writing summary in computer science filed

I need to write analysis to this paper that I attached the document should have these points

Motivation

contribution and her explain the proposed mothed with more details and explain it very good.

Result : Also, with details

Limitation or drawback

Conclusion for the whole paper

Intrusion detection in smart cities using Restricted Boltzmann Machines Asmaa Elsaeidy a,* , Kumudu S. Munasinghe a , Dharmendra Sharma a , Abbas Jamalipour b a Faculty of Science and Technology, University of Canberra, ACT 2601, Australia b School of Electrical and Information Engineering, University of Sydney, NSW 2006, Australia ARTICLE INFO Keywords: Smart cities Distributed denial of service Restricted Boltzmann Machines Feed forward neural networks ABSTRACT Smart cities have received greater attention over the recent years. Despite its popularity, unsecured smart city networks have become potential back door entry points. Distributed Denial of Service (DDoS) attacks are one of the most widespread threats to smart city infrastructure. In this paper, a smart city intrusion detection framework based on Restricted Boltzmann Machines (RBMs) is proposed. RBMs are applied due to their ability to learn highlevel features from raw data in an unsupervised way and handle real data representation generated from smart meters and sensors. On top of these extracted features, different classifiers are trained. The performance of the proposed methodology is tested and benchmarked using a dataset from a smart water distribution plant. The results show the efficiency of the proposed methodology in attack detection with high accuracy. In addition, the proposed methodology outperforms the classification model applied without features learning step. 1. Introduction Smart orientation represented by smart cities, smart grids, and smart homes have introduced new security challenges. Security of smart cities plays an important role in saving time and money, and affecting citizens’ life and health. In recent years, there are some tangible works that have been applied to detect cyber-attacks in smart cities by adopting methods from machine learning filed. Recently, deep learning models, such as convolutional neural networks (Wu et al., 1993), Restricted Boltzmann Machines (RBMs) (Teh and Hinton, 2001), deep belief nets (Hinton et al., 2006), and deep auto encoders (Madani and Vlajic, 2018) have been integrated with typical machine learning methods for anomaly-based detection tasks to enhance detection accuracy. Despite the efficiency of deploying machine learning algorithms for anomaly-based detection tasks in general and smart cities in specific, utilizing deep learning methods to enhance anomaly-based detection tasks in smart cities does not reach its full potential yet for three main reasons. First, there is a lack of how deep learning can inquire high achievements to develop security frameworks for smart cities. Second, most of proposed works have been focused on triggering attack alerts in traffic data, where determining attacks spots are more vital to prevent and block these attacks. Finally, the focus of most proposed works is to detect attacks based on traffic data without considering users behaviours which is more reliable to depend on. RBM is an undirected generative model with two layers, visible and hidden, where both layers contain binary stochastic units fully connected to each other. In the context of intrusion detection in smart cities, RBM is a preferred choice for several reasons: modelling unknown data distribution; unsupervised features extraction which could be efficient to learn user behaviours from raw traffic data; and the ability to handle different data representations, real representation in specific, generated from smart meters and sensors. The work in this paper is introduced toward complementing the ongoing work to build reliable and efficient security frameworks for smart cities. In this paper, an intrusion detection framework is proposed which consists of two main parts: deep RBM model to extract high-level features from network traffic; and the classification part to detect different types of DDoS attacks based on learned features from deep RBM model. The performance of the proposed methodology is tested and verified on selected benchmark dataset from smart water plant. We applied typical feed-forward neural network (FFNN) (Micusik et al., 2002), automated FFNN, where an automated procedure is applied to select the best hyper-parameters, random forest (RF) (Breiman, 2001) and support vector machine (SVM) (Hsu and Lin, 2002) models. The experimental results show the ability of the proposed methodology to detect DDoS attacks in an efficient and accurate way. The remainder of this paper is organized as follows: Section 2 provides brief background for smart cities and related work. The proposed methodology is introduced in Section 3. The experimental evaluation, including brief description for the smart water distribution system and the experimental setups, is explained in Section 4. The results and discussion are described in Section 5. Finally, Section 6 concludes the paper and highlights future directions. * Corresponding author.asmaa. E-mail address: Asmaa.Elsaeidy@canberra.edu.au (A. Elsaeidy). Contents lists available at ScienceDirect Journal of Network and Computer Applications journal homepage: www.elsevier.com/locate/jnca https://doi.org/10.1016/j.jnca.2019.02.026 Received 4 September 