Multimedia Tools and Applications (2021) 80:12619–12640

https://doi.org/10.1007/s11042-020-10354-1

Anomaly events classification and detection system in critical industrial internet of things infrastructure using machine learning algorithms

Gamal Eldin I. Selim 1 & EZZ El-Din Hemdan 1 & Ahmed M. Shehata 1 &
Nawal A. El-Fishawy 1

Received: 13 March 2020 / Revised: 25 September 2020 / Accepted: 22 December 2020 / Published online: 14 January 2020
© The Author(s), under exclusive licence to Springer Science+Business Media, LLC part of Springer Nature 2021

Abstract
An Industrial Control System (ICS) is used in industrial processes to reduce the burden on human
operators and to handle complex industrial system processes and the communications between them
efficiently. The Internet of Things (IoT) is the fusion of devices and sensors through an
information network to enable new and autonomous capabilities. The integration of IoT with
industrial applications is known as the Industrial Internet of Things (IIoT). The IIoT is found
in several critical infrastructures such as water distribution networks. Nowadays, ICSs are
vulnerable because they use Internet connections to enable industrial IoT sensors to communicate
with each other in real time. Therefore, this paper presents an analytical study of detecting
anomalies, malicious activities, and cyber-attacks in a cyber-physical system of critical water
infrastructure in the IIoT infrastructure. The study uses various machine learning algorithms to
classify the anomaly events, including several attacks and IIoT hardware failures. A real-world
dataset covering 15 anomaly situations of normal system activity was analyzed to evaluate the
proposed approach. The test situations involved a wide array of incidents, from hardware
breakdown to water SCADA device sabotage. To classify the malicious activity, various machine
learning methods are used, such as Logistic Regression (LR), Linear Discriminant Analysis (LDA),
k-nearest neighbours (KNN), Naïve Bayes (NB), Support Vector Machine (SVM), and Classification
and Regression Tree (CART). The results show that CART and NB have the best results for accuracy,
precision, recall, and F1-score.

Keywords: Industrial control system · Data science · Classification and detection · Machine
learning · Critical infrastructure · Industrial internet of things · Cyber-attacks

* EZZ El-Din Hemdan



Extended author information available on the last page of the article



1 Introduction

Recently, modern technologies such as the Internet of Things [15] and Cloud computing have come
to depend on network and Internet services for information exchange and communication.
Cybersecurity has become a significant field for many specialists around the world, across
research subjects such as cloud and IoT forensics [17], Big Data Security [16], Data Hiding [19],
and Critical Infrastructure Security [34]. Industrial Control Systems (ICS) include several
categories of control systems, such as Programmable Logic Controllers (PLC), Supervisory Control
and Data Acquisition (SCADA) systems, and Distributed Control Systems (DCS). All of these control
systems are found in industrial sectors and critical infrastructures such as gas pipelines,
transportation networks, electric power distribution networks, gas and water distribution
networks, and nuclear power generation [12].
The main difference between ICSs and traditional Information Technology (IT) environments is
that ICSs interact strongly with physical instruments and devices. Nowadays, ICSs are considered
cyber-systems; therefore, they are vulnerable to attacks from inside and outside their
environments. ICSs are more complex than traditional IT systems because they include different
components located in separate geographical areas [12].
From a cyber-security perspective, as shown in Fig. 1, ICS systems consist of three tiers: the
enterprise tier, the control tier, and the field tier. The enterprise tier consists of production
and business networks, which include IP-based devices connected to the Internet. These networks
are similar to traditional IT environments, so cyber-security solutions from IT systems are used
in this tier. The control tier consists of the distributed control components of SCADA systems.
This tier also involves the control room for monitoring and control purposes. The control tier
is similar to the enterprise tier in that all of its components are based on the IP protocol.
The components of this tier may not be upgraded periodically; consequently, few cyber-security
mechanisms are applied in this tier. The field tier is also known as the operations or process
tier. This tier consists of the control and operational devices and networks, and includes
embedded devices such as Programmable Logic Controllers (PLCs). The networks in this tier are not
IP-based like those of the other tiers; they include different industrial protocols and physical
interfaces. The components and networks in the field tier do not require cyber-security
mechanisms like the other tiers. Each tier in this model has specific and different security
requirements. The cyber-attacks on each tier are also different.

Fig. 1 Industrial Control Security Model [12]
The Internet of Things (IoT) has recently attracted attention from academia and the industrial
sector. The IoT is a network of various kinds of systems and technologies, including sensors,
radio frequency identification (RFID), cloud computing, the Internet, intelligent grids,
transportation networks, and numerous other equipment and new technologies. The IoT is becoming
more vulnerable to cyber-attacks and criminal actions. Cyber attackers are skilled and have more
experience in networks, digital systems, and new technologies. There is a huge amount of
information collected about criminals. Data science mechanisms can be used to monitor and track
them online and in real time by using different information sources [18]. The Industrial Internet
of Things (IIoT) is used to improve production and industrial procedures by using intelligent
sensors and actuators. With the creation of IIoT technology, new security challenges have arisen.
Every component connected to the IIoT becomes a risk and a potential liability [18].
In cybersecurity, there are three security principles, “C-I-A”: confidentiality, integrity, and
availability. Industrial protection reverses the emphasis of these concepts to “A-I-C”, where
functionality is the highest priority in manufacturing networks. In addition, a new letter is
added to these protection concepts, “S”, for safety. Safety is important in manufacturing
networks because cyber threats do not only harm the machine; they also affect human life [18].
Data science has become an important field, comprising mechanisms and systems that create
knowledge or information from data of different types, either structured or unstructured. Data
science involves data analysis techniques such as machine learning, data mining, statistics, and
knowledge discovery [18].
In this paper, an analytical study is performed and a system based on classification methods is
provided for anomaly detection over IIoT systems, specifically water SCADA systems. The machine
learning methods are also used to investigate cyber-attacks found in IIoT systems. The
classification and detection of intrusions and attacks will help system administrators and
industrial operators take the best decisions to protect critical industrial systems from hackers
and malicious behavior, and will also detect anomalous activities, including physical component
failures and sabotage. Likewise, the proposed model is used to predict the cyber-attacks that may
happen in IIoT systems by raising an alarm in the presence of an attack on the industrial system,
helping system administrators to detect digital evidence effectively. The contributions of this
paper are as follows:

• Provide a comprehensive analytical system based on machine learning for critical industrial
  infrastructure, for the investigation and classification of anomaly events including
  cyber-attacks, sabotage, and industrial hardware failures.
• The proposed system classifies abnormal activities through machine learning algorithms to help
  detect these activities efficiently. This system is evaluated using the data emerging from the
  real-world datasets per 14 categories of attacks. We conduct a systematic evaluation of the
  proposed system's performance through different experiment scenarios. This system can help the
  industrial operator to alleviate cyber-attacks when an event is detected and alarm
  notifications have been raised.

The rest of this paper is organized as follows: Section 2 provides preliminary knowledge about
data science, the Industrial Internet of Things, and machine learning techniques, while the
related work is discussed in Section 3. Section 4 presents the knowledge discovery framework for
detection of anomalies in the water-based SCADA industrial system, while the proposed system
based on data science methods for anomaly events is presented in Section 5. Section 6 presents
the experimental environment and the analysis and discussion of results, while the conclusion and
future work are provided in Section 7.

2 Preliminary knowledge

This section provides a theoretical background about data science, the Industrial Internet of
Things, and different Machine Learning algorithms.

2.1 Data science

Data science is an interdisciplinary field that combines statistics and computer science,
applying statistical techniques, procedures, and structures to gain knowledge from structured,
semi-structured, and unstructured information in different ways [15]. Statistics and computer
science are combined to take advantage of both in managing massive amounts of data effectively.
Statistics is the science concerned with the collection, analysis, and organization of data. From
the perspective of statistics, data analysis serves several purposes, such as predicting the
response to upcoming input variables and deducing the association between response and input
variables. From the perspective of computer science, data science is a process of data mining
that converts raw data into valuable knowledge and attempts to discover valuable patterns in
large data stores.

2.1.1 Data science task

The task of data science methods is to store, validate, analyze, visualize, and extract
knowledge from massive amounts of data using computer science and statistical algorithms. The
data science field includes several subfields, such as classification and clustering.

2.1.2 Data science road map

The Data Science Road Map (DSRM) describes the procedure for solving a data science problem. The
DSRM consists of the phases shown in Fig. 2, as follows:

• Frame the Problem: It is a critical stage to understand the type of problem that will be solved
  using data science methods.
• Understand the Data: Studying and understanding the data, and the real-world things it describes
  that are related to the problem, can help in choosing the best methods to handle and manage
  the data in the given time frame.
• Data Preprocessing: This phase includes the preprocessing techniques required to reduce the data
  volume and so minimize the time needed to analyze the data sets related to the detected problem.
• Feature Extraction: It is the process of extracting features and hidden patterns from the given
  data, which will feed into the data science model for solving a certain problem.
• Model and Analysis: In this stage, data scientists build a model that is suitable for the given
  problem and analyze the data sets related to the problem.
• Implement Code: Here, the data scientists write code, using several of the same tools as
  software engineers.
• Results Presentation and Visualization: It is the final stage of the design and implementation
  of a data science model.

Fig. 2 Data Science Road Map (DSRM). Boxes in the figure: Detect the Problem; Understand the
Data; Data Preprocessing; Features Extraction; Model and Analysis; Implement Code; Present and
Visualize Results.

2.2 Industrial internet of things

This section provides an overview of the Industrial Internet of Things (IIoT) concept,
requirements, and security.

2.2.1 IIoT concept

The Industrial Internet of Things (IIoT) is the technology through which sensors, advanced
analytics techniques, and intelligent technologies will transform machines’ communication and
interaction in the industrial field. IIoT technology is a network field that includes platforms,
physical elements, and specific software for communicating and sharing data between these
components [18]. The cooperation between the IIoT and existing industrial technologies will
enhance and facilitate the capture of and access to real-time data. The IIoT will help countries,
companies, and organizations to develop their business and open up a new era of economic growth
and competitiveness.
Intelligent techniques in the IIoT are used to increase the efficiency, productivity, and
operations of industrial systems. There are many applications for the IIoT in people’s lives,
such as a wind farm whose windmills are equipped with sensors and other hardware components to
communicate and interact with the other windmills and even request repairs. Such a wind farm
works in an intelligent way that enables power generation to be controlled, with each windmill
automatically changing its settings and actions based on the data it collects and processes from
local or remote control systems.

2.2.2 IIoT requirements

The requirements of the Industrial Internet of Things help realize the key objective of
industrial IoT: to enhance industrial control systems by making industrial systems intelligent in
numerous applications such as manufacturing products, machine auto-diagnosis, and monitoring
ozone levels. The Industrial IoT business wants inexpensive devices that work over
easy-to-install links such as wired, wireless, power line, and the control system network, and
that can operate safely and reliably. Some of the essential requirements in IIoT [18], shown in
Fig. 3, are as follows: Smart Machines, Cloud Computing, Security, Big Data Analytics, Access
(anywhere, anytime), UX (User Experience), and Assets Management.

2.2.3 IIoT security

Control systems are required in IIoT environments, where a large number of industrial components
are connected through an Ethernet network to produce products that help humans live in a
comfortable environment. Industrial control systems face various kinds of attacks; therefore,
special measures must be taken to secure and protect the control systems against severe attacks.
Security is very significant for the reliable operation of IIoT connected devices. Security
characteristics in the IIoT differ from those of the classical IoT because of the dissimilarity
in the IIoT structure.

Fig. 3 Requirements of Industrial Internet of Things (IIoT)

2.3 Machine learning techniques

Machine learning focuses on automatic computer learning, producing systems capable of making
their own decisions based on data. Presently, several machine learning algorithms can be used for
fraud detection, such as linear regression, naïve Bayes, random forest, support vector machine,
logistic regression, and decision tree. These algorithms are explained as follows [33]:

1. Logistic Regression (LR): LR is a predictive regression system where the dependent variable
   is categorical. LR uses Maximum Likelihood Estimation to describe the probability that an
   observation takes on a particular class, with an iterative algorithm such as Newton’s method
   used to obtain the model.
2. Linear Discriminant Analysis (LDA): The main idea of LDA is to reduce the dimensions of a
   given classification task, focusing on maximizing the separability among known categories. In
   practice, LDA creates a new axis by maximizing the distance between the means and by
   minimizing the variation. It then projects the data onto this new axis, reducing the
   dimensionality.
3. K-Nearest Neighbors (KNN): KNN is a supervised learning algorithm, mostly used for regression
   and classification problems. The KNN technique requires known data. Unlike other machine
   learning techniques, KNN does not have a training phase. The prediction for a test observation
   is based on the distance between observations. The main idea of this technique is to find the
   K nearest neighbors, whose classes are predefined, and assign a class to the unknown point.
4. Classification And Regression Tree (CART): A decision tree is a supervised learning algorithm
   that is mostly used in classification problems. A decision tree is a flowchart structure in
   which each node signifies a test on a feature, each branch represents a test result, and each
   leaf node holds a class name. CART can manage both numerical and categorical data.
5. Gaussian Naive Bayes (NB): NB classifies the tested features based on probability. This
   technique uses normal probability distributions and assumes that the data are normally
   distributed, as that way the classification process is more efficient.
6. Support Vector Machine (SVM): SVM fits a hyperplane between data points in space, i.e.
   support vectors, such that the samples are separated by the largest gap possible.

3 Related work

The security of critical infrastructures and IIoT systems has become critical; therefore, different
studies are related to this field.
In [20] H. Hindy et al. applied classification mechanisms on the water system. They created
different scenarios on the specific features in the water system dataset. The advantage of this
work is that the dataset has been collected from real critical infrastructure. However, the
authors calculated only the accuracy of the classification mechanisms.
Robert Mitchell and Ing-Ray Chen [30] created a survey on intrusion detection systems of
the Cyber-Physical Systems (CPS). They categorized CPSs into two classes based on the
potential detection mechanism. The first class is Knowledge-Based, or Misuse Detection, and
the second class is Behavior-Based. This survey focused on network traffic rather than the
accuracy of the data transferred through the network.
In [5, 6] Amin et al. developed a security assessment of a cyber-physical system for critical
infrastructure. This assessment includes different layers; supervisory and control networks.
The research introduced a grey-box penetration testing approach to be able to penetrate a
deception attack on the system to act as an Intrusion Detection System (IDS).
In [11] Cheng et al. developed a new technique to prevent different types of cyber-attacks
such as code-injection attacks, control-oriented attacks, and code-reuse attacks on embedded
devices. The authors developed a new approach called Orpheus. It presents the advantage of
the event-driven nature of embedded devices that controls industrial critical infrastructure.
In [28] Mathur presents the restrictions and challenges of detecting attacks in critical
infrastructures by using process analysis techniques. The author presents two techniques. The
first technique is CUSUM [9], a statistical technique for determining anomalies in time series
related to the monitored process. This technique requires two factors to operate: the threshold
and the bias. CUSUM helps the operator identify the state of the facility and the changes in
behavior resulting from an attack. The second technique depends on State Entanglement (SE) [4].
The SE technique integrates the states of multiple components of a system to build a state space.
The state space is considered a blacklist.
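An added illustration of the CUSUM idea summarized above (it is not code from [28] or [9]): a two-sided CUSUM with its two parameters, the bias and the threshold, run over a constructed tank-level series and compared with a plain per-sample limit. Taking the expected value from an initial attack-free window is an assumption of this example.

```python
def cusum_alarms(series, baseline_n, bias, threshold):
    """Two-sided CUSUM over a sensor time series.

    The first `baseline_n` samples are assumed attack-free and give the expected
    value. `bias` is subtracted from every deviation so that normal noise does not
    accumulate; an alarm fires when either running sum exceeds `threshold`.
    Returns a list of (sample_index, direction); the sums reset after each alarm.
    """
    if not 0 < baseline_n <= len(series):
        raise ValueError("baseline_n must be between 1 and len(series)")
    target = sum(series[:baseline_n]) / baseline_n
    s_up = s_down = 0.0
    alarms = []
    for i, x in enumerate(series):
        s_up = max(0.0, s_up + (x - target) - bias)
        s_down = max(0.0, s_down + (target - x) - bias)
        if s_up > threshold or s_down > threshold:
            alarms.append((i, "up" if s_up > threshold else "down"))
            s_up = s_down = 0.0
    return alarms


def limit_alarms(series, baseline_n, limit):
    """Per-sample check for comparison: alarm when one reading is off by more than `limit`."""
    target = sum(series[:baseline_n]) / baseline_n
    return [i for i, x in enumerate(series) if abs(x - target) > limit]


# Constructed tank-level readings (not from the dataset): 20 normal samples
# oscillating around 50.0, then a small persistent +1.0 offset on every reading.
LEVELS = [50.5, 49.5] * 10 + [51.0] * 20

if __name__ == "__main__":
    print("per-sample limit 3.0:", limit_alarms(LEVELS, 20, 3.0))
    print("CUSUM bias=0.5, threshold=4.0:", cusum_alarms(LEVELS, 20, 0.5, 4.0))
```

The per-sample limit never fires on the small offset, while the accumulated deviation crosses the threshold nine samples after the change; lowering the bias or the threshold shortens that delay at the cost of more false alarms.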
In [22] Mohammad R. et al. proposed a lossless data aggregation technique to decrease redundant
industrial sensing information and to embed control and managerial data. The proposed technique
can be modified using an intentioned statistical method by a double-set interpolating based
embedding with the greedy weight network. Their solution for stable wireless payload
communications is innovative in its improved integration capabilities. The simulation results
for the synthetic video-opening radar suggest that the theoretical analysis is supported and that
the method exceeds previous works.
In [29] Varun G. Menon et al. proposed a new technique. Previously, they had developed a Smart
Accident Precognition Device (SAPS), a device that reduces the risk of car accidents and enhances
passenger safety. Their research advances the earlier technique by using Google Assistant with
the SAPS. The proposed system can be used in cars by integrating several embedded devices that
monitor features such as distance, speed, and safety parameters like door locks, seatbelts, and
handshakes. The data obtained from the embedded devices are saved in the cloud in real time, and
the vehicle responds to different previous conditions. The proposed IoT real-time vehicle device
can sense and respond to changes in different situations. Besides, the car is safer than ever
before with RFID keyless entry authentication. This new solution is highly effective for current
networks and would have a direct positive effect on the automotive and social sectors.
In [2] Mahdi Abbasi et al. proposed a communication micro-core for the classification of packets
in high-speed, flow-based network systems. This micro-core classification measures the length of
the rules with the hash technique. As a result, a memory consumption of 14.5 bytes per rule and
324 Mpps in their tests is achieved with a mixture of SRAM and BRAM memory cells, as well as the
installation of two ports on Virtex® 6 FPGAs. The memory efficiency of the proposed specification
is also the best compared with its principal predecessors, and it can fulfil the speed and power
consumption requirements at the same time.
In [25] Wenmin Lin et al. proposed a decentralized IoT data sharing settlement system enabled by
blockchain. First, a time interaction scheme based on Bitcoin is introduced for creating an equal
and decentralized settlement platform. Besides, an improved functional Byzantine fault-tolerant
consensus protocol called ReBFT is introduced to improve transparency for all transactions,
allowing all participants associated with the IoT data sharing system to obtain the same mutual
ledger record of all transactions. Finally, the viability of their plan is verified through
tests.
In [1] Abbasi et al. suggested an appropriate port encoding technique. This technique
comprises three major steps: Layering, bit allocation, and encoding. In the first step, a greedy
algorithm positions higher layers of the ranges. Then, each layer is allocated multiple bits using
an auction-based algorithm according to its range number. Finally, the bits are defined for the
desired range in each plate, based on the weight order of the ranges. In comparison to previous
storage field methods, the approach suggested not only improves the classification speed but
also allows more effective use of the capability of TCAM in the second process.
In [3] Mahdi Abbasi et al. proposed a processing model for the issue in which a solution is
developed between energy consumption and delay in processing fog workload. The NSGAII
algorithm solves this multi-target model of the problem. The statistics reveal that both energy
consumption and delay can be increased using the proposed algorithm for workload assignment
in a fog cloud scenario. Besides, energy consumption and delay are reduced by assigning
25% of IoT working loads to fog equipment.
In [23] Mohammad R. et al. introduced a new data aggregation strategy for effective
payload sharing in Video Synthetic Aperture Radar (ViSAR). Their approach is to merge a
recent interpolation-based data hiding (IBDH) technique with a visual data transformation
protocol using a Discrete Cosine Transformation (DCT) to implement the reference process in
terms of its ability to integrate data.

4 Knowledge discovery model for anomaly detection in water SCADA system

The knowledge discovery model for anomaly detection in the SCADA water system is shown in Fig. 4.
This model includes three phases. The first phase applied to the dataset is pre-processing.
Pre-processing includes data cleaning and reduction, which make the data much smaller in volume
while producing the same analytical results. In the pre-processing phase, all instances for each
scenario are selected from the log file. The second phase is feature extraction, which includes
choosing the significant features or columns from the dataset and identifying the classes or
labels used in the experiments. The third phase is a machine learning model of six classification
algorithms that classify the data by class. The results of this model can be found in the
experimental results section.

5 Anomaly events classification and detection system using machine learning

The intelligent data science system for anomaly events analysis and classification of IIoT for
the critical water system is shown in Fig. 5. The proposed system consists of three phases as
follows:

Stage 1. Data Gathering

1. The data are raw signal measurements gathered directly from the aquatic storage and
   distribution cyber-physical subsystem.
2. The measurements are collected from one ultrasound depth sensor, four discrete sensors, two
   pumps, and a communication network.
3. The measurements are sent to the monitoring and control SCADA system.
4. After all data have been gathered, they are used to create a dataset for the experimental
   analysis.

Stage 2. Data Management

1. Pre-processing includes data cleaning and reduction, which make the data much smaller in
   volume while producing the same analytical results.
2. In the pre-processing phase, all instances for each scenario are selected from the log file.
   Each log file includes 10 rows per instance, and each row consists of the Date, Time, the
   Register Number, and the Register value of the PLC.
3. The data are split into two sets: one set has 80% for training and the other set has 20% for
   testing.
4. Any noise existing in the collected data is removed.
5. Suitable attributes are selected as the features used to classify the results with the machine
   learning algorithms.

Stage 3. Classification and Detection for Anomalies and physical behaviors

1. Classify the collected data, splitting it into six classes.
2. Evaluate with classification accuracy, precision, recall, and F1-score.
3. Perform the comparative analysis between different ML algorithms for six classes, which are
   an anomaly, affected component, combined affected component, Combined Situation, operational,
   and operational Situation.

The results are displayed on the dashboard, which raises an alarm if any anomaly appears in the
collected data.

Fig. 4 Knowledge Discovery model for anomaly detection in SCADA Water system

Fig. 5 A suggested system for anomaly events classification and detection using ML in Critical
IIoT based SCADA Water System
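The three stages above, carried through as an added example (not the authors' code or dataset): it parses a constructed register log of 10 rows per instance, applies the 80/20 split, trains a from-scratch Gaussian Naive Bayes, and reports accuracy, precision, recall and F1 per class. The row layout, the register map and the three class labels are assumptions made for the illustration.

```python
import math
import random

ROWS_PER_INSTANCE = 10  # per the text: 10 log rows (one per register) form one instance
CLASSES = ["normal", "breakdown", "cyber-attack"]  # three scenario kinds named in the text

def make_log(per_class=50, seed=3):
    """Constructed sample log, NOT the real dataset. Assumed row layout:
    'date time register value'. Assumed register map: 0 = ultrasound depth,
    1-4 = discrete sensors, 5-6 = pumps, 7-9 = unused."""
    rng = random.Random(seed)
    lines, labels = [], []
    for i in range(per_class * len(CLASSES)):
        label = CLASSES[i % len(CLASSES)]
        level = rng.uniform(4000, 6000)  # true tank level in raw sensor units
        depth = {"normal": level,
                 "breakdown": rng.uniform(0, 50),  # failed sensor reads near zero
                 "cyber-attack": rng.uniform(9000, 9500)}[label]  # spoofed reading
        regs = [round(depth)] + [int(level > t) for t in (2000, 4500, 5500, 8000)]
        regs += [rng.randint(0, 1), rng.randint(0, 1), 0, 0, 0]
        for reg, value in enumerate(regs):
            lines.append(f"2021-01-14 00:{i // 60:02d}:{i % 60:02d} {reg} {value}")
        labels.append(label)
    return lines, labels

def parse_instances(lines):
    """Group every 10 rows into one feature vector ordered by register number."""
    if len(lines) % ROWS_PER_INSTANCE:
        raise ValueError("truncated log: row count is not a multiple of 10")
    vectors = []
    for start in range(0, len(lines), ROWS_PER_INSTANCE):
        regs = {}
        for row in lines[start:start + ROWS_PER_INSTANCE]:
            _date, _time, reg, value = row.split()
            regs[int(reg)] = float(value)
        if len(regs) != ROWS_PER_INSTANCE:
            raise ValueError(f"instance at row {start}: missing or repeated register")
        vectors.append([regs[r] for r in sorted(regs)])
    return vectors

def split_80_20(X, y, seed=0):
    """Shuffle, then keep 80% for training and 20% for testing, as in Stage 2."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    cut = int(0.8 * len(idx))
    pick = lambda seq, ids: [seq[i] for i in ids]
    return pick(X, idx[:cut]), pick(y, idx[:cut]), pick(X, idx[cut:]), pick(y, idx[cut:])

class GaussianNB:
    """Gaussian Naive Bayes: one normal distribution per class and feature."""
    def fit(self, X, y):
        def var(col):
            mean = sum(col) / len(col)
            return sum((v - mean) ** 2 for v in col) / len(col)
        # Variance floor so registers that never change do not cause division by zero.
        floor = max(1e-9 * max(var(c) for c in zip(*X)), 1e-9)
        self.stats = {}
        for label in sorted(set(y)):
            rows = [x for x, lab in zip(X, y) if lab == label]
            params = [(sum(c) / len(c), var(c) + floor) for c in zip(*rows)]
            self.stats[label] = (math.log(len(rows) / len(X)), params)
        return self

    def predict(self, X):
        def score(x, label):
            prior, params = self.stats[label]
            return prior + sum(-0.5 * math.log(2 * math.pi * v) - (a - m) ** 2 / (2 * v)
                               for a, (m, v) in zip(x, params))
        return [max(self.stats, key=lambda lab: score(x, lab)) for x in X]

def per_class_metrics(y_true, y_pred):
    """Overall accuracy plus one-vs-rest (precision, recall, F1) per class."""
    pairs = list(zip(y_true, y_pred))
    report = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tp = sum(t == c and p == c for t, p in pairs)
        fp = sum(t != c and p == c for t, p in pairs)
        fn = sum(t == c and p != c for t, p in pairs)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        report[c] = (precision, recall, f1)
    return sum(t == p for t, p in pairs) / len(pairs), report

def run_pipeline():
    """Stage 1 (constructed log) -> Stage 2 (parse, split) -> Stage 3 (classify, evaluate)."""
    lines, labels = make_log()
    X_train, y_train, X_test, y_test = split_80_20(parse_instances(lines), labels)
    model = GaussianNB().fit(X_train, y_train)
    return per_class_metrics(y_test, model.predict(X_test))

if __name__ == "__main__":
    accuracy, report = run_pipeline()
    print(f"accuracy={accuracy:.2f}")
    for name, (p, r, f1) in report.items():
        print(f"{name:13s} precision={p:.2f} recall={r:.2f} f1={f1:.2f}")
```

The constructed classes differ sharply in the depth register, so the scores here say nothing about the real dataset; the value of the example is the data flow from log rows to per-class metrics.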

6 Experimental study

This section provides the experimental environment and the results analysis of the proposed
system with different machine learning algorithms.

6.1 Experimental environment

Python code implementing the machine learning techniques and calculating the values of the
performance evaluation metrics was run using Anaconda Navigator and Spyder [35]. The laptop used
to run the Python code has an Intel Core i5 CPU and 16 GB of memory.
The system used to collect the dataset is shown in Fig. 6. It is a SCADA-controlled critical
infrastructure system, including a computer network. This network has different vulnerabilities
within its hardware and software components. Figure 6 presents an overview of the network
architecture of the system. There are two tanks: the main tank and a secondary tank. The contents
of each tank can be water or fuel. Each tank can be set to storage mode or distributor mode. The
primary tank volume is nine litres, while the secondary tank size is seven litres. The main tank
has four discrete sensors attached to the PLC. The PLC is in turn linked to both pump1 and pump2.
These pumps regulate the flow of water between the two tanks. The four sensors in the main tank
determine the amount of water or fuel within the tank. The ultrasonic sensor in the secondary
tank is used to track the volume of the oil. The task of the control and monitoring room is to
collect all data obtained from the sensors using the Modbus protocol.

Fig. 6 Network Architecture for water SCADA System. Labels in the figure: Main tank with Discrete
Sensors 0 to 3 (marked D, C, B, A; value shown as 0000ABCD); Pump 1; Pump 2; PLC; UltraSounder;
Monitoring and Control; Secondary tank.

6.2 Dataset

This section describes the dataset gathered by the ICS and scenarios recorded. In [24] Laso
et al. discussed and illustrated how the dataset has been collected and the most important
features that describe the characteristics of the dataset. The data are raw signal measurements
directly gathered from the aquatic storage and distribution cyber-physical subsystem. The
measurements have been collected from one ultrasound depth sensor, four discrete sensors,
two pumps, and a communication network. The dataset has been gathered to investigate how
information and data can detect anomalies and malicious actions in critical infrastructure (CI)
systems. Data were obtained using a cyber-physical subsystem composed of fuel or water fluid
tanks, as well as its integrated control and information procurement facilities.
The collected data represent five operational scenarios: normal, anomalies, breakdown,
sabotages, and cyber-attacks. The dataset consists of 15 scenarios. Each scenario belongs to
one of the operational scenarios: sabotage, accident, breakdown, or cyber-attack. There are 6
affected components (i.e. None, Ultrasound Sensor, Discrete sensor 1, Discrete sensor 2,
Network, or Whole subsystem). These are components of the system itself, so their effects are
critical in the critical infrastructure.
The five operational scenarios comprise 15 files, covering 15 cases. These cases are normal
operation, blocked measures, floating objects, system errors, denial of service, spoofing,
wrong connection, and hits on the tank at various intensities. The affected component may be
a sensor, the network, or the whole subsystem. The data are raw signals obtained from a
cyber-physical storage and distribution system. This system comprises two tanks: the primary
tank has four discrete sensors and the secondary tank has an ultrasound depth sensor. There
are also two pumps and a communication network.

6.3 Performance evaluation metrics

In the experiments, six machine learning (ML) algorithms have been used for classification.
These ML algorithms are Logistic Regression (LR), Linear Discriminant Analysis (LDA), K-
Nearest Neighbor (KNN), Classification And Regression Tree (CART), Gaussian Naive Bayes
(NB), and Support Vector Machine (SVM) [10]. The confusion matrix has been calculated for
each ML algorithm. A confusion matrix is a table with four parameters, as shown in
Table 1. It is used to measure the performance of a classifier on a set of test data for which
the true values are known [37].

Table 1 Confusion Matrix

| | Predicted Negative | Predicted Positive |
|---|---|---|
| Actual Negative | TP | FN |
| Actual Positive | FP | TN |

The four important parameters are True Positive (TP), True Negative (TN), False Positive (FP),
and False Negative (FN). TP is the number of anomaly instances for which the correct scenario
has been detected. TN is the number of normal instances that are correctly detected as normal.
FP is the number of normal instances which are determined as one of the anomaly scenarios. FN
is the number of anomaly instances which are detected as normal scenarios. After calculating
the parameters in the confusion matrix, we can calculate the evaluation metrics, which are
accuracy, precision, recall, and F1-score.
• Accuracy is the most important performance metric. It is simply the sum of true
  positives and true negatives divided by the total of the confusion matrix components,
  as shown in Eq. 1. The model with the highest accuracy is the best one, but it is
  important to ensure that we have symmetric datasets where false positive values and
  false negative values are almost the same. Therefore, it is necessary to calculate the
  other parameters to evaluate the performance of our model.

$$\text{Accuracy} = \frac{TP + TN}{TP + FP + FN + TN} \qquad (1)$$

• Precision is the ratio between the predicted true positive values and the sum of all
  predicted positive values, as shown in Eq. 2.

$$\text{Precision} = \frac{TP}{TP + FP} \qquad (2)$$

• Recall is the ratio between the predicted true positive values and the sum of
  predicted true positive values and predicted false negative values, as shown in Eq. 3.

$$\text{Recall} = \frac{TP}{TP + FN} \qquad (3)$$

• F1 score, as shown in Eq. 4, is the harmonic mean of precision and recall, so both false
  positives and false negatives are taken into consideration to calculate this score. If false
  positives and negatives have an almost similar cost, we can depend on accuracy. However, if
  the cost of false positives and negatives is different, it is better to depend on precision
  and recall or the F1 score.

$$\text{F1 Score} = \frac{2 \times (\text{Recall} \times \text{Precision})}{\text{Recall} + \text{Precision}} \qquad (4)$$
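The definitions in Eqs. 1 to 4, applied to both the binary anomaly label and a multi-class affected-component label, as an added example that is not code from the paper. It assumes one-vs-rest counting per class and macro-averaging across classes (the paper does not say how its multi-class scores were averaged); the label sequences are constructed, not taken from the dataset, and show two predictors with identical accuracy but very different recall.

```python
"""Confusion-matrix metrics (Eqs. 1-4), counted one-vs-rest per class."""


def confusion_counts(y_true, y_pred, positive):
    """Return (TP, FP, FN, TN), treating `positive` as the anomaly class."""
    tp = fp = fn = tn = 0
    for actual, predicted in zip(y_true, y_pred):
        if predicted == positive:
            if actual == positive:
                tp += 1
            else:
                fp += 1
        elif actual == positive:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def ratio(num, den):
    # A class that is never predicted or never present gives 0/0; score it 0.
    return num / den if den else 0.0


def class_metrics(y_true, y_pred, positive):
    tp, fp, fn, tn = confusion_counts(y_true, y_pred, positive)
    precision = ratio(tp, tp + fp)                           # Eq. 2
    recall = ratio(tp, tp + fn)                              # Eq. 3
    return {
        "accuracy": ratio(tp + tn, tp + fp + fn + tn),       # Eq. 1
        "precision": precision,
        "recall": recall,
        "f1": ratio(2 * recall * precision, recall + precision),  # Eq. 4
    }


def evaluate(y_true, y_pred):
    """Overall accuracy plus macro-averaged precision, recall and F1."""
    if not y_true or len(y_true) != len(y_pred):
        raise ValueError("y_true and y_pred must be non-empty and equal length")
    labels = sorted(set(y_true) | set(y_pred))
    per_class = {c: class_metrics(y_true, y_pred, c) for c in labels}
    report = {"accuracy": sum(a == p for a, p in zip(y_true, y_pred)) / len(y_true)}
    for name in ("precision", "recall", "f1"):
        report[name] = sum(per_class[c][name] for c in labels) / len(labels)
    report["per_class"] = per_class
    return report


def to_binary(labels, normal="None"):
    """Collapse component labels into a binary Normal/Anomaly label."""
    return ["Normal" if label == normal else "Anomaly" for label in labels]


# Constructed sample (not from the dataset): 16 normal records, 4 anomalous.
Y_TRUE = ["None"] * 16 + ["Network"] * 2 + ["Ultrasound Sensor"] * 2
# Baseline that never raises an alert.
Y_SILENT = ["None"] * 20
# Detector with three false alarms and one missed ultrasound anomaly.
Y_DETECTOR = (["None"] * 13 + ["Network"] * 3 + ["Network"] * 2
              + ["Ultrasound Sensor", "None"])

if __name__ == "__main__":
    for name, pred in (("silent", Y_SILENT), ("detector", Y_DETECTOR)):
        multi = evaluate(Y_TRUE, pred)
        binary = class_metrics(to_binary(Y_TRUE), to_binary(pred), "Anomaly")
        print(f"{name:9s} accuracy={multi['accuracy']:.2f} "
              f"macro-recall={multi['recall']:.2f} "
              f"anomaly-recall={binary['recall']:.2f}")
```

Both predictors score 80% accuracy on this imbalanced sample, yet the silent baseline detects no anomaly at all, which is the situation the accuracy caveat above describes.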

6.4 Results analysis and discussion

In the experiments, the evaluation metrics calculated are accuracy, precision, recall, and F1-
score. These metrics have been calculated for 6 classification techniques: LR, LDA, KNN,
CART, NB, and SVM. There are 6 experiments, each of which has a different class or label.
The purpose of the first experiment is to alert the administrator or operator when an anomaly
occurs without showing the associated scenario. This experiment will provide the operator of
the critical infrastructure with binary output. Figure 7 shows the results for evaluation metrics
for six classification techniques applied to the dataset. The highest accuracies reached were
94% for CART, 91% for KNN and SVM, and 88% for LDA. The best classification
techniques in precision are SVM, LDA, and CART, respectively. According to recall, the best
technique is CART then NB. Finally, the best technique in F1-score is CART then KNN and
SVM, respectively. Therefore, in this experiment, CART is considered the best technique
because it results in the highest scores for accuracy, recall, and F1-score.
The second experiment detects the affected component in the water system. The results of
this experiment help the operator detect the component of the water system affected by the
attack. In this experiment, the results are not binary as in the first experiment; instead,
the results are None, Ultrasound Sensor, Discrete sensor 1, Discrete sensor 2, Network, and
Whole subsystem. Figure 8 shows the results for evaluation metrics for six classification
techniques applied to data. The highest accuracies reached are 82%, 55%, and 53% for CART,
LR, and NB, respectively. The best classification techniques for precision are CART, LR, and
LDA, respectively. According to recall, the best technique is CART then NB. Finally, the best
technique in F1-score is CART then LR and LDA, respectively. Therefore, in this experiment
also, CART is considered the best technique because it results in the highest scores in all
evaluation metrics.
The third experiment detects the combined affected component. In this experiment, the
results are not binary as in the first experiment; instead, the results are None, Ultrasound
Sensor, Discrete sensor, Network, and Whole system. Figure 9 shows the results for evaluation
metrics for six classification techniques applied to data. The highest accuracies reached are
84%, 62%, and 56% for CART, LR, and LDA, respectively. The best classification techniques in
precision are CART, LR, and NB, respectively. According to recall, the best technique is CART
then NB. Finally, the best technique in F1-score is CART then LR and NB, respectively.
Therefore, in this experiment also, CART is considered the best technique because it results in
the highest scores in all evaluation metrics, and the second and third techniques with high
scores are LR and NB, respectively.

| Technique | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| LR | 87% | 78% | 51% | 49% |
| LDA | 88% | 87% | 53% | 53% |
| KNN | 91% | 85% | 70% | 75% |
| CART | 94% | 86% | 86% | 86% |
| NB | 67% | 63% | 80% | 60% |
| SVM | 91% | 90% | 68% | 74% |

Fig. 7 Comparison between classification techniques for anomaly class

| Technique | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| LR | 55% | 60% | 53% | 55% |
| LDA | 51% | 56% | 51% | 51% |
| KNN | 44% | 45% | 38% | 40% |
| CART | 82% | 82% | 81% | 81% |
| NB | 53% | 51% | 54% | 47% |
| SVM | 46% | 54% | 38% | 40% |

Fig. 8 Comparison between classification techniques for affected component class

The fourth experiment detects the combined situation. The values of this class are normal,
plastic bag, Blocked measure, Floating objects, Humidity, Sensor Failure, Denial of Service
(DoS), Spoofing, Wrong connection, and Person hitting. Figure 10 shows the results for
evaluation metrics for six classification techniques applied to data. The highest accuracies
reached are 81%, 60%, and 51% for CART, LR, and LDA, respectively. The best classification
techniques for precision are CART, NB, and SVM, respectively. According to recall, the
best technique is CART then NB. Finally, the best technique in F1-score is CART then LR and
NB, respectively. Therefore, in this experiment also, CART is considered the best technique
because it results in the highest scores in all evaluation metrics.

| Technique | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| LR | 62% | 71% | 57% | 57% |
| LDA | 56% | 62% | 54% | 50% |
| KNN | 48% | 52% | 43% | 46% |
| CART | 84% | 86% | 86% | 86% |
| NB | 54% | 63% | 64% | 54% |
| SVM | 49% | 59% | 43% | 46% |

Fig. 9 Comparison between classification techniques for Combined Affected Component class

| Technique | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| LR | 60% | 59% | 60% | 54% |
| LDA | 51% | 54% | 62% | 51% |
| KNN | 42% | 52% | 53% | 52% |
| CART | 81% | 87% | 87% | 87% |
| NB | 40% | 64% | 62% | 53% |
| SVM | 45% | 60% | 49% | 52% |

Fig. 10 Comparison between classification techniques for Combined Situation class

The fifth experiment detects the operational scenario, which can be Normal, Accident/Sabotage,
Breakdown/Sabotage, Breakdown, Cyber-attack, and Sabotage. Figure 11 shows the
results for evaluation metrics for six classification techniques applied to data. The highest
accuracies reached are 83%, 63%, and 59% for CART, LR, and LDA, respectively. The best
classification techniques for precision are CART, LR, and LDA, respectively. According to
recall, the best technique is CART then LR. Finally, the best technique in F1-score is CART
then LR and LDA, respectively. Therefore, in this experiment similarly, CART is considered
the best technique because it results in the highest scores in all evaluation metrics.
The sixth experiment detects the situation. The values of this class are normal, plastic bag,
Blocked measure, Floating objects, Humidity, Sensor Failure, Denial of Service (DoS),
Spoofing, Wrong connection, Person hitting low intensity, and Person hitting high intensity.
Figure 12 shows the results for evaluation metrics for six classification techniques applied to
data. The highest accuracies reached are 81%, 60%, and 52% for CART, LR, and LDA,
respectively. The best classification techniques for precision are CART, NB, and SVM,
respectively. According to recall, the best technique is CART then NB. Finally, the best
technique in F1-score is CART then NB and LR, respectively. Therefore, in this experiment
also, CART is considered the best technique because it results in the highest scores in all
evaluation metrics.

| Technique | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| LR | 63% | 73% | 59% | 59% |
| LDA | 59% | 71% | 57% | 56% |
| KNN | 45% | 50% | 42% | 44% |
| CART | 83% | 85% | 85% | 85% |
| NB | 31% | 49% | 38% | 33% |
| SVM | 47% | 56% | 42% | 45% |

Fig. 11 Comparison between classification techniques for Operational Scenario class

| Technique | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| LR | 60% | 63% | 60% | 57% |
| LDA | 52% | 59% | 65% | 53% |
| KNN | 42% | 55% | 54% | 54% |
| CART | 81% | 90% | 90% | 90% |
| NB | 47% | 79% | 76% | 72% |
| SVM | 44% | 64% | 48% | 51% |

Fig. 12 Comparison between classification techniques for Operational Situation class

To validate the study in this work, a comparative study between six machine learning
algorithms for the six experimental scenarios is provided in Table 2. From the
results, it is observed that the CART algorithm gives the best accuracy value for most of the
classes compared to the other algorithms. The simulation results present a comparative
analysis with detailed results for better justification and analysis of the performance of the
machine learning algorithms with the proposed system. The results reveal that the CART method
provides acceptable results regarding the classification precision, sensitivity, and F-Score.
Likewise, from Table 3, the importance of the proposed system is
quite evident. The proposed system is introduced to develop an anomaly detection scheme for
the water-based IIoT system using machine learning algorithms. Therefore, the proposed
scheme can help to accomplish the following:

• Offer a data science system for classifying anomaly events and activities in water-based
  critical industrial infrastructure, comprising cyber-attacks, sabotage, and industrial
  hardware failures, using several machine learning algorithms.
• Classify and detect abnormal events to prevent illegitimate activities by criminals
  against the industrial systems. Therefore, this system can help the industrial operator to
  alleviate cyber-attacks when an incident is detected after alarm notifications have arisen.
  This scheme is assessed over real-world datasets along with conducting a performance
  assessment through different experiment scenarios with different machine learning
  approaches.

Table 2 An assessment of the six ML algorithm with six different classes

Accuracy % per class and algorithm:

| Class | LR | LDA | KNN | CART | NB | SVM |
|---|---|---|---|---|---|---|
| Anomaly | 87 | 88 | 91 | 94 | 67 | 91 |
| AffectedComponent | 55 | 51 | 44 | 82 | 53 | 46 |
| CombinedAffectedComponent | 55 | 51 | 44 | 82 | 53 | 46 |
| CombinedSituation | 62 | 56 | 48 | 84 | 54 | 49 |
| Operational Scenario | 63 | 59 | 45 | 83 | 31 | 47 |
| Situation | 60 | 52 | 42 | 81 | 47 | 44 |

Table 3 Comparative analysis of the proposed scheme with existing systems

| Author and Year | Dataset | Techniques | Evaluation Metrics |
|---|---|---|---|
| H. Hindy et al. 2019 [21] | Water Dataset | LR, NB, KNN, SVM, DT and RF | Accuracy |
| Pahl et al. 2018 [31] | Own dataset | K-Means BIRCH Clustering | Accuracy |
| Liu et al. 2018 [27] | Own dataset | Light Probe Routing | Identification Rate |
| Diro et al. 2018 [14] | NSL-KDD [26] | Neural Network | Accuracy |
| Brun et al. 2018 [8] | Own dataset | Random Dense Neural Network | Attack probability predicted by the Dense RNN |
| Aditya Mathur 2018 [28] | Own dataset | CUSUM method; the newer method based on the notion of state entanglement | – |
| Pajouh et al. 2018 [32] | NSL-KDD [26] | Naive Bayes; K-Nearest Neighbor | Identification Rate |
| Anthi et al. 2018 [7] | Own dataset | Naive Bayes | Precision; recall; F1 score |
| D’angelo et al. 2015 [13] | NSL-KDD [26]; Real Traffic Data | U-BRAIN | Accuracy |
| Taeshik Shon et al. 2007 [36] | Live dataset captured from a real network | Enhanced SVM | m-fold cross-validation |
| Proposed System | Critical Infrastructure (Water System) | LR, LDA, KNN, CART, NB, and SVM | Accuracy; Precision; Recall; F1-Score |

7 Conclusion and future work

The prime aim of this research is the analysis and classification of anomaly events in critical
IIoT-based SCADA water infrastructure using an intelligent data science system. The
proposed system was evaluated and tested with different experiments. The performance
evaluation was calculated after testing the proposed system with a real-world dataset
covering 15 anomaly scenarios. Several machine learning algorithms are used:
Logistic Regression (LR), Linear Discriminant Analysis (LDA), K-Nearest Neighbor
(KNN), Classification and Regression Tree (CART), Gaussian Naive Bayes (NB), and
Support Vector Machine (SVM). The results in this paper suggest that
the CART algorithm gives the best results for classification based on the assessment
parameters and metrics such as accuracy, precision, recall, and F1-score. In future work, we plan to
apply different deep learning algorithms within the proposed scheme along with working on
different datasets in the area of critical industrial control systems.

References

1. Abbasi M, Vakilian S, Fanian A, Khosravi MR (2019) Ingredients to enhance the performance of two-stage
TCAM-based packet classifiers in internet of things: greedy layering, bit auctioning and range encoding.
EURASIP J Wirel Commun Netw 2019(1):1–15

2. Abbasi M, Mousavi N, Rafiee M, Khosravi MR, Menon VG (2020) A CRC-Based Classifier Micro-Engine
for Efficient Flow Processing in SDN-Based Internet of Things. Mob Inf Syst 2020
3. Abbasi M, Pasand EM, Khosravi MR (2020) Workload allocation in IoT-fog-cloud architecture using a
multi-objective genetic algorithm, J Grid Comput, pp 1–14
4. Adepu S, Mathur A (2016) Distributed detection of single-stage multipoint cyber attacks in a water
treatment plant. In: Proceedings of the 11th ACM on Asia Conference on Computer and
Communications Security, pp 449–460
5. Amin S, Litrico X, Sastry SS, Bayen AM (2012) Cyber security of water SCADA systems part II: attack
detection using enhanced hydrodynamic models. IEEE Trans Control Syst Technol 21(5):1679–1693
6. Amin S, Litrico X, Sastry S, Bayen AM (2012) Cyber security of water SCADA systems part I: analysis and
experimentation of stealthy deception attacks. IEEE Trans Control Syst Technol 21(5):1963–1970
7. Anthi E, Williams L, Burnap P (2018) Pulse: an adaptive intrusion detection for the internet of things
8. Brun O, Yin Y, Gelenbe E, Kadioglu YM, Augusto-Gonzalez J, Ramos M (2018) Deep learning with dense
random neural networks for detecting attacks against iot-connected home environments. In: International
ISCIS Security Workshop, pp 79–89
9. Cárdenas AA, Amin S, Lin Z-S, Huang Y-L, Huang C-Y, Sastry S (2011) Attacks against process control
systems: risk assessment, detection, and response. In: Proceedings of the 6th ACM symposium on
information, computer and communications security, pp 355–366
10. Chen F, Deng P, Wan J, Zhang D, Vasilakos AV, Rong X (2015) Data mining for the internet of things:
literature review and challenges. Int J Distrib Sens Networks 11(8):431047
11. Cheng L, Tian K, Yao DD (2017) Orpheus: Enforcing cyber-physical execution semantics to defend against
data-oriented attacks. In: Proceedings of the 33rd Annual Computer Security Applications Conference, pp
315–326
12. Colbert EJM (2016) Cyber-security of SCADA and Other Industrial Control Systems, vol 66. Springer
13. D’angelo G, Palmieri F, Ficco M, Rampone S (2015) An uncertainty-managing batch relevance-based
approach to network anomaly detection. Appl Soft Comput 36:408–418
14. Diro AA, Chilamkurti N (2018) Distributed attack detection scheme using deep learning approach for
internet of things. Futur Gener Comput Syst 82:761–768
15. El-Din HE, Manjaiah DH (2017) Internet of Nano Things and Industrial Internet of Things, in Internet of
Things: Novel Advances and Envisioned Applications, Springer, pp 109–123
16. Essa YM, Hemdan EE-D, El-Mahalawy A, Attiya G, El-Sayed A (2019) IFHDS: intelligent framework for
securing healthcare BigData. J Med Syst 43(5):124
17. Hemdan EE-D, Manjaiah DH (2016) A cloud forensic strategy for investigation of cybercrime, in 2016
International Conference on Emerging Technological Trends (ICETT), pp 1–5
18. Hemdan EE-D, Manjaiah DH (2018) Cybercrimes investigation and intrusion detection in internet of things
based on data science methods. In: Cognitive Computing for Big Data Systems Over IoT, Springer, Cham,
pp 39–62
19. Hemdan EED, El Fishawy N, Attiya G, El-Samie FA (2013) An Efficient Image Watermarking approach
based on Wavelet Fusion and Singular Value Decomposition in Wavelet Domain. In: Proceeding of 3rd
International Conference on ADVANCED CONTROL CIRCUITS AND SYSTEMS (ACCS’013), no 1–
10
20. Hindy H, Brosset D, Bayne E, Seeam A, Bellekens X (2019, January) Improving SIEM for critical SCADA
water infrastructures using machine learning. In Computer Security: ESORICS 2018 International
Workshops, CyberICPS 2018 and SECPRE 2018, Barcelona, Spain, September 6–7, 2018, Revised
Selected Papers (Vol. 11387). Springer, p 3
21. Hindy H, Brosset D, Bayne E, Seeam A, Bellekens X (2019) Improving SIEM for critical SCADA water
infrastructures using machine learning. Lect Notes Comput Sci (including Subser Lect Notes Artif Intell
Lect Notes Bioinformatics) 11387 LNCS:3–19
22. Khosravi MR, Samadi S (2019) Reliable data aggregation in internet of ViSAR vehicles using chained dual-
phase adaptive interpolation and data embedding. IEEE Internet Things J 7(4):2603–2610
23. Khosravi MR, Samadi S (2019) Efficient payload communications for IoT-enabled ViSAR vehicles
using discrete cosine transform-based quasi-sparse bit injection. EURASIP J Wirel Commun Netw 2019(1):262
24. Laso PM, Brosset D, Puentes J (2017) Dataset of anomalies and malicious acts in a cyber-physical
subsystem. Data Br 14:186–191
25. Lin W, Yin X, Wang S, Khosravi MR (2020) A Blockchain-enabled decentralized settlement model for IoT
data exchange services, Wirel. Networks
26. Lippmann RP et al (2000) Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion
detection evaluation. Proc DARPA Information Survivabil Confer Exposition DISCEX’00 2:12–26
27. Liu X, Liu Y, Liu A, Yang LT (2018) Defending ON–OFF attacks using light probing messages in smart
sensors for industrial communication systems. IEEE Trans Ind Informatics 14(9):3801–3811

28. Mathur A (2018) On The Limits of Detecting Process Anomalies in Critical Infrastructure. In: Proceedings
of the 4th ACM Workshop on Cyber-Physical System Security, pp 1–1
29. Menon VG, Jacob S, Joseph S, Sehdev P, Khosravi MR, Al-Turjman F (2020) An IoT-Enabled intelligent
automobile system for smart cities. Internet of Things, 100213
30. Mitchell R, Chen I-R (2014) A survey of intrusion detection techniques for cyber-physical systems. ACM
Comput Surv 46(4):55
31. Pahl M-O, Aubet F-X (2018) All eyes on you: Distributed Multi-Dimensional IoT microservice anomaly
detection. In 2018 14th International Conference on Network and Service Management (CNSM), pp 72–80
32. Pajouh HH, Javidan R, Khayami R, Ali D, Choo K-KR (2016) A two-layer dimension reduction and two-
tier classification model for anomaly-based intrusion detection in IoT backbone networks. IEEE Trans
Emerg Top Comput
33. Randhawa K, Loo CK, Seera M, Lim CP, Nandi AK (2018) Credit card fraud detection using AdaBoost and
majority voting. IEEE access 6:14277–14284
34. Selim GEI, Hemdan EZZ, Shehata AM, El-Fishawy NA (2019) Anomaly Activities Detection System in
Critical Water SCADA Infrastructure Using Machine Learning Techniques. Menoufia J Electron Eng Res
28(ICEEM2019-Special Issue):343–384
35. Sheppard K (2012) Introduction to python for econometrics, statistics and data analysis. Self-published
University of Oxford version 2
36. Shon T, Moon J (2007) A hybrid machine learning approach to network anomaly detection. Inf Sci (Ny)
177(18):3799–3821
37. Simple guide to confusion matrix terminology. [Online] (2020). Available:
https://www.dataschool.io/simple-guide-to-confusion-matrix-terminology/. [Accessed: 19-Mar-2020].

Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and
institutional affiliations.

Gamal Eldin I. Selim received his B.Sc. from the Department of Computer Science & Engineering, Faculty
of Electronic Engineering, Menoufia University, Egypt, in 2011. He received his M.Sc. from the Department of
Computer Science and Engineering, Faculty of Electronic Engineering, Menoufia University, Egypt, in 2016. He
is working towards his Ph.D. degree in the Department of Computer Science & Engineering, Faculty of
Electronic Engineering, Menoufia University, Egypt. His research areas of interest include Data Science,
Machine Learning, Cyber-Security, and Industrial Internet of Things.

Ezz El-Din Hemdan received his B.Sc. from the Department of Computer Science & Engineering, Faculty of
Electronic Engineering, Menoufia University, Egypt, in 2009. He received his M.Sc. from the Department of
Computer Science and Engineering, Faculty of Electronic Engineering, Menoufia University, Egypt, in 2013. He
received his Ph.D. degree in the Department of Computer Science, Mangalore University, India in 2018. He has
several publications in national/international conferences and journals. His research areas of interest include
Cancelable Biometric, Blockchain, Digital Twins, Image Processing, Virtualization, Cloud Computing, Internet
of Things/Nano-Things, Cryptography, Data Hiding, Digital Forensics, Cloud Forensics, Big Data Forensics,
Data Science and Big Data Analytics.

Ahmed M. Shehata received his B.Sc. from the Department of Computer Science & Engineering, Faculty of
Electronic Engineering, Menoufia University, Egypt, in 1995. He received his M.Sc. from the Department of
Computer Science and Engineering, Faculty of Electronic Engineering, Menoufia University, Egypt, in 2001. He
received his Ph.D. degree in the Department of Computer Science and Engineering, Faculty of Electronic
Engineering, Menoufia University, Egypt, in 2007. His research areas of interest include Deep learning,
Database analysis, Authentication, biometrics, Data Science, and Big Data Analytics.

Nawal A. El-Fishawy received the Ph.D. degree in mobile communications, Faculty of Electronic Eng.,
Menoufia University, Menouf, Egypt, in collaboration with Southampton University in 1991. Her research
interest includes computer communication networks with emphasis on protocol design, traffic modeling, and
performance evaluation of broadband networks and multiple access control protocols for wireless communica-
tions systems and networks. Now she directed her research interests to the developments of security over wireless
communications networks (mobile communications, WLAN, Bluetooth), VOIP, and encryption algorithms. She
has served as a reviewer for many national and international journals and conferences.

Affiliations

Gamal Eldin I. Selim 1 & EZZ El-Din Hemdan 1 & Ahmed M. Shehata 1 &
Nawal A. El-Fishawy 1

1 Computer Science and Engineering Department, Faculty of Electronic Engineering, Menoufia University,
Menoufia, Egypt
