Temporal-Spatial Feature Extraction in IoT-Based SCADA System Security: Hybrid CNN-LSTM and Attention-Based Architectures for Malware Classification and Attack Detection
This research presents a Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) model developed for malware classification from IoT devices in the SCADA system and for detecting anomalies in the network. The developed model identifies complex attacks in the network by taking advantage...
| Main Authors: | Onur Polat, Ali Ayid Ahmad, Saadin Oyucu, Enes Algul, Ferdi Dogan, Ahmet Aksoz |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE 2025-01-01 |
| Series: | IEEE Access |
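| Subjects: | SCADA; IoT security; malware traffic analysis; critical infrastructures; hybrid deep learning; network intrusion detection |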
| Online Access: | https://ieeexplore.ieee.org/document/11028034/ |
| _version_ | 1850166108895576064 |
|---|---|
| author | Onur Polat, Ali Ayid Ahmad, Saadin Oyucu, Enes Algul, Ferdi Dogan, Ahmet Aksoz |
| author_sort | Onur Polat |
| collection | DOAJ |
| description | This research presents a Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) model developed for malware classification from IoT devices in the SCADA system and for detecting anomalies in the network. The developed model identifies complex attacks in the network by taking advantage of the strengths of CNNs that reveal spatial features and LSTMs that detect temporal dependency. CICIoT 2023 is used as the dataset. Training is performed with the ADAM optimization algorithm and cross-entropy loss to eliminate overfitting. Within the scope of the study, six deep learning architectures are applied and compared (hybrid CNN-LSTM, Non-Local Neural Network (NLNN), Residual Attention Network (RAN), Dual Attention Network (DANet), Transformer-CNN and Attentional CNN). The obtained results show that the proposed CNN-LSTM model outperforms other complex architectures and achieves a high test accuracy of 99.23%. It demonstrates remarkable performance on the precision, recall and F1 evaluation metrics in detecting distributed denial of service (DDoS) and denial of service (DoS) attacks. The proposed model successfully identifies Mirai botnet variants and fragmentation-based attacks. Although other models, Transformer-CNN (98.81%) and DANet (98.07%), provide high performance, they fall behind the superior temporal modeling capabilities of CNN-LSTM. The obtained findings highlight the relative strengths of various deep learning approaches for IoT security applications. The implemented deep learning models reached accuracies exceeding 96%, demonstrating the importance of IoT-based SCADA systems against evolving cyber threats. The study revealed the superior success of deep learning-based approaches for IoT security. |
| format | Article |
| id | doaj-art-1c1e31bae2bc44a783dc248feb608582 |
| institution | OA Journals |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-1c1e31bae2bc44a783dc248feb608582; 2025-08-20T02:21:34Z; eng; IEEE; IEEE Access; 2169-3536; 2025-01-01; vol. 13, pp. 102109-102132; doi 10.1109/ACCESS.2025.3577761; document 11028034. Authors: Onur Polat (https://orcid.org/0000-0001-9313-4910), Ali Ayid Ahmad (https://orcid.org/0000-0002-6031-9414), Saadin Oyucu (https://orcid.org/0000-0003-3880-3039), Enes Algul (https://orcid.org/0000-0003-1281-053X), Ferdi Dogan (https://orcid.org/0000-0002-9203-697X), Ahmet Aksoz (https://orcid.org/0000-0002-2563-1218). Affiliations, in the order given: Department of Computer Engineering, Bingöl University, Bingöl, Türkiye; Department of Electrical Engineering, College of Engineering, University of Kirkuk, Kirkuk, Iraq; Department of Computer Engineering, Faculty of Technology, Gazi University, Ankara, Türkiye; Department of Computer Engineering, Bingöl University, Bingöl, Türkiye; Department of Computer Engineering, Adıyaman Üniversitesi, Adiyaman, Türkiye; Department of Electrical and Electronics Engineering, Kayseri University, Kayseri, Türkiye. |
| title | Temporal-Spatial Feature Extraction in IoT-Based SCADA System Security: Hybrid CNN-LSTM and Attention-Based Architectures for Malware Classification and Attack Detection |
| topic | SCADA; IoT security; malware traffic analysis; critical infrastructures; hybrid deep learning; network intrusion detection |
| url | https://ieeexplore.ieee.org/document/11028034/ |