Article

IIoT Malware Detection Using Edge Computing and Deep Learning for Cybersecurity in Smart Factories

School of Cybersecurity, Korea University, Seoul 02481, Korea
Appl. Sci. 2022, 12(15), 7679; https://doi.org/10.3390/app12157679
Submission received: 26 May 2022 / Revised: 27 July 2022 / Accepted: 28 July 2022 / Published: 30 July 2022
(This article belongs to the Special Issue Applications of Deep Learning and Artificial Intelligence Methods)

Abstract
The smart factory environment has been transformed into an Industrial Internet of Things (IIoT) environment, which is an interconnected and open approach. This has made smart manufacturing plants vulnerable to cyberattacks that can directly lead to physical damage. Most cyberattacks targeting smart factories are carried out using malware. Thus, a solution that efficiently detects malware by monitoring and analyzing network traffic for malware attacks in smart factory IIoT environments is critical. However, achieving accurate real-time malware detection in such environments is difficult. To solve this problem, this study proposes an edge computing-based malware detection system that efficiently detects various cyberattacks (malware) by distributing vast amounts of smart factory IIoT traffic information to edge servers for deep learning processing. The proposed malware detection system consists of three layers (edge device, edge, and cloud layers) and utilizes four meaningful functions (model training and testing, model deployment, model inference, and training data transmission) for edge-based deep learning. In experiments conducted on the Malimg dataset, the proposed malware detection system incorporating a convolutional neural network with image visualization technology achieved an overall classification accuracy of 98.93%, precision of 98.93%, recall of 98.93%, and F1-score of 98.92%.

1. Introduction

Concomitant with advances in information and communication technology (ICT), the Industrial Internet of Things (IIoT) has developed rapidly. However, because IIoT is an interconnected and open approach, it is highly vulnerable to malware attacks [1,2,3]. Furthermore, as the IIoT sensors used for the industrial control systems (ICSs) [4] of smart factories are directly connected to the Internet, they are also vulnerable to cyberattacks such as malware, distributed denial of service (DDoS), brute-force attack, man-in-the-middle attack, SQL injection, data exfiltration, and phishing [5,6,7], threatening the normal operation of ICSs [8,9]. Consequently, accurate and efficient detection and classification of malware is critical for smart factory cybersecurity.
Smart sensors connected to the automated production network in the manufacturing facility process [10] are the core driving forces of the manufacturing industry, and IIoT is being installed in major industrial infrastructure [11,12]. Such IIoT enables communication between sensors and control systems as well as the monitoring and control of manufacturing systems in production lines and manufacturing processes. Furthermore, artificial intelligence (AI) technologies such as big data analysis and deep learning are being used to process and analyze data from various sources and perform advanced predictive analysis including defect level prediction, maintenance forecasting, and demand forecasting [13].
According to GE Digital, IIoT will enable manufacturing cost savings and benefit 46% of the global economy [14]. Additionally, International Data Corporation (IDC), an IT market research firm, has predicted that by 2025, 41.6 billion Internet of Things (IoT) devices will be connected, generating 794 zettabytes (ZB) of data [15]. As such, multifarious types of data are being generated following an increase in the use of IIoT devices in the manufacturing industry. The types and severity of cybersecurity threats through IIoT are also increasing proportionally with the adoption of IIoT in smart factories. The increasing number of cyberattacks against supervisory control and data acquisition (SCADA), programmable logic controller (PLC), human–machine interface (HMI), remote terminal unit (RTU), and distributed control system (DCS) sensors, as well as intelligent electronic devices (IEDs), that are indexed and identifiable in Shodan (a search engine for Internet-connected devices) confirms that Internet-connected IIoT devices in the manufacturing industry are targets for hackers. This makes manufacturing one of the industries most vulnerable to cyberattacks, and failure to upgrade or patch IIoT firmware in a timely manner leaves IIoT devices exposed to malicious attacks. This is because it is practically difficult to implement a security module on IIoT terminals owing to their resource constraints, such as low computational power. Because the manufacturers, communication, networking, data processing, data storage capacity, computational power, and transmission capabilities of IIoT devices vary, it is difficult to apply an existing security module or a unified security method [16]. Therefore, it is necessary to develop a security mechanism that can accurately detect and respond to malware for IIoT devices deployed in smart factories.
It is difficult to achieve accurate intrusion detection in real time in the smart factory IIoT environment [17]. Most studies related to malware detection have either (i) taken the perspective of a general-purpose intrusion detection system (IDS) that includes the existing signature-based and the latest machine learning-based approaches as it is impossible to apply a universal model for all types of devices owing to the heterogeneity of IIoT devices; (ii) focused on a centralized malware detection method rather than a distributed edge architecture in terms of the deployment method, which has excellent scalability and detection time; or (iii) proposed malware detection methods that do not deeply consider the viability of devices with limited resources. Thus, malware detection approaches using edge computing-based deep learning are still rare.
As most IIoT devices cannot be equipped with expensive hardware owing to the price–performance tradeoff, it is difficult to implement deep learning models directly on IIoT terminals [18]. Deep learning models have many parameters to adjust for effective training and require much memory and high computational resources, as they must be trained and refined repeatedly over many epochs. In distributed IIoT devices with limited resources, such as those in smart factories, the complexity and high computational overhead of deep learning therefore become a problem. As training is the most time-consuming and laborious part of the neural network process, it must be offloaded to another device with sufficient computational power. This problem can be solved using edge computing [19] to offload some or all of the deep learning computation to an edge or cloud server environment equipped with high-performance hardware for distributed processing [20].
This paper provides the following major contributions:
(i) An edge computing and malware detection system is proposed for the distributed IIoT environments of smart factories.
(ii) A convolutional neural network (CNN) model using image visualization techniques is incorporated for malware classification.
(iii) The proposed malware detection system is validated on the Malimg dataset.
(iv) A detection accuracy of 98.93% is achieved for 25 different malware types in the experiments conducted.
The remainder of this paper is organized as follows. Section 2 reviews the general cybersecurity threats and types of cyberattacks that can occur in smart factories, smart factory cyberattack structures, and recent malware-based attack cases targeting the manufacturing industry presented in previous studies. Section 3 introduces the proposed approach by describing the use of edge computing and deep learning for smart factory IIoT cybersecurity, as well as edge computing and deep learning-based malware detection systems as countermeasures (solutions) to cyberattacks, their main functions, and deep learning (CNN) for malware detection. Section 4 outlines the experiments conducted to verify the efficacy of the proposed CNN-based malware classification system. Section 5 presents and analyzes the results obtained. Section 6 presents concluding remarks.

2. Literature Review

2.1. Security Threats for Smart Factories

With the combination of IT technologies such as the IoT, big data, and artificial intelligence with traditional manufacturing production, which historically had a closed structure, the industry has evolved to an open structure with increased digitization and complex IT networks within and between factories. This has also increased the diversity and sophistication of the contact points that potential attacks on open-structure smart factories can target. The scale and damage of security threats are increasing as the number of objects that must be managed [21], such as software bugs and hardware malfunctions, open Internet protocols and shared networks, the numerous parties involved in production processes, and the numerous accessible field devices, also increases.
Cybersecurity for manufacturing requires close attention. This sector poses special security challenges owing to the unique characteristics of cyber-physical systems (CPS), including operational technologies (OT) such as ICS, SCADA systems, network equipment, sensors, and data software [22]. Tuptuk and Hailes [23] described the differences between manufacturing systems and IT systems by classifying each attribute (Table 1). Owing to its many differences from existing IT systems, a manufacturing system needs an operation and security strategy coordinated through threat and vulnerability analysis to fit the smart factory environment.
Existing cybersecurity products and solutions designed to protect IT systems do not address supply chain cybersecurity threats that target interconnected vendor and customer systems. According to Burke et al. [24], today’s supply chain is transforming into a digital supply chain, a dynamic system in which all links (Develop, Plan, Source, Make, Deliver, Support, etc.) are interconnected. This network integrates various sources and various location information to produce and distribute the final product of the smart factory. This allows greater connections between domains that did not previously exist. Communication between different network parts is multi-directional and connections are made between traditionally unconnected links in the supply chain [3]. Insecure networks in these supply chains can affect the entire supply chain by providing an entry point for malicious software.
Cyberattacks on smart factories span a wide spectrum. Although some of these attacks are motivated by political reasons, most of the recent attacks, such as ransomware infections, are motivated by financial reasons. Cyberattacks typically pursue one of the following three goals [25].
  • Stealing personal data of end customers: Criminals use integrated customer relationship management (CRM) systems, e.g., gaining operating system access through heating and air conditioning vendors.
  • Taking the entire system down: This can cause dramatic losses associated with hacker attacks.
  • Industrial espionage and sabotage: This involves exploiting technical vulnerabilities to steal intellectual property and trade secrets, or to extort the victim, in order to gain a competitive advantage over competitors.
Table 2 shows the security threat data provided by “Good Practices for Security of Internet of Things in the context of Smart Manufacturing” of the European Union Agency for Cybersecurity (ENISA) [26,27] and the “Security Model for Smart Factory” of the Korea Internet and Security Agency (KISA) [28], supplemented by using threat/vulnerability information that occurs in the manufacturing (OT) environment and IT environment of smart manufacturing companies. It should be noted that the threat data and scenarios provided are helpful for forecasting but may still be inconsistent with the various threat vectors in the field. In particular, most threats classified in the high-risk category can lead to service disruption or damage.
Owing to limited computational, communication, and processing resources, it is difficult to apply security technologies such as data encryption and secure communication protocol applications to most smart factory CPS devices. Consequently, many CPS devices do not use encryption in their machine-to-machine (M2M) [29] or server communications. It is important to note that if a hacker identifies and exploits this vulnerability, it can lead to a high-risk threat. Figure 1 shows cases in the last 10 years when hackers exploited these vulnerabilities to cause accidents such as power outages and failures. To mitigate these risks, it is important to thoroughly understand and implement cybersecurity standards [30].

2.1.1. Cyberattacks

When designing smart factory security, it is important to understand what the potential threats are and where they are likely to originate. This section introduces DoS, man-in-the-middle (MiTM), and malware attacks, which are major attacks that occur in smart factories, as well as general types of attacks that affect smart factories when they occur, among various other cyberattacks. Then, based on the IIoT architecture, various cyberattack types that can occur in smart factories are examined for each layer. The intention is to gain insight into the background of this study through the recent case of malware-based attacks targeting the manufacturing industry.
Denial of Service Attacks. Denial of service (DoS) attacks are specifically aimed at denying access to all forms of computing resources. A DoS attack incapacitates a system by effectively stopping the processes it controls [23]. Table 3 shows the types of DoS attacks, which mainly comprise high-volume traffic causing bandwidth exhaustion, exceeding the allowed number of connections causing session exhaustion, system resource exhaustion, and buffer overflows in communication protocols. For example, in a smart factory industrial control process, a DoS attack may interfere with the communication that carries control commands and sensor signal information, causing denial of access, degraded control performance, and instability in lower-level control systems or terminal devices [31].
Man-in-the-middle Attacks. Man-in-the-middle attacks mainly exploit vulnerabilities in network protocols. They seize control of the communication between specific devices exchanging information over a network [33]. An attacker who has taken control of the communication can eavesdrop on the exchange between devices and can also falsify the information exchanged with malicious intent. For example, it is a powerful attack that allows an attacker to change the configuration values of an IIoT device in the automated manufacturing process of a smart factory, or to manipulate sensor information and control input signals to cause failure or stoppage of the ICS. There are various types of man-in-the-middle attacks; the typical attack types are shown in Table 4.
Malware Attacks. Cyber criminals often use malware to launch cyberattacks. Malware is any software that performs unwanted and suspicious activities on a victim’s computer [36]. Table 5 shows the various types of malware created by attackers to damage industrial control devices, systems, and networks. These attacks may render industrial control systems or networks inoperable or, by allowing remote control of the system, cause catastrophic damage to the industrial control system of the production process, its operating processes, and related data. In particular, a ransomware attack that paralyzes the Industrial Automation and Control System (IACS) of the production process and damages system integrity for the purpose of financial gain is fatal in the smart factory environment. In addition, these attacks affect safety, health, and the environment, causing serious damage.

2.1.2. Common Cyberattacks

Smart factory architecture is vulnerable to various kinds of cyberattacks [37]. Table 6 shows the common types of attacks occurring in smart factories in addition to the main attacks mentioned above. Among them, advanced persistent threat (APT) attacks are characterized by being operated covertly through multilateral cooperation over a long period. A representative example showing the danger of APT attacks is Stuxnet [38], which paralyzed an Iranian nuclear power plant in July 2010. If the main control system of a smart factory is destroyed or stopped by such an APT attack, the continuity of the factory’s production and services is also interrupted, inevitably incurring huge financial losses. Eavesdropping on the process control network of smart factory production equipment steals important process information such as recipes and the accounts and passwords of control devices. Attacks against AI enable attackers to take control of an AI-equipped robot through machine learning poisoning in the smart factory manufacturing process. Such machine learning poisoning attacks can result in performance degradation and even shutdown of the smart factory, causing problems directly related to safety.

2.2. Smart Factory Cyberattack Structure Diagram

In a smart factory environment where security solutions are difficult to apply, a cyberattack can be initiated through all network links and various other entry points, such as corporate connections, connections through other networks at the control network layer, or field device level connections. For example, various IIoT devices in the smart factory may be directly connected to the external Internet network and communication may be eavesdropped or infected with a virus. An attacker may also visit for a firmware upgrade or facility maintenance check for malicious purposes and distribute malware by utilizing a USB. Figure 2 depicts a smart factory cyberattack structure diagram. It was constructed by referring to a five-layer IIoT architecture [51] considering various cyberattacks that may occur in smart factories. The five layers are Physical Sensing, Network/Protocol, Transport, Application, and Data and Cloud Services. The Physical Sensing Layer includes various sensors and IoT devices and is subject to side-channel, eavesdropping, and physical attacks. The Network/Protocol Layer includes various wired and wireless network protocols related to IIoT systems—such as Ethernet, 5G, Wi-Fi, Bluetooth, and ZigBee—and is subject to DoS and MiTM attacks. The Transport Layer includes transmission-related protocols—such as TCP/IP and UDP/IP—and is subject to DoS, malware, and data tampering attacks. The Application Layer includes application protocols developed for low-power and low-capacity IIoT requirements—such as constrained application protocol (CoAP), advanced message queuing protocol (AMQP), and HTTP—and is subject to malware, false data injection, APT, zero-day, and phishing attacks [51]. The Data and Cloud Services Layer provides an IoT framework based on major cloud services—such as AWS, Google, and Cisco—and is subject to APT and zero-day attacks.
If AI is used in the cloud, attacks against AI (e.g., insertion of incorrect data in the data collection stage) may occur in AI-related processes (collection, transmission, and processing).

2.3. Smart Factory Cyberattack Cases

Recent incidents, such as the TSMC ransomware attack, the SolarWinds network attack, and the Colonial Pipeline attack, show how vulnerable companies are to hacking attacks that use malware against industrial control systems and manufacturing facilities.
TSMC WannaCry ransomware attack in Taiwan (2018): In 2018, TSMC, the world’s largest semiconductor consignment manufacturer in Taiwan, suffered a production plant shutdown due to a WannaCry ransomware attack. In this attack, malware was introduced into the production facility via a universal serial bus (USB) infected with the WannaCry variant malware while the employee was upgrading the production facility software on a closed production computer that was blocked from outside access. As a result, more than 10,000 PCs and devices in the production process were infected, data were encrypted, and factory operations were suspended for two days. This resulted in an economic loss of approximately $250 million, equivalent to 3% of annual sales [52].
Hacking of SolarWinds Supply Chain (2020): The SolarWinds supply chain hacking incident was a case in which malware was inadvertently distributed in a legitimate manner using the automatic update function trusted and used by customers [53]. SolarWinds is an American company that supplies network systems and IT infrastructure software used by many manufacturing companies and public institutions worldwide. Figure 3 shows the operation process of the SolarWinds software supply chain attack. This attack hid the Trojan horse malware called SUNBURST in the update file of “Orion”, a monitoring solution from SolarWinds. More than 18,000 customers (3% of all customers) had their systems infected with malware when they updated the solution. As such, attackers target supply chains because the damage and severity of cyberattacks on them are directly linked to the availability of smart factories.
Colonial Pipeline DarkSide ransomware attack in the US (2021): In May 2021, Colonial Pipeline, the largest oil pipeline company in the US, was attacked by the DarkSide ransomware, which led to supply constraints. This resulted in a six-day shutdown of the transport of fuel and other refined products (more than approximately 100 million gallons per day) through this pipeline, which runs over 5500-plus miles from Houston in Texas to New York in the southeast United States [54]. Gasoline futures prices reached their highest level in three years as the incident heightened concerns about fuel shortages in the US. Attackers infiltrated the computer systems of Colonial Pipeline by abusing legacy virtual private network (VPN) profile accounts that employees used for remote access to the company’s computer networks. The DarkSide ransomware was used to encrypt all files, and Colonial ended up paying $4.4 million for the decryption [55].
Based on these cases, the paths of cyberattacks that frequently occur in the smart factory industrial control network were found to include social engineering that introduces a malware-infected USB (physical) and the distribution of malware through legitimate service supply chain channels such as update and patch systems. Because of the ransomware attacks, various control systems and management PCs in the smart factory could not perform their functions, failing to ensure availability. As cyberattacks targeting the smart factory industrial control system (ICS) may directly lead to physical damage, it is very important to implement security functions [56,57].

3. Edge Computing and Deep Learning-Based Malware Detection Method

3.1. Deep Learning for Malware Detection

Most malware attacks are variants of previously known cyberattacks, and there is a limit to the ability of a few experts to respond to the increasing range of variants. For handling malware variants, similarity-based machine learning methods using API call sequences [58], as well as Support Vector Machine (SVM) [59] and various other machine learning models (Decision Tree (DT) [60,61], Extreme Learning Machine (ELM) [62], k-Nearest Neighbors [63], Logistic Regression [64], Random Forest (RF) [65], Naïve Bayes [66], Neural Networks [67], and Multi-Layer Perceptron (MLP) [68]) have been presented [8]. However, because the performance of such machine learning-based malware detection methods largely depends on the extracted features, sophisticated feature extraction is crucial. A local neighborhood binary pattern (LNBP) that extracts feature vectors using all neighborhoods to classify malicious code has been proposed [69]. Such feature extraction is performed manually by experts, which is a difficult, time-consuming task that requires extensive domain knowledge [70]. As such, traditional machine learning systems are not highly accurate in recognizing new variants, as humans cannot directly create the features (patterns) and extract the abstract features needed to distinguish new attacks or mutations.
Deep learning, an improved form of machine learning based on neural networks, is a method for feature extraction and classification that is well known in the areas of image recognition and data processing. Deep learning can predict or classify malware more accurately than machine learning, with improved task performance, by using multiple processing layers to extract complex patterns from raw data and analyze massive traffic volumes [71,72]. In addition, because the feature extractor in deep learning is learned automatically by the algorithm itself rather than designed manually, as shown in Figure 4, complex and high-dimensional features can be extracted automatically without the need for coding by humans [73]. Even for small changes or modifications, such as new variants, it is possible to accurately classify malicious code by learning the true properties (attack patterns) of the data.
An image similarity-based feature extraction method that exploits the advantages of deep learning to classify malware by learning similar features from similar structures has been proposed [74,75,76]. An executable malware file is represented as a matrix of hexadecimal or binary strings and can be converted into an image. To create new malware, malware authors typically add to or change the code of previous malware. This makes small additions or changes in various sections of the file structure easy to visualize when the file is viewed as an image. Nataraj et al. [76] demonstrated that malicious code can be detected more accurately by analyzing the texture characteristics of such images than with existing malicious code analysis techniques. They implemented an image-based texture analysis that extracted global image descriptor (GIST) features from the malicious code image and classified the malicious code with K-Nearest Neighbors (KNN). Malware classification using image processing in this way can be applied regardless of the operating system. As it requires neither disassembly nor separate code execution, it is faster than static and dynamic analysis and has the advantage of being able to handle obfuscation techniques such as encryption and packing [77]. Most malware detection approaches using deep learning are based on supervised learning.
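The byte-to-image conversion described above is simple enough to show end to end. The following Python is an added example written for this page, not the authors' implementation or the Malimg tooling: it reshapes a byte string into rows of grayscale pixels with a width chosen from the file size, serializes the result as a PGM image that any viewer can open, and reports which image rows differ between an original and a "variant" that patches a few bytes. The width thresholds are an assumption following the commonly cited Nataraj et al. schedule; the two sample "binaries" are constructed inline.

```python
"""Visualize an executable's bytes as a grayscale image (Nataraj-style).

Added example for this page; uses only the standard library.
"""
import math
from typing import List

# Width schedule keyed by file size. Assumption: these are the commonly
# cited Nataraj et al. thresholds; they are not taken from the paper above.
WIDTH_SCHEDULE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]


def image_width(size: int) -> int:
    """Pick the image width for a file of `size` bytes (1024 above the last threshold)."""
    for limit, width in WIDTH_SCHEDULE:
        if size < limit:
            return width
    return 1024


def bytes_to_image(data: bytes) -> List[List[int]]:
    """Reshape raw bytes into rows of pixels (0-255); the last row is zero-padded."""
    width = image_width(len(data))
    height = math.ceil(len(data) / width)
    padded = data + bytes(width * height - len(data))
    return [list(padded[r * width:(r + 1) * width]) for r in range(height)]


def to_pgm(image: List[List[int]]) -> bytes:
    """Serialize as binary PGM (P5) so the picture can be inspected with any image viewer."""
    height = len(image)
    width = len(image[0]) if image else 0
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + b"".join(bytes(row) for row in image)


def changed_rows(img_a: List[List[int]], img_b: List[List[int]]) -> List[int]:
    """Row indices that differ between two images; rows present in only one image count as changed."""
    n = max(len(img_a), len(img_b))
    out = []
    for r in range(n):
        a = img_a[r] if r < len(img_a) else None
        b = img_b[r] if r < len(img_b) else None
        if a != b:
            out.append(r)
    return out


# Constructed sample "binaries": a two-byte marker, a repeating code-like
# region and a zero-filled data region (5002 bytes in total).
SAMPLE_A = b"MZ" + bytes(range(256)) * 19 + b"\x00" * 136
# The "variant" patches four bytes at offset 1000, mimicking a small code change.
_variant = bytearray(SAMPLE_A)
_variant[1000:1004] = b"\xff\xff\xff\xff"
SAMPLE_B = bytes(_variant)


if __name__ == "__main__":
    img_a = bytes_to_image(SAMPLE_A)
    img_b = bytes_to_image(SAMPLE_B)
    print(f"image size: {len(img_a[0])} x {len(img_a)}")
    print("rows changed by the variant:", changed_rows(img_a, img_b))
    with open("sample_a.pgm", "wb") as fh:
        fh.write(to_pgm(img_a))
```

The row diff makes the property the text relies on concrete: a four-byte patch in the variant changes exactly one image row (row 31 here, since offset 1000 falls in the 32-pixel-wide row 1000 // 32), so the rest of the texture is preserved and a similarity-based classifier sees two near-identical pictures. In a real pipeline the images would additionally be resized to a fixed CNN input size, which this example leaves out.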

3.2. Deep Learning for Malware Detection in Smart Factory

However, in distributed IIoT devices with limited resources, such as smart factories, the complexity and high computational overhead of deep learning becomes a problem. Because neural network training is the most time-consuming and laborious part of the process, handling this directly on IIoT devices in smart factories is problematic. Nguyen et al. [78] proposed a lightweight DNN-based NIDS (Realguard) that operates directly on resource-constrained IIoT edge gateways to protect local IIoT devices within the network. The labeled CIC-IDS-2017 dataset was used for model training and testing, with the proposed system exhibiting a high accuracy of 99.57%, on average. As labeled sample data were required to train the malware detection model, building such labeled data was difficult. It was also difficult to detect newly emerged malware as it had different characteristics from the original sample used for training. To address this, Wang et al. [79] proposed a malware detection method based on unsupervised domain adaptation (UDA) by jointly linking the distribution of known and unknown malware.
The recurrent neural network (RNN) has the problem that context information cannot be learned continuously over a long period owing to the vanishing gradient (gradient loss). Conversely, long short-term memory (LSTM), an extension of the RNN, can keep information about previous states and is used when long/short-term dependence (data at the current time point is more likely to be related to an earlier point in time) is required [80]. As LSTM can recognize the repetition of attack patterns in long packet sequences, it can be applied to learning the features and patterns of network data to classify them as normal or attack in malware detection, and it is effective for training on unstructured datasets such as those from IIoT [81]. In the approach suggested by Wu et al. [82], LSTM was used for detecting attack outliers in IIoT. This method used a stacked LSTM-NN, a variant of the RNN that can solve time-dependent data processing and gradient loss problems, together with an LSTM–Gaussian Bayes method to classify the attack, with the Gaussian Bayes model using the results predicted by the LSTM.
Malware detection using a CNN in the smart factory field automatically performs the two preprocessing steps of feature extraction and feature selection, and uses sparse interaction and parameter sharing to reduce the number of model parameters. Several studies have used CNNs for IIoT security [83,84,85,86]. Yang et al. [87] designed and implemented a deep learning-based intrusion detection solution for a SCADA industrial control system. The intrusion detection method used a CNN to characterize the behavioral patterns of the temporal network traffic of SCADA hosts, classifying abnormal patterns and assigning them labels (e.g., normal/abnormal), allowing SCADA operators to check these labels and take appropriate countermeasures.
In a smart factory environment, it is important to detect and mitigate cyberattacks on ICSs that can disrupt physical industrial processes and potentially injure workers. Perales Gómez et al. [88] proposed SafeMan, an integrated management framework for monitoring network traffic, the workspace, and worker activity, based on edge computing to achieve low latency and fast deployment of applications. Three industrial scenarios were introduced and compared, and to validate SafeMan, its runtime performance was measured with machine learning and deep learning models on Modbus TCP and on Electra, an open industrial dataset generated with S7Comm. In this measurement, 217 feature vectors per second were inspected on Electra.

3.3. Edge Computing and Deep Learning-Based Malware Detection System

The large-scale use of IIoT in the industrial control systems of smart factories, hardware resource constraints, and the global accessibility of IIoT systems make them a very attractive target for attackers. The disadvantages of traditional machine learning in cyberattack detection are its lack of automatic feature engineering, low detection rates, and inability to detect slight mutations of conventional attacks. These limitations can be overcome by adopting deep learning [89]. Deep learning can find complicated features by automatically mapping inputs to outputs without the manual intervention of specialists, constructing high-level representations of features. It also benefits from automatic hierarchical feature learning from raw data, which better depicts the underlying network traffic patterns and improves model accuracy for unknown or mutated threats.
However, deep learning models require huge computational resources for training owing to their many parameters and repeated epochs. Therefore, the high computational overhead of deep learning is a problem in IIoT devices with limited hardware resources. To solve this problem, deep learning operations must be performed by offloading them to other devices with high (sufficient) computational power. In other words, the model should learn parameters from other devices with high-performance computing power and then transmit (distribute) to the edge device where the model is to be operated. If a large number of users make an offloading request to one central cloud server at this time, the response speed may decrease and the expected performance may not be obtained. For this reason, instead of one central cloud server, edge computing with several servers geographically distributed is used.
There is currently no standard for distributed edge computing architectures for IIoT deep learning. In the literature, various architectures have been proposed for distributed edge computing, such as a two-layer architecture consisting of edge and cloud layers [19]; three-layer architectures consisting of edge, network, and application layers or IoT, fog, and cloud layers [89,90]; and a four-layer architecture consisting of IoT, network, fog, and cloud layers [91]. This paper proposes a three-layer architecture comprising edge device, edge, and cloud layers. Specifically, the deep learning model is trained in the local domain on edge servers in the edge layer. A large-capacity cloud server in the cloud layer is then used to train the global integrated deep learning model of each edge server. Figure 5 shows the edge computing and deep learning-based IIoT malware detection system architecture proposed in this paper. The main functions of each layer are presented below.
Edge device layer: This layer consists of edge IIoT sensor terminals that are in direct contact with the data to be collected. The edge device is an embedded device (e.g., an IIoT sensor) connected to the end of the network for information collection and processing, such as a sensor in a smart factory. Most edge IIoT devices belonging to this layer have limited resources, which limits the use of detection or large-scale deep learning models.
Edge layer: This layer consists of several edge devices (e.g., network routers/gateways) and edge servers that perform detection using deep learning models on the local edge network. Here, the edge device has enough computational power to perform detection quickly, and the edge server can train a deep learning model by processing local area (edge network) data, but its computational power is insufficient to train or update a global integrated deep learning model from large amounts of data. Accordingly, edge computing devices (e.g., edge servers) include a model training engine; after a classification or prediction model has been created with it, the model is sent to the edge device, which performs inference (malware detection) with it. The edge server is physically closer to the IIoT sensor layer than the cloud, with a lower network cost to the terminal.
Cloud layer: This layer consists of a server that performs the function of training a global deep learning model. The cloud server has superior computational power compared to the edge server, which enables training and detection with a global integrated deep learning model. However, because it is physically far from the IIoT sensor layer, the network cost for communication with the terminal is high, and network delays may occur.
To detect malware in an environment that requires real-time service such as a smart factory, processing through remote cloud is not suitable owing to the network delay problem. Edge computing [92] has been proposed to solve this, as it works by offloading [93] the computation to an edge server with high-performance hardware that is close to the IIoT device or data source from which the data were created and processed. This processing method can increase availability and reliability as the distributed edge computing device continues to operate even when the remote cloud is unavailable owing to a DDoS attack, etc. Because the edge server that offloads deep learning operations is geographically close to the client, it provides several advantages, such as reducing data transmission latency, saving bandwidth resources for remote clouds [29], energy efficiency, and mitigating privacy and security issues [92,94].

3.4. Main Functions of the Edge Computing Deep Learning-Based Malware Detection System

For edge computing-based deep learning tasks for malware detection in a smart factory environment, four key functions are required: model training and testing, model deployment, model inference, and training data transmission. Figure 6 shows the overall structure of the edge computing deep learning-based malware detection system that supports these four core functions.

3.4.1. Model Training and Testing

The data to be analyzed (for malware classification) are transmitted from the IIoT sensor to the edge device (G/W), which extracts the characteristics of the collected data (Src/Dst IP/Port, Protocol, Flow metadata, etc.). Subsequently, the extracted feature data are transmitted (offloaded) to the edge server, where a local (partial) deep learning model is trained. The generated model should be light enough to operate in the resource-constrained environment of the edge device. To improve the accuracy and detection performance of the global deep learning model, the local model training information is sent to the cloud server to create an optimized global deep learning model.

3.4.2. Model Deployment

After evaluating the malware detection rate (accuracy) of the completed deep learning model and inference program, a global (integrated) deep learning model is deployed from an edge server to each edge device and periodically optimized. It is also updated and deployed from the cloud server to each edge server and managed. In other words, the global deep learning model is updated by receiving local information generated from multiple edge server networks, and the optimized security model can be shared and applied on the local edge network. Older models with poor accuracy are replaced with new, trained models. This global model-sharing method improves the accuracy of the corresponding traffic and reduces overfitting, enabling efficient attack detection within the network with the optimized global model.

3.4.3. Model Inference

The edge device extracts (preprocesses) the characteristics of the collected data to be analyzed and performs inference (attack detection) with the deployed deep learning model. If malware is suspected as a result of detection, the system administrator is notified or the packet is blocked automatically. Deep learning detection should be performed in real time using the limited hardware resources of each edge device (G/W).

3.4.4. Training Data Transmission

To continuously improve the deep learning models, it must be possible to collect the necessary training data from each IIoT device and send them to an edge or cloud server. In other words, because training the deep learning model requires high-performance computing power, the extracted features are transmitted to the edge server, which has better processing performance than the edge device, for processing.
The malware detection method proposed in this study is a distributed edge deep learning detection method, which is different from the existing centralized deep learning malware detection method. From smart factory IIoT sensor data, the data to be analyzed are collected and sent to an edge server for training of the deep learning model to create a local model. Additionally, a global model is created by integrating the local model information sent to the cloud server to monitor the performance of the deep learning model and improve its performance. A trained model is then installed at the edge (G/W) of the edge node to detect malware.

3.5. Convolutional Neural Network (CNN) for Malware Detection

There are various types of deep learning architectures [95]. A new method of analyzing malware is to convert the binary of the malware file into image pixels. A specific pattern (feature extraction/signature) of each malware can be clearly visualized by converting a one-dimensional array of binary malware into a two-dimensional image array [96]. As the color image has sharper features than the grayscale image, better accuracy in classifying malware can be achieved by converting the images to color images [97]. When the malware file is converted into an image, feature extraction is performed automatically, without manual feature extraction or prior domain knowledge, making it a very powerful and efficient deep learning network. Therefore, this study proposes a CNN-based deep learning model using image visualization technology for malware detection and classification in smart factories.
The CNN is a deep learning model that accepts an image as input and assigns importance (learnable weights) to various objects in the image in order to classify it. CNNs are commonly used for pattern and image classification and may have many hidden layers consisting of convolutional layers, pooling layers, fully connected layers, and regularization layers [98].
The CNN model proposed in this study consists of nine convolutional layers (CLs); each CL consists of a grid of neurons and has a filter size between 8 and 128. Each kernel generates an output vector from the product of the image values and the layer weights, followed by a rectified linear unit (ReLU) activation function. A pooling layer can be added after each CL, with the feature map generated by the CL passed as input to a max pooling layer. Further, a dropout of 0.45 and batch normalization are used to reduce overfitting and increase training speed [99]. The dropout layer removes neurons at a specified rate during training to prevent overfitting to the training data. The fully connected layer has a filter size of 128 and performs the high-level classification stage of the network. This fully connected layer executes the merge operation and binds every neuron of the previous layer to each neuron of the subsequent layer [100]. In the final output layer, the Softmax activation function computes the probability that the input image belongs to each malicious code class, which allows multiple malware classes to be distinguished. The malware class with the highest probability score is finally assigned to the image.
Figure 7 shows the process of classifying the malicious code family using the malicious code image generation and CNN model. Table 7 provides the description of the processing contents for each classification stage.
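As an added illustration (not the authors' code), the following Python sketches the two stages described in this section: converting a malware binary into a grayscale image, and a Keras model with the layer structure listed above. The image-width table follows the Malimg visualization convention, and the 3x3 kernel size, pooling placement, optimizer and loss are assumptions; the model builder needs TensorFlow/Keras, while the conversion runs with the standard library only.

```python
"""Malware-to-image conversion and the CNN outlined in Section 3.5.
Added example, not the paper's implementation; assumptions are marked."""
from __future__ import annotations

# Row width chosen from the file size, following the Malimg visualization
# convention (assumption: the paper cites the technique but does not restate
# the table).  Each byte of the binary becomes one 8-bit grayscale pixel.
_WIDTH_BY_SIZE_KB = (
    (10, 32), (30, 64), (60, 128), (100, 256),
    (200, 384), (500, 512), (1000, 768),
)
_MAX_WIDTH = 1024


def image_width(size_bytes: int) -> int:
    """Row width (pixels) for a binary of the given size."""
    size_kb = size_bytes / 1024
    for limit_kb, width in _WIDTH_BY_SIZE_KB:
        if size_kb < limit_kb:
            return width
    return _MAX_WIDTH


def bytes_to_image(data: bytes) -> list[list[int]]:
    """Reshape a 1-D byte array into a 2-D grayscale matrix (values 0..255).
    The last row is zero-padded so that every row has the same width."""
    if not data:
        raise ValueError("empty binary cannot be visualized")
    width = image_width(len(data))
    rows = [list(data[i:i + width]) for i in range(0, len(data), width)]
    rows[-1].extend([0] * (width - len(rows[-1])))
    return rows


def resize_nearest(img: list[list[int]], out_h: int = 112,
                   out_w: int = 112) -> list[list[int]]:
    """Nearest-neighbour resize to the fixed network input (112 x 112 in
    Section 5).  Pure Python so the preprocessing needs no NumPy/PIL."""
    in_h, in_w = len(img), len(img[0])
    return [[img[r * in_h // out_h][c * in_w // out_w] for c in range(out_w)]
            for r in range(out_h)]


def build_malware_cnn(input_hw=(112, 112), n_classes=25, dropout=0.45):
    """Keras model with the structure given in Section 3.5: nine convolutional
    layers with 8..128 filters and ReLU, max pooling, batch normalization,
    dropout 0.45, a 128-unit fully connected layer and a softmax over the
    malware classes.  Kernel size 3x3, pooling after every second CL and the
    Adam/cross-entropy choice are assumptions.  Requires TensorFlow."""
    from tensorflow import keras  # imported lazily: only this function needs it
    from tensorflow.keras import layers

    filters = [8, 16, 16, 32, 32, 64, 64, 128, 128]  # nine CLs, 8 .. 128
    model = keras.Sequential([keras.Input(shape=(*input_hw, 1))])
    for i, f in enumerate(filters, start=1):
        model.add(layers.Conv2D(f, 3, padding="same", activation="relu"))
        model.add(layers.BatchNormalization())
        if i % 2 == 0:  # spatial size 112 -> 56 -> 28 -> 14 -> 7
            model.add(layers.MaxPooling2D())
    model.add(layers.Flatten())
    model.add(layers.Dense(128, activation="relu"))
    model.add(layers.Dropout(dropout))
    model.add(layers.Dense(n_classes, activation="softmax"))
    model.compile(optimizer="adam", loss="sparse_categorical_crossentropy",
                  metrics=["accuracy"])
    return model


if __name__ == "__main__":
    # Constructed stand-in for a malware binary (repeating byte pattern):
    # 5120 bytes -> width 32 -> 160 rows, then resized to 112 x 112.
    sample = bytes(range(256)) * 20
    img = bytes_to_image(sample)
    small = resize_nearest(img)
    print(len(img), "x", len(img[0]), "->", len(small), "x", len(small[0]))
```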

4. Experimental Evaluation

In general, because the installation of patches and security solutions on IIoT devices is limited in order to ensure the availability of the smart factory, cyberattacks that exploit new and variant malicious codes are detected instead by a malicious code detection system built by deploying a deep learning-based malicious code detection model to the Edge G/W of the edge layer, which is an intermediate node. Therefore, this section describes the experiments conducted to classify multiple malware classes using a CNN, as the core of the edge computing and deep learning-based malware detection system, and analyzes their results.
Since CNN is an image detection algorithm, the implementation of the predictive indicators such as accuracy, precision, recall, and F1-score involves multiple steps such as data collection, data processing, feature extraction, training, testing, etc. [101]. However, the data collection and data processing steps are excluded from the experimental scope of this study. As shown in Figure 5, assuming that the malicious code is converted into an image in the Edge G/W of the edge layer and sent to the Edge Server, we limited our experiment to the classification of malware, using the CNN algorithm in the Edge Server.

4.1. Dataset and Experiment Setup

The Malimg dataset was used in this experiment. It is one of the malware datasets frequently used in CNN experiments [102] and is publicly available. This dataset was created by the Vision Research Lab at the University of California and contains 9339 malware image samples belonging to 25 different malware families/classes, which have been previously converted to grayscale images. Figure 8 shows the composition of 25 malware families included in the Malimg dataset. In the composition of this dataset, it can be seen that there is a sample data imbalance (e.g., Allaple.A: 31.5%, Skintrim.N: 0.8%) among various malware classes.
The experimental setup used for this experiment was implemented with Python 3.9 (Open Source, https://www.python.org/downloads/, Python Software Foundation, USA) using Keras 2.9 (Open Source, github.com/keras-team/keras, MIT License, USA) and TensorFlow 2.9 (Open Source, github.com/tensorflow/tensorflow, Apache License, USA) as backend computing frameworks on an Intel® Core i7-3537U CPU, with 8 GB RAM, in a Windows 10 (Microsoft, EULA (End-User License Agreement), USA) environment. Training and test data were randomly selected from the dataset used in this experiment, with 70% of the total data used for training and 30% used for validation. The main hyperparameters used in this experiment are shown in Table 8.

4.2. Evaluation Metrics

To evaluate the performance of the proposed CNN-based model, four standard performance metrics that are widely used in the existing research community [103,104] were applied: accuracy, precision, recall, and F1-score. The four indicators are explained with the aid of the four parameters in Table 9.
Accuracy is calculated using Equation (1); it is defined as the ratio of the number of correctly classified (identified) samples to the total number of samples:
$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \quad (1)$$
Precision is calculated using Equation (2); it is defined as the ratio of samples that are actually positive among the samples classified as positive:
$$\text{Precision} = \frac{TP}{TP + FP} \quad (2)$$
Recall is calculated using Equation (3); it is defined as the ratio of samples classified as positive among the samples that are actually positive:
$$\text{Recall} = \frac{TP}{TP + FN} \quad (3)$$
In some cases, it may be necessary to maximize precision or recall at the expense of other metrics. To find the best combination of precision and recall, the F1-score can be used. The F1-score is calculated using Equation (4); it is defined as the harmonic average of precision and recall:
$$\text{F1-score} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \quad (4)$$

5. Results and Discussion

In the CNN performance evaluation experiment, of the 9339 grayscale malware image samples in the Malimg dataset, 70% (6537 samples) were used for training and 30% (2802 samples) for validation. Table 10 compares the performance while varying the input image size and two important hyperparameters (dropout and learning rate) to find the optimal hyperparameters [105]. For the input image of the neural network, training with a 112 × 112 pixel size and the hyperparameters of ② showed the best results.
Table 11 shows the specific performance evaluation results for ② in Table 10. The overall classification accuracy achieved for 9339 samples of 25 malware classes was as follows: accuracy of 98.93%, precision of 98.93%, recall of 98.93%, and F1-score of 98.92%.
The Malimg dataset used in this experiment has a class imbalance problem. Because classes with few samples are predicted poorly, the imbalance was handled by assigning class weights [100]. This method automatically sets weights inversely proportional to the class frequencies of the input data, so that a higher weight is given to minority classes and a lower weight to majority classes. For imbalanced data, the F1-score is important in addition to accuracy. The F1-score is the harmonic average of precision and recall (Equation (4)). Because it accounts for both false positives and false negatives, it is a more useful index than accuracy for evaluating a model when the classes of the collected data are imbalanced.
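As an added example (not the authors' code), the following Python computes Equations (1) to (4) of Section 4.2 from a multi-class confusion matrix, reports them as a support-weighted average across classes (an assumption about how a single precision/recall/F1 figure is obtained over 25 classes), and derives class weights inversely proportional to class frequency, as in the imbalance handling described above. The labels are constructed inline so that one class is a single-sample minority.

```python
"""Metrics of Section 4.2 and class weighting of Section 5 on a multi-class
confusion matrix.  Added example, not the paper's code."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple


def confusion_matrix(y_true: Sequence[int], y_pred: Sequence[int],
                     n_classes: int) -> List[List[int]]:
    """cm[true][pred] = number of samples of class `true` predicted as `pred`."""
    cm = [[0] * n_classes for _ in range(n_classes)]
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def per_class_counts(cm: List[List[int]], c: int) -> Tuple[int, int, int]:
    """TP, FP, FN with class c taken as the positive class (Table 9)."""
    tp = cm[c][c]
    fp = sum(cm[r][c] for r in range(len(cm))) - tp   # predicted c, but not c
    fn = sum(cm[c]) - tp                              # actually c, but missed
    return tp, fp, fn


def _ratio(num: float, den: float) -> float:
    # A class that is never predicted (or never occurs) gets 0, not an error.
    return num / den if den else 0.0


def class_metrics(cm: List[List[int]], c: int) -> Tuple[float, float, float]:
    tp, fp, fn = per_class_counts(cm, c)
    precision = _ratio(tp, tp + fp)                          # Eq. (2)
    recall = _ratio(tp, tp + fn)                             # Eq. (3)
    f1 = _ratio(2 * precision * recall, precision + recall)  # Eq. (4)
    return precision, recall, f1


def evaluate(cm: List[List[int]]) -> Dict[str, float]:
    """Overall accuracy (Eq. (1); over all classes jointly TP+TN over the total
    reduces to the diagonal over the total) plus support-weighted precision,
    recall and F1, i.e. each class's value weighted by its number of samples."""
    n = len(cm)
    total = sum(map(sum, cm))
    accuracy = _ratio(sum(cm[c][c] for c in range(n)), total)
    sums = [0.0, 0.0, 0.0]
    for c in range(n):
        support = sum(cm[c])
        for k, value in enumerate(class_metrics(cm, c)):
            sums[k] += value * support
    precision, recall, f1 = (s / total for s in sums)
    return {"accuracy": accuracy, "precision": precision,
            "recall": recall, "f1": f1}


def balanced_class_weights(labels: Sequence[int]) -> Dict[int, float]:
    """Weight for class c = N / (K * n_c): inversely proportional to the class
    frequency, so minority classes count more in the loss.  (Assumption: the
    same rule as scikit-learn's 'balanced' mode; the paper only states the
    inverse-frequency principle.)"""
    counts = Counter(labels)
    n, k = len(labels), len(counts)
    return {c: n / (k * cnt) for c, cnt in sorted(counts.items())}


# Constructed toy labels with the kind of imbalance seen in Malimg: class 0 is
# the majority, class 2 has a single sample, one class-1 sample is misclassified.
Y_TRUE = [0] * 8 + [1] * 3 + [2]
Y_PRED = [0] * 8 + [0, 1, 1] + [2]

if __name__ == "__main__":
    cm = confusion_matrix(Y_TRUE, Y_PRED, n_classes=3)
    for name, value in evaluate(cm).items():
        print(f"{name:9s} {value:.4f}")
    print("class weights:", balanced_class_weights(Y_TRUE))
```

Note that the support-weighted recall always equals the overall accuracy, which is why a paper can report the two with the same value.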
Figure 9 shows the (a) training accuracy and (b) training loss achieved by the proposed CNN-based malware classification learning model. A steady increase in training accuracy and a decrease in training loss can be confirmed in these graphs. This indicates that the proposed model does not have overfitting or underfitting problems.
Figure 10 shows a heatmap of the confusion matrix generated from the Malimg dataset to verify the performance of the proposed CNN model. There is some confusion between Swizzor.gen!E and Swizzor.gen!I, which may be due to the high similarity between these class samples, suggesting that they are variant samples of the same family. Therefore, additional samples seem to be required to learn the hidden characteristics that distinguish these malware families accurately. With the exception of that issue, the overall classification is accurate.
To evaluate the objective performance of the proposed CNN algorithm, the classification accuracy was compared with the results of other studies performed on the same dataset (Malimg) used in this study (Table 12).
Among the methods in the results comparison table, the architecture in [98] provides better performance. It used a multi-mode (VGG16 + Pyramid CNN) learning method, as shown in Table 13, for more differentiated feature extraction; combining two different types of deep learning architectures yielded better classification performance. However, because more weights are added to the millions of parameters of a pre-trained transfer learning model (VGG16) combined with a Pyramid CNN [106], it requires a very large memory space, huge computational resources, and a long training time. It is therefore unsuitable for distributed IIoT environments with limited hardware resources, such as smart factories, where a deep learning model with a simple architecture such as the one proposed in this paper is more efficient. On the other hand, the models using a hybrid architecture [96,99] (e.g., CNN + LSTM) for malware classification did not show a significant increase in performance.
The model proposed in this study does not use color image conversion and a resource-consuming transfer learning method, but it exhibits a high classification accuracy of 98.93% with lower computational cost. It can thus be stated that this is the most suitable model for the smart factory IIoT environment compared to other deep learning models.

6. Conclusions

The smart factory environment has been transformed into an IIoT environment, which is an interconnected and open approach. This has made many manufacturing plants vulnerable to cyberattacks over the years, most of which have been carried out by malware. To explain these cyberattacks, we reviewed general cybersecurity threats, the types of cyberattacks that could occur in smart factories, and recent cases of malware-based attacks targeting the manufacturing industry. Cyberattacks targeting smart factories may prevent various control systems from performing their functions, compromising availability. Furthermore, implementing security functions is very important because such attacks can directly lead to physical damage. Therefore, as a countermeasure against these cyberattacks, we proposed an edge computing and deep learning-based malware detection system after explaining its three-layer architecture and the four core functions required for edge-based deep learning. We evaluated the performance of the model through experiments on the Malimg dataset and achieved an overall classification accuracy of 98.93%, precision of 98.93%, recall of 98.93%, and F1-score of 98.92%. Therefore, it is possible to build a smart factory IIoT environment that is safer against malware attacks using the proposed CNN-based malware detection solution.
Finally, the malware detection and prevention techniques proposed in many studies do not provide a complete solution to various types of malware attacks. Some of the techniques only work for certain types of attacks. Therefore, additional research is required on detection techniques for new malware variants and varieties of malware for smart factory IIoT security in the future. Accordingly, we plan to conduct research on approaches that can detect smart factory IIoT target attacks more accurately by specifying deep learning models created at the edge node based on various types of feature datasets.

Author Contributions

Conceptualization, H.-m.K.; Data curation, H.-m.K.; Formal analysis, H.-m.K.; Methodology, H.-m.K.; Project administration, K.-h.L.; Resources, H.-m.K.; Software, H.-m.K.; Supervision, K.-h.L.; Validation, H.-m.K.; Visualization, H.-m.K.; Writing—original draft, H.-m.K.; Writing—review & editing, H.-m.K. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Hussain, Z.; Akhunzada, A.; Iqbal, J.; Bibi, I.; Gani, A. Secure IIoT-enabled industry 4.0. Sustainability 2021, 13, 12384.
  2. Kim, H.L.; Nguyen, M.H.; Tran, T.D.; Tran, N.D. IMIDS: An Intelligent Intrusion Detection System against Cyber Threats in IoT. Electronics 2022, 11, 524.
  3. Zorić, P.; Musa, M.; Mijo Kuljanić, T. Smart Factory Environment: Review of Security Threats and Risks. In Proceedings of the International Conference on Future Access Enablers of Ubiquitous and Intelligent Infrastructures, FABULOUS 2021, Virtual Event, 6–7 May 2021; pp. 203–214.
  4. Wu, Y.; Dai, H.N.; Wang, H. Convergence of Blockchain and Edge Computing for Secure and Scalable IIoT Critical Infrastructures in Industry 4.0. IEEE Internet Things J. 2020, 8, 2300–2317.
  5. Dorobantu, O.G.; Halunga, S. Security threats in IoT. In Proceedings of the 2020 International Symposium on Electronics and Telecommunications (ISETC), Timisoara, Romania, 5–6 November 2020; pp. 1–4.
  6. Falco, G.; Caldera, C.; Shrobe, H. IIoT Cybersecurity Risk Modeling for SCADA Systems. IEEE Internet Things J. 2018, 5, 4486–4495.
  7. Stellios, I.; Kotzanikolaou, P.; Psarakis, M.; Alcaraz, C.; Lopez, J. A Survey of IoT-Enabled Cyberattacks: Assessing Attack Paths to Critical Infrastructures and Services. IEEE Commun. Surv. Tutor. 2018, 20, 3453–3495.
  8. Paes, R.; Mazur, D.C.; Venne, B.K.; Ostrzenski, J. A Guide to Securing Industrial Control Networks: Integrating IT and OT Systems. IEEE Ind. Appl. Mag. 2020, 26, 47–53.
  9. Pan, F.; Pang, Z.; Luvisotto, M.; Xiao, M.; Wen, H. Physical layer security for industrial wireless control systems: Basics and future directions. IEEE Ind. Electron. Mag. 2018, 12, 18–27.
  10. Lee, K.T. Smart Factory Industrial R & D Strategy. Open Standards and ICT Association, Korea Internet Conference. 2015. Available online: http://past.krnet.or.kr/board/include/download.php?no=1924&db=dprogram&fileno=2 (accessed on 20 May 2022).
  11. Georgakopoulos, D.; Jayaraman, P.P.; Fazia, M.; Villari, M.; Ranjan, R. Internet of Things and Edge Cloud Computing Roadmap for Manufacturing. IEEE Cloud Comput. 2016, 4, 66–73.
  12. Yang, H.; Alphones, A.; Zhong, W.D.; Chen, C.; Xie, X. Learning-Based Energy-Efficient Resource Management by Heterogeneous RF/VLC for Ultra-Reliable Low-Latency Industrial IoT Networks. IEEE Trans. Ind. Inform. 2020, 16, 5565–5576.
  13. Wen, S.; Jiajia, L.; Yanlin, Y. AI-Enhanced Offloading in Edge Computing: When Machine Learning Meets Industrial IoT. IEEE Netw. 2019, 33, 68–74.
  14. GE Report. Everything you Need Know About Industrial Internet of Things. GE. 2017. Available online: https://www.gereports.kr/everything-you-need-know-about-industrial-internet-of-things/ (accessed on 20 May 2022).
  15. Wu, Y.; Huang, H.; Wang, C.X.; Pan, Y. 5G-Enabled Internet of Things; CRC Press: Boca Raton, FL, USA, 2019.
  16. Zhang, J.; Chen, H.; Gong, L.; Cao, J.; Gu, Z. The Current Research of IoT Security. In Proceedings of the 2019 IEEE Fourth International Conference on Data Science in Cyberspace (DSC), Hangzhou, China, 23–25 June 2019; pp. 346–353.
  17. Libri, A.; Bartolini, A.; Benini, L. pAElla: Edge AI-Based Real-Time Malware Detection in Data Centers. IEEE Internet Things J. 2020, 7, 9589–9599.
  18. Chen, J.; Ran, X. Deep Learning with Edge Computing: A Review. Proc. IEEE 2019, 107, 1655–1674.
  19. Li, H.; Ota, K.; Dong, M. Learning IoT in Edge: Deep Learning for the Internet of Things with Edge Computing. IEEE Netw. 2018, 32, 96–101.
  20. Wang, Z.; Tian, J.; Fang, H.; Chen, L.; Qin, J. LightLog: A lightweight temporal convolutional network for log anomaly detection on the edge. Comput. Netw. 2022, 203, 108616.
  21. Häckel, B.; Hänsch, F.; Hertel, M.; Übelhör, J. Assessing IT availability risks in smart factory networks. Bus. Res. 2018, 12, 523–558.
  22. Davis, J. Cybersecurity for Manufacturers: Securing the Digitized and Connected Factory; MForesight, Computing Community Consortium. 2017. Available online: https://cra.org/ccc/wp-content/uploads/sites/2/2017/10/MForesight-Cybersecurity-Report.pdf (accessed on 20 May 2022).
  23. Tuptuk, N.; Hailes, S. Security of smart manufacturing systems. J. Manuf. Syst. 2018, 47, 93–106.
  24. Burke, R.; Mussomeli, A.; Laaper, S.; Hartigan, M.; Sniderman, B. The Smart Factory; Deloitte University Press: Westlake, TX, USA, 2017.
  25. FPT Software. 5 Ways to Mitigate Cybersecurity Risks in Smart Manufacturing. Available online: https://www.fpt-software.com/5-ways-to-mitigate-cybersecurity-risks-in-smart-manufacturing/ (accessed on 20 May 2022).
  26. The European Union Agency for Cybersecurity. Good Practices for Security of Internet of Things in the Context of Smart Manufacturing; ENISA: Athens, Greece, 2018; Available online: https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot (accessed on 20 May 2022).
  27. Dhirani, L.L.; Newe, T.; Armstrong, E. Industrial IoT, Cyber Threats, and Standards Landscape: Evaluation and Roadmap. Sensors 2021, 21, 3901.
  28. KISA. Security Model for Smart Factory; Korea Internet & Security Agency: Seoul, Korea, 2020; Available online: https://www.kisa.or.kr/post/fileDownload?menuSeq=2060205&postSeq=11&attachSeq=2&lang_type=KO (accessed on 20 May 2022).
  29. Yu, W.; Liang, F.; He, X.; Hatcher, W.G.; Lu, C.; Lin, J.; Yang, X. A Survey on the Edge Computing for the Internet of Things. IEEE Access 2017, 6, 6900–6919.
  30. Lu, Y.; Morris, K.; Frechette, S. Current Standards Landscape for Smart Manufacturing Systems; NISTIR-8107; NIST. 2016. Available online: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8107.pdf (accessed on 20 May 2022).
  31. Paharia, B.; Bhushan, K. A comprehensive review of distributed denial of service (DDoS) attacks in fog computing environment. In Handbook of Computer Networks and Cyber Security; Springer: Cham, Switzerland, 2020; pp. 493–524.
  32. Tu, S.; Waqas, M.; Rehman, S.U.; Aamir, M.; Rehman, O.U.; Zhang, J.; Chang, C.C. Security in fog computing: A novel technique to tackle an impersonation attack. IEEE Access 2018, 6, 74993–75001.
  33. Rajendran, G.; Nivash, R.S.R.; Parthy, P.P.; Balamurugan, S. Modern security threats in the Internet of Things (IoT): Attacks and Countermeasures. In Proceedings of the 2019 International Carnahan Conference on Security Technology (ICCST), Chennai, India, 1–3 October 2019.
  34. Conti, M.; Dragoni, N.; Lesyk, V. A survey of man in the middle attacks. IEEE Commun. Surv. Tutor. 2016, 18, 2027–2051.
  35. Abbas, N.; Asim, M.; Tariq, N.; Baker, T.; Abbas, S. A Mechanism for Securing IoT-enabled Applications at the Fog Layer. J. Sens. Actuator Netw. 2019, 8, 16.
  36. Aslan, O.; Yilmaz, A.A. A New Malware Classification Framework Based on Deep Learning Algorithms. IEEE Access 2021, 9, 87936–87951.
  37. Pedreira, V.; Barros, D.; Pinto, P. A Review of Attacks, Vulnerabilities, and Defenses in Industry 4.0 with New Challenges on Data Sovereignty Ahead. Sensors 2021, 21, 5189.
  38. Bakić, B.; Milić, M.; Antović, I.; Savić, D.; Stojanović, T. 10 years since Stuxnet: What have we learned from this mysterious computer software worm? In Proceedings of the 2021 25th International Conference on Information Technology (IT), Zabljak, Montenegro, 16–20 February 2021.
  39. Tang, M.; Luo, M.; Zhou, J.; Yang, Z.; Guo, Z.; Yan, F.; Liu, L. Side-Channel Attacks in a Real Scenario. Tsinghua Sci. Technol. 2018, 23, 586–598.
  40. Liang, J.; Zhang, M.; Leung, V.C.M. A Reliable Trust Computing Mechanism Based on Multisource Feedback and Fog Computing in Social Sensor Cloud. IEEE Internet Things J. 2020, 7, 5481–5490.
  41. Khalid, A.; Zainal, A.; Maarof, M.A.; Ghaleb, F.A. Advanced Persistent Threat Detection: A Survey. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021.
  42. Javed, S.H.; Ahmad, M.B.; Asif, M.; Almotiri, S.H.; Masood, K.; Ghamdi, M.A.A. An Intelligent System to Detect Advanced Persistent Threats in Industrial Internet of Things (I-IoT). Electronics 2022, 11, 742.
  43. Li, S.; Zhang, Q.; Wu, X.; Han, W.; Tian, Z. Attribution Classification Method of APT Malware in IoT Using Machine Learning Techniques. Secur. Commun. Netw. 2021, 2021, 9396141.
  44. Bilge, L.; Dumitras, T. Before We Knew It: An Empirical Study of Zero-Day Attacks in the Real World. In Proceedings of the 2012 ACM conference on Computer and Communications Security, Raleigh, NC, USA, 16–18 October 2012; pp. 833–844.
  45. Zhang, W.; Guo, W.; Liu, X.; Liu, Y.; Zhou, J.; Li, B.; Lu, Q.; Yang, S. LSTM-Based Analysis of Industrial IoT Equipment. IEEE Access 2018, 6, 23551–23560.
  46. Baracaldo, N.; Chen, B.; Ludwig, H.; Safavi, A.; Zhang, R. Detecting Poisoning Attacks on Machine Learning in IoT Environments. In Proceedings of the 2018 IEEE International Congress on Internet of Things (ICIOT), San Francisco, CA, USA, 2–7 July 2018.
  47. Papernot, N.; McDaniel, P.; Goodfellow, I.; Jha, S.; Celik, Z.B.; Swami, A. Practical Black-Box Attacks against Machine Learning. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates, 2–6 April 2017.
  48. Alam, M.N.; Sarma, D.; Lima, F.F.; Saha, I.; Ulfath, R.E.; Hossain, S. Phishing attacks detection using machine learning approach. In Proceedings of the 2020 Third International Conference on Smart Systems and Inventive Technology (ICSSIT), Tirunelveli, India, 20–22 August 2020.
  49. Trend Micro. What Is Phishing? Trend Micro. Available online: https://www.trendmicro.com/en_us/what-is/phishing.html (accessed on 20 May 2022).
  50. Hernandez, G.; Arias, O.; Buentello, D.; Jin, Y. Smart Nest Thermostat: A Smart Spy in Your Home; Black Hat USA: San Francisco, CA, USA, 2014.
  51. Mrabet, H.; Belguith, S.; Alhomoud, A.; Jemai, A. A Survey of IoT Security Based on a Layered Architecture of Sensing and Data Analysis. Sensors 2020, 20, 3625.
  52. Jang, J.; Kim, Y.; Park, J. Current Status of Cyber Attacks and Response System in Smart Factory Environment. IITP Weekly Technology Trends. 2022. Available online: https://www.itfind.or.kr/publication/regular/weeklytrend/weekly/view.do?boardParam1=8265&boardParam2=8265 (accessed on 20 May 2022).
  53. Kisielius, J. Breaking Down the SolarWinds Supply Chain Attack. Available online: https://spycloud.com/solarwinds-attack-breakdown/ (accessed on 20 May 2022).
  54. Tsvetanov, T.; Slaria, S. The effect of the Colonial Pipeline shutdown on gasoline prices. Econ. Lett. 2021, 209, 110122.
  55. Nguyen, L. Cybersecurity and Defending Critical Infrastructure. In Proceedings of the Harvard Model Congress 2022, Boston, MA, USA, 23–26 February 2022.
  56. Hajda, J.; Jakuszewski, R.; Ogonowski, S. Security Challenges in Industry 4.0 PLC Systems. Appl. Sci. 2021, 11, 9785.
  57. Oueslati, N.E.; Mrabet, H.; Jemai, A.; Alhomoud, A. Comparative Study of the Common Cyber-physical Attacks in Industry 4.0. In Proceedings of the 2019 International Conference on Internet of Things, Embedded Systems and Communications (IINTEC), Tunis, Tunisia, 20–22 December 2019.
  58. Alazab, M. Proling and classifying the behavior of malicious codes. J. Syst. Softw. 2015, 100, 91–102. [Google Scholar] [CrossRef]
  59. Liu, Y.; Pi, D. A novel kernel SVM algorithm with game theory for network intrusion detection. KSII Trans. Internet Inf. Syst. 2017, 11, 4043–4060. [Google Scholar]
  60. Mohamed Amine, F.; Maglaras, L.; Ahmim, A.; Derdour, M.; Janicke, H. RDTIDS: Rules and decision tree-based intrusion detection system for internet-of-things networks. Future Internet 2020, 12, 44. [Google Scholar]
  61. Madhawa, S.; Balakrishnan, P.; Arumugam, U. Roll forward validation based decision tree classification for detecting data integrity attacks in industrial internet of things. J. Intell. Fuzzy Syst. 2019, 36, 2355–2366. [Google Scholar] [CrossRef]
  62. Prabavathy, S.; Sundarakantham, K.; Shalinie, S. Design of cognitive fog computing for intrusion detection in Internet of Things. J. Commun. Netw. 2018, 20, 291–298. [Google Scholar] [CrossRef]
  63. Liu, Y.S.; Lai, Y.K.; Wang, Z.H.; Yan, H.B. A new learning approach to malware classification using discriminative feature extraction. IEEE Access 2019, 7, 13015–13023. [Google Scholar] [CrossRef]
  64. Hasan, M.; Islam, M.M.; Zarif, M.I.I.; Hashem, M. Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches. Internet Things 2019, 7, 100059. [Google Scholar] [CrossRef]
  65. Li, J.; Zhao, Z.; Li, R.; Zhang, H. AI-Based Two-Stage Intrusion Detection for Software Defined IoT Networks. IEEE Internet Things J. 2019, 6, 2093–2102. [Google Scholar] [CrossRef] [Green Version]
  66. Mehmood, A.; Mukherjee, M.; Ahmed, S.H.; Song, H.; Malik, K.M. NBC-MAIDS: Naïve Bayesian classification technique in multi-agent system-enriched IDS for securing IoT against DDoS attacks. J. Supercomput. 2018, 74, 5156–5170. [Google Scholar] [CrossRef]
  67. Hodo, E.; Bellekens, X.; Hamilton, A.; Dubouilh, P.L.; Iorkyase, E.; Tachtatzis, C.; Atkinson, R. Threat analysis of IoT networks Using Artificial Neural Network Intrusion Detection System. In Proceedings of the 2016 International Symposium on Networks, Computers and Communications (ISNCC), Yasmine Hammamet, Tunisia, 11–13 May 2016; pp. 1–6. [Google Scholar]
  68. Kulkarni, R.; Venayagamoorthy, G. Neural network based secure media access control protocol for wireless sensor networks. In Proceedings of the 2009 International Joint Conference on Neural Networks(IJCNN), Atlanta, GA, USA, 14–19 June 2009; pp. 1680–1687. [Google Scholar]
  69. Tuncer, T.; Ertam, F.; Dogan, S. Automated malware recognition method based on local neighborhood binary pattern. Multimed. Tools Appl. 2020, 79, 27815–27832. [Google Scholar] [CrossRef]
  70. Kan, Z.; Wang, H.; Xu, G.; Guo, Y.; Chen, X. Towards Light-Weight Deep Learning Based Malware Detection. In Proceedings of the 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), Tokyo, Japan, 23–27 July 2018. [Google Scholar]
  71. Raff, E.; Barker, J.; Sylvester, J.; Brandon, R.; Catanzaro, B.; Nicholas, C. Malware Detection by Eating a Whole EXE. Comput. Sci. 2017. [Google Scholar]
  72. AL-Hawawreh, M.; Moustafa, N.; Sitnikova, E. Identification of malicious activities in industrial internet of things based on deep learning models. J. Inf. Secur. Appl. 2018, 41, 1–11. [Google Scholar] [CrossRef]
  73. LeCun, Y.; Bengio, Y.; Hinton, G. Deep learning. Nature 2015, 521, 436–444. [Google Scholar] [CrossRef] [PubMed]
  74. Nataraj, L. A Signal Processing Approach to Malware Analysis; University of California: Santa Barbara, CA, USA, 2015. [Google Scholar]
  75. Nataraja, L.; Jacobb, G.; Manjunatha, B. Detecting Packed Executables Based on Raw Binary Data; Technical Report; University of California: Santa Barbara, CA, USA, 2010. [Google Scholar]
  76. Nataraj, L.; Yegneswaran, V.; Porras, P.; Zhang, J. A comparative assessment of malware classication using binary texture analysis and dynamic analysis. In Proceedings of the 4th ACM workshop on Security and artificial intelligence, New York, NY, USA, 21 October 2011; pp. 21–30. [Google Scholar]
  77. Nataraj, L.; Kirat, D.; Manjunath, B.S.; Vigna, G. Sarvam: Search and retrieVAL of malware. In Proceedings of the Annual Computer Security Applications Conference (ACSAC) Workshop on Next Generation Malware Attacks and Defense (NGMAD), New Orleans, LA, USA, 9–13 December 2013. [Google Scholar]
  78. Nguyen, X.H.; Nguyen, X.D.; Huynh, H.H.; Le, K.H. Realguard: A Lightweight Network Intrusion Detection System for IoT Gateways. Sensors 2022, 22, 432. [Google Scholar] [CrossRef]
  79. Falana, O.J.; Sodiya, A.S.; Onashoga, S.A.; Badmus, B.S. Mal-Detect An intelligent visualization approach for malware detection. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 1968–1983. [Google Scholar] [CrossRef]
  80. Althubiti, S.A.; Jones, E.M.; Roy, K. LSTM for Anomaly-Based Network Intrusion Detection. In Proceedings of the 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), Sydney, NSW, Australia, 21–23 November 2018. [Google Scholar]
  81. Diro, A.; Chilamkurti, N. Leveraging LSTM Networks for Attack Detection in Fog-to-Things Communications. IEEE Commun. Mag. 2018, 56, 124–130. [Google Scholar] [CrossRef]
  82. Wu, D.; Jiang, Z.; Xie, X.; Wei, X.; Yu, W.; Li, R. LSTM Learning with Bayesian and Gaussian Processing for Anomaly Detection in Industrial IoT. IEEE Trans. Ind. Inform. 2020, 16, 5244–5253. [Google Scholar] [CrossRef] [Green Version]
  83. Vasan, D.; Alazab, M.; Wassan, S.; Safaei, B.; Zheng, Q. Image-based malware classification using ensemble of CNN architectures (IMCEC). Comput. Secur. 2020, 92, 101748. [Google Scholar] [CrossRef]
  84. Jo, W.; Kim, S.; Lee, C.; Shon, T. Packet Preprocessing in CNN-Based Network Intrusion Detection System. Electronics 2020, 9, 1151. [Google Scholar] [CrossRef]
  85. Wang, C.; Zhao, Z.; Wang, F.; Li, Q. A novel malware detection and family classification scheme for IoT based on DEAM and densenet. Secur. Commun. Netw. 2021, 2021, 6658842. [Google Scholar] [CrossRef]
  86. Catak, F.O.; Ahmed, J.; Sahinbas, K.; Khand, Z.H. Data augmentation based malware detection using convolutional neural networks. PeerJ Comput. Sci. 2021, 7, 1–26. [Google Scholar] [CrossRef] [PubMed]
  87. Yang, H.; Chengy, L.; Chuahz, M.C. Deep-Learning-Based Network Intrusion Detection for SCADA Systems. In Proceedings of the 2019 IEEE Conference on Communications and Network Security (CNS), Washington, DC, USA, 10–12 June 2019. [Google Scholar]
  88. Perales Gómez, Á.L.; Fernández Maimó, L.; Huertas Celdrán, A.; García Clemente, F.J.; Gil Pérez, M.; Martínez Pérez, G. SafeMan: A unified framework to manage cybersecurity and safety in manufacturing industry. Softw.-Pract. Exp. 2021, 51, 607–627. [Google Scholar] [CrossRef]
  89. Abeshu, A.; Chilamkurti, N. Deep Learning: The Frontier for Distributed Attack Detection in Fog-to-Things Computing. IEEE Commun. Mag. 2018, 56, 169–175. [Google Scholar] [CrossRef]
  90. HaddadPajouh, H.; Khayami, R.; Dehghantanha, A.; Choo, K.K.R.; Parizi, R.M. AI4SAFE-IoT: An AI-powered secure architecture for edge layer of Internet of thing. Neural Comput. Appl. 2020, 32, 16119–16133. [Google Scholar] [CrossRef]
  91. Alshahrani, H.M. Coll-iot: A collaborative intruder detection system for internet of things devices. Electronics 2021, 10, 848. [Google Scholar] [CrossRef]
  92. Shi, W.; Cao, J.; Zhang, Q.; Li, Y.; Xu, L. Edge Computing: Vision and Challenges. IEEE Internet Things J. 2016, 3, 637–646. [Google Scholar] [CrossRef]
  93. Cui, L.; Su, D.; Zhou, Y.; Zhang, L.; Wu, Y.; Chen, S. Edge Learning for Surveillance Video Uploading Sharing in Public Transport Systems. IEEE Trans. Intell. Transp. Syst. 2021, 22, 2274–2285. [Google Scholar] [CrossRef]
  94. Mao, Y.; You, C.; Zhang, J.; Huang, K.; Letaief, K.B. A survey on mobile edge computing: The communication perspective. IEEE Commun. Surv. Tuts. 2017, 19, 2322–2358. [Google Scholar] [CrossRef] [Green Version]
  95. The Asimov Institute. The Neural Network Zoo. 2022. Available online: https://www.asimovinstitute.org/neural-network-zoo/ (accessed on 20 May 2022).
  96. Akarsh, S.; Simran, K.; Poornachandran, P.; Menon, V.K.; Soman, K.P. Deep Learning Framework and Visualization for Malware Classification. In Proceedings of the 2019 5th International Conference on Advanced Computing & Communication Systems (ICACCS), Coimbatore, India, 15–16 March 2019. [Google Scholar]
  97. Vasan, D.; Alazab, M.; Wassan, S.; Naeem, H.; Safaei, B.; Zheng, Q. IMCFN: Image-based malware classification using fine-tuned convolutional neural network architecture. Comput. Netw. 2020, 171, 107138. [Google Scholar] [CrossRef]
  98. Demirezen, M.U. Image Based Malware Classification with Multimodal Deep Learning. Int. J. Inf. Secur. Sci. 2021, 10, 42–59. [Google Scholar]
  99. Vinayakumar, R.; Alazab, M.; Soman, K.; Poornachandran, P.; Venkatraman, S. Robust intelligent malware detection using deep learning. IEEE Access 2019, 7, 46717–46738. [Google Scholar] [CrossRef]
  100. Zhong, F.; Chen, Z.; Xu, M.; Zhang, G.; Yu, D.; Cheng, X. Malware-on-the-Brain: Illuminating Malware Byte Codes with Images for Malware Classification. IEEE Trans. Comput. 2022. [Google Scholar] [CrossRef]
  101. Krithika, V.; Vijaya, M. Malware Detection Using Gist Features and Deep Neural Network. In Proceedings of the 2020 6th International Conference on Advanced Computing and Communication Systems (ICACCS), Coimbatore, India, India, 6–7 March 2020. [Google Scholar]
  102. Nataraj, L.; Karthikeyan, S.; Jacob, G.; Manjunath, B. Malware images: Visualization and automatic classification. In Proceedings of the 2011 International Symposium on Visualization for Cyber Security, Pittsburgh, PA, USA, 20 July 2011. [Google Scholar]
  103. Jian, Y.; Kuang, H.; Ren, C.; Ma, Z.; Wang, H. A novel framework for image-based malware detection with a deep neural network. Comput. Secur. 2021, 109, 102400. [Google Scholar] [CrossRef]
  104. Saridou, B.; Rose, J.R.; Shiaeles, S.; Papadopoulos, B. SAGMAD-A Signature Agnostic Malware Detection System Based on Binary Visualisation and Fuzzy Sets. Electronics 2022, 11, 1044. [Google Scholar] [CrossRef]
  105. Awan, M.J.; Masood, O.A.; Mohammed, M.A.; Yasin, A.; Zain, A.M.; Damaševičius, R.; Abdulkareem, K.H. Image-Based Malware Classification Using VGG19 Network and Spatial Convolutional Attention. Electronics 2021, 10, 2444. [Google Scholar] [CrossRef]
  106. Liu, H.; Kamata, S.I.; Li, Y. Hybrid Featured based Pyramid Structured CNN for Texture Classification. In Proceedings of the 2019 IEEE International Conference on Signal and Image Processing Applications (ICSIPA), Kuala Lumpur, Malaysia, 17–19 September 2019. [Google Scholar]
Figure 1. History and timeline of international industrial control system (ICS) cyberattacks.
Figure 2. Smart factory cyberattack structure diagram.
Figure 3. Conceptual diagram of the SolarWinds software supply chain attack.
Figure 4. Comparison of function extraction methods.
Figure 5. The proposed edge computing architecture for IIoT deep learning-based malware detection.
Figure 6. Primary functions of the proposed edge computing deep learning-based malware detection system.
Figure 7. Malware image generation and malware classification process using the proposed CNN-based architecture.
Figure 8. Composition of 25 malware families included in the Malimg dataset.
Figure 9. Graphs of training accuracy and training loss of the proposed model.
Figure 10. The produced confusion matrix on the Malimg dataset for 25 malware variants of the proposed model.
Table 1. Differences between manufacturing systems security and IT systems security.

| Security Item | Manufacturing Systems | IT Systems |
|---|---|---|
| System | HMI, PLC, sensor, actuator, etc.; mechanical control | ERP, SCM, MES, WMS, etc.; data or corporate resource management |
| OS | Use of dedicated OS/real-time OS | Use of general-purpose OS (Windows, Linux) |
| Components | Heterogeneous | Homogeneous |
| Lifecycle | Long (5–20 years) | Short (3–5 years) |
| Communication | Mixing industrial protocols and standard communication protocols | Standard communication protocols |
| Network requirements | Emphasis on robustness and real-time requirements; response time is important and communication delay is not allowed | Focus on non-real time and overall throughput; reliability of response is important, and some communication delay is allowed |
| Availability | Critical, 24 × 7, planned downtime | Not always available; outages and rebooting tolerable |
| Time dependency | Delays accepted | Critical |
| Resources | Limited | Enough resources for security |
| Patch (including security patch) | Difficult maintenance such as patching | Easy maintenance such as patching |
| Security priority | Availability > Integrity > Confidentiality | Confidentiality > Integrity > Availability |
| Security awareness | Not familiar with security in general | Awareness of the importance of security |
| Prevention | Physical protection for field devices | In-depth defense |
| Forensics | Limited | Available |
| Antivirus | Non-general, with difficulty applying general IT products | General, for wide use |
| Impact of accident | Fatal damage and large-scale physical and economic damage due to industrial site operation disruption | Relatively insignificant economic damage such as work inconvenience and delay |
Table 2. Classification of security threats in the smart factory environment.

| Threat Vector | Threat Classification | Risk Impact |
|---|---|---|
| Work area | Malicious activities (stealing, misuse, alteration, theft, destruction of information about business ICT systems, networks, and infrastructure); business network failure through malware infection | Medium to High |
| Process control network | Malfunctions and interruptions due to denial of service (DoS) attacks; PLC malfunction and interruption through control command modulation; obtaining and leaking recipes and control device account/password through eavesdropping; intrusion of a Wi-Fi wireless network via public SSID | High |
| Supply chain | Modulation of normal operating setpoints through maintenance channels; ransomware infection through external public services and ports; DoS attack using remote access vulnerability | High |
| External Internet | DoS attack using server OS and software vulnerabilities; infection with malware, such as phishing, spyware, and Trojans, via email | High |
| Physical attacks | Damage to devices and supporting facilities; normal operation setpoint and firmware modification; ransomware infection via USB port; malfunctions and interruptions through arbitrary process manipulation | High |
| Others | Disasters (accidents, force majeure, etc.); unintentional/accidental failure (malfunction and downtime due to user error); laws (laws relating to third-party subcontractors, GDPR issues, etc.) | Medium to High |
Table 3. Denial of service (DoS) attack types.

| Attack | Description | Attack by (Packets, etc.) |
|---|---|---|
| Flooding | An attack in which the server receives many connection requests but does not respond to complete the handshake. | TCP, UDP, ICMP |
| Smurf | Network layer DoS attack due to misconfiguration of network equipment. | IP, ICMP |
| Ping of Death | Attacks that use ping to make large ICMP packets and create a load to process all the fragmented packets. | ICMP |
| Teardrop | An attack in which numerous Internet protocol (IP) data fragments are transmitted over a network and cannot be reassembled into the original packet, resulting in an overflow. | Variants such as Bonk, Boink, etc. |
| Jamming | Attacks that disrupt normal communication through illegal wireless communication disturbance [32]. | Mobile communication network, GPS, radio wave (RF) |
Table 4. Types of man-in-the-middle attacks.

| Attack | Description | Attack by (Packets, etc.) |
|---|---|---|
| Sniffing | Eavesdropping on network traffic (e.g., data packets of other people) between systems connected to the network. | Sniffer |
| Spoofing | Attacks that trick hostnames, IPs, MACs, email addresses, etc. [34]. | IP/ARP/DNS/DHCP/Email Spoofing |
| Session Hijacking | Attacks that control communication by intercepting a session in which the connection between two systems is active (e.g., logged in) [35]. | TCP, RDP |
| Packet Injection | Attacks that inject malicious data along with normal data. | |
| Replay | Attacks that copy and retransmit messages and packets that have the same effect even if reused. | |
Table 5. Malware classification.

| Malware | Description |
|---|---|
| Worms | They are not parasitic on other programs. They exist and run independently and self-replicate. |
| Viruses | They can self-replicate while infecting and parasitizing other programs, but they cannot spread independently. |
| Trojans | They hide their original purpose without self-replication and perform malicious actions by disguising themselves as normal programs. |
| Spyware | They are installed secretly without the consent of users and operate so as to collect and steal information from users. |
| Ransomware | They encrypt sensitive data of users and demand money in exchange for decryption. |
| Backdoor | They allow bypass access through a secretly installed communication connection path without a normal authentication procedure. |
Table 6. Common attacks in smart factories.

| Attack | Description | Citation |
|---|---|---|
| Side-Channel | Secret information is recovered by collecting and analyzing the various kinds of information that leak from the hardware and software of industrial equipment (e.g., power consumption, electromagnetic waves, optical signals, or network traffic flow), and the recovered secrets are then used to carry out an attack. | [39] |
| Eavesdropping | By monitoring network traffic, attackers can obtain sensitive information, such as how a particular system or production process operates, which can be used for further attacks in the future. | [28] |
| Data tampering | Data tampering attacks are those in which data (e.g., industrial control data) are stored or transmitted without permission for malicious purposes. | [40] |
| False Data Injection | Industrial control systems without an authentication mechanism are exposed to this attack, which injects malicious code and malformed commands. | [23] |
| Advanced Persistent Threats (APT) | APTs are highly intelligent attacks that set clear targets, collect information over the long term, and perform more sophisticated attacks by combining new technologies and various attack methods. | [38,41,42,43] |
| Zero-Day | These attacks exploit a security vulnerability that has not yet been disclosed; it is difficult to defend against and to develop a patch, as only a small number of people are aware of such a vulnerability until it is disclosed to the public. | [44] |
| Attacks against AI (machine learning and data analytics) | These attacks change the input data supplied to the system, causing the AI system to malfunction; damage the learning process by tampering with the measurement values of IIoT sensors and manipulating training data; and steal information about the trained model by extracting the data used to train the AI model. | [45,46,47] |
| Phishing | As the most common cyberthreat, phishing refers to the act of stealing useful information, or attempting theft, through a connected device (a link to a fake bank website, an email infected with malware, etc.) disguised as a legitimate message. | [48,49] |
| Physical | This refers to the illegal manipulation, changing, or causing of physical damage to accessible devices (e.g., sensors, industrial IoT terminals, production facilities) by an attacker with physical access. | [50] |
Table 7. Step-by-step malware classification process.

| Step | Description |
|---|---|
| 1 | The raw malware binary files are converted into images. The one-dimensional byte array of a raw malware binary is converted to grayscale image pixels with values ranging from 0 (black) to 255 (white) and reshaped into a two-dimensional array. |
| 2 | The image is normalized to a size of 112 × 112 pixels. Some important features may be lost during this dimensionality reduction, but most of the malware images in the Malimg dataset keep their texture properties through the normalization stage. |
| 3 | The dataset is split into a training set (70%) and a test set (30%). |
| 4 | The data converted into images are fed to the CNN. |
| 5 | The CNN output is flattened. Because the last layer of the CNN is an n-dimensional matrix, it is flattened, i.e., converted into a one-dimensional column vector. |
| 6 | The malware family is classified by the CNN model; Softmax is used for the multiclass classification. |
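The preprocessing half of Table 7 (steps 1, 2, 3 and 5), as an added example rather than the paper's code: raw bytes become a grayscale 2-D array, the array is normalised to 112 × 112, the dataset is split 70/30, and the matrix is flattened into a feature vector. The file-size-to-width rule (modelled on Nataraj et al. [102]) and the nearest-neighbour resampling are assumptions, since the paper states only the target size.

```python
"""Malware binary -> grayscale image pipeline of Table 7 (steps 1, 2, 3, 5).

Added example, not the paper's code.  Pure Python so it runs without NumPy/PIL.
"""
import random
from typing import List, Optional, Sequence, Tuple

Image = List[List[int]]  # rows of grayscale pixels, 0 = black, 255 = white


def image_width_for(size: int) -> int:
    """Pick the image width from the file size.

    Assumption: the paper does not say how the width is chosen; this follows the
    file-size-to-width convention of Nataraj et al. [102] (larger file, wider image).
    """
    kib = size / 1024
    thresholds = [(10, 32), (30, 64), (60, 128), (100, 256),
                  (200, 384), (500, 512), (1000, 768)]
    for limit, width in thresholds:
        if kib < limit:
            return width
    return 1024


def bytes_to_image(data: bytes, width: Optional[int] = None) -> Image:
    """Step 1: each byte is one grayscale pixel; the 1-D byte array is wrapped
    row by row into a 2-D array `width` pixels wide.  The final row is
    zero-padded (black) when len(data) is not a multiple of `width`."""
    if width is None:
        width = image_width_for(len(data))
    rows: Image = []
    for start in range(0, len(data), width):
        row = list(data[start:start + width])
        row.extend([0] * (width - len(row)))
        rows.append(row)
    return rows


def resize_nearest(img: Image, size: int = 112) -> Image:
    """Step 2: normalise to size x size pixels.  Nearest-neighbour sampling is
    an assumption; it keeps the horizontal texture bands of the original
    because each output row samples one contiguous original row."""
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]


def split_train_test(items: Sequence, train_fraction: float = 0.7,
                     seed: int = 0) -> Tuple[list, list]:
    """Step 3: seeded 70/30 shuffle split so the split is reproducible."""
    order = list(range(len(items)))
    random.Random(seed).shuffle(order)
    cut = int(len(items) * train_fraction)
    return [items[i] for i in order[:cut]], [items[i] for i in order[cut:]]


def flatten(img: Image) -> List[int]:
    """Step 5: n-dimensional matrix -> one-dimensional vector (row-major)."""
    return [pixel for row in img for pixel in row]


def preprocess(data: bytes, size: int = 112) -> List[int]:
    """Steps 1, 2 and 5 chained: raw bytes -> size*size flattened pixel vector."""
    return flatten(resize_nearest(bytes_to_image(data), size))


if __name__ == "__main__":
    # Constructed sample: 4 KiB of a repeating byte ramp stands in for a binary.
    sample = bytes(range(256)) * 16
    img = bytes_to_image(sample)                     # 4 KiB < 10 KiB -> width 32
    print(len(img), "rows x", len(img[0]), "cols")   # 128 rows x 32 cols
    print(len(preprocess(sample)), "features")       # 12544 = 112 * 112
```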
Table 8. Main hyperparameters of the proposed model.

| Parameter | Value |
|---|---|
| Input shape | 112 × 112 × 3 |
| Epochs | 40 |
| Dropout | 0.45 |
| Learning rate | 0.0001 |
| Batch size | 32 |
| Loss function | Categorical cross entropy |
| Optimizer | Adam |
| Trainable parameters | 1,009,761 |
| Non-trainable parameters | 800 |
Table 9. Performance metric parameters.

| Parameter | Description |
|---|---|
| True Positive (TP) | Number of malware samples correctly identified as malware |
| True Negative (TN) | Number of non-malware samples correctly identified as non-malware |
| False Positive (FP) | Number of non-malware samples incorrectly identified as malware |
| False Negative (FN) | Number of malware samples incorrectly identified as non-malware |
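How the Table 9 counts turn into the per-family precision, recall, F1, accuracy, macro-average and weighted-average lines of Table 11, as an added example (not the paper's code): for a 25-family classifier each family is scored one-vs-rest, so "malware" in Table 9 means "this family" and "non-malware" means "any other family". The confusion matrix below is constructed, not the paper's data.

```python
"""Precision, recall and F1 from the TP/TN/FP/FN counts of Table 9, extended to
the one-vs-rest multi-class setting behind the per-family report of Table 11.

Added example, not the paper's code.  Pure Python, no scikit-learn.
"""
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[int]]  # cm[true_class][predicted_class]


def confusion_matrix(y_true: Sequence[int], y_pred: Sequence[int],
                     n_classes: int) -> Matrix:
    """Count (true, predicted) pairs; rows are true families, columns predictions."""
    cm = [[0] * n_classes for _ in range(n_classes)]
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def per_class_counts(cm: Matrix, c: int) -> Tuple[int, int, int, int]:
    """Table 9 counts for family c, treating c as 'malware' and every other
    family as 'non-malware' (one-vs-rest).  Returns (TP, TN, FP, FN)."""
    n = len(cm)
    tp = cm[c][c]
    fp = sum(cm[r][c] for r in range(n)) - tp   # predicted c, truly another family
    fn = sum(cm[c][k] for k in range(n)) - tp   # truly c, predicted another family
    tn = sum(map(sum, cm)) - tp - fp - fn        # everything else
    return tp, tn, fp, fn


def precision_recall_f1(tp: int, fp: int, fn: int) -> Tuple[float, float, float]:
    """Guarded so a family with no predictions or no samples yields 0.0
    instead of raising ZeroDivisionError."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def classification_report(cm: Matrix) -> Dict:
    """Per-family rows plus the accuracy, macro avg and weighted avg lines of
    Table 11.  Macro averages weight every family equally; weighted averages
    weight by support, so a large family (Allaple.A in Table 11) dominates."""
    n = len(cm)
    total = sum(map(sum, cm))
    classes = {}
    for c in range(n):
        tp, _tn, fp, fn = per_class_counts(cm, c)
        p, r, f = precision_recall_f1(tp, fp, fn)
        classes[c] = {"precision": p, "recall": r, "f1": f, "support": sum(cm[c])}
    keys = ("precision", "recall", "f1")
    return {
        "classes": classes,
        "accuracy": sum(cm[c][c] for c in range(n)) / total,
        "macro avg": {k: sum(classes[c][k] for c in range(n)) / n for k in keys},
        "weighted avg": {k: sum(classes[c][k] * classes[c]["support"]
                                for c in range(n)) / total for k in keys},
        "support": total,
    }


# Constructed 3-family confusion matrix (not data from the paper):
# row = true family, column = predicted family; off-diagonal cells are confusions.
SAMPLE_CM: Matrix = [
    [8, 1, 1],
    [0, 4, 1],
    [1, 0, 4],
]

if __name__ == "__main__":
    report = classification_report(SAMPLE_CM)
    for c, row in report["classes"].items():
        print(f"family {c}: P={row['precision']:.2f} R={row['recall']:.2f} "
              f"F1={row['f1']:.2f} support={row['support']}")
    print(f"accuracy={report['accuracy']:.2f} "
          f"macro F1={report['macro avg']['f1']:.2f}")
```

Note that weighted recall always equals accuracy, which is why Table 11 can print a single number on its accuracy line.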
Table 10. Performance comparison according to input image and hyperparameter setting changes.

| No. | Image Size | Dropout | Learning Rate | Accuracy (%) | Precision (%) | Recall (%) | F1-Score (%) |
|---|---|---|---|---|---|---|---|
| 1 | 64 × 64 | 0.45 | 0.0001 | 97.93 | 98.02 | 97.91 | 97.96 |
| 2 | 112 × 112 | 0.45 | 0.0001 | 98.93 | 98.93 | 98.93 | 98.92 |
| 3 | 192 × 192 | 0.45 | 0.0001 | 98.36 | 98.47 | 98.30 | 98.38 |
| 4 | 112 × 112 | 0.45 | 0.0005 | 95.54 | 95.60 | 95.56 | 95.58 |
| 5 | 112 × 112 | 0.45 | 0.0010 | 97.86 | 97.87 | 97.87 | 97.87 |
| 6 | 112 × 112 | 0.35 | 0.0001 | 98.04 | 98.05 | 98.01 | 98.03 |
| 7 | 112 × 112 | 0.55 | 0.0001 | 98.32 | 98.44 | 98.20 | 98.32 |
Table 11. Classification performance analysis table.

| ID | Class Name | Malware Type | Precision | Recall | F1-Score | Support |
|---|---|---|---|---|---|---|
| 0 | Adialer.C | Dialer | 1.00 | 1.00 | 1.00 | 37 |
| 1 | Agent.FYI | Backdoor | 1.00 | 1.00 | 1.00 | 35 |
| 2 | Allaple.A | Worm | 0.99 | 1.00 | 1.00 | 885 |
| 3 | Allaple.L | Worm | 1.00 | 1.00 | 1.00 | 477 |
| 4 | Alueron.gen!J | Worm | 0.98 | 1.00 | 0.99 | 59 |
| 5 | Autorun.K | Worm: AutoIT | 1.00 | 1.00 | 1.00 | 32 |
| 6 | C2LOP.P | Trojan | 0.95 | 0.86 | 0.90 | 44 |
| 7 | C2LOP.gen!g | Trojan | 0.92 | 0.97 | 0.94 | 60 |
| 8 | Dialplatform.B | Dialer | 1.00 | 1.00 | 1.00 | 53 |
| 9 | Dontovo.A | Trojan Downloader | 1.00 | 1.00 | 1.00 | 49 |
| 10 | Fakerean | Rogue | 1.00 | 0.98 | 0.99 | 114 |
| 11 | Instantaccess | Dialer | 1.00 | 1.00 | 1.00 | 129 |
| 12 | Lolyda.AA1 | PWS | 1.00 | 1.00 | 1.00 | 64 |
| 13 | Lolyda.AA2 | PWS | 1.00 | 1.00 | 1.00 | 55 |
| 14 | Lolyda.AA3 | PWS | 1.00 | 1.00 | 1.00 | 37 |
| 15 | Lolyda.AT | PWS | 1.00 | 0.98 | 0.99 | 48 |
| 16 | Malex.gen!J | Trojan | 1.00 | 0.95 | 0.97 | 41 |
| 17 | Obfuscator.AD | Trojan Downloader | 1.00 | 1.00 | 1.00 | 43 |
| 18 | Rbot!gen | Backdoor | 1.00 | 1.00 | 1.00 | 47 |
| 19 | Skintrim.N | Trojan | 1.00 | 1.00 | 1.00 | 24 |
| 20 | Swizzor.gen!E | Trojan Downloader | 0.83 | 0.76 | 0.79 | 38 |
| 21 | Swizzor.gen!I | Trojan Downloader | 0.81 | 0.85 | 0.83 | 40 |
| 22 | VB.AT | Worm | 1.00 | 1.00 | 1.00 | 122 |
| 23 | Wintrim.BX | Trojan Downloader | 0.90 | 0.97 | 0.93 | 29 |
| 24 | Yuner.A | Worm | 1.00 | 1.00 | 1.00 | 240 |
| | accuracy | | | | 0.99 | 2802 |
| | macro avg | | 0.98 | 0.97 | 0.97 | 2802 |
| | weighted avg | | 0.99 | 0.99 | 0.99 | 2802 |
Table 12. Comparison with the latest malware detection models on the Malimg dataset.

| Citation | Year | Proposed Methods | Accuracy (%) | Precision (%) | Recall (%) | F1-Score (%) |
|---|---|---|---|---|---|---|
| [96] | 2019 | CNN, LSTM + gray | 95.50 | 95.50 | 95.50 | 95.50 |
| [99] | 2019 | CNN(2), LSTM + gray | 96.30 | 96.30 | 96.20 | 96.20 |
| [69] | 2020 | LNBP + LDA + gray | 89.40 | 91.00 | 89.00 | 90.00 |
| [97] | 2020 | CNN + Color | 98.82 | 98.85 | 98.81 | 98.75 |
| [105] | 2021 | CNN(VGG19) + gray | 97.62 | 97.68 | 97.50 | 97.20 |
| [98] | 2021 | CNN(VGG16) + Color | 99.72 | 99.72 | 99.60 | 99.66 |
| [79] | 2022 | CNN + gray | 95.63 | 95.34 | 95.30 | 94.98 |
| [100] | 2022 | CNN + gray | 96.00 | 95.30 | 96.00 | 95.20 |
| Our model | 2022 | CNN + gray | 98.93 | 98.93 | 98.93 | 98.92 |
Table 13. Comparison with the model using the VGG16 + Pyramid CNN architecture [98].

| Division | [98] | Our Model |
|---|---|---|
| Input image | Color (224 × 224 pixels) | Gray (112 × 112 pixels) |
| Epochs | 1000 | 40 |
| Dropout | 0.5 | 0.45 |
| Batch size | 64 | 32 |
| Deep learning architecture | VGG16 + Pyramid CNN | CNN |
MDPI and ACS Style

Kim, H.-m.; Lee, K.-h. IIoT Malware Detection Using Edge Computing and Deep Learning for Cybersecurity in Smart Factories. Appl. Sci. 2022, 12, 7679. https://doi.org/10.3390/app12157679