2018; Received in revised form 27 January 2019; Accepted 25 February 2019 Available online 5 March 2019 1084-8045/© 2019 Elsevier Ltd. All rights reserved. Journal of Network and Computer Applications 135 (2019) 76–83 2. Background and related work In the recent years, smart cities have significant impact due to their leverage and big influence on life of citizens. Smart city is about connecting day activities that citizens need with smart devices to easily access and control different services such as parking, public transportation, billing and healthcare (Panigrahi et al., 2016). Smart city infrastructure is based on Internet of Things (IoT) concept, and consists of three layers: perception, network and application layers (Iraji et al., 2017). The perception layer is responsible for collecting data from sensors and transmitting it into gate-ways. This layer includes sensors, cameras and RFID tags. The network layer, also called the communication layer, includes the core network and its main task is to transfer collected data from sensors into the cloud for analysis. Finally, the application layer links user required services with the cloud processed data (Wu et al., 2010). As any new trend, there are some successful factors and challenges to make smart city achieves its targets, such as security, mobility, scalability, latency and deployment. Although the ability of smart city technologies to provide citizens with needed services easily and smartly, it poses a set of security and privacy challenges on life of citizens (Khatoun and Zeadally, 2016). Citizen's privacy is represented as authentication. Protocols that identifies each user identity to pass through the system. Authorization or access control is defined as the mechanism that is used to differentiate legitimate user from illegitimate one (Yan et al., 2012). Cyber security main aim is to secure cyber-space from cyber-attacks that could lead to network damage or service unavailability (Wang and Lu, 2013). The huge amount of exchanged data in IoT applications increases the possibility of cyber-attacks that threat citizens privacy, information integrity, confidentiality and service availability. Cyber-attacks could target the physical layer, data link layer, network layer, transport layer or application layer (Garcia-Font et al., 2017). Distributed Daniel of Service (DDoS) attacks are the most popular attacks that threaten variety of smart city applications. DDoS attacks obscure services form end users through set of distributed created agents by attackers (Gharaibeh et al., 2017). There are many shapes of DDoS attacks, such as Smurf, HTTP flood, UDP flood, SIDDOS and SYN flood. DDoS attack attempts to send large amount of packets from different sources, called zombies, to offload servers and stop them from replaying to legitimate users which results to service unavailability (Douligeris and Mitrokotsa, 2004), as shown in Fig. 1. Intrusion detection systems (IDS) are the defence action taken to reveal different cyber-attacks. There are three security mechanisms used to protect a system against harmful attacks: prevention, detection and mitigation (Ahmed et al., 2016) (Butun et al., 2014). Intrusion prevention is represented in encryption and authentication, but it is not enough to protect networks from malicious nodes or attackers. Intrusion detection can be used as second wall to protect networks from malicious attacks as early as possible and minimize resulted harms in mitigation step. Typical IDS is classified according to intrusion type, intruder type, and used detection methodology (Butun et al., 2014). IDSs can be classified based on applied methodology, into three basic types (Ahmed et al., 2016): anomaly-based, misuse-based, and hybrid-based. In anomaly-based type, IDS is based on observing network behaviour and identifying abnormal behaviours based on intrinsic normal behaviour. In misuse-based type, IDS uses a profile of previous known attacks as a reference to detect future ones. However, if the attack is new and not profiled before, IDS will fail to detect it. In hybrid-based type, IDS combines merits of both anomaly and Misuse-based detection methodologies (Haider et al., 2017). In the recent years, applying anomaly-based models for cyber-attacks detection in smart city architectures get a noticeable attention. In (Chen et al., 2009), a proposed IDS based on rough sets is proposed. This model tries to improve the false alarm rate detection by reducing feature space dimensions using rough sets. Based on this feature reduction step, support vector machines are applied to classify different types of attacks. Similar to this work, an intrusion detection system based on artificial neural networks is proposed, but without applying a dimensionality reduction step (Li et al., 2010) (Hodo et al., 2016). This proposed model proves its efficiency in threat analysis and the distinction between normal and abnormal traffic in efficient way. In (Kasinathan et al., 2013) and (Raza et al., 2013), a real time intrusion detection system is applied on IoT 6LOWPAN networks to reveal different sinkhole and selective forwarding attacks, DDoS attacks in specific. In (Bostani and Sheikhan, 2017), an intrusion detection system is proposed which implements mapreduce technology for attack detection in large scale. Another attempt for building more efficient and accurate intrusion detection systems is introduced in (Yin et al., 2017). In this work, a deep self-taught learning model with two classification stages is applied for attack detection. In (Fiore et al., 2013), an RBM model is applied for attack detection. Similar to the previous work, deep RBM model is proposed to extract high-level features which are used to detect DDoS attack for smart cities (Elsaeidy et al., 2017). 