2017 [32] and X-IIoTID [33] datasets to evaluate
the performance of the proposed IDS. These datasets contain
real-time IoT network traffic of Normal and attack instances.
D. Hyperparameters The attack classes include RDoS, XSS, DoS GoldenEye, SSH,
FTP Patator, Botnet, PortScan C&C, Exploitation, Tampering,
We have investigated many parameters to find the most and many more. However, this work is concerned with eight
pre-eminent values to tune the proposed model. Several pa- classes of the CICIDS2017 dataset including seven classes of
rameters, i.e., epochs, layers, neurons, and batch size were attacks and one normal class, and ten classes of X-IIoTID
considered. We employed two layers of BiLSTM with 100 including nine classes of attacks and one normal class. The
and 50 neurons followed by one dense layer with 20 neurons. complete details about the classes and instances used for
To avoid overfitting, we used a dropout of 0.2%. We kept the experiments are provided in Tables II and III. Further, the
dataset is divided into two sets, i.e., the Training set and the 7UDLQLQJ/RVV
9DOLGDWLRQ/RVV
Testing set [34]. We used 70% data from the CICIDS2017 and
X-IIoTID datasets to train the proposed IDS and the remaining

30% to test and validate its performance. Finally, we employed
the necessary steps to preprocess and normalize the datasets
$FFXUDF\

/RVV
[30].

B. Evaluation Metrics
7UDLQLQJ$FFXUDF\
Various metrics of evaluation have been employed to thor- 9DOLGDWLRQ$FFXUDF\
oughly evaluate the performance of the proposed IDS, i.e.,
(SRFKV (SRFKV
Accuracy (Acc), Precision (Pre), Recall (Rec), F1-score (F1),
(a) CICIDS2017 Dataset
Receiver Operating Characteristics (Roc) Curve, Confusion
7UDLQLQJ/RVV
Matrix (Cm), etc. The following equations are used to calculate 9DOLGDWLRQ/RVV

the Acc, Pre, Rec, and F1:

Tpr + Tnr
Acc = (18)

Tpr + Tnr + Fpr + Fnr
$FFXUDF\
/RVV
Tpr
Pre = (19)
Tpr + Fpr

Tpr
Rec = (20) 7UDLQLQJ$FFXUDF\
Tpr + Fnr 9DOLGDWLRQ$FFXUDF\

Pre ∗ Rec (SRFKV (SRFKV
F1 = 2 ∗ (21)
Pre + Rec (b) X-IIoTID Dataset
where Tpr and Tnr are true positive and true negative rates, Fig. 2: Acc Vs Loss of the Proposed IDS
while Fpr and Fnr represents the false postive and false
negative rates.
validation dataset is quantified as validation loss. Ensuring that
V. R ESULTS AND D ISCUSSION training and validation loss reduce over time and at a similar
In this section, we discuss and analyze the performance of pace is a key challenge in model development. Overfitting is
the proposed IDS, followed by its interpretation. Finally, we indicated by a divergence, where training loss keeps going
discuss its comparison with some recent IDSs from the current down but validation loss goes up. This indicates that the
literature. prediction ability of the model on unseen, validation data is
The degree to which a model accurately recognizes or declining due to its overfitting to the training set. Fig. 2a
forecasts outcomes from the dataset it was trained on is depicts the training vs validation loss using the CICIDS2017
known as its training Acc. The model’s ability to identify dataset, while Fig. 2b depicts the training vs validation loss
patterns and correlations in the training data is demonstrated using the X-IIoTID dataset. It can be seen that both the training
by high training Acc. However, assessing a model’s overall and validation loss decrease with time, thus proving that the
performance requires more than just one statistic. Validation proposed model is not overfitting and is an optimal fit. A Cm
Acc is important in this situation. Validation Acc evaluates how is used in ML and DL-based threat detection schemes to show
well the model performs on an independent, unseen dataset. how well a classification model is performing. It displays the
It offers perceptions of the model’s capacity to generalize its number of accurate and inaccurate predictions the model made
learning to new data, which is crucial to its usefulness in real- on test data. It is typically depicted as a square matrix, with
world scenarios. Overfitting is a prevalent problem that arises the actual and predicted classes represented by the rows and
when a model performs well during training but badly during columns, respectively. Fig. 3a depicts the Cm of our proposed
validation. Therefore we present the testing Acc vs validation scheme using the CICIDS2017 dataset, while Fig. 3b depicts
Acc of the proposed threat detection framework in Fig. 2 Fig. the Cm using the X-IIoTID dataset. It can be seen that it
2a depicts the testing vs validation Acc using the CICIDS2017 identified all of the classes of the dataset efficiently with a
dataset, while Fig. 2b presents it for the X-IIoTID dataset. It high Tpr and low Fpr. Additionally, The Roc offers valuable
can be seen that the model has shown an efficient performance intuits into the trade-off between the Tpr and the Fpr. The
in terms of validation Acc and proves that the model is not performance of the classification model is frequently assessed
overfitting. using the Area Under the Curve (AUC − ROC) as a summary
Furthermore, loss functions offer a more nuanced per- metric. Better discrimination power and model performance
spective by measuring the difference between expected and are indicated by a larger AUC − Roc value; a perfect classifier
actual results. Training loss measures how well the model is has a AUC − Roc of 1. The Roc of our proposed IDS is
performing on the training data, with lower values indicating presented in Fig. 4a for the CICIDS2017 and Fig. 4b for the
better performance. However, the error rate on the unseen X-IIoTID dataset. The effectiveness of the proposed IDS is
TABLE IV: Class-wise Performance of the Proposed IDS using CICIDS2017

