A Hybrid Intelligent Framework to Combat Sophisticated Threats in Secure Industries

With the new advancements in Internet of Things (IoT) and its applications in different sectors, such as the industrial sector, by connecting billions of devices and instruments, IoT has evolved as a new paradigm known as the Industrial Internet of Things (IIoT). Nonetheless, its benefits and applications have been approved in different areas, but there are possibilities for various cyberattacks because of its extensive connectivity and diverse nature. Such attacks result in financial loss and data breaches, which urge a consequential need to secure IIoT infrastructure. To combat the threats in the IIoT environment, we proposed a deep-learning SDN-enabled intelligent framework. A hybrid classifier is used for threat detection purposes, i.e., Cu-LSTMGRU + Cu-BLSTM. The proposed model achieved a better detection accuracy with low false-positive rate. We have conducted 10-fold cross-validation to show the unbiasdness of the results. The proposed scheme results are compared with Cu-DNNLSTM and Cu-DNNGRU classifiers, which were tested and trained on the same dataset. We have further compared the proposed model with other existing standard classifiers for a thorough performance evaluation. Results achieved by our proposed scheme are impressive with respect to speed efficiency, F1 score, accuracy, precision, and other evaluation metrics.


Introduction
The Industrial Internet of Things (IIoT) connects physical machines, sensors, and devices with the Internet. It then uses various software to perform deep analytics and transform vast amounts of data into powerful insights and intelligence [1]. This term highlights the IoT and its applications in sectors such as the Industrial sector, with strong attention on machine-to-machine (M2M) communication, machine learning (ML), and big data. Things covered in this domain include connecting wastewater systems, electric meters, flow gauges, manufacturing robots, other connected systems and industrial devices. With IIoT, enterprises and industries have better reliability and efficiency in their work [2,3]. The connecting working ability of multiple devices with the Internet allowes different threat actors to perform anomalous activities. There are a growing number of vulnerabilities and loopholes in the protocol used by IIoT architecture that threat actors can breach using sophisticated attack approaches [4,5]. An attacker's motives behind the exploit are to gain valuable information, money theft, and to corrupt the resources [6]. By the end of 2030, cyberthreats could cost up to USD 90 trillion to the IIoT if no promising solution is presented until then [7,8]. With the rapid increase in connecting IoT devices, securing critical assets and infrastructure is becoming a serious concern for various businesses. With all this, IoT brings three challenges: the first one is the IoT's heterogeneous network [9,10]. The second is its massively dispersed architecture, whereas the third is the protocols that IoT introduced for issues such as computation limitation and power in network sensors. In environments such as IIoT, the most common threat is Zero-day vulnerability leveraged by malware [11,12]. The attacker's main objective is to infect the critical devices to obtain control and change their operations using various techniques such as Distributed Denial of Service (DDoS), Advanced Persistent Threats (APT), and Denial of Service (DoS) attacks. For example, in 2010, the Iranian Nuclear Program was attacked by Stuxnet Worm. After that, in 2013, Iranian hackers got into the ICS of New York's Dam. In 2015, 230,000 customers in Ukraine suffered from a power outage due to black energy malware [13]. Hence, these occurrences proved that traditional cybersecurity procedures are no longer effective, including the authentication, security policies, firewall, and Intrusion Detection System (IDS). We propose an intelligent, SDN-enabled framework for timely and effective threat detection in IIoTs. The experimentation is conducted using the N-BaIoT dataset.

•
We propose a novel SDN-enabled Intillegent framework for early and efficient threat detection in the IIoTs. • Cu-LSTMGRU + Cu-BLSTM hybrid model is used for effective threat detection. • We compare the performance of the proposed model with current benchmark algorithms, i.e., Cu-DNNLSTM and Cu-DNNGRU, trained and evaluated on the same dataset. • For further performance evaluation, we compare the proposed model with existing literature. • We have employed standard evaluation metrics for a thorough evaluation. • Finally, 10-fold cross-validation is employed for verification purposes of our results.
The remaining paper is arranged as follows. In Section 2, we discuss the background and existing work. Section 3 is about the proposed methodology, dataset, and other details. Section 4 is dedicated to experimentation and evaluation criteria. Section 5 is about the experimental results, while the conclusion is discussed in Section 6.

