A Classy Multifacet Clustering and Fused Optimization Based Classification Methodologies for SCADA Security

Abstract

Detecting intrusions from the supervisory control and data acquisition (SCADA) systems is one of the most essential and challenging processes in recent times. Most of the conventional works aim to develop an efficient intrusion detection system (IDS) framework for increasing the security of SCADA against networking attacks. Nonetheless, it faces the problems of complexity in classification, requiring more time for training and testing, as well as increased misprediction results and error outputs. Hence, this research work intends to develop a novel IDS framework by implementing a combination of methodologies, such as clustering, optimization, and classification. The most popular and extensively utilized SCADA attacking datasets are taken for this system’s proposed IDS framework implementation and validation. The main contribution of this work is to accurately detect the intrusions from the given SCADA datasets with minimized computational operations and increased accuracy of classification. Additionally the proposed work aims to develop a simple and efficient classification technique for improving the security of SCADA systems. Initially, the dataset preprocessing and clustering processes were performed using the multifacet data clustering model (MDCM) in order to simplify the classification process. Then, the hybrid gradient descent spider monkey optimization (GDSMO) mechanism is implemented for selecting the optimal parameters from the clustered datasets, based on the global best solution. The main purpose of using the optimization methodology is to train the classifier with the optimized features to increase accuracy and reduce processing time. Moreover, the deep sequential long short term memory (DS-LSTM) is employed to identify the intrusions from the clustered datasets with efficient data model training. Finally, the proposed optimization-based classification methodology’s performance and results are validated and compared using various evaluation metrics.

1. Introduction

Supervisory control and data acquisition (SCADA) [1,2] is a software application system extensively utilized in many industrial sectors to monitor, control, and analyze manufacturing units. Due to its increased efficiency and performance, SCADA is utilized worldwide in different fields and industries to facilitate proper industrial operations. Additionally, SCADA systems [3,4,5] are mainly used to monitor, control, and automate the industrial processes by collecting the data from remote units and equipment, such as human machine interfaces (HMI), programmable logic controllers (PLC), and remote terminal units (RTU). However, providing security to SCADA against network attacks [6,7] is one of the most challenging and difficult tasks in the current era due to the rapid increase in attacks. Therefore, to safeguard SCADA systems, the intrusion detection system (IDS) has been developed to help identify harmful intrusions or attacks against networking operations [8,9]. Additionally, it directs the attacking alerts to the network administrators in order to ensure the security of systems. Typically, the IDS is considered as the most suitable and alternative security approach, and it is highly preferred by many researchers [10]. In this framework, the software program can be used to monitor and detect malicious activities, such as breaking of protocols, interrupting the network communication/data transmission, and data theft. Moreover, it is more suitable [11,12] for detecting both the known and unknown attacks in the network created by internal/external attackers. However, most of the conventional IDS approaches are not able to handle the complex nature of cyber-attacks. Hence, ensuring the security of SCADA systems remains a challenging process.

Some of the existing works [13,14] aim to incorporate the clustering, optimization, and classification methodologies with the IDS framework to resolve this problem. Recently, machine learning and deep learning techniques are increasingly utilized by many researchers to detect network intrusions by extracting dataset features [15]. These include the mechanisms [16,17] of the naïve Bayes (NB), the support vector machine (SVM), logistic regression (LR), linear discriminant analysis (LDA), the decision tree (DT), the random forest (RF), the multilayer perceptron (MLP), ensemble learning (EL), the deep neural network (DNN), the recurrent neural network (RNN), and the convolutional neural network (CNN). Yet, it faces problems [18,19] and challenges related to complex computational operations, increased time consumption for training and testing, and a high misclassification and error rate. Hence, the proposed work intends to implement an intelligent and hybrid IDS framework using sophisticated optimization and classification methodologies for spotting intrusions from SCADA IDS datasets. The novelty of this system is to group the attributes into the form of clusters before selecting the optimal number of features for training the classifier. The main contribution of the proposed work is to detect intrusions from the given SCADA datasets with reduced computational complexity and increased accuracy. For this purpose, a combination of methodologies are used to construct a simple and efficient intrusion detection framework for ensuring the security of SCADA systems. Additionally, the proposed objective is to implement intelligent and advanced clustering, optimization, and classification methodologies for developing the proposed security framework.

The primary objectives of the research methodology are as follows:

• To preprocess and normalize the given IDS dataset by grouping the attributes into the form of clusters, the multifacet data clustering model (MDCM) is implemented, which helps to simplify the process of classification.
• To optimally select the features for increasing the efficiency of classifier training, the gradient descent spider monkey optimization (GDSMO) mechanism is utilized, which minimizes the time of processing and increases the convergence rate.
• To exactly spot the intrusions from the clustered datasets based on the optimal set of features, the deep sequential long short term memory (DS-LSTM) technique is employed.
• To assess the performance of the proposed GDSMO-DSLSTM-based IDS framework, various evaluation measures have been utilized, and the obtained results are compared with other recent IDS approaches.

The remaining units of this paper are segregated into the following: some of the conventional clustering, optimization, and classification techniques used to increase SCADA systems’ security are reviewed with their advantages and disadvantages in Section 2. The working methodology of the proposed system is illustrated with its overall flow and algorithmic representations in Section 3. The performance analysis of the proposed IDS framework is validated and compared by using various evaluation metrics in Section 4. Finally, the overall paper is summarized with its future scope in Section 5.

2. Related Works

This section reviews some of the conventional approaches used for developing an IDS in SCADA systems. Additionally, it investigates the benefits and limitations of each mechanism based on its characteristics and working operations.