Metrics Benign FTP-Patator SSH-Patator DoS-GoldenEye Botnet PortScan DoS-Slowloris XSS
Precision (Pre) 99.89 99.60 99.68 96.28 98.54 99.91 99.71 99.67
F1-score (F1) 99.88 99.60 99.78 97.64 98.51 99.69 99.64 98.41
Recall (Rec) 99.87 99.60 99.88 99.04 98.48 99.47 99.21 97.17
False Positive Rate (Fpr) 0.72265 0.00 0.43167 0.31943 0.00 0.00 0.89992 0.10426
TABLE V: Class-wise Performance of the Proposed IDS using X-IIoTID

Metrics Normal Reconnaissance RDoS Weaponization C&C crypto-ransomware Exfiltration Exploitation Lateral movement Tampering
Precision (Pre) 95.67 96.91 99.92 95.19 99.76 98.33 91.70 98.06 97.87 99.63
F1-score (F1) 97.18 93.47 99.92 96.86 66.71 95.93 92.09 72.89 91.24 82.71
Recall (Rec) 98.74 90.26 99.92 98.59 50.11 93.65 92.48 58.00 85.45 70.70
False Positive Rate (Fpr) 0.97183 0.93471 0.99925 0.96865 0.66719 0.95934 0.92096 0.72890 0.91244 0.82711
(a) CICIDS2017 Dataset (b) X-IIoTID Dataset

Fig. 3: Cm of the Proposed IDS

Fig. 4: Roc of the Proposed IDS
demonstrated by the fact that the ROC curve for the proposed Table IV using the CICIDS2017 dataset. It has achieved the
scheme is 1 for both datasets. highest Pre of 99.91% and the lowest of 96.28%. Regarding
F1, it has achieved values between 97.64% to 99.88%. For
Moreover, an IDS can be considered efficient if it achieves Rec, it has the highest Rec of 99.88% for the SSH-Patator
high values for Pre, F1, Rec, and low values for Fpr. We class and the lowest of 97.17% for the XSS class. Finally, it
provide the class-wise performance of our proposed IDS in

Fig. 5: Overall Performance Analysis of the Proposed IDS
has achieved the lowest Fpr of 0.00% for FTP-Patator, Botnet,

