Resilient Security Framework Using TNN and Blockchain for IoMT

Abstract

The growth of the Internet of Things (IoT) devices in the healthcare sector enables the new era of the Internet of Medical Things (IoMT). However, IoT devices are susceptible to various cybersecurity attacks and threats, which lead to negative consequences. Cyberattacks can damage not just the IoMT devices in use but also human life. Currently, several security solutions have been proposed to enhance the security of the IoMT, employing machine learning (ML) and blockchain. ML can be used to develop detection and classification methods to identify cyberattacks targeting IoMT devices in the healthcare sector. Furthermore, blockchain technology enables a decentralized approach to the healthcare system, eliminating some disadvantages of a centralized system, such as a single point of failure. This paper proposes a resilient security framework integrating a Tri-layered Neural Network (TNN) and blockchain technology in the healthcare domain. The TNN detects malicious data measured by medical sensors to find fraudulent data. As a result, cyberattacks are detected and discarded from the IoMT system before data is processed at the fog layer. Additionally, a blockchain network is used in the fog layer to ensure that the data is not altered, enhancing the integrity and privacy of the medical data. The experimental results show that the TNN and blockchain models produce the expected result. Furthermore, the accuracy of the TNN model reached 99.99% based on the F1-score accuracy metric.

1. Introduction

The rapid advancement in IoT technology plays a vital role in the healthcare sector, making the term IoMT more prevalent [1]. Moreover, the development of high-speed network systems and the growing use of portable monitors, smartphones, wearable devices, and electronic health records in healthcare contribute to the tremendous growth of IoT devices in the healthcare sector [2]. Integrating IoT devices in healthcare systems increases system interconnectivity and interoperability, allowing collaboration between isolated systems within the healthcare domain [3]. Furthermore, it pushes toward transferring to the decentralized infrastructure since the computation and services can be processed through IoMT devices. However, IoT devices are susceptible and vulnerable to various security risks and attacks; they can be easily compromised since they lack self-protection capabilities. Recent research found that over 90% of IoT devices transmit data insecurely, meaning that 57% are vulnerable to attacks that leak sensitive data [4]. Cyberattacks can pose a threat not only to the operated IoMT devices but also to human lives [5]. Figure 1 illustrates the architecture of the IoMT and presents its common components. In addition, the figure shows how the IoMT is vulnerable to cyberattacks, as these attacks can be launched against any element of the model without security mechanisms. As shown in the figure, a threat actor can establish a cyberattack at various points of the architecture. For example, a threat actor could inject malicious data into the sensor measurements, transmitting inaccurate data to the receiver devices. In addition, a cyberattack can be launched on IoMT devices in the fog layer. Therefore, a security solution is required to identify cyberattacks and protect the integrity of information transferred or held in the fog or cloud layers [6]. Several cyberattacks, including Denial of Service (DDoS) attacks, Injection attacks, Data leakage, and sensor assaults, can target IoMT systems. Thus, the security of IoMT considers a considerable challenge and more research is needed in this field.

Several research studies have been conducted to enhance the security of IoMT by using several technologies, including ML and blockchain [7]. Researchers generally utilize three ML taxonomies: unsupervised, supervised, and reinforcement learning. Supervised learning is used when the model’s output is known and labeled; however, relationships between the input data are not always known. Unsupervised learning is the opposite approach to supervised learning, as the model’s output is unknown. In addition, during the training time, the output class of unsupervised learning is not labeled. Finally, reinforcement learning is used when the model can gain experience through its operational environment and learn based on trial and error [8]. Machine learning can be utilized to develop intrusion detection systems (IDS) and intrusion classification systems (ICS) to tackle cyberattacks [9]. IDS is typically used as a binary classification method to scan through data and distinguish between normal data and malicious data. In contrast, ICS is used to detect multiclass data, making it helpful in identifying different types of cyberattacks. To mitigate cyberattacks targeting IoMT devices, ML models based on artificial neural networks and blockchain can be employed.

