Optimal Graph Convolutional Neural Network-Based Ransomware Detection for Cybersecurity in IoT Environment

Abstract

The fast development of the Internet of Things (IoT) and widespread utilization in a large number of areas, such as vehicle IoT, industrial control, healthcare, and smart homes, has made IoT security increasingly prominent. Ransomware is a type of malware which encrypts the victim’s records and demands a ransom payment for restoring access. The effective detection of ransomware attacks highly depends on how its traits are discovered and how precisely its activities are understood. In this article, we propose an Optimal Graph Convolutional Neural Network based Ransomware Detection (OGCNN-RWD) technique for cybersecurity in an IoT environment. The OGCNN-RWD technique involves learning enthusiasm for teaching learning-based optimization (LETLBO) algorithms for the feature subset selection process. For ransomware classification, the GCNN model is used in this study, and its hyperparameters can be optimally chosen by the harmony search algorithm (HSA). For exhibiting the greater performance of the OGCNN-RWD approach, a series of simulations were made on the ransomware database. The simulation result portrays the betterment of the OGCNN-RWD system over other existing techniques with an accuracy of 99.64%.

1. Introduction

Recently, the use of interconnected smart devices commonly called the Internet of Things (IoT) has seen exponential growth [1]. IoT gadgets can be accessed from any place, home, vehicle and office to make daily tasks as simple as they can. Such smart devices are utilised in smart cities, healthcare services, vehicular networks, industries, smart grids, and smart homes [2]. These smart gadgets have unique features such as minimal power consumption and lighter protocols, weight and compact size which make them more adjustable. Expanded dispatch of smart gadgets in advertisements has decreased trust regarding detecting gadgets and has made the web of things increasingly versatile [3]. With the two downsides and upsides, the devices linked to the Internet are at risk of attacks and digital threats, prompting failure of the administration to more dreadful conveyed refusal of administration [4]. There are no confirmed security techniques that ensure the digital safety of such gadgets. IoT infrastructure is prone to terrible security threats and various attacks, because it lacks built-in security mechanisms and standard supporting systems [5]. IoT has become a capitated platform for invaders since it has the potential to launch all types of network attacks on the connected devices, which in most cases, result in some serious losses.

Ransomware can be referred to as a malware type that can be devised to block access to the user files, device, or operating system [6]. Figure 1 represents the process of ransomware detection for cybersecurity in IoT platforms. Ransomware is commonly found in the form of crypto-ransomware and locker ransomware. Crypto-ransomware encodes key documents on a system of the user, utilizing complicated encryption methods and demand payments, generally cryptocurrency for decoding the credentials of victims [7]. Locker ransomware displays a lock screen that stops the victim from opening their system and demands money for access to a computer. Ransomware is more destructive, prominent, and advanced [8]. In comparison to static code analysis methods, machine learning (ML) approaches have proven to be effectual. ML has high potential in finding malware in Android and Windows OS systems [9]. Further studies on ML in malware recognition as a substitute for the use of signs has shown efficiency regarding the use of ML-related detection over signature-related techniques [10]. The decision to assess ML and DL methods as opposed to other non-ML-related methods has been considered due to their strong ability and adaptability to find unseen samples of ransomware malware.

This article focuses on the development of an Optimal Graph Convolutional Neural Network based Ransomware Detection (OGCNN-RWD) technique for cybersecurity in an IoT environment. Primarily, the OGCNN-RWD technique involves learning enthusiasm for teaching learning-based optimization (LETLBO) algorithms for the feature selection procedure. Next, the GCNN model is used for ransomware classification, and its hyperparameters can be optimally chosen by the harmony search algorithm (HSA). To demonstrate the better results of the OGCNN-RWD system, a series of simulations were made on the ransomware database.

The rest of the paper is organized as follows. Section 2 provides the related works, and Section 3 offers the proposed model. Then, Section 4 gives the results analysis, and Section 5 concludes the paper.