Ref. [20] implemented a deep learning model for detecting intrusions in SCADA systems, where the network-based cyber-attack primitives were highly concentrated. Additionally, it mainly aims to extract the features and salient temporal patterns of individual packets by using the convolutional neural network (CNN) algorithm. [21] presented a comprehensive review of various IDS methodologies for increasing the security of SCADA systems. The primary factor of this work was to analyze the different types of methodologies used for detecting the attacks, which include the following types: intrusion detection technologies, intrusion detection methodologies, and intrusion detection approaches. Moreover, an effective IDS should satisfy the following constraints:

• Accurate detection
• Improved system reliability
• Reduced false positives
• Ability to handle large dimensional datasets
• Fast processing

Ref. [22] implemented a hybrid multilevel (HML) IDS mechanism incorporated with the nearest neighbor rule algorithm for detecting industrial attacks. The main purpose of this work was to exactly detect the anomalies with reduced false positives and an increased detection rate. Here, three different feature selection mechanisms have been analyzed and compared for improving the dimensionality of features. In addition to that, the Bloom filtering approach was utilized for categorizing the normal network patterns and anomalies by constructing the hash lookup table. The key advantages of this work were optimal performance and minimal resource consumption. Yet, it faced the problems of complex analysis, as well as the inability to handle different types of attacks. Ref. [23] developed an anomaly-based IDS (Ab-IDS) for spotting cyber-attacks in SCADA systems. This work mainly aims to identify malicious packets in the network with reduced system disturbances and network traffic. For validating the performance of this approach, two different IDS security tools, such as Snort and Bro, have been utilized.

Ref. [24] employed a long short term memory (LSTM) classification technique for detecting intrusions in the SCADA system. This work mainly aimed to identify temporal uncorrelated attacks by analyzing the specific features from the given dataset. It includes nearly 19 different types of features, such as port number, sequence number, traffic type, threshold value, speed, register data, etc. Typically, LSTM is a kind of deep learning-based classification technique that helps to predict accurate labels for given problems. Here, the many-to-many (MTM) and many-to-one (MTO) architectures have been developed for improving the performance of attack detection. Still, it has limits, such as the problems of increased time consumption for forming the hidden layers, and complexity in handling the large data. Ref. [25] presented a novel intrusion detection framework for identifying malicious activities in SCADA systems. This paper analyzed the performance and efficiency of two different and popular IDS technologies, such as Snort and Suricata, for categorizing the types of intrusions. Moreover, it investigated some of the security challenges in SCADA systems, which includes the following: lack of security in communication, inefficient data training, authentication, and controlling.

Ref. [26] deployed an auto-encoder-based network IDS for locating critical attacks in SCADA systems based on the 17 distinct data features. Here, the distributed network protocol 3 (DNP3) has been utilized for ensuring reliable communication in the network. In addition to this, hyper-parameter optimization was performed in this work for training the auto-encoder based on the hyper-parameters. Additionally, the effectiveness of this model has been validated and compared based on the measures of accuracy, precision, recall, and false positives [15]. The benefits of this work were minimized error value and processing time due to the hyper-parameter tuning. Ref. [27] employed a feed-forward neural network (FNN) mechanism for identifying correlated and uncorrelated attacks with ensured performance outcomes. Here, the omni attack detector has been developed for distinguishing the different types of attacks. The detection performance of this work could be enhanced based on the features of communication traffic and threshold value. Yet, it has the drawbacks of reduced scalability, reliability, and real-time monitoring was not possible in this system. Ref. [28] presented a comprehensive analysis of various machine learning techniques used for detecting intrusions in SCADA networks, which include the mechanisms of the support vector machine (SVM), the random forest (RF), the J48 classifier, the naïve Bayes (NB), and the decision tree. The key factor of this work was to select the most suitable technique used for increasing the performance of IDS. Based on this study, it was identified that the random forest classifier technique outperforms the other techniques with reduced error rate and false positives.

Ref. [29] implemented an elephant herding optimization (EHO)-based recurrent neural network (RNN) classification technique for detecting intrusions in IoT-SCADA systems. Here, the Caesar ciphering model integrated with the elliptic curve cryptography mechanism was utilized for improving the security level of SCADA systems. The primary advantages of this work were increased detection accuracy, security, and reduced training time. Ref. [30] introduced a new SCADA framework for industrial applications with ensured security and reliable data communication. This work mainly intends to analyze the major risk factors that could affect the performance of SCADA systems. Here, some of the common characteristics, such as data base injections, communication, and prioritization of tasks have been investigated for improving the performance of SCADA systems. Moreover, the detailed vulnerability assessment test has been conducted for validating the detection efficiency of intrusion detection and classification. Ref. [31] examined the performance of various machine learning classification approaches, such as SVM, RF, DT, logistic regression, NB, and KNN for developing an efficient SCADA-IDS. For this analysis, the online real-time traffic data has been utilized, while the training and testing assessments were performed for attack identification and categorization.

Ref. [32] introduced a new framework named as the Dnp3 intrusion detection prevention system (DIDEROT) for increasing the security of SCADA systems. Here, the attack detection was performed based on the analysis of network topology, and the developed framework was used to mitigate both the anomalies and DNP3 cyber-attacks. Moreover, it includes the modules of preprocessing, training and prediction, in which the data preprocessing could be performed based upon min-max scaling, normalization, and robust scaling. After that, the machine learning classification methodology was implemented to train the preprocessed data to detect the anomalies. The key benefit of this work was that it was capable of operating in both NIDS and HIDS. Ref. [33] developed a biased intrusion scheme for increasing the security of SCADA systems, which comprises the phases of optimization, classification, and security. Here, the modified GWO technique was implemented to analyze the features of data in order to sort the malfunctions. Then, the entropy-based ELM technique was utilized to detect the intruders based on the parameters of date, time, and file location. Finally, a hybrid ECC technique was employed to select the trusted routing path [34] for securing the information against the attackers. Ref. [35] aimed to identify the potential breaches and vulnerabilities in the SCADA systems by providing some recommendations to ensure the security of network. Here, the different types of overflow vulnerabilities, such as stack-based, multiple buffer, heap-based, multiple heap-based, multiple stack-based, and buffer overflows could be investigated with the strategy of attacks and interruptions. Ref. [36] employed a chicken swarm optimization-based deep CNN technique for detecting cracks on the concrete structures. The main purpose of this work was to analyze the structural condition of concretes for identifying the damages of cracks, spalling, exposure, and rebar buckling. Here, group statistical evaluation metrics have been used to validate the results of this scheme. Ref. [37] utilized a GA-based CNN technique for detecting the concrete cracks with increased accuracy. Here, the hyper-parameter optimization [38] could be performed for tuning the parameters of learning rate, number of layers, and optimization function.