Background and Existing Literature
SDN appears to be the most favorable networking model to be used in the coming years. The architecture of SDN comprises a data plane, control plane, and application plane with their APIs, i.e., northbound API and southbound API. The interface of northbound refers to the domain of protocol-based communication between the controller and applications or higher-layer control programs. Communication with the switch fabric, network virtualization protocols, and the integration of a distributed computing network are all functions of southbound APIs. According to SDNs architecture, we have a control plane isolated from the application and data plane. The control plane provides a review of the underlying basic network and is a centralized and intelligent unit. Apart from this, the control plane is a centralized decision-making and data-processing unit. Further, it has the potential to forward data to the whole network. However, the data plane represents the SDN agents and forwarding devices' collection. The control plane is programmable, and it has the ability to enhance its functionality by implementing different modules as the entire framework depends on the control plane. Hence, SDN provides flexibility and innovation, and its detailed architecture is presented in [14,15]. All SDN controllers are capable of extending different modules. Because of this, the detection scheme proposed by the authors is implemented on the control plane. For different SDN controllers, the architecture and design for most of them are the same; however, they differ in functionalities. From controller to controller, the implementation language differs. For example, Java is the implementation language of floodlight, while Python is used for writing POX.
The deep-learning models have aided the area of computer science through their applications, which are used in almost every sector of business; from medical devices to autonomous vehicles. The models of DL use the architecture of neural networks, which is why these model are referred to as deep neural networks. These models use a large set of labeled data for training, that automatically extracts features from data without the requirement for manual feature extraction. Some other applications of DL are voice recognition, fraud detection, image classification, and threat detection, and it is also used for the detection of pedestrians which results in a decrease in accidents.
The contemporary scientific evolution has witnessed the manifested competencies of the Internet of Things (IoT) that encompass every facet of our lives. The conveniently acquirable nature of IoT makes it impressionable to a diverse domain of security threats that need to be addressed. Software-Defined Networks (SDN) are an imperative evolutionary technology that provide promising solutions toward the security and integrity of IoT. Several scientific contributions have been made to overcome the susceptible nature of IoT; however, SDN-based security solutions prove their effectiveness at pre-eminent ranking [16]. SDN also interacts with other relevant cutting-edge technologies to efficiently play the role under contention. The integration of SDN and blockchain is, presented which comprises all the crucial security concerns regarding IoT in a futuristic perspective. Preservation against Denial of Services (DoS) attacks, spoofing attacks, and routing attacks are the core aptitude of that amalgamation [17]. SDN-enabled security solutions are considered to be marvelous in terms of resource utilization. The constitutional scheduling mechanism of the SDN central controller always comes with remarkable management of network resources. Hence, SDN-enabled intrusion detection schemes inherit that feature and facilitate IoT in gratifying protection frameworks, disbursing the least possible resources [18]. Another security model needs to be mentioned here that is formulated to insulate sensitive IoT environments against a broader range of potential security threats. The proposed model consists of an SDN-enabled blockchain-inspired approach for large-scale receptive atmospheres. The performance of the concerned model is evaluated, where favorable results seem to make it an ideal choice for large-scale IoT networks [19]. SDN also shakes hands with convolutional neural networks (CNN) to equip a distinguished safeguard for IoT against the wide variety of legitimate concerns. The Distributed Denial of Services (DDoS)-based attacks tree is an alarming sign against the smooth flow of communication in an IoT-based automated environment. This phenomenon caught researchers' attention, resulting in the designing of an SDN-enabled CNN-based security framework for resource-constrained IoT networks. The most significant feature of the proposed framework is efficient detection of security threats with less consumption of network resources [20].
In recent years, researchers have put their remarkable interest in deep learning and its applications in different research areas such as automotive designs, law, and the health sector. Moreover, lots of work exists in the area of NIDS in SDN [21]. A DL-based intrusiondetection framework was proposed by authors in [17], and employed RBM (Restricted Boltzmann Machine) in SDN. For experimental setup, this scheme used the KDD99 dataset and CMU dataset. For binary classification, this technique achieved 99.98% accuracy. Another scheme proposed in [18] utilized IDS based on GRU-RNN (Gated Recurrent Unit-Recurrent Neural Network) with CICIDS2017 and NSL-KDD datasets. The results showed an accuracy of 89% for different classifications. Although SDN architecture is flow based, the dataset NSL-KDD which was used is not flow-based. For attacks and threat detection in SDN networks, authors in [17] presented a DL (deep learning) system in which multilayer perception (MLP) is used. This scheme used the CTU-13 dataset, and performance results showed 98.7% detection accuracy. A connection-based technique is referred to as Credit-Based Threshold Random Walk (CB-TRW). Further, the authors implemented rate limiting in [19] with intrusion detection and prevention systems. For experimentation, network traffic was captured for five minutes. The results showed that false positive rate (FPR) is 0% with 97% CPU utilization for captured traffic of 10,000 packets at the rate of one second. In [20,21], the authors used the RNN, CNN, and LSTM for the network intrusion-detection framework. This framework used the ISCX2012 dataset. The model achieved an accuracy of 98%. The authors of [22,23] employed GRU-RNN for network intrusion detection systems (NIDS). The authors used the NSL-KDD dataset with six basic features. Results showed that the framework achieved an accuracy of 89%, which is not good for current evolving cyberattacks and threats. Authors in [24,25] proposed a method of anomaly detection entirely based on deep learning. This system used CNN, LSTM, and MLP. For experimentation, data were collected via T-Shark and Wireshark.
Authors in [26] proposed a DL method on a DNN for flow-based intrusion. This framework used Snort (network intrusion-detection system) with Barnyard and achieved 85% detection accuracy. Further, authors in [27,28] used a diverse variety of classifiers based on machine learning (ML) and a DL model. The authors used extreme learning machine (ELE), Ada-Boost, support vector machine (SVM), and decision tree. The authors proposed an intelligent intrusion-detection System (IDS) in SDN, using the dataset NSL-KDD, and acquired 80% detection accuracy. To address the issues of the Botnet detection mechanism, authors in [29,30] presented a scheme in SDN, which depends on multilayer perception (MLP). For experimentation, real data were used with an achieved accuracy of 98%. The authors in [31,32] presented an IDS using RNN and this IDS was trained by using the NSL-KDD dataset. The evaluation was performed on the network traffic. This model achieved 81.29% of accuracy for the classification of multiclass. Authors in [33] presented an SDN-based, intelligent scheme for intrusion detection in IoT. The authors used the CICIDS2017 dataset for training and experimentation using deep-learning classifiers and achieved a better detection accuracy. The literature review is summarized in Table 1.  The complexity of the dataset is not explored properly.
Diverse features are not used for enhancement of classifier.