A tri-layered neural network (TNN), called a three-layer feedforward neural network, is an artificial intelligence model comprising an input, hidden, and output layer [10]. The input layer receives input data from several resources, such as sensors then the hidden layer obtains the data from the input layer for processing and computation purposes. A TNN can have multiple hidden layers to handle the complex nonlinear relationships of system inputs and outputs to devise the best decision boundaries [11]. Eventually, the computation result of the hidden layer is submitted to the output layer.

TNN may be utilized to recognize and prevent cyberattacks in IoMT security by monitoring device activity and interactions. TNN may also be used to construct a predictive security model to detect and classify cyberattacks, which can assist in improving the security of the IoMT network. Furthermore, the TNN performs anomaly detection to identify malicious data collected from medical sensors. Therefore, cyberattacks are detected and removed from the IoMT systems before data is analyzed in the fog layer.

Blockchain is a groundbreaking technology first introduced by Satoshi Nakamoto in 2008 [12]. It consists of a chain of blocks that holds information. Blockchain is a decentralized and distributed infrastructure that enables secure and transparent transactions without intermediaries [13]. It is not limited to being used only with cryptocurrencies but can also be employed in various other applications, such as IoT, healthcare, and energy sectors [14]. For example, in IoT security, blockchain may be utilized to construct a decentralized devices network capable of securely exchanging information and transactions [15]. It becomes significantly more challenging for hackers to breach the security of a system built based on the blockchain’s decentralized structure [16]. Furthermore, blockchain enables the creation of smart contracts that may be used to autonomously enforce security standards in an IoT network [17].

Furthermore, using a decentralized system overcomes some drawbacks of the centralized system, such as a single point of failure, since centralized infrastructure relies on the client and server approach, which means all devices need to be authorized by a server [18]. Blockchain is a peer-to-peer network that allows communication between untrusted devices without a third party [1]. Therefore, data exchanged between the devices can be maintained and tracked without a centralized server. To add new data to the blockchain, users must solve a cryptographic puzzle (proof of work). Blockchain consists of N blocks; the first is called the Genesis block. Blockchain data is stored chronologically, and the information is held in the blocks and linked to each other through the chain. Participants can view the transaction; however, each user’s identity is kept secret.

This paper utilised a neural network with multiple hidden layers because it learns efficiently from vast quantities of data, unlike a neural network with a single hidden layer. Therefore, hidden layers collaborate to learn more about the complex relationship between the input and the output [11]. Furthermore, the blockchain model is used to distribute the data after it has been cleared from a cyberattack to the IoMT devices in the fog layer. This ensures the security of the transactions since they cannot be altered, increasing the data’s trust and integrity. Therefore, this research proposes a resilient security framework that combines a TNN model and blockchain technology to leverage the security of IoMT.

The main contributions of this paper can be summarized as the following:

• Reviewing recent state-of-the-art methods used to enhance the security of the IoMT.
• Using a TNN to perform anomaly detection procedures for identifying normal data (true data) and malicious data (cyberattacks) collected from medical sensors.
• Utilizing a blockchain-based scheme for non-financial applications to simulate blockchain activity in fog nodes of the IoMT to enhance the data’s integrity and privacy.
• Proposing a security framework for IoMT that combines the power of TNN and blockchain. The TNN is utilized for anomaly detection to capture data injected with a cyberattack. Blockchain maintains the integrity and privacy of the data to ensure that stored and transmitted data cannot be altered.

The dataset called ICUDatasetProcessed [19] was used to test and validate the performance of the proposed framework. The results show that the TNN model recorded 99.99% on the F1-score accuracy metric. In addition, the blockchain-based scheme offers the expected results.

This paper is structured as follows: Section 2 presents the most current security methods used to leverage the security of the IoMT systems. Section 3 provides information about the dataset for assessing this research’s proposed framework. Section 4 discusses and explains the research methodology, TNN, and blockchain technology. Section 5 investigates the result and discussion found in this research. Finally, Section 6 provides a conclusion to this research work.

2. Related Work

This section presents the up-to-date security methods and strategies utilized to enhance the security of IoT devices. Also, it reviews recent technology used to mitigate malicious activities conducted through IoT devices targeting healthcare systems.