and PortScan classes and the highest of 0.8992% for the XSS
class. The class-wise performance using the X-IIoTIDT dataset
is provided in Table V. The proposed IDS achieved Pre
between 91.70% to 99.92% for all the classes. Regarding F1
and Rec, it has achieved the highest F1 of 99.92% RDOS class
and lowest of 66.71% for C&C class. Regarding other classes,
it has F1 between 72.89% to 96.86% respectively. Further, it
has the highest Rec of 99.92% for RDOS class and lowest of
50.00% and 58.00% for C&C and Exploitation classes. For
other classes, it achieved Rec values in between 70.70% and
98.74%. Moving forward, it has the highest Fpr of 0.99925
for the RDoS class and the lowest Fpr of 0.82711% for
the tampering class. Furthermore, we provide the overall
performance analysis of our proposed IDS in terms Acc, Pre,
Rec, and F1. Fig. 5a depicts the performance analysis using
the CICIDS2017 dataset. The proposed framework achieved
Acc OF 99.92% with Pre of 99.15%, Rec of 99.09%, and
F1 of 99.22%. Regarding, the X-IIoTID dataset, it achieved
96.54% Acc, 90.94 Pre and Rec and F1 of 83.79% and
88.90% respectively.
Moreover, we used the Summary Plot (Splot ), Waterfall Plot
(Wplot ), and Decision Plot (Dplot ) of the SHAP mechanism of
XAI to interpret the predictions of our proposed IDS. The Splot
presents the essential features that contribute the most to the
model decision-making. It presents the important features at
the top, while the less important features are presented at the
bottom. Such a plot has a great impact on the model decision,
so the features with high magnitude are considered the most
significant. Fig. 6 depicts the Splot , where 6a depicts the Splot
using the CICIDS2017 and Fig. 6b depicts the Splot using
the X-IIoTID datasets. These figures present the most and
least important features of the datasets, that contributed to the
decision-making of our proposed IDS. Additionally, a Wplot (b) X-IIoTID Dataset
illustrates the progressive addition or subtraction of the impact Fig. 6: SHAP values using SP lot
of each feature from an initial baseline or baseline prediction
to the forecast produced by the model. It enables the prediction
to be broken down into the various contributions of the input the X-IIoTID dataset. It further shows the overall effect of all
variables. It starts with the original forecast or starting point. the features up to that point when each feature’s contribution
The impact of each attribute on prediction is then demonstrated is increased or decreased. The red and blue bars present the
as shown in Fig. 7a for the CICIDS2017 dataset and Fig. 7b for features that contribute the most to the classification score of
TABLE VI: Comparison with Existing Works

Authors Year Model XAI Dataset Acc Pre Rec F1
[35] 2018 CNN × CICIDS2017 82.00% - - 89.00%
[26] 2021 BiLSTM × KDD-CUP99, UNSW-NB15 99.50% - - -
[9] 2022 GT-CSDNN × CICIDS2017 97.96% 98.65% 98.47% 99.00%
CICIDS2017 99.92% 99.15% 99.09% 99.12%
Proposed IDS 2023 SABiLSTM ✓
X-IIoTID 96.54% 90.94% 83.79% 88.90%
Terms & Abbreviations: CNN: Convolutional Neural Network; MLP: Multilayer Perception; DNN: Deep Neural Network; SABiLSTM: self-adaptive attention
Bidirectional Long short-term Memory Network.
100
Test Performance (Accuracy %)

80
Proposed IDS
60 LSTM
BiLSTM
20 40 60 80 100
Size of Testing Data
(a) Learning Curve on Testing Data for CICIDS2017
Dataset
100
Test Performance (Accuracy %)
80
Proposed IDS
60 LSTM
BiLSTM
20 40 60 80 100
Size of Testing Data
(b) Learning Curve on Testing Data for X-IIoTID dataset
(b) X-IIoTID Dataset
Fig. 8: Comparison of data-efficiency with some baseline
Fig. 7: SHAP values using WP lot
models
the proposed model. Finally, it provides the final prediction,

