A Novel Anomaly Detection System on the Internet of Railways Using Extended Neural Networks

Abstract

The Internet of Railways (IoR) network is made up of a variety of sensors, actuators, network layers, and communication systems that work together to build a railway system. The IoR’s success depends on effective communication. A network of railways uses a variety of protocols to share and transmit information amongst each other. Because of the widespread usage of wireless technology on trains, the entire system is susceptible to hacks. These hacks could lead to harmful behavior on the Internet of Railways if they spread sensitive data to an infected network or a fake user. For the previous few years, spotting IoR attacks has been incredibly challenging. To detect malicious intrusions, models based on machine learning and deep learning must still contend with the problem of selecting features. k-means clustering has been used for feature scoring and ranking because of this. To categorize attacks in two datasets, the Internet of Railways and the University of New South Wales, we employed a new neural network model, the extended neural network (ENN). Accuracy and precision were among the model’s strengths. According to our proposed ENN model, the feature-scoring technique performed well. The most accurate models in dataset 1 (UNSW-NB15) were based on deep neural networks (DNNs) (92.2%), long short-term memory LSTM (90.9%), and ENN (99.7%). To categorize attacks, the second dataset (IOR dataset) yielded the highest accuracy (99.3%) for ENN, followed by CNN (87%), LSTM (89%), and DNN (82.3%).

1. Introduction

Railways have played a central role in public transportation since the early 19th century when the first steam locomotive was used [1]. Because of their central role in connecting major metropolitan areas, railroads have long been considered an essential mode of transportation for people traveling in and out of those areas [2]. For the first time in history, a high-speed rail system has been developed to meet the public’s need for long-distance travel [3]. As a result of the railroad’s high capacity and energy efficiency, several countries’ governments have promoted and supported it for the benefit of the public [4]. As a result, when formulating transportation regulations, governments take the railroad into account [5,6]. Things are employed in a variety of applications, including the smart Internet of Rail Things [7]. Because of the wide variety of IoT devices, and their limited computing power, protocols, and standards, there are new security risks to contend with. IoT devices have default passwords before manufacturing, making them vulnerable to brute force attacks [8]. Due to the ever-increasing complexity of the computer system, network security must be improved [9]. Therefore, to sustain security, there must be continuity, integrity, and confidentiality in networked system and integrity, confidentiality, and availability can all be jeopardized by intrusions [10,11].

Internet of Railways (IoR) is an open, convergent network system that supports human, rail, and environmental cooperation [12]. Multiagent systems (MAS) work in concert with VANET and cloud computing to build a cooperative and extended transportation system. An IoR anomaly detection system is essential for data quality and security in today’s uncertain world [13]. The cost of real-time anomaly detection for all data in a data package must be taken into account while conducting crucial safety data analysis. The three layers of the Internet of Railways are experimentation and control, computation, and application. In [14], environmental data are used to run and monitor the railway’s experimental and control layers. Wireless networks such as WLAN, cellular (4G/5G), and short-range wireless networks are used by the railways to communicate at the computer level. Both closed and open service models can be found at this level of the application. The major components of an IoR system are shown in Figure 1.

Unlike the Internet, IoR data security flaws come from both inside and outside [14]. Because they lack the data verification capabilities of the CAN protocol, Internet data transmission techniques are vulnerable to simple security issues. Because of the IoR’s openness and widespread adoption, protecting against a data breach is more challenging as is identifying irregularities in autonomous railways [15]. Cyber railways are so unique and susceptible. System failures and malicious attacks jeopardize human and property safety [16]. Figure 2 shows the potential IoR security risks. An attacker can steal data and damage drivers using a V2V connection. This condition creates a second security issue.

Internet-based rail systems are based on interconnected networks of sensors, actuators, and network layers, all working together to form the Internet of Railways (IoR). The IoR’s success depends on how well it communicates. To exchange and transfer data, a railroad network employs a variety of protocols. The entire system is vulnerable to hacking due to the widespread use of wireless technology on trains. These kinds of attacks on the Internet of Railways can have a negative impact, especially if they spread sensitive information to an infected network or a false user. Detecting IoR attacks has been extremely difficult in the past few years. Feature selection is still a challenge for models based on machine learning and deep learning when trying to detect harmful activity.