According to this review, it is studied that the existing works are highly concentrating on developing the IDS frameworks with the data clustering, optimization, and classification approaches. Yet, this approach faces the problems and challenges related to the following:

• Inability in handling large datasets
• High false positives and error outputs
• Misclassification results
• Requires high time consumption for training data
• Follows complex computational operations for classification

Hence, the proposed work aims to develop an advanced and intelligent optimization -based classification methodology for developing the intrusion detection framework in SCADA systems.

3. Proposed Methodology

This section presents the working methodology of the proposed IDS system used for detecting intrusions from the SCADA systems. The primary objective of this work is to accurately spot the intrusions from the IDS datasets by using a combination of clustering, optimization, and classification methodologies with reduced computational complexity and time consumption. For accomplishing this process, a multifacet data clustering model (MDCM), gradient descent spider monkey optimization (GDSMO), and deep sequential long short term memory (DS-LSTM) have been implemented. The novel contribution of the proposed system is to select the optimal features from the clustered dataset based on the best fitness value for detecting and categorizing the type of intrusions with an efficient data training model. Here, the SCADA IDS datasets have been taken as the inputs for processing, which comprises some irrelevant attribute information, random values, and a missing field of attributes. Hence, it must be preprocessed and clustered to improve the quality of input datasets, because the unbalanced dataset can affect the performance of IDS with increased misclassification results and error values. So, the proposed work intends to utilize the MDCM technique for normalizing and clustering the data attributes of the input dataset, which helps to improve the efficiency and accuracy of classification. After that, the GDSMO mechanism is implemented for optimally selecting the most-suited features from the clustered dataset, based on the best fitness value. Here, the main advantages of using the GDMO technique are as follows: it efficiently identified the best global optimal solution with minimum iterations, increased convergence rate, and was fast in processing. Moreover, the DS-LSTM mechanism is employed to detect the intrusions from the desired datasets by using the set of optimal features. This is because it supports the aim of efficiently training the model of classifier with reduced time consumption and increased accuracy. Finally, the classifier produces the predicted label as whether normal or intrusion.

The working flow and methodology of the proposed IDS in SCADA systems is shown in Figure 1, which involves the following modules of operations:

• Data preprocessing and clustering
• Segmentation
• Feature Optimization
• Attack Prediction

3.1. Data Preprocessing and Clustering

At first, the input dataset preprocessing and normalization processes have been performed for balancing the attributes by filling the missing values, and eliminating the irrelevant information and random values. Additionally, dataset clustering is one of the most essential operation that needs to be accomplished for segmenting the dataset into the group of attribute information in the form of clusters. This is because the large and unbalanced datasets are highly difficult to process, and they also affects performance of classification with increased error values and false positives. Hence, this work aims to implement an advanced clustering technique, named as the multifacet data clustering model (MDCM), for normalizing and clustering the original input datasets, which helps to improve the performance of the classifier. The key factors of using this technique are reduced detection time, increased speed of processing, and classifier accuracy. This stage includes the following stages:

• Attribute normalization
• Distance computation
• Clustering

Here, the attribute normalization is mainly performed for standardizing the data values by extracting the relevant features, where the data is normalized between the values of 0 to 1 as shown in the following equation:

$$f_v^{\prime }=\frac{f_v-Min \left(DS\right)}{Max \left(DS\right)-Min \left(DS\right)}$$

(1)

where, $f_v^{\prime }$ indicates the normalized feature value, $Min \left(DS\right)$ and $Max \left(DS\right)$ denote the minimum and maximum values of the dataset DS, respectively, and the feature value of $f_v\in DS$. Then, the distance computation is performed to estimate the similarity between the multiple features of the data, which is computed according to the minimum distance and increased similarity value. Consider the input dataset having two objects with N number of attributes as $D{S}_i=\left\{f_{v1},f_{v2}\dots f_{viN}\right\}$. and $D{S}_j=\left\{f_{v1},f_{v2}\dots f_{vjN}\right\}$. After that, the correlation between the data is estimated based on the formation of a covariance matrix as illustrated in the equation below:

$$d\left(D{S}_i,D{S}_j\right)=\sqrt{{\left(D{S}_i-D{S}_i\right)}^{S}C{M}^{-1}\left(D{S}_i-D{S}_j\right)}$$

(2)

where, $d(.)$ indicates the distance function, and $CM$ is the generated covariance matrix. Moreover, the estimated distance function is mainly used to compute the similarity of multi-features in the dataset. Consequently, the symmetry similarity matrix $m\times m$ has been constructed according to the closeness of data objects as illustrated in the equation below:

$$\left(\begin{array}{c}\begin{array}{ccc}0& d\left(D{S}_1,D{S}_2\right)& \begin{array}{cc}\dots & d\left(D{S}_1,D{S}_n\right)\end{array}\\ d\left(D{S}_2,D{S}_1\right)& 0& \begin{array}{cc} \dots & d\left(D{S}_2,D{S}_n\right)\end{array}\\ ⋮& ⋮& \begin{array}{cc}\ddots & ⋮\end{array}\end{array}\\ \begin{array}{ccc}d\left(D{S}_n,D{S}_1\right)& d\left(D{S}_n,D{S}_2\right)& \begin{array}{cc}\dots & 0\end{array}\end{array}\end{array}\right)$$

