Enhanced Crow Search with Deep Learning-Based Cyberattack Detection in SDN-IoT Environment

1  Introduction

The Internet of Things (IoT) network is an interconnected and distributed network of embedded mechanisms that interact via wired or wireless communication technology [1]. It can also be described as a network of physical devices empowered with limited computation, memory and interactions abilities. These abilities are embedded in network connectivity software and electronic devices such as the actuators and the sensors for multiple purposes such as collecting, exchanging and processing the data [2]. The IoT gadgets produce a huge volume of data, due to which the conventional processing, collection and storage methods cannot meet the quality requirements or the customer’s needs. The huge volumes of data are utilized for multiple activities such as predictions, assessments, pattern analyses and behavioural analyses [3]. Moreover, the existing data processing systems find it challenging to handle the heterogeneous data generated by IoT gadgets. So, a need exists to develop novel data processing systems to gain insights from the data produced by IoT devices. Machine Learning (ML) is one of the data processing techniques suitable for evaluating computational patterns and providing embedded intelligence in IoT gadgets [4]. Fig. 1 illustrates the infrastructure of the Software-Defined Networking (SDN) approach.

Figure 1: Structure of the SDN architecture

ML techniques help companies and individuals to gain insights from human-generated data using smart devices and a set of relevant machines. It is described as the capability of a smart gadget to automate or change the behaviour or a situation related to the information and is considered to play an important role in IoT solutions [5]. ML methods are utilized in density estimation, classification, and regression tasks. Various applications like malware detection, Computer Vision (CV), bio-informatics, speech recognition, authentication and fraud detection utilize ML techniques [6]. Similarly, it is also used in the IoT platform to offer intelligent services. There is no integrated approach to secure the entire IoT structure. IoT security is an important networking parameter, and the history of cyberattacks imposes a severe need to develop security measures [7]. Currently, the SDN-assisted structure not only improves the heterogeneous capability of the IoT network and its dynamic atmosphere but also provides a chance to ease the network management process [8]. It offers an effective and efficient identification method without exhaustion and a platform for resource-limited gadgets that do not burden a security solution [9]. For SDN surveillance, an optimal technique was proposed by incorporating the Intrusion Detection System (IDS) in SDN architecture. Due to the quick evolution of the Artificial Intelligence (AI) technique that possesses the programmable attributes of the SDN environment, the security stages are enhanced by combining the SDN mechanism into an AI-related security solution [10]. Several AI-related methods are used as network traffic detection techniques, such as Decision Trees (DT), Genetic Algorithms (GA), Fuzzy Logic (FL), Naive Bayesian (NB), k-Nearest Neighbor (KNN) and ANNs with phenomenal accuracy levels and ideal outcomes.

Aslam et al. [11] devised an Adaptive ML-related SDN-assisted Distributed Denial of Service (DDoS) attack Detection and Mitigation (AMLSDM) structure. The presented AMLSDM structure involves the SDN-assisted security system for IoT gadgets with the help of the adaptive ML classification method. This study aimed to achieve an effective detection and mitigation of DDoS assaults. The presented structure used the ML approaches in an adaptive multi-layered feed-forwarding technique to successfully identify the DDoS assaults so as to evaluate the static attributes of the examined network traffic. Alzahrani et al. [12] illustrated the application of an ML technique as an IDS to observe the network traffic and identify the malicious performance in the SDN controller. Traditional tree-related ML approaches were selected and developed to demonstrate the attack detection outcomes.

Dake et al. [13] formulated a novel MADDPG-compiled multi-agent structure in SDN for effective multi-path routing optimization and malevolent DDoS traffic prevention and detection in the networks. Both the MARL negotiators collaborated in a similar atmosphere to accomplish a network optimization task in a short period. Nguyen et al. [14] introduced a new traffic monitoring structure like DeepMonitor for SDN-related IoT networks. This method aimed to provide a finely-grained traffic analysis report for various IoT traffic forms at the network edges. To be specific, the author initially used an intellectual flow rule match-field control scheme named DeepMonitor agent for the SDN-related IoT edges. In this study, the authors considered their maximal flow-table capability and the need for different granularity levels. The author applied the control optimization issue for every edge node by following the Markov Decision Procedure (MDP). Then, the author projected a Double Deep Q-network (DDQN) method to gain an optimum flow rule match-field method.