Proposed Methodology
The purpose of this research is to propose an intelligent DL-driven scheme for threat detection in IIoT environments. This section is dedicated to the methodology of our work, i.e., hybrid threat-detection framework, preprocessing of dataset, proposed network model, and dataset description.

Proposed Network Model and Detection Scheme
During the past several years, SDN has emerged as an integrated network design. The SDN's application plane is designed to run a variety of applications in order to provide different services to endusers. The application mechanisms, on the other hand, are managed by the SDN's control plane, which handles data transfers, routing decisions, and traffic monitoring. For simplification and flexibility purposes in the SDN design, the data plane and control plane are separated. In addition to this, the control plane came up with the network's global view and central control functions, which simplified the assembling of network statistics. For the environment of IIoT, we proposed hybrid DL-driven, SDNenabled architecture to detect threats and intrusion. Figure 1 depicts the proposed model (Cu-LSTMGRU + Cu-BLSTM) which is placed in the control plane of SDN. There are many reasons for establishing the proposed model in the control plane. First, it is completely programmable, and also it can extend the IIoT devices on the data plane. Second, open flow switches are used in SDN, which is the solution for heterogeneity among IIoT devices and SDN controllers. Furthermore, without any exhaustion, the control plane can manage the main devices of IIoT in its data plane. The data plane is in charge of forwarding actual IP packets and to transport data packets from the source to the destination. The SDN framework and IIoT incorporation propose a better way to deeply examine the network traffic to look for intrusions, unauthorized events, and attacks, with the advantage of being cost-effective and centralized. Further, the authors propose a DL-driven hybrid model, i.e., Cu-LSTMGRU + Cu-BLSTM, for threat detection in IIoT. To detect various threats, a very powerful, versatile, and cost-effective scheme is developed that is visualized in Figure 2. This scheme comprises Cu-LSTMGRU and Cu-BLSTM models for sophisticated malware detection in the IIoT environment. The N-BaIoT dataset is tested and trained on the hybrid algorithms of deep learning with high detection rates and fewer false positives (FP). This scheme comprises multiple layers, i.e., Cu-LSTMGRU consists of 200 neurons and Cu-BLSTM has 100 neurons in one layer. We have used softmax in the output layer for the activation function and Relu function for other layers. For better results, the experimentation has been performed with 32 batch sizes until five epochs. We have used the Cuda-enabled version for experimentation purposes for faster multiplication of matrices. In addition to this, a comparison of our hybrid model is made with existing models, and the results are depicted in Table 6. By multiplication of matrixes, the whole performance of the system improves. In Table 2, an in-depth description of our DL classifiers is presented. However, the pseudocode of the proposed model is also provided as Algorithm 1. Calculate reset gate to determine how much of past information to forget. 10: Starting with the usage of reset gate, new memory content which will use reset gate to store information. 11: Calculating ht-Vector which holds information of the current position. 12: else 13: Generate a feature vector. 14: end if 15: if select.layer[l] = cuBLSTM then 16: Randomly generate the w and b of BLSTM 17: Compute the Hidden layers of BLSTM 18: Compute the output of Hybrid GRULSTM-BLSTM 19: end if 20: end for 21: end for 22: end procedure

