
Hybrid Chain Blockchain Enabled Framework For Bi-Level Intrusion Detection and Graph-Based Mitigation For Security Provisioning in Edge Assisted IoT Environment

This document proposes the HybridChain-IDS framework, which includes four processes: 1) time-based authentication using a hashing algorithm, 2) user scheduling and access control using an optimization algorithm and smart contracts, 3) bi-level intrusion detection using a deep learning method to extract features and classify traffic, and 4) attack graph generation and risk assessment using a machine learning algorithm to identify attack paths and take mitigation measures based on risk level. The framework uses a hybrid blockchain-Trusted Execution Environment design and aims to improve IoT network security, detection accuracy, and timely mitigation compared to existing works.

Received 11 January 2023, accepted 3 March 2023, date of publication 10 March 2023, date of current version 22 March 2023.

Digital Object Identifier 10.1109/ACCESS.2023.3256277

Hybrid Chain: Blockchain Enabled Framework for Bi-Level Intrusion Detection and Graph-Based Mitigation for Security Provisioning in Edge Assisted IoT Environment

AHMED A. M. SHARADQH 1, HAZEM ABDEL MAJID HATAMLEH 2, AS’AD MAHMOUD AS’AD ALNASER 2, SAID S. SALOUM 3, AND TAREQ A. ALAWNEH 1
1 Electrical Engineering Department, Al-Balqa Applied University, Amman 11134, Jordan
2 Applied Science Department, Al-Balqa Applied University, Ajloun 26824, Jordan
3 Computer Engineering and Networks Department, Jouf University, Sakaka 42421, Saudi Arabia

Corresponding author: Ahmed A. M. Sharadqh ([email protected])

ABSTRACT Internet of Things (IoT) is an emerging technology, and its applications are flourishing among many users because it makes everything easier. As a consequence of its massive growth, security and privacy are becoming crucial issues, as IoT devices are perpetually vulnerable to cyber-attacks. To overcome this issue, intrusion detection and mitigation are performed, which enhances security in IoT networks. In this paper, we propose a blockchain-entrenched bi-level intrusion detection and graph-based mitigation framework named HybridChain-IDS. The proposed work comprises four sequential processes: time-based authentication, user scheduling and access control, bi-level intrusion detection, and attack graph generation. Initially, we perform time-based authentication to authenticate legitimate users using the NIK-512 hashing algorithm; the password and registered time are stored in Hybridchain, an assimilation of blockchain and Trusted Execution Environment (TEE) that enhances data privacy and security. After that, we perform user scheduling using the Cheetah Optimization Algorithm (COA), which reduces complexity, and access control is then provided to authorized users by smart contract, considering their trust and permission level. Then, we accomplish bi-level intrusion detection using ResCapsNet, which extracts sufficient features and classifies effectively. Finally, the risk of the attack is evaluated, and attack graphs are then generated by employing an Enhanced k-nearest neighbor (KNN) algorithm to identify the attack path. Furthermore, countermeasures are taken based on the attack risk level, and the attack graph is stored in Hybridchain for eventual attack prediction. The proposed work is implemented in the network simulator NS-3.26, and the performance of the proposed HybridChain-IDS is evaluated based on various performance metrics.

INDEX TERMS IoT network security, hybrid chain, access control, intrusion detection system (IDS), attack
graph generation, deep learning method.

The associate editor coordinating the review of this manuscript and approving it for publication was Hang Shen.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/

I. INTRODUCTION
In recent years, the Internet of Things (IoT) has proliferated massively. Real-time systems built on IoT are known as Cyber-Physical Systems (CPS) [1]. The IoT is defined as distributed internet connections over smart devices for various real-time applications in which many smart sensors play a major part. It is estimated that the usage of IoT devices will increase to 500 billion by 2025 and beyond. Applications associated with the adoption of IoT include civilian purposes, smart agriculture, detection and tracking of objects, etc. [2], [3], [4]. Even though IoT technology is likely to be applied in various fields, since its development security is considered
as a major problem. Security threats to IoT devices can drastically affect QoS and lead to theft of users’ valuable private information [5]. To overcome these security issues, many existing works have researched IoT security.
Security measures taken by existing works include authentication, access control methods, deployment of firewalls, and trust computation of users, etc. [6]. Although these methods provide security, their lack of considerable intelligence leads to poor detection. In addition, the existing works were limited to any one of these methods, which also increases the security threats. To provide a strong detection and defense mechanism suitable for large-scale dynamic environments, Intrusion Detection Systems (IDS) for IoT are used [7], [8]. The IDS is considered an effective tool for IoT that can handle a large number of real-time flows and can detect and mitigate flows according to their nature (i.e. normal or malicious). IDSs can be classified into two types [9]:

• Signature-based Intrusion Detection System
• Anomaly-based Intrusion Detection System

Many existing works adopted signature-based IDS for IoT by training the tool with real-time datasets such as UNSW-NB15, DAS-CIDS, NSL-KDD, CIDDS-001, etc. [10], [11]. However, signature-based IDSs are limited to detecting only known attack patterns while missing unknown attack patterns, which leads to poor security. Besides, anomaly-based IDS is also adopted by many existing works for detecting unknown attack patterns [12]. However, the features used for anomalous traffic detection by the existing works were not very effective, which also leads to poor security. Artificial Intelligence (AI) algorithms such as Machine Learning (ML) and Deep Learning (DL) algorithms play a major part in IDS [13], [14]. However, the adoption of conventional algorithms suffers from high complexity and poor speed. In some works, blockchain technologies are adopted along with AI algorithms, but the conventional blockchain structure limits scalability [15]. To address the existing issues, the proposed work adopts a robust IDS mitigation mechanism for IoT using advanced DL and blockchain technology.

A. AIM AND OBJECTIVES
The main aim of this research is to provide security in the IoT environment by performing bi-level intrusion detection and alert generation. In addition, the research identifies the problems of security scarcity, false alarm rate and poor countermeasures. The main objective of this research is to provide security by implementing an intrusion detection system with low computational time and high accuracy. The remaining objectives of this research are as follows:
• To enhance security in IoT, authentication is performed to authenticate legitimate users, and access control is provided to preserve data privacy by considering the access policy generated from their attributes and role.
• To improve intrusion detection accuracy, bi-level intrusion detection is performed to detect malicious traffic in the network by extracting the significant features.
• For timely detection and mitigation, risk assessment is evaluated and attack graphs are generated to detect attacks in advance, and attack paths are evaluated from the attack graph for alert generation.

B. RESEARCH MOTIVATION
To provide security in IoT, many existing works perform intrusion detection and alarm generation to reduce the malicious traffic in the network and the severity level of attacks, but they suffer from a lack of detection accuracy, network security scarcity, and poor mitigation and risk assessment. We are motivated to solve the existing problems, described as follows:

i. Lack of Security: Most existing works do not provide any access control for legitimate users, and some existing works grant all kinds of access to legitimate users, which leads to security breaches and data privacy scarcity. In addition, the users’ data were stored in a cloud server that attackers can easily access, which leads to security breaches.
ii. High False Positive Rate: Several existing works categorize the type of attack by considering only limited features (i.e. statistical features), which leads to high false positives. In addition, all the existing works classify the user’s traffic as normal or abnormal; suspicious packets therefore fall into either normal or malicious, which also leads to a high false positive rate.
iii. Poor Mitigation & Risk Assessment: After attack detection, in many existing works the countermeasure (i.e. alert generation) was not taken, and in most works alert generation was performed randomly, which leads to poor mitigation. In addition, risk assessment was not evaluated to determine the attack severity level, and the network was unaware of the severity level.

C. RESEARCH CONTRIBUTION
In this paper, we propose the HybridChain-IDS framework for enhancing security in IoT networks by performing intrusion detection. The contributions of this research are as follows:
• First, we perform time-based authentication using NIK-512 to authenticate legitimate users through the Trust Authority (TA), which displays the user’s registered time and then provides a security key to the user by acquiring the password and registered time. Then, the user account is blocked after more than three failed attempts. Moreover, the registered time and password are stored in hash format in HybridChain, an integration of TEE and blockchain that improves network scalability and data privacy.
• Second, before access control is granted, the authenticated users are scheduled based on numerous
parameters (delay, throughput, resource energy and priority) using the Cheetah Optimization Algorithm (COA), which reduces the complexity. Then access control is provided by smart contract to the authorized users based on their trust and permission level.
• Third, we implement effective bi-level intrusion detection using sufficient features, where the suspicious packets are examined again to identify whether they are normal or malicious, which helps to enhance network security.
Finally, risk assessment is evaluated to analyse the impact of the attacks, and the attack graph is constructed to identify the attack path. After that, risk-based countermeasures are taken to strengthen network security, and the attack graph is stored in Hybridchain for eventual attack prediction. Furthermore, the network is refreshed and reconstructed to prevent packet loss.

D. PAPER ORGANIZATION
This paper is further organized into several sections, defined as follows. Section II presents the existing research works and their limitations. Section III describes the major problems faced in intrusion detection in IoT. Section IV illustrates the proposed HybridChain-IDS research methodology, which encompasses mathematical equations, pseudocode and algorithm workflows. Section V describes the simulation setup, the comparison of the simulation results and the research summary of the proposed work. Section VI concludes the HybridChain-IDS framework.

II. LITERATURE REVIEW
In this section, the existing works associated with the proposed HybridChain-IDS framework are summarized. In addition, the section identifies several research gaps and their limitations. This section is further categorized into three subdivisions, as follows.

A. INTRUSION DETECTION SYSTEM USING MACHINE LEARNING
In work [16], the author proposed a method for anomaly detection using traffic features in IoT networks. Initially, the IoT gateway-centric security monitoring system collects the IoT device traffic in a centralized location. The TCPdump and Wireshark packet analyzers were used to capture the traffic data, and the information entropy was then extracted from the traffic data. The Naive Bayes (NB) algorithm was used for extracting the statistical features and for classification into two classes, benign and malicious. Finally, the module cut off communication with the infected node, and an alert notification was sent to other users. However, authentication was not performed, so all users are considered legitimate users, which affects network security. Two-level anomaly detection based on flow features in IoT networks was proposed in [17]. Initially, TCPdump and Wireshark are used for analyzing the network flow, and the flow-based features are then extracted from the network flow. Based on the flow features, the Decision Tree (DT) algorithm was used for binary classification into normal and malicious. Finally, the types of attack, such as brute force, heartbleed, botnet, DOS and DDOS, are classified by Random Forest (RF) from the malicious network flow. However, the Random Forest used for categorizing the attack types generates a large number of trees while training the attack detection model, which leads to high complexity. In work [18], the author proposed a security model for smart monitoring and attack detection. Initially, every device in the IoT network is registered with an edge device, and the authentication mechanism then proceeds based on the query, time and location. After that, JnetPcap was utilized to capture the network packets and decode them; subsequently, feature extraction was performed by PcapWT. Classification was performed by Support Vector Machine (SVM), Artificial Neural Network (ANN) and Decision Tree (DT), which classify the traffic into malignant and benign. Finally, the malignant traffic was categorized into DOS, DDOS and Botnet, and the alert was then generated. However, the edge device was authenticated by considering only the query, time and location, which are insufficient to estimate its legitimacy, and this affects the network security level.

B. INTRUSION DETECTION SYSTEM USING MACHINE LEARNING
An adversarial attack detection model with only black-box access in the IoT network was proposed in [19]. Initially, the raw packets are collected and the relevant information (i.e. IP address, MAC address, port, packet size and packet timestamp) is extracted using NFQueue and Tshark. The temporal statistics are calculated, and the statistical features are extracted and clustered to form a feature map by the Monte-Carlo method. Finally, three-layer auto-encoders are integrated to learn the behaviours of each cluster and classify the traffic into normal and malicious. However, all users are considered legitimate users, so the malicious traffic in the network will increase due to the presence of illegitimate users, which leads to security breaches. In work [20], the author proposed a lightweight method for intrusion detection in the IoT environment. Initially, all types of access control were given to every legitimate user to access the data. Then the B-events collection component monitors and records the user’s current activity to train the anomaly detection model. Based on the network traffic threshold, the auto-encoders classify the network traffic as normal or intrusion. Finally, the D-alarm component blocks the intruder, and a notification is sent to the system administrator to take the necessary measures. However, access control was provided to all users without authenticating the legitimate users, so attackers can easily access the data, which affects network security. A collaborative intrusion detection model using a deep learning architecture in IoT networks was proposed in [21].
Initially, the CICFlowMeter tool was deployed to process the data and to extract features such as destination port, protocol, flow duration, the total number of packets in the forward direction, the number of packets per second of traffic flows, and the average size of the packet. Then ensemble-based multi-feature selection was used to select the important features based on a specific threshold. Based on the feature extraction, the Generative Adversarial Network (GAN) was utilized to classify traffic as normal or malicious. However, the GAN used for classification has the traditional problem that it is unstable during training and becomes harder to train, which leads to a high false positive rate.
In work [22], the author proposed low-complexity cyber-attack detection in IoT edge computing (LocKedge) for multi-attack detection. Initially, the raw traffic data are normalized by the min-max normalization method to convert them into numerical and categorical form. Feature extraction was performed by principal component analysis (PCA), which extracts the features and reduces the dimension. Finally, based on the extracted features, LocKedge utilizes the traditional neural network algorithm to classify multiple attacks such as DOS, DDOS, OS, fingerprint, etc. However, the feature extraction was performed using PCA, which is not able to find optimal principal components and is sensitive to outliers, so the feature extraction is not efficient, which affects the detection accuracy. In work [23], deep learning was integrated with an optimization algorithm to perform intrusion detection in IoT networks. Initially, the work consists of three phases: data collection, pre-processing and intrusion detection. The data are collected and pre-processed, where the data are standardized into a standard normal distribution to reduce data redundancy. Finally, based on the statistical features, intrusion detection was performed by the Adaptive Particle Swarm Optimization algorithm with Convolutional Neural Network (APSO-CNN) to reduce the training complexity and increase intrusion detection accuracy. However, although the intrusion detection performed using APSO-CNN performs effectively, only the statistical features are considered for intrusion detection, and the inadequate features lead to a high false positive rate. The author in [24] proposed a novel deep learning enabled intrusion detection mechanism. Initially, the framework consists of four modules: database module, intrusion detection system module, controller module and synthesizer module. The raw data packets are captured by the data collector, and the packets are processed by label coding, feature scaling and feature extraction. The generative adversarial network (GAN) was employed to generate synthetic samples to overcome the data imbalance issue. Then the controller module performs two tasks: sending synthetic requests to the IDS module and evaluating the pending requests. Finally, the intruder was detected using GAN. However, this work considers all users as legitimate users and allows them to access the network, which leads to security breaches due to the presence of illegitimate users.

C. INTRUSION DETECTION SYSTEM USING MACHINE LEARNING
The author in [25] proposed a distributed consensus based trust model (DCONST) to detect multiple-mix attacks. Initially, the Trust Authority (TA) distributed the asymmetric key to IoT nodes, and during data communication between two nodes the trust authority provides a symmetric key to both sender and receiver to encrypt the transferred packets. Trust evaluation was performed to measure node reputation by sharing their cognition, and the DCONST model then detects the malicious nodes and benign nodes. Then DCONST detects the concrete attack behaviours and clusters them by K-Means clustering; subsequently, the malicious node was categorized into DCONST-light, DCONST-normal and DCONST-proactive. However, after attack detection the malicious node was categorized into light, normal or proactive, and no countermeasure was taken to alert the users and block the malicious node, which leads to security breaches. A blockchain-enabled framework for intrusion detection in IoT Fog-Cloud architecture was proposed in [26]. The privacy-preserving blockchain was employed for secure data transmission. Initially, all the entities in the network are authenticated by the Trust Authority (TA) and security was provided. Then feature extraction was performed by principal component analysis (PCA), thereby reducing the dimension. Finally, the intruders are classified using the Gradient Boosting algorithm. However, PCA was utilized for feature extraction, and this algorithm consumes a large amount of time when working with outliers and missing values, which increases latency. The author in [27] proposed a distributed intrusion detection framework using fog computing to improve network security. Initially, the raw traffic is captured and pre-processed by the standard Scaler normalization method. The blockchain was implemented for security purposes, and a mining pool was integrated with the intrusion detection system to detect suspicious attacks. Finally, the statistical features and packet features are extracted, and the XGBoost and Random Forest algorithms were utilized separately for intrusion detection, where XGBoost achieves better accuracy. However, the blockchain was used for privacy preservation, which increases network security, but this traditional blockchain suffers from non-scalability.

III. PROBLEM STATEMENT
A DNN based network intrusion detection model for IoT gateways was proposed in [28]. The network traffic is captured, and statistical features are extracted by the Damped incremental statistical algorithm to detect the intrusion, and a countermeasure was taken. The main problems of this research are listed as follows:
• Here all the IoT users are considered legitimate users, so the amount of malicious traffic increases due to the presence of malicious users, which affects the security level in the network.
• In this work, the Damped incremental statistical algorithm was utilized for feature extraction, where the
limited feature (statistical feature) was extracted, which is not enough to analyse the attack category and leads to low detection accuracy.
• The proposed attack detection model utilizes a deep neural network, which requires massive data to train the model, leading to high computational power and high complexity.
An anomaly-based intrusion detection framework to protect IoT devices was introduced in [29]. The statistical features are extracted, the intrusion was classified by one-class algorithms, and precautions were taken by the action manager. The major problems of this research are explained below:
• The proposed Passban signals an anomaly even if the incoming traffic contains a pattern that is not an attack but somehow diverges from the routine traffic, which leads to false positives.
• Here, the isolation forest algorithm was utilized for classification, where the model generates a large number of trees, which leads to high computational time.
• In this work, the alert notification was sent to the users randomly without determining the attack path, which leads to high latency.
A deep blockchain framework to execute a security-based collaborative intrusion detection system (CIDS) was proposed in [30]. Here, privacy-based encrypted data transmission was accomplished using blockchain, and Bi-LSTM was utilized for CIDS in the cloud network. The problems of this research are defined as follows:
• The deep blockchain framework was utilized for data preservation and private data transmission; even though it performs well, it is a traditional blockchain that suffers from a lack of confidentiality due to its non-scalability.
• Here the Bidirectional LSTM was proposed to perform CIDS, which hinders its applicability to large data and causes high energy consumption due to its high computational time.
• In this work, the network traffic was classified as normal or malicious, whereas suspicious traffic will be taken as normal traffic, which leads to a high false positive rate.
A collaborative intrusion detection system (CoLL-IoT) to detect malicious activities in IoT devices was introduced in [31]. The raw packets are captured, the chi-square algorithm was used for feature extraction, and intrusion detection was classified using XGBoost. The major problems of this research are narrated below:
• Here, the XGBoost algorithm was utilized for intrusion detection; the algorithm does not perform well on sparse and unstructured data and is very sensitive to outliers, which makes it hardly scalable.
• In this work, feature extraction was performed by the chi-square method, which is difficult to interpret and needs a large sample size, which leads to high energy consumption.
Research Solutions: Initially, time-based authentication is performed by the NIK-512 hashing algorithm, which hashes the user’s password and registered time and stores them in the blockchain, which increases the security level; then access control is provided to the user based on their role by priority-entrenched user scheduling to achieve better QoS, thereby reducing complexity. Bi-level intrusion detection is implemented by extracting the significant features to categorize the attack types, which improves the detection accuracy. Feature extraction and intrusion detection are performed by ResCapsNet, which combines a residual network and a capsule network, where the capsule network extracts the features significantly with a small sample size, which reduces the high energy consumption. Furthermore, bi-level intrusion detection is executed, where the first-level IDS classifies traffic as normal, suspicious or malicious, and the suspicious traffic is then classified as normal or malicious in the second level, which reduces the false positive rate. Then the attack graph is generated to detect the attack path, which is utilized to notify the users optimally and helps to reduce the high latency. Finally, the hybrid chain is proposed by combining blockchain and trusted execution environment (TEE), which minimizes the computational burden and increases the blockchain and privacy scalability.

IV. HYBRIDCHAIN-IDS SYSTEM MODEL
In this research, we concentrate on providing security in the IoT environment through effective bi-level intrusion detection. The proposed methodology consists of several layers: the physical layer consists of IoT users (i.e. IoT devices), the edge layer consists of edge nodes, and the cloud layer consists of cloud storage. Figure 1 represents the architecture of the proposed HybridChain-IDS framework. In this work, we propose the Hybrid chain, which combines blockchain and trusted execution environment and helps to reduce the network computation burden and provide high security. Blockchain-based authentication and access control are proposed to achieve high security and privacy preservation.

A. PHYSICAL LAYER
This is the fundamental layer of the IoT network, responsible for gathering data from all IoT users for data transmission and for storing their data from various sensors in the cloud server in a secure manner. The IoT devices can be accessed from any location through mobile phones, laptops, computers, etc.

B. TRUSTED AUTHORITY (TA)
The Trust Authority is deployed in the physical layer by blockchain to provide authenticity to IoT users by acquiring their credentials and affording them security keys.

C. EDGE LAYER
The edge layer comprises several edge nodes, which are responsible for collecting the network traffic. Furthermore, the bi-level IDS is accomplished in the edge layer to strengthen the security and privacy of IoT users.


FIGURE 1. Architecture of the proposed HybridChain framework.
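
The time-based authentication handled by the Trust Authority in this architecture (a 512-bit digest over the password and registered time, login with password plus registered time, account blocked after more than three failures) can be sketched as follows; this is an added example, not code from the paper. PBKDF2-HMAC-SHA512 stands in for NIK-512, and the salt, iteration count, in-memory ledger and class names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 3       # page: the account is blocked after more than three failures
KDF_ROUNDS = 100_000   # constructed value, not from the paper


def credential_digest(password, reg_time, salt):
    """Return a 512-bit verifier over the password and registered (h, m, s).

    PBKDF2-HMAC-SHA512 stands in for NIK-512, which has no standard-library
    implementation; the salt and iteration count are assumptions.
    """
    hour, minute, second = reg_time
    material = password.encode("utf-8") + b"\x00" + bytes([hour, minute, second])
    return hashlib.pbkdf2_hmac("sha512", material, salt, KDF_ROUNDS)


def valid_time(reg_time):
    """Accept only a well-formed (hour, minute, second) triple."""
    if not (isinstance(reg_time, tuple) and len(reg_time) == 3):
        return False
    if not all(isinstance(v, int) for v in reg_time):
        return False
    hour, minute, second = reg_time
    return 0 <= hour < 24 and 0 <= minute < 60 and 0 <= second < 60


@dataclass
class Record:
    salt: bytes
    digest: bytes
    failures: int = 0
    blocked: bool = False


class TrustAuthority:
    """Registration and login checks; the dict stands in for HybridChain storage."""

    def __init__(self, clock):
        self._clock = clock                       # callable returning (h, m, s)
        self._ledger = {}
        self._dummy_salt = secrets.token_bytes(16)

    def register(self, user_id, password):
        if user_id in self._ledger:
            raise ValueError("user already registered")
        reg_time = self._clock()
        salt = secrets.token_bytes(16)
        self._ledger[user_id] = Record(salt, credential_digest(password, reg_time, salt))
        return reg_time    # displayed to the user once; only the digest is stored

    def login(self, user_id, password, reg_time):
        rec = self._ledger.get(user_id)
        if rec is not None and rec.blocked:
            return "blocked"
        well_formed = valid_time(reg_time)
        if not well_formed:
            reg_time = (0, 0, 0)                  # still do the work, then reject
        # Unknown users cost the same derivation as known ones.
        salt = rec.salt if rec is not None else self._dummy_salt
        expected = rec.digest if rec is not None else bytes(64)
        candidate = credential_digest(password, reg_time, salt)
        match = hmac.compare_digest(candidate, expected)   # constant-time compare
        if rec is not None and well_formed and match:
            rec.failures = 0
            return "ok"
        if rec is not None:
            rec.failures += 1
            if rec.failures > MAX_FAILURES:
                rec.blocked = True
                return "blocked"
        return "denied"


if __name__ == "__main__":
    ta = TrustAuthority(clock=lambda: (14, 7, 52))   # constructed registration time
    shown = ta.register("alice", "correct horse")
    print(ta.login("alice", "correct horse", shown))       # right password and time
    print(ta.login("alice", "correct horse", (14, 7, 53)))  # right password, wrong time
```

A correct password with the wrong registered time is rejected and counted as a failure, which is the property the time factor adds.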

D. CLOUD LAYER
The cloud layer is composed of blockchain to increase network security and reduce the computational burden. Moreover, it is responsible for performing countermeasures to enhance network security.

E. HYBRID BLOCKCHAIN
The hybrid chain incorporates blockchain with a Trusted Execution Environment (TEE), which adopts a hierarchical network for minimizing the computational burden and allows transactions to be stored securely.

1) TIME-BASED AUTHENTICATION
Initially, we authenticate the IoT users (∋) to ensure legitimacy. For that, the ∋ register with their details, such as user name , user ID (α), device ID (1), PUF (β), role (∄), password (ρ) and mail ID (ϑ), with the trusted authority (TA), which sends the details into the blockchain to enhance security. After registering, the trust authority displays the
user registered time in hours (δ), minutes (γ) and seconds (ε); the TA then provides a security key based on the user credentials, including the password (ρ) and the registered time in hours (δ), minutes (γ) and seconds (ε). The steps involved in registration and authentication are defined below.

• Step 1: Initially, the (∋) is registered with the Trust Authority by providing the credentials , (α), (1), (β), (∄), (ρ) and (ϑ), which can be composed as

TA ← Reg[ , (α), (1), (β), (∄), (ρ), (ϑ)]   (1)

where Reg[ , (α), (1), (β), (∄), (ρ), (ϑ)] denotes the registration of (∋) with parameters , (α), (1), (β), (∄), (ρ) and (ϑ) respectively.

• Step 2: Once (∋) is registered, the Trust Authority displays the user registered time, which is used for user login.

TA ← dis{(δ), (γ), (ε)}   (2)

where dis{(δ), (γ), (ε)} denotes the hour (δ), minute (γ) and seconds (ε) that display the (∋) registered time.

• Step 3: After (∋) is registered, the TA generates the 512-bit secret key for the registered user for authentication, which is illustrated as

TA ← SK512[(ρ), (δ), (γ), (ε)]   (3)

where (ρ), (δ), (γ), (ε) denote the password with the user registered hour, minute and seconds. After authentication, the blockchain stores the password and user registered time in hash format, which cannot be compromised by attackers; this improves the security level. For that purpose, we propose the NiK-512 hashing algorithm, which resists all cryptographic attacks, including quantum collision attacks. The cryptographic hash function is developed for a hash output length of 512 bits and utilizes the Miyaguchi-Preneel structure, for it generates 512-bit long values, and X is stored as an array of 16 32-bit elements. The hashing of SK512 is divided into 512-bit blocks, and the last block is padded with zeros to the proportion of 512 bits.

In the beginning, the is computed as 0; the function works in keyless mode or with a key value, assuming that key mode is utilized. The SK512 is computed with the first block of the password and registered time block being processed. Furthermore, the compression function is employed, which takes the internal state of current values and then the password and registered time block that have to be processed. The input obtains the arrays of current values X and Y. In addition, the classical memory required is estimated as:

$$m = 2^{l/5} \tag{4}$$

For Āi, according to the formula (4), the transformation is executed (indexes of elements are taken modulo 16).

$$X_i := (X_i \gg 1) \oplus (\neg Y_i) \oplus (X_{i+6} \wedge \neg Y_{i+3}) \tag{5}$$

The array is revolved: the (i)-th element becomes the (i − 1)-th element, and the zero element becomes the last element. For Xi with indices 2 ≤ i ≤ 16, the transformation is executed as:

$$X_i := (\neg X_i \gg 1) \oplus Y_i \oplus (\neg X_{i-6} \wedge Y_{i-3}) \tag{6}$$

For all Xi and Yi, the transformation is executed according to the following formula:

$$\begin{cases} X_i := X_i \bmod 2^{32} \\ Y_i := \left(Y_i + X_i \times X_{(i+d^{3}) \bmod 16}\right) \bmod 2^{32} \end{cases} \tag{7}$$

where d denotes the number of the current round (i.e. d = 0 for the first round and d = 31 for the last round). The secret key hashed to 512 bits (SK512) is then generated and provided to the ∋ by the TA. The user should remember the time displayed after registration; during every login the user enters their username, password and displayed registration time. If the user forgets their password or registered time, then by choosing forgot password the trust authority will send a security code to the user's registered mail ID that allows the user to view their password and registered time, which is also limited to only three times. The threshold T is calculated as:

$$T(r, s) = -\sum_{n \in \chi} r(n) \log s(n) \tag{8}$$

where r and s are discrete probability distributions and n denotes the threshold range limited for the user, which is set as three threshold ranges.

$$= \begin{cases} 0 & \text{if } 0.3 \geq n \quad \text{(Mail Generated)} \\ 1 & \text{if } 0.3 < n \quad \text{(User Blocked)} \end{cases} \tag{9}$$

Through this authentication, the security level is increased and unauthorized users are eliminated, which reduces the computational complexity and malicious traffic in the network. Furthermore, by storing the (SK512) in hash format in the hybrid permission blockchain, confidentiality is enhanced. The hybrid chain combines blockchain with a Trusted Execution Environment (TEE); it comprises four layers: data layer, verification layer, estimation layer and application layer. The computational burden is minimized by employing a hierarchical network, reducing on-chain latency by executing the major heavyweight computation off-chain. The hybrid chain is advantaged by enabling each participant to share their data through a secure communication protocol. Moreover, the hybrid chain elongates the reservation memory, which permits the blockchain application to execute in the TEE; this enhances the secure storing of transactions and documentation of the whole storage of key-value codes situated outside the TEE. The data layer consists of data storage and encryption techniques in the blockchain, and embraces the chain structure, data blocks, hash function and digital signature. The verification layer comprises the transmission protocol, where the verification of execution results is performed by utilizing the Practical Byzantine Fault Tolerance (PBFT) consensus algorithm. The estimation layer is conducted for verification of transactions and execution of smart contracts in a Virtual machine (VM) and key


Pseudocode Time-Based Authentication

Input: User Credentials [ , (α), (1), (β), (∄), (ρ), (ϑ)]
Output: Authenticated or Not
Begin
  For all User in registration [ , α, 1, β, ∄, ρ, ϑ] do
    Perform registration using Eq. (1)
    Display ∋ registered time using Eq. (2)
    NiK-512 generate SK512 using Eq. (3) and Store ∋ credentials and SK512 in Blockchain
  End For
  For User in Login Phase do
    If Épr == ∪pl then // Épr user current password and time, ∪pl registered password and time.
      Authentication success
    Else
      Execute threshold range for ∋ password recovery using Eq. (8)
      If (0.3 ≥ n) then // n threshold range
        obtain password
      Else
        Account Blocked
      End if
    End if
  End For
End
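The registration, login and three-use recovery limit of the pseudocode above, as an added Python sketch that is not code from the paper. NiK-512 is not a publicly available primitive, so PBKDF2-HMAC-SHA512 with a per-user salt stands in for it; `TrustAuthority`, `Record`, the in-memory `ledger` (standing in for the blockchain store) and the one-time mail code are assumptions of this example.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_RECOVERIES = 3       # the paper limits password/time recovery to three uses
PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example
# The registered time has only 24*60*60 possible values, so as a second
# secret it adds about 16.4 bits on top of the password.
TIME_FACTOR_BITS = math.log2(24 * 60 * 60)


def valid_hms(hms) -> bool:
    """True if hms is an (hour, minute, second) tuple within clock range."""
    if not (isinstance(hms, tuple) and len(hms) == 3):
        return False
    if not all(isinstance(v, int) for v in hms):
        return False
    h, m, s = hms
    return 0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60


def derive_sk512(password: str, hms: tuple, salt: bytes) -> bytes:
    """512-bit key over password + registered time (the inputs of Eq. 3).

    Stand-in for NiK-512: PBKDF2-HMAC-SHA512 with a per-user salt.
    """
    h, m, s = hms
    material = f"{h:02d}:{m:02d}:{s:02d}|{password}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", material, salt, PBKDF2_ROUNDS, dklen=64)


@dataclass
class Record:
    salt: bytes
    sk512: bytes
    recoveries: int = 0
    blocked: bool = False


class TrustAuthority:
    """Hypothetical TA; self.ledger stands in for the blockchain store."""

    def __init__(self):
        self.ledger = {}
        self._dummy_salt = secrets.token_bytes(16)

    def register(self, user_id: str, password: str, now: datetime = None):
        now = now or datetime.now(timezone.utc)
        hms = (now.hour, now.minute, now.second)
        salt = secrets.token_bytes(16)
        self.ledger[user_id] = Record(salt, derive_sk512(password, hms, salt))
        return hms  # displayed to the user once (Eq. 2); only the hash is kept

    def login(self, user_id: str, password: str, hms) -> str:
        if not valid_hms(hms):
            return "FAILED"
        rec = self.ledger.get(user_id)
        # Derive even for unknown users so response time does not reveal
        # which user IDs are registered.
        salt = rec.salt if rec else self._dummy_salt
        candidate = derive_sk512(password, hms, salt)
        if rec is None or rec.blocked:
            return "DENIED"
        if hmac.compare_digest(candidate, rec.sk512):
            return "AUTHENTICATED"
        return "FAILED"

    def recover(self, user_id: str):
        """Return a one-time mail code, or None once the limit is exceeded."""
        rec = self.ledger.get(user_id)
        if rec is None or rec.blocked:
            return None
        if rec.recoveries >= MAX_RECOVERIES:
            rec.blocked = True  # fourth request: account blocked
            return None
        rec.recoveries += 1
        return secrets.token_hex(8)


if __name__ == "__main__":
    ta = TrustAuthority()
    shown = ta.register("alpha-01", "s3cret-pass")  # constructed sample user
    print("registered at", shown, ta.login("alpha-01", "s3cret-pass", shown))
```

Because only the derived key is stored, recovery in this sketch issues a one-time code and cannot display the original password. `TIME_FACTOR_BITS` shows how little the hour/minute/second factor adds on its own.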

FIGURE 2. User scheduling and access control.

management. Furthermore, the access control is provided by a confidentiality-preserving smart contract with high performance. The application layer is a configurable implementation of blockchain, smart contracts and algorithms.

2) USER REQUEST SCHEDULING AND ACCESS CONTROL
After successful authentication, the policy is generated based on the user role and attribute. The user sends a service request to the blockchain, where the access control manager in the smart contract collects the user requests, which consist of mixed types of service requests. Hence we need to schedule the user requests to reduce the latency and waiting time, which helps to use available user resources. Figure 2 illustrates the flowchart of user scheduling and access control. For that, we propose the Cheetah Optimization Algorithm (COA); the steps involved are represented below.

In order to perform user scheduling, the cheetah (cloud server) searches for the hunting prey (user) in two modes, scanning mode and active mode; depending upon the fitness value, the cheetah might select the optimal mode to hunt the prey. The fitness value is estimated by considering delay, throughput, resource energy and priority. Moreover, the cheetah optimization algorithm consists of three strategies: searching strategy, sitting & waiting strategy and attack strategy (rushing and capturing). In the mathematical modelling of the searching strategy of cheetahs, assume $C_{i,j}^{k}$ represents the current position of cheetah i = (1, 2, ···, m) at arrangement j = (1, 2, ···, L), where m denotes the number of the cheetah population and L is the dimension of the optimization problem. Furthermore, the new position of cheetah i is updated by utilizing a random search function, an arbitrary step size and the current position of each arrangement, as follows,

$$C_{i,j}^{k+1} = C_{i,j}^{k} + \hat{z}_{i,j}^{-1} \cdot \tau_{i,j}^{k} \tag{10}$$

where $C_{i,j}^{k+1}$ and $C_{i,j}^{k}$ are the forthcoming and current positions of cheetah i at arrangement j, k denotes the time of the current hunting, and $\tau_{i,j}^{k}$ and $\hat{z}_{i,j}^{-1}$ are the step length and randomized parameter of cheetah i at arrangement j. Let K denote the length of the maximum hunting time; the randomization parameter is the second term, where the random numbers $\hat{z}_{i,j}$ are normally distributed from the standard distribution. In most slow walking search, the step length $\tau_{i,j}^{k} > 0$ is set at 0.001 × k/K, where in some cases $\tau_{i,j}^{k}$ can be regulated between the distance of cheetah i and its leader or neighbour. The update of every arrangement of cheetah is performed by assuming $\tau_{i,j}^{k}$ equal to 0.001 × k/K, which is multiplied by the maximum step size. For others, $\tau_{i,j}^{k}$ in every cheetah's arrangement is estimated by multiplying the distance between cheetah position i and a randomly selected cheetah. Depending on the distance between the prey and leader, the leader position is chosen and some variables of the prey position are changed to obtain the best solution. Furthermore, the optimization problem can be effectively solved by employing any randomised parameter with random step size (i.e. $\hat{z}_{i,j}^{-1}$ and $\tau_{i,j}^{k}$).


In the mathematical modelling of the sit and wait strategy, in most cases the prey attempts to escape from the cheetah; to avoid this, the cheetah decides to trap (lying on the ground or hiding among shrubs) and hunt the prey by getting closer. Hence, here the cheetah remains at its position and allows the prey to come nearer by waiting; this attempt can be illustrated as follows:

$$C_{i,j}^{k+1} = C_{i,j}^{k} \tag{11}$$

where $C_{i,j}^{k+1}$ is the updated cheetah position and $C_{i,j}^{k}$ denotes the current position of cheetah i at arrangement j. This strategy acquires the best solution without changing every cheetah continuously, so it evades premature convergence. In the mathematical modelling of the attack strategy, the cheetah utilizes flexibility and speed to hunt the prey. The attacking approach of the cheetah can be defined as follows:

$$C_{i,j}^{k+1} = C_{E,j}^{k} + \hat{z}_{i,j} \cdot \nu_{i,j}^{k} \tag{12}$$

where $C_{E,j}^{k}$ represents the current position of the prey in arrangement j (best position of the current population), and $\hat{z}_{i,j}$ and $\nu_{i,j}^{k}$ are the turning factor and the interaction factor of the cheetah arrangement. $C_{E,j}^{k}$ is the cheetah's rushing tactic, employing maximum speed to get closer to the prey in a short time. Hence, it evaluates the i-th new position of the cheetah based on the current prey's position. Furthermore, the $\nu_{i,j}^{k}$ deliberates the interaction during the capturing phase between the leader and a cheetah or between cheetahs. This factor is mathematically defined as the difference between the neighborhood cheetah's position, $C_{E,j}^{f}$ = ($f \neq i$), and the i-th cheetah's position, $C_{i,j}^{k}$. The random number of the turning factor $\hat{z}_{i,j}$ is equal to

$$\left| z_{i,j} \right|^{\exp(z_{i,j}/2)} \sin\left(2\pi z_{i,j}\right) \tag{13}$$

where the normally distributed $z_{i,j}$ are random numbers from the standard normal distribution, which deliberate the cheetah's sharp turns in the capturing phase. By utilizing these strategies, the cheetah optimizer performs effective user scheduling to reduce the complexity.

After user scheduling, access control is performed. In our process, the access control is provided by a smart contract in the blockchain, where the smart contract is generated by multiple agents to manage data and service sharing among network users. The multiple agents are the access control manager (ACM), user register manager (URM) and judge evaluator (JE). The ACM is the main smart contract that administers the access control among IoT devices. Whenever ∋ generates a request, the ACM is executed and it forwards the request of ∋ by checking the correlated permission level. The URM creates the registration table to store user credentials acquired during authentication, and it also stores the information of user-accessed service (data) with time. Moreover, the JE judges the user behavior and evaluates the trust value based on user behavior to provide access control. The misbehavior includes when the ∋ sends numerous requests simultaneously for service and the ∋ who cancelled their generated request. Once the ∋ have misbehaved, the corresponding penalty is regulated for that specific person by turning off their state for a particular time to reduce complexity. The trust computation comprises the input vector ∋ = ∋1, ∋2, . . ., which denotes each user, and the weight vector (depends on user behaviour) = G1, G2, . . .. The output of applying the weights Gi (i = [1...h]) to inputs ∋j (j = [1...q]) is the trust value, which is generated based on,

$$\text{Trust} = \sum_{i=1}^{q} G_i \ni_i \tag{14}$$

Once the trust value is estimated, the trust level is assumed as low (misbehaved) or high (not misbehaved). Further, the permission levels are examined based on their role, and the requests are permitted or repudiated corresponding to their permission level and if the trust level is high. Otherwise, the access is denied and the alert message is generated for each user (i.e. Access Granted !, Requests are Concealed !, Static Check Stoped !, Misbehavior Detected !, Static Check failed & Misbehavior Triggered !). By performing user scheduling and access control, the complexity is reduced, thereby enhancing the security level.

FIGURE 3. Workflow of ResCapsNet.

3) BI-LEVEL INTRUSION DETECTION
After providing access control, bi-level intrusion detection in the network is carried out effectively to enhance network security. The bi-level intrusion detection is implemented by the deep network ResCapsNet algorithm, which is a combination of capsule network (CapsNet) and residual network (ResNet). Figure 3 demonstrates the workflow of ResCapsNet. Initially, the first level of IDS is performed in the edge layer, where the filtration of incoming network packets based on the packet


flow are captured by gateways. Then, based on the network packet flow, the packet features are extracted by ResNet. The ResNet is employed to optimize the network layer and then to achieve the identity mapping and assure that the input and output layer identities are the same. In ResNet, the identity layers are regulated automatically by performing training, and several layers of this original network are changed into residual blocks. The residual operation is illustrated below as follows:

H = V2 µ(V2 a)   (15)
b = H(a, {Vi}) + a   (16)
b = H(a, {Vi}) + Vw a   (17)

where µ in equation (15) denotes the non-linear ReLU function and b is the shortcut common output of the second ReLU. When the input and output dimensions of equation (17) are required to change, the linear transformation Vw can be executed on a using the shortcut operation and the number of channels.

Once the significant features are extracted, intrusion detection is accomplished by CapsNet. The capsule network can fetch spatial information and more important features by representing the features as vectors, and it can also provide high accuracy with less training data, which helps to reduce the high energy consumption. The CapsNet is comprised of capsules, where a neuron generates its output as a scalar and a capsule generates its output as a vector. The extent of each vector describes the evaluated probability of object existence, and the aspect of each vector enrols the object posture parameters, which incorporate exact rotation, thickness, position, object size and tilt. The CapsNet functions as the following equations,

êj|i = Wij ei   (18)
Dj = Σi ij êj|i   (19)

where vectors are the input and output of the capsule, ei and ωj; the output ei of the previous capsule is multiplied with the affine transformation matrix Wij for turning ei into êj|i. Then the weighted sum Dj is estimated corresponding to the weight ij, which is the coupling coefficient enumerated by the iteration of the dynamic process. ij is a measure that includes capsule i and the activated capsule j.

$$\omega_j = \frac{\lVert D_j \rVert^{2}}{1 + \lVert D_j \rVert^{2}} \frac{D_j}{\lVert D_j \rVert} \tag{20}$$

where the activation function of Dj is compressed rather than ReLU, hence the extent of the final output vector ωj is between 0 and 1. The output of the activation function is achieved through the compression function. The capsule network evaluates the output through estimating the intermediate value ij by iteration of dynamic routing. The prediction vector êj|i in equations (18) and (19) is the prediction through capsule i and has an effect on output capsule j. The two capsules are highly correlated if the activation vector has a large similarity with the prediction vector, where the similarity is computed through the scalar product of the prediction vector and activation vector. Hence, the similarity score ij might appraise both possibility of feature attribute and feature existence, embrace neurons, that barely contemplate the feature existence possibility. Furthermore, if the activation ei of capsule i is notably low, therefore the ei is proportional to the extent of êj|i, and ij might still be low; if the detail feature of the capsule is not activated, the correlation between the overall feature and the detail feature is notably low. The ij coupling coefficient is quantified by the softmax of ij in equation (22).

ij ← êj|i Xωj   (21)
ij ← exp( ij) / Σc exp( ic)   (22)

Hence, ResCapsNet classifies the network packets into normal, malicious and suspicious. The ResCapsNet defends the integrity of the information and performs effectively, which helps to improve intrusion detection accuracy. In this work, the ResCapsNet is adopted and modified to be appropriate for intrusion detection. The ResNet-34 comprises four partitions, where the partitions have 3, 4, 6 and 3 identity blocks respectively. The identity blocks in each partition contain 64, 128, 256 and 512 filters individually. Consecutively, to extract the significant features with low complexity, the convolutional kernel size is minimized in the first convolutional layer from 7 to 3. The number of filters utilized for every identity block in the four partitions is subsequently reduced to 16, 28, 40 and 52, and no classification layer is acquired for generating output. The dynamic routing parameter as digit caps for data is set to 3. The network traffic flow is classified in three classes (normal, malicious and suspicious), hence the number of vectors in primary and digit caps is set to 3; furthermore, the number of capsules taking part in digit caps is set to 3.

Likewise, the second level IDS is performed, where the suspicious network traffic is analyzed using ResCapsNet to ensure network security. Here the packet features are again examined by ResCapsNet to classify the suspicious network traffic as normal or malicious. Finally, if malicious traffic is detected, then the attack type is categorized by considering the behavioral, spatial, temporal and content features. By performing bi-level intrusion detection, the network security level is amplified.

4) ATTACK GRAPH CONSTRUCTION AND MITIGATION
After the intrusions are detected, the risk assessment is evaluated and the attack graph is generated to provide risk-based countermeasures by path detection based on the attack graph, which are illustrated in the following subdivisions.

a: RISK ASSESSMENT AND ATTACK GRAPH GENERATION
Once the bi-level IDS is completed, the risk assessment is performed to identify the severity level of the intrusion. For generating the attack graph and detecting the shortest attack path, we need to calculate the risk of detected attacks. The attack category and the attack mode are integrated to analyze the


severity level of attack (i.e. password-based attack is considered as low risk and vulnerability based are considered as high risk). The attack impact and feasibility are estimated to execute the risk assessment. The attack impact is evaluated as:

 = + Þ + ∅   (23)

where denotes data loss, Þ is legislation or privacy and ∅ represents the operation. According to the impact parameters, the sum is perhaps generated to acquire the attack impact level. Then the attack feasibility is expressed as:

 = + +    (24)

where the attack feasibility is generated by considering parameters ( ) window of opportunity, ( ) equipment and TOE knowledge. Furthermore, the risk value Y is described as:

 = √( 2 + 2 )   (25)

where and are weight parameters of and . The risk contributions are concluded as same by both attack impact and feasibility where and are set at 0.5. After risk assessment, the risk level should be regulated based on the evaluated attack impact and feasibility level. The matrix perhaps by utilizing the calculated risk value in (25) and the risk level is represented as follows:

 = ℓ+ ℓ   (26)

where is the risk level computed by ℓ value of attack impact level and ℓ value of feasibility level and denotes the risk function of ℓ and ℓ. Based on the quantified risk level, attack level is categorized into low and high.

Then the attack graph was generated to detect the attack path and take optimal countermeasure action. The attack graph generation is carried out by improved k-Nearest Neighbor, the kNN is enhanced by integrating Graph Neural Network (GNN) which will effectively learn the attack structure and provide a significant attack graph. Assume that the training attack training set = {( , )} =1 is given, where ∈ Qς is the -th input vector for input variables and is the label vector for output variables. This method reconstructs each input vector into graph = ∀ ; where ∀ represents the transformation function. The k, and are the numbers of nearest neighbor and distance function which are the two hyper parameters required to be determined which are only employed to operate the transformation function ∀ for kNN search from ; but they are not exploited explicitly in learning procedure. For every , its kNN occurrence are searched from \ {( , )} entrenched on distance function , illustrated by ( ) = { , (i) } i=1..k.

The proposed mechanism is an end-to-end method, and it adapts graph neural network for graph construction by utilizing message passing neural network framework for enhancing general node and the edge node including isomorphic invariance. To determine kNN regulation from the attack training set , it constructs GNN that conducts on graph representation = ∀ ; for input vector provide the training to identify the equivalent label vector as −y = f( ) = f ∀ ; . It initially embedded each i into ς dimensional initial node denotes vector which utilizes embedded function as M(0),i = ( i ), i = 0, . . . , k. For graph construct, a message passing process is executed by using two major functions: message function ϖ and update function ϑ. The node representation of vectors M( ),i are modified as:

( ),i = Σ j | j ∈ / i ϖ( M( −1),j , i , i,j )   (27)
M( ),i = ϑ( M( −1),i , ( ),i , i )   (28)

After time message passing steps, set of node representation of vectors {M( ),i} =0..N is achieved per node. The 0-th node of set {M( ),0} =0..N is then progressed with the function of readout ξ to acquire final identification of label as follows:

−y = ξ( {M( ),0} =0..N )   (29)

The fundamental functions , ϖ, ϑ and ξ are parameterized like neural networks, is the two-layer fully connected function in neural network along ς tanh units in each units. Furthermore, the specified attack training data = {( , )} =1, the method determine a given task kNN rule from in the form of −y = f ∀ ; . The prediction method f is trained entrenched on representation of graph utilizing the objective function ∪ as follows:

∪ = (1/ ) Σ ( n, −yn) = (1/ ) Σ ( , ) ∈ ( n, f ∀ ; )   (30)

where denotes the loss function, which depends upon the target task. Moreover, the generated attack graph was stored in blockchain where the attackers cannot access are modify it, will improves the network security.

b: ATTACK PATH DETECTION AND MITIGATION
From the generated attack graph, the attack path is detected by considering attack root privilege, source attack node, target node and stage weight information. Initially, the attack node path is detection to discover the shortest attack path. The attack node path disclosure method represents security state and relationship among its states and connection matrix of all the hosts is acquired in network. The attack node path detection is defined as follows:

Assume that node i denotes network states where Ŝ = { 0, 1, . . . , n} the collection of all network states is, and


then the attack graph is taken as:

 = {Ŝ, E | 0, m, T} / ( i ei)   (31)

where, ei edge is utilized to represent intrusion attack mode, which alleviates the condition of E = {e0, e1, . . . , en}, E describes the all possible methods of attack in network, T describes the security attributes of network. Suppose that ð denotes the vulnerabilities set in network, describes attack rule, and S denotes the connection relationship. T is estimated by:

T = ( (ð, , S) / m ) ⊗ 0   (32)

where m is attack state achieved through intrusion map, 0 defines initial state and the paths utilized by attack maps are moderated by 0. Furthermore, the ℘ denotes the authority state of real-time intruder, where λ(℘j) predicted attack effect of intruder is calculated as follows:

λ(℘j) = ( κ / (℘ ⊗ H(ε)) ) b   (33)

where H(ε) describes host attribute, κ describes any behavior of attack in network, and b describes every attacks on all possible paths of attack graph. Moreover, optimal attack path is discovered to predict the attack intention of IoT environment. Assume that ð denotes the vulnerabilities set, cve, pre and post denotes CVE number according to vulnerability, I denotes the intention set that attack might reach in the network, name and gap denotes the graph name and intention action point respectively, then tab transfer correlated of attack behaviour among nodes are calculated as:

 tab = {J ∗ gap name} / (ð ± { cve, pre, post})   (34)

Assume that (∇, E) describes graph of attack path which is explicated as an itemized graph, ∇ describes node set in distribution state at different level such as protection domain, vulnerability and host and ð and describes host vulnerability set, then

(∇, E) = ( ð { j, j+1} { 0 1} ) / ( (∇, E) tab )   (35)

where j and j+1 describes vertex sets, 0 and 1 describes the edges of newly directed. Suppose that rl is assigned as real-time attacker location, denotes key condition that the intention of attacker can be recognized. If there is the path denoted by rl → in , it can be determined that the reachable intention will be reconstructed into the problem of path search among nodes. The attack intention reachability can be calculated as:

(T,n) = ( ťf ∓ n j o ∓ fj ) / ( rl ∓ rl → )   (36)

where t′f illustrates connection matrix of , n j denotes the number of nodes in , o denotes transition of attackers from one node to another node, and fj denotes each vulnerable point attribute. Moreover, the shortest path P∗ of attack intention recognition is evaluated as follows:

P∗ = ( κd (T,n) (∇, E) ) / ( Zf u )   (37)

where κd describes the vulnerable point in difficulty degree and Zf describes hiding degree of vulnerable point. The attack map is explained corresponding to the correlation connection between hosts, the attack intention reachability is evaluated, the attack intention recognition in probability is obtained, the attack intention and the shortest path is achieved which anticipate the abnormal information through attack intention.

Once the intrusion is detected, then countermeasures are taken based on the risk assessment and attack path detected. If the attack risk level is low, then the alert message is generated to the specific user, and if high risk level is detected, then the administrator blocks the communication between the malicious node and the alert message is generated to that specific users and correlated nodes which are connected with malicious node and also the correlated nodes are examined to identify if any other nodes are attacked. Then the network was refreshed and reconstructed to avoid packet loss. The network reconstruction is performed by obtaining attack chains from attack graph to analysis about attack scenario. For instance, if A−B−C−D−E is the generated attack path where the D is malicious node which tends to be high risk, then the D malicious node is blocked and the alert message is sent for other nodes A, B, C and E. Furthermore, these nodes are examined and the E node is reconnected with its one-hop relation of node C (i.e. A−B−C−E) which will be prohibited from packet loss thereby enhancing reliability.

V. EXPERIMENTAL RESULTS
In this section, we represent the proposed HybridChain-IDS framework in an IoT environment. This experimental research comprises of three subsections specifically simulation setup, comparison analysis and research summary. The result section illustrates that the proposed work achieve superior performance with compared to previous work.

A. SIMULATION SETUP
The simulation result of this proposed work is implemented by NS-3.26 network simulator which improves the performance of this research. The proposed framework is compared with several performance metrics and proven that our work achieves superior performance. Table 1 describes the system configuration and Table 2 describes the network parameters configuration.

B. COMPARATIVE ANALYSIS
In this section, we represented the comparison analysis between the proposed HybridChain-IDS framework and existing works where we consider two existing works such


TABLE 1. System configuration.

TABLE 2. Network parameters for HybridChain-IDS.

as Lit-IDS [28] and Passban-IDS [29]. The main objective of this research is to provide security in the IoT network by accomplishing intrusion detection. The proposed work achieved better performance in terms of accuracy, detection rate, false alarm rate, precision, recall and F1-score with respect to the number of IoT users.
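The comparison that follows rests on confusion-matrix measures. This added example (not from the paper) runs a bi-level triage over constructed flows and computes accuracy, false alarm rate and precision as the following subsections define them in words. The score thresholds, the `level1`/`level2` functions standing in for ResCapsNet, the single-level baseline and the sample flows are all assumptions of the example.

```python
def level1(score, low=0.3, high=0.7):
    """First level (edge): three-way verdict from an anomaly score in [0, 1]."""
    if score < low:
        return "normal"
    if score > high:
        return "malicious"
    return "suspicious"


def level2(score, cut=0.5):
    """Second level: a suspicious flow is re-examined and forced to a verdict."""
    return "malicious" if score >= cut else "normal"


def bi_level(flows):
    """Verdict per flow; only flows judged suspicious reach the second level."""
    verdicts = []
    for f in flows:
        v = level1(f["s1"])
        if v == "suspicious":
            v = level2(f["s2"])
        verdicts.append(v)
    return verdicts


def single_level(flows):
    """Baseline: no second look, so every non-normal flow raises an alarm."""
    return ["normal" if level1(f["s1"]) == "normal" else "malicious" for f in flows]


def confusion(truth, verdicts):
    """Count TP/TN/FP/FN with 'malicious' as the positive class."""
    c = {"tp": 0, "tn": 0, "fp": 0, "fn": 0}
    for t, v in zip(truth, verdicts):
        if v == "malicious":
            c["tp" if t == "malicious" else "fp"] += 1
        else:
            c["fn" if t == "malicious" else "tn"] += 1
    return c


def metrics(truth, verdicts):
    c = confusion(truth, verdicts)
    total = sum(c.values())

    def ratio(num, den):
        return num / den if den else 0.0

    return {
        "accuracy": ratio(c["tp"] + c["tn"], total),            # (TP+TN)/total
        "false_alarm_rate": ratio(c["fp"], c["tn"] + c["fp"]),  # FP/(TN+FP)
        "precision": ratio(c["tp"], c["fp"] + c["tp"]),         # TP/(FP+TP)
    }


# Constructed sample: (ground truth, level-1 score, level-2 score or None)
SAMPLE = [
    ("normal", 0.05, None), ("normal", 0.10, None), ("normal", 0.20, None),
    ("normal", 0.45, 0.20), ("normal", 0.60, 0.30), ("normal", 0.55, 0.60),
    ("malicious", 0.90, None), ("malicious", 0.80, None),
    ("malicious", 0.50, 0.80),
    ("malicious", 0.25, None),  # scored normal at level 1: never re-examined
]
FLOWS = [{"truth": t, "s1": a, "s2": b} for t, a, b in SAMPLE]
TRUTH = [f["truth"] for f in FLOWS]

if __name__ == "__main__":
    print("single-level:", metrics(TRUTH, single_level(FLOWS)))
    print("bi-level:    ", metrics(TRUTH, bi_level(FLOWS)))
```

On this sample the second level removes two of the three false alarms, while the malicious flow scored as normal at the first level is missed by both policies, since it never reaches the second level.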

1) IMPACT OF ACCURACY
This metric is utilized to estimate the accuracy of the proposed HybridChain-IDS framework. The highest accuracy demonstrates that the system detects the intrusion accurately. Generally, the accuracy is obtained as the summation of true negative and true positive divided by total samples. The accuracy is mathematically represented as follows:

 = ( + ) / ( + + d′ + )   (38)

where represents the true positive, denotes the true negative, d′ shows the false positive and denotes the false negative.

Figure 4 represents the comparison of accuracy with respect to the number of IoT users. The comparison result describes that the proposed work achieves high accuracy when compared to the other two previous works, Lit-IDS and Passban-IDS. In our work, the significant features are considered for performing intrusion detection, which increases the detection accuracy. In addition to that, effective bi-level intrusion detection is performed, where the suspicious packets are also classified as normal or malicious by contemplating significant features using ResCapsNet. The existing works perform intrusion detection by considering limited features, which tends to a high false alarm rate, and the suspicious packets are not examined. The proposed HybridChain-IDS framework achieves 14% better accuracy compared to existing works.

FIGURE 4. Accuracy vs. number of users.

2) IMPACT OF DETECTION RATE
This metric is utilized to estimate the rate of attack detection in the IoT network. Commonly, this is represented as the ratio of the number of detected attacks to the number of user increasing, which can be defined as follows:

Dr = d /    (39)

where Dr describes the detection rate of attack, d describes the attacks detected and represent the increasing users. A network with a high detection rate can achieve a secure network. Figure 5 represents the comparison of detection rate with respect to the number of IoT users for both the proposed and existing works. The comparison results illustrate that the proposed work has attained a better detection rate compared to the existing works Lit-IDS and Passban-IDS. In our work, we perform time-based authentication to exclude illegitimate users, which reduces the malicious traffic in the network and avoids misclassification. Furthermore, bi-level


FIGURE 5. Detection rate vs. number of users.

FIGURE 6. False alarm rate vs. number of users.

intrusion detection is performed by considering effective features, where bi-level intrusion detection enhances the attack detection rate. In existing works, authentication is not accomplished, so illegitimate users can also access the network; this increases the malicious traffic in the network and leads to misclassification and high complexity, which might result in ineffective detection and thereby a low detection rate. The proposed work reached a 15% higher detection rate compared to existing works.

3) IMPACT OF FALSE ALARM RATE
This metric is used to evaluate the rate of false alarms in the IoT environment. Generally, the false alarm rate is defined as the ratio of false alarm to summation of true negative and the false positive. The false alarm rate d′r can be formulated as follows:

d′r = d′ / ( + d′)    (40)

where d′r denotes the false alarm rate, d′ describes false positive and denotes the true negative. A network with a low false alarm rate can improve the accuracy of intrusion detection in the network. Figure 6 illustrates the comparison of false alarm rate for both the proposed and existing works. The comparison shows that the proposed HybridChain-IDS achieves a low false alarm rate compared to existing works. In our research, we perform bi-level intrusion detection by employing ResCapsNet, where the first level of intrusion detection classifies traffic into three categories, namely normal, malicious and suspicious. Moreover, in second-level intrusion detection the suspicious traffic flows are identified as either normal or malicious, which reduces the false alarm rate. Furthermore, the existing works classified the network traffic as normal or malicious, where the malicious traffic is taken as either normal or malicious, which affects the network security and increases the false alarm rate. The proposed work achieves a 15% lower false alarm rate when compared to existing works.

FIGURE 7. Precision vs. number of users.

4) IMPACT OF PRECISION
This metric is used to calculate the positive predictive value based on specificity; furthermore, it also defines the detection performance. Precision is measured as the ratio of true positive to the summation of false positive and true positive. The mathematical representation of precision is as follows:

= (41)
+ d′

where ( ) represent the precision. Figure 7 describes the comparison of the proposed HybridChain framework and existing works with respect to the number of IoT users. The comparison shows that the proposed work achieves better performance compared to existing works. In our work, we perform time-based authentication to authenticate the legitimate users, and only authorized users are admitted to the network; this excludes the illegitimate users and reduces the innumerable malicious traffic. ResCapsNet is proposed to perform bi-level intrusion detection, where this algorithm extracts the significant features and fetches spatial information effectively, which helps to perform accurate detection. The existing works are limited with network
security level and true positive rate. Unauthorized users are allowed in the network, where an intruder can act as a legitimate user and easily compromise the legitimate users, which increases the malicious packets in the network and leads to a lower positive predictive rate. The proposed work attains a 16% better positive predictive value compared to existing works.

FIGURE 8. Recall vs. number of users.

5) IMPACT OF RECALL
This metric measures the negative predictive value based on the sensitivity of intrusion detection in the IoT network. Recall is evaluated as the proportion of true positive to the sum of false negative and true positive, which is represented as follows:

= (42)
+

where represent the recall. Figure 8 represents the proposed and existing recall values with respect to the number of IoT users. In our research, we perform user scheduling and access control to increase network security.
The user scheduling is executed to reduce the complexity, and the users are scheduled on a priority basis, which improves the access control service. The trust-aware access control supports increasing the data integrity level and reducing negative prediction through permission-based access control. Moreover, the suspicious packets are examined again to reduce the negative prediction. The existing works do not provide access control in a considerable manner, so users can approach the data without any restrictions or conditions, which affects data privacy. The intrusion detection is performed with insufficient features, which leads to a high negative predictive value. Moreover, the suspicious packets are not examined, which increases the negative predictive value. The proposed work accomplished an 18% better negative predictive value compared to existing works.

FIGURE 9. F-score vs. number of users.

6) IMPACT OF F-SCORE
The F-score is described as the harmonic mean of precision and recall. Generally, the F-score is evaluated as the proportion of the recall product to the precision and recall summation. The F-score is formulated as follows:

+
= 2× (43)
×

where denotes the F-score. Figure 9 illustrates the comparison of the F-score values of both the proposed and existing works with respect to the number of IoT users. In the proposed HybridChain-IDS, the F-score is enhanced with the number of IoT users. Furthermore, an increasing F-score also denotes the accuracy of this work; that is, if the F-score obtained is high, then the accuracy of intrusion detection is increased. HybridChain-IDS performs time-based authentication to enhance network security. User scheduling and access control are provided to authorize users based on their trust and permission level, which improves data privacy, thereby reducing complexity. The hybrid blockchain enhances the security in the IoT environment. Moreover, bi-level intrusion detection is executed by considering effective features to amplify the detection accuracy. The proposed work achieves a 17% higher F-score compared to existing works.

C. RESEARCH SUMMARY
The research summary is divided into two subdivisions, where the security analysis and research highlights are presented.

1) SECURITY ANALYSIS
In this section, we define the security analysis of the proposed HybridChain-IDS framework. We examine the security dispensed by the HybridChain-IDS framework in the IoT network. We evaluate our research with 5% of malicious nodes in the network. The comparison results prove that our work achieves high security. In our work, we concentrate on identifying the brute force attack, SYN flood attack and phishing attack, which are explained below.

a: BRUTE FORCE ATTACK
Our proposed framework mitigates brute force attacks. Brute force attacks characteristically fall on weak password-related targets, where the attackers seek to guess the password through numerous attempts. In our work, time-based authentication is executed to avoid brute-force attacks. Once the user is registered using their credentials
then the TA displays the user's registered time and provides a security key based on the password and registered time, which is stored in hash format using NIK-512 in the blockchain.

b: SYN FLOOD ATTACK
Our proposed work defends against SYN flood attacks, which are a type of DDoS attack intended to make a server unavailable by sending numerous packets. In our work, the authenticated users are scheduled based on priority and then access control is provided based on their trust and permission level. If a user transmits numerous packets, then that user's state will turn off.

c: PHISHING ATTACK
This is a type of attack where the attacker transmits fraudulent messages to trick the legitimate user into revealing personal information. In our work, we execute bi-level intrusion detection where suspicious packets are examined again. Furthermore, the blockchain ensures every transaction, which enhances network security.

2) RESEARCH HIGHLIGHTS
In this section, we summarize the experimental results, which also show that the proposed HybridChain-IDS framework achieves superior performance through comparison results. The performance of the proposed work is evaluated in terms of accuracy, detection rate, false alarm rate, precision, recall and F-score, which are described in Figure 4 to Figure 9. Table 3 demonstrates the performance metrics in numerical analysis of proposed and existing works. The highlights of this research are described as follows:
• For enhancing the security in IoT, time-based authentication is performed to authenticate legitimate users using the NIK-512 hashing algorithm.
• For increasing the detection accuracy, the significant features are extracted and bi-level intrusion detection is implemented by utilizing the ResCapsNet algorithm, which improves the accuracy.
• For timely detection and mitigation, the attack graph was generated using an improved KNN algorithm for timely attack detection in the future, and the attack path was evaluated for alert generation, which reduces the attack severity level; then the attack graph was stored in the blockchain.

TABLE 3. Numerical analysis of proposed and existing work.

VI. CONCLUSION
In the IoT environment, lack of security and privacy are the major issues. In this research, the HybridChain-IDS framework is proposed to execute effective bi-level intrusion detection. Initially, time-based authentication is performed to authenticate legitimate users by providing a 512-bit security key using the NIK-512 hashing algorithm. The password and registered time are stored in the Hybrid chain (Blockchain and TEE), and this blockchain improves the scalability of blockchain and data privacy. Then the authenticated users are scheduled to reduce the complexity, and access control is provided based on user permission level and trust level. After that, we perform effective bi-level intrusion detection employing ResCapsNet, which enhances network security. Furthermore, risk assessment is executed to enumerate the attack impact level, and an attack graph is generated for attack path identification. Then risk-based countermeasures are taken and the attack graph is stored in the blockchain. Finally, the network is refreshed and reconstructed to hinder packet loss. The proposed HybridChain-IDS achieves better performance in terms of accuracy, detection rate, false alarm rate, precision, recall and F-score.
AHMED A. M. SHARADQH received the Ph.D. degree in computer science and computing systems and networks from the National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute," Ukraine, in 2007. Since 2009, he has been an Associate Professor with the Computer Engineering Department, Faculty of Engineering Technology, Al-Balqa Applied University. His research interests include the performance of networks, quality services, security networks, the IoT, image processing, digital systems design, operating systems, and microprocessors.

HAZEM (MOH'D SAID) ABDEL MAJID HATAMLEH was born in Irbid, Jordan, in 1973. He received the M.Sc. and Ph.D. degrees from the National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute," in 2007. He is currently an Associate Professor with the Applied Science Department, Ajloun University College, Al-Balqa Applied University. His current research interests include computer networks, wireless networks, the IoT, image processing, and computer graphics.

AS'AD MAHMOUD AS'AD ALNASER received the Ph.D. degree in computer engineering from the National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute." He is currently an Associate Professor with the Department of Applied Science, Ajloun University College, Al-Balqa Applied University. His research interests include wireless and mobile networks, internet protocols, image processing, and graph theory and its applications.

SAID S. SALOUM was born in Irbid, Jordan. He received the Higher Diploma degree in radio-physics and electronics from Kaluga State University, Russia, in 1995, and the Ph.D. degree in computer engineering from Izhevsk State Technical University, Russia, in 2004. He is currently an Assistant Professor with the Computer Engineering and Networks Department, Jouf University, Saudi Arabia. His research interests include image processing, machine learning, and deep learning.

TAREQ A. ALAWNEH was born in Irbid, Jordan, in 1984. He received the B.S. and M.S. degrees in computer engineering from the Jordan University of Science and Technology (JUST), Irbid, in 2006 and 2009, respectively, and the Ph.D. degree in computer engineering from the University of Hertfordshire, U.K., in 2021.
From 2010 to 2013, he was a full-time Lecturer with the Electrical and Computer Engineering Department, Tafila Technical University (TTU), Al-Tafila, Jordan. He was an Assistant Professor with Fahad Bin Sultan University (FBSU), Saudi Arabia, in 2021. He is currently an Assistant Professor with the Electrical Department, Al-Balqa Applied University. His research interests include cache partitioning algorithms, low-power designs, cache coherence protocols, high-performance dynamic random access memory (DRAM) for multimedia applications, multi-core systems, tiled-chip multiprocessors (tiled-CMPs) systems, and the IoT.