2. Related Works

One author used deep learning (DL) approaches for the extraction of the latent representation of high dimensions of the gathered dataset for precisely finding malevolent behavior [11]. Specifically, this method rests on a hybridized feature engineering approach of a variational and traditional autoencoder (AE). This approach was utilised to minimalize the dimension of data and to extract a good representation of accumulated system activities. Afterwards, the novel feature vector was sent to classifiers that can be framed on batch normalization and deep neural network (DNN) methods. The authors in [12] presented a detection system relevant to the stacked variational AE (VAE) with a fully connected neural network (FC-NN) that learns the latent framework of system activities and exposes the ransomware performance. In addition, the author came up with a data augmentation approach that depends on VAE to produce novel datasets that can be utilised in training an FC network to enhance the generalized capabilities of the presented recognition model.

Al-Hawawreh et al. [13] modelled a new aimed ransomware detection method devised for the industrial IoT edge mechanism. It leverages DL and Asynchronous Peer-to-Peer Federated Learning (AP2PFL) methods as targeted ransomware recognition methods. The presented technique contains two modules. The Diagnostic and one Decision Module (DDM) was utilized for finding targeted ransomware and its phases depend on DNN and Batch Normalization (BN). Basnet et al. [14] introduced the DL-related new ransomware detection structure in supervisory control and data acquisition-controlled electric vehicle charging station (EVCS) with the performance analysis of three DL methods.

Alrawashdeh and Purdy [15] devised a fast ransomware identification approach utilizing Memory-based Stochastic-Dynamic-Fixed-Point arithmetic utilizing a four-layer deep belief network (DBN) architecture. The technique stored random bit-streams in storage for producing potential cross-correlation for stochastic computation in Field Programmable Gate Arrays (FPGAs). Mathane and Lakshmi [16] presented a context-aware ransomware predictive approach that leverages context ontology to derive data features (software updates, connection requests, etc.) and ML techniques to predict ransomware. The presented approaches rely on and focus on the initial detection and prediction of ransomware penetration attempts to resource-limited IoT mechanisms. A weighted minimum Redundancy maximum Relevance (WmRmR) algorithm has been modelled for superior feature impact prediction in datasets captured at the primary stages of a ransomware attack [17]. This presented approach can assess if the feature in the appropriate set was significant or not. It includes a smaller number of evaluations and low-dimensional complexity than the original mRmR approach.

Several models exist in the literature that perform the ransomware classification process. Although several ML and DL models for ransomware classification are available in the literature, a model is still needed that can enhance the classification performance. Owing to the continual deepening of the model, the number of parameters of DL models also increases quickly, which results in model overfitting. At the same time, different hyperparameters have a significant impact on the efficiency of the CNN model. Particularly, hyperparameters such as epoch count, batch size, and learning rate selection are essential to attain effectual outcomes. Since the trial and error method for hyperparameter tuning is a tedious and erroneous process, metaheuristic algorithms can be applied. Therefore, the HSA algorithm can be applied to the parameter selection of the GCNN model.

3. The Proposed Model

In this study, a novel OGCNN-RWD system has been developed for cybersecurity in the IoT platform. The OGCNN-RWD technique mainly intends to precisely distinguish ransomware from legitimate activities. In the presented OGCNN-RWD approach, the LETLBO system is applied for the feature subset selection process. To classify ransomware, the GCNN model is used in this study, and its hyperparameters can be optimally chosen by the HSA. Figure 2 illustrates the workflow of the OGCNN-RWD system.

3.1. Feature Selection: LETLBO Algorithm

In this work, the LETLBO algorithm is exploited for an optimal subset of features. LETLBO is an improved version of the fundamental TLBO technique. A TLBO modification increases the ability for searching for better solutions. LETLBO combines two novel components such as the learning enthusiasm-based teacher and learner phases [18]. These are added for improving the typical of worse learners by utilizing the worst student tutoring stage and for raising searching potency. Based on the basic TLBO, all the learners have similar abilities for obtaining the knowledge of others. However, LETLBO reached their stimulus through the learning enthusiasm process, but all the learners have a unique group of capabilities and enthusiasm for learning. A primary step contains a population of NP learners (whereas the entire populations are referred to as x), with initialization as:

$$x_i^j=x_{ \min }^j+a_b\times \left(x_{ \max }^j-x_{ \min }^j\right)$$

(1)

where $i\in \left\{1,2, \dots , NP\right\},j\in \left\{1,2, \dots , D\right\}, x_{i,j}$ refers to the ith solution from the jth dimension; $a_b$ represents a random number between 0 and 1, and ${\chi }_{\min /}{x}_{\max }$ defines the lower as well as upper bounds, respectively. Next, the learner population is initialized, and every learner’s fitness was calculated. The maximum fitness learner is termed the teacher, signified as the $x_{teacher}$. The stages of the LETLBO technique are defined below.

3.1.1. Learning Enthusiasm-Based Teacher Phase

LETLBO is a learning enthusiasm-based paradigm, but students with optimum estimations are more enthusiastic about learning, and thus, it is highly possible to learn with the instructor. The estimated student is less inspired to learn, and it is less possible to receive what the educator needs to tell.

During this stage, every learner can sort based on their fitness value:

$$f\left(x1\right)\le f\left(x_2\right)\le \cdots \le f\left(x_{NP}\right)$$

(2)

The learner learning enthusiasm value was determined as:

$$L{E}_i=L{E}_{ \min }+\left(L{E}_{ \max }-L{E}_{ \min }\right)\frac{NP-i}{NP}, i=1,2, \dots .NP$$

(3)

where $L{E}_{max}$ indicates the maximal learning enthusiasm, and $L{E}_{min}$ refers to the minimal learning enthusiasm, with referred values of $L{E}_{\max }=1$ and $L{E}_{ \min }\in \left[0.1, 0.5\right]$. The learning enthusiasm curve illustrates that the better learner reveals maximal learning enthusiasm and the worse learner displays minimal learning enthusiasm.

Due to the characteristics of learning enthusiasm, all the students are classified as both learning and gaining in the teacher and not learning in the instructor, depending on the learning enthusiasm value LE. It generates an irrational number $r_i\in \left[0,1\right]$ for student $x_i;$ if $r_i\le L{E}_i$; afterwards, student $x_i$ is advantageous for the educator; otherwise, student $x_i$ neglects the instructor’s teachings generally. If student $x_i$ obtains the skill of the teacher, the position is restored by exploiting a change of upgraded displaying techniques in the subsequent situations:

$$x_{i,new}^d=\left\{\begin{array}{l}{x}_{i,old}^d+rand\left(x_{teacher}^d-T_F\cdot x_{mean}^d\right) if ran{d}_1<0.5\hfill \\ x_{r_1}^d+F\cdot x_{r_2}^d-x_{r_3}^d otherwise\hfill \end{array}\right.$$

(4)

where $r_1,$ $r_2$ and $r_3\left(r_1\ne r_2\ne r_3\ne i\right)$ represent the arbitrarily created integers selected in $\left\{1, 2,\dots , NP\right\};d\in \left\{1,2,\dots , D\right\};$ $ran{d}_1$ and $ran{d}_2$ signifies the arbitrarily created numbers that are uniformly distributed in the range of zero and one, and $F$ signifies the scaling factor from range 0 to 1. Equation (4) is observed as a hybrid method of TLBO and DE.

3.1.2. Learning Enthusiasm-Based Learner Phase

The learner system for learning is also learning enthusiasm-based from LETLBO. Related to the teaching approach, it integrates maximal learning enthusiasm to obtain better grades, and it may be a higher probability region to attain the data. During this learning enthusiasm-inspired learner stage, every learner can rank depending on the efficiency of the grades as determined in Equation (3).