In the study conducted earlier [15], an SDN-enabled Deep Learning (DL)-driven structure was devised to detect the threats in the IoT atmosphere. The existing Cuda-Deep Neural Network (DNN)-Gated Recurrent Unit (GRU), i.e., Cu-DNNGRU and Cuda-bidirectional LSTM (Cu-BLSTM) methods, were implemented for an effectual threat detection outcome. Ribeiro et al. [16] introduced an anomaly-related technique that employed the ML approaches over continuous data streams for the purpose of identifying intrusions in the SDN-enabled IoT atmosphere. In order to characterize the anomalies, the author examined structure assault, a type of DDoS assault. This attack type considered the effects of resource depletion and bandwidth depletion. Further, these kinds of attacks exert a heavy impact on the complete SDN environment. The other type of attack, i.e., the bandwidth depletion attack, targets the channel between the controller and the switches either by HTTP or UDP flooding protocols.

The current study introduces an effective Enhanced Crow Search Algorithm with Deep Learning-Driven Cyberattack Detection (ECSADL-CAD) model for the SDN-enabled IoT environment. The presented ECSADL-CAD approach aims to identify and classify the cyberattacks in the SDN-enabled IoT environment. To attain this, the proposed ECSADL-CAD model pre-processes the initial data. In the presented ECSADL-CAD model, the Reinforced Deep Belief Network (RDBN) model is employed for attack detection. At last, the ECSA-based hyperparameter tuning process is executed to boost the overall classification outcomes. A series of experiments were conducted to ensure the improved outcomes of the proposed ECSADL-CAD model.

2  The Proposed ECSADL-CAD Model

The current study introduced a new ECSADL-CAD model for attack detection in the SDN-enabled IoT environment. The presented ECSADL-CAD approach aims to identify and classify the cyberattacks in the SDN-enabled IoT environment. To attain this, the proposed ECSADL-CAD model pre-processes the data at the initial stage. In the presented ECSADL-CAD model, the RDBN model is employed for attack detection. At last, the ECSA-based hyperparameter tuning process is executed to boost the overall classification outcomes. Fig. 2 illustrates the overall process of the ECSADL-CAD approach.

Figure 2: Overall process of the ECSADL-CAD approach

2.1 RDBN-Based Data Classification

In the presented ECSADL-CAD model, the RDBN model is employed for attack detection. Restricted Boltzmann Machine (RBM) is an undirected probability graph method that depends on the energy using the visible layer (VL) and the hidden layer (HL) [17]. The RBM structure is denoted by (a). The VL is comprised of N input parameter, v=(v1,v2, …,vN);  and HL is comprised of  M input parameter, h=(h1,h2, …,hM). In this work, every VL is interconnected to the HL with the weighted variable  W, and the similar layer remains unrelated. Suppose vj∈{0,1}, hj∈{0,1}; the joint likelihood distribution of v and h is represented as follows.

P(v,h)=1Zexp(−E(v,h)),(1)

In Eq. (1), Z refers to the normalization constant.

Z=∑v ∑h exp(−E(v,h)),(2)

The energy function is determined as follows.

E(v, h)=−∑i=1Naivi−∑j=1Mbihi−∑i=1N∑j=1Mwijvihj′(3)

In Eq. (3), ai and bj show the biases of v and h, wij indicates the weight between vi and hj, and W indicates the weight matrix between VLs and the HLs.

In this study, the HL input is a binary value, and the VL input v is a real value. Hence, the RBM exploits the Gaussian-Bernoulli method.

E(v,h)=−∑i=1N(vi−ai)22σi2−∑j=1Mbihi−∑i=1N∑j=1Mwijviσihj.(4)

Based on the conditional distribution, P(h|v, θ) and P(v|h, θ) is determined as follows.

