Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp.

329-340

An Efficient Security Model for Industrial Internet of Things

(IIoT) System Based on Machine Learning Principles

Sahar L. Qaddoori* Qutaiba I. Ali**

[email protected] [email protected]
* Electronic Engineering Departement, Collage of Electronics Engineering, Ninevah University, Mosul, Iraq
** Computer Engineering Department, Collage of Engineering, University of Mosul, Mosul, Iraq

Received: 2022-07-30 Accepted: 2022-11-12

ABSTRACT
This paper presents a security paradigm for edge devices to defend against various internal and
external threats. The first section of the manuscript proposes employing machine learning models to identify
MQTT-based (Message Queue Telemetry Transport) attacks using the Intrusion Detection and Prevention
System (IDPS) for edge nodes. Because the Machine Learning (ML) model cannot be trained directly on low-
performance platforms (such as edge devices),a new methodology for updating ML models is proposed to
provide a tradeoff between the model performance and the computational complexity. The proposed
methodology involves training the model on a high-performance computing platform and then installing the
trained model as a detection engine on low-performance platforms (such as the edge node of the edge layer)
to identify new attacks. Multiple security techniques have been employed in the second half of the manuscript
to verify that the exchanged trained model and the exchanged data files are valid and undiscoverable
(information authenticity and privacy) and that the source (such as a fog node or edge device) is indeed what
it it claimed to be (source authentication and message integrity). Finally, the proposed security paradigm is
found to be effective against various internal and external threats and can be applied to a low-cost single-
board computer (SBC).

Keywords:
Anomaly Detection; MQTT packets; Intrusion Detection System (IDS); Firewall; Edge Device.

This is an open access article under the CC BY 4.0 license (http://creativecommons.org/licenses/by/4.0/).

https://rengj.mosuljournals.com
===================================================================================

1. INTRODUCTION The huge number of sensors, controllers,

In recent years, the Industrial Internet of and actuators used in the IIoT network to make
Things (IIoT) has developed as the fastest- intelligent business choices generate a lot of
evolving revolutionary technology, with the information, which has caught the attention of
capability of digitizing and connecting a wide hackers all over the world. IIoT-enabled devices
range of industries, resulting in huge economic and sensors, on the other hand, are deemed
possibilities and worldwide GDP (Gross resource-constrained devices with restricted
Domestic Product) growth. Smart homes, smart power, memory, and communication
cities, smart grids, logistics, transportation, linked capabilities.[1, 2].
autos, and supply chain management are all As a result, edge devices such as laptops,
examples of IIoT applications [1, 2]. Although the desktops, routers, mini servers, hand-held
IIoT offers exciting possibilities for the devices, and cellphones are utilized to connect
development of many industrial applications, it is sensors and cloud servers. These devices collect
vulnerable to cyberattacks and requires stricter data from sensors and send it to local servers after
security standards [1]. doing any essential preprocessing. Nevertheless,
since the number of IoT edge devices in the

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
330 Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …..

industry has grown rapidly, various security and

privacy issues have surfaced, posing a significant 2. RELATED WORKS
threat to IIoT's security and trustworthiness. Various studies have yielded many
Intruders may be able to take advantage of these approaches for IDSs in the workplace. Several
edge devices [2]. machine learning-based IDS for IIoT network
This might result in operational have been proposed in the literature. Table 1
inefficiencies, as well as financial and reviews the state-of-the-art and related studies [1].
reputational damage. One of the biggest issues in In 2019, this paper suggested the
current industrial contexts is ensuring architecture and detection method. The bottom
cybersecurity in the IIoT. It comprises virus layer network is subjected to a novel machine
protection, unwanted access prevention, and learning-based intrusion detection method, which
communication and physical privacy protection. significantly improves detection accuracy without
By installing modern and comprehensive security increasing training time. With the help of its great
procedures, the IIoT's security, privacy, and learning capability, a deep learning algorithm
trustworthiness may be improved. An Intrusion applied to the resource-rich upper layer network
Detection System (IDS) is one of the most delivers improved detection accuracy. The hybrid
important security keys in the context of IoT/IIoT architecture improves network security by
security by monitoring networks for malicious combining the advantages of both machine
activity or policy breaches [1-3]. learning and deep learning methods. Furthermore,
IDS might be based on signatures or hierarchical information interaction and resource
anomaly detection. Signature-based detection allocation reduce the network's existing
approaches that employ predetermined criteria are bandwidth and energy limit [7]. To discover
excellent at identifying assaults for previously anomalies in the water treatment process, this
observed patterns. Anomaly-based identification, study [8] provides a supervised learning strategy
on the other hand, is used to detect unknown that uses the Roll-forward technique for
assaults or attacks with a lack of clearly validation and Classification and Regression
established patterns. Machine learning algorithms Trees (CART) with integrals for classification. It
have recently been shown to prevent many includes the ability to validate time-series data
security vulnerabilities and improve the using Roll-forward validation, which is
performance of anomaly-based detection methods subsequently followed by classification using the
[4-6]. CART with invariants. It is simulated with the
In this manuscript, a security model for Mininet tool, and the accuracies of the train and
edge devices in IIoT networks is presented to test are respectively 99.9% and 98.1%.
protect edge devices against various external and In 2020, the technique in this paper [9] is
internal attacks. The main contributions are as based on two linear feature extraction algorithms,
follows: namely Principal Component Analysis (PCA) and
• Developing a lightweight IDS for edge devices Linear Discriminant Analysis (LDA), and it
to identify MQTT-based threats using ML monitors the actions of factory network traffic. To
models. evaluate the packets of network connections from
• Proposing a new update strategy by retraining the UNSW-NB15 database and discover and
the ML model on rich-computing devices such report abnormalities like malevolent assaults, a
as fog nodes, and then executing it on limited Machine-Learning-based technique is utilized.
resources devices such as edge nodes to deal In 2021, this thesis [10] focuses on
with new attacks. detecting and classifying DoS (Denial of Service)
• Multiple security techniques are used to attacks in MQTT sensor networks. To acquire
guarantee that data exchanged between the fog accurate data, a smart home scenario was
node and edge device during the update constructed to present a realistic MQTT-based
strategy is reliable and not readily. dataset that comprises valid and malicious flow-
The outline of this manuscript is as level traffic by collecting legitimate and harmful
follows: Section 2 demonstrates the related works data. The thesis shows how to identify and
and tabulates the comparison between them. The categorize DoS assaults using online and offline
security issues for the IIoT network are declared machine learning technologies. The suggested
in section 3. The description of the proposed online classifiers can detect assaults in a variety
security model for edge devices is confirmed in of flow durations, allowing researchers to see the
section 4. In section 5, the system evaluation and trade-off between classifier performance and flow
security assessment for the proposed security lengths. In the IIoT infrastructure, this article [11]
model are described. offers an analytical investigation of identifying