Dataset
For the evaluation of threat-detection scheme performance, the use of an appropriate dataset significantly matters. For threat detection in the IIoT environment, the literature review shows that different authors used different datasets, e.g., NSLKDD [43][44][45], KDD CUP99 [46,47], etc. Most of them do not have the IIoTs supportive feature. For IIoT devices, some attackers scan them and then take control of these devices. In addition to this, they also use DNS rebinding and malicious scripts for locating and attacking the IIoT devices. Hence, the dataset used for the proposed model is a publicly available dataset N-BaIoT [48]. This dataset constitutes the network flow and IIoT supportive features, and it comprises the most dangerous malwares, i.e., Bashlite and Mirai. It consists of eight attacks and up to 115 traffic features. The dataset instances distribution is presented in Table 3 below.

Preprocessing of DataSet
The proposed work performed the preprocessing of the dataset by the following steps. At the first step, we detected all the blank rows, rows with nan values, and then deleted all of them as they can impact the performance of the evaluation model and data quality. During the next step, using the label encoder, i.e., sklearn, we converted all non-numeric values into numeric values as mostly numeric data can be processed by DL algorithms. In addition, to diminish the chances of unexpected results, we executed one-hot encoding on the output label as model performance can also be reduced due to category ordering. Minmax Scaler is used for the purpose of data normalization, which enhances the model's effectiveness.

Experimental Setup
For experimentation purposes, we used graphic processing unit (GPU) and Core i7-7700. Moreover, we used Keras to train the proposed module with a 3.8 version of Python. In Table 4, the software and hardware specifications are given.

Evaluation Metrics
Using the standard evaluation metrics such as precision, recall, accuracy, and F1score, we evaluated the performance of the proposed architecture. For certain parameters' calculation, we have to calculate the false omission rate (FOR), true positive (TP), false positive (FP), true negative (TN), false negative (FN), and Matthew's correlation coefficient (MCC).

Result and Discussion
This section presents the complete results of the proposed hybrid model (Cu-LSTMGRU + Cu-BLSTM). For detailed performance evaluation, we compared this model with two other hybrid models, Cu-DNN-LSTM and Cu-DNN-GRU, along with existing techniques in the literature. The following standard metrics of evaluation evaluate the performance of the proposed model.

Roc Curve Analysis
The Roc is a key parameter for checking the performance of any intrusion-detection system (IDS). True negative rates (TNR) and true positive rates (TPR) are correlated, and Roc plots the results. The Roc curve of our scheme is given below in Figure 3. This figure depicts the relationship between a true negative and a true positive.

Confusion Matrix Analysis
This evaluation matrix show the output of the classification model. As per the confusion matrix results, Cu-LSTMGRU + Cu-BLSTM recognizes the classes accurately. The confusion metrics of the three models are given in Figure 4. It depicts that the proposed model correctly identifies the classes and surpasses the other two models, (Cu-DNN-LSTM and Cu-DNN-GRU).

Cross-Validation
We used 10-fold cross-validation to prove the neutrality of our results. A detailed description of each fold is given in Table 5.

