An Intrusion Detection Approach for Industrial Internet of Things Traffic Using Deep Recurrent Reinforcement Learning and Federated Learning

Academic Background

The rapid development of the Industrial Internet of Things (IIoT) has profoundly transformed intelligent industrial systems, enabling data exchange, remote control, and smart decision-making by connecting various industrial devices through the internet. However, this seamless connectivity and a vast network of devices also expose industrial systems to increasingly complex and diverse cybersecurity threats. In real-world IIoT scenarios, network attacks can lead to serious consequences, including data breaches, data manipulation, denial of service (DoS), and factory production disruptions. Although traditional intrusion detection methods have shown some capabilities for detecting specific types of attacks, most utilize conventional machine learning models trained on centralized servers, making it challenging to effectively handle the privacy, energy, and heterogeneous data distribution issues associated with distributed devices.

To address these challenges, federated learning (FL) has recently emerged as a privacy-preserving distributed machine learning framework receiving widespread attention. FL enables the global optimization of models without transferring local data from devices, offering significant breakthroughs in data privacy preservation. However, the highly non-independent and identically distributed (non-IID) nature of data generated by IIoT nodes often limits the performance of traditional FL frameworks in complex industrial scenarios. Moreover, existing studies typically fail to consider energy efficiency and data quality in model training node selection, further affecting the performance of FL systems.

To overcome these issues, this paper proposes a novel intrusion detection framework: a gated recurrent unit (GRU)-assisted FL framework integrated with deep recurrent reinforcement learning (DRL). This approach improves the efficiency of intrusion detection and model aggregation performance in IIoT scenarios by effectively selecting high-quality IIoT nodes and capturing the temporal characteristics of network traffic.


Paper Source

This paper, titled “Intrusion Detection Approach for Industrial Internet of Things Traffic Using Deep Recurrent Reinforcement Learning Assisted Federated Learning,” is authored by Amandeep Kaur from the ABV-Indian Institute of Information Technology and Management, Madhya Pradesh, India. It is published in the January 2025 issue of IEEE Transactions on Artificial Intelligence (Volume 6, Issue 1).


Research Workflow

The research adopts a comprehensive multi-layered framework design and innovative methodology encompassing the entire process from data preprocessing to model optimization. Its core idea integrates FL, DRL algorithms, and GRU models to enhance the global model’s performance by effectively selecting high-quality devices and improving intrusion detection capabilities by capturing the temporal patterns of network traffic.

1. System Modeling and Framework Design

The proposed research envisions a complex IIoT industrial system comprising the following three-layer structure:
- Edge Layer: Includes various heterogeneous industrial devices (e.g., sensors and actuators) connected via Wi-Fi to local edge servers, which process local model training tasks.
- Cloud Layer: A cloud server is responsible for aggregating global model parameters and broadcasting the updated model to edge servers.
- Attack Model: Assumes attackers pose as edge servers to intercept sensor data to manipulate communications or industrial processes.

The framework employs FL as its structural backbone, constructing an iterative process of multi-round model training and parameter updates. GRUs are used in local training to capture temporal traffic characteristics, while DRL dynamically selects high-quality devices to participate in training.


2. Data Preprocessing and Feature Engineering

Data Preprocessing

The study utilizes multiple public datasets, including Ton_IoT, Edge-IIoT, and X-IIoTID, which contain typical IIoT attacks such as denial of service attacks (DoS), distributed denial of service attacks (DDoS), password cracking, and cross-site scripting (XSS) attacks.

The raw network traffic data undergoes the following preprocessing steps:
- Data Encoding: Using one-hot encoding, categorical features are converted into numerical formats suitable for machine learning models.
- Data Normalization: Feature values are scaled to a unified range using min-max normalization, ensuring balanced contributions during model training.

The normalization formula is:
\[ z = \frac{y - y_{min}}{y_{max} - y_{min}} \]
where \( y_{max} \) and \( y_{min} \) are the maximum and minimum values of the features, respectively.
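The two preprocessing steps can be sketched as follows. This is an added example, not code from the paper: the field names and sample records are constructed, and the handling of unseen categories, constant features and out-of-range values is an assumption about how a deployed detector would treat traffic that differs from its training data.

```python
# Added example: one-hot encoding plus min-max scaling for flow records.
# Field names and records are constructed; edge-case handling is an assumption.

def fit(records, categorical, numeric):
    """Learn category vocabularies and per-feature (min, max) from training data."""
    vocab = {c: sorted({r[c] for r in records}) for c in categorical}
    bounds = {n: (min(r[n] for r in records), max(r[n] for r in records))
              for n in numeric}
    return vocab, bounds

def transform(record, vocab, bounds):
    """Return the numeric feature vector for one record."""
    vec = []
    for col, values in vocab.items():
        # One-hot: a category never seen during fit encodes as all zeros.
        vec.extend(1.0 if record[col] == v else 0.0 for v in values)
    for col, (lo, hi) in bounds.items():
        if hi == lo:
            z = 0.0                              # constant feature: no division by zero
        else:
            z = (record[col] - lo) / (hi - lo)   # z = (y - y_min) / (y_max - y_min)
        vec.append(min(1.0, max(0.0, z)))        # clip values outside the fitted range
    return vec

# Constructed training records.
TRAIN = [
    {"proto": "tcp", "service": "http", "bytes": 200, "duration": 2.0, "ttl": 64},
    {"proto": "udp", "service": "dns", "bytes": 100, "duration": 0.5, "ttl": 64},
    {"proto": "tcp", "service": "mqtt", "bytes": 500, "duration": 4.5, "ttl": 64},
]
VOCAB, BOUNDS = fit(TRAIN, ["proto", "service"], ["bytes", "duration", "ttl"])

# Constructed record with an unseen protocol and out-of-range numeric values.
UNSEEN = {"proto": "icmp", "service": "dns", "bytes": 900, "duration": 0.1, "ttl": 128}

if __name__ == "__main__":
    for rec in TRAIN + [UNSEEN]:
        print(transform(rec, VOCAB, BOUNDS))
```

Clipping keeps every input inside the range the model was trained on, at the cost of hiding how far out of range a value was.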


3. GRU-Assisted Federated Learning and DRL Integration

GRU Network Design

GRU gating mechanisms are crucial for modeling temporal data, consisting of:
- Reset Gate: Removes irrelevant information.
- Update Gate: Retains information relevant to long-term dependencies.

Local edge servers train device data using GRUs to extract temporal dependencies in traffic. This mechanism significantly enhances the detection of intrusion behaviors with complex temporal features.

DRL for Node Optimization

To optimize device selection for FL, the problem is formulated as a Markov decision process (MDP):
- State Space: Includes node computing resources, data quality, and signal-to-noise ratio (SNR).
- Reward Function: Encourages improved global model convergence with considerations for energy efficiency and communication costs.
- Reinforcement Learning Algorithm: Deep Q-learning with experience replay accelerates convergence and adapts optimally to dynamic environments.

Federated Learning and DRL Collaboration

In each round of FL training:
1. The cloud server initializes and broadcasts the global model to selected devices.
2. Each device trains locally for several epochs and updates its model parameters.
3. The cloud server aggregates local model parameters to update the global model.

This cycle is repeated until the global model achieves convergence.
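The round structure above can be run end to end on a small scale. This is an added example, not the paper's code, and it makes three assumptions: a logistic-regression model stands in for the GRU, aggregation is sample-weighted averaging (FedAvg, which this summary does not name), and the selected node ids are passed in as a list rather than chosen by the DRL agent. All data is constructed.

```python
# Added example (not the paper's code). Assumptions: logistic regression
# replaces the GRU, aggregation is FedAvg, node selection is given as a list.
import math

def predict(w, x):
    """Sigmoid of the linear score; w[-1] is the bias term."""
    s = sum(wi * xi for wi, xi in zip(w, x)) + w[-1]
    return 1.0 / (1.0 + math.exp(-s))

def local_train(global_w, data, epochs=5, lr=0.5):
    """Step 2: start from the broadcast weights, run SGD on local data only."""
    w = list(global_w)
    for _ in range(epochs):
        for x, y in data:
            err = predict(w, x) - y
            for i, xi in enumerate(x):
                w[i] -= lr * err * xi
            w[-1] -= lr * err
    return w

def aggregate(updates):
    """Step 3: average local weights, weighted by each node's sample count."""
    total = sum(n for _, n in updates)
    return [sum(w[i] * n for w, n in updates) / total
            for i in range(len(updates[0][0]))]

def fl_round(global_w, nodes, selected):
    """Steps 1-3 for the selected node ids; only weights leave a node."""
    updates = [(local_train(global_w, nodes[k]), len(nodes[k])) for k in selected]
    return aggregate(updates)

def accuracy(w, data):
    """Fraction of records classified correctly at a 0.5 threshold."""
    return sum((predict(w, x) >= 0.5) == bool(y) for x, y in data) / len(data)

# Constructed non-IID split: min-max scaled (packet rate, payload size),
# label 1 = attack. Node "a" is mostly benign, node "b" mostly attack.
NODES = {
    "a": [((0.1, 0.2), 0), ((0.2, 0.1), 0), ((0.15, 0.3), 0), ((0.9, 0.8), 1)],
    "b": [((0.8, 0.9), 1), ((0.95, 0.7), 1), ((0.2, 0.2), 0)],
}

def train(rounds=20, selected=("a", "b")):
    w = [0.0, 0.0, 0.0]  # zero-initialised global model
    for _ in range(rounds):
        w = fl_round(w, NODES, selected)
    return w

if __name__ == "__main__":
    print(accuracy(train(), NODES["a"] + NODES["b"]))
```

Passing a different `selected` tuple to `train` shows how the choice of participating nodes changes the global model, which is the decision the DRL agent makes in the paper's framework.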


Results

The proposed framework was validated on three public datasets—Ton_IoT, Edge-IIoT, and X-IIoTID—demonstrating outstanding performance in intrusion detection.

1. Ton_IoT Dataset Analysis

  • Accuracy: Up to 99.95%.
  • Recall: Average of 99.98%.
  • F1 Score: 99.99%.
  • Specific Attack Detection: Achieved the best performance in detecting XSS and password cracking attacks.

2. Edge-IIoT Dataset Analysis

  • Accuracy: Achieved 97.90%.
  • Energy Efficiency: Significantly reduced energy consumption compared to traditional baselines.

3. X-IIoTID Dataset Analysis

  • Multi-Class Scenario: Accurately classified 18 subcategories of attacks with 99.99% accuracy.
  • Robustness: Worst-performing nodes improved accuracy from 67.73% to 82.96% after 50 rounds in non-IID data distribution.

Significance and Highlights

Research Contributions

  1. Scientific: Expands IIoT intrusion detection frameworks by integrating GRUs and DRL, providing novel approaches for temporal data modeling and FL performance enhancement.
  2. Practical: Offers a high-accuracy, low-energy-consumption solution for dynamic device selection and intrusion monitoring in industrial systems.

Innovations

  1. Protects IIoT data privacy through GRU-integrated FL models.
  2. Effectively handles non-IID data distribution, improving robustness in real-world applications.
  3. Reduces energy consumption under dynamic channel conditions by selecting high-quality nodes with DRL.

Future Directions

While this research makes significant progress, future work can focus on:
1. Real-World Validation: Assessing framework performance in real industrial environments to enhance real-time applicability.
2. Device-Specific Optimization: Developing customized data preprocessing and attack defense mechanisms for specific industrial devices.
3. Cross-Disciplinary Integration: Incorporating privacy-enhancing technologies, such as differential privacy and blockchain, to further ensure data security.

This study empowers IIoT industrial systems to address complex network threats more efficiently, safeguarding critical industrial processes.