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …. 331

abnormalities, cyber-attacks, and malevolent (like Intrusion Detection System (IDS)) and/or
actions in a cyber-physical of vital water applying on constrained resources devices (which
infrastructure. The paper classifies anomalous is in the scope of our research).
occurrences using a variety of machine learning
methods, including numerous assaults and IIoT 3. SECURITY ISSUES OF IIOT NETWORK
hardware failures. For the study review of the When combining IIoT systems,
suggested technique, a real-world dataset multilevel architectures are widely employed.
encompassing 15 anomalous instances of the Figure 1 depicts a multi-tier IIoT structure in
regular system operation was investigated. The progress. The main three layers that make up the
test scenarios included anything from hardware IIoT network topology are edge, fog, and cloud
failure to sabotage of water SCADA (Supervisory [14].
Control and Data Acquisition) devices. CART • The edge computing layer consists of billions
and Naïve Bayes (NB) have the greatest of IIoT machines that are linked to edge
precision, F1-score, accuracy, and recall values, devices. Actuators, sensors, security cameras,
according to the findings. vehicles, smart machines, and smart home
In 2022, this study [12] described an appliances are examples of IIoT equipment
architecture for enabling predictive analytics at that have restricted resources. This layer uses
the edge of a production system while they are edge devices to collect massive volumes of
being generated on a cloud node. The goal of this data from a variety of sources and
research is to look into the usage of knowledge applications, then sends it to higher levels [15,
graphs to collect information from maintenance 16].
employees as well as the linkages between assets • The fog layer sits between the cloud layer and
and sensors. The suggested framework was put to the edge layer. Each fog node is in charge of
the test in a use case involving an aluminum serving a certain part of the city. Each fog
manufacturing firm. The results demonstrated the node communicates with the central server in
potential for further examination of the mixture of the cloud layer regularly to ensure system
machine learning and knowledge graphs, resilience. Fog nodes are more powerful than
confirming the time savings for training ML edge nodes and are closer to the edge
models as well as applications that can provide a computing layer than the cloud layer [16].
better vision to operators regarding the • The cloud layer comprises high-performance
manufacturing process. servers and storage devices. The central
Although there are numbers of papers, management and database core are located on
like the paper in [13] which proposed a the cloud layer's servers. Furthermore, they
methodology that is somewhat similar to our are in charge of monitoring the fog layer and
proposed methodology, their proposed nodes' security, availability, activities, and
methodology was used to build and train a services [17].
Convolution Neural Network (CNN) model based
on images dataset (which is out the scope of our
research) without focusing on any application

Table 1: The details for the recent research based on IDS for IoT/IIoT Networks.
Architecture Upgrading Prevention and Validation
Ref. Year Dataset Used Algorithm Utilized CIA Triad
Approach Policy response activities Strategy
Roll-forward technique
[8] 2019 SUTD N/A × × × Simulation
and CART
Machine learning and
[7] 2019 Two datasets Hybrid √ × × Simulation
deep learning
Binary classes and
[9] 2020 UNSW-NB15 N/A × × × Simulation
multi-classes
Various machine
[11] 2021 Real-word dataset N/A × × × Simulation
learning
Realistic MQTT- online and offline
[10] 2021 Distributed √ × × Simulation
based dataset machine learning
Two types of machine Simulation/
[12] 2022 Custom dataset Central √ × ×
learning Emulation
Not available N/A
Confidentiality, Integrity, and Authentication Triad (CIA)
Singapore University of Technology and Design (SUTD).

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
332 Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …..

Fig. 1 An example of multi-tier IIoT architecture.