3. Proposed methodology The proposed methodology consists of two main parts: the RBM Fig. 1. Illustrative example of DDoS attack in smart water plant. A. Elsaeidy et al. Journal of Network and Computer Applications 135 (2019) 76–83 77 model for feature learning and the classifier model for attack detection, as shown in Fig. 2. Typical RBM models are commonly applied on binary data using binary visible units. However, different types of visible units are introduced to handle different representations, such as Gaussian units for real data. The raw dataset generated from smart water system has total of six features represented in real values representation, where each record could be a normal or attack behaviour. In smart cities, more than one attack could be exist, so we applied a clustering step to re-group attack records into more than one category. Given the re-grouped dataset, RBM model is applied to learn high-level features in unsupervised way by stacking layers on top of each other. Each layer is an RBM model with Gaussian visible and hidden units. After that, classifier model is trained to distinguish between normal and different types of DDoS attacks. Four classifier models are selected including: FFNN automated FFNN, RF and SVM. These models are well known and widely applied classification models to variety of problems. For automated FFNN, a simple grid-search approach for finding the best hyper-parameters for FFNN is selected with a combination of values for learning rate, momentum and number of hidden neurons, where the cost function is the classification accuracy. The main part of the proposed detection system is the deep learning model which is used to learn high-level features and patterns from network traffic flow represented by sensors’ readings. Typical intrusion detection systems are working directly on this type of data to identify the attacks. However, this raw data could not be representative enough to detect an attacker. In order to identify useful features from this raw data, two approaches could be applied: human-based feature extraction or learning-based feature extraction. In human-based feature extraction, an expert human in the field identifies and extract useful features that could be used by machine learning algorithm, while in learning-based feature extraction, features are learned directly from the raw data (Abdelbary and El-Korany, 2013). The extracted features using human-based approach still could not be rich enough to represent the original raw data, so it is preferable to learn these features from data directly. Features learning could be done at hierarchical levels by learning more higher features based on previous extracted ones. The common applied machine learning algorithms for features learning is deep learning models. Deep learning is a stack of layers, where each layer learns from the previous one (Edwards, 2015). In this paper, the proposed intrusion detection system is based on deep RBM model. A typical RBM architecture consists of a visible layer of N nodes and a hidden layer of M nodes. The nodes are connected to each other across visible and hidden layers, but no nodes of the same layer are linked. Given a sample training input v via the visible layer nodes, the binary activation value for each Hidden unit hj is calculated as follows: p hj ¼ jv ¼ σ bj þXN i¼1 υiwij! (1) Given a hidden vector h, the binary activation value for each visible unit vi is calculated.as follows: pðυi ¼ 1jhÞ ¼ σ ai þXM j¼1 hjwij! (2) where σ is the logistic activation function, ai is the visible unit bias value, bj is the hidden unit bias value, and wij is the weight values between visible and hidden nodes. The probability that could be assigned to a visible vector v is calculated as follows: pðυÞ ¼ 1 Z X h expEðυ;hÞ (3) where Z is the partition function which is calculated by summing over all possible pairs of visible and hidden vectors and it acts as a normalization factor for the joint probability distribution of the network (Hinton, 2010), and E (v, h) is the joint configuration (energy) of the visible and hidden nodes which is calculated as follows. Eðυ; hÞ¼XN i¼1 aiυi XM j¼1 bihi X i:j υihjwij (4) The training procedure of the RBM is based on adjusting the network weights toward minimizing the energy assigned to the visible vectors as follows: δwij ¼ ε υihj data υihj model (5) where the angle brackets refers to the expectations and is the learning rate. Since there are no connections among hidden units, getting a sample of < vihj >data is easy, but calculating the term < vihj >model is much harder since we need to start with a random state of visible units and perform a sampling for a very long time (Hinton, 2010). This problem is solved by the proposed algorithm called contrastive divergence (CD) (Yuille, 2005), where the model term is replaced by the reconstruction of the visible vectors from a hidden state given an input vector from the training set. This changes the learning rule formula to be as follows: δwij ¼ ε υihj data υihj recon (6) Different types of units can be used in addition to the stochastic Fig. 2. The proposed intrusion detection framework. A. Elsaeidy et al. Journal of Network and Computer Applications 