Journal of Environmental Protection and Ecology 24, No 7, 2515–2524 (2023)

Computer application

CYBER ATTACKS DETECTION USING GoogleNet

MODEL FOR ENVIRONMENTAL AWARE SMART CITY
APPLICATIONS

A. MEENAKSHIa*, S. DEVI MAHALAKSHMIb,

S. VANITHA SIVAGAMIb, M. RAJASEKARANc
a
HOD-Department of Computer Science and Engineering, Kamaraj College of
Engineering and Technology, 625 701 Near Virudhunagar, Tamil Nadu, India
E-mail: [email protected]
b
Department of Computer Science and Engineering, Mepco Schlenk
Engineering College, 626 005 Sivakasi, Tamil Nadu, India
c
Department of Computer Science and Engineering, Kamaraj College of
Engineering and Technology, 625 701 Near Virudhunagar, Tamil Nadu, India

Abstract. With the exponential rise in cybersecurity assaults, it is more important than ever to de-
velop more accurate prediction models and strategies for sensor systems and IoT-based settings. This
problem is currently unsolved since current attack forecasting techniques are unable to maintain up
with the enormous volume and diversity of attacks. Deep learning approaches in particular have lately
attracted a lot of attention from academics because to their unrivaled efficacy in various prediction-
based areas. This study examines how deep learning algorithms may be used in this environment
to foresee cybersecurity attacks. The cybersecurity research sector has free public access to many
intrusion detection datasets for additional investigation. However, no prior study has thoroughly in-
vestigated the suggested model’s performance on a range of publicly available datasets. The publicly
available intrusion dataset must be refreshed and benchmarked often due to the changing character of
the assault and its quickly evolving attack tactics. This type of study makes it possible to determine
the best effective algorithm for predicting upcoming cyberattacks. We suggested a cutting-edge deep
learning method called GoogleNet for identifying threats. The ideal network settings for the sug-
gested LSTM-AE (Long Short-Term Memory- Autoencode) are chosen using the new version data
set of the KDD’99 (NSL-KDD) dataset. The investigational findings demonstrate the viability and
applicability of the suggested hybrid model for identifying assaults in contemporary circumstances.
Keywords: convolutional neural network, deep neural networks, network intrusion detection, deep
learning, GoogleNet and NSL-KDD dataset.

AIMS AND BACKGROUND

Network-based datasets are used by the majority of intrusion detection methods
in commercial internet of things cyber security1–3. One of the most frequently
targeted protocols is the Modbus one, and in recent years, cyber-attacks involving
IoT/IIoT devices have become a significant danger. Identifying these attacks using
*
For correspondence.

2515
standard approaches may be challenging due to the protocol’s complexity and the
rapid growth of cyber threats4,5. In Ref. 6, the authors employ a hybrid DL models
with an LSTM-AE integrating a cyber-attacks recognition systems to identify and
address research issues using concurrent machine learning techniques and system
implementations. The data set for route scheduling is created by a CAV, which
communicates with it through the cloud-dew network. Many CAVs utilise the same
data profiles in their simulation to plan moves on a single highway environment.
By contrasting different processing units, they assess the setup in a distributed
architecture using synchronous information parallelism, which provides a quicker
training runtime. The TON-IoT dataset is used by researchers to construct an intru-
sion detection system employing reinforcement learning based networks in order to
identify attack on IoT devices7. To more precisely identify online dangers, they use a
deep Q-network (DQN). Researchers compare many well-known machine learning
models to their reinforcement learning model. They discover that their DQN yields
the best results for detecting cyberattacks8. It is proposed that machine learning
methods be used for tracking exchanges of information among controllers, sensors
processes, and final controls on equipment in order to discover abnormalities in
such data transfers. The PCN of energy design is described in several studies. Allan
Bradley’s RSLogic 5000 PLC Simulation software and Deep-Learning Toolkit,
MATLAB, and Python 3.0 Libraries were used to mimic the process control.
The experiments’ findings show how trustworthy and practical different machine
learning techniques are for spotting these problems. Man-in-the-middle (MitM)
attacks could be accurately detected with tree techniques (bagged or coarse), while
accuracy-computation difficulties trade-offs were seen. A methodology for solving
the issue of identifying novel assaults has been described9. It uses a rules-based
deep neural networks technique. The created framework considerably enhances
the outcomes of each benchmark, using the CICIDS 2017 database. The conse-
quences of the tests demonstrate that the offered model maintains a good balance
between assault detection, false positive prices, as with untruthful negative rates.
The model is more than 99% accurate for new assaults. Privacy and security are
the main challenges when network devices interact automatically (IoT). Authors
suggested approach may effectively overcome these challenges and, in the end,
recognise and categorise the various levels of risks. A deep learning with reinforce-
ment technique is suggested as a viable remedy for the issue of power theft10. The
real dataset samples are used as the training environment, and incentives are sup-
plied depending on training-related detection mistakes. Particularly, four different
scenarios are detailed for the recommended method. Using two alternative deep
neural network architectures, deep Q network with double deep Q networking, a
global detecting model is originally built. In order to attain excellent accuracy in
detection while guarding against zero-day attacks, the global detectors are also
utilised to create a tailored detection approach for new clients. Third, in the third