This manuscript focuses on the attacks to some assaults that vary in their nature, aims,
on edge devices, which are essential components and catastrophic results when researching the
of the IIoT network. Security risks of edge different sorts of attacks. An investigation of
devices can take many shapes and come from a potential attacks against edge devices is
variety of places. Insider attackers can be conducted, based on their kind, with the
"machine users" (e.g., sensors) or faked edge descriptions summarized in Table 2.
devices. In other words, an insider attacker
4. DESCRIPTION OF THE PROPOSED
(attacks between the edge device and IIoT
SECURITY MODEL
machines) is a network user who has some
The proposed security model is provided
network expertise and uses it to study the
in this section to protect edge devices from
architecture and configuration of the edge devices
various threats discussed before. The primary
and the whole network. Outsider attackers
purpose is to safeguard edge device data (which is
(attacks between the edge device and fog node),
required for its functioning), as well as its
on the other hand, exploit the Internet connection
accessibility and functionality.
to launch assaults from a distant place outside of
the coverage region. Edge devices are vulnerable

Table 2: Investigation of the potential edge device attacks.

Attacks Source Attack Type Description
It attempts to transfer data from an unauthorized device its IP (Internet
Unauthorized IP address
Protocol) address is in the banned IP addresses.
It attempts to transfer data using the destination port number found in the
Unauthorized port No.
banned port list.
Flooding Denial of Service It's set up to keep the service from serving legitimate customers.
Slow DoS against Internet of Things It establishes many connections with the MQTT broker to simultaneously
Insider Attacks Environments (SlowITe) take advantage of all available connections.
It uses a single connection rather than numerous connections to saturate
MQTT Publish Flood
the resources.
Its goal is to generate and transmit multiple erroneous packets to the
Malformed Data
broker to cause exceptions on the specified service.
Its goal is to crack clients' authentication credentials (password and
Brute Force Authentication
username) during the authentication phase.
It sends several messages to various edge devices, each with a forged
Sybil attack
source identity.
Administrative Impersonation Attack It claims the administrator's identity.
Monitoring Attack Passive monitoring of edge device activities.
External Attacks
Edge Device Impersonation Attack It claims the edge device identity.
It changes the data of the edge device or fog server and uses it for its
Data Sniffing and modification
benefit.
It is disabling the network or compromising network users to glean sensitive
Wireless Layer 2 attacks
information such as passwords.

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …. 333

Fig. 2 The software structure of the edge device.

The proposed security model must meet inspecting the header information in each MQTT
several goals: it must ensure that the system is packet. So, this part of the proposed security
available and stable (using an Intrusion Detection model has numerous roles, as follows:
System (IDS)), that the data exchanged is exact • MQTT Broker: To serve as an MQTT broker,
and untraceable (data privacy and authenticity), Mosquitto must be installed on the edge
and that the source (e.g., fog server or edge device [19]. Mosquitto is an open-source
device) is what it is claimed to be (source MQTT broker which offers a lightweight
authentication and message integrity). Figure 2 MQTT protocol server implementation.
shows the edge device's software architecture for • Internal Firewall: It is used to create a trusted
implementing the recommended security wall of restrictions between IIoT machines
paradigm. The recommended security paradigm is and the MQTT broker by analyzing the
separated into two components, as shown in network traffic using the IP and port addresses
Figure 2. Each component is designed to protect to see if it matches a set of rules defining what
each network port (assume the edge device has data flows are allowed to pass through it. The
two different network connections). The proposed employed firewall blocks packets if their
security model's first component protects the source IP addresses or specified prefix IP or
connection between edge devices and IIoT destination port addresses are in the list of
machines, while the second protects the banned addresses and blocks too many
connection between the fog server and edge requests made by the same IP quickly.
device. The Raspberry Pi 4B platform may be • IPS (Intrusion Prevention System): It is used
utilized to build the suggested edge device since it to take an action automatically to stop or
is a compact, inexpensive, and independent neutralize a potential attack when it is
single-board computer. The purpose of each role detected. The actions for the IPS module are:
in the proposed edge node will be discussed in the resetting the connection, forwarding the
following subsections. packet, and dropping the packet.
• IDS (Intrusion Detection System): It is a
4.1. Securing Connection Between Edge Device multi-class machine learning trained model
and IIoT Machines which is used to constrain the normality for
The suggested edge device may connect the packet. If the packet is normal, it will be
wirelessly with IIoT equipment in the edge layer directed to the MQTT broker. Otherwise, the
utilizing low-cost Wi-Fi-capable devices and the attack’s type will be detected, and the IPS
MQTT protocol as a communication mechanism. module will be activated.
Because MQTT is a lightweight small-message After the packet has been approved by
protocol, it saves bandwidth and extends the the firewall, packet features are taken from it
battery life of the device. And since the MQTT and are preprocessed to match the input of the
client does not require a request update, the trained model. The features are then recorded in
Publish / Subscribe architecture is more suited to a file that is sent to the fog server every so often
the edge layer than the Request / Response (one week, one month, or whatever) to retrain
architecture utilized in other protocols [18]. As a the intrusion detection model. Figure 3 depicts
result, different threats such as DoS, brute force the IDS module's flowchart for MQTT packets.
attacks, and others are launched against these
types of packets, which may be detected by

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
334 Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …..

AUC values for RF, DT, and GB are depicted in

Table 4.