Accuracy, Recall, F1-Score, and Precision
The efficiency and performance of a classifier are demonstrated by accuracy. It shows how many samples are accurately identified by the proposed scheme. In Figure 5, we presented the accuracy performance of our proposed scheme (Cu-LSTMGRU + Cu-BLSTM). This hybrid model achieves 99.45% accuracy with 98.49% of recall. The records which are identified correctly indicate precision. The proposed model has a precision of 99.34% with a 99.47% F1 score. The 10-fold results are depicted in Table 5 for recall, precision, accuracy, and F1-score. Figure 5. Accuracy, recall, F1-score, and precision.

FPR, FOR, FNR, and FDR Analysis
To effectively evaluate our proposed scheme, we calculated the FOR, FPR, FDR, and FNR. The results are presented in Figure 6. We can see that our proposed model has FOR and FPR of 0.004% and 0.003%, respectively, while the FDR and FNR values are 0.002% and 0.0020%. Hence, our proposed model Cu-LSTM-GRU outperforms the other two models. In addition to this, DNN-GRU performs better than DNN-LSTM.

TPR, TNR, and MCC Analysis
To evaluate further, we used a confusion matrix for in-depth analysis of the proposed model to obtain the TPR, TNR, and MCC analysis values. In Figure 7, TNR, TPR and MCC are shown with values of 99.33%, 99.13%, and 98.03%, respectively. By casting an analytical look at the Figure 7, it is concluded that Cu-LSTMGRU+Cu-BLSTM has better performance.

Speed Efficiency
The time taken by the proposed model for testing is shown in Figure 8. Here, we are not considering the training phase as it was mostly performed offline. While illustrating the model's performance and efficiency, testing is very important. The time consumed by our proposed hybrid model is 9.79 ms, which is computationally efficient. However, for the other two models, DNNLSTM is computationally better than DNNGRU, with a testing time of 12.9 ms.

Cu-LSTM-GRU-Cu-BLSTM Comparison with Existing Literature
To highlight the efficacy of the proposed scheme, we compared it with two existing hybrid DL models (Cu-DNN-LSTM and CU-DNN-GRU). For evaluation, we used the same metrics for both models and all of the three models were tested and trained on the same dataset N-BaIoT. The details of these models are given in Table 2.
Moreover, a comparison is also made with other benchmark algorithms. In Table 6, the proposed model's comparison with the existing literature is given. It can be seen that Cu-LSTMGRU + Cu-BLSTM outperforms in terms of precision, F1-Score, accuracy, and speed efficiency. Furthermore, the testing time of the proposed model is 9.79 ms, which is significantly better than the existing benchmarks.

Limitations of the Proposed Model
The proposed hybrid model is a potential intrusion-detection system in an IIoT environment. Despite the considerable performance of our proposed method, there are some limitations that we will address in the future, i.e., the proposed model requires well-labeled data for training. On the other hand, these data are infrequent, and obtaining them necessitates a significant amount of effort. Further, the proposed intrusion-detection model outperformed the existing techniques; however, it will be more effective if it can detect insider attacks where intruders can harm the network without affecting the traffic flow between the sensor network and the internet.

Conclusions
There is a need for flexible and secure IIoT infrastructure. This can be achieved using Cuda-enabled deep-learning classifiers. Intrusion-detection systems based on DL can have the ability to detect any emerging cyberthreats. We proposed SDN-enabled, intelligent architecture to protect the IIoT environment from sophisticated threats. For successful threat detection, we have used a hybrid classifier (Cu-LSTMGRU + Cu-BLSTM). The proposed scheme is scalable, and also it has a low cost. Moreover, we compared the results with other hybrid algorithms, i.e., Cuda-DNNLSTM and Cuda-DNNGRU. Results showed that our proposed scheme outperforms the other two hybrid models and those existing in the literature. We have used standard evaluation metrics to evaluate the model, i.e., speed efficiency, F1 Score, accuracy, precision, recall, TPR, FPR, etc. The proposed scheme consumes a testing time of only 9.79 ms with 0.0035% FPR and 99.45% accuracy. Our model has better results as compared to the existing literature. In the future, the authors aim to use different hybrid classifiers along with blockchain and SDN for efficient threat detection, and will propose a scheme for isolating the compromised IIoT devices. Lastly, the authors endorse SDN-based intelligent frameworks for the security of IIoT environments.

Conflicts of Interest:
The authors declare no conflicts of interest associated with this research work.

Abbreviations
The abbreviations used in this paper are as follows