A hybrid anomaly-based intrusion detection system to improve time complexity in the Internet of Energy environment
Introduction
Recent technological advancements have converted the traditional electric grid into a Smart Grid (SG) by using information and communication technology. One step further, a new paradigm has emerged on the technology horizon, called the Internet of Energy (IoE). The IoE is believed to remedy two main global problems: carbon emissions and the energy crisis. The IoE is an innovative amalgamation of the SG and the Internet; in other words, it is the convergence of the Internet, communication, and energy [7]. The IoE is a platform that integrates communication and power flows, thereby ensuring the seamless integration of power generation, distribution, operations, end-users, service providers, and regulators. It is believed that the IoE will also accommodate renewable energy sources in order to support economic and environmental efficacy. An abstract form of the IoE is depicted in Fig. 1. One of the key enablers of the IoE is the Internet of Things (IoT) [1], [37], [41]; specifically, the sensing and actuating abilities of the IoT will be used in the IoE energy domains. The Internet architecture provided by IoT technology enables the dissemination of information among various smart devices, such as smart home appliances, smart meters, and utility companies, and facilitates monitoring and control of IoE operations.
The Advanced Metering Infrastructure (AMI) is an important entity of the IoE paradigm that facilitates bidirectional data communication between customers and utility companies. The AMI is composed of three entities: smart meters, data concentrators, and AMI headends. Smart meters are responsible for metering the electricity consumption of electrical appliances. The data concentrators operate in a specific geographical area and aggregate power-consumption data from the smart meters installed in that region. The data concentrators then forward the data to the AMI headends. The headends act as a central server at the utility company and are responsible for the reception, storage and management of the information sent by the data concentrators. The aggregated data at the headends enable the utility company to manage resources and take the right decisions regarding power generation, transmission and dissemination.
The AMI employs various communication networks to exchange data, as shown in Fig. 2. We discuss these networks briefly as follows. A Home Area Network (HAN) is a personal area network that is usually built across the personal devices of a person at home, such as smart appliances, using Bluetooth or Zigbee. The smart meter in the HAN connects to a data concentrator via another communication network, called the Neighborhood Area Network (NAN), using WiFi, cellular (3G or 4G), or WiMAX technologies. The data concentrators then use Wide Area Networks (WANs) to communicate with the headends at the utility company's network. WANs may use WiMAX, cellular (3G or 4G), or satellite technologies. Field Area Networks (FANs) are then used by the utility company to process and maintain its operations.
The advantages of the ensuing IoE architecture are numerous; however, the IoE, being a critical infrastructure for a country, will inherit the security vulnerabilities of the SG and the IoT and may introduce more unknown threats into the new system. The IoE architecture may be targeted by cyber attackers to compromise its availability, integrity, and confidentiality [15]. For instance, Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks may be mounted to cause detrimental damage such as disruption of the system or its subsystems, or a power outage [4], [8], [14], [50]. Cyber attackers create networks of compromised nodes, called botnets, in order to increase the scale of the attack. The attackers usually employ spoofed or masqueraded identities to launch these attacks, which makes the source of the attack undetectable [2]. One example of such an incident happened in Ukraine, where a successful cyberattack on a Ukrainian power substation caused a power outage affecting almost 225,000 people in the region [19]. Furthermore, bogus data can be injected into the network to disrupt the system and even to modify smart meter data [9], [10], [29], [31]. Multiple false identities can be created on a single physical device, known as a Sybil attack [3], [25], to perform other malicious actions for monetary and non-monetary gains.
The hybrid nature of the IoE architecture, which comprises various ICT and industrial components, together with the diversity of communication among these components and the huge volume of data generated by each subsystem, hinders the use of conventional security systems. Therefore, the presence of an Intrusion Detection System (IDS) is crucial for the smooth operation of the IoE, ensuring the main security requirements of availability, integrity, and confidentiality [44], [45]. An IDS monitors network traffic and aims to detect attacks in real time. Monitoring network traffic makes it possible to flag any attack to a network administrator or security practitioner for further analysis and countermeasures. An IDS raises alerts for any suspected attacks; this is made difficult by the increasing quantities of data as well as by new attacks being constantly created as a consequence of the increasing amount of valuable data [12], [18], [20], [34], [39].
Various machine learning based anomaly-based IDS have been proposed to protect the critical infrastructure of the IoE and SG. Some of them are designed to protect the whole ecosystem of the IoE or SG, such as [35] and [51], while others target the protection of critical individual components of the IoE or SG, such as [23] and [6]. However, anomaly-based IDS have one main drawback: the complexity of the algorithms involved adds computational and therefore time complexity, which is a serious problem when the volume of network traffic increases. Similarly, some components of the IoE and SG are resource-constrained, and it may not be feasible for them to use these machine learning based IDS, which are resource hungry and consume a considerable amount of computing and storage resources. In this paper, we propose an anomaly detection-based IDS that employs machine learning algorithms to detect zero-day (unknown) malicious attacks. Our proposed IDS can be installed at a networked site of the IoE architecture, such as the AMI, which enables communication between energy consumers and utility companies [36]. This work tackles the aforementioned drawback of anomaly-based IDS by reducing the processing time of data in anomaly detection without compromising the detection accuracy of the system.
This paper specifically makes the following contributions:
- We propose an anomaly detection-based IDS that employs machine learning algorithms to detect zero-day (unknown) malicious attacks using a k-means based Support Vector Machine (SVM).
- The proposed system significantly reduces the time complexity by using the optimal value of k for K-means, selected with the elbow method.
- We apply SVM to detect anomalies and fine-tune its hyperparameters using the grid search method for better anomaly detection.
- We tackle the problem of processing large amounts of network traffic, and our proposed approach achieves the highest accuracy of 99.9% in comparison with existing approaches.
This paper is structured as follows. Section 2 describes related work on anomaly-based IDS solutions from 2010 onwards; in Section 3 the proposed KSVMeans is described and broken down into its individual modules, before being evaluated and analysed in Section 4 through a series of experiments and comparisons with recent research. Section 5 concludes the paper.
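The elbow-method step behind the second contribution (choosing k for K-means before the SVM stage) is shown here as an added illustration; this is not the paper's code. It is a pure-Python Lloyd's K-means run on a constructed set of fifteen two-feature connection records; the feature meanings, the deterministic farthest-point seeding and the 5% gain threshold are assumptions, and the per-cluster SVM stage is not shown.

```python
# Constructed sample: 15 connection records with two features scaled to [0, 1],
# in the spirit of KDD'99 per-connection features (e.g. same-host connection count
# and SYN-error rate). Values are invented: three tight groups, normal / DoS-like / probe-like.
OFFSETS = [(0.0, 0.0), (0.02, -0.02), (-0.02, 0.02), (0.01, 0.01), (-0.01, -0.01)]
CENTRES = [(0.10, 0.10), (0.90, 0.90), (0.90, 0.30)]
SAMPLE = [(cx + dx, cy + dy) for cx, cy in CENTRES for dx, dy in OFFSETS]

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def init_centroids(points, k):
    """Deterministic farthest-point seeding (an assumption made here for
    reproducibility; the paper does not specify its initialisation)."""
    chosen = [points[0]]
    while len(chosen) < k:
        chosen.append(max(points, key=lambda p: min(sq_dist(p, c) for c in chosen)))
    return chosen

def kmeans(points, k, max_iter=100):
    """Lloyd's K-means. Returns (labels, centroids, inertia), where inertia is
    the within-cluster sum of squared distances to the nearest centroid."""
    centroids = init_centroids(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: sq_dist(p, centroids[j])) for p in points]
        if new_labels == labels:          # assignments stable -> converged
            break
        labels = new_labels
        for j in range(k):                # move each centroid to its members' mean
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = tuple(sum(c) / len(members) for c in zip(*members))
    inertia = sum(sq_dist(p, centroids[lab]) for p, lab in zip(points, labels))
    return labels, centroids, inertia

def elbow_k(points, max_k=6, min_gain=0.05):
    """Elbow method: run K-means for k = 1..max_k and return the smallest k
    after which adding one more cluster cuts the inertia by less than min_gain
    of the k = 1 inertia, together with the full inertia curve."""
    inertias = [kmeans(points, k)[2] for k in range(1, max_k + 1)]
    for k in range(1, max_k):
        if (inertias[k - 1] - inertias[k]) / inertias[0] < min_gain:
            return k, inertias
    return max_k, inertias

def partition(points, labels):
    """Split the traffic into per-cluster subsets: each is the smaller, tighter
    dataset that a per-cluster SVM (the paper's next stage, not shown) would see."""
    return [[p for p, lab in zip(points, labels) if lab == j] for j in range(max(labels) + 1)]

if __name__ == "__main__":
    k, curve = elbow_k(SAMPLE)
    labels, _, _ = kmeans(SAMPLE, k)
    print(f"elbow k={k}; normalised inertia curve={[round(i / curve[0], 3) for i in curve]}")
    print("cluster sizes:", [len(part) for part in partition(SAMPLE, labels)])
```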
Related work
Anomaly-based IDS are usually considered the best option (as compared to signature-based IDS) because of their ability to detect zero-day attacks. In this section, we discuss existing anomaly-based IDS in general and also those that have been proposed for the IoE and SG architectures.
In IDS, machine learning algorithms are commonly used to perform statistical analysis and pattern matching in an attempt to determine an anomaly. The goal of the algorithm is for the system to
System overview
In our proposed solution, a machine learning algorithm is developed to detect attacks, specifically DoS and Probing attacks, in network traffic while reducing the processing time. The K-means algorithm is a clustering algorithm that can produce tight clusters from large unlabelled datasets, such as network traffic. The SVM, on the other hand, can be extremely accurate when dealing with smaller, lower-dimensional datasets. For this reason, we see the use of the K-means algorithm on the dataset
Experimentation and results
This section explains the experimental analysis and results of our intrusion detection approach. We also provide a comparison with existing studies on intrusion detection. We use the KDD'99 dataset for experimentation. We apply the K-means and SVM algorithms to distinguish normal traffic from intrusion attacks (i.e., DoS, Probe, R2L, and U2R).
Conclusion
Cyberattacks are becoming a detrimental problem in the Internet environment, and likewise in the IoT and IoE. This research reviewed the current state of the anomaly-based IDS research landscape and drew conclusions based on its findings. This research proposed KSVMeans, a solution to the problem of real-time network detection. We showed that KSVMeans can be used at any networked site of the IoE architecture, such as the Advanced Metering Infrastructure (AMI). This method was tested using the KDD Cup ’99
CRediT authorship contribution statement
Thomas Rose: Conceptualization, Methodology, Validation. Kashif Kifayat: Supervision. Sohail Abbas: Conceptualization, Writing - original draft. Muhammad Asim: Writing - review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Thomas Rose graduated with a 1st class honours degree in Cyber Security from Liverpool John Moores University. His main area of expertise is in offensive security, specifically web application and network security. He currently works as a Penetration Tester at The Hut Group. Prior to this position he also has experience in Software Development and Application Security.
References (53)
- COMITMENT: A fog computing trust management approach. J. Parallel Distrib. Comput. (2020)
- High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning. Pattern Recognit. (2016)
- A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst. Appl. (2014)
- A network intrusion detection system based on a hidden Naïve Bayes multiclass classifier. Expert Syst. Appl. (2012)
- CANN: An intrusion detection system based on combining cluster centers and nearest neighbors. Knowl.-Based Syst. (2015)
- A nifty collaborative intrusion detection and prevention architecture for smart grid ecosystems. Comput. Secur. (2017)
- Feature selection based hybrid anomaly intrusion detection system using K means and RBF kernel function. Procedia Comput. Sci. (2015)
- Decision tree based light weight intrusion detection using a wrapper approach. Expert Syst. Appl. (2012)
- Real-time anomaly detection systems for denial-of-service attacks by weighted k-nearest-neighbor classifiers. Expert Syst. Appl. (2011)
- Support vector domain description. Pattern Recognit. Lett. (1999)
- A triangle area based nearest neighbors approach to intrusion detection. Pattern Recognit.
- Deep learning aided interval state prediction for improving cyber security in energy internet. Energy
- Breast cancer diagnosis based on feature extraction using a hybrid of k-means and support vector machine algorithms. Expert Syst. Appl.
- A mechanism for securing IoT-enabled applications at the fog layer. J. Sens. Actuator Netw.
- Masquerading attacks detection in mobile Ad Hoc networks. IEEE Access
- Bayesian based intrusion detection system
- Evaluation of machine learning-based anomaly detection algorithms on an industrial modbus/TCP data set
- Internet of energy. Bus. Inf. Syst. Eng.
- DeepDetect: Detection of distributed denial of service attacks using deep learning. Comput. J.
- Online detection of stealthy false data injection attacks in power system state estimation. IEEE Trans. Smart Grid
- A secure fog-based platform for SCADA-based IoT critical infrastructure. Softw. - Pract. Exp.
- Intrusion detection for advanced metering infrastructures: Requirements and architectural directions
- A novel PCA-firefly based XGBoost classification model for intrusion detection in networks using GPU. Electronics
- Ten simple rules for selecting a postdoctoral position. PLoS Comput. Biol.
Cited by (25)
- HOTD: A holistic cross-layer time-delay attack detection framework for unmanned aerial vehicle networks. 2023, Journal of Parallel and Distributed Computing
- A novel metaheuristics with deep learning enabled intrusion detection system for secured smart environment. 2022, Sustainable Energy Technologies and Assessments. Citation excerpt: "The crowd source online repository to signature based malicious pattern set generation was planned and self-tuning timed automaton was established for detecting the intruder from IoT networks. Rose et al. [15] presented a hybrid anomaly based IDS which is installed at some networked site of IoE structure like Advanced Metering Infrastructure (AMI), to counteract security attacks. The presented method decreases the entire classifier time of detections related to the present hybrid techniques."
- Enabling Technologies for Energy Cloud. 2021, Journal of Parallel and Distributed Computing. Citation excerpt: "Also, Abbas Yazdinejad et al. in [17] discuss the secure routing with untrusted devices in Software Defined Network (SDN)-based Energy Cloud critical infrastructure and propose a new algorithm to determine the optimal number of replicated devices to minimize the cost of implementing secure routing in spite of the presence of untrusted devices in SDN-based Energy Cloud critical infrastructure. The authors in [13] propose a hybrid anomaly-based Intrusion Detection System (IDS) that can be installed at any networked site of the Internet of Energy architecture, such as Advanced Metering Infrastructure (AMI), to counteract security attacks. The proposed system reduces the overall classification time of detection compared to the existing hybrid methods."
- Energy-aware ACO-DNN optimization model for intrusion detection of unmanned aerial vehicle (UAVs). 2023, Journal of Ambient Intelligence and Humanized Computing
- Machine Learning-based Intrusion Detection for Smart Grid Computing: A Survey. 2023, ACM Transactions on Cyber-Physical Systems
- Three level intrusion detection system based on conditional generative adversarial network. 2023, International Journal of Electrical and Computer Engineering
Kashif Kifayat received the Ph.D. degree in cyber security from Liverpool John Moores University, Liverpool, U.K., in 2008. He is currently a Professor and the Chair of the Cyber Security Department at Air University, Islamabad, Pakistan. Prior to this, he was working as a Reader in cyber security at Liverpool John Moores University. His research interests include network security, security of complex systems, risk analysis, intrusion detection systems, digital forensics, secure service composition, privacy-preserving data aggregation, cryptography, computer forensics, and IoT security. He has published over 90 articles in international conference proceedings and journals, and has served on a number of conference TPCs and journal editorial boards. He has also played a key role in many funded research and development projects related to his research topics.
Sohail Abbas received his PhD degree in wireless network security from Liverpool John Moores University, UK, in 2011. Currently, he is working as an Assistant Professor in the Department of Computer Science, College of Computing and Informatics, University of Sharjah, UAE. He has been involved in academia and research for more than 14 years. His research interests include security issues, such as intrusion detection, identity-based attacks, and trust in wireless networks, such as mobile ad hoc networks, wireless sensor networks, and the Internet of Things. Dr. Sohail is a member of various technical program committees, including IEEE CCNC, IEEE VTC, IEEE ISCI, IEEE ISWTA, etc. He was Track Co-chair of the 16th ACS/IEEE International Conference AICCSA 2019. He also serves as a reviewer for various prestigious journals, such as Security and Communication Networks, IET Wireless Sensor Systems, Mobile Networks and Applications, International Journal of Electronics and Communications, and International Journal of Distributed Sensor Networks.
Muhammad Asim is an Associate Professor at the Department of Computer Science, National University of Computer and Emerging Sciences, Pakistan. Having attained a PhD from Liverpool John Moores University, he researches in the fields of Cloud Computing, Computer Networks, Network Security, Internet of Things and Wireless Sensor Networks.