The count is created randomly amongst $r_i\in \left[0,1\right]$ for learner $x_i;$ if $r_i\le L{E}_i$, then learner $x_i$ is learned by the other learner; otherwise, the data of the learners are ignored by learner $x_i$. If learner $x_i$ acquires the data from the teacher, dependent upon a diversity-enhanced teaching manner, their position is upgraded as:

$${\chi }_{i,new}=\left\{\begin{array}{l}{x}_{i,old}+rand\cdot \left(x-{\chi }_j\right), if f({\chi }_i)\ge f\left(x_j\right)\hfill \\ x_{i,old}+rand\cdot \left({\chi }_{\mathrm{j}}-x_j\right) if f\left(x_j\right)<f\left(x_j\right)\hfill \end{array}\right.$$

(5)

where $f\left(X_i\right)$ stands for the main function, and $x_{i,old}$ represents the preceding position of ith learners. If $x_{i,new}$ is fitter than $x_{i,old}$, then $x_{i,new}$ is accepted; otherwise, $x_{i,old}$ does not changed.

3.1.3. Poor Student Tutoring Phase

The basic TLBO can not be used for this stage; the initial purpose of this stage is for enhancing the grades of worse students. A similar procedure was utilized under this stage as well, with learners ranking from better to poor depending on their grades.

A learner assumes a worse learner when it exists in the bottom 10%. This stage used to is arbitrarily select learner $x_T$ in all the worse students ${\chi }_i$, whose rank exists at the top 50%, and the learning is dependent upon the subsequent formula:

$$x_{i,new}^d=x_{i,old}^d+rand\cdot \left(x_T^d-x_{i,old}^d\right)$$

(6)

If $x_{i,new}$ is superior to ${\chi }_{j,old},$ $x_{i,new}$ is accepted; if not, $X_{j,old}$ remains the same. The students with worse grades have a lesser probability of upgrading their position from the type of optimum students, but students with better grades take a comparatively superior probability of upgrading their position. The worse student tutoring stage plays a vital role in enhancing the grades of worse students into that of better students. This technique was appropriate to real-time teaching–learning procedures, but the worst students of all the time require tutorials for its enhancement, more tutorials than if related to other better students.

The fitness function of the LETLBO technique considers the count of selective features and the classifier performance. It minimises the set size of selective features and maximizes classification accuracy. Thus, the subsequent fitness function is utilized for evaluating individual solutions as follows:

$$Fitness=\alpha \times ErrorRate+\left(1-\alpha \right)\times \frac{\#SF}{\#All\_F}$$

(7)

where $ErrorRate$ denotes the classifier rate of errors exploiting the selective feature. $ErrorRate$ can be evaluated as the percentage of inappropriate classifications to the count of classifiers developed in the formula as a value within $\left[0, 1\right]$. $\#SF$ implies the selective feature count, and $\#All\_F$ indicates the overall amount of features from the original data. $\alpha$ is exploited for controlling the importance of subset length and classifier quality. Here, $\alpha$ is fixed to 0.9.

3.2. Ransomware Detection: Optimal GCNN Model

To classify ransomware from legitimate activities, the GCNN model is used. The GCNN is a DL framework which works on graph-structured data. CNN is used to work on arbitrary graphs (with any number of edges and nodes, and graphs of some structure, cyclic or not) rather than on images [19]. Consider the image as a ‘‘grid graph’’ (all the nodes represent a pixel, and the pixel matrix of an image represents the adjacent matrix of grid graphs). To exploit the similar concept of filtering an image on the graph, rather than having a pixel that applies the data contained in its adjacent pixel to upgrade its value, it takes a node where it applies its adjacent node to upgrade its features.

The GCNN classifies the edges or examines the existence of a connection between two nodes, classifies every node individually, or classifies the overall graph. To construct a GCNN, we begin to construct the adjacent matrix $A$ of the graphs. For instance, non-oriented graphs consider $A_{ij}=1$ (with $A_{ij}$ being a component of the adjacent matrix $A$) when there is a connection between the $i\mathrm{th}$ and $j\mathrm{th}$ nodes, and $A_{ij}=0$ if ith and jth nodes are mess linked. In addition, the node matrix H is constructed that contains stored information or a message in all the nodes, and later constructs the matrix $H^{\prime }=\sigma \left({\widehat{D}}^{-1}\widehat{A}HW\right),$ where $W$ indicates a learnable node-wise shared linear conversion (linear layer in a DL architecture), $\sigma$ denotes the non-linear function, for example, ReLU,$\widehat{A}=A+I$, where $\widehat{A}$ does not remove the central node, it forces a node to stay connected with itself, $\widehat{D}$ denotes the degree matrix, which provides the degree of all the nodes, $\widehat{D}$ is incorporated into the equation for normalizing $A$ and enforcing the feature not to explode, while summing is named as the mean-pooling upgrade rule:

$$H^{\prime }=\sigma \left({\widehat{D}}^{-\frac{1}{2}}\widehat{A}{\widehat{D}}^{-\frac{1}{2}}HW\right)$$