Artificial Intelligence (AI) is a common approach used by researchers for protecting IoT devices from threat actors, which provides detection techniques to scan for unusual activities. Several AI models exist, such as neural networks (NN), linear regression, and support vector machines (SVM) [20]. In the research [21], the authors used deep learning models to detect the DDoS targeting IoT systems using CICIDS2017 datasets. The authors implemented four deep-learning approaches: long short-term memory (LSTM), convolutional neural network (CNN), and CNN + LSTM. Among these deep learning approaches, CNN + LSTM achieved the highest accuracy, 97.16%.

The authors in [9] utilized feature engineering techniques to improve ML’s detection and classification accuracy. The authors employed several ML models to identify cyberattacks such as DoS, Mirai, Scan, and man-in-the-middle (MITM) attacks in IoT systems. The authors used Support Vector Machine (SVM), Shallow Neural Networks (SNNs), K-Nearest Neighbor (KNN), Decision Trees (DT), and Bagged Trees (BT). To evaluate their models, they used the IoTID20 dataset. As a result, the accuracy of their ML models ranged between 99.40% to 100%.

The authors in [17] proposed a data security paradigm in an IoT platform incorporating a deep neural network and blockchain. As a result, the platform improves performance regarding latency and accuracy. Furthermore, the work in [22] presented the security architecture of the IoT platform to deliver secure and scalable IoT data for the IoT platform in a decentralised manner. This technology addresses the problem of centralized data in an IoT network.

The study [23] explored the vulnerability of IoT in three layers: the terminal, network, and application layers. Different devices are connected through the network layer in the terminal layer, which transmits data to the cloud. To tackle that issues, the authors utilized blockchain technology to provide decentralized security for IoT devices without needing a third party. The study also uses verification and machine learning techniques to detect unusual network activity.

The authors in [24] proposed a security mechanism based on the InterPlanetary File System (IPFS) and a blockchain network. IPFS is a cluster node primarily used to authenticate patients and their medical devices. The blockchain network is responsible for securing the transferred data between agents such as patients and doctors. Patients and medical devices are initially registered and authenticated before being submitted to the blockchain network through IPFS. Then, the authority and authenticity of the registered patients and medical devices are synchronized. Finally, the information is disseminated into the blockchain to allow the secure transmission of data among different users.

The authors of this study [25] designed an IoMT security evaluation framework (IoMT-SAF) according to web-based applications. Therefore, the stakeholders such as system administrators, patients, and medical professionals through IoMT can examine the degree of security of the IoMT solutions. IoMT solution refers to medical devices’ services and platforms. Medical devices come in different types, for example, wearable devices such as heart monitors, implantable devices such as cardiac function monitors, ambient such as door sensors, and stationery such as computerized tomography scanners. Services refer to web or mobile applications and can be used to analyze data—platforms for facilitating and managing smart devices and applications. Then based on the scenario that the stakeholders selected, the system will show the possible security risks and recommended countermeasures.

Azeem et al. [26] proposed an Efficient and Secure Data Transmission and Aggregation (ESDTA) model to enhance the security of the IoMT a the remote healthcare system. Their methods employ Secure Message Aggregation (SMA) and Security Message Decryption (SMD) algorithms to ensure aggregated and transmitted data security. Data aggregation decreases redundant communications while enabling efficient use of bandwidth and energy. However, data aggregation needs a security mechanism hence a symmetric key is used to encrypt the data in the sensor node, which is then encrypted in the fog node. In the beginning, sensor measurements of wearable devices such as blood pressure, body temperature, and oxygen level are collected and aggregated in a data collector node, a mobile node. Then, data is encrypted and transmitted to the fog node. After that, the data is decrypted and sent to the cloud node for storage and analytical purposes. Finally, doctors can access patient data for diagnosis.

According to several research papers, most IoMT approaches rely on a centralized cloud server [27]. However, this will not cope with the tremendous growth of IoT devices in the healthcare domain. Therefore, blockchain technology can be exploited to move toward a decentralized architecture. Hence, transmitted data is safely stored in peers rather than a centralized server, exposed by a singular point of failure.