(3)

Furthermore, the best clustering effects has been obtained by using the following Equation (4):

$$\delta ={{\displaystyle \sum }}_{j=1}^N{\displaystyle \sum }_{D{S}_i\in C_j}{\left|\left|D{S}_i-C_j\right|\right|}^2$$

(4)

where, $\delta$ indicates the clustering result, and $C_j$ denotes the center of the j-th cluster. Based on the minimum distance value, the clustering dataset has been generated, which is used for further operations, such as optimization and classification.

3.2. Gradient Descent Spider Monkey Optimization (GDSMO)

After preprocessing, the optimal number of features are selected from the clustered dataset based on global fitness function by using the proposed hybrid Gradient Descent Spider Monkey Optimization (GDSMO). The conventional SMO technique can easily fall into the problem of local optimum, hence it could not be suitable for all kinds of applications. Hence, the proposed work intends to incorporate the gradient descent (GD) with SMO technique, which efficiently avoids the local optimum problem by adding the fraction of past weight update with the current weight update value. Additionally, it acts like a simulated annealing algorithm, where the randomness is hosted to avoid the local minimum of optimization. In this technique, the parameters are initialized with the random values, and the derivatives are computed to adjust the weight value according to the objective function.

The main purpose of using this technique is to select the best features with a reduced number of iterations, increased convergence rate, and speed of processing. Additionally, it is a technique inspired by a stochastic optimization mechanism, which helps to efficiently reduce the learning time of the classifier [39]. Typically, the increased number of features can degrade the performance of classification with an increased time consumption and misprediction rate. Hence, it is most essential to optimally select the best suited features in order to train the data model of a classifier for intrusion identification and classification. Here, the parameter tuning is performed for simplifying the process of classification, due to the fact that it is more suitable for solving the complex multi-objective optimization problems. In this technique, the local iterative search is enabled for calculating the functions having a local minimum. Consider that the multivariate function $M\left(x\right)$ is distinctive from the neighboring points k, and that $M\left(k\right)$ is decreased with the negative gradient of $\left(k,G\left(k\right)\right)$, denoted as the gradient descent. Then, the next position P of the gradient corresponding to the current position k is illustrated as follows:

$$P=k-\omega \nabla M\left(k\right)$$

(5)

where, $\omega$ indicates the weight factor. The function $M\left(k\right)>M\left(P\right)$ must be satisfied to confirm the sufficient level of $\omega$. Consequently, the sequence of attributes $s_0, s_1,s_2\dots$ and $t_0, t_1,t_2\dots$ are considered with an arbitrary point $s_0$, and the local minimum value is computed as follows:

$$M\left(t_i\right)=\rho {\left(s_i-t_i\right)}^2+\delta {\left(t_i-t_{i+1}\right)}^2+\delta {\left(t_i-t_{i-1}\right)}^2$$

(6)

$$t_i^{\prime }=t_i+2\rho \left(s_i-t_i\right)+2\delta {\left(t_{i+1}-t_i-2t_i\right)}^2$$

(7)

Based on the step function, the expected local point is optimally identified with improved convergence. This optimization algorithm performs the following operations for computing the best fitness value:

• Initialization
• Local Leader Selection
• Global Leader Selection
• Learning module
• Decision module

During initialization, there are E number of spider monkeys which have been initialized, in which each monkey has the set of the G dimensional vector as $B_{ij}\left(i=1,2,3\dots E\right)$, where $B_{ij}$ indicates the i-th spider monkey B at the j-th direction. This is represented as follows:

$$B_{ij}=B_{mnj}+rand \left(0,1\right)\left(B_{mxj}-B_{mnj}\right)$$

(8)

where, $B_{mnj}$ and $B_{mxj}$ are the minimum and maximum limits of the spider monkey $B_{ij}$, and the function rand (0, 1) indicates the random value lies in the range of 0 to 1. After initialization, the local leader is selected from the group of local members, and the fitness is computed according to its new position. If the estimated fitness value is greater than the new fitness value, the spider monkeys have updated their position as shown in the equation below:

$$B_{hij}=B_{ij}+rand \left(0,1\right)\left(L{P}_{vj}-B_{ij}\right)+rand\left(-1,1\right)\left(B_{rj}-B_{ij}\right)$$

(9)

where, $B_{hij}$ is the new position of the spider monkey, $L{P}_{vj}$ indicates the v-th local group leader with dimension j, and $B_{rj}$ denotes the random r-th spider monkey with dimension j, $r\ne i$. Subsequently, the global leader is elected based on the experience, and during this stage, all spider monkeys have to update their positions. Then, the experience of both local and global leader members are determined as follows:

$$B_{hij}=B_{ij}+rand \left(0, 1\right)\left(G{P}_j-B_{ij}\right)+rand\left(-1,1\right)\left(B_{rj}-B_{ij}\right)$$