Table 3: The different evaluation metrics for the

MQTTset dataset based on different classifiers.
Metrics RF DT GB
Accuracy 0.9969 0.9970 0.9912
Precision 0.9968 0.9969 0.9936
Training
Recall 0.9968 0.9969 0.9912
Fig. 3 The processing of the Intrusion detection F1 Score 0.9966 0.9967 0.9911
for MQTT packets. Accuracy 0.9968 0.9968 0.9903
Precision 0.9967 0.9967 0.9934
The intrusion detection model is a Testing
Recall 0.9968 0.9968 0.9903
mixture of numerous processes. It is implemented
and validated to classify multiple threats. To F1 Score 0.9966 0.9966 0.9900
evaluate this scheme, a dataset must be selected.
An open-source dataset named MQTTset was Table 4: The AUC values for different classifiers.
obtained from Kaggle [20]. This dataset was Attacks
RF DT GB
provided by Ivan Vaccari et al. [21]. In the Type
MQTTset dataset, six types of labels represent Malformed 0.96 0.95 0.58
one type of legitimate activities (Legitimate) and DOS 0.99 0.99 0.45
five types of threats, respectively (malformed, Flood 0.96 0.95 0.91
DoS, brute force, slowite, and flood), as shown in Legitimate 0.99 0.99 0.98
Table 2. The performance of different ML models
Brute Force 0.94 0.93 0.86
is studied in this subsection to accurately detect
SlowITe 0.97 0.97 0.93
the assaults and anomalies on packets. Random
Forest (RF), Decision Tree (DT), and Gradient
Boosting (GB) are the machine learning According to the Area Under the Curves
algorithms employed here. For hyper-parameters (AUC) in Table 4, DT and RF have higher
tuning, the best splitter, the Gini criterion, and the accuracy because they achieve a 99% detection
greatest depth were utilized in the DT until all rate in some attacks. The AUC values for some
leaves were genuine, while the RF was examined classes are roughly equal to value one. In the case
using two extreme estimators. The GB, on the of GB, the AUC value is nearly equal to one for
other hand, is limited to a maximum of 20 the legitimate class only, and the detection rates
estimators. for some classes are very low, while other classes
The used dataset is divided into 70–30 have close to 90% detection rates.
ratio into training and testing sets. The training set
is then split into two subsets: A training set and a Table 5: The important times for the MQTTset
validation set, with a split ratio of 0.33 %, i.e., 67 dataset based on different classifiers.
% of the training set would be utilized for training Algorithms
Train Test Model Prediction
Time(sec) Time(sec) Size(KB) Time(msec)
and 33 % for validating. Only 18 features out of
RF 22.473942 2.1602210 742 1.67393
33 in the dataset played an important role in the DT 33.585477 1.7004511 497 0.66304
decision because the rest had a feature importance GB 982.01197 7.3737800 137 1.51801
value of 0. On the new features set, the ML
models for identifying attack packets have been
From Table 5, it can be distinguished
trained and evaluated. To identify which
that RF takes the minimum train time, but GB
technique is best suited for the proposed system,
takes the maximum train time because RF builds
the models’ performance is evaluated using key
multiple decision trees independently at the same
performance metrics such as Detection Rate,
time while GB builds multiple decision trees
Precision, F-score, Recall, and Area Under the
serially (one tree at each time). In the testing
Curve (AUC), as well as Accuracy (as shown in
state, however, DT takes the lowermost time. It
Table 3). From Table 3, it can be noticed that DT
can also be noticed that the DT model consumes
and RF have higher accuracy, precision, recall,
the least time when executed on the SBC
and F1 score values than GB. On the other hand,
(Raspberry Pi4). Finally, based on the used
DT and RF are slightly more accurate than GB
platform to build the edge device, the time
because GB may not be a good choice if the used
consumed to extract the features from real packets
dataset (MQTTset dataset) has a lot of noise. The
for different trained models is 0.505978 msec. In