In this paper [28], the authors introduced a blockchain model with IoT devices to increase the security and privacy of patient data collected by medical sensors, which doctors can access remotely. In the scenario, the authors considered that the patients use wearable devices to monitor health data such as heartbeats, sleeping conditions, and walking distance. The collected sensor data is sent to the smart contracts responsible for analyzing the received data. Smart contracts are automation algorithms on the blockchain to increase trust without relying on a third party. If a specific condition is met, an alert is sent from the smart contracts to the patient.

Meanwhile, the alert is transmitted to the cloud server, which confirms the digital signature of the node, and if the node is not verified, then the alert is ignored. Next, the hash function is calculated at the cloud server, and then data is transferred to the overlay, a peer-to-peer network consisting of cluster nodes. The overlay network has two types of nodes: patient devices and healthcare providers.

Table 1. Summary of Related Work Security Methods.

Research	Security Methods
Roopak et al. [21]	CNN + LSTM
Alsulami et al. [9]	KNN, SNNsNN, SVM, DT, BT
Wang et al. [17]	deep neural network and blockchain
Qian et al. [23]	Blockchain
Kumar et al. [24]	IPFS
Alsubaei et al. [25]	IoMT-SAF
Azeem et al. [26]	ESDTA
Dwivedi et al. [28]	blockchain

contains a list of security methods discussed in the related work section.

Overall, the related work focused on security methods used to enhance the security of IoMT, which were implemented based on an ML model and blockchain technology. However, this research proposes a resilient security framework that integrates ML and blockchain technology to ensure the security of IoMT.

3. Dataset

This section introduces the ICUDatasetProcessed [19] dataset, which is used to test and validate the proposed security framework in this research. First, the use case scenario for collecting the dataset, as employed by the authors [19], is discussed. Subsequently, statistical information about the dataset is presented.

The IoMT dataset was generated using IoT-Flock, an open-source tool that can generate IoT synthetic traffic with many scenarios depending on a user’s choice [29]. The scenario created by the authors of the ICUDatasetProcessed dataset is based on an Intensive Care Unit (ICU).

The following medical devices were used in the ICU scenario:

• ECG monitoring: this device is used to monitor the heart rate.
• Electromyography (EMG) Sensor is used for measuring the electrical signal produced by the muscles.
• Infusion Pump: this device is used to deliver medications or nutrients.
• AirFlow Sensor is utilized for measuring the patient’s breathing level.
• Pulse Oximeter (SPO2): this device can be placed on the finger of the patient to measure the Oxygen level.
• Glucometer: It measures the amount of glucose within the blood.
• A blood pressure device is utilized for checking the individual’s blood pressure.
• The Galvanic Skin Response (GSR) Sensor measures the skin’s electric signal.
• Finally, a body Temperature Sensor is used for measuring the temperature of an individual’s body.

The following environmental sensors were used in the ICU scenario:

• An air humidity sensor is utilized for measuring the air’s humidity.
• Air temperature sensor: it calculates the temperature of the air.
• CO sensor: this device is used to sense the carbon monoxide level in the ICU room.
• Fire sensor: this device detects fire or flame in the ICU room.
• Smoke sensor: this device is used to detect the level of smoke in the ICU room.
• Barometer: this device measures the air pressure in the ICU room.
• Solar radiation sensor: this device is used to measure the power of the heat of the light or the sun.

There are four cyberattacks generated at the application layer: MQTT DDoS, MQTT publishes flood attack, brute force attack, and SlowITE attack. MQTT is an acronym for Message Queuing Telemetry Transport. MQTT is a publisher and subscriber protocol used for message queuing at the application layer in IoT systems [30]. All four cyberattacks are labeled as attacked data in the dataset.

The dataset contains 42 features and 187,643 records. In addition, it consists of three labels: patient monitoring, environment monitoring, and cyberattack.

Table 2. Labels and Number of Records.

Labels	Type	Number of Records
Patient Monitoring	Normal	76,810
Environment Monitoring	Normal	31,758
Attack	Malicious	79,075
Total Records	187,643

lists a statistical summary of the dataset records. There are 108,568 records labeled as normal data and 79,075 as malicious data.