(8)

The GCN update rule can be obtained using the above equation. Currently, this is the more commonly known graph convolution layer. Generally, nodes can transmit arbitrary messages alongside the edge $\overrightarrow{e_{ij}}$ and then aggregate each message it receives through the permutable-invariant function, where $\overrightarrow{m_{ij}}$ denotes the message transmitted from ith to jth nodes, evaluated by the message function $f_e$:

$$\overrightarrow{m_{ij}}=f_e\left(\overrightarrow{h_i},\overrightarrow{h_j}, \overrightarrow{e_{ij}}\right),$$

(9)

Then, each message which enters the nodes is aggregated through a readout function as follows:

$$f_b:\overrightarrow{h_i^{\prime }}=f_v\left(\overrightarrow{h_v},{\displaystyle \sum }_{j\in N_i}\overrightarrow{m_{ji}}\right),$$

(10)

In Equation (10), $N_i$. represents the group of neighbors of ith nodes. This provides the message-passing neural network (MPNN), which applies only to smaller graphs. $f_e$ and $f_t$ are generally smaller multilayer perceptron and are generally expressed as follows:

$$\overrightarrow{h_i^{\prime }}=\sigma \left({\displaystyle \sum }_{j\in N_i}{\alpha }_{ij}W\overrightarrow{h_j}\right),$$

(11)

In Equation (11), ${\alpha }_{ij}$ denotes the coefficient that is explicitly determined to cause certain deficiencies, or

$${\alpha }_{\mathrm{ij}}=\frac{ \exp \left(a_{ij}\right)}{{{\displaystyle \sum }}_{jϵN_i} \exp \left(a_{ik}\right)},$$

(12)

where

$$a_{\mathrm{ij}}=a\left({\overrightarrow{h}}_v,{\overrightarrow{h}}_j,\overrightarrow{ e_{ij}}\right),$$

(13)

From the expression, $a$ is a shared, learnable, self-attention model. It is named as the graph attention network upgrade rule.

Briefly, the presented graph was encoded using three matrices: $W, A$, $H$, and $D$. Using the aforementioned parameters, a matrix $H^{\prime }$ can be evaluated after the selected update rule formula. The description of a GCNN is the process of encoding the graphs as matrix $H^{\prime }.$

At the final stage, the HSA is applied for the optimal hyperparameter selection process, a new intelligent optimized technique. Similar to how the SA simulates physical annealing, the GA simulates biological evolution, the harmony algorithm simulates the principles of concert performance, and the PSO algorithm [20] simulates flocks of birds. Briefly, for HSA, every solution vector (decision variable set) is stored in harmony memory (HM). The key parameter of HSA includes pitch adjusting rate (PAR), harmony memory size (HMS), distance bandwidth (BW), stopping criterion or several improvisations (NI), and harmony memory consideration rate (HMCR). Generally, the global optimization problems are discussed below. Minimize $f\left(x\right)$ subjected to

$${\chi }_j\in X_{i}i=1,2,\cdots , N.$$

(14)

where $f\left(x\right)$ indicates the main function, $\chi$ denotes the group of decision parameters $x_i,$ $N$ shows the count of decision parameters, $X_i$ represents the group of the potential range of value for every decision parameter, the upper boundary for every decision parameter is $B\left(i\right)$, and the lower boundary is $LB\left(i\right)$; afterwards, $LB\left(i\right)\le X_i\le UB\left(i\right)$. The HM with the size of HMS is produced based on solution space.