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …. 335

conclusion, the proposed edge device can be the re-trained model will be exchanged with the
based on the DT to detect the abnormality in the old intrusion detection model. Figure 4 illustrates
MQTT packets. the transaction operations which are done
between the fog server side and the edge device
4.2. Securing Connection Between Edge Device side.
and Fog Node
As previously stated, the proposed 1) Transfer Data File and ML Model Based on
security model is also dependent on the fog node CIA Triad
and edge devices interaction. The remote Transport Layer Security (TLS) is a
intrusion detection retrained technique performed protocol used to provide Confidentiality,
by the fog node is a dangerous and sensitive Integrity, and Authentication (CIA) between two
activity that must be carried out with extreme communicating applications. It is used to ensure
caution to ensure the proper operation of edge IoT/IIoT communication security and to protect
devices. The following approach is proposed in connections between edge nodes and fog servers
this manuscript for maintaining the security of the during the transfer of real datasets files and
intrusion detection model transfer: trained models over insecure channels [22, 23].
Initially, a fresh data file is collected on The trained model and the collected data file will
the edge device, which is a single-board computer be transferred in a separate TLS session.
(SBC) (Raspberry Pi 4) provided with an anomaly
detection model and security techniques tools.
Nevertheless, to guarantee the freshness of the
data file and to avoid replay assaults, a tag called
the Data Version Tag (DVT) must be sent. The
DVT is a crucial parameter. This tag contains the
edge device’s unique identifier, user identity, and
date and time at creating this data file, and is used
to determine the number of data files stored in the
nearest fog node. The fog node also saves a copy
of the edge device’s unique identifier, the user
identity in a trusted database. The DVT and data
file are processed by security methods. Afterward,
the handshaking is established to ensure that the
fresh data file will be sent to the correct fog Fig. 4 The transactions between fog server-side
server. When the handshaking step is completed, and edge device side.
the processed DVT and data file are ready to be
sent over an unsecured network utilizing the TCP Table 6: Some assumptions to find latency
protocol (Transmission Control Protocol) for between the edge node and fog server
increased dependability. The fog server receives Parameter value
them through a wireless network port, processes Distance between the edge node and fog
100m
them using inverted security mechanisms like server
The Propagation Speed (PS) 2 x 108 m/sec
decryption, and saves them in its memory. Later,
Packet Processing Rate in Client (PPRC)
the received data files will be used to rebuild and (with effective for AES (Advanced 10000
retrained the intrusion detection models. Encryption Standard) and SHA (secure packet/sec
Next, a new trained model file is created hashing algorithm) algorithms)
on the fog server based on the received data file Packet Processing Rate in Server (PPRS) 50000
from a certain edge device. The fog server is (with effective for AES and SHA algorithms) packet/sec
SIFS 20 µ sec.
provided with machine learning and security
DIFS 300 µ sec.
techniques tools. Also, to ensure the freshness of Wireless Stander 802.11a
the trained model and to avoid replay threats, Data Rate (DR) 54 Mbps
another tag called the Trained Model Version Tag The Size of Wireless Control signals (RTS,
(TMVT) must be sent which contains the edge 74 bytes
CTS, ACK, FIN) (SWC)
device’s unique identifier, user identity, and date TCP Header(TCPH) 20 bytes
and time at creation of this trained model. This IP Header (IPH) 20 bytes
tag is used to determine the number of trained Wireless Header (WH) 34 bytes
model updates by the fog server. The TMVT and The size of control TCP signals (REQ, ACK,
74 bytes
GET, FIN) in the wireless network (SCTCP)
trained model are sent to a certain edge device
The maximum Packet length in a Wireless
using the same steps mentioned earlier. Finally, network (MPLW)
2346 bytes

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
336 Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …..

The communication time to transfer one To find the latency, it can be used the
trained model will be calculated in a theory that is following equations [24]:
based on some assumptions as shown in Table 6
[24]. Figure 5 shows the wireless and TCP signals TCP Latency = Node delay
to transfer a file (which can be a trained model + N. W delay … . (1)
file) from the FTP (File Transfer Protocol) server
(Fog server) to the FTP client (edge node). Node Delay = (No. of data packets
+ No. of TCP control Signal)
1 1
∗( + ) … . (2)
𝑃𝑃𝑅𝐶 𝑃𝑃𝑅𝑆

No. of data packets (N) required to

transfer the file can be computed using:

𝐹𝑆 ∗ 8
𝑁= … . (3)
(𝑀𝑃𝐿𝑊 − 𝑊𝐻 − 𝐼𝑃𝐻 − 𝑇𝐶𝑃𝐻) ∗ 8

𝑃𝑎𝑐𝑘𝑒𝑡 𝐿𝑒𝑛𝑔𝑡ℎ ∗ 8
𝑃𝑎𝑐𝑘𝑒𝑡 𝐷𝑒𝑙𝑎𝑦 =
𝐷𝑅
𝐷𝑖𝑠𝑡𝑎𝑛𝑐𝑒
+ … . (4)
𝑃𝑆

TLS RSA WITH AES 128 CBC SHA is

the cipher suite used in this section, which uses
RSA (Rivest–Shamir–Adleman) for key
exchange, AES-128 in Cipher Block Chaining
(CBC) mode for encryption, and HMAC SHA1
for message authentication. Based on the TLS
protocol version (1.2) and ciphersuite
(TLS_RSA_WITH_AES_128_CBC_SHA), Table
7 [22, 23] displays the assumptions for the sizes
of each message to find TLS overhead. On
average, the overall overhead time to start a new
TLS session is around 2.65msec. Figure 6 shows
the latency to transfer different file sizes using the
TLS protocol.

Fig. 5 The wireless and TCP signals to transfer a Table 7: The assumptions to find TLS overhead
file from the FTP server to the FTP client Parameter Value
The average size of the initial ClientHello 170 bytes
The average size of ServerHello 75 bytes
Some notes based on Figure 5 are stated
The average size per Certificate 1500 bytes
as follows: No. Of certificate in the chain 4
• Wireless signals (RTS (Request to Send), The average size of ClientKeyExchange for
CTS (Clear to Send), and ACK 130 bytes
RSA server certificate.
(Acknowledgment)) have passed through The average size of Finish message 12 bytes
Layer 2. As a result, the packet processing TLS Handshake header 4 bytes
rate for them is not computed. TLS Record header for each record sent 5 bytes
• The data rate for wireless signals is always
(1 Mbps) when the system uses the 802.11x 2) External Firewall
standard. The traffic between the fog server and
• The TCP control signals are REQ (TCP), edge nodes and vice versa is monitored using the
ACK (TCP), and FIN (TCP). They are firewall which is a security device used to stop or
handled like data packets, which means they mitigate unauthorized access to the edge device.
will require an ACK Wireless signal. The proposed system implements a software
• When determining the latency of TCP firewall to create a trusted wall of restrictions
control signals, the packet processing rate is between the fog server and the edge device. It
taken into consideration. analyzes the network traffic using the IP and port