(10)

where, $G{P}_j$ indicates the global leader with dimension j and random index of $j\in \left\{1,2\dots d_n\right\}$. Then, the positions of all spider monkeys $\left(B_i\right)$ have been updated according to the probability value of $P{b}_i$. This value can be determined with respect to the fitness value and, based on this, the best global leader candidate is selected using the probability value as shown below:

$$P{b}_{ij}=\frac{F_i}{{{\displaystyle \sum }}_{i=1}^n{F}_i}$$

(11)

where, $P{b}_{ij}$ indicates the estimated probability function, and $F_i$ is the fitness value of the i-th spider monkey. Furthermore, the learning phase has been executed with the local and global leaders. During this process, the spider monkey having the highest fitness value is considered as the global leader of all spider monkeys, and its position does not update. Similar to that, the local leader has been selected from each group of members, and its position is also does not update. During the decision making module, the group members have to update their positions once the local limit reaches the threshold value, as shown in the equation below:

$$B_{hij}=B_{ij}+T\left(0,1\right)\times \left(G{P}_j-B_{ij}\right)+T\left(0,1\right)\times \left(B_{ij}-L{P}_{vj}\right)$$

(12)

Similar to that, the global leader could split the population into small number groups, until it reached the maximum number of splits. If its position is not updated, all groups are integrated into a single group. Based on the optimal solution, the final best subset of features have been selected for improving the accuracy of classification. These selected features are further utilized for training the classifier that helps to increase the overall accuracy of intrusion detection and classification system. The algorithmic procedure of the proposed IDS is presented in Algorithm 1.

Algorithm 1 Gradient Descent Spider Monkey Optimization (GDSMO)

$\mathrm{Input}:\hspace{1em}\mathrm{Initial} \mathrm{set} \mathrm{of} \mathrm{population} s_i\left(a\le i\le m\right)$$, \mathrm{transaction} \mathrm{probability} \tau$$, \mathrm{and} \mathrm{switching} \mathrm{probability} {\alpha }_p$; $\mathrm{Output}:\hspace{1em}\mathrm{Best} \mathrm{optimal} \mathrm{solution} Op{t}_{a\left(i\right)}$; $\mathrm{Step} 1:\hspace{1em}\mathrm{At} \mathrm{first}, \mathrm{the} \mathrm{objective} \mathrm{function} O\left(s\right)$$\mathrm{is} \mathrm{constructed} \mathrm{with} \mathrm{the} \mathrm{set} \mathrm{of} s={\left(s_1,s_2\dots s_d\right)}^T$; $\mathrm{Step} 2:\hspace{1em}\mathrm{Initialize} \mathrm{the} \mathrm{set} \mathrm{of} \mathrm{populations} \mathrm{of} \mathrm{k} \mathrm{number} \mathrm{of} \mathrm{spider} \mathrm{monkeys} s_i$$\mathrm{with} 1\le i\le k$$, \mathrm{and} \mathrm{its} \mathrm{switching} \mathrm{probability} {\alpha }_p\in \left[0, 1\right]$ with the maximum number of iterations; $\mathrm{Step} 3:\hspace{1em}\mathrm{While} (l<Ma{x}_{itr})$ do. Randomly select the spider monkeys for computing the fitness function by using Equations (5)–(7); $\mathrm{Verify} \mathrm{the} \mathrm{value} \mathrm{of} M_i=O\left(s_i^{l+1}\right)$ for computing the fitness value; $\mathrm{While} \mathrm{the} \mathrm{fitness} \mathrm{of} s_i$$\mathrm{is} \mathrm{not} \mathrm{at} (l<It{r}_{max})$ do $\mathrm{Split} \mathrm{the} \mathrm{entire} \mathrm{set} \mathrm{of} \mathrm{population} s_i$$\mathrm{with} 1\le i\le n$ into g number of groups; //Local and global leader phase Update the position of monkeys and global leader as shown in Equations (8)–(10); //Learning phase Select the best global leader based on the probability as defined in Equation (11); Update the position of global & local leaders, and compute the fitness value for the leaders; Group members can update their position by using Equation (12); $Itr=Itr+1$;      End; $\mathrm{Step} 4:\hspace{1em}\mathrm{If} (M_i>M_j)$ then $M_j\leftarrow M_i$; //Replace the old solution with the new solution; End if; $\mathrm{Step} 5:\hspace{1em}\mathrm{If} (rand \left[0, 1\right]<{\alpha }_p)$ then Re-initialize the entire population with the group members; Obtain the global best solution; End if; $\mathrm{Step} 6:\hspace{1em}\mathrm{If} (M_i<M_{min})$ //Old solution is replaced with the new solution        $Op{t}_{a\left(i\right)}=s_i$; $M_i=M_{min}$; //Arrange the most feasible solutions for determining the current best solution;Increment the count l by 1; $\mathrm{Return} \mathrm{the} \mathrm{best} \mathrm{optimal} \mathrm{solution} \mathrm{as} Op{t}_{a\left(i\right)}$;             End;

3.3. Deep Sequential Long Short Term Memory (DS-LSTM) Classification Model

In this stage, the selected optimal number of features have been utilized by the classifier for training the model. Here, the deep sequential long short term memory (DS-LSTM) mechanism is employed to identify the intrusions from the SCADA dataset, based on the optimal number of features. It is a kind of machine learning classification mechanism and is more suitable for solving the complex prediction problems. The hyper-parameters play a vital role in the deep learning classification techniques, because they have a great impact on determining the performance of a classifier. In the existing works, the hyper-parameter tuning is performed in the deep learning models based on the random and grid search, but it is not more efficient. Hence, the proposed work aims to utilize an optimization technique for tuning the hyper-parameters. Typically, optimizing the hyper-parameters is one of the crucial processes, so it is required for deep understanding of the underlying model. Hence, the proposed work utilizes an optimization model for optimizing the hyper-parameters of a classifier, which helps to obtain improved performance results. Then, the RMSprop optimizer has been used to optimize the value of the hyper-parameters, which helps to obtain an increased training and testing accuracy. Here, the main purpose of optimizing the hyper-parameters is to increase the training and testing accuracy of classifier. In the proposed system, the different types of hyper-parameters used in the classification are as follows: learning rate, number of epochs, hidden layers, and batch size. The primary advantages of using this technique are reduced time consumption for training and testing, increased accuracy, detection rate, and minimized misclassification rate. In the proposed system, the parameter tuning process [40] has been performed by using the optimization technique that helps to efficiently improve the detection rate of proposed IDS. During this process, the optimal set of features, learning model, and label are taken as the inputs, and the predicted label is produced as the classified output. Initially, the deterministic rules $\Delta D_r\left(x\right)$ are computed according to the logical vector $\sigma$ and featured data $Op{t}_{a\left(i\right)}$, as shown below:

$$\Delta D_r\left(x\right)=k_v^{\prime }\left(ne{t}_v\left(x\right)\left(\tau -Op{t}_{ai}\left(x\right)\right)\right)$$