2516
scenario, the existing consumers’ shifting consumption patterns are taken into ac-
count. The 4th case study talks about the difficulties in stopping recently started
cyber attacks. According to considerable testing that was done, the recommended
DRL approach may be able to effectively detect new consumption trends, changes
in the purchase behaviors of present clients, and newly launched cyber attacks.
Additionally, it can help identify hacks that steal electricity. Because of the fast
creation and dissemination of sophisticated cyber attacks throughout the Internet,
some analysts use various information analysis and learning methodologies to
create cyber security. Redesigning security systems to be more responsive to
threats and more successful in preventing intrusions is necessary to combat the
growing prevalence of cyber attacks. To effectively assess cyber security data as
well as build the necessary tools and forms to shield against cyber-attacks, you
need more than a basic set of functional specifications and information around
risk or vulnerabilities. The suggested system is based on machine learning, with
an emphasis on cyber security as well as intrusion detection. Where a dataset
consisting of information gathered from major cyber security resources (KDDs)
is being constructed to counteract cyber security threats.

EXPERIMENTAL
To get the best results for detection, the dataset should be processed extensively
before being utilised for classification. For improving the precision of category
recognition, the right data processing approach is essential. When taking into ac-
count the likelihood that the actual data were produced (Table 1).

Table 1. Tuning parameters via a matrix

Parameters
ε ρ δ Accuracy
0.1 0.03 0.2 96.06
0.5 0.04 0.5 96.10
0.5 0.02 0.8 96.17
0.01 0.05 0.7 96.13

Classifier detection necessitates processing due to issues such as differences

in kind or order of magnitude. Classifier outputs are dependent on both the clas-
sification approach and the data treatment technique used, as discussed futher.
Nominal type conversion. The network is a rich source of information for intrusion
detection, with various attributes included in each connection record. Attribute
features of the minimal type are also included here, in alongside the more fun-
damental numeric kinds. Unfortunately, the vast majority of currently available

2517
classifiers can only handle numeric data, making it essential to transform any data
of nominal kind.
Since information of the numerical kind in the range of values [0, 1] may be
retrieved directly, this work employs the PMF technique to transform the nomina-
tive type in the set of data into a numeric one (Fig. 1). Since the data dimensions
are unaltered, there is no requirement for normalising the output. This reduces the
complexity of preparing the data since it is the same as conducting a nominal type
conversion with normalisation simultaneously.

Training set

Train classifier

Optimal parameters

Feature
Data Preprocessing Accuracy results
vectors

Test set

Trained classifier

Attack detection

Fig. 1. Proposed system architectural flow

Numerical type normalisation. An important aspect of the collection is the normalis-

ing of numerical types. Indeed, the value range varies across records in the collec-
tion due to the fact that feature values vary between dimensions. By establishing
a level of comparability between the features of many dimensions, normalisation
greatly enhances the quality of the data.