which is the cumulative contributions of all features. indicating that the Proposed IDS model requires fewer data
points to learn and adapt, making it more suitable for sce-
narios with limited data availability. The steeper slope of the
A. Comparison of Data efficiency with some commonly used Proposed IDS curve, especially in the initial stages, suggests
models that it is capable of extracting more meaningful information
Fig. 8 illustrates the learning curves of three models – Pro- from smaller datasets compared to the other models. Fig. 8b
posed IDS, LSTM, and BiLSTM – over two different datasets, depicts the learning curve on the X-IIoTID dataset, where the
offering insights into the data efficiency of these models, Proposed IDS model starts with a notably high accuracy of
particularly focusing on the performance of the proposed IDS. 92% even with the smallest training dataset size. This again
Fig. 8a showcases the performance on CICIDS2017 Dataset. reflects the model’s superior data efficiency, as it is able to
Here, the proposed IDS model outperforms the LSTM and achieve high performance without the need for large amounts
BiLSTM models, achieving higher accuracy with less training of data. The ability of the Proposed IDS model to maintain its
data. This characteristic is a hallmark of data efficiency, lead in performance with increasing data sizes further solidifies
10
its position as a data-efficient model. [4] A. Kim, J. Oh, J. Ryu, and K. Lee, “A review of insider threat detection
approaches with iot perspective,” IEEE Access, vol. 8, pp. 78 847–
78 867, 2020.
B. Comparison with recent IDSs from literature [5] M. Xi, H. Dai, J. He, W. Li, J. Wen, S. Xiao, and J. Yang, “A lightweight
reinforcement learning-based real-time path planning method for un-
At last, we compare the proposed IDS performance with manned aerial vehicles,” IEEE Internet of Things Journal, 2024.
recent IDSs from the current literature to further prove its [6] B. Esmaeili, A. Azmoodeh, A. Dehghantanha, H. Karimipour,
superiority. i.e., [35], [26], [9]. Table VI depicts the com- B. Zolfaghari, and M. Hammoudeh, “Iiot deep malware threat hunting:
from adversarial example detection to adversarial scenario detection,”
plete comparison. The authors in [35] employed a CNN- IEEE Transactions on Industrial Informatics, vol. 18, no. 12, pp. 8477–
based approach for developing a new encoding mechanism to 8486, 2022.
identify anomalous activities in the network. They trained their [7] A. Buja, M. Apostolova, A. Luma, and Y. Januzaj, “Cyber security
standards for the industrial internet of things (iiot)–a systematic review,”
proposed IDS on the CICIDS2017 dataset and achieved Acc in 2022 International Congress on Human-Computer Interaction, Opti-
of 82% and F1 of 89% respectively. They haven’t provided mization and Robotic Applications (HORA). IEEE, 2022, pp. 1–6.
any details about the Pre and Rec. Further, the authors in [8] I. A. Khan, M. Keshk, D. Pi, N. Khan, Y. Hussain, and H. Soliman,
“Enhancing iiot networks protection: A robust security model for attack
[26] employed a BiLSTM-based approach for threat detection. detection in internet industrial control systems,” Ad Hoc Networks, vol.
They trained their proposed IDS on the KDD-CUP99 and 134, p. 102930, 2022.
UNSW-NB15 datasets and achieved an average Acc of 99.50% [9] E. Balamurugan, A. Mehbodniya, E. Kariri, K. Yadav, A. Kumar, and
M. A. Haq, “Network optimization using defender system in cloud
respectively. The results in terms of Pre, Rec, and F1 is computing security based intrusion detection system withgame theory
missing in their article. Moreover, the authors of [9] have deep neural network (idsgt-dnn),” Pattern Recognition Letters, vol. 156,
designed an efficient IDS based on Game Theory and DNN pp. 142–151, 2022.
(GT-DNN) to improve the security of cloud computing. They [10] M. Mohy-Eddine, A. Guezzaz, S. Benkirane, M. Azrour, and
Y. Farhaoui, “An ensemble learning based intrusion detection model for
have trained their model using the CICIDS2017 dataset and industrial iot security,” Big Data Mining and Analytics, vol. 6, no. 3,
attained Acc of 97.96%, Pre of 98.65%, Rec of 98.47%, pp. 273–287, 2023.
and F1 of 99%. The comparison in Table VI shows that our [11] Y. Otoum, D. Liu, and A. Nayak, “Dl-ids: a deep learning–based intru-
sion detection framework for securing iot,” Transactions on Emerging
proposed framework outperformed the recent frameworks, thus Telecommunications Technologies, vol. 33, no. 3, p. e3803, 2022.
further proving its efficacy. [12] P. M. Dassanayake, A. Anjum, A. K. Bashir, J. Bacon, R. Saleem,