(13)

After that, the feature map has been extracted by applying the convolutional operation across two set of data as shown below:

$$c^v=Op{t}_{ai}\left(x\right)+\left(\Delta D_r\left(x\right)+Op{t}_{ai}\left(x\right)\right)$$

(14)

Based on the value of target vector, the trail vector is computed by using the following model:

$$T{a}_{i,j}^v=\{\begin{array}{c}{c}_{i,j}^v if Cl{a}_L==1 \\ \Delta D_{i,j}^v else\end{array}$$

(15)

where, $T{a}_{i,j}^v$ indicates the trail vector, $Cl{a}_L$ is the classified label, and $c_{i,j}^v$ is the convolutional vector. According to the weight value, the dropout factor is estimated for the v-th target vector, in which the neurons are randomly selected with respect to the specialization function as shown below:

$$T_U\left(x\right)=\frac{1}{2} \left(x-{\displaystyle \sum }_{x=1}^n\partial {\omega }_x^{\prime } T{a}^v\right)$$

(16)

where, $T_U\left(x\right)$ is the training data, $\partial$ indicates the dropout factor, ${{\omega }_x}^{\prime }$ denotes the weight value, and $T{a}^v$ is the target vector. Consequently, the memory cells are updated with the forward pass as shown below:

$${m_c}^x=T_U\left(x\right)\odot g^x+k_v^{\prime }\left(ne{t}_v\left(x\right)\right)\odot {m_c}^x$$

(17)

where, $m_c$ is the memory cells, and $g^x$ comprises both the feature map and feedback. Subsequently, the obtained feature values are passed to the sigmoid layer of the LSTM, where the distributed probability is estimated for each class as shown below:

$$Di{P}_{sd}\left(C_O\right)=\frac{e^{C_U^d}}{1+e^{C_U^d}}$$

(18)

where, $Di{P}_{sd}$ is the distributed probability of sigmoid function, $C_O$ denotes the output class, and $C_U^d$ indicates the output value with d-th class. Then, the binary cross entropy is estimated for analyzing the disparity across the definite segments that are used to attain the probability distribution function as shown below:

$$P_l={\displaystyle \sum }_{i=1}^{v}D\left(C_U^i\right)a \log \left(Di{P}_{sd}\left(C_U^d\right)\right)$$

(19)

At last, the output predicted label is obtained as follows:

$$C_O=C_U\left(Di{P}_{sd}\le 1\right)$$

(20)

Then, the RMSprop optimizer has been used to optimize the value of the hyper-parameters, (as showing in Algorithm 2) which helps to obtain an increased training and testing accuracy.

Algorithm 2 Deep Sequential Long Short Term Memory (DS-LSTM) Classification

Input:$\hspace{1em}\mathrm{Optimal} \mathrm{set} \mathrm{of} \mathrm{features} Op{t}_{a\left(i\right)}$$, \mathrm{learning} \mathrm{model}, \mathrm{and} \mathrm{Label} C_U$; Output:$\hspace{1em}\mathrm{Classified} \mathrm{label} C_O$; $\mathrm{Step} 1:\hspace{1em}\mathrm{Compute} \mathrm{the} \mathrm{deterministic} \mathrm{rules} \Delta D_r\left(x\right)$$\mathrm{with} \mathrm{respect} \mathrm{to} \mathrm{the} \mathrm{logical} \mathrm{vector} \sigma$$\mathrm{and} \mathrm{featured} \mathrm{data} Op{t}_{a\left(i\right)}$ by using Equation (13); Step 2:  Estimate the feature map based on the convolutional operation as shown in Equation (14); Step 3: Compute the trail vector according to the target vector by using Equation (15); $\mathrm{Step} 4:\hspace{1em}\mathrm{Based} \mathrm{on} \mathrm{the} \mathrm{obtained} \mathrm{target} \mathrm{vector} \mathrm{and} \mathrm{weight} \mathrm{value}, \mathrm{the} \mathrm{dropout} \mathrm{factor} \partial$ is estimated as shown in Equation (16); $\mathrm{Step} 5:\hspace{1em}\mathrm{Consequently}, \mathrm{the} \mathrm{memory} \mathrm{cells} m_c$ are updated with the feature map and feedback value as represented in Equation (17); $\mathrm{Step} 6:\hspace{1em}\mathrm{The} \mathrm{distributed} \mathrm{probability} Di{P}_{sd}$ function is computed for each class of data by using Equation (18); Step 7: Compute the binary cross entropy for the definite segments as shown in Equation (19); $\mathrm{Step} 8:\hspace{1em}\mathrm{Finally}, \mathrm{the} \mathrm{output} \mathrm{classified} \mathrm{label} C_O$ is predicted as represented in Equation (20);

4. Results and Discussions

This section evaluates the results of the proposed GDSMO-DSLSTM intrusion detection system using various performance measures. First, the different types of SCADA IDS datasets such as CSE-CIC-IDS 2018, NSL-KDD, BoT-IoT, and ICS network traffic datasets have been considered to validate this scheme’s performance. Then, the results of both conventional and proposed intrusion detection methodologies are validated and compared by using various performance measures such as accuracy, precision, F1-score, true positive rate (TPR), false positive rate (FPR), detection rate, and false acceptance rate (FAR).