CLASSIFICATION

A subset of machine learning called deep learning focuses on how neurons in the
brain work. In the form of artificial neural networks (ANNs), these techniques
are implemented. Various strategies, including both supervised also unsupervised
learning, can be utilised to train a machine learning or deep learning algorithm.
The categorisation of data examples that have been labelled throughout the train-
ing phase requires supervised learning.
Filtering the data can assist minimising the quantity of data needed, as deep
learning models need a lot of data to train. For instance, removing pointless or
redundant characteristics might make the data less dimensional and easier to train

2518
on. Additionally, data cleansing can assist guarantee that the information used
to train a model are impartial and representative. Predictions that are unjust or
immoral might result from biases in the data, such as race or gender biases. The
datasets are adjusted for all features to prevent disparities in the results of feature
quantifying and to stop features with a broad value range from affecting the model’s
output. Data normalisation may increase the model’s accuracy and hasten model
solution. The dataset containing a collection of features is assumed to be X1, X2,
and the Min-Max normalisation technique is used. The following equation is the
normalisation equation for a particular collection of data, Xi, in the set:
Xi′ = (Xi – XMin)/(XMax – XMin), (1)
where Xi′ is the dataset’s normalised data, while XMin and XMax represent the dataset’s
minimum and maximum values, respectively.

224 *224 *3 channels Multi-label

Sigmoid

Multiple convolutional layer +ReLu activation+max

pooling layer+Transfer learning + dense Predictions

Fig. 2. GoogleNet architecture

A subtype of deeper neural networks called GoogleNet was previously em-

ployed to assess network functions and performed better than VGG Networks and
other models. By choosing the properties of the kernel function, this convolution
function preserves the spatial relationship between the input data. The kernel val-
ues are changed automatically according to the optimal structural configuration.
The aspect plot’s size is determined by the layer depth. Prior to convolution, the
supplemental nonlinear function is used to create feature maps. According to equa-
tion (2), the nonlinear activation might resemble a ReLu (Rectified linear unit).
A multiple levels neural layer called the Fully Connected Layer (FCL) starts the
result layer using softmax initiation. The nodes of the following layer are linked
to those of the preceding layer. A straightforward GoogleNet model may be built
as shown in Fig. 2. Equation (2) is used to calculate the categories cross-entropy
loss function, which measures the loss of a sample:
cutput_size
Loss = – ∑i=1 yi logi. (2)
The loss function’s derivatives with respect to every weight in the network’s
layers and for every value in the training set may be calculated using the above
formula as in equation (2) since the softmax value is used for activating the output

2519
layer. The ReLu activation mechanism is used to activate additional hidden layers.
Gradient-based optimisation methods, which need smooth and continuous data, are
used to optimise deep learning models. If there are any abnormalities or outliers in
the data, the optimisation algorithm can have trouble locating the global minimum.

RESULTS AND DISCUSSION

DATASET SPECIFICATION

One of the most popular training sets is the KDD Cup 99 database, which depends
on the DARPA 1998 database. There are 4 900 000 repeated assaults in this dataset.
Five main categories – DoS (Denial of Services attack), U2R (User via Root attack),
Space probes (Probing attack), and Normal – are used to classify the 22 various
types of attacks. There is just one variation of the typical kind that is considered
normal. Every record in the KDD Cup 99 data collection has 41 specified feature
qualities and a class identification. Seven of the 41 fixed qualities are symbolic in
nature, whereas the others occur consistently. Every record in the KDD Cup 99
data set has 41 specified feature attributes and class identification. Seven of the 41
fixed traits are symbolic, while the remainder is continuous. The predetermined
selection of sequences with ‘normal’ connections has provided distribution for
both incursions and regular traffic flow in an initial DARPA database. There are
numerous probability distributions for training and test sets. There are around
five million entries in the complete training dataset. 22 distinct attack types are
included in both the complete training database and the equivalent “10%” in the
same sequence as in the 1998 DARPA trials. A “10%” subset of the test set, which
contains around three million documents, is offered as test data both unlabelled and
labelled, however the entire test set is only accessible unlabelled. With an alternate
breakdown and new assaults not included in the training set, it is designated as
the “corrected” subset. The “10%” subgroup was created with training in mind
during the KDD Cup’99 competition (Table 2). Performance testing may be done
on the roughly 300 000 records that contain 37 distinct assaults that make up the
“corrected” sample.