and W. Manning, “A deep learning based explainable control system
for reconfigurable networks of edge devices,” IEEE Transactions on
VI. C ONCLUSION Network Science and Engineering, vol. 9, no. 1, pp. 7–19, 2021.
This article developed an enhanced and explainable threat [13] D. Javeed, T. Gao, P. Kumar, and A. Jolfaei, “An explainable and
resilient intrusion detection system for industry 5.0,” IEEE Transactions
detection system for IIoT networks by combining explainable on Consumer Electronics, 2023.
artificial intelligence with a deep learning-based methodology. [14] P. Sun, P. Liu, Q. Li, C. Liu, X. Lu, R. Hao, and J. Chen, “Dl-ids:
In particular, we use BiLSTM in conjunction with a self- Extracting features using cnn-lstm hybrid network for intrusion detection
system,” Security and communication networks, vol. 2020, pp. 1–11,
adaptive attention mechanism and Softmax to develop an 2020.
intrusion detection system. Additionally, we utilized the SHAP [15] Y. Wei, J. Jang-Jaccard, F. Sabrina, A. Singh, W. Xu, and S. Camtepe,
mechanism of explainable artificial intelligence to analyze the “Ae-mlp: A hybrid deep learning approach for ddos detection and
classification,” IEEE Access, vol. 9, pp. 146 810–146 821, 2021.
key features of the datasets that influence the model’s decision- [16] Y. Li, Y. Xu, Z. Liu, H. Hou, Y. Zheng, Y. Xin, Y. Zhao, and L. Cui,
making in order to clarify the prediction or decision of our “Robust detection for network intrusion of industrial iot based on multi-
proposed IDS. This explanation of the decision will make cnn fusion,” Measurement, vol. 154, p. 107450, 2020.
[17] C. A. De Souza, C. B. Westphall, R. B. Machado, J. B. M. Sobral,
it easier for security analysts to comprehend the reasoning and G. dos Santos Vieira, “Hybrid approach to intrusion detection in
behind our proposed IDS decision. The proposed IDS achieved fog-based iot environments,” Computer Networks, vol. 180, p. 107417,
a high detection accuracy of 99.92% and 96.54% respectively. 2020.
[18] H. Alkahtani and T. H. Aldhyani, “Botnet attack detection by using
The performance of the proposed IDS is compared with cnn-lstm model for internet of things applications,” Security and Com-
traditional and recent frameworks from the current literature. munication Networks, vol. 2021, pp. 1–23, 2021.
Upon comparison, the proposed IDS outclassed the other [19] J. Shareena, A. Ramdas, and H. AP, “Intrusion detection system for iot
botnet attacks using deep learning,” SN Computer Science, vol. 2, no. 3,
schemes. Thus, endorses the dominance of the proposed IDS p. 205, 2021.
against these frameworks and proves it an efficient security [20] J. Li, L. Lyu, X. Liu, X. Zhang, and X. Lyu, “Fleam: A federated
solution for such an industrial network. Future research will learning empowered architecture to mitigate ddos in industrial iot,” IEEE
include combining blockchain and federated learning to design Transactions on Industrial Informatics, vol. 18, no. 6, pp. 4059–4068,
2021.
an IDS for the Industrial network. [21] A. Oseni, N. Moustafa, G. Creech, N. Sohrabi, A. Strelzoff, Z. Tari,
and I. Linkov, “An explainable deep learning framework for resilient
intrusion detection in iot-enabled transportation networks,” IEEE Trans-
R EFERENCES actions on Intelligent Transportation Systems, 2022.
[1] A. Corallo, M. Lazoi, M. Lezzi, and A. Luperto, “Cybersecurity aware- [22] H. Alaiz-Moreton, J. Aveleira-Mata, J. Ondicol-Garcia, A. L. Muñoz-
ness in the context of the industrial internet of things: A systematic Castañeda, I. Garcı́a, and C. Benavides, “Multiclass classification proce-
literature review,” Computers in Industry, vol. 137, p. 103614, 2022. dure for detecting attacks on mqtt-iot protocol,” Complexity, vol. 2019,
[2] J. Wen, H. Dai, J. He, M. Xi, S. Xiao, and J. Yang, “Federated offline 2019.
reinforcement learning with multimodal data,” IEEE Transactions on [23] V. Ravi, R. Chaganti, and M. Alazab, “Recurrent deep learning-based
Consumer Electronics, 2023. feature fusion ensemble meta-classifier approach for intelligent network
[3] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, and M. Gidlund, “Indus- intrusion detection system,” Computers and Electrical Engineering, vol.
trial internet of things: Challenges, opportunities, and directions,” IEEE 102, p. 108156, 2022.
transactions on industrial informatics, vol. 14, no. 11, pp. 4724–4734, [24] M. M. Alani, E. Damiani, and U. Ghosh, “Deepiiot: An explainable
2018. deep learning based intrusion detection system for industrial iot,” in
11
2022 IEEE 42nd International Conference on Distributed Computing