$$HM=\left[\begin{array}{ccccc}{x}_1^1& x_2^1& \dots & x_{N-1}^1& x_N^1\\ x_1^2& x_2^2& \dots & x_{N-1}^2& x_N^2\\ ⋮& ⋮& \dots & ⋮& ⋮\\ x_1^{HMS-1}& x_2^{HMS-1}& \dots & x_{n-1}^{HMS-1}& x_N^{HMS-1}\\ x_1^{HMS}& x_2^{HMS}& \dots & x_{\mathrm{N}-1}^{HMS}& x_N^{HMS}\end{array}\right]$$

(15)

Every decision parameter is produced by: $x_i^j=LB\left(i\right)+\left(UB\left(i\right)-LB\left(i\right)\right)\ast r$ for $i=1,2,\dots , N$ and $j=1,2,\dots , HMS$, where $r$ denotes the arbitrary value within [0, 1]. A new harmony vector is produced using the following rules, such as pitch adjustment, random selection, and memory consideration. Initially, a random number $r_1$ is generated within $\left[0,1\right]$ and compares $r_1$ with the initialized HMCR. When $r_1<HMCR$, a random parameter in the initial HM is taken that is named memory consideration. Otherwise, it is attained by random selection (produced randomly between the search boundary). Lastly, a new harmony parameter is taken. Once it can be upgraded by the memory consideration, it should be attuned, and a parameter $r_2$ within [0, 1] is produced randomly as explained in Algorithm 1 below. When $r_2<PAR,$ the parameter based on the initial BW is adjusted and a newly generated parameter that is named pitch adjustment is obtained:

$$x_i^{\prime new}=x_i^{new}\pm r\ast BiV$$

(16)

where $r$ denotes the randomly generated value within [0, 1].

Algorithm 1 Pseudocode of HSA

Initialize the parameters HMCR, HMS, BW, PAR, Tax

Initialize the HM

Repeat

Create a New Harmony as:

for every $i$, perform

$x^{new}\to \left\{\begin{array}{c}\mathrm{memory} \mathrm{consideration} \mathrm{with} \mathrm{probability} \mathrm{HMCR}\\ \mathrm{random} \mathrm{selection} \mathrm{with} \mathrm{probability} 1-\mathrm{HMCR}\end{array}\right.$

if $x_i^{new}\in HM$, then

$x_i^{\prime new}=\left\{\begin{array}{ll}{x}_i^{new}\pm r\ast BW\hfill & with probability PAR\hfill \\ x_i^{new}\hfill & with probability 1-PAR\hfill \end{array}\right.$

end if

end for

if the new harmony vector is superior to that of the worse one in the novel HM, then

Upgrade HM

end if

Until $T_{max}$ is satisfied

Return better harmony

The newly attainted harmony is evaluated by $\left(x\right)$. Once the new harmony has the best main function solution when compared to the worst solution in the abovementioned HM, the new harmony substitutes the worst harmony from the HM. If the present amount of times of creation are attained, the abovementioned maximal times $T_{\max }$ of formation are checked. Fitness selection is a critical factor in the HSA technique. Solution encoding can be used to assess the aptitude (goodness) of the candidate solution. Here, the accuracy value is the main condition used to design a fitness function.

$$Fitness= \max \left(P\right)$$

(17)

$$P=\frac{TP}{TP+FP}$$

(18)

From the expression, TP represents the true positive, and FP denotes the false positive value.

4. Performance Validation

The proposed model is simulated using Python 3.6.5 tool on PC i5-8600k, GeForce 1050Ti 4GB, 16GB RAM, 250GB SSD, and 1TB HDD. The parameter settings are given as follows: learning rate: 0.01, dropout: 0.5, batch size: 5, epoch count: 50, and activation: ReLU. In this section, the ransomware classification performance of the OGCNN-RWD technique can be observed on a database comprising 840 samples [21] as represented in

Table 1. Details of the dataset.

Class	Number of Instances
Goodware	420
Ransomware	420
Total No. of Samples	840

.