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …. 337

addresses to see if they match a set of rules two encryption options often available to users
defining what data flows are allowed to pass when configuring a WPA2 network [25].
through the firewall. The firewall is implemented To produce certain encryption keys for
using the NetfilterQueue library. The applied the WPA2 protocol that is used to encrypt actual
firewall performed the following functions: data delivered over wireless media, the
authenticator (access point) and the applicant
(client device) exchange 4 messages during the 4-
way handshake procedure. These keys are
produced via a four-way handshake and come
from some source key material [26].
Using WPA2 decreases the performance
of network connections due to the extra
processing load of encryption and decryption. The
performance impact of WPA2 is usually
negligible, especially when compared with the
increased security risk of using WPA or Wired
Equivalent Privacy (WEP), or no encryption at all.
Fig. 6 The latency for different file sizes using
5. SYSTEM EVALUATION AND SECURITY
TLS Protocol
ASSESSMENT
Different assessment criteria will be
• Block packets if their source IP address is in
utilized to analyze the overall performance of the
the list of banned IP addresses.
recommended edge device in this section. The
• Block packets if their destination port address proposed system's resource utilization statistics
is in the banned port addresses list. and network performance are listed in Table 8.
• Block subnets by blocking specified prefixes The primary takeaway from the statistics
of IP addresses found in the list of banned on system resource utilization shows that the
prefix addresses. proposed IDS was effectively and efficiently
• Block too many requests made by the same IP incorporated into the edge device platform. The
quickly, such as ping attacks, by specifying proposed IDS utilizes a suitable amount of system
the packet threshold and time threshold. resources while having minimal impact on the
edge device's original functions. This architecture,
3) Secure Wireless Communication on the other hand, assures that the addition of new
Encrypting wireless data is crucial to IDS duties will not significantly decrease the
help maintain a level of security because Wi-Fi node or network performance.
signals are carried via the air and can be accessed To round out the vision, a detailed
by someone nearby. The security protocol known security assessment for internal and external
as Wifi Protected Access II (WPA2) was created threats was conducted, taking into account the
to protect 802.11 wireless networks by encrypting most likely attack vectors and sources of risk, and
sensitive data using 128-bit technology and recommending effective remedies. According to
encrypting passwords. Since 2006, WPA2, which Table 9, the suggested IDS can detect and protect
is based on the IEEE 802.11i technical standard against internal assaults that are MQTT-based
for data encryption, has been deployed on all threats. The proposed security methods are
certified Wifi equipment. intended to defend against external threats, as
Temporal Key Integrity Protocol (TKIP) shown in Table 10. Finally, the suggested edge
and Advanced Encryption Standard (AES) are the device has a wealth of security features as well as
realistic resource consumption.
Table 8: The proposed system's resource utilization statistics and network performance.
Parameters Deactivated IDS Activated IDS
Average Round Trip Time (RTT) 0.1544513 sec 0.2622866 sec
Network Average No. of retransmission synchronous packets 2 packets 4 packets
Performance Average No. of retransmission data packets 5 packets 13 packets
Average Throughput 5786 bit/sec 4662.7 bit/sec
Total Memory Utilization% 1.73%(0.139 Gbyte) 2.52%(0.202 Gbyte)
Resource
Average CPU Operation % 5% 16%
Utilization
Average power Consumption 3.325 W 3.750 W

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
 338 Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …..

Table 9: The security assessments for the internal attacks.

Attack Type Detected by Response
Unauthorized IP address Firewall It is blocked by firewall
Unauthorized port No. Firewall It is blocked by firewall
The user is informed by writing the details
Abnormal periodic data meter Anomaly Detection for Metering Data
on the web page
The user is informed by writing the details
Abnormal daily data meter Anomaly Detection for Metering Data
on the web page
Flooding Denial of Service IDS for Packet-level module It is dropped by IPS
Slow DoS against Internet of
IDS for Packet-level module IPS is sent the reset connection
Things Environments (SlowITe)
IPS is forward to the same source IP
MQTT Publish Flood IDS for Packet-level module
address
Malformed Data IDS for Packet-level module It is dropped by IPS
Brute Force Authentication IDS for Packet-level module IPS is sent the reset connection

Table 10: The security assessment for external attacks.

Attack Type Attacks’ Target Defense Strategy
Sybil attack Edge Device services Handshaking Authentication
Administrative Impersonation ▪Edge Device data & services
Handshaking and Message Authentication
Attack ▪Fog server Functionality
Monitoring Attack Edge Device data & services Packet Encryption
Illegal Access Attack Edge Device data & services Handshaking Authentication
Edge Device Impersonation ▪Edge Device data & services
Malicious Edge Devices Detection
Attack ▪Fog server Functionality
▪Edge Device data & services
Data Sniffing and modification Message Authentication and Integrity
▪Fog server Functionality
▪Disable the network
Wireless Layer 2 Attack WPA2
▪ Compromise the network users