4. Methodology

This section explores and discusses the topology of the proposed method in this study, which combines TNN and blockchain models. The TNN is responsible for detecting abnormalities in the data collected from medical sensors. Therefore, malicious data is discarded from the IoMT traffic; however, normal data is transmitted to the blockchain model to ensure that data cannot be tampered with after being filtered by the TNN model. In addition, this section provides a detailed explanation of the implementation of the TNN and blockchain models.

4.1. Proposed Security Framework of IoMT

It is well known that IoMT devices are not immune from cybersecurity threats. Therefore, this paper proposes a security framework based on the TNN model and blockchain technology. Figure 2 illustrates a block diagram of the top-level architecture of the IoMT after integrating security models TNN and blockchain to show the interaction activity between IoMT components when a security mechanism is in place. Firstly, two types of data are sent to the TNN model. The first is normal data measured by medical sensors, and the second is malicious data injected by an attacker. Next, the TNN performs anomaly detection to distinguish normal data (patient monitoring, environment monitoring) and attacked data (MQTT DDoS, MQTT publishes flood, brute force, and SlowITE attacks). As a result, malicious data is excluded from the IoMT system, while normal data is transmitted to the fog layer. Then, the blockchain is established in the fog layer to ensure data integrity and immutability, which is accomplished by validating each transaction in the blockchain [31]. Finally, because of the limited capacity of the fog layer, data can be sent to the cloud layer for further analysis. Also, it can be noticed that data can be viewed through user devices from fog or cloud layers.

4.2. Tri-Layered Neural Network Classifiers

This research employs a TNN model to detect medical sensor data, which has two categories: normal data (patient monitoring and environment monitoring) and attack. The dataset used to train and test the TNN model is ICUDatasetProcessed [19] since it was collected from the IoMT domain; therefore, it is relevant for this research. The architecture of the TNN model is depicted in Figure 3. It is a feedforward neural network following a supervised learning approach, consisting of three fully connected hidden layers and one output layer. Each hidden layer comprises ten neurons, and the output layer has only one neuron. The input vector, in our case, the 42 features, is fed to the first hidden layer. Each layer is supposed to multiply the input vector by the weight (w), and the result is added to the bias (b) vector. Then the activation function at each layer is used to allow non-linearity and prevent linearity [32]. The activation function technique used is Rectified Linear Units (ReLUs) [33]. The output of the TNN is patient monitoring, environment monitoring, and attack.

Figure 4 shows the preprocessing flow of the TNN detection model. The first stage is to import the dataset Comma-Separated Values (CSV) file into a Matlab project. The second step is to prepare the data in which any record with an empty or inappropriate value is deleted. There are two numerical labels in the data: 0 refers to normal, and 1 refers to attack. The third step is to train and test the implemented TNN model. The size of the dataset used for training and testing is (187,643 × 42). It contains 187,643 records and 42 features. 70% of the data was used for training and 30% for testing. The k-fold cross-validation technique was used to validate the training procedure, and the k value was set to 10 [34]. This means the entire data is divided randomly into ten folds with equal sizes to prevent overfitting. One-fold is used for testing, and the remaining folds are used for training. The TNN detection model’s output is obtained in the fourth step, either a normal record or an anomaly (attack) record. The fifth step is to evaluate the TNN model, which will be covered in the Section 5.

