As part of our proposed model for detecting and preventing intrusions in the Internet of UAVs ecosystem, the IDS is a critical component. Within the UAV network, it efficiently identifies threats and abnormalities.
3.3.2. Intrusion Detection Engine
The intrusion detection engine is the component of the proposed model responsible for identifying potential security threats and abnormal activities within the UAV network. It analyzes the collected and preprocessed data to detect suspicious patterns or behaviors that may indicate intrusion attempts or anomalous activities. The engine consists of two main stages: data preprocessing, followed by anomaly detection and classification.
Data Preprocessing: Before feeding the data into the anomaly detection and classification stage, the data preprocessing stage performs essential tasks to ensure the data are in a suitable format for analysis. Data normalization, feature extraction, and data transformation are all part of this stage.
Data normalization: Data normalization is an important step in data preprocessing that brings all features onto a common scale, so that a feature with a large numeric range does not dominate the analysis simply because of its magnitude. Normalization techniques vary, but one popular technique is min-max scaling. The data are scaled to a fixed range, typically between 0 and 1, using the following formula:
where
X represents the original data,
represents the dataset’s minimum value, and
represents the dataset’s maximum value.
Feature extraction: Feature extraction entails extracting the most relevant features from the collected data. Principal component analysis (PCA) is a common feature extraction technique. PCA converts the data into a new coordinate system in which the new features, known as principal components, are orthogonal to each other and capture the most variance in the data.
In this step, we will need to calculate the covariance matrix C, which can be calculated as follows:
where
n is the number of data points,
represents each data point, and
is the mean vector of the data points. The term
represents the outer product of the centered data point with itself. We will also need to compute the eigenvectors and eigenvalues of C, as follows:
where
C represents the covariance matrix of the dataset,
V represents a matrix containing the eigenvectors, and
is a diagonal matrix containing the eigenvalues.
After that, we have to compute the transformed data using the PCA equation. PCA is expressed as follows:
where
X represents the original data matrix and
V is the eigenvector matrix derived from the data covariance matrix.
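The two preprocessing steps described so far, min-max scaling followed by PCA through the covariance matrix and its eigen-decomposition, are worked through below in pure Python. This is an added example, not code from the paper; the telemetry records, feature names and function names are constructed for illustration, the eigen-decomposition uses cyclic Jacobi rotations (one standard way to compute C = V diag(lambda) V^T for a symmetric matrix), and the projection centres the data with the mean vector before multiplying by the eigenvector matrix.

```python
import math

# Constructed sample: five UAV telemetry records with three features each
# (altitude in metres, ground speed in m/s, packets per second). The values
# are illustrative, not data from the paper.
TELEMETRY = [
    [120.0, 12.0, 40.0],
    [150.0, 15.0, 55.0],
    [135.0, 14.0, 48.0],
    [110.0, 10.0, 36.0],
    [160.0, 18.0, 61.0],
]


def min_max_normalize(X):
    """Scale every feature column into [0, 1]: (x - min) / (max - min)."""
    d = len(X[0])
    mins = [min(row[k] for row in X) for k in range(d)]
    maxs = [max(row[k] for row in X) for k in range(d)]
    scaled = []
    for row in X:
        out = []
        for k, x in enumerate(row):
            span = maxs[k] - mins[k]
            # A constant feature carries no information: map it to 0 instead
            # of dividing by zero.
            out.append((x - mins[k]) / span if span else 0.0)
        scaled.append(out)
    return scaled


def covariance_matrix(X):
    """C = (1/n) * sum_i (x_i - mu)(x_i - mu)^T; also returns the mean vector mu."""
    n, d = len(X), len(X[0])
    mu = [sum(row[k] for row in X) / n for k in range(d)]
    C = [[0.0] * d for _ in range(d)]
    for row in X:
        centered = [row[k] - mu[k] for k in range(d)]
        for a in range(d):
            for b in range(d):
                C[a][b] += centered[a] * centered[b] / n
    return C, mu


def jacobi_eigh(C, tol=1e-12, max_sweeps=50):
    """Eigen-decomposition C = V diag(lambda) V^T of a symmetric matrix by
    cyclic Jacobi rotations. Returns (values, vectors) sorted by descending
    eigenvalue; vectors[i] is the unit eigenvector belonging to values[i]."""
    d = len(C)
    A = [row[:] for row in C]
    V = [[1.0 if i == j else 0.0 for j in range(d)] for i in range(d)]
    for _ in range(max_sweeps):
        off = sum(A[i][j] ** 2 for i in range(d) for j in range(d) if i != j)
        if off < tol:
            break
        for p in range(d):
            for q in range(p + 1, d):
                if A[p][q] == 0.0:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(d):  # A <- A J: rotate columns p and q
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(d):  # A <- J^T A: rotate rows p and q
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(d):  # V <- V J: accumulate the rotation
                    vkp, vkq = V[k][p], V[k][q]
                    V[k][p], V[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    values = [A[i][i] for i in range(d)]
    order = sorted(range(d), key=lambda i: -values[i])
    return [values[i] for i in order], [[V[k][i] for k in range(d)] for i in order]


def pca_transform(X, n_components):
    """Project centred data onto the leading eigenvectors: Y = (X - mu) V_k."""
    C, mu = covariance_matrix(X)
    values, vectors = jacobi_eigh(C)
    components = vectors[:n_components]
    Y = [[sum((row[k] - mu[k]) * v[k] for k in range(len(row))) for v in components]
         for row in X]
    total_variance = sum(values)
    explained = [lam / total_variance for lam in values[:n_components]]
    return Y, components, explained


def preprocess(X, n_components=2):
    """Normalization followed by PCA, in the order the preprocessing stage applies them."""
    return pca_transform(min_max_normalize(X), n_components)
```

The returned `explained` ratios tell an operator how much of the variance the retained components keep; dropping components that explain almost nothing is what makes the later CNN-LSTM input smaller without losing the patterns that matter.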
Data transformation techniques: These techniques such as t-distributed stochastic neighbor embedding (t-SNE) are used to further enhance the data representation, especially for visualization purposes. t-SNE is commonly used to reduce high-dimensional data to a lower-dimensional space while preserving the local structure of the data. Here, we compute the pairwise distances between data points in as follows:
where
represents the pairwise Euclidean distance between data points
and
,
n is the number of dimensions (features) in the data, and
and
are the
k-th features of data points
and
, respectively. t-SNE can be represented as follows:
where
and
are data points in the original space,
and
are their corresponding points in the lower-dimensional space,
is the variance of the Gaussian distribution around
,
is the conditional probability that
would pick
as its neighbor,
is the conditional probability that
would pick
as its neighbor, and
is the Kullback–Leibler divergence between
and
.
These data preprocessing steps, including normalization, feature extraction with PCA, and data transformation using t-SNE, are essential for improving the data representation and facilitating more effective anomaly detection and classification in the intrusion detection engine.
Algorithm 5 summarizes the data preprocessing stage.
Algorithm 5 Data Preprocessing Algorithm
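The t-SNE quantities listed above (pairwise Euclidean distances, the Gaussian conditional probabilities p_{j|i} with a per-point variance, the matching q_{j|i} in the low-dimensional space, and the Kullback-Leibler divergence that t-SNE minimizes) are implemented below as an added example; it is not code from the paper. The point set is constructed, the per-point sigma_i is chosen by a perplexity search (standard t-SNE practice, not stated on the page), and the low-dimensional q_{j|i} uses the conditional Gaussian form the text describes with a fixed sigma of 1/sqrt(2), the SNE convention; t-SNE proper replaces that kernel with a Student-t distribution.

```python
import math

# Constructed 2-D feature vectors, e.g. the first two PCA scores of five
# telemetry records: a tight cluster near the origin and a second cluster
# near (3, 3). Values are illustrative, not data from the paper.
POINTS = [[0.0, 0.0], [0.1, 0.0], [0.0, 0.1], [3.0, 3.0], [3.1, 3.0]]


def euclidean(a, b):
    """d_ij = sqrt(sum_k (x_ik - x_jk)^2), summed over all n features."""
    return math.sqrt(sum((ak - bk) ** 2 for ak, bk in zip(a, b)))


def pairwise_distances(X):
    return [[euclidean(xi, xj) for xj in X] for xi in X]


def conditional_row(D, i, sigma):
    """p_{j|i} = exp(-d_ij^2 / 2 sigma_i^2) / sum_{k != i} exp(-d_ik^2 / 2 sigma_i^2).
    Squared distances are shifted by their minimum before exponentiating; the
    shift cancels in the ratio and keeps the denominator from underflowing to 0."""
    n = len(D)
    base = min(D[i][j] ** 2 for j in range(n) if j != i)
    weights = [0.0 if j == i else math.exp(-(D[i][j] ** 2 - base) / (2.0 * sigma ** 2))
               for j in range(n)]
    total = sum(weights)
    return [w / total for w in weights]


def perplexity(row):
    """Perp(P_i) = 2^H(P_i): roughly the effective number of neighbours of point i."""
    entropy = -sum(p * math.log2(p) for p in row if p > 0.0)
    return 2.0 ** entropy


def sigma_for_perplexity(D, i, target, iters=60):
    """Choose sigma_i so that Perp(P_i) hits the target (bisection in log space)."""
    lo, hi = 1e-4, 1e4
    for _ in range(iters):
        sigma = math.sqrt(lo * hi)
        if perplexity(conditional_row(D, i, sigma)) < target:
            lo = sigma  # distribution too peaked: widen the Gaussian
        else:
            hi = sigma
    return math.sqrt(lo * hi)


def affinities(X, target_perplexity):
    """P = [p_{j|i}] in the original space, with one calibrated sigma_i per point."""
    D = pairwise_distances(X)
    sigmas = [sigma_for_perplexity(D, i, target_perplexity) for i in range(len(X))]
    return [conditional_row(D, i, s) for i, s in enumerate(sigmas)], sigmas


def kl_divergence(P, Q, eps=1e-300):
    """KL(P || Q) = sum_i sum_j p_{j|i} log(p_{j|i} / q_{j|i})."""
    return sum(p * math.log(p / max(q, eps))
               for prow, qrow in zip(P, Q) for p, q in zip(prow, qrow) if p > 0.0)


def embedding_cost(X, Y, target_perplexity=3.0):
    """Cost of a candidate low-dimensional embedding Y of X: the divergence
    between the high-dimensional P and the low-dimensional Q (fixed sigma = 1/sqrt(2))."""
    P, _ = affinities(X, target_perplexity)
    D_y = pairwise_distances(Y)
    Q = [conditional_row(D_y, i, 1.0 / math.sqrt(2.0)) for i in range(len(Y))]
    return kl_divergence(P, Q)
```

A full t-SNE run would now move the points of Y by gradient descent on `embedding_cost`; comparing the cost of a faithful embedding with one that drags a point into the wrong cluster shows why the divergence rewards preserved local structure.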
Anomaly Detection and Classification: In this stage, the preprocessed data are fed into advanced machine learning algorithms, such as the convolutional neural network-long short-term memory (CNN-LSTM) network, for anomaly detection and classification. The combination of CNN and LSTM allows the system to perform comprehensive anomaly detection and classification, enhancing the intrusion detection system’s ability to effectively identify and respond to security threats in the UAV network.
Convolutional Neural Network (CNN): CNN is a powerful deep learning model commonly used for image and spatial data analysis. The CNN plays a critical role in anomaly detection in the proposed intrusion detection system for UAVs by learning spatial patterns and features from preprocessed data. The CNN architecture is made up of several layers, such as convolutional layers, pooling layers, and fully connected layers.
The convolution operation is the essential building component of a CNN. It entails applying filters (kernels) to input data in order to derive feature maps. In the output feature map, the convolution process for a specific pixel can be expressed as:
where
i represents the output feature map,
is the filter (kernel) value at position
, and
represents the input data at position
.
The activation function adds nonlinearity to the CNN, allowing it to simulate complicated data relationships. ReLU (rectified linear unit) and sigmoid are two common activation functions. The ReLU activation function is defined as follows:
Pooling layers reduce the spatial dimensions of the feature maps, lowering computational cost and preventing overfitting. The MaxPooling operation picks the largest value inside a particular window, while the Average Pooling operation computes the average value. The MaxPooling procedure can be represented as follows:
where
represents the pooled output, and
represents the input data in the pooling window.
Algorithm 6 summarizes the functionality of CNN in our proposed model.
Algorithm 6 Convolutional Neural Network (CNN) Algorithm
The CNN is largely in charge of recognizing and differentiating anomalies from routine UAV operations. It is particularly good at learning spatial features and patterns from preprocessed data. As a result, by evaluating spatial information, it may detect unexpected or abnormal patterns in data, indicating potential security threats or breaches.
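The three CNN operations the text defines (the convolution of a kernel over the input to produce a feature map, the ReLU activation, and max/average pooling over a window) are shown below on a small grid, as an added example that is not code from the paper. The 4x4 input, the kernel values and the function names are constructed; a trained CNN would learn the kernel.

```python
# Constructed 4x4 spatial input: e.g. a grid of link-quality readings from four
# UAVs (rows) over four time slots (columns). Values are illustrative only.
INPUT = [
    [1.0, 2.0, 0.0, -1.0],
    [0.0, 1.0, 3.0, 2.0],
    [-2.0, 0.0, 1.0, 4.0],
    [1.0, -1.0, 2.0, 0.0],
]

# A hypothetical 3x3 kernel; real CNNs learn these values during training.
SUM_KERNEL = [[1.0, 1.0, 1.0], [1.0, 1.0, 1.0], [1.0, 1.0, 1.0]]


def conv2d(x, kernel, bias=0.0):
    """'Valid' convolution as CNN frameworks implement it (cross-correlation,
    no padding): out[i][j] = b + sum_m sum_n k[m][n] * x[i+m][j+n]."""
    kh, kw = len(kernel), len(kernel[0])
    out_h, out_w = len(x) - kh + 1, len(x[0]) - kw + 1
    out = []
    for i in range(out_h):
        row = []
        for j in range(out_w):
            acc = bias
            for m in range(kh):
                for n in range(kw):
                    acc += kernel[m][n] * x[i + m][j + n]
            row.append(acc)
        out.append(row)
    return out


def relu(fmap):
    """ReLU(z) = max(0, z), applied element-wise."""
    return [[max(0.0, v) for v in row] for row in fmap]


def _pool(fmap, size, stride, reducer):
    out_h = (len(fmap) - size) // stride + 1
    out_w = (len(fmap[0]) - size) // stride + 1
    return [[reducer([fmap[i * stride + m][j * stride + n]
                      for m in range(size) for n in range(size)])
             for j in range(out_w)] for i in range(out_h)]


def max_pool(fmap, size=2, stride=2):
    """MaxPooling: the largest value inside each window."""
    return _pool(fmap, size, stride, max)


def average_pool(fmap, size=2, stride=2):
    """Average Pooling: the mean value inside each window."""
    return _pool(fmap, size, stride, lambda w: sum(w) / len(w))


def cnn_block(x, kernel, bias=0.0):
    """One conv -> ReLU -> max-pool stage; the pooled map is the spatial
    feature representation handed on to the classifier."""
    return max_pool(relu(conv2d(x, kernel, bias)))
```

Note how a 4x4 input shrinks to a 2x2 feature map after a 3x3 valid convolution and to a single value after 2x2 pooling; that reduction is the "lower computational cost" the text refers to, and a negative bias combined with ReLU can zero out an entire feature map, which is worth checking for when a model appears to ignore an input channel.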
Long Short-Term Memory (LSTM): The LSTM is a recurrent neural network (RNN) variant designed to handle sequential data, making it well-suited for time-series analysis and capturing temporal dependencies. It is important in the context of our proposed IDS as it takes detected anomalies from the convolutional neural network (CNN) and classifies them into specific categories or types based on their temporal characteristics. The LSTM is composed of memory cells that accumulate information over time, allowing it to remember and learn patterns that span multiple time steps. Its unique ability to retain long-term dependencies enables it to recognize complex temporal patterns in the sequence of detected anomalies, facilitating accurate anomaly classification.
The LSTM computationally processes sequential data by employing a set of gating mechanisms that regulate the flow of information. The input gate, forget gate, and output gate are examples of these mechanisms. The LSTM’s cell state stores information over time, while the gates determine how much information is retained or discarded at each time step. The following are the LSTM equations:
Hidden State Update:
where
is the input at time step
t,
is the hidden state at time step
t,
is the cell state at time step
t,
,
, and
are the input, forget, and output gates’ activations at time step
t, respectively,
is the candidate cell state at time step
t,
W and
b are weight matrices and bias vectors, and
is the sigmoid activation function; ⊙ denotes element-wise multiplication. Algorithm 7 summarizes the functionality of LSTM in our proposed model.
Algorithm 7 Long Short-Term Memory (LSTM) Algorithm
LSTM is chosen in our proposed model for classifying intrusions due to its exceptional ability to capture temporal dependencies within sequential data. Its unique architecture analyzes the temporal dynamics of anomalies over time, recognizing recurrent patterns and sequential behaviors crucial for accurate anomaly classification. By leveraging LSTM, our IDS effectively identifies and categorizes diverse intrusion scenarios, enhancing UAV operations’ security in a smart-city environment. Categorizing intrusions offers benefits such as improved response strategies, focused investigation, enhanced situational awareness, adaptive anomaly detection, and simplified forensic analysis, enhancing overall system reliability and safety in a dynamic smart-city environment.
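The gating equations above (input, forget and output gates through the sigmoid, the tanh candidate state, the cell-state update with element-wise products, and the hidden-state update) are implemented below as a single LSTM cell with a softmax classification head, as an added example that is not code from the paper. The weight matrices are supplied by hand so the gate behaviour can be inspected (a deployed model learns them), the class labels are placeholders, and the functions `zero_cell`, `run_sequence` and `classify` are this example's own names.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


def gate(W, b, z, activation):
    """activation(W z + b), element-wise."""
    return [activation(a + c) for a, c in zip(matvec(W, z), b)]


class LSTMCell:
    """One LSTM cell. Each W_* is hidden_size x (hidden_size + input_size) and
    acts on the concatenation [h_{t-1}, x_t]; each b_* is a bias vector."""

    def __init__(self, W_i, W_f, W_o, W_g, b_i, b_f, b_o, b_g):
        self.W_i, self.W_f, self.W_o, self.W_g = W_i, W_f, W_o, W_g
        self.b_i, self.b_f, self.b_o, self.b_g = b_i, b_f, b_o, b_g

    def step(self, x_t, h_prev, c_prev):
        z = h_prev + x_t                               # [h_{t-1}, x_t]
        i_t = gate(self.W_i, self.b_i, z, sigmoid)     # input gate
        f_t = gate(self.W_f, self.b_f, z, sigmoid)     # forget gate
        o_t = gate(self.W_o, self.b_o, z, sigmoid)     # output gate
        g_t = gate(self.W_g, self.b_g, z, math.tanh)   # candidate cell state
        # cell state update: c_t = f_t (.) c_{t-1} + i_t (.) g_t
        c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, g_t)]
        # hidden state update: h_t = o_t (.) tanh(c_t)
        h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
        return h_t, c_t


def zero_cell(input_size, hidden_size):
    """A cell with all-zero weights and biases: every gate opens halfway,
    a convenient starting point for hand experiments."""
    W = lambda: [[0.0] * (hidden_size + input_size) for _ in range(hidden_size)]
    b = lambda: [0.0] * hidden_size
    return LSTMCell(W(), W(), W(), W(), b(), b(), b(), b())


def run_sequence(cell, xs, hidden_size):
    """Feed a sequence of anomaly feature vectors through the cell; returns the final (h, c)."""
    h, c = [0.0] * hidden_size, [0.0] * hidden_size
    for x in xs:
        h, c = cell.step(x, h, c)
    return h, c


def classify(cell, xs, hidden_size, W_out, labels):
    """Linear layer plus softmax on the final hidden state -> (label, probabilities)."""
    h, _ = run_sequence(cell, xs, hidden_size)
    logits = matvec(W_out, h)
    m = max(logits)                      # shift for numerical stability
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    probs = [e / total for e in exps]
    return labels[probs.index(max(probs))], probs
```

Setting the forget-gate bias strongly negative makes `c_t` ignore `c_{t-1}`, while a strongly positive bias carries the previous cell state forward unchanged; that is the mechanism by which the LSTM decides which earlier anomalies still matter when labelling the current one.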
Figure 2 illustrates the hybrid CNN-LSTM Model for intrusion detection and classification in our proposed SP-IoUAV model.
3.3.3. Real-Time Decision Mechanism
The real-time decision mechanism, a critical component of our proposed model, comprises blacklist management and real-time alert provision.
Blacklist Management: Blacklist management is a crucial part of the real-time decision mechanism in our proposed model. It involves maintaining and updating a blacklist that contains identified malicious entities, such as unauthorized intruders or suspicious activities. The primary goal of blacklist management is to prevent future interactions with known threats and enhance the security of the unmanned aerial vehicle (UAV) network.
We can represent the blacklist as follows:
where
represents the
i-th entity or intrusion identified as a threat.
Algorithm 8 summarizes the blacklisting functionality in our proposed model.
The blacklist management algorithm first checks if a new intrusion, , is already present in the current blacklist. If not, it adds the new intrusion to the blacklist. If is already present, the algorithm updates its entry with any new information. Finally, the algorithm returns the updated blacklist, , which is then used to prevent any future interactions with known threats.
By continuously updating the blacklist with newly identified threats, the blacklist management component ensures that the UAV network remains protected from previously encountered malicious entities, significantly reducing the risk of security breaches and enhancing the overall security posture of the system.
Algorithm 8 Blacklist Management Algorithm
Real-Time Alert Provision: In our proposed model, real-time alert provision serves as a crucial mechanism for promptly notifying key stakeholders about detected security threats. Specifically, the mechanism sends alerts to the smart city control center, the privacy-preserving ensemble, and individual UAVs.
When it comes to UAVs, real-time alert provision offers flexibility in notification methods. Depending on the nature and severity of the detected intrusion, UAV operators can receive notifications either on a global level, where all UAVs are informed collectively, or on an individual level, where each UAV is notified separately. This adaptability allows UAV operators to tailor their response strategies based on the specific context of the intrusion.
By notifying the smart city control center, the privacy-preserving ensemble, and UAVs in a timely manner, our proposed model ensures a coordinated and swift response to security threats. This proactive approach enhances the overall security and resilience of UAV operations in the dynamic smart-city environment, facilitating effective threat mitigation and safeguarding critical assets and data.
Algorithm 9 summarizes the real-time alert provision mechanism.
Algorithm 9 Real-Time Alert Provision Algorithm
In the real-time alert provision algorithm, the variables and hold crucial roles. represents the type of detected intrusion, while captures the UAV operators’ preferences for alert notifications, whether they prefer global alerts or individual alerts. The algorithm begins by assessing the severity of the detected intrusion. For critical intrusions, alerts are dispatched to the smart city control center, the privacy-preserving ensemble, and UAVs based on their specified preference. In cases where the intrusion is not deemed critical, the algorithm sends alerts exclusively to UAVs, again adhering to their preferred notification method. By employing this approach, the algorithm ensures that relevant entities receive timely notifications tailored to the nature of the intrusion and the specific preferences of UAV operators.
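The two halves of the real-time decision mechanism, blacklist management (Algorithm 8: add a new intrusion or update the existing entry, then return the updated blacklist) and real-time alert provision (Algorithm 9: route by severity and by the operators' global/individual preference), are implemented together below. This is an added example, not code from the paper; the entity identifiers, intrusion type names, timestamps and recipient names are constructed placeholders, and the entry fields kept per blacklisted entity are this example's choice.

```python
from dataclasses import dataclass, field


@dataclass
class Intrusion:
    entity_id: str        # identifier of the offending entity (e.g. a UAV ID or link address)
    intrusion_type: str   # class label from the CNN-LSTM stage (names are placeholders)
    severity: str         # "critical" or "non-critical"
    detected_at: str      # ISO-8601 timestamp of detection
    details: dict = field(default_factory=dict)


class Blacklist:
    """Blacklist management (Algorithm 8): one entry per identified threat."""

    def __init__(self):
        self._entries = {}

    def update(self, intrusion):
        """Add a new intrusion, or merge new information into an existing entry.
        Returns 'added' or 'updated'."""
        entry = self._entries.get(intrusion.entity_id)
        if entry is None:
            self._entries[intrusion.entity_id] = {
                "types": {intrusion.intrusion_type},
                "first_seen": intrusion.detected_at,
                "last_seen": intrusion.detected_at,
                "count": 1,
                "details": dict(intrusion.details),
            }
            return "added"
        entry["types"].add(intrusion.intrusion_type)
        entry["last_seen"] = intrusion.detected_at
        entry["count"] += 1
        entry["details"].update(intrusion.details)
        return "updated"

    def is_blocked(self, entity_id):
        """The check that refuses future interactions with a known threat."""
        return entity_id in self._entries

    def entry(self, entity_id):
        return self._entries.get(entity_id)


def route_alerts(intrusion, uav_ids, preference):
    """Real-time alert provision (Algorithm 9). Critical intrusions go to the
    smart city control center, the privacy-preserving ensemble and the UAVs;
    non-critical ones only to the UAVs. preference is 'global' (one broadcast)
    or 'individual' (one alert per UAV). Returns (recipient, target, message) tuples."""
    if preference not in ("global", "individual"):
        raise ValueError("preference must be 'global' or 'individual'")
    message = (f"{intrusion.severity} {intrusion.intrusion_type} from "
               f"{intrusion.entity_id} at {intrusion.detected_at}")
    alerts = []
    if intrusion.severity == "critical":
        alerts.append(("control_center", "all", message))
        alerts.append(("privacy_ensemble", "all", message))
    if preference == "global":
        alerts.append(("uav", "broadcast", message))
    else:
        alerts.extend(("uav", uav_id, message) for uav_id in uav_ids)
    return alerts


def decide(blacklist, intrusion, uav_ids, preference):
    """One pass of the real-time decision mechanism: record the threat, then alert."""
    status = blacklist.update(intrusion)
    return status, route_alerts(intrusion, uav_ids, preference)


# Constructed sample detections; identifiers, labels and times are placeholders.
SAMPLE_DETECTIONS = [
    Intrusion("uav-07", "type_A", "critical", "2024-01-01T10:00:00Z", {"rssi": -90}),
    Intrusion("uav-07", "type_B", "non-critical", "2024-01-01T10:05:00Z", {"packets": 1200}),
    Intrusion("uav-12", "type_A", "non-critical", "2024-01-01T10:07:00Z"),
]
```

Keeping `first_seen`, `last_seen` and a hit count per entity is what later makes the database's historical record useful for forensic review, and the explicit `ValueError` on an unknown preference prevents a misconfigured operator profile from silently producing no UAV alerts at all.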
3.3.4. Intrusion Detection Database
The database is a crucial component in our proposed model, serving as a central repository for securely storing and managing critical information related to the intrusion detection system (IDS). It plays a pivotal role in efficiently storing preprocessed data collected by the data collector from various sources within the UAV network. These data are critical for the intrusion detection engine's real-time decision-making and for its anomaly detection and classification, which employ the convolutional neural network-long short-term memory (CNN-LSTM) model.
In addition, the database maintains a complete record of all identified intrusions and their types, providing valuable historical references for analysis and auditing. These historical data allow the IDS to fine-tune its anomaly detection algorithms and response tactics, improving the overall efficacy and resilience of the intrusion detection and prevention system. Moreover, the database is critical in blacklist management, which protects the UAV network by preventing future contacts with known dangerous entities or sources of intrusion attempts.
Database Protection: Our proposed model employs a strong multi-factor authentication (MFA) mechanism to ensure the highest level of security for sensitive data and secure system access. The MFA system combines three authentication factors: a username, a password, and facial recognition. In the first layer of authentication, users must provide a unique username and a strong, complex password during the login process. By preventing unauthorized access and protecting against brute-force attacks, this traditional method adds a fundamental level of security. A username and password combination serves as an important security barrier, allowing only authorized users to access the system.
Facial recognition is used as an additional authentication layer in our model to increase security. During the login process, the system uses a camera or an image sensor to capture the user’s facial features. These facial features are then compared to the stored biometric data to confirm the user’s identity. Facial recognition adds a biometric factor to the authentication process, making it extremely difficult for unauthorized users to impersonate legitimate users. This advanced layer of security significantly strengthens the system’s defense against unauthorized access attempts.
By integrating these three authentication factors, multi-factor authentication ensures a robust and secure access control system. Even if an attacker manages to obtain the username and password through phishing or other means, they would still need to pass the facial recognition step, ensuring that only authorized users gain access to the system. As a result, our intrusion detection system (IDS) for unmanned aerial vehicles (UAVs) in the smart-city environment remains protected from potential security breaches and data breaches, upholding data privacy and system integrity.
Algorithm 10 summarizes the database accessibility.
Algorithm 10 Database Accessibility Algorithm with MFA
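The database access check described in this subsection (username and password first, then the facial-recognition factor, with access granted only when every factor passes) is implemented below as an added example; it is not the paper's code. The password factor uses salted PBKDF2-HMAC-SHA256 with a constant-time comparison, which the page does not specify and is this example's choice. The facial-recognition step is represented by a stand-in: a face-recognition model is assumed to turn the captured image into a feature vector, and the vector is accepted when its Euclidean distance to the enrolled template is within an assumed threshold. The user names, passwords, embeddings and threshold are constructed.

```python
import hashlib
import hmac
import math
import os

PBKDF2_ITERATIONS = 600_000       # work factor for the password hash
FACE_DISTANCE_THRESHOLD = 0.6     # assumed decision threshold on embedding distance


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)   # constant-time comparison


def face_matches(captured, enrolled, threshold=FACE_DISTANCE_THRESHOLD):
    """Stand-in for the facial-recognition comparison: the captured feature
    vector (assumed to come from a face-recognition model) matches when its
    Euclidean distance to the enrolled template is within the threshold."""
    distance = math.sqrt(sum((a - b) ** 2 for a, b in zip(captured, enrolled)))
    return distance <= threshold


class UserStore:
    """Minimal credential store: one record per username."""

    def __init__(self):
        self._users = {}
        # A throwaway digest, verified for unknown usernames so that response
        # time does not reveal whether an account exists.
        self._dummy_salt, self._dummy_digest = hash_password(os.urandom(16).hex())

    def enroll(self, username, password, face_embedding):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "face": list(face_embedding)}

    def get(self, username):
        return self._users.get(username)

    def burn_password_check(self, password):
        verify_password(password, self._dummy_salt, self._dummy_digest)


def authenticate(store, username, password, captured_embedding):
    """Database access check (Algorithm 10): every factor must pass.
    Returns (granted, reason). The reason is meant for the audit log; the
    client-facing response should stay generic so it does not reveal which
    factor failed."""
    record = store.get(username)
    if record is None:
        store.burn_password_check(password)
        return False, "unknown_user"
    if not verify_password(password, record["salt"], record["digest"]):
        return False, "bad_password"
    if not face_matches(captured_embedding, record["face"]):
        return False, "face_mismatch"
    return True, "granted"
```

The order of checks matters: the biometric comparison runs only after the password has been verified, so a stolen password alone never gets as far as the face template, and the audit reason distinguishes the failure modes the text describes (wrong credentials versus a failed impersonation attempt at the facial-recognition layer) without exposing that distinction to the caller.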