Many security and privacy concerns have been raised by using many attack models on intelligent trains. As a result, the VANET is vulnerable to attacks that jam or spoof its signal. Delays in the transmission of the message cause it to be damaged and not accomplish its intended purpose [17]. Internet or physical access to an intelligent rail’s intelligence system is another security problem [18,19,20]. Embedded technologies, hardware and software updates, and networking devices have helped the IoR’s progress. However, despite this, the IoR still poses security, accuracy, performance, and network and personal privacy threat. The usage of intelligent services, remote access, and network alterations has resulted in several security and privacy concerns. Thus, the IoR data transfer security issues are a serious issue. The network and security issues in the Internet of Railways can be addressed using these strategies and ideas. This study defined security requirements for IoR apps to enhance the network and user services. DoS intrusions are detected using a new model called extended neural network. The main research contributions are:

(a)

A deep learning model to detect an anomaly in the railway network is proposed in this research.

(b)

The goal of this research is to give a thorough methodology for preparing network traffic data for the creation of an IDS.

(c)

We employ k-means clustering to present an averaging feature selection approach to increase the efficiency of the proposed intrusion detection system and to perform a network attribute and attack analysis for network monitoring purposes.

There are five sections in this paper. The problem and context for the paper are laid forth in Section 1 of the document. The relevant work is described in Section 2. In Section 3, the present framework and approach are described. The current study’s findings are discussed in detail in Section 4. The conclusions of the current investigation are presented in Section 5.

2. Related Work

The IoT’s enormous variety, limited computational resources, and protocols and standards all combine to create a common challenge: how to ensure secure communication across all connected devices at once. A large attack surface in IoT networks, even with certain security precautions, makes them very vulnerable to numerous attacks. This necessitates the development of security measures. Having security defenses such as intrusion detection systems (IDSs) in place is critical in IoT networks [19]. Traditional security solutions such as authentication and encryption are insufficient [20]. IDSs protect Internet-connected frameworks as a network-level solution. Internet of Things concerns include malware detection, ransomware, processor heterogeneity, and security design gaps. Classical IDSs are not perfect because of false alarms [21]. Traditional approaches such as supervised and unsupervised machine learning [22,23,24,25,26], as well as newer technologies [27,28], have been examined for intrusion detection in the IoT. They have been analyzed and their outcomes discussed, along with every selected work objective and methodology. IoT systems cannot be protected using traditional security techniques because of their computational limitations and inherent resources [26,27,28,29]. ML approaches in IDSs identify unknown and known attacks on IoT devices in real time [30,31]. IoT protocols and network structure are not relevant to an IDS proposed in [32]. “To utilize this IDS, no prior knowledge of security concerns is required.” This necessitates the creation of an artificially intelligent IDS for use in the Internet of Things’ (IoT) networks.

For IoR-ready software systems that require flexible, decentralized feedback control mechanisms, Eiza et al. [32] offered a guaranteed requirements model utilizing situation calculus modeling. Interactive passenger support software that provided passengers with real-time information tailored to their specific needs was demonstrated using an established formal model. The system adapted in real time as it was being used.

At the transport layer, network packets can be classified as “abnormal” or “regular” using machine learning and a knowledge-based system to identify DDoS attacks. To counter DDoS attacks, [33] used deep learning methods and convolutional neural networks (CNNs). TCP SYN-Flood and ICMP flood DDOS attacks were highlighted in that study. During the experimentation phase, the researcher employed the CICIDS2017 and NSL-KDD datasets to train and evaluate the algorithms (models). That accuracy number served as a benchmark for comparing the four algorithms. Results showed that a score of 99.93 was achieved.

According to Zhang et al. [2], using IoT-specific network behavior (such as a restricted number of endpoints and regular time intervals between packets) to influence feature selection, neural networks can achieve high-accuracy DDoS detection in IoT network traffic. Home gateway routers and other network middleboxes can use low-cost machine learning algorithms and flow-based and protocol-agnostic traffic data to automatically detect the local IoT device sources of DDoS attacks.

IoT threats and vulnerabilities were examined from a packet core perspective, and a machine learning DDoS detection and mitigation method was proposed for the mobile core network in [3]. Four supervised machine learning classification methods were used to test the proposed method, and each classifier was evaluated. A KNN, decision tree, naive Bayes, and logistic regression all performed well in the evaluations, with the KNN scoring 99.93 %accuracy, decision tree scoring 99.31 %accuracy, and naive Bayes scoring 74.17 %accuracy.

An IoT device traffic detection model that uses a boosting strategy of logistic model trees was shown in [4]. There was a model version for each device type because network traffic from different devices can change slightly. A typical smart home has four types of devices: Class 1—extremely high traffic predictability; Class 2—high traffic predictability; Class 3—medium traffic predictability; and Class 4—low traffic predictability. Using these four device categories, our proposed method was shown to be 99.92 to 99.99 %accurate in testing.