135 (2019) 76–83 78 binary units depending on the nature of data, such as Gaussian units, binomial units, or rectified linear units (Hinton, 2010). The deep RBM part of the proposed methodology uses Gaussian visible units with stochastic binary hidden units which is more suitable to the nature of the dataset used in this paper. By using a Gaussian visible unit, the energy function will be calculated as follows: Eðυ; hÞ¼XN i¼1 ðυi aiÞ 2 2σ2 i XM j¼1 bjhj X i:j υi σi hjwij (7) where σ is the standard deviation. RBM networks can be used for building deep models by learning highlevel features based on the previous learned ones. Deep RBM model is built by stacking more than one RBM model on the top of each other in gridy wise procedure (Srivastava and Salakhutdinov, 2012). The first layer in a deep RBM model learns from the raw data features, then the generated new features from this RBM is used as the new dataset to train the next RBM layer (Hinton et al., 2006). 4. Experimental evaluation In this section, the details of the experimental setup and the dataset that is used to validate the proposed methodology performance are presented. 4.1. Smart water distribution system The system used to generate the dataset is related to a smart water system. It is physically constructed and uses physical Micro-CI testbed (Hurst et al., 2017). The system is composed of two peristaltic pumps, with 12 voltage, to raise the water from its external sources. These pumps are used to fill the water tanks with specified levels connected with two water level sensors. The water level and the outgoing flow rate are monitored using remote terminal unit (RTU), which is physically represented with Arduino UNO rev.3. The pump speed is adjusted dynamically to ensure a suitable renewal for the water tanks. There is a USB connection between the Arduino board and a PC representing the network connection, where the real data gathering is supported by a serial connection. The measured metrics that is collected during this experiment are: pump speeds, water level and the flow meter. The readings are collected periodical every 0.25 s. The system is simulated in (Hurst et al., 2017) using object oriented modelling approach with variety of objects representing a water source, two pumps, two tanks and network of pipes. The dataset is generated from the physical system and the simulated model as well. The normal data records are collected, while anomalies such as DDoS attacks are recorded by changing the characteristics of the pump speed and the interrupted readings from the sensors. 4.2. Experimental setup The performance of the proposed methodology to detect different DDoS attacks is evaluated using different variations of the original generated dataset from the smart water distribution system. The original generated dataset contains records differentiated to be either normal or attack record. In real-life scenarios, there is more than one DDoS attack that threatens smart cities. To mimic this behaviour, we applied the kmeans clustering algorithm to re-group DDoS attack records from 1 to 10 groups. This clustering process provides us with 10 different versions of the original dataset. In the experiments, each version of the dataset generated from kmeans algorithm is processed by RBM model to learn high-level features. We applied deep RBM model up to 5 layers. This provides us with 5 subversions of each main version of the dataset generated from clustering algorithm with different K values. The first sub-version is generated by applying RBM with only one layer, the second sub-version is generated by applying RBM with two layers and so on until we have the fifth subversion of the dataset which is generated by applying RBM with 5 layers. For each sub-version we applied FFNN, automated FFNN, RF and SVM classification models. Classification models are trained by dividing the dataset into training, validation and testing parts. For each dataset generated from the clustering algorithm with K values, we have total of 5 datasets and 4 classification algorithms applied to each one. This provides us with total of 20 experiments. Given that we have varying K values for the clustering algorithm, this gives us with total of 200 experiments. Each dataset is normalized to have zero mean and unit variance. The k-means clustering algorithm and deep RBM model are implemented using Matlab 9.1.0.441655 (R2016b). The FFNN, automated procedure for learning FFNN, RF and SVM are implemented using Java SDK 1.8.0 151 and Weka 3.8 libraries. The experiments are run on an Intel core i5 CPU 2.4 GHz with 16 GB of RAM and Windows 10 (64-bit) machine. For k-means clustering algorithm, K is varying from 1 to 10 and maximum number of iterations is 500. For the RBM model, the number of layers are varying from 1 to 5, hidden units of 50 for each hidden layer, epocs of 500, learning rate of 0.001, batch size of 100, and initial and final momentum values are 0.5 and 0.9, respectively. For FFNN, epocs of 500 are used, learning rate of 0.3 and momentum of 0.2. For automated procedure of FFNN, the learning rate value is varying from 0.2 to 0.8, momentum value is varying from 0.2 to. 0.8 and hidden units are varying from 50 to 100. For RF, bag size percentage is 100, batch size is 100, tree max depth is unlimited, and number of iterations is 100. For SVM, batch size is 100, the complexity parameter is 1.0 and epsilon is 1.0e-12. 