P(hj=1|v, θ)=s(bj+∑i viwij),

P(vi=1|h, θ)=N(ai+σi∑j hjwij′σi2),(5)

Now, (x)=1/(1+exp(−x)) and (μ,σ2) indicate the Gaussian distribution. The variance parameter σi2 is normally set as the predefined value instead of learning from the trained dataset. The σi2=1 is valued for a suitable calculation. The RBM variable θ={a,b,W} is trained based on the Contrastive Divergence (CD) method.

Δwij=[ED(vihj)−EM(vihj)]⋅α(6)

Here, ED shows the observed values, EM denotes the predicted values of the distribution, and α shows the learning factor. In addition, the offset that upgrades Δai and Δbj is estimated correspondingly.

The DBN approach has multiple HLs and a two-hidden layer. It represents a combination of the undirected and the directed relations. The two topmost layers are directly connected, whereas the others are directly connected. The L-layer DNB has L weight matrix: W(1),W(2), …,W(L), L+1 offset vector: a(0),a(1), …,a(L) and a(0) indicate the offset of VL as shown below.

P(hi(l)=1|h(l+1))=s(ai(l)+W:,i(l+1)Th(l+1)),

P(vi=1|h(1))=s(ai(0)+W:,i(1)Th(1)),(7)

In Eq. (7), l=1,2,…, L, s indicates the sigmoid function. If v is a real value, then VL and the initial HLs are defined using Eq. (5). In DBN, the previous layer is assumed to be the VL of the upper HLs. Once the primary RBM is trained, the network parameter is retained. The second RBM is also trained then until it acquires the topmost layer. At the time of training the DBN, the unsupervised learning approach is utilized for training the previous RBM. The supervised learning process finishes the classification of the topmost layer and accomplishes an optimized output through the BP model.

The RDBN training method is the same as that of the DBN approach. The supervised and unsupervised learning methods are integrated into the training method. Initially, the previous training model exploits the unsupervised learning method to attain the primary RBM network parameter. Next, the RL model is incorporated with the trained RBM to establish the reinforced RBM (RRBM). Then, the RRBM contains the stacked RDBN. The supervised learning approach completes the network training process through the labels that are interconnected with the topmost layer using the BP approach.

The weight matrices in the RRBM are trained to complete the representation among its neighbouring layers. In this study, the distribution of the weighted matrix W(k) reflects the features of the input emitter signal dataset. After executing the unsupervised training process, the interconnected weight matrix is retained. Then, the supervised training process completes the last distribution of W(k) to identify eight kinds of radar-emitted signals. Here, W(k) and the distinct wij(k) values worked differently. If the complete value of wij(k) is higher, then its significance, i.e., hi(k−1)(vi) of the VL, increases up to hj(k) in the HL. Hence, the RRBN approach handles the interconnected weighted matrixes after completing the unsupervised learning process in every RBM. The RL process is employed upon W(k) and involves three parts: initially, the threshold ε is evaluated for every row of W(k). Then, the ε is compared using all the weighted values of wij. Afterwards, the wij value is adapted based on the comparison outcomes, and then the value is returned. This study follows a concrete adjustment approach, whereas each output W^(k) replaces the old interconnected weighted matrix W(k) for the following supervised learning.

2.2 ECSA Based Hyperparameter Tuning

The ECSA-based hyperparameter tuning process is executed to boost the overall classification outcomes. The CSA approach has some specific limitations that get reflected in two subsequent features [18]. (1) The population diversity is adapted using Awp in the CSA approach. However, the Awp parameter denotes some specific values to limit the iterative model’s coordinative capability and (2) The fight step size in the CSA approach is a predetermined value and does not change with the iteration count. Thus, the local exploitation and the crow’s global search abilities are limited.