In another study [33], AI and ML techniques were examined to improve IoV network defenses against DDOS attacks, which could lead to more sophisticated protection architectures. Simulators were used to evaluate the utility of the suggested methodology in comparison to more traditional methods based on fuzzy logic and Q-learning theory. There have been few works on IoR security systems.

Table 1. Comparative Analysis of Existing Techniques.

References	Techniques	Datasets	Accuracy (%)
[27]	SVM, KNN	IoR dataset	85.4%
[2]	CNN	CAN dataset	83.5%
[28]	GMM	UNSW dataset	89%
[29]	CNN	UNSW dataset	90%
[33]	LSTM	UNSW dataset	91%

shows the summary of the previous state-of-art studies with the techniques used and accuracy obtained.

3. Methodology

In this section, a detailed description of the datasets and proposed schemes is given. Figure 3 shows the proposed workflow of the current study. In the first step, we gathered two datasets from an online open-source website (www.kaggle.com accessed on 28 February 2021) namely UNSW-NB15 (referred to as dataset 1) and IoR dataset (referred as dataset 2). We adopted multiple data preprocessing techniques, i.e., data scaling, normalization, null spaces removal, and outliers removal. In feature scoring, we used the k-means clustering technique to rank the most important features and select these features to detect attacks in both datasets with the help of the extended neural network.

3.1. Dataset Description

(a)

UNSW-NB15 Dataset

The UNSW-NB15 dataset keeps track of network attacks. In addition to DDoS, worms, backdoors, and fuzzers, malicious software includes nine other sorts of attacks. In the dataset are packets from the network. Among the training and testing sets, there were a total of 175,341 and 82,332 attacks, respectively. Listed below are the dataset’s characteristics.

Table 2. UNSW-NB15 Dataset Description.

Features	Description	Value	Variable Type
State	Connectivity state	0 or 2	Input
SPkcts	Source packets	Positive integer	Input
DPckts	Destination pockets	Positive integer	Input
Sbytes	Source bytes	Positive integer	Input
Dbytes	Destination bytes	Positive integer	Input
Attack	Category of attack	0–8, categories of attacks	Output

shows UNSW-NB15 Dataset Description.

The figure below shows the repartition of services from different PCs of railway networks. Figure 4 shows the total counts of target class distribution in the dataset. DDoS attacks occurred 50,000 times in the dataset.

(b)

IOR Dataset

The IOR dataset was used in this investigation. This dataset contains harmful attacks on railway networks that are linked to real-world anomalies. CICFlowMeter data included a time stamp, source, and destination IPs, source and destination ports, protocols, and assaults. The definition of the extracted feature was supplied as well. The collection took place from 3 July to 7 July. There was less traffic on Mondays. DDoS, botnets, and other forms of distributed denial-of-service assaults are only a few examples of the attacks. Tuesday through Friday were the days of the week when classes were in session.

Table 3. IOR Dataset Description.

Features	Description	Value	Variable Type
State	Connectivity state	0 or 2	Input
SPkcts	Source packets	Positive integer	Input
DPckts	Destination packets	Positive integer	Input
Sbytes	Source bytes	Positive integer	Input
Dbytes	Destination bytes	Positive integer	Input
Attack	Category of attack	0 or 1, normal or attacked.	Output

shows IOR Dataset Description.

The distribution of the target variable, attacks, is represented in the Figure 5.

The proposed approach was put to the test on these two recent datasets. To use deep learning algorithms, the data must be preprocessed. Classifier performance can be enhanced by selecting relevant features from both datasets using the homogeneity measure in an unsupervised manner (k-means clustering). Deep learning models can be reviewed and improved using fivefold cross-validation. Classifying the attacks was performed using the ENN.

3.2. Data Preprocessing

(a)

Data Preprocessing

The dataset was preprocessed to improve its suitability for use by a machine learning classifier.

(b)

Removal of Socket Information

Identifying the source and destination must be done without including either of their IP addresses. Instead of relying on a single connection’s data, it can use packet characteristics to rule out hosts with similar packet information.

(c)

Removing White Spaces

Labels with several classes can have white spaces. This class has two labels since the other tuples in it have different labels.