Systems Workshops (ICDCSW). IEEE, 2022, pp. 169–174.
[25] I. Ullah and Q. H. Mahmoud, “Design and development of a deep
learning-based model for anomaly detection in iot networks,” IEEE
Access, vol. 9, pp. 103 906–103 926, 2021.
[26] T. Pooja and P. Shrinivasacharya, “Evaluating neural networks using bi-
directional lstm for network ids (intrusion detection systems) in cyber
security,” Global Transitions Proceedings, vol. 2, no. 2, pp. 448–454,
2021.
[27] N. M. Yungaicela-Naula, C. Vargas-Rosales, and J. A. Perez-Diaz,
“Sdn-based architecture for transport and application layer ddos attack
detection by using machine and deep learning,” IEEE Access, vol. 9, pp.
108 495–108 512, 2021.
[28] P. Kumar, H. Bagga, B. S. Netam, and V. Uduthalapally, “Sad-iot:
Security analysis of ddos attacks in iot networks,” Wireless Personal
Communications, vol. 122, no. 1, pp. 87–108, 2022.
[29] M. Nasir, A. R. Javed, M. A. Tariq, M. Asim, and T. Baker, “Feature
engineering and deep learning-based intrusion detection framework for
securing edge iot,” The Journal of Supercomputing, pp. 1–15, 2022.
[30] D. Javeed, T. Gao, M. S. Saeed, and M. T. Khan, “Fog-empowered
augmented intelligence-based proactive defensive mechanism for iot-
enabled smart industries,” IEEE Internet of Things Journal, 2023.
[31] R. Dwivedi, D. Dave, H. Naik, S. Singhal, R. Omer, P. Patel, B. Qian,
Z. Wen, T. Shah, G. Morgan et al., “Explainable ai (xai): Core ideas,
techniques, and solutions,” ACM Computing Surveys, vol. 55, no. 9, pp.
1–33, 2023.
[32] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating
a new intrusion detection dataset and intrusion traffic characterization.”
ICISSp, vol. 1, pp. 108–116, 2018.
[33] M. Al-Hawawreh, E. Sitnikova, and N. Aboutorab, “X-iiotid: A
connectivity-agnostic and device-agnostic intrusion data set for industrial
internet of things,” IEEE Internet of Things Journal, vol. 9, no. 5, pp.
3962–3977, 2021.
[34] J. Yang, C. Cheng, S. Xiao, G. Lan, and J. Wen, “High fidelity face-
swapping with style convtransformer and latent space selection,” IEEE
Transactions on Multimedia, 2023.
[35] T. Kim, S. C. Suh, H. Kim, J. Kim, and J. Kim, “An encoding technique
for cnn-based network anomaly detection,” in 2018 IEEE International
Conference on Big Data (Big Data). IEEE, 2018, pp. 2960–2965.

Explainable_and_Data-Efficient_Deep_Learning_for_Enhanced_Attack_Detection_in_IIoT_Ecosystem

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Explainable_and_Data-Efficient_Deep_Learning_for_Enhanced_Attack_Detection_in_IIoT_Ecosystem

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in IEEE Internet of Things Journal.

Explainable and Data-Efficient Deep Learning for

TABLE I: Literature Overview.

Fig. 1: Proposed IDS Architecture

←−−−−− ←−−− ←−− ←−− ←−−

the necessary steps to preprocess and normalize the datasets

TABLE IV: Class-wise Performance of the Proposed IDS using CICIDS2017

TABLE V: Class-wise Performance of the Proposed IDS using X-IIoTID

(a) CICIDS2017 Dataset (b) X-IIoTID Dataset

(a) CICIDS2017 Dataset (b) X-IIoTID Dataset

(a) CICIDS2017 Dataset (b) X-IIoTID Dataset

has achieved the lowest Fpr of 0.00% for FTP-Patator, Botnet,

TABLE VI: Comparison with Existing Works

Test Performance (Accuracy %)

the proposed model. Finally, it provides the final prediction,

2022 IEEE 42nd International Conference on Distributed Computing

You might also like