Various CSA techniques are suggested to resolve this limitation. The chaotic CSA method exploits the chaotic searching method’s randomness and ergodicity to enhance its optimization capability. But, in the case of a large space with multi-parameter optimization issues, the chaotic CSA approach experiences a few challenges, for instance, lengthy computation time. Further, it is also incapable of finding the optimum solution. The dynamic CSA approach and an adoptive CSA method upgrade the location dynamically based on the adoptive approach to fit into the iteration variations. In the fuzzy-based CSA approach, the fuzzy concept is presented in the CSA method that accelerates the convergence efficacy to a specific range. The ENCSA approach follows two methods such as the periodic fight migration approach and an adaptive fight step adjustment method. The local development and the global exploration capabilities can be improved via an adaptive fight step adjustment approach. Furthermore, the diversity of the population is also preserved with the help of the periodic fight migration approach to prevent the model from getting trapped in local maxima.

Periodic fight migration strategy

The Migration Frequency (MF) is incorporated by preserving the crow population diversity. Initially, the crows that are judged should migrate. When a crow needs to migrate, the crow flies to another place to search. Once there is no need for a crow to migrate, the crow either follows or searches for others, as shown below:

{Posjiter+1=Posjiter+R×L×(mbest−Posjiter)L=efj+εfj−j−fbest(8)

In Eq. (8), R characterizes an arbitrary value within [0,1]; mbest denotes the location of the optimum crow in a crow group; fj signifies the targeted value of the crow j;fbest characterizes the targeted value of an optimum individual and ε signifies the minimum value that guarantees the significance of the fraction.

The crow’s migration formulation is devised so that the crow group doesn’t transfer to an arbitrary location. However, it follows the crow with an optimum location from the group.

Adaptive fight step adjustment strategy

In this work, the fight distance is a predetermined value. Hence, the searching capability of a crow cannot be modified by increasing the number of iterations. An adoptive fight step size is developed. The searching capability of the crows has altered once the iteration count increases, which is mathematically expressed below.

FLji;er=0.2×eMiteriter(9)

By expanding the search, the fight step size becomes progressively smaller. Initially, the crow is a large fight step size that makes the crow have a strong global searching ability. Then, the fight step size of the crow becomes small, which in turn makes the crow reinforce the local development ability.

Acceleration search factor

The adaptive searching step can reinforce local development and global searching abilities. The Acceleration Search Coefficient (ASC) is proposed to improve the optimization ability additionally and is mathematically expressed herewith.

ASC=ASCmin+(ASCmax−ASCmin)×e(−15×iterMiter)5(10)

In Eq. (10), ASCmax(ASCmax=0.9) and ASCmin(ASCmin=0.2) denote the maximal and minimal values respectively.

Initially, the ASC values make the crows have a strong global searching ability. When the ASC values become smaller, this phenomenon makes the crows develop a strong local development capability. ACS creates a fine balance between the global and local convergences. This characteristic increases the efficiency of the presented method. The updated formula of the crow’s location is shown below.

Posjiter+1=ASC×Posjiter+R×FLjiter×(mjiter−Posjiter)(11)

3  Experimental Validation

The proposed ECSADL-CAD approach was experimentally validated utilizing the CICIDS-2018 dataset. The test dataset includes a total of 84,792 samples under six class labels, and the details are depicted in Table 1.

The classification outcomes of the proposed ECSADL-CAD model are presented in the form of a confusion matrix in Fig. 3. With the entire dataset, the proposed ECSADL-CAD model categorized 69,047 samples as class 0, 2,865 samples as class 1, 3,020 samples as class 2, 2,956 samples as class 3, 2,946 samples as class 4 and 2,825 samples as class 5. On the other hand, with 70% of the TR dataset, the ECSADL-CAD approach categorized 48,328 samples under class 0, 2,012 samples under class 1, 2,123 samples under class 2, 2,046 samples under class 3, 2,075 samples under class 4 and 1,961 samples under class 5. Moreover, with 30% of the TS dataset, the proposed ECSADL-CAD system categorized 20,719 samples as class 0, 853 samples as class 1, 897 samples as class 2, 910 samples as class 3, 871 samples as class 4 and 864 samples as class 5.