5. Results and discussion This section represents the results conducted on the smart water distribution system dataset for different experimental setups discussed above. First, we visualize the F-measure values for learned classifiers using FFNN, automated FFNN, RF and SVM over varying the number of deep layers for each cluster as shown in Fig. 3. Second, we listed the Fmeasures values for all learned classifiers for different RBM deep layers for all clusters as shown in Table 1. We highlighted in this table the best classifier model with best number of deep RBM layers, the best classifier model overall each cluster and the best classifier model overall all clusters. Third, we visualize the F-measure values for the FFNN vs. Automated FFNN vs. RF vs. SVM learned models combined with RBM model with one layer over all clusters, as shown in Fig. 4. We picked the classifier models combined with one layer RBM model since it provides us with best learned model over other learned models with more deep RBM layers. For learned models using FFNN, automated FFNN, RF and SVM, the performance of the learned models represented by F-measure values is improved by feature learning step using RBM model compared to applied classifiers without RBM model, except for SVM learned models for clusters from 1 to 4 and auto-mated FFNN for clusters 3 and 4, where the best leaned models applied without RBM outperforms the performance of learned models that applied the RBM for feature learning with different layers. However, increasing the number of RBM layers affects the performance of learned models by decreasing F-measure values, specifically when adding fourth RBM layer which cause a drop in the F-measure value to around 0.333, except for RF and SVM classifiers where the performance did not dropped that much which is higher than 0.9, as shown in Table 1. In addition, RF best learned models for clusters from 3 to 10 improves the performance by applying RBM model with more than one layer, as shown in Table 1. Learned models using automated FFNN outperforms learned models using FFNN, RF and SVM with higher F-measure values for all clusters, except for clusters 4, 7 and 9. Where SVM outperforms all other A. Elsaeidy et al. Journal of Network and Computer Applications 135 (2019) 76–83 79 classifiers. Another observation is that the performance of the learned models represented by F-measure values decreased with the increase in the number of clusters for FFNN, auto-mated FFNN, RF and SVM, as shown in Fig. 3. The reason for that could be the complexity that added to the dataset by introducing more number of classes (attack types), which makes the problem harder for classifier models. An increase in number of RBM layers does not improve the classifiers performance, especially after layer 3, where the performance is dropped to low F-measure values. This probably due to the inability of RBM model to learn more high-level features than three levels for this dataset. Also, the simplicity of the dataset with small number of features (only six features) could have this impact on the performance of RBM model. Although the small number of features the dataset has, its real-value representation is also challenging to handle for RBM models, since they Fig. 3. Learned models using FFNN, automated FFNN (A FFNN), RF and SVM by varying deep RBM layers for each cluster. A. Elsaeidy et al. Journal of Network and Computer Applications 135 (2019) 76–83 80 are originally proposed to handle binary representation for a dataset features. In addition, applying RBMs for real data representation is tricky and causes an instability issues during training. Even if the dataset is in binary representation, this will cause a loss in the information which will not provide us with an expected reliable performance. The best learned model overall all clusters is the one learned using automated FFNN with one RBM layer for the dataset version represented with cluster 2 (2 attack classes are assumed). This somehow reasonable since the small number of classes makes the job for classifier model less complicated. However, the larger number of attack classes, as we assumed by applying k-means algorithm, makes more sense and makes the problem of attack detection more similar to real-life scenarios, where more than one DDoS attack could attack smart city applications. Introducing more attacks to the problem makes the learning process more challenging, where more enhancements to the classifiers and feature learning models are needed. When we compare the best learned models using FFNN, automated FFNN, RF and SVM with one layer RBM model overall clusters, since these models reported the best performance, as shown in Fig. 4, the Fmeasure values for the learned models for the first two clusters are very close to each other, except for SVM, with small improvement introduced by automated FFNN model over all other classifiers. Starting from cluster 3 to 10, the gap in performance between FFNN, automated FFNN and SVM models becomes more closer, where the performance of RF classifier starts to decrease. However, at cluster 10, the F- measure values are dropped to around 0.6 where it was above 0.9 in all previous learned models over all remaining clusters from 1 to 9. 