4.3. Blockchain

This research utilized blockchain technology because it is a modern technology that solves the challenge of centralization, privacy, and trust. Blockchain is a formal technique used in the cryptocurrency industry, such as Bitcoin [35]. One can think of blockchain as a database storing transactions inside blocks using a peer-to-peer network with a decentralization approach that eliminates the existence of the third party. The blockchain’s decentralized structure increases system availability and reliability while reducing the probability of a single point of failure. Figure 5 depicts the blockchain model implemented in this study. The first block in the blockchain is called the genesis block, and there are N numbers of blocks. Each block contains two hashes (except Genesis block), difficulty, nonce, timestamp, and transactions. A hash is a mathematical function used to encrypt data with variable length into encrypted data with fixed length [36]. The hash is used to replace the trust in the traditional functional system. Each block except the Genesis block has two hashes, the previous and its hash; therefore, it only has information about the previous block. Thus, blockchain technology ensures the immutability of data held in fog nodes by leveraging the blockchain hashing function, which builds secure links between blocks. When a computer wants to participate in blockchain networks, it typically chooses the longest valid blockchain to join. Controlling the growth of blocks becomes important since attackers might increase the number of fabricated blocks to attract the new joiner. This is why mining difficulty is used, which refers to delaying the creation of a new block by increasing the mining difficulty level using a Proof-of-Work (PoW) algorithm [37]. Therefore, the difficulty is essential in controlling how fast the block can be mined. PoW is the most popular consensus protocol in blockchain industries, such as Bitcoin. A nonce is a random value miners use to compute the hash [35]. It also verifies the hash because a nonce number is used once. Transactions are the activities produced by system participants. In addition, each block has many transactions from 1 to N, depending on the block size. When a transaction is initiated, then this transaction is broadcasted to every node in the network. All nodes that receive the new transaction verify it and hold it in their ledger.

Blockchain Scheme

This section presents the implementation of the blockchain scheme of this research. Four algorithms are implemented using Python: BlockchainMain(), BlockchainClass, and BlockClass. We follow the basic model of designing a public blockchain scheme, which was first introduced in [38]

Algorithm 1 demonstrates the steps of the primary function of the blockchain model implemented in this research. The two lists, rows, and chunk, are declared initially. The rows list stores every dataset record, and the chunk list stores pieces of records depending on the number of IoMT devices used in the blockchain network. The variable chunk_size is assigned a value of N depending on the number of simulated IoMT devices. Then the CSV file, which has the dataset, is read. After that, data is split into chunks. Then the loop from lines 7 to 14 shows the main procedures of the blockchain technique. In line 8, the blockchain class is called, which will be explained in Algorithm 2. In line 10, the device class is called, which will be discussed in Algorithm 3. In line 12, a new thread of a device object is created—finally, line 13 stops calling new threads until the currently processed threads are terminated.

Algorithm 1: BlockchainMain()
1:	Initialize the following variables:
2:	rows ← [ ]
3:	chunk ← [ ]
4:	chunk_size ← N
5:	Read the CSV file and store the rows in the list “rows”.
6:	Split the list “rows” into chunks based on the chunk_size
7:	for each chunk in chunks:
8:	call BlockchainClass
9:	blockchain = BlockchainClass()
10:	call device class
11:	deviceobject = DeviceClass(blockchain, chunk)
12:	Start a new thread of device object
13:	Wait for all device threads to finish
14:	End for

Algorithm 2 shows the implementation of the blockchain class. Initially, an object lock is created to serve as a lock for the thread so that only one can access the critical code section at a time. Then the difficulty is set to one as a proof-of-concept prototype of our blockchain-based solution to reduce the computing power needed to mine a block. After that, the block list is created, which stores the values of the block. The first block stored in the list is the Genesis block, with the previous hash value equal to zero because it is the first block. Next, the transactions list is initialized to store the transactions of each block. Then, in line 5, the add_block function is created and used to create a new block to be stored in the blocks list. The if clause is used to check whether the previous block’s hash is equal to the last block’s hash to confirm the validity of the new block. Next, the broadcast_transaction function adds a new transaction to the transactions list while locking the list to prevent concurrent access. Then the mine_block function creates a new_block object with a list of transactions, the last block hash, and difficulty. Next, the mine function is called and will be explained in Algorithm 3. At the end, the algorithm returns the object new_block.