The confusion matrix of the OGCNN-RWD technique is demonstrated in Figure 3. The outcomes ensure that the OGCNN-RWD system has properly recognized goodware and ransomware samples. For instance, on 100 epochs, the OGCNN-RWD technique identifies 359 goodware and 386 ransomware samples. Moreover, on 200 epochs, the OGCNN-RWD method identifies 372 goodware and 401 ransomware samples. Furthermore, on 300 epochs, the OGCNN-RWD method identifies 372 goodware and 408 ransomware samples. Lastly, on 500 epochs, the OGCNN-RWD approach identifies 417 goodware and 420 ransomware samples.

In

Table 2. Ransomware classifier outcome of OGCNN-RWD algorithm with distinct epochs.

Class	Accuracybal	Sensitivity	Specificity	F-Score	MCC
Epoch—100
Goodware	85.48	85.48	91.90	88.31	77.54
Ransomware	91.90	91.90	85.48	89.04	77.54
Average	88.69	88.69	88.69	88.68	77.54
Epoch—150
Goodware	88.10	88.10	93.57	90.58	81.79
Ransomware	93.57	93.57	88.10	91.08	81.79
Average	90.83	90.83	90.83	90.83	81.79
Epoch—200
Goodware	88.57	88.57	95.48	91.74	84.25
Ransomware	95.48	95.48	88.57	92.29	84.25
Average	92.02	92.02	92.02	92.01	84.25
Epoch—250
Goodware	88.57	88.57	95.71	91.85	84.50
Ransomware	95.71	95.71	88.57	92.41	84.50
Average	92.14	92.14	92.14	92.13	84.50
Epoch—300
Goodware	88.57	88.57	97.14	92.54	86.03
Ransomware	97.14	97.14	88.57	93.15	86.03
Average	92.86	92.86	92.86	92.84	86.03
Epoch—350
Goodware	99.29	99.29	100.00	99.64	99.29
Ransomware	100.00	100.00	99.29	99.64	99.29
Average	99.64	99.64	99.64	99.64	99.29
Epoch—400
Goodware	99.29	99.29	99.76	99.52	99.05
Ransomware	99.76	99.76	99.29	99.52	99.05
Average	99.52	99.52	99.52	99.52	99.05
Epoch—450
Goodware	99.29	99.29	100.00	99.64	99.29
Ransomware	100.00	100.00	99.29	99.64	99.29
Average	99.64	99.64	99.64	99.64	99.29
Epoch—500
Goodware	99.29	99.29	100.00	99.64	99.29
Ransomware	100.00	100.00	99.29	99.64	99.29
Average	99.64	99.64	99.64	99.64	99.29

, the overall ransomware classification outcomes of the OGCNN-RWD technique are inspected in several epochs. The OGCNN-RWD technique properly recognized goodware and ransomware. For the sample, with 100 epochs, the OGCNN-RWD methodology obtained $an acc{u}_{bal}$ of 88.69%, $sen{s}_y$ of 88.69%, $spe{c}_y$ of 88.69%, $F_{score}$ of 88.68%, and MCC of 77.54%. In the meantime, with 100 epochs, the OGCNN-RWD approach attained $an acc{u}_{bal}$ of 92.02%, $sen{s}_y$ of 92.02%, $spe{c}_y$ of 92.02%, $F_{score}$ of 92.01%, and MCC of 84.25%. Finally, with 100 epochs, the OGCNN-RWD method achieved $an acc{u}_{bal}$ of 92.86%, $sen{s}_y$ of 92.86%, $spe{c}_y$ of 92.86%, $F_{score}$ of 92.84%, and MCC of 86.03%. Also, with 100 epochs, the OGCNN-RWD method reached an $acc{u}_{bal}$ of 99.52%, $sen{s}_y$ of 99.52%, $spe{c}_y$ of 99.52%, $F_{score}$ of 99.52%, and MCC of 99.05%. At last, with 100 epochs, the OGCNN-RWD method attained an $acc{u}_{bal}$ of 99.64%, $sen{s}_y$ of 99.64%, $spe{c}_y$ of 99.64%, $F_{score}$ of 99.64%, and MCC of 99.29%.