(d)

Label Encoding

When the labels are encoded into numeric form, they may be read by a computer. Thus, the algorithms that utilize machine learning to understand how to use these labels may do so with more accuracy and efficiency. In supervised learning, preparing the structured dataset is a critical stage in the process.

(e)

Data Normalization

We normalized the dataset using the standard scalar function because non-normalized data cause inaccuracies in the prediction of outcomes. After the data set was normalized, feature ranking took place.

(f)

Feature Ranking

In the feature ranking of attributes, we employed k-means clustering, which took into account the weight of each feature to determine how important it was to the final result. We first calculated the distance and then created an objective function:

$$D\left(Centroi{d}_j, point\right)=\sqrt{{\displaystyle \sum }_{i=1}^{distance}{\left(Centroi{d}_{ji}-poin{t}_i\right)}^2}$$

(1)

Using Equation (1), we could determine the distance between each cluster’s centroid and the j^th cluster to see if the j^th feature was similar to the data at point p.

3.3. Extended Neural Networks

Machine learning models should be replaced by neural networks such as ENNs. Thus, the network’s properties and nonlinear alterations it learned to determine its output may be explained concisely and understandably by anyone (predictions). Complex neural networks may be explained and seen using this model, because it incorporates methods to explain the relationship between input features and output and helps researchers visualize the functions that the network has learned. Standard neural networks struggle with data that have sequential properties. In the UNSW-NB15 dataset, system calls are followed by host calls. Odd behavior can have normal call sequences and subsequences. Due to the sequential nature of the system calls, intrusion detection in IoT must consider it. Classifying input data in this manner requires that past and current data, as well as their shifted or scaled features, be considered. To detect intrusions, a function f(x) generated input instances with normal and aberrant sequences. To meet the following criteria, we shifted and scaled k-means-clustered data features. The additive index model used by the ENN is:

$$f\left(x\right)=x_1{\beta }_1^{Tx}+x_2{\beta }_2^{Tx}+x_3{\beta }_3^{Tx}+\cdots +x_k{\beta }_k^{Tx}$$

(2)

Adding up the parameters of the shifting, rotating, and scaling of data instances, Equation (2) becomes:

$$f\left(x\right)=\mu +x_1{\beta }_1^{Tx}\gamma h_1+x_2{\beta }_2^{Tx}\gamma h_2+x_3{\beta }_3^{Tx}\gamma h_3+\cdots +x_k{\beta }_k^{Tx}\gamma h_k$$

(3)

where $\mu$ is the shift parameter used for model fitting and $\gamma$ is the scaling parameter used for fitting as well. The following Figure 6 prsents the ENN system’s architecture:

Having rotating and shifting parameters makes the ENN model more efficient at detecting abnormalities from datasets in this research.

The classification of output variables, such as attacks, was handled by the function f(x). The input characteristic was gamma. The k-means clustering provided a value based on k. Using clustering, we could keep track of all of our traits in one place, while x was the feature’s value per instance. A scalability coefficient (T) could be calculated by multiplying beta by the coefficient of variation. From Equation (2), a scaling parameter was added to the neural network in Equation (3), on the other hand, included the gamma-shifting parameter and the sigma-shifting coefficient, as well as the hyperparameter transfer function for model over- and underfitting.

Each number in the network was given a weight that was multiplied before the data were sent on to the next layer of neurons to be processed. To arrive at the sigmoid activation function, the total of the activation functions of each neuron must be weighted. These values separated the weighted connections between layers two and three. Each subsequent layer was completed in this manner. Neurons were represented as nodes in a weighted directed network, with weighted edges connecting them.

A neural network model receives information stored in vectors from the outside environment. It is common practice to use x(n) to indicate the number of inputs. Each input’s weights are multiplied. Weights aid the neural network solve a problem. The strength of a neural network’s connections between neurons is often represented by the network’s weight. It summarizes the weighted sum of all of the inputs into the compute unit (artificial neuron). A bias is applied if the overall weighting is zero, to boost the system’s responsiveness. Both weight and input have a bias of “1”. The sum can contain any number in the range 0 to infinity. The response can only be as high as the intended value if the threshold is set high enough. An activation function f causes the total to rise as a function of x. The activation function is activated by transferring control from the transfer function. Linear or nonlinear activation functions are possible. In this research, ENN has the significant advantage of having scaling, rotating, and shifting parameters, which extend the model to better detect the anomalies from datasets.

4. Results

The ENN model evaluation and performance are shown in this section. ENN was evaluated on UNSWN-B15 (dataset 1) and IoR (dataset 2) to classify attacks in IoR systems. We also compared the model with a CNN, LSTM, and DNN models to show the better performance of the proposed scheme.