Algorithm 2: BlockchainClass
1:	Create an object “lock” with a threading lock
2:	Set the difficulty to 1
3:	Initialize the blocks list and assign the Genesis_block as the first item
4:	Initialize the transactions list = [ ]
5:	add_block(block)
6:	if block.previous_hash == blocks[last].hash
7:	add the block to the blocks list
8:	return True
9:	else
10:	return False
11:	broadcast_transaction(transaction)
12:	Use thread lock object
13:	transactions = [transaction]
14:	mine_block()
15:	new_block = BlockClass(transactions, blocks[last].hash, difficulty)
16:	new_block = mine()
17:	return new_block

Algorithm 3 represents the block class used to create a block in the network. The class has the following attributes:

• Data: the data stored in the block.
• previous_hash: the hash value of the previous block in the blockchain.
• Hash: the hash value of the current block.
• Difficulty: the difficulty level for mining the block.
• Nonce: the arbitrary number used to change the block’s hash value during mining.
• Timestamp: the time at which the block was mined.

The mine function is used to add a block to the blockchain network. In this process, the previous hash is needed to link the new and previous blocks.

Algorithm 3: BlockClass
1:	Initialize the objects:
2:	data,
3:	previous_hash,
4:	hash,
5:	difficulty,
6:	nonce,
7:	timestamp
8:	mine()
9:	Calculate hash using sha256

Algorithm 4 is used to demonstrate the device class. The class device is inherited from the Thread function to simulate the concurrent operation of multi-devices. Each block created in a device should contain 35 transactions (this number can be customized). However, if the number of transactions reaches 35, then the block is mined.

Algorithm 4: DeviceClass
1:	Define a class named “device” that inherits from the thread function
2:	Use the following object:
3:	blockchain
4:	rows
5:	pending_transactions = 0
6:	create a dictionary called transaction[]
7:	run()
8:	for each row in rows
9:	if pending_transactions < 35
10:	transaction = [data]
11:	broadcast_transition (transaction)
12:	pending_transactions += 1
13:	else
14:	block = mine_block()
15:	pending_transactions = 0

5. Result and Discussion

Our solution combines the TNN and blockchain models. The TNN is responsible for detecting cyberattacks in the data collected from medical sensors. The blockchain model distributes and stores the data after being vetted and cleared of cyberattacks in the fog layer. Therefore, malicious data is detected and discarded by the TNN model before transmitting normal or clear data to the blockchain model. In other words, we use the blockchain algorithms to manage and store the normal or clear data acquired from the dataset Comma-Separated Values (CSV) file after data is filtrated by the TNN model.

The TNN model was evaluated using a confusion matrix to calculate the accuracy of the TNN. The general form of the confusion matrix is shown in Figure 6. True positive (TP) means the TNN successfully classified normal sensor data as normal. True negative means the TNN was able to classify malicious data as anomalous. However, false positive (FP) means the TNN mistakenly classified normal sensor data as malicious. Finally, a false negative (FN) means the TNN mistakenly classified malicious data as normal [39].

The detection result of the TNN model is represented in Figure 7. Label 0 in the figure refers to normal data, and Label 1 refers to attacked data. TNN detector could classify 32,568 records of the tested data as normal and only missed classifying two records as attacked data. However, the model successfully classified all attacked data as attacked data. The classification accuracy was calculated using Equation (1), and the TNN model scored 99.99% [40].

Also, the multiclassification result of the TNN model was computed in this study, as shown in Figure 8. The reason for studying the multiclassification problem using the TNN model is to identify the class of data collected by the medical sensors. As mentioned in the dataset section, the ICUDatasetProcessed dataset consists of three categories: patient monitoring, environment monitoring, and cyberattack. The TNN classifier was able to categorize attacked data with zero misclassification instances. In addition, only three records of patient monitoring data were misclassified. However, 441 environmental monitoring records were mistakenly classified; meanwhile, the classification accuracy of the TNN classifier is 99.2%.

$$\mathrm{Classification} \mathrm{Accuracy}=\frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{FP}+\mathrm{TN}+\mathrm{FN}}\times 100$$

(1)

Researchers usually do not rely solely on classification accuracy. For that reason, F1-score is calculated using Equation (4). One way to easily calculate F1-score is by first calculating precision and recall, as shown in Equations (2) and (3). For example, the TNN detector model precision recorded 99.99%, recall recorded 100%, and the F1-score for the model was 99.99% [36]. Similarly, the precision, recall, and F1-score metrics were calculated for the TNN classifier. The model scored 99.36% on precision, 98.45% on recall, and 98.91% on F1-score.