Figure 3: Confusion matrices of the ECSADL-CAD approach (a) Entire dataset, (b) 70% of TR data, and (c) 30% of TS data

Table 2 and Fig. 4 depict the results of the proposed ECSADL-CAD technique on the entire dataset. The ECSADL-CAD method recognized the class 0 samples with accuy, precn, recal, Fscore  and MCC values such as 99.14%, 99.82%, 99.13%, 99.47% and 97.11%, respectively. Further, the class 1 samples were identified with accuy, precn, recal,  Fscore  and MCC values such as 99.68%, 94.62%, 96.24%, 95.42% and 95.26%, correspondingly. Moreover, the class 2 samples were classified with accuy, precn, recal,  Fscore  and MCC values such as 99.74%, 94.64%, 98.50%, 96.53% and 96.42%, correspondingly. In addition to these, the class 3 samples were categorized with accuy, precn, recal,  Fscore  and MCC values such as 99.54%, 89.90%, 98.04%, 93.80% and 93.65%, correspondingly. At last, the class 4 samples were identified with accuy, precn, recal,  Fscore  and MCC values such as 99.64%, 93.14%, 97%, 95.03% and 94.86%, correspondingly.

Figure 4: Analytical results of the ECSADL-CAD approach on the entire dataset

Fig. 5 provides the average results of the ECSADL-CAD model on different classes. These results confirmed the effectual performance of the proposed ECSADL-CAD model with average accuy, precn, recal, Fscore,  and MCC values such as 99.55%, 94.65%, 96.96%, 95.76% and 95.23%, respectively.

Figure 5: Average analytical results of the ECSADL-CAD approach on entire dataset

Table 3 and Fig. 6 demonstrate the outcomes of the proposed ECSADL-CAD approach on 70% of the TR data. The ECSADL-CAD technique recognized the class 0 samples with accuy, precn, recal, Fscore  and MCC values such as 99.12%, 99.81%, 99.11%, 99.46% and 97.05%, correspondingly. Besides, the class 1 samples were identified with accuy, precn, recal,  Fscore  and MCC values such as 99.68%, 94.77%, 96.31%, 95.54% and 95.38%, respectively. Additionally, the class 2 samples were categorized with accuy, precn, recal,  Fscore  and MCC values such as 99.74%, 94.48%, 98.47%, 96.43% and 96.32%, correspondingly. Followed by the class 3 samples were categorized with accuy, precn, recal,  Fscore  and MCC values such as 99.52%, 89.42%, 98.04%, 93.53% and 93.39%, correspondingly. Eventually, the class 4 samples were classified with accuy, precn, recal,  Fscore  and MCC values such as 99.63%, 93.22%, 96.74%, 94.94% and 94.77%, correspondingly.

Figure 6: Analytical results of the ECSADL-CAD approach on 70% of the TR data

Fig. 7 offers the average outcomes of the ECSADL-CAD approach under distinct classes. These outcomes reveal the effectual performance of the ECSADL-CAD approach with average accuy, precn, recal, Fscore  and MCC values such as 99.55%, 94.55%, 96.89%, 95.67% and 95.14%, correspondingly.

Figure 7: Average analytical results of the ECSADL-CAD approach on 70% of the TR dataset

Table 4 and Fig. 8 illustrate the outcomes of the ECSADL-CAD approach on 30% of the TS data. The ECSADL-CAD technique recognized the class 0 samples with accuy, precn, recal, Fscore  and MCC values such as 99.18%, 99.83%, 99.17%, 99.50% and 97.25%, correspondingly. In addition, the class 1 samples were classified with accuy, precn, recal,  Fscore  and MCC values such as 99.66%, 94.25%, 96.06%, 95.15% and 94.98%, respectively. The class 2 samples were also categorized with accuy, precn, recal,  Fscore  and MCC values such as 99.76%, 95.02%, 98.57%, 96.76% and 96.66%, correspondingly. Likewise, the class 3 samples were categorized with accuy, precn, recal,  Fscore  and MCC values such as 99.58%, 91%, 98.06%, 94.40% and 94.25%, correspondingly. Finally, the class 4 samples were classified with accuy, precn, recal,  Fscore  and MCC values such as 99.66%, 92.96%, 97.65%, 95.24% and 95.10%, correspondingly.