6. Conclusion Smart cities and their applications play an important role in citizens’ life. Smart city infrastructure is based on the concept of Internet of things which inherits the advantages of the typical networking and wireless different technologies. However, it also inherits the security problems and the threats come from cyber-attacks, DDoS attacks in specific. Toward securing smart city infrastructure and different applications run over it, variety of attack detection methods are proposed. The work in this paper explores the ability of machine learning approaches to detect DDoS attacks that threats smart city applications. In particular, we have investigated whether applying unsupervised feature learning algorithm could enhance the performance of typical attack detection algorithm to intrusion detection. To test this hypothesis, we evaluated the proposed methodology performance for attack detection on a generated data from smart water distribution system. We varied the deep level of RBM models by varying number of deep layers to be used, in addition we created different versions of the original dataset to have more than one attack type where the original dataset has only one type. Feed forward neural networks with pre-selected and automated selected hyper-parameters, random forest and support vector machines classifiers are used in this paper. The experimental results showed the ability of the automated FFNN for at-tack detection with high accuracy which also outperforms the typical FFNN, RF and SVM learned models. In addition, the reported best learned models are the ones combined with RBM models with only one layer. Increasing the number of RBM layers cause a decreasing in accuracy for the learned models. Also, increasing number of clusters has an effect on the attack detection performance which is decreased by increasing the number of classes generated by the clustering algorithm. The work introduced in this paper is a part of ongoing research to enhance the security levels for smart cities' infrastructures and toward building an end-to- end integrated security platforms for different running smart applications that affects different aspects for citizens’ life. Worthwhile extensions to the proposed work in this paper could be by generating a dataset for smart application, such as smart grid, with more rich features and types of attacks to test the performance of the proposed methodologies with more complicated cases and scenarios. Table 1 F-measure values of learned classifiers through different number of deep layers for each cluster (y indicates best model for each classifier (FFNN, automated FFNN, RF, SVM). RBM Layers 0 1 2 3 4 Cluster for K ¼ 1 F F NN 0.9942 y 0.9977 0.9826 0.9783 0.3333 A F F NN 0.9971 * y 0.9987 0.9956 0.9783 0.3465 RF 0.9783 y 0.9969 0.9961 0.9951 0.9896 SV M y 0.9810 0.9783 0.9783 0.9783 0.9783 Cluster for K ¼ 2 F F NN 0.9918 y 0.9973 0.9812 0.9783 0.3333 A F F NN 0.9979 * y 0.9987 0.9951 0.9783 0.3333 RF 0.9783 y 0.9962 0.9951 0.9948 0.9860 SV M y 0.9795 0.9783 0.9783 0.9783 0.9783 Cluster for K ¼ 3 F F NN 0.9743 y 0.9770 0.9479 0.9345 0.3333 A F F NN * y 0.9866 0.9792 0.9721 0.9497 0.3333 RF 0.9521 0.9429 0.9488 y 0.9664 0.9421 SV M y 0.9811 0.9785 0.9731 0.9704 0.9696 Cluster for K ¼ 4 F F NN 0.9550 y 0.9679 0.9463 0.6369 0.3333 A F F NN y 0.9761 0.9750 0.9578 0.9157 0.3333 RF 0.9454 0.9296 0.9417 y 0.9501 0.9263 SV M * y 0.9862 0.9756 0.9689 0.9632 0.9631 Cluster for K ¼ 5 F F NN 0.9325 y 0.9677 0.9300 0.5746 0.3333 A F F NN 0.9681 * y 0.9768 0.9548 0.9050 0.3333 RF 0.9292 0.9283 y 0.9505 0.9480 0.9263 SV M 0.9611 0.9701 y 0.9677 0.9677 0.9632 Cluster for K ¼ 6 F F NN 0.9381 y 0.9623 0.9192 0.5288 0.3333 A F F NN 0.9655 * y 0.9711 0.9551 0.9132 0.3333 RF 0.9281 0.9364 y 0.9545 0.9515 0.9370 SV M 0.9575 y 0.9701 0.9689 0.9674 0.9635 Cluster for K ¼ 7 F F NN 0.9408 y 0.9596 0.9302 0.5479 0.3333 A F F NN 0.9687 y 0.9696 0.9510 0.9057 0.3333 RF 0.9254 0.9305 y 0.9559 0.9502 0.9276 SV M 0.9642 * y 0.9738 0.9679 0.9652 0.9589 Cluster for K ¼ 8 F F NN 0.9435 y 0.9589 0.9364 0.5037 0.3333 A F F NN 0.9623 * y 0.9697 0.9434 0.9212 0.3333 RF 0.9293 0.9362 y 0.9575 0.9526 0.9385 SV M 0.9562 y 0.9684 0.9667 0.9639 0.9564 Cluster for K ¼ 9 F F NN 0.9345 y 0.9629 0.9092 0.5026 0.3333 A F F NN 0.9656 y 0.9679 0.9390 0.8995 0.3333 RF 0.9350 0.9341 y 0.9504 0.9500 0.9220 SV M 0.9531 * y 0.9685 0.9641 0.9605 0.9535 Cluster for K ¼ 10 F F NN 0.5297 y 0.9479 0.9157 0.5002 0.3333 A F F NN 0.6481 * y 0.9576 0.9400 0.9048 0.3333 RF 0.7310 0.9281 0.9437 y 0.9465 0.9154 SV M 0.6972 y 0.9575 0.9499 0.9456 0.9454 Fig. 4. F-measure values for FFNN, automated FFNN (A FFNN), RF and SVM models combined with RBM model with one layer over the ten clusters. A. Elsaeidy et al. Journal of Network and Computer Applications 135 (2019) 76–83 81 References Abdelbary, H., El-Korany, A., 2013. Semantic topics modeling approach for com- munity detection. Int. J. Comput. Appl. 81 (6). Ahmed, M., Mahmood, A.N., Hu, J., 2016. A survey of network anomaly detection techniques. J. Netw. Comput. Appl. 60, 19–31. Bostani, H., Sheikhan, M., 2017. Hybrid of anomaly-based and specification-based ids for internet of things using unsupervised opf based on mapreduce approach. Comput. Commun. 98, 52–71. Breiman, L., 2001. Random forests. Mach. Learn. 45 (1), 5–32. Butun, I., Morgera, S.D., Sankar, R., 2014. A survey of intrusion detection sys- tems in wireless sensor networks. IEEE Commun. Surv. Tutor. 16 (1), 266–282. Chen, R.-C., Cheng, K.-F., Chen, Y.-H., Hsieh, C.-F., 2009. Using rough set and support vector machine for network intrusion detection system. In: Intelligent Information and Database Systems, 2009. ACIIDS 2009. First Asian Conference on. IEEE, pp. 465–470. Douligeris, C., Mitrokotsa, A., 2004. Ddos attacks and defense mechanisms: classification and state-of-the-art. Comput. Network. 