Table 1. CSE-CIC-IDS 2018 dataset.

Attack Types	Size
Benign	736,521
Bot	143,010
DDoS-LOIC-UDP	7085
DDoS-LOIC-HOIC	1,082,293
DDoS-LOIC-HTTP	296,084
DoS-GoldenEye	30,585
DoS-Hulk	90,051
DoS-Sloworis	13,475
SSH-Bruteforce	94,237
FTP-Bruteforce	193,360
Infiltration	209
Bruteforce-Web	268
Bruteforce-XSS	117
SQL-Injection	53

shows the attacking details of the CSE-CIC-IDS 2018 dataset, which comprises the different types of attacks related to bot, DDoS, DoS, brute force, and injection. Then, its corresponding confusion matrix and ROC analysis have been evaluated by using the proposed GDSMO-DSLSTM system, as shown in Figure 2 and Figure 3, respectively. Similarly, the dataset description with the attacking details, confusion matrix, and ROC analysis for the BoT-IoT dataset is presented in

Table 2. BoT-IoT dataset.

Category	Type of Attack	Flow Count
Benign	Benign	9543
Information gathering	Service scanning	1,463,364
	OS Fingerprinting	358,275
DDoS attack	DDoS TCP	19,547,603
	DDoS UDP	18,965,106
	DDoS HTTP	19,771
DoS attack	DoS TCP	12,315,997
	DoS UDP	20,659,491
	DoS HTTP	29,706
Information theft	Key logging	1469
	Data theft	118
Total		73,370,443

, Figure 4 and Figure 5, correspondingly. Then, the NSL-KDD dataset is also described with its features, confusion matrix, and ROC in Figure 6, Figure 7 and Figure 8. These evaluations show that the proposed intrusion detection system could efficiently predict the attacks of the given datasets with increased TPR.

4.1. Simulation Analysis

For validating the performance of the proposed security mechanism, various measures such as accuracy, FPR, TPR, F1-score, and recall are computed, and the results were obtained by using the MATLAB simulation tool. Figure 9 shows the accuracy and TPR of the proposed optimization-based classification methodology concerning various iterations. Similar to that, Figure 10 estimates the F1-score and FPR of the proposed mechanism for the different number of operations. Figure 11a,b show the proposed mechanism’s TPR, FPR, accuracy, and F1-score under varying iterations. According to these evaluations, it is analyzed that the proposed technique provides increased accuracy, F1-score, TPR, and reduced FPR values with a reduced number of operations. Consequently, the overall performance of the proposed system is validated and tested for the given datasets, as shown in Figure 12.

Then, the FAR and detection rate of the proposed techniques are validated for the different types of datasets, as depicted in Figure 13 and Figure 14, respectively. To assess the improved performance rate of the proposed classification technique using F1-score, recall and accuracy measures are shown in Figure 15. The obtained results state that the proposed technique provides improved performance results for the all the IDS datasets.

4.2. Comparative Analysis

Table 3. Comparative analysis between existing and proposed mechanisms using the CSE-CIC-IDS 2018 dataset.

Methods	Accuracy	TPR	FPR	F1-Score
Logistic Regression	92.2	76.7	0.46	76.7
LDA	88.2	64.8	0.70	64.8
Decision Tree	99.4	98.2	0.03	98.2
NB	91.7	75.1	0.49	75.1
SVM RBF	84.1	52.3	0.95	52.3
SVM Linear	80.2	40.6	1.18	40.6
Random Forest	99	97	0.05	97
MLP	90.9	72.8	0.54	72.8
Ada Boost	84.6	53.8	0.92	53.8
Quadratic Discriminant Analysis	72.2	1.66	1.66	1.66
Dense DNN	98.4	95.4	0.09	95.4
Dense DNN Tanh	96.5	89.7	0.20	89.7
Proposed GDSMO-DSLSTM	99	99.3	0.18	98.5

and Figure 16 compare the conventional [41] and proposed intrusion detection and classification methodologies for the CSE-CIC-IDS 2018 dataset, based on the measures of accuracy, TPR, FPR, and F1-score. Typically, the efficiency of any detection and classification system is evaluated using these measures. Additionally, the overall performance of the IDS approach significantly depends on the accuracy of detection. Therefore, the accuracy, TPR, FPR and F1-score have been increasingly used to validate security systems’ detection efficiency. These measures are computed by using the following models:

$$\mathrm{Accuracy}=\frac{TP+TN}{TP+TN+FP+FN}$$

(21)

$$\mathrm{Precision}=\frac{TP}{TP+FP}$$

(22)

$$\mathrm{Recall} \mathrm{or} \mathrm{TPR}=\frac{TP}{TP+FN}$$

(23)

$$\mathrm{F}1-\mathrm{score}=\frac{2TP}{2TP+FP+FN}$$

(24)

$$\mathrm{FPR}=\frac{FP}{FP+TN}$$

(25)

where, TP is true positive, TN is true negative, FP is false positive, and FN is false negative. The evaluation shows that the proposed GDSMO-DSLSTM outperforms the other techniques with increased accuracy, TPR, F1-score, and reduced FPR, because the clustering-based optimization and classification processes help obtain an improved performance during the detection of intrusions from the datasets.

Table 4. Analysis based on accuracy, TPR, FPR, and F1-score.

