
MATEC Web of Conferences 392, 01166 (2024) https://doi.org/10.1051/matecconf/202439201166
ICMED 2024

Detection of cyber attacks on IoT based cyber physical systems
G. Anusha1*, Gouse Baigmohammad1 and Uma Mageswari1
1Computer Science and Engineering, Vardhaman College of Engineering, Hyderabad, Telangana,
India.

Abstract. As the integration of Internet of Things (IoT) devices in Cyber-Physical
Systems (CPS) continues to proliferate, ensuring the security of
these interconnected systems becomes paramount. Existing research
work focuses on the development and implementation of a cyber attack
detection system for IoT-based CPS, leveraging Support Vector Machine
(SVM) models. The SVM model, known for its effectiveness in binary
classification tasks, is trained on historical data to distinguish between
normal and malicious behavior patterns exhibited by IoT devices within
the CPS. The SVM model is trained to learn the normal behavior of the
system, enabling it to identify deviations indicative of cyber attacks. Real-
world experiments and simulations demonstrate the efficacy of the SVM-
based detection system in identifying various types of cyber threats.
However, this research also acknowledges certain limitations. The SVM
model's performance may be impacted by the dynamic and evolving nature
of cyber threats, as it relies heavily on historical data for training,
which leads to detection accuracy issues. To address the limitations of the
present cyber threat detection model, this research work proposes a novel deep
learning based CNN model. The proposed model improves cyber attack
detection and performance metrics, and it outperforms the previous model.
Performance is measured in terms of accuracy, precision, recall and F1-score.

Keywords - Internet of Things, Cyber Physical Systems, Cyber Attacks, Machine Learning, Deep Learning

1 Introduction
In recent years, the Internet of Things (IoT) has become increasingly pervasive in the
real world. Concerns about the security and privacy of networks are growing, with a
heightened emphasis on system safety measures due to the expanding role of information
technology in daily life. The evolution of various Internet applications and the emergence
of advanced technologies, such as the Internet of Things (IoT), have sparked new endeavors
aimed at compromising machine networks and computer systems. The IoT, comprising
interconnected objects and smart devices operating without direct human intervention, has
witnessed a surge in development. Many smart IoT devices are equipped with sensors that
facilitate internet connectivity, enabling the exchange of information across various nodes,
spanning applications in healthcare, agriculture, transportation, and more [1]. The
deployment of IoT devices is driven by the desire to streamline processes, conserve time
and resources, and revolutionize work practices. The IoT not only offers numerous
advantages but also presents extensive possibilities for information exchange,
customization, and expansion.

* Corresponding author: [email protected]

© The Authors, published by EDP Sciences. This is an open access article distributed under the terms of the Creative
Commons Attribution License 4.0 (https://creativecommons.org/licenses/by/4.0/).

Security threats are pervasive on the internet and within the Internet of Things (IoT), as the
cyberspace serves as the central hub for IoT systems. Unlike the traditional internet, IoT
junctions face limitations in terms of capacity and resources, often relying on manual
commands. The rapid integration of IoT smart devices into daily life has made it
challenging to identify and address IoT security issues, necessitating the implementation of
network-based security solutions[2]. While modern techniques are employed to detect
certain cyber attacks, the identification of others remains a more formidable challenge. The
escalating prevalence of network cyber-attacks emphasizes the need for more advanced and
efficient techniques in cyber attack detection. Machine Learning algorithms are
instrumental in enhancing the intelligence of IoT networks, with Machine Learning (ML)
recognized as a powerful computational model. ML methods find applications in various
network security tasks, including intrusion detection, network traffic analysis, and botnet
recognition, thereby contributing significantly to the improvement of network safety.
Machine Learning (ML) can be defined as the capacity of an intelligent device to adapt its
behavior and state based on acquired knowledge, constituting a crucial component of
solutions within the Internet of Things (IoT) paradigm. ML has the capability to extract
valuable insights from both machine-generated and human-generated data, enabling its
application in diverse tasks like classification and regression. Furthermore, ML plays a
significant role in providing security services within IoT networks[3]. The use of ML in
addressing challenges related to cyber attack detection has emerged as a prominent and
evolving area, contributing to various applications in the cybersecurity domain. While
several research studies have employed ML methods to identify effective techniques for
detecting threats, limited groundwork exists specifically tailored to the unique
characteristics of IoT environments within the broader field of cyber-physical systems.
Machine Learning (ML) can be employed for the task of cyber attack detection through two
primary categories of cyber-analysis: misuse-based techniques, utilizing signatures, and
anomaly-based techniques. Misuse-based methods aim to identify known cyber attacks by
analyzing specific properties within cyber traffic, often referred to as "signatures" in
contemporary cyber-attacks. Detection using these methods offers advantages, such as the
ability to identify recognized cyber attacks accurately without generating a significant
number of false positives[4].

2 Literature Review
Manal Abdullah Alohali et al. [5]: In the pursuit of facilitating remote access, surveillance,
and analysis, Cyber-Physical Systems (CPSs) commonly integrate networks, making them
susceptible to cyber attacks arising from the presence of insecure networking devices. The
violation of internet security by attackers can disrupt system functions, resulting in severe
consequences. The integration of Fog with the Internet of Things (IoT) presents a potential
solution, enabling quicker attack detection compared to cloud-based CPS. However, the
detection of attacks in CPS remains challenging due to targeted efforts by cybercriminals,
intensifying the difficulty of identification. This paper introduces a novel swarm-based
feature selection algorithm, Enhanced Chicken Swarm Optimization (ECSO), designed to
enhance attack detection in an IoT-based CPS environment. The algorithm incorporates
self-learning abilities for feature selection from preprocessed data, and the selected features
are utilized by ensemble classifiers executed in the cloud. While the proposed ECSO-based
ensemble classifier demonstrates promising performance against the NSL-KDD dataset, it
is crucial to acknowledge limitations, including potential dataset-specific effects and the
need for further exploration of real-world implementation and scalability in diverse CPS
scenarios.
Surjeet Dalal et al. [6]: The Internet of Things (IoT) has become an integral part of
daily life with billions of connected devices, yet this interconnectedness also exposes
IoT systems to an escalating number of cyber threats. This paper presents a next-
generation cyber attack prediction framework tailored for IoT systems. Leveraging multi-
class support vector machine (SVM) and improved CHAID decision tree machine learning
methods, the framework aims to enhance the categorization of various types of attacks
within IoT traffic. The SVM model classifies IoT traffic, and its optimization is achieved
through the CHAID decision tree, emphasizing the most relevant attributes for attack
categorization. Despite the framework's success in accurately categorizing attacks, certain
limitations need consideration. The generalizability of the proposed technique may be
influenced by the specifics of the real-world dataset used, and further exploration across
diverse datasets is essential. Additionally, the framework's performance in dynamic and
evolving cyber threat landscapes remains a subject for investigation. While the approach
focuses on network traffic characteristics as indicators of cybersecurity threats in IoT
networks, the adaptability and scalability of the proposed technique should be thoroughly
assessed in real-world IoT environments.
Hamid Al-Hamadi et al. [7] introduce a methodology for capturing and analyzing the
dynamic interplay between attack and defense strategies in intrusion detection within an
autonomous distributed Internet of Things (IoT) system. In their approach, each node is
actively engaged in lightweight intrusion detection of its neighboring target node. Good
nodes adopt defense strategies to protect the system, while bad nodes employ attack
strategies to achieve their objectives. Their analytical model, based on Stochastic Petri Net
(SPN) modeling techniques, facilitates the formulation of optimal defense strategies by
good nodes to maximize the system lifetime, considering a set of parameter values
characterizing the operational environment of the distributed IoT system. Despite the
success in demonstrating how intrusion detection system (IDS) defense mechanisms can
counter malicious attacks under the ADIoTS system using a dataset from a reference
autonomous distributed IoT system with 128 sensor-carrying mobile nodes, limitations
exist. The generalization of findings may be influenced by the specifics of the experiment
dataset, and further exploration across diverse datasets is necessary. Additionally, the
robustness of the proposed methodology in addressing various failure conditions requires
further investigation to enhance its applicability in real-world IoT environments.
Keval Doshi et al. [8] address the inherent security risks in Internet of Things (IoT)
networks, where the proliferation of sensors, actuators, and various connected devices
poses a significant threat to both Internet services and cyber-physical systems linked to
the Internet. The
existing vulnerabilities in billions of IoT devices make them susceptible to compromise,
particularly in the context of emerging threats such as the Mongolian Distributed Denial of
Service (DDoS) attack, characterized by its widely distributed nature and small attack size
from each source. The proposed anomaly-based Intrusion Detection System (IDS) aims to
timely detect and mitigate this stealthy form of DDoS attack. However, certain limitations
must be acknowledged. The generalizability of the proposed IDS may be influenced by the
specifics of the experiments, and further exploration across diverse scenarios and datasets
is necessary. Additionally, while the proposed IDS demonstrates effectiveness in detecting
and mitigating stealthy DDoS attacks with very low attack sizes per source, real-world
implementation and scalability considerations remain areas for further investigation.
Prabhakar Krishnan et al. [9]: In response to the growing prominence of Internet of
Things (IoT) devices in contemporary networks and Industry 4.0, this study introduces a
software-defined framework aimed at enhancing network intrusion detection systems
through the incorporation of manufacturer usage description (MUD) for improved
behavioral monitoring in IoT networks. The goal is to investigate whether Industrial IoT
(IIoT) devices, common in cyber-physical systems, exhibit predictable communication
patterns that can be formally defined in MUD profiles. The framework leverages digital
twins and software-defined networking to fortify the security of IIoT environments,
profiling MUD data and evaluating actions on the network digital twin before
implementation in the physical network. While the proposed system demonstrates
significant advancements in attack detection accuracy, incident prediction, response time,
and resource usage compared to existing approaches, certain limitations must be
acknowledged. The efficacy of the framework may be influenced by specific IIoT
deployment scenarios and network configurations, necessitating further validation across
diverse environments. Additionally, real-world implementation challenges and scalability
considerations need to be addressed for comprehensive applicability.

3 Proposed Methodology

3.1 Problem Statement

The main problem addressed in this research is the evolving nature of cyber threats in IoT-
based Cyber-Physical Systems (CPS) and the limitations associated with the existing cyber
attack detection system that relies on Support Vector Machine (SVM) models. While the
SVM model has shown effectiveness in binary classification tasks and has been trained on
historical data to identify normal and malicious behavior patterns in IoT devices, its
performance is impacted by the dynamic and evolving nature of cyber threats. This leads to
issues in detection accuracy. To address these limitations, the research proposes a novel
deep learning-based Convolutional Neural Network (CNN) model for cyber threat
detection in IoT-based CPS. The goal is to improve the overall performance metrics,
including accuracy, precision, recall, and f1-score, thereby enhancing the system's ability to
detect and mitigate a broader range of cyber threats.

4 Deep Learning CNN Model


4.1 Data Collection and Pre-process


In IoT security applications, including cyber attack detection systems, the use of neural
networks is increasing rapidly to make the detection of anomalous activities more accurate
and robust.

Fig 1 - Architecture of Proposed Model


The first block covers data collection and processing, a process often referred to as
data engineering. This step is critical for a successful learning process.
Data processing has three steps, namely cleaning, normalization and feature selection. The
feature selection process is conducted using a filter-based method inspired by the ML
algorithm for generating feature importance scores.

4.2 Feature Selection


In the feature selection process for the UNSW-NB15 dataset, initial steps involve
understanding the dataset, addressing missing values, and conducting exploratory data
analysis. Correlation analysis is performed to identify and eliminate redundant features,
while tree-based models assess feature importance. Filter methods, including correlation-
based selection, and wrapper methods like Recursive Feature Elimination are employed to
iteratively choose the most relevant features. Domain knowledge is considered for manual
inclusion or exclusion of features. Cross-validation ensures the stability of feature
importance rankings, and machine learning models are trained and evaluated iteratively
with the selected features, refining the subset for optimal performance in network intrusion
detection tasks.
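
The three preprocessing steps from Section 4.1 (cleaning, normalization, filter-based selection) combined with the correlation-based redundancy elimination described here, as an added example that is not the authors' code. It uses the absolute Pearson correlation with the label as the relevance score in place of a model-derived importance score; the thresholds, function names and sample records are assumptions constructed for illustration.

```python
import math

# Constructed flow records with UNSW-NB15-style column names; all values are made up.
COLUMNS = ["dur", "spkts", "sbytes", "sttl", "is_sm_ips_ports", "label"]
ROWS = [
    (0.5, 40, 2400, 31, 0, 0),
    (0.1, 12, 600, 31, 0, 0),
    (0.9, 30, 1850, 62, 0, 0),
    (0.3, 36, 2200, 254, 0, 0),
    (0.4, 4, 250, 254, 0, 1),
    (0.8, 6, 340, 254, 0, 1),
    (0.2, 2, 130, 254, 0, 1),
    (0.6, 28, 1900, 62, 0, 1),
    (0.7, 5, None, 254, 0, 1),  # missing sbytes: removed by clean()
]


def clean(rows):
    """Cleaning step: drop records that contain a missing value."""
    return [r for r in rows if all(v is not None for v in r)]


def min_max(column):
    """Normalization step: scale to [0, 1]; None signals a constant column."""
    lo, hi = min(column), max(column)
    if hi == lo:
        return None
    return [(v - lo) / (hi - lo) for v in column]


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length, non-constant columns."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy)


def select_features(rows, columns, min_relevance=0.3, max_redundancy=0.9):
    """Filter-based selection; both thresholds are assumed values."""
    rows = clean(rows)
    label = [r[columns.index("label")] for r in rows]
    report, scaled = {}, {}
    for i, name in enumerate(columns):
        if name == "label":
            continue
        col = min_max([r[i] for r in rows])
        if col is None:
            report[name] = "dropped: constant"  # carries no information
        else:
            scaled[name] = col
    relevance = {n: abs(pearson(c, label)) for n, c in scaled.items()}
    selected = []
    # Visit features from most to least relevant; keep one only if it is not
    # nearly collinear with a feature that has already been kept.
    for name in sorted(relevance, key=relevance.get, reverse=True):
        if relevance[name] < min_relevance:
            report[name] = "dropped: low relevance"
            continue
        twin = next((k for k in selected
                     if abs(pearson(scaled[name], scaled[k])) >= max_redundancy), None)
        if twin is not None:
            report[name] = f"dropped: redundant with {twin}"
        else:
            selected.append(name)
            report[name] = "kept"
    return selected, report, scaled


if __name__ == "__main__":
    chosen, why, _ = select_features(ROWS, COLUMNS)
    print(chosen)
    for feature, reason in why.items():
        print(f"{feature:16s} {reason}")
```

Min-max scaling does not change Pearson correlation, so the ranking here is the same with or without it; the scaled columns matter for the model that consumes the selected features.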

4.3 Proposed CNN Model


For the task of cyber attack detection using the UNSW-NB15 dataset, a Convolutional Neural
Network (CNN) model is designed to automatically learn hierarchical features from
network traffic data. The input to the CNN comprises the relevant features extracted from
the UNSW-NB15 dataset, representing network activities. The architecture typically
includes convolutional layers to capture spatial patterns in the data, followed by pooling
layers for dimensionality reduction. Additional fully connected layers enable the network to
learn intricate relationships between features. The proposed model is trained using a
labeled dataset to distinguish normal network behavior from cyber attacks. To enhance
generalization, techniques such as dropout and batch normalization may be employed. The
performance is evaluated on a separate test set, and fine-tuning can be performed based on
the results. The CNN-based approach leverages the inherent capabilities of deep learning to
automatically discern patterns in network traffic data, making it well-suited for effective
cyber attack detection in the context of the IoT network cyber physical systems.

5 Result Analysis

5.1 Environment Details

To implement a Convolutional Neural Network (CNN) model for cyber attack
detection using the UNSW-NB15 dataset in Python, a comprehensive environment can be
set up. Utilizing popular libraries like TensorFlow or PyTorch for deep learning, along with
scikit-learn for data preprocessing and evaluation, establishes a robust foundation. Pandas
can be employed to handle and manipulate the dataset, while Matplotlib or Seaborn aids in
visualizing key insights. Jupyter Notebooks provide an interactive environment for
development and experimentation. Additionally, tools such as Anaconda or virtual
environments help manage dependencies. Lastly, leveraging specialized packages like
Keras for high-level neural network abstractions streamlines CNN model implementation.
This combined Python environment offers flexibility, scalability, and ease of use,
facilitating the seamless creation, training, and evaluation of CNN models for cyber attack
detection using the UNSW-NB15 dataset.

5.2 Comparative Analysis

The UNSW-NB15 dataset is a comprehensive cyber attacks dataset designed for evaluating
and developing cyber attacks detection systems. It encompasses a diverse range of network
attacks, totaling nine different types, such as Denial of Service (DoS), worms, Backdoors,
and Fuzzers. These attacks represent various cyber threats that can compromise network
security. The dataset is particularly valuable for training and testing cyber detection models
due to its inclusion of raw network packets, providing a detailed representation of network
traffic patterns during both normal and attack scenarios. In terms of dataset size, the
training set consists of 175,341 records, allowing for extensive model training, while the
testing set comprises 82,332 records. The inclusion of both attack and normal instances in
the dataset enables the development of robust intrusion detection models capable of
accurately distinguishing malicious activities from regular network behavior. Researchers
and practitioners can leverage this dataset to explore and implement advanced machine
learning and deep learning techniques for the detection and classification of network
intrusions, contributing to the enhancement of cybersecurity measures.

5.3 Performance Metrics


For the performance evaluation of a Convolutional Neural Network (CNN) model on the
UNSW-NB15 dataset for network intrusion detection, several key performance metrics are
commonly used to assess the model's effectiveness. These metrics provide insights into
how well the model is able to distinguish between different classes (attack and normal) and
its overall generalization capabilities. Some of the standard performance metrics include:
Accuracy
The proportion of correctly classified instances, calculated as (True Positives + True
Negatives) / Total.
Precision
The ability of the model to correctly identify instances of a specific class (e.g.,
attacks), calculated as True Positives / (True Positives + False Positives).
Recall
The ability of the model to capture all instances of a specific class, calculated as True
Positives / (True Positives + False Negatives).
F1-Score
The harmonic mean of precision and recall, providing a balanced measure of a
model's performance, calculated as 2 * (Precision * Recall) / (Precision + Recall).
Table 1 Performances Comparison

Algorithm Name   Accuracy (%)   Precision (%)   Recall (%)   F-Score (%)
SVM              86.01          87.66           80.08        82.44
CNN              99.45          99.35           99.39        99.37

The "Accuracy" column represents the overall proportion of correctly classified instances,
where the CNN outperforms the SVM significantly with an accuracy of 99.45% compared
to 86.01%. "Precision" reflects the model's ability to correctly identify instances of a
specific class, and the CNN demonstrates superior precision at 99.35% compared to SVM's
87.66%. "Recall" (or sensitivity) measures the ability to capture all instances of a particular
class, where CNN excels with a recall of 99.39% compared to SVM's 80.08%. Lastly, the
"F-Score" column, which considers both precision and recall, underscores the CNN's
overall strong performance at 99.37% compared to SVM's 82.44%. The table succinctly
illustrates the superior intrusion detection capabilities of the CNN algorithm on the UNSW-
NB15 dataset.
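
The four metric formulas from Section 5.3, extended from the binary attack/normal case to several attack categories, as an added example that is not the authors' code. It computes per-class, macro-averaged and collapsed binary metrics from a confusion matrix and treats a zero denominator as 0.0; the counts and function names are constructed for illustration.

```python
# Constructed confusion counts: CONFUSION[true_class][predicted_class].
# Class names are attack categories named on this page; the counts are made up.
CONFUSION = {
    "Normal":  {"Normal": 90, "DoS": 5, "Fuzzers": 5},
    "DoS":     {"Normal": 10, "DoS": 40},
    "Fuzzers": {"Normal": 10, "DoS": 10, "Fuzzers": 30},
    "Worms":   {"Normal": 3, "DoS": 2},  # rare class that is never predicted
}


def safe_div(num, den):
    """num / den, or 0.0 when the denominator is zero (class absent or never predicted)."""
    return num / den if den else 0.0


def f1(precision, recall):
    """Harmonic mean of precision and recall."""
    return safe_div(2 * precision * recall, precision + recall)


def per_class_metrics(confusion):
    """One-vs-rest precision, recall and F1 for every class."""
    classes = list(confusion)
    out = {}
    for c in classes:
        tp = confusion[c].get(c, 0)
        fn = sum(confusion[c].values()) - tp
        fp = sum(confusion[t].get(c, 0) for t in classes if t != c)
        p, r = safe_div(tp, tp + fp), safe_div(tp, tp + fn)
        out[c] = {"precision": p, "recall": r, "f1": f1(p, r)}
    return out


def accuracy(confusion):
    """Share of records whose predicted class equals the true class."""
    total = sum(sum(row.values()) for row in confusion.values())
    correct = sum(row.get(c, 0) for c, row in confusion.items())
    return correct / total


def macro(per_class, key):
    """Unweighted mean of one metric over all classes."""
    return sum(m[key] for m in per_class.values()) / len(per_class)


def binary_view(confusion, negative="Normal"):
    """Collapse every attack category into one positive class (attack vs. normal)."""
    tp = fp = fn = tn = 0
    for true, row in confusion.items():
        for pred, n in row.items():
            if true != negative and pred != negative:
                tp += n  # attack flagged as some attack, category may be wrong
            elif true != negative:
                fn += n  # attack classified as normal
            elif pred != negative:
                fp += n  # normal traffic flagged as attack
            else:
                tn += n
    p, r = safe_div(tp, tp + fp), safe_div(tp, tp + fn)
    return {"accuracy": (tp + tn) / (tp + tn + fp + fn),
            "precision": p, "recall": r, "f1": f1(p, r)}


if __name__ == "__main__":
    pc = per_class_metrics(CONFUSION)
    for name, m in pc.items():
        print(name, {k: round(v, 4) for k, v in m.items()})
    print("multi-class accuracy", round(accuracy(CONFUSION), 4))
    print("macro F1", round(macro(pc, "f1"), 4))
    print("binary view", {k: round(v, 4) for k, v in binary_view(CONFUSION).items()})
```

With these counts the macro F1 (about 0.575) is lower than 2PR/(P+R) computed from the macro precision and recall (about 0.582), so a reported row should state which averaging it uses.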


[Figure: "Performance Comparison" chart for SVM and CNN; x-axis: Performance Metrics (Accuracy, Precision, Recall, F-Score)]

Fig 2 Performance Comparison Model

Each algorithm is represented by a distinct color or pattern on the graph. The x-axis denotes
the different evaluation metrics (Accuracy, Precision, Recall, F-Score), while the y-axis
represents the corresponding metric values as percentages. Vertical bars or line plots for
SVM and CNN highlight the values for each metric, providing a clear visual comparison of their
performance. The graph visually emphasizes the substantial superiority of the CNN
algorithm across all metrics, particularly showcasing its remarkable accuracy, precision,
recall, and F-score compared to SVM. This visual representation facilitates a quick and
comprehensive understanding of the algorithms' relative strengths in the context of
intrusion detection on the UNSW-NB15 dataset.

6 Conclusion
The integration of Internet of Things (IoT) devices into Cyber-Physical Systems (CPS)
highlights the critical need for robust cyber attack detection systems. The existing research
has focused on leveraging Support Vector Machine (SVM) models for this purpose,
demonstrating their effectiveness in binary classification tasks through training on
historical data. This SVM-based system proves successful in identifying various cyber
threats in both real-world experiments and simulations. However, the research
acknowledges the limitations inherent in the SVM model, particularly its susceptibility to
the dynamic nature of evolving cyber threats and accuracy issues related to historical data
reliance. In response to these challenges, the current study proposes a novel deep learning-
based Convolutional Neural Network (CNN) model. The proposed model aims to enhance
cyber attack detection and performance metrics, outperforming the previous SVM-based
approach. Performance metrics such as accuracy, precision, recall, and F1-score are used to
evaluate the proposed model, demonstrating its superiority and addressing the limitations of
the existing cyber threat detection model. This shift towards a deep learning approach
represents a promising advancement in strengthening the security of IoT-based CPS,
offering improved adaptability and efficacy in the face of evolving cyber threats.

References
1. Malathi, C. and Padmaja, I.N., 2023. Identification of cyber attacks using machine
learning in smart IoT networks. Materials Today: Proceedings, 80, pp.2518-2523.
2. Jahromi, A.N., Karimipour, H., Dehghantanha, A. and Choo, K.K.R., 2021. Toward
detection and attribution of cyber-attacks in IoT-enabled cyber–physical systems. IEEE
Internet of Things Journal, 8(17), pp.13712-13722.
3. Koroniotis, N., Moustafa, N., Sitnikova, E. and Turnbull, B., 2019. Towards the
development of realistic botnet dataset in the internet of things for network forensic
analytics: Bot-iot dataset. Future Generation Computer Systems, 100, pp.779-796.
4. Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Shabtai, A., Breitenbacher, D. and
Elovici, Y., 2018. N-baiot—network-based detection of iot botnet attacks using deep
autoencoders. IEEE Pervasive Computing, 17(3), pp.12-22.
5. Alohali, M.A., Elsadig, M., Al-Wesabi, F.N., Al Duhayyim, M., Hilal, A.M. and
Motwakel, A., 2023. Swarm intelligence for IoT attack detection in fog-enabled cyber-
physical system. Computers and Electrical Engineering, 108, p.108676.
6. Dalal, S., Lilhore, U.K., Faujdar, N., Simaiya, S., Ayadi, M., Almujally, N.A. and
Ksibi, A., 2023. Next-generation cyber attack prediction for IoT systems: leveraging
multi-class SVM and optimized CHAID decision tree. Journal of Cloud Computing,
12(1), p.137.
7. Al-Hamadi, H., Chen, R., Wang, D.C. and Almashan, M., 2020. Attack and defense
strategies for intrusion detection in autonomous distributed IoT systems. IEEE Access,
8, pp.168994-169009.
8. Doshi, K., Yilmaz, Y. and Uludag, S., 2021. Timely detection and mitigation of
stealthy DDoS attacks via IoT networks. IEEE Transactions on Dependable and Secure
Computing, 18(5), pp.2164-2176.
9. Krishnan, P., Jain, K., Buyya, R., Vijayakumar, P., Nayyar, A., Bilal, M. and Song, H.,
2021. MUD-based behavioral profiling security framework for software-defined IoT
networks. IEEE Internet of Things Journal, 9(9), pp.6611-6622.