44 (5), 643–666. Edwards, C., 2015. Growing pains for deep learning. Commun. ACM 58 (7), 14–16. Elsaeidy, A., Elgendi, I., Munasinghe, K.S., Sharma, D., Jamalipour, A., 2017. A smart city cyber security platform for narrowband networks. In: Telecom- Munication Networks and Applications Conference (ITNAC), 2017 27th International. IEEE, pp. 1–6. Fiore, U., Palmieri, F., Castiglione, A., De Santis, A., 2013. Network anomaly detection with the restricted Boltzmann machine. Neurocomputing 122, 13–23. Garcia-Font, V., Garrigues, C., Rif`a-Pous, H., 2017. Attack classification schema for smart city wsns. Sensors 17 (4), 771. Gharaibeh, A., Salahuddin, M.A., Hussini, S.J., Khreishah, A., Khalil, I., Guizani, M., AlFuqaha, A., 2017. Smart cities: a survey on data management, security, and enabling technologies. IEEE Commun. Surv. Tutor. 19 (4), 2456–2501. Haider, W., Hu, J., Slay, J., Turnbull, B., Xie, Y., 2017. Generating realistic intrusion detection system dataset based on fuzzy qualitative modeling. J. Netw. Comput. Appl. 87, 185–192. Hinton, G., 2010. A practical guide to training restricted Boltzmann machines. Momentum 9 (1), 926. Hinton, G.E., Osindero, S., Teh, Y.-W., 2006. A fast learning algorithm for deep belief nets. Neural Comput. 18 (7), 1527–1554. Hodo, E., Bellekens, X., Hamilton, A., Dubouilh, P.-L., Iorkyase, E., Tachtatzis, C., Atkinson, R., 2016. Threat analysis of iot networks using artificial neural network intrusion detection system. In: Networks, Computers and Communications (ISNCC), 2016 International Symposium on. IEEE, pp. 1–6. Hsu, C.-W., Lin, C.-J., 2002. A comparison of methods for multiclass support vector machines. IEEE Trans. Neural Netw. 13 (2), 415–425. Hurst, W., Shone, N., Shi, Q., Bazli, B., 2017. Micro-ci: a model critical infrastructure testbed for cyber-security training and research. Int. J. Adv. Secur. 10 (1&2), 114–125. Iraji, S., Mogensen, P., Ratasuk, R., 2017. Recent advances in m2m communications and internet of things (iot). Int. J. Wirel. Inf. Netw. 24 (3), 240–242. Kasinathan, P., Pastrone, C., Spirito, M.A., Vinkovits, M., 2013. Denial-of-service detection in 6lowpan based internet of things. In: 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob). IEEE, pp. 600–607. Khatoun, R., Zeadally, S., 2016. Smart cities: concepts, architectures, research opportunities. Commun. ACM 59 (8), 46–57. Li, J., Liu, Y., Gu, L., 2010. Ddos attack detection based on neural network. In: Aware Computing (ISAC), 2010 2nd International Symposium on. IEEE, pp. 196–199. Madani, P., Vlajic, N., 2018. Robustness of deep autoencoder in intrusion detection under adversarial contamination. In: Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security. ACM, p. 1. Micusik, D., Stopjakova, V., Benuskova, L., 2002. Application of feed-forward artificial neural networks to the identification of defective analog integrated circuits. Neural Comput. Appl. 11 (1), 71–79. Panigrahi, B., Rath, H.K., Ramamohan, R., Simha, A., 2016. Energy and spectral efficient direct machine-to-machine (m2m) communication for cellular internet of things (iot) networks. In: Internet of Things and Applications (IOTA), International Conference on. IEEE, pp. 337–342. Raza, S., Wallgren, L., Voigt, T., Svelte, 2013. Real-time intrusion detection in the internet of things. Ad Hoc Netw. 11 (8), 2661–2674. Srivastava, N., Salakhutdinov, R.R., 2012. Multimodal learning with deep Boltzmann machines. In: Advances in Neural Information Processing Systems, pp. 2222–2230. Teh, Y.W., Hinton, G.E., 2001. Rate-coded restricted Boltzmann machines for face recognition. In: Advances in Neural Information Processing Systems, pp. 908–914. Wang, W., Lu, Z., 2013. Cyber security in the smart grid: survey and challenges. Comput. Network. 57 (5), 1344–1371. Wu, Q.-Z., Cun, Y., Jackel, L.D., Jeng, B.-S., 1993. On-line recognition of limitedvocabulary Chinese character using multiple convolutional neural networks. In: Circuits and Systems, 1993, ISCAS '93, 1993 IEEE International Symposium on. IEEE, pp. 2435–2438. Wu, M., Lu, T.-J., Ling, F.-Y., Sun, J., Du, H.-Y., 2010. Research on the architecture of internet of things. In: Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on, vol. 5. IEEE, pp. V5–V484. Yan, Y., Qian, Y., Sharif, H., Tipper, D., 2012. A survey on cyber security for smart grid communications. IEEE Commun. Surv. Tutor. 14 (4), 998–1010. Yin, C., Zhu, Y., Fei, J., He, X., 2017. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access 5, 21954–21961. Yuille, A.L., 2005. The convergence of contrastive divergences. In: Advances in Neural Information Processing Systems, pp. 1593–1600. Asmaa Elsaeidy received a B.Sc. in 2004 and a M.Sc. in 2011, both in information systems and technology from Faculty of Computers and Informatics, Zagazig University, Egypt. She is currently working in her PhD at Faculty of Science and Technology, University of Canberra, Canberra, Australia. Her PhD research focuses on developing security frameworks and intrusion detection systems for smart cities applications using machine learning approaches. Her research interests focus on smart cities, internet of things, cyber-security, machine learning and deep learning. She is awarded with the Best Paper Award for a 2017 published conference paper from her PhD work. Dr Kumudu Munasinghe holds a PhD in Telecommunications Engineering from the University of Sydney. He is currently an Assistant Professor in Network Engineering and the Group Leader of the IoT