Deakin University

File(s) under permanent embargo

A malicious threat detection model for cloud assisted internet of things (CoT) based industrial control system (ICS) networks using deep belief network

journal contribution
posted on 2018-10-01, 00:00 authored by Shamsul Huda, S Miah, John Yearwood, S Alyahya, H Al-Dossari, Robin Ram Mohan Doss
Internet of Things (IoT) devices are extensively used in modern industries, combined with the conventional industrial control system (ICS) network through the industrial cloud, to make production data easily available to corporate business management and to allow easier control of highly profitable production systems. The devices within a conventional ICS network were originally manufactured to run on an isolated network and were not designed with consideration for the privacy and security of the control and production/architecture data being trafficked over the manufacturing plant to the corporate side. Due to their extensive integration with the industrial cloud network over the internet, these ICS networks are exposed to a significant threat of malicious activities created by malicious software. Protecting ICS from such attacks requires continuous updates to the databases of their anti-malware tools, which requires manual effort from experts on a regular basis. This limits real-time protection of ICS. Earlier work by Huda et al. (2017) based on a semi-supervised approach performed well. However, the training process of the semi-supervised approach (Huda et al., 2017) is a complex procedure that requires a hybridization of feature selection, unsupervised clustering and supervised training techniques. Therefore, it could be time consuming for real-time protection of an ICS network. In this paper, we propose an adaptive threat detection model for the industrial cloud of things (CoT) based on deep learning. Deep learning has been used in many domains of pattern recognition and is a popular approach because of its simple training procedure. Most importantly, deep learning can learn the hidden patterns of the domain in an unsupervised manner, which avoids the need for large amounts of expensive labeled data. We used this particular characteristic of deep learning to design our detection model. Two different types of deep learning based detection models are proposed in this work. The first model uses disjoint training and testing data for a deep belief network (DBN) and a corresponding artificial neural network (ANN). In the second proposed detection model, the DBN is trained using new unlabeled data to provide it with additional knowledge about the changes in the malicious attack patterns. The novelty of the proposed detection models is that they are adaptive: their training procedure is simpler than that of the earlier work (Huda et al., 2017), and at the same time they can adapt to new malware behaviors from already available and cheap unlabeled data. This avoids expensive manual labeling of new attacks and the corresponding time complexity, making the approach feasible for ICS networks. The performance of standard DBNs is sensitive to their configuration and to the values of the hyper-parameters, including the number of hidden nodes, the learning rate and the number of epochs. Therefore, the proposed detection models find an optimal configuration by varying the structure of the DBNs and other parameters. The proposed detection models are extensively tested on a real malware test bed. Experimental results show that the proposed approaches achieve higher accuracies than standard detection algorithms and obtain performance similar to the earlier semi-supervised work (Huda et al., 2017), while providing a comparatively simplified training model.

History

Journal

Journal of parallel and distributed computing

Volume

120

Pagination

23 - 31

Publisher

Elsevier

Location

Amsterdam, The Netherlands

ISSN

0743-7315

Language

eng

Publication classification

C Journal article; C1 Refereed article in a scholarly journal

Copyright notice

2018, Elsevier Inc.