Methods	Accuracy	TPR	FPR	F1-Score
ABOD	94.4	100	10.1	94.2
Isolation Forest	93.8	99.9	11.1	93.7
LOF	94.4	100	1.01	94.2
Auto Encoder	95.14	100	0.96	95.33
GDSMO-DSLSTM	98.8	100	0.85	98

and Figure 17 validate and compare the existing and proposed machine learning-based classification techniques used to detect intrusions in the SCADA systems based on accuracy, TPR, FPR, and F1-score. The obtained results also depicted that the proposed GDSMO-DSLSTM technique improves performance value over the other methods. This is because the clustering and optimal parameter tuning help to precisely locate the intrusions from the datasets based on the global fitness value. Moreover, the performance of detection depends on the quality of the input dataset, hence, the attribute normalization helps to increase the quality of data. Specifically, the multifacet clustering splits the preprocessed into a group of chunks, which is more helpful to process the dataset for classification.

Table 5. Accuracy, detection rate, and F1-score of existing and proposed classification techniques using the SCADA network dataset.

Techniques	Accuracy	Detection Rate	F1-Score
Decision Forest	99.72	94.12	80.26
Boosted Decision Forest	99.77	93.14	84.67
Decision Jungle	99.79	93.97	85.08
Cyber physical model	99.79	99.78	98.7
Proposed GDSMO-DSLSTM	99.8	99.85	99.8

and Figure 18 compare the conventional [42] proposed intrusion detection and classification techniques based on accuracy, detection rate, and F1-score, where the SCADA network dataset has been utilized to assess the results. Typically, the detection rate and accuracy are the essential parameters used for validating the proficiency and concert of security systems. Here, the detection rate is used to determine how accurately the IDS can identify the attacks from the datasets with increased speed and reduced time consumption. Based on the evaluations, it is perceived that the proposed GDSMO-DSLSTM technique provides increased accuracy, detection rate, and F1-score values compared to the other methods, which shows the overall improved performance rate of the proposed system.

Table 6. Comparative analysis between the existing and proposed deep learning techniques based on FAR.

Techniques	CSE-CIC-IDS 2018	BoT-IoT
DNN	1.3	1.45
RNN	1.2	1.2
CNN	1	1.1
RBM	1.12	1.135
DBN	1.11	1.12
DBM	1.11	1.115
DA	1.10	1.11
GDSMO-DSLSTM	0.9	0.95

and Figure 19 compare the existing [43] and proposed deep learning techniques used to develop the IDS frameworks, based on the false acceptance rate (FAR) measure. Both datasets, such as CSE-CIC-IDS 2018 and BoT-IoT, have been taken for validation and comparison. Similarly, the detection rate of existing and proposed deep learning models are compared using these datasets, as shown in

Table 7. Comparative analysis between the existing and proposed deep learning techniques based on detection rate.

Techniques	CSE-CIC-IDS 2018	BoT-IoT
DNN	95	97.5
RNN	98	97.5
CNN	98	97.5
RF	92.5	92.5
NB	82	80
SVM	93	90
ANN	90	89
GDSMO-DSLSTM	98	97

and Figure 20. According to these evaluations, it is observed that the proposed GDSMO-DSLSTM provides a reduced FAR and increased detection rate for both datasets, when compared to the other techniques. This is because the proposed optimization technique supports the training the deep learning classifier with the best optimal features, which avoids an increased FAR of classification.

Table 8. Precision, recall and f1-measure of existing and proposed classification techniques.

Methods	Precision	Recall	F1-Measure
FNN	88	89.2	87.4
LSTM	99.54	99.01	99.27
Ensemble Learning	99.76	99.57	99.68
GDSMO-DSLSTM	99.8	99.8	99.85

and Figure 21 compare the precision, recall, and f1-measure of both existing [27] and proposed classification techniques using the omni-attacks dataset. The precision and recall measures are generally used in all classification and detection application systems to assess the classifier’s performance and efficiency. Based on these results, it is evident that the proposed GDSMO-DSLSTM technique provides increased precision, recall, and f1-measure values compared to the other methods. Furthermore, the optimal parameter tuning attains improved performance outcomes over the different classifiers.

5. Conclusions

This paper presents a classy multifacet clustering-based optimization and classification methodology for detecting intrusions from the SCADA systems. The main contribution of this work is to develop an intelligent IDS framework by using the fusion of methods for obtaining an increased detection accuracy, reduced false positives, error rate, and complexity. The most popular IDS datasets have been utilized to implement and validate the proposed security system. The dataset normalization and preprocessing operations have been performed to eliminate irrelevant attributes and balance the data. Consequently, the MDCM technique is applied to group the attributes into the form of clusters based on the distance value. The main purpose of implementing the clustering technique is to simplify the process of intrusion detection and classification with an increased speed of processing. Then, the GDSMO technique is employed to optimally select the best features for training the classifier model, which helps reduce the time taken for dataset training and testing. The switching probability, weight value, and fitness value have been computed during this process for selecting the optimal parameters to improve the classification.

Moreover, the DS-LSTM-based deep learning classifier is deployed for spotting the intrusions from the clustered datasets based on the optimal set of features. The primary advantages of using this technique are reduced time consumption for training and testing, increased accuracy and detection rate, and minimized misclassification rate. Finally, the performance of the proposed GDSMO-DSLSTM-based IDS is validated and compared with the recent state-of-the-art models by using the measures of accuracy, precision, recall, F1-score, FAR, and detection rate. The evaluation states that the proposed GDSMO-DSLSTM technique outperforms the other approaches with improved performance values.

In future, the proposed work can be enhanced by developing a secured communication medium for protecting the SCADA systems from internal and external threats. Additionally, the major properties such as integrity, scalability, intrusion tolerance, and self-healing can be satisfied by designing an effectively secured SCADA architecture.