Figure 8: Analytical results of the ECSADL-CAD approach on 30% of the TS data

Fig. 9 illustrates the average results accomplished by the proposed ECSADL-CAD technique under different classes. These outcomes reveal the effectual performance of the ECSADL-CAD technique with average accuy, precn, recal, Fscore  and MCC values such as 99.58%, 94.88%, 97.12%, 95.96% and 95.46%, correspondingly.

Figure 9: Average analysis results of the ECSADL-CAD approach on 30% of the TS data

Both Training Accuracy (TRA) and Validation Accuracy (VLA) values, acquired by the proposed ECSADL-CAD approach on the test dataset, are shown in Fig. 10. The experimental results infer that the proposed ECSADL-CAD approach achieved the maximal TRA and VLA values, whereas the VLA values were superior to the TRA values.

Figure 10: TRA and VLA analyses results of the ECSADL-CAD approach

Both Training Loss (TRL) and Validation Loss (VLL) values, realized by the ECSADL-CAD methodology on the test dataset, are depicted in Fig. 11. The experimental results reveal that the ECSADL-CAD system achieved the least TRL and VLL values, whereas the VLL values were lesser than the TRL values.

Figure 11: TRL and VLL analyses results of the ECSADL-CAD approach

In order to validate the superior performance of the ECSADL-CAD approach, an extensive comparative analysis was conducted, and the results are shown in Table 5 [15]. Fig. 12 reports the detailed accuy inspection outcomes achieved by the ECSADL-CAD approach and other recent DL techniques. The outcomes reveal that the CNN and the GRU-RNN models accomplished poor performance with minimal accuy values such as 90.91% and 88.67%. Then, the 2L-ZED-IDS model reported a slightly increased accuy of 95.57%. The LSTM-CNN model reached a considerable performance with an accuy of 98.48%. Next, the hybrid DL model produced a near optimal accuy of 99.32%. But, the proposed ECSADL-CAD model achieved enhanced results with an accuy of 99.58%.

Figure 12: Accuy analysis results of the ECSADL-CAD approach and other recent algorithms

Fig. 13 shows the detailed CT inspection results of the ECSADL-CAD approach and other recent DL techniques. The outcomes denote that 2L-ZED-IDS and the GRU-RNN systems attained the least performance with maximum CT values such as 1.13 and 1.10 s correspondingly. Afterwards, the LSTM-CNN technique reported a low CT value of 1.08 s. Besides, the CNN technique gained considerable performance with a CT of 0.96 s.

Figure 13: CT analysis results of the ECSADL-CAD approach and other recent algorithms

Following, the hybrid DL algorithm produced a near-optimum CT of 0.88 s. But, the proposed ECSADL-CAD technique demonstrated an enhanced outcome with a CT of 0.53 s. Hence, the ECSADL-CAD model can be established as a productive tool to secure the IoT environment.

4  Conclusion

The current article introduced a new ECSADL-CAD model for attack detection in the SDN-enabled IoT environment. The presented ECSADL-CAD approach aims to identify and classify the cyberattacks in the SDN-enabled IoT environment. To attain this, the ECSADL-CAD model pre-processes the data at the initial stage. In the presented ECSADL-CAD model, the RDBN model is employed for attack detection. At last, the ECSA-based hyperparameter tuning process gets executed to boost the overall classification outcomes. A series of simulations were conducted to validate the enhanced outcomes of the proposed ECSADL-CAD model. The experimental values confirmed the superior performance of the ECSADL-CAD model over other existing methodologies with a maximum accuracy of 99.58%. In the future, the feature selection approaches and the outlier removal processes can be incorporated to improve the classification results.

Funding Statement: Princess Nourah bint Abdulrahman University Researchers Supporting Project Number (PNURSP2022R77), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia. The authors would like to thank the Deanship of Scientific Research at Umm Al-Qura University for supporting this work by Grant Code: (22UQU4331004DSR15).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.