6. CONCLUSION provide the major security aspects for the data

Since edge devices connect IIoT transmitted (such as the trained model and
machines to the data center, they are critical to gathered data files). A low-cost single-board
IIoT networking. As a result, it is vital to computer (SBC) like the Raspberry Pi may easily
safeguard these devices from numerous risks. The implement the proposed security paradigm for
manuscript's first section proposed a security edge devices. The security structure of the
paradigm for edge devices to defend against proposed edge device is lightweight (which has
various internal and external attacks. By 2.52.% total memory utilization and 16% average
leveraging machine learning methods, MQTT- CPU operation) and saves power (which has
based threats are identified, utilizing Intrusion 3.75W average power consumption). As this
Detection and Prevention SysteIDPS)-based paradigm is effective against a variety of internal
security form (edge nodes). After the performance and external assaults, it provides a balance
comparison between three ML algorithms (DT, between good performance and high security.
RF, GB), The proposed edge device can be based Finally, it is hoped that this work will serve as a
on the DT to detect the abnormality in the MQTT springboard for future advancements in
packets because of its low prediction time cybersecurity analytics on edge devices
(0.66304msec) and good accuracy with the employing effective machine learning models.
MQTTset dataset (99.69%). Because the
machine-learning model cannot be trained REFERENCES
directly on low-performance devices (like edge
devices), a new methodology for updating ML [1] T. Vaiyapuri, Z. Sbai, H. Alaskar, and N. A.
models is proposed, which involves training the Alaseem, "Deep Learning Approaches for
model on a high-performance computing platform Intrusion Detection in IIoT Networks–
(such as the fog node) and then installing the Opportunities and Future Directions,"
International Journal of Advanced Computer
trained model as a detection engine on low- Science and Applications (IJACSA), vol. 12,
performance platforms (such as the edge node of pp. 86-92, 2021.
the edge layer) to detect new attacks. In the [2] Z. E. Huma, S. Latif, J. Ahmad, Z. Idrees, A.
second half of the manuscript, the CIA triad, Ibrar, Z. Zou, et al., "A Hybrid Deep Random
firewall, and WPA2 techniques are utilized to Neural Network for Cyberattack Detection in

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …. 339

the Industrial Internet of Things," IEEE [14] L. Zhang, S. Jiang, X. Shen, B. B. Gupta, and
Access, vol. 9, pp. 55595-55605, 2021. Z. Tian, "PWG-IDS: An Intrusion Detection
[3] M. Zolanvari, M. A. Teixeira, and R. Jain, Model for Solving Class Imbalance in IIoT
"Effect of imbalanced datasets on security of Networks Using Generative Adversarial
industrial IoT using machine learning," in Networks," arXiv preprint arXiv:2110.03445,
2018 IEEE International Conference on 2021.
Intelligence and Security Informatics (ISI), [15] M. A. Ferrag, O. Friha, D. Hamouda, L.
2018, pp. 112-117. Maglaras, and H. Janicke, "Edge-IIoTset: A
[4] H. Alaiz-Moreton, J. Aveleira-Mata, J. New Comprehensive Realistic Cyber Security
Ondicol-Garcia, A. L. Muñoz-Castañeda, I. Dataset of IoT and IIoT Applications for
García, and C. Benavides, "Multiclass Centralized and Federated Learning," IEEE
classification procedure for detecting attacks Access, vol. 10, pp. 40281-40306, 2022.
on MQTT-IoT protocol," Complexity, vol. [16] A. Samy, H. Yu, and H. Zhang, "Fog-based
2019, pp. 1-11, 2019. attack detection framework for internet of
[5] E. Jove, J. Aveleira-Mata, H. Alaiz-Moretón, things using deep learning," IEEE Access,
J.-L. Casteleiro-Roca, D. Y. Marcos del vol. 8, pp. 74571-74585, 2020.
Blanco, F. Zayas-Gato, et al., "Intelligent [17] I. Butun, M. Almgren, V. Gulisano, and M.
One-Class Classifiers for the Development of Papatriantafilou, "Intrusion Detection in
an Intrusion Detection System: The MQTT Industrial Networks via Data Streaming," in
Case Study," Electronics, vol. 11, pp. 422- Industrial IoT, ed: Springer, 2020, pp. 213-
433, 2022. 238.
[6] M. A. Ferrag, L. Shu, H. Djallel, and K.-K. R. [18] R. Colelli, S. Panzieri, and F. Pascucci,
Choo, "Deep learning-based intrusion "Securing connection between IT and OT: the
detection for distributed denial of service Fog Intrusion Detection System prospective,"
attack in Agriculture 4.0," Electronics, vol. in 2019 II Workshop on Metrology for
10, pp. 1257-1282, 2021. Industry 4.0 and IoT (MetroInd4. 0&IoT),
[7] H. Yao, P. Gao, P. Zhang, J. Wang, C. Jiang, 2019, pp. 444-448.
and L. Lu, "Hybrid intrusion detection system [19] (19-9-2021). Mosquitto MQTT Broker.
for edge-based IIoT relying on machine- Available:
learning-aided detection," IEEE Network, vol. https://mosquitto.org/documentation/
33, pp. 75-81, 2019. [20] MQTTset Dataset [Online]. Available: https:
[8] S. Madhawa, P. Balakrishnan, and U. //www.kaggle.com/cnrieiit/mqttset
Arumugam, "Roll forward validation based [21] I. Vaccari, G. Chiola, M. Aiello, M.
decision tree classification for detecting data Mongelli, and E. Cambiaso, "MQTTset, a
integrity attacks in industrial internet of new dataset for machine learning techniques
things," Journal of Intelligent & Fuzzy on MQTT," Sensors, vol. 20, pp. 6578-6595,
Systems, vol. 36, pp. 2355-2366, 2019. 2020.
[9] H. Qiao, J. O. Blech, and H. Chen, "A [22] R. Oppliger, SSL and TLS: Theory and
Machine learning based intrusion detection Practice: Artech House, 2016.
approach for industrial networks," in 2020 [23] K. McKay and D. Cooper, "Guidelines for the
IEEE International Conference on Industrial selection, configuration, and use of transport
Technology (ICIT), 2020, pp. 265-270. layer security (TLS) implementations,"
[10] A. Ghannadrad, "Machine learning-based National Institute of Standards and
DoS attacks detection for MQTT sensor Technology2017.
networks," 2021. [24] Q. I. Ali, "An efficient simulation
[11] G. E. I. Selim, E. Hemdan, A. M. Shehata, methodology of networked industrial
and N. A. El-Fishawy, "Anomaly events devices," in 2008 5th International Multi-
classification and detection system in critical Conference on Systems, Signals and Devices,
industrial internet of things infrastructure 2008, pp. 1-6.
using machine learning algorithms," [25] B. I. Reddy and V. Srikanth, "Review on
Multimedia Tools and Applications, vol. 80, wireless security protocols (WEP, WPA,
pp. 12619-12640, 2021. WPA2 & WPA3)," International Journal of
[12] G. Siaterlis, M. Franke, K. Klein, K. A. Scientific Research in Computer Science,
Hribernik, G. Papapanagiotakis, S. Engineering and Information Technology,
Palaiologos, et al., "An IIoT approach for vol. 5, pp. 28-35, 2019.
edge intelligence in production environments [26] S. Alblwi and K. Shujaee, "A survey on
using machine learning and knowledge wireless security protocol WPA2," in
graphs," Procedia CIRP, vol. 106, pp. 282- Proceedings of the international conference
287, 2022. on security and management (SAM), 2017,
[13] W. Sun, J. Liu, and Y. Yue, "AI-enhanced pp. 12-17.
offloading in edge computing: When machine
learning meets industrial IoT," IEEE
Network, vol. 33, pp. 68-74, 2019.

