Efficient Cyber Attack Detection on the Internet of Medical Things-Smart Environment Based on Deep Recurrent Neural Network and Machine Learning Algorithms

Information and communication technology (ICT) advancements have altered the entire computing paradigm. As a result of these improvements, numerous new channels of communication are being created, one of which is the Internet of Things (IoT). The IoT has recently emerged as a cutting-edge technology for creating smart environments. The Internet of Medical Things (IoMT) is a subset of the IoT in which medical devices exchange sensitive information with one another. These developments enable the healthcare business to maintain a higher level of contact with and care for its patients. Security is seen as a significant challenge for any technology that relies on the IoT. Security difficulties arise from the various potential attacks posed by attackers. There are numerous security concerns, such as remote hijacking, impersonation, denial of service attacks, password guessing, and man-in-the-middle attacks. In the event of such attacks, critical data associated with IoT connectivity may be revealed, altered, or even rendered inaccessible to authorized users. As a result, it is critical to safeguard the IoT/IoMT ecosystem against malware attacks. The main goal of this study is to demonstrate how a deep recurrent neural network (DRNN) and supervised machine learning (SML) models (random forest, decision tree, KNN, and ridge classifier) can be utilized to develop an efficient and effective intrusion detection system (IDS) in the IoMT environment for classifying and forecasting unexpected cyber threats. Preprocessing and normalization of network data are performed. Following that, we optimized features using a bio-inspired particle swarm algorithm. A thorough experimental evaluation of the DRNN and the other SML models is performed on standard intrusion detection data. It was established through rigorous testing that the proposed SML model outperforms existing approaches with an accuracy of 99.76%.


I. INTRODUCTION
The IoT offers a plethora of uses. Smart health services, smart grids, smart transportation, and construction are all well-known uses [3]. Figure 1 depicts the IoT's four-layer design. In addition, the IoT is a new paradigm in which a network of real items equipped with sensors aims to combine the digital and physical worlds seamlessly. The IoT revolution, fueled in large part by advancements in sensor networks, wireless communications, cloud computing, and mobile devices, is reimagining modern healthcare and altering its reliability and delivery [4].
The Internet of Medical Things (IoMT) is a recent development that is a component of the IoT. It is an environment in which numerous healthcare gadgets such as smart glucometers, smart blood pressure displays, smart bands, intelligent pacemakers, and intelligent pulse rate monitors are linked and interact with one another to distribute sensitive medical information that is used by health care officials, hospitals, and doctors to provide exceptional medication and support [6]-[8]. These confidential data are kept in data centers by the gateway and then sent to the appropriate end users [9]. The IoMT architecture is depicted in Figure 2: it connects various smart medical appliances and interacts with clinicians to provide effective treatment and assistance. The data is hosted in the cloud and distributed to end users via a separate gateway. Remote patient monitoring has been expanded with the advent of the IoMT. By linking outpatients to their doctors and permitting the secure transfer of health information over a protected network, it helps reduce needless hospital visits and the stress on health care systems. At the moment, this is fundamentally important owing to the worldwide COVID-19 pandemic, which is limiting in-person medical appointments in order to prevent the spread.
In addition, the IoMT was born as a result of the incorporation of medical equipment into the IoT [10]. With the advent of the modern digitized healthcare age dubbed Healthcare v4.0 [11], [1], IoT equipment has been used in a variety of medical domains, most notably through the widespread use of medical wearable sensors, gadgets, robots, and unmanned aerial vehicles (UAVs). Indeed, in the context of body area networks, actuators and medical sensors are utilized as wearable gadgets. Rather than confining patients in hospitals, these technologies are capable of monitoring their health in real time and improving their physical mobility and flexibility. On the other hand, medical robots can also be used as hospital robots and surgical robots [1], capable of performing minor surgery accurately. Additionally, they can perform a variety of surgical treatments, including cardiopulmonary resuscitation (CPR) [12]. Nevertheless, the central problem is that many IoMT devices are prone to cyber-attacks merely because medical equipment is either inadequately guarded against prospective attackers or is completely insecure. As a result, any cyberattack might have dire effects, endangering patients' lives and impeding the widespread adoption of IoMT. Hackers are also motivated by the growth and developments in technology to break into the servers that house this sensitive data. Numerous attack vectors might be exploited to take control of these intelligent medical accessories. For instance, if an intruder takes possession of intelligent pacemakers, he will be able to take the patient by surprise, perhaps resulting in death. These emergent risks have the potential to negatively impact the IoMT ecosystem and so must be addressed immediately [13].
Not only is the IoMT transforming the healthcare industry, it is also facilitating a more humane approach to patient healing and care. It is, nevertheless, vulnerable to a variety of cyber-attacks and susceptibilities. The authors of [14] identified several causes for the high number of cyberattacks in IoMT, including the following: (1) Compatibility and complexity issues that arise when a large number of gadgets and diverse networks are connected. (2) The IoMT is largely concerned with the exchange of sensitive patient data. (3) As a burgeoning paradigm, IoMT solutions are being adopted rapidly by healthcare makers without regard for security concerns. As a consequence, additional concerns about confidentiality, integrity, and availability (CIA) emerge. (4) Application risks, such as authorization and authentication breaches, are likewise a big concern, as is the application's general security and availability. (5) Certain security computations need a sizable proportion of computing power. (6) Because the majority of IoT components receive and transmit data wirelessly, IoMT is at risk of WSN security violations. These are only a few of the primary reasons why IoMTs are vulnerable to a variety of harmful attacks.
Most of these linked appliances are unsecured, and the possible impact is not just on patients' records but also on outpatient care, as any mistake in a patient's document or analysis could result in their death. As a result, it is critical to address how to recognize and guard against attacks on medical equipment. While the majority of IoT vulnerabilities also apply to IoMTs, some are aimed much more specifically at IoMTs because of the sensitive nature of healthcare data. These attacks comprise, but are not restricted to, data breaches, man-in-the-middle attacks, probe attacks, decryption of network communication, DoS attacks, and privacy and security issues.
According to an IBM survey, healthcare firms incurred the largest losses as a result of data theft [15].
Additionally, Help Net Security reports that hackers infiltrated Singapore's health system, stealing private information from 1.5 million patients and compromising outpatient prescription data for 160,000 persons, including Singapore's Prime Minister [16]. The health sector is perpetually beset by a slew of cybersecurity-related problems. These concerns vary from ransomware that undermines system integrity and patient privacy to DDoS attacks that impair institutions' capacity to deliver outpatient care. Secure transmission of sensitive data, such as protected health information, across the IoMT, in addition to continuous access to the computer system, is a growing concern for healthcare practitioners. While other critical infrastructure industries are often targeted, the healthcare sector has specific hurdles due to the nature of its mission. The impact extends beyond monetary loss and invasion of privacy to have a direct effect on human life. Regardless of the motivation for an attack on the healthcare system, great or minor, such attacks continue to constitute a threat. As IoMT devices become ingrained in hospitals, we must devise a strategy for their secure and effective management.
Conventional information technology security measures do not take into account the setting of connected medical equipment. Security research in this domain is now focusing on the implementation of encryption, authentication, and trust-based systems for implantable and wearable medical products [17]-[19]. These cryptographic solutions are frequently computationally intensive and difficult to apply on resource-limited medical equipment [4]. Physical layer security has lately been considered as a promising alternative to cryptography, leveraging the physical layer characteristics of the network to enhance the security of IoT devices [20].
The major drawback of conventional information technology security measures such as encryption, authentication, and trust-based systems is that they are difficult to apply and cannot guarantee adequate security. Therefore, a second line of defense is needed. However, before physical layer security solutions are used by practical systems, issues like weak attacker models regarding wireless channels must be addressed [21].
The proposed method for detecting attacks in the IoMT covers different attacks such as DoS, brute force, and botnet, all of which are examples of attacks in this data that might result in the failure of an IoT system. In this study, we take a different approach from cryptographic security solutions and present intrusion detection solutions based on ML and DL for detecting cyber-attacks in IoMT. While there is extensive research on utilizing cryptography to detect IoMT attacks, research on intrusion detection in IoMT is still in its infancy, and to the best of our knowledge, there is no research on using wrapper-based PSO feature selection to improve IDS performance in IoMT. This paper is organized as follows. Section 2 discusses the related work. Section 3 presents the proposed methodology. Section 4 reports the results and discussion. Section 5 concludes the paper.

II. RELATED WORK
This section covers work in the relevant area of IDS.
Because patient data is sensitive and confidential, privacy and security are crucial in IoMT applications. Numerous academics have conducted surveys on the topic of offering privacy, confidentiality, and safety solutions in IoMT [23].
The authors [5] provided an IDS for the detection of various threats such as DoS, Botnet, and web attacks in IoMT contexts. The CICIDS dataset was used to conduct the experiment, which used the DBN model to spot these assaults. The botnet attack had an accuracy of 97.93 percent. The authors overlook the feature selection phase, which was identified as a fundamental flaw in IDS in the IoMT environment.
The authors of [24] presented a privacy-preserving framework for IoMT applications, data gathering, and analysis. On the NSL-KDD datasets, FFDNN is combined with the FBFSA to detect anomalous intrusions in wireless networks. For wireless networks, the algorithm picks the best features with the least amount of redundancy. It is composed of three deep layers and contains a set of 30 neurons. The data is separated into training and testing segments in this article, resulting in a 99.69 percent accuracy [25].
Thamilarasu et al. [4] designed a new IDS based on mobile agents to safeguard a network of linked medical equipment. The suggested system, in particular, is layered and autonomous, and utilizes ML and regression methods to detect network-level attacks as well as abnormalities in wearable sensors. They replicated a hospital network and conducted comprehensive experiments on a variety of IoMT subsets, such as wireless body area networks and other linked medical instruments. The authors of [26] suggested a two-stage DL method for ID that utilizes a soft-max technique and a stacked autoencoder. The suggested system is made up of three layers: input, hidden, and output. A likelihood score model was employed in the first stage to classify network traffic as regular or anomalous. The second stage used a soft-max to classify the data as regular, type 1, type 2 attacks, and so on. To demonstrate its efficiency, studies were conducted on two publicly available datasets, KDD'99 and UNSW-NB15, which attained accuracies of 99.99 percent and 89.13 percent, respectively. Asmae et al. [27] presented an IDS based on network metrics for detecting WBAN jamming attacks.
The authors of [28] detected intrusions in the system by combining an improved conditional variational autoencoder (ICVAE) with a DNN. The ICVAE encoder initializes the weights of the DNN hidden layers. The DNN is simple and quick to use because the dimensionality of the features is reduced. The authors of [29] propose a methodology called deep adversary learning (DAL) that uses statistical learning and data enrichment to identify network intrusions. Through data augmentation, this strategy addresses the difficulties of data shortages and imbalances. The classifier is used to reject intrusion-enhanced data, while the generator is used to generate intrusion-enhanced datasets. SVM is used to distinguish between normal and attack intrusion datasets. The experiments were performed on the KDD Cup 99 data, and the findings revealed that the precision, recall, and accuracy scores were improved compared to conventional techniques. The researchers in [30] introduced a framework for cyber ID based on DBN and IGA, which was primarily assessed on NSL-KDD datasets and showed a 99 percent detection accuracy rate. For intrusion detection, the DBN employs IGA-generated optimum system features. However, training on the dataset takes more time.
In reference [31], the researchers compared an IoT feature extraction model with a predictive analysis system to create a cybersecurity IDS for smart cities using deep migrating supervised learning. The four steps of the deep migrating learning model are an ideal feature, variable, feature sampling, and knowledge. The KDD CUP 99 intrusion dataset was used for this study's experiments, which included 10,000 training data sessions selected at random and produced a detection rate of 91.05 percent. Nevertheless, the intrusion detection rate can be enhanced further. The authors of [32] presented an RBM model with five (5) levels for detecting DDoS attacks in datasets from smart city applications. For pre-sample selection, an FFN is employed; for data classification, an RF and an SVM are utilized. RBM is used to process the K-means approach to learn critical features for sub-form datasets. In [33], GDM and GDM/AG are combined with a DLNN architecture to increase the accuracy and identification of automotive security intrusions. The suggested solution is validated using the Intelligent car CAN bus via the Kvasercan leaf version 2 device.
In [34], a novel hybrid model based on IG and PCA was introduced to spot intrusions on the NSL-KDD, Kyoto 2006+, and ISCX 2012 datasets using an MLP, IBK, and SVM. The KDD99 dataset is used in [35] to identify anomalous cyber intrusion threats using a SoftMax algorithm and CNN. The authors employed 494021 samples for training and 311029 samples for testing, achieving a 99.23 percent accuracy rate. A summary of other existing methods is given in Table 1.

III. METHODOLOGY
This section examines several methods and algorithms for categorizing attack occurrences in the IoMT environment. It gives a comprehensive overview of the pre-processing phase, feature selection using the swarm intelligence method known as particle swarm optimization (PSO), and classification using SVM, RF, NB, and RNN.

A. PROPOSED APPROACH
The IoMT ecosystem is comprised of a variety of sensors that monitor patients' health and send periodic updates to clinicians who can maintain proximity. Although these devices are intelligent enough to gather sensitive data and send it to a storage location such as a server in the cloud, they are not intelligent enough to determine whether the data is being conveyed safely or whether any attackers have intruded before or during storage while interacting with the physician in the clinic. When an IoMT environment is used, numerous types of attacks are feasible, and our model focuses on detecting probe, remote to local, user to root, and DoS attacks. As seen in Figure 3, data travels from the various medical sensors attached to the body of the patient through the multispectral board, gateway, and router, and finally to the servers and other observing equipment for viewing. While the data is being transmitted from the gateway via the servers, an eavesdropper may change the medical information in transit or perform DoS attacks to prevent the information from reaching the display phase.

B. DATA FILTERING
The filtered data assists the system in presenting correctly structured data. The data was processed by transforming string attributes to numeric variables and removing inconsistencies [40], [41]. During this phase, an inconsistent element is also eliminated.

C. FEATURE SELECTION
Feature Selection (FS) is a method for picking a subset of relevant features and deleting the many superfluous and redundant ones from the data [42] to create efficient learning methods. FS can be defined as the process of removing redundant and irrelevant attributes from a dataset to improve training in terms of detection accuracy and model construction time [43]. Apart from reducing model complexity, feature selection can assist in removing certain computations [44]. In this research, PSO is utilized for FS to select twenty-one (21) attributes out of the forty (40) attributes with one class from the NSL-KDD dataset. Process for Feature Selection: FS techniques follow a four-stage process, as illustrated in Figure 4.
1. A generation procedure that produces the next candidate subset.
2. An evaluation function that evaluates the subset.
3. A stopping criterion that determines when to terminate.
4. A validation procedure that validates the subset.

D. PARTICLE SWARM OPTIMIZATION
In 1995, Eberhart and Kennedy presented an optimization method called PSO, which was inspired by animal behavior [45]. A swarm of particles continuously explores the search space of a problem to determine the global best configuration [46]. Ever since its conception in 1995, PSO has been applied to a growing number of complicated, real-world optimization problems where standard methods either underperform or have limited utility [47]. Its simple form and very few adjustable parameters make it well suited to a wide variety of problems that require approximation to some degree. PSO, which is a metaheuristic optimization algorithm, was adopted for FS to select the most relevant attributes of the attacks in the NSL-KDD data before the features are subjected to classification.

E. ASSUMPTION OF THE PSO
In PSO, the position x_i of each particle i denotes a potential solution to the problem, with fitness f(x_i). The particles move according to their velocity v_i during each round of the search. Thus, the structure of the search space must permit such movement. For instance, finding the optimal value of a linear combination in R^n enables this. The movement of the particles is comparable to that of a flock of birds, a school of fish, or a swarm of insects. In these scenarios, it is believed that the creatures follow the group member who is aware of the optimal path, which may lead to a food source. As demonstrated in Figure 5, three factors determine the particle movement in PSO. To begin, there is a term that accounts for the particles' "inertia": this term tends to keep them on their current track. Second, they are drawn to Z(p), the global best. Thirdly, they are drawn to their own fittest point j greatest i (p), the particle best. The trajectory of the particle is indicated in red; its current motion is indicated in blue; the pull towards the global best is indicated in green; and the attraction toward the particle best is indicated in green. The following formulas govern the motion of a particle from one cycle to the next mathematically [48]: where, w, b1 and b2 are defined constants, and q1 and q2 are pseudo-random values distributed uniformly in the range [0, 1].

F. RECURRENT NEURAL NETWORK
An RNN, which is a variant of a feed-forward neural network, makes use of sequential data. The term "recurrent neural networks" refers to the fact that they perform the same task for each element of a sequence, with the outcome dependent on the preceding computation [49]. Because RNNs include cyclic connections, they are particularly well suited for modeling sequences [50].

G. RANDOM FOREST
RF is an ensemble learning method that is used to increase the accuracy of classifications [51]. An RF is made up of several decision trees. In comparison to other classic classification techniques, RF has a low classification error. The RF produces a large number of classification trees. Each tree is generated using a tree classification method and a separate bootstrap sample from the original data [52]. Once a forest is established, each tree inside the forest is given the new item that must be classified. Random Forest creates every tree using a unique sample from the original data and a tree classification method [53].

H. DECISION TREE
DT is a non-linear and non-parametric data mining technique that is used for regression learning and supervised classification [54]. It belongs to the family of supervised learning algorithms. The DT principles are simple for the user to comprehend when combined with a knowledge management system [55]. The primary goal of the DT rule is to generate a training model from which the projected label rate is derived [46]. A decision tree is structured as a tree with decision nodes and leaf nodes [56]. The topmost node is the root node, and each interior node represents a feature.

I. K NEAREST NEIGHBOR
The k-NN algorithm classifies by analogy: it matches the test record against the training records that are similar to it [57]. It compares the unlabeled data to the training instances [58]. The training records are vectors in a multidimensional space, each with an associated class label. In the classification phase, k is a user-defined constant, and an unlabeled vector is classified by assigning the class that occurs most frequently among the k training instances closest to the query instance [59]. Euclidean distance is a frequently used distance metric. Assume two vectors Y = (y_1, y_2, y_3, ..., y_n) and Z = (z_1, z_2, z_3, ..., z_n). Euclidean distance is defined as:
The RC is based on a linear model, in which the parameter matrix is used to reflect the coefficients of a linear model, with the components of the characteristic vector x representing the factors [60].
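The wrapper-based PSO feature selection of Section III-E, with the k-NN classifier and Euclidean distance described above as its fitness function, is sketched below as an added example (not the authors' code). It assumes the standard binary PSO update with a sigmoid transfer function, reuses the symbols w, b1, b2, q1 and q2 from the text, and runs on constructed data rather than NSL-KDD; all function names and parameter values are illustrative.

```python
import math
import random

def make_dataset(rng, n=120, informative=3, noise=5):
    """Constructed two-class records (0 = normal, 1 = attack): the first
    `informative` columns separate the classes, the rest are pure noise."""
    rows = []
    for i in range(n):
        label = i % 2
        feats = [rng.gauss(2.0 * label, 0.6) for _ in range(informative)]
        feats += [rng.gauss(0.0, 3.0) for _ in range(noise)]
        rows.append((feats, label))
    return rows

def knn_predict(train, x, mask, k=3):
    """Majority vote of the k nearest training records, using Euclidean
    distance over only the features switched on in `mask`."""
    dists = sorted(
        (math.sqrt(sum((a - b) ** 2 for a, b, m in zip(f, x, mask) if m)), y)
        for f, y in train)
    votes = [y for _, y in dists[:k]]
    return max(set(votes), key=votes.count)

def fitness(mask, train, valid, alpha=0.05):
    """Wrapper fitness f(x_i): validation accuracy of k-NN on the subset,
    minus a small penalty per selected feature. Empty subsets are invalid."""
    if not any(mask):
        return -1.0
    hits = sum(knn_predict(train, x, mask) == y for x, y in valid)
    return hits / len(valid) - alpha * sum(mask) / len(mask)

def pso_select(train, valid, n_feat, rng, particles=10, iters=15,
               w=0.7, b1=1.5, b2=1.5):
    """Binary PSO: positions are 0/1 feature masks, velocities are real."""
    # Particle 0 starts as "all features", so the result is never worse.
    X = [[1] * n_feat] + [[rng.randint(0, 1) for _ in range(n_feat)]
                          for _ in range(particles - 1)]
    V = [[rng.uniform(-1, 1) for _ in range(n_feat)] for _ in range(particles)]
    pbest = [x[:] for x in X]                      # particle-best positions
    pfit = [fitness(x, train, valid) for x in X]
    g = max(range(particles), key=pfit.__getitem__)
    gbest, gfit = pbest[g][:], pfit[g]             # global best
    for _ in range(iters):
        for i in range(particles):
            for d in range(n_feat):
                q1, q2 = rng.random(), rng.random()       # uniform in [0, 1)
                v = (w * V[i][d]                          # inertia
                     + b1 * q1 * (pbest[i][d] - X[i][d])  # pull to particle best
                     + b2 * q2 * (gbest[d] - X[i][d]))    # pull to global best
                V[i][d] = max(-4.0, min(4.0, v))          # clamp velocity
                # Sigmoid transfer: velocity -> probability the bit is 1.
                p_one = 1.0 / (1.0 + math.exp(-V[i][d]))
                X[i][d] = 1 if rng.random() < p_one else 0
            f = fitness(X[i], train, valid)
            if f > pfit[i]:
                pbest[i], pfit[i] = X[i][:], f
            if f > gfit:
                gbest, gfit = X[i][:], f
    return gbest, gfit

def run_demo(seed=7):
    rng = random.Random(seed)
    data = make_dataset(rng)
    train, valid = data[:80], data[80:]
    n_feat = len(data[0][0])
    mask, fit = pso_select(train, valid, n_feat, rng)
    baseline = fitness([1] * n_feat, train, valid)
    return mask, fit, baseline

if __name__ == "__main__":
    mask, fit, baseline = run_demo()
    print("selected feature mask:", mask)
    print("fitness, all features: %.3f  PSO subset: %.3f" % (baseline, fit))
```

Because the selection is scored on the validation split, a real IDS evaluation should report final metrics on a third, untouched test split.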

IV. RESULTS AND DISCUSSION
As the limitations of the related work show, there is still room for improvement: detection accuracy may still be increased, and precision, MCC, and F1-measures were not taken into account. This study addressed the literature's limitations.

A. PERFORMANCE MEASURES
Accuracy: The model's accuracy was assessed based on a subset of the model's performance. The accuracy estimation is represented by equation (4).
Recall: The recall, or TP rate, is the total of positives reported by the classification relative to the actual total of positives in the data. The recall rate is shown in equation (5).
The performance of the proposed SML techniques is revealed in this section as seen in
The performance of the proposed RNN model and the SML models (RF, DT, KNN, and RC) is given in Figure 6. The proposed SML models outperformed the RNN model in terms of accuracy, recall, precision, and MCC.
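The measures named in this section (accuracy, recall, precision, F1 and MCC) are computed below per attack class, one-vs-rest, as an added example that is not the authors' code. The counts are constructed for illustration and are not results from the paper; they show how a high overall accuracy can coexist with poor recall on a rare class such as U2R, and how a class that never occurs is handled without a division by zero.

```python
import math

# Constructed evaluation counts (true class, predicted class, records),
# using NSL-KDD style categories; these are not results from the paper.
CONSTRUCTED_COUNTS = [
    ("normal", "normal", 480), ("normal", "dos", 20),
    ("dos", "dos", 390), ("dos", "normal", 10),
    ("probe", "probe", 90), ("probe", "normal", 10),
    ("u2r", "u2r", 2), ("u2r", "normal", 8),
]

def _ratio(num, den):
    """Division that returns 0.0 when a class is never seen or predicted."""
    return num / den if den else 0.0

def accuracy(counts):
    """Share of all records whose predicted class equals the true class."""
    total = sum(n for _, _, n in counts)
    correct = sum(n for t, p, n in counts if t == p)
    return _ratio(correct, total)

def one_vs_rest(counts, cls):
    """Precision, recall, F1 and MCC treating `cls` as the positive class."""
    tp = sum(n for t, p, n in counts if t == cls and p == cls)
    fn = sum(n for t, p, n in counts if t == cls and p != cls)
    fp = sum(n for t, p, n in counts if t != cls and p == cls)
    tn = sum(n for t, p, n in counts if t != cls and p != cls)
    precision = _ratio(tp, tp + fp)
    recall = _ratio(tp, tp + fn)
    f1 = _ratio(2 * precision * recall, precision + recall)
    mcc = _ratio(tp * tn - fp * fn,
                 math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn)))
    return {"precision": precision, "recall": recall, "f1": f1, "mcc": mcc}

def report(counts):
    """Overall accuracy plus the one-vs-rest measures for every class."""
    classes = sorted({t for t, _, _ in counts} | {p for _, p, _ in counts})
    return accuracy(counts), {c: one_vs_rest(counts, c) for c in classes}

if __name__ == "__main__":
    acc, per_class = report(CONSTRUCTED_COUNTS)
    print("accuracy: %.4f" % acc)
    for cls, m in per_class.items():
        print("%-7s P=%.3f R=%.3f F1=%.3f MCC=%.3f"
              % (cls, m["precision"], m["recall"], m["f1"], m["mcc"]))
```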

E. COMPARISON WITH THE EXISTING APPROACHES
We compare the performance of the existing systems with our proposed models in this section, as shown in Table 5. The method of reference [36] achieves an accuracy of 92% and an F1 of 94%. Reference [37] achieves an accuracy of 98% and an F1 of 98%. The authors of [38] achieve an accuracy of 94%, while the authors of [39] reported an accuracy of 92.21%. The proposed model achieves an accuracy of 99.76%, an F1 of 96.45%, a precision of 99.75%, and an MCC of 99.51%.
The comparison with the state-of-the-art approaches is illustrated in Figure 7. The proposed PSO-RF model achieves the best accuracy, precision, and MCC at the expense of the F1. The existing methods outperformed our model in terms of F1.

V. CONCLUSION
The study offers a classification model based on RNN and SML for identifying intruder attacks using the benchmark NSL-KDD datasets, which include DoS attacks, probing attacks, U2R attacks, and remote to local attacks in the IoMT environment. The suggested technique may be most appropriate for IoMT environments in which smart medical appliances can communicate with one another peer-to-peer using different internet protocol addresses. The resampled data set is reduced using PSO to decrease the attribute dimension and to identify the most influential features. Following that, the reduced data set is classified using a variety of state-of-the-art ML algorithms, including RF, DT, KNN, RC, and RNN. Our model's accuracy achieved competitive results and also indicated a decrease in the time required to train the classifiers, which makes it well suited to the IoMT architecture, resulting in faster notifications to healthcare authorities whenever an attack occurs in their ecosystem. Future work will evaluate the effectiveness of the proposed system for detecting IoMT attacks using blockchain technology.