Research Lab at the University of Canberra. His research focuses on Next Generation Mobile and Wireless Networks, Internet-of-Things, Green Communication, Smart Grid Communications, and Cyber-Physical Systems and Security. Dr Munasinghe has authored over 100 refereed publications with over 750 citations (H-index 16) in highly prestigious journals, conference proceedings and two books to his credit. He has secured over $ 1.6 Million dollars in research funding by winning grants from the Australian Research Council (ARC), government, defence and private organisations. He won the highly prestigious ARC Australian PostDoctoral (APD) Fellowship, served as a chair for many IEEE international conferences and serve as an editorial board member for a number of journals. Dr Munasinghe's research has been commended through many awards including VC's Research Awards and three Best Paper Awards by the IEEE. He is currently a Senior Member of the IEEE and a Companion (Fellow) of the Engineers Australia. Professor Dharmendra Sharma is currently the Chair of University Academic Board and Professor of Computer Science at the University of Canberra (UC). He had been the Dean of the Faculty of Information Sciences and Engineering from 2007 to 2012 and as Head of School of the School of Information Sciences and Engineering from 2004 to 2007 at UC. He has assumed various senior leadership roles in universities for over twenty years and had been made a University Distinguished Professor by UC in 2012. Prof Sharma's research background is in the Artificial Intelligence areas of Planning, Data Analytics and Knowledge Discovery, Predictive Modelling, Constraint Processing, Fuzzy Reasoning, Brain-Computer Interaction, Hybrid Systems and their applications to health, education, security, digital forensics and sports. He has published over 270 research papers and has supervised to completion over 30 higher degrees research students. He has received several competitive research awards and grants, and recognition for his academic and research leadership initiatives. He has developed and led a strong industry and international university partnerships for courses, research and innovation. Prof Sharma is a Fellow of the Australian Computer Society, a Fellow of the South Pacific Computer Society, and a Senior Member of IEEE. He is a GAICD and has been elected as a Companion of the Institution of Engineers Australia - CompIEAust. Prof Sharma has regularly served on several industry, academic, and research bodies including company boards, government advisory and policy committees. He had completed his PhD from the Australian National University and postgraduate qualifications in Computer Science from the University of New South Wales and postgraduate and undergraduate qualifications in Mathematics and Science from the University of the South Pacific. He has been an academic for over 38 years. He was the founding President of the South Pacific Computer Society and a Branch Executive Member of the ACS Canberra Chapter. His research interests focus on distributed artificial intelligence, constraint satisfaction models and planning and applications of AI to human centered modelling and problem solving. A. Elsaeidy et al. Journal of Network and Computer Applications 135 (2019) 76–83 82 Abbas Jamalipour is the Professor of Ubiquitous Mobile Networking at the University of Sydney, Australia, and holds a PhD in Electrical Engineering from Nagoya University, Japan. He is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE), a Fellow of the Institute of Electrical, Information, and Communication Engineers (IEICE) and a Fellow of the Institution of Engineers Australia, an ACM Professional Member, and an IEEE Distinguished Lecturer. He is the Deputy Director for the Centre of Excellence in Telecommunications, and leads the Wireless Networking Group (WiNG) at the University of Sydney. He is the author of six technical books, nine book chapters, and over 350 technical papers in scholarly journals and international conferences, as well as five patents, all in the area of wireless communications. He is the recipient of many prestigious awards including the 2010 IEEE ComSoc Harold Sobol Award, the 2010 Royal Academy of Engineering UK Distinguished Fellowship, the 2006 IEEE ComSoc Distinguished Contribution to Satellite Communications Award, the 2006 IEEE ComSoc Best Tutorial Paper Award, and ten best paper awards. He is one of the most cited researchers in the field of mobile, cellular, and satellite networks with over 8500 citations (h-index: 40, i10-index: 135). He was the Editor-in-Chief IEEE Wireless Communications and currently he is an editor for several scholarly journals, including IEEE Trans. on Vehicular Technology. He has served in many IEEE positions including ComSoc Vice President for Conferences; Member ComSoc Finance Committee; Member ComSoc On-Line Contents Committee; Member ComSoc Education Board; Member ComSoc Conference Boards; Member IEEE TAB/PSPB Products & Services Committee; Chair Communication Switching and Routing TC; Chair Satellite and Space Communications TC; ViceDirector Asia Pacific Board. He has been a General Chair/ Technical Program Chair/Vice Chair of major IEEE conferences (e.g., RWS0 08, RWS0 09, WCNC0 10, GLOBECOM0 10, ICC0 11, GLOBECOM0 12, PIMRC0 12; ICC0 14; ICT0 15). Professor Jamalipour is an elected and voting member of the Board of Governors since 2014, and currently the Executive Vice President of the IEEE Vehicular Technology Society