Al-Rafidain Engineering Journal (AREJ) Vol.28, No.1, March 2023, pp. 329-340
‫‪340 Sahar L. Qaddoori: An Efficient Security Model for Industrial Internet …..‬‬

‫نموذج أمان فعال لنظام إنترنت األشياء الصناعي )‪ (IIoT‬استنادًا إلى مبادئ التعلم‬
‫اآللي‬
‫**‬ ‫*‬
‫قتيبة ابراهيم علي‬ ‫سحر الزم قدوري‬
‫‪[email protected]‬‬ ‫‪[email protected]‬‬
‫*جامعة نينوى ‪ -‬كلية هندسة االلكترونيات ‪ -‬قسم هندسة االلكترونيك‪ -‬موصل – العراق‬
‫** جامعة الموصل ‪ -‬كلية الهندسة ‪ -‬قسم هندسة الحاسوب ‪ -‬موصل – العراق‬

‫الملخص‬
‫اقترحت هذه الورقة نموذ ًجا أمنيًا لألجهزة الحافة للدفاع عنها ضد التهديدات الداخلية والخارجية المختلفة‪ .‬اقترح القسم األول من‬
‫المخطوطة استخدام نماذج التعلم اآللي لتحديد الهجمات المستندة إلى ‪( MQTT‬نقل الرسائل عن بُعد في قائمة انتظار الرسائل) باستخدام نظام‬
‫نظرا ألنه ال يمكن تدريب نموذج التعلم اآللي مباشرة على منصات منخفضة األداء (مثل األجهزة‬ ‫كشف ومنع التطفل (‪ )IDPS‬للعقد الطرفية‪ً .‬‬
‫الحافة) ‪ ،‬لذلك ‪ ،‬تم اقتراح منهجية جديدة لتحديث نماذج ‪ ML‬و لتوفير مفاضلة بين أداء النموذج والتعقيد الحسابي ‪ .‬تضمنت المنهجية المقترحة‬
‫تدريب النموذج على منصة حوسبة عالية األداء ثم تثبيت النموذج ا لمدرب كمحرك كشف على منصات منخفضة األداء (مثل عقدة الحافة لطبقة‬
‫الحافة) لتحديد الهجمات الجديدة‪ .‬تم استخدام تقنيات أمان متعددة في النصف الثاني من المخطوطة للتحقق من أن النموذج المدرب المتبادل‬
‫وملفات البيانات المتبادلة صالحة وغير قابلة لالكتشاف (صحة المعلومات والخصوصية) وأن المصدر (مثل عقدة الضباب أو جهاز الحافة) هو‬
‫أخيرا ‪ ،‬يعتبر نموذج األمان المقترح ً‬
‫فعاال ضد التهديدات الداخلية والخارجية‬ ‫ً‬ ‫في الواقع ما تدعي أنه (مصادقة المصدر وسالمة الرسالة)‪.‬‬
‫المختلفة ويمكن تطبيقه على كمبيوتر منخفض التكلفة أحادي اللوحة (‪.)SBC‬‬

‫الكلمات الداله ‪:‬‬

‫الكشف الشاذ‪ ،‬حزم ال ‪ ،MQTT‬نظام كشف التطفل‪ ،‬الجدار الناري‪ ،‬امنية طبقة النقل (‪ ،)TLS‬جهاز الحافة‪.‬‬

‫)‪Al-Rafidain Engineering Journal (AREJ‬‬ ‫‪Vol.28, No.1, March 2023, pp. 329-340‬‬