The TACY and VACY of the OGCNN-RWD method under distinct epochs are represented in Figure 4. The figure states that the OGCNN-RWD approach has shown higher performance with enhanced values of TACY and VACY. Notably, the OGCNN-RWD algorithm has achieved maximal TACY outcomes.

The TLOS and VLOS of the OGCNN-RWD technique under distinct epochs are given in Figure 5. The figure infers that the OGCNN-RWD approach has demonstrated improved performance with the least values of TLOS and VLOS. Visibly, the OGCNN-RWD method has reduced VLOS outcomes. The lesser values indicate the effectual detection performance of the proposed model.

A brief precision–recall examination of the OGCNN-RWD method under distinct epochs is shown in Figure 6. The figure designates that the OGCNN-RWD algorithm has higher precision–recall values under two class labels.

A clear ROC investigation of the OGCNN-RWD system under distinct epochs is portrayed in Figure 7. The results represent that the OGCNN-RWD algorithm has exhibited its capability in classifying different two-class labels.

To assure the improved outcomes of the OGCNN-RWD approach, a brief comparative investigation is made in

Table 3. Comparative outcome of OGCNN-RWD approach with existing systems.

Methods	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{S}\mathit{e}\mathit{n}{\mathit{s}}_{\mathit{y}}$	$\mathit{S}\mathit{p}\mathit{e}{\mathit{c}}_{\mathit{y}}$
OGCNN-RWD	99.64	99.64	99.64
DWOML Model [21]	99.09	99.43	99.17
Bagging [22]	98.47	93.66	96.06
AdaBoost-M1 [22]	96.13	94.50	94.60
Rotation Forest (ROF) [22]	95.79	96.77	97.38
Decision Tree (DT) [22]	97.63	97.82	98.12
Random Forest (RF) [22]	98.83	98.79	98.26

[21,22]. Figure 8 investigates the comparative examination of the OGCNN-RWD technique in terms of $acc{u}_y$. The experimental values indicate that the OGCNN-RWD technique reaches a maximum $acc{u}_y$ of 99.64% while the DWOML, bagging, AdaBoost-M1, ROF, DT, and RF models result in a minimum $acc{u}_y$ of 99.09%, 98.47%, 96.13%, 95.79%, 97.63%, and 98.83%, respectively.

Figure 9 inspects the comparative investigation of the OGCNN-RWD algorithm in terms of $sen{s}_y$ and $spe{c}_y$. Based on $sen{s}_y$, the OGCNN-RWD technique reaches a maximum $acc{u}_y$ of 99.64% while the DWOML, bagging, AdaBoost-M1, ROF, DT, and RF methods result in minimal $sen{s}_y$ of 99.43%, 93.66%, 94.50%, 96.77%, 97.82% and 98.79%, respectively. Likewise, based on $spe{c}_y$, the OGCNN-RWD technique reaches a maximum $spe{c}_y$ of 99.64% while the DWOML, bagging, AdaBoost-M1, ROF, DT, and RF approaches result in minimum $spe{c}_y$ of 99.17%, 96.06%, 94.60%, 97.38%, 98.12% and 98.26%, respectively.

These results show the enhanced performance of the OGCNN-RWD technique over other models.

5. Conclusions

In this article, we established a novel OGCNN-RWD methodology for cybersecurity in an IoT environment. The OGCNN-RWD technique mainly intends to precisely distinguish ransomware from legitimate activities. In the presented OGCNN-RWD system, three subprocesses are involved, namely, the LETLBO approach-based feature subset selection, GCNN-based ransomware detection, and HSA based hyperparameter tuning. For exhibiting greater performance of the OGCNN-RWD algorithm, a series of simulations were made on the ransomware database. The simulation results portray the betterment of the OGCNN-RWD system over other existing systems with a maximum accuracy of 99.64%. Thus, the OGCNN-RWD methodology is employed for accurate ransomware detection in the IoT platform. In the future, we plan to extend the OGCNN-RWD technique by the design of an ensemble learning process.