$$\mathrm{Precision}=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}\times 100$$

(2)

$$\mathrm{Recall}=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}\times 100$$

(3)

$$\mathrm{F}1-\mathrm{score}=\frac{\mathrm{Precision} \times \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}\times 100$$

(4)

It can be observed that the TNN model achieved high accuracy based on the accuracy metrics discussed above; therefore, TNN can serve this research purpose as a detection model. To validate the performance of the TNN model, we compared our results with those of Hussian et al. [19]. We chose to compare our findings with [19] because the authors used the same dataset as we did in this research, ensuring a fair comparison.

Table 3. Accuracy of Various Security Detection Techniques.

Detection Model	Classification Accuracy	Precision	Recall	F1-Score
NB	52.18%	79.67%	99.71%	68.51%
KNN	99.49%	99.65%	99.69%	99.59%
RF	99.51%	99.71%	99.80%	99.65%
AB	99.50%	99.55%	99.45%	99.47%
LogR	99.50%	95.29%	90.35%	94.71%
DT	99.48%	99.69%	99.80%	99.64%
Proposed TNN	99.99%	99.99%	100%	99.99%

lists various detection models implemented based on ML algorithms to detect cyberattacks in the dataset ICUDatasetProcessed. Regarding the classification accuracy metric, our proposed TNN scored the highest results compared with the rest of the detection models. The Naive Bayes (NB) scored the lowest classification accuracy, precision, and F1-score results, but the TNN achieved the highest result in each metric. K-Nearest Neighbors (KNN) Random Forest (RF), Adaboost (AB), Logistic Regression (LogR), and Decision Tree (DT) scored very close results to the TNN. Overall, by looking at Table 3, we can observe that TNN outperforms other ML models based on accuracy, precision, recall, and F1-score metrics. The closest model in terms of performance to our model is RF.

Figure 9 and Figure 10 show samples of the JSON output of two consecutive blocks in the blockchain network recorded from Python. JSON stands for JavaScript Object Notation, a textual representation of transporting and storing data [41]. JSON, which is a language-independent data format, can be used to transfer data between computers using any programming language. We used JSON to enable data interchange between peers and to enhance system interoperability. Figure 9 represents the data extracted from the CSV file after data preparation and filtration by the TNN model. The practical blockchain environment and implementation are based on the foundational model of designing a public blockchain scheme, first introduced in Nakamoto’s paper titled “Bitcoin: A Peer-to-Peer Electronic Cash System”. Figure 9 shows a block sample with the following parameters: hash, previous_hash, difficulty, nonce, timestamp, and transactions. The transactions parameter has several transactions determined by the size of the block. In our case, we assumed that each block could contain up to 35 transactions, but users can customize this number based on the capacity of the IoMT devices. Figure 10 represents a second block sample, and we noticed that the previous_hash parameter matches the hash value in Figure 9 because the two block samples are consecutive.

6. Conclusions

The security of IoMT is a critical concern due to the system’s complexity and the security limitation of IoT devices which are vulnerable and susceptible to cyberattacks. This paper proposed a robust security framework leveraging Tri-layered Neural Network (TNN) and Blockchain models. Specifically, the TNN model was utilized to detect cyberattacks on data from medical sensors by identifying malicious data, which was then blocked from the IoMT system. A Blockchain model was employed at the fog layer to ensure the integrity of the data stored in the IoMT devices after being vetted by TNN. The results demonstrate that the TNN model achieved high accuracy, precision, and F1-score metrics and perfect recall performance, outperforming existing methods such as NB, KNN, RF, AB, and LogR. Furthermore, the proposed blockchain-based simulation scheme yielded the expected outcomes, and its parameters can be customized to cater to different purposes. Due to its versatility, the proposed framework can be easily adapted to other applications and datasets by adjusting the settings to the new environment. Due to its trade-off, the proposed blockchain-based solution concentrates on security, not performance. The system performance will be evaluated against a private blockchain implementation in future work.