4.1. Performance of ENN on UNSW-NB15

Figure 7 and Figure 8 illustrates that k-means clustering played an important role in the classification process of ENN. With the help of feature scoring, the ENN model showed a good accuracy of 0.997.

Figure 9 shows that the ENN had less accuracy (0.915) on the UNSW-NB15 dataset without k-means clustering, demonstrating that feature ranking played an important role in the classification. Figure 10 shows the comparative results of different deep learning models. We compared the current proposed scheme with a CNN, LSTM, and DNN on the IoR dataset.

The proposed scheme showed the best performance when compared to a CNN, LSTM, and DNN. On dataset 1, the ENN had an accuracy of 0.997, the CNN had an accuracy of 0.87, the LSTM network had an accuracy of 0.90, and the DNN had an accuracy of 0.92. The inclusion of scaling, shifting, and rotating parameters made the ENN the best model among the others.

4.2. Performance of ENN on IOR Dataset

K-means clustering played an important role in the classification process of ENN. With the help of feature scoring, the ENN model had a good accuracy of 0.993.

Figure 11 shows that the ENN had less accuracy (0.873) on the IoR dataset without k-means clustering, demonstrating that feature ranking played an important role in the classification. Figure 12 shows the comparative results of different deep learning models. We compared the current proposed scheme with a CNN, LSTM, and DNN on the IoR dataset:

The proposed scheme showed the best performance when compared to a CNN, LSTM, and DNN. On dataset 2, the ENN had an accuracy of 0.993, the CNN had an accuracy of 0.87, the LSTM network had an accuracy of 0.89, and the DNN had an accuracy of 0.82. The inclusion of scaling, shifting, and rotating parameters made the ENN the best model among the others. In order to balance the distribution, the ENN was primarily used to construct synthetic class samples of the minority class. The Undersampling technique was then applied to remove unnecessary points from the boundary between the two classes in order to increase the distance between the two classes. Due to the nature of the rotating, shifting and scaling, the ENN outperformed the other methods in this study. Previous studies are compared to the current study in the following

Table 4. Comparative Analysis of Previous and Current Studies.

References	Techniques	Datasets	Accuracy (%)	Precision	Recall	F1 Score
[2]	CNN	CAN dataset	83.5%	82.4%	82.4%	82%
[15]	LSTM	UNSW dataset	91%	89%	88%	89%
[27]	SVM, KNN	IoR dataset	85.4%	83%	84%	84%
[28]	GMM	UNSW dataset	89%	89%	88%	89%
[28]	CNN	UNSW dataset	90%	89%	88%	89%
[13]	CNN	UNSW dataset	90%	89%	88%	89%
[16]	LSTM	UNSW dataset	90%	89%	88%	89%
[17]	LSTM	KDD	90%	89%	88%	89%
[18]	CNN	KDD	81%	79%	78%	79%
[21]	CNN	UNSW dataset	79%	79%	78%	79%
This study	ENN	UNSW, IOR dataset	99.7%, 99.3%	98.5%, 98.3%	97%, 97%	98%, 98.5%

.

5. Conclusions

The automotive industry has been transformed by technological breakthroughs. Network speeds have increased, making it easier for vehicles to convert from mechanical control to software control. The self-driving train network is controlled via the Controlled Area Network (CAN) bus protocol. Data and traffic characteristics promote unauthorized CAN bus access and attacks on the autonomous railway network. There is a need for an early attack detection system on CAN bus protocols to avoid the harmful consequences of these attacks. Artificial intelligence is used to protect the rail network against cyberattacks. The self-driving train is protected by advanced artificial intelligence techniques. Using the IOR DATASET and the UNSW-NB15, the proposed security solution was evaluated. Using an ENN, we were able to identify several forms of attacks. Our proposed ENN model outperformed the competition using feature scoring. The introduction of scaling, rotating, and shifting parameters in the hidden layers of the neural network improved the accuracy of the ENN. Using the UNSW-NB15 data, the ENN outperformed the other methods tested in the detection task, with an accuracy of 99.7%, compared to the accuracy of 90% achieved by the CNN, LSTM, and DNN on the first dataset. The ENN surpassed the CNN (87%), LSTM (89%), and DNN (82%) in the second dataset. Its detection and classification accuracy and real-time CAN bus security were superior to those of earlier solutions. The disadvantages of the proposed model are that it requires high computing resources and a powerful system to operate.