2520
Table 2. KDD Cup 99 database’s characteristics – cite in the text!!!
No Structures Categories No Structures Categories
1 duration Continuous 22 is_guest_login Symbolic
2 protocol type Symbolic 23 count Continuous
3 service Symbolic 24 sry count Continuous
4 flag Symbolic 25 serror_rate Continuous
5 src bytes Continuous 26 Sn serror rate Continuous
6 dst bytes Continuous 27 rerror rate Continuous
7 Land Symbolic 28 srv rerror rate Continuous
8 wrong fragment Continuous 29 same_sn_ rate Continuous
9 urgent Continuous 30 diff sn rate Continuous
10 hot Continuous 31 drv diff host_rate Continuous
11 num_failed_logins Continuous 32 dst_host_count Continuous
12 logged in Symbolic 33 dst bost sry count Continuous
13 num_compromised Continuous 34 dst_host_same_srv_rate Continuous
14 root_shell Continuous 35 dst_host_diff_srv_rate Continuous
15 su attempted Continuous 36 dat host same sre port rate Continuous
16 num root Continuous 37 dst host_srv diff host rate Continuous
17 num file creations Continuous 38 dst_host_serror_rate Continuous
18 num shells Continuous 39 dst host sry serror rate Continuous
19 num_access_filles Continuous 40 dst_host_rerror_rate Continuous
20 num outhound cmds Continuous 41 dst host sn rerror nate Continuous
21 is bost login Symbolic

PERFORMANCE METRICS

We outline the steps involved in implementing and evaluating the DBN-IDS model
and give supporting information here. At first, we provide the experimental setup,
including hardware and software, as well as assessment metrics and datasets. We
then detail the experimental procedure and data preparation approach. Finally, we
discuss the experiment’s findings and provide a comparison to the most cutting-
edge practices now in use.
The DBN-IDS classification system’s experiments and model construction
were carried out on a server PC furnished with a 3.60 GHz Intel i7-7700 CPU,
Windows 10 operating system, 8 GB of RAM, TensorFlow versions 1.14.0 in
addition Python 3.5.
(1) Its goal is to provide the network model with the parameters and the
forward processing results of the propagation in accordance with the model’s
specifications (Table 3).

2521
Table 3. Confusion matrix’s essential requirements
Classes Forecast negative class Forecast positive class
Actual positive class False negative (FN) True positive (TP)
Actual negative class True negative (TN) False positive (FP)
Note: FN – Forecasts a positive class as a negative class; TP – Forecasts a positive class as a posi-
tive class; TN – Forecasts a negative class as a negative class, and FP – Forecasts a negative class
as a positive class.

(2) This device may be used to provide the data sources, the loss function, as
well as optimisation strategy for back propagation.
(3) The session is constructed, batch data are organised and passed for compu-
tation, the backpropagation process is optimised, and the model is saved at regular
intervals using the graphs built in stages one and two.
Classification reliability (ACC), recall rates (R), accuracy (P), and F-measure
are used to estimate the suggested method for a multi-classification issue. As in-
dicated in Table 4, these metrics may be derived from the confusion matrix’s four
primary criteria.

Table 4. Distinct forms of malicious activity in the NSL-KDD data set

Depiction Attack type Common categories
Denial of service attacks Dos ping-of-death, smurf, syn flood
Unauthorised local superuser privileged U2r buffer overflow attack
access
Unauthorised access from a distant host R21 guessing password
Port tracking nor scanning Probe port-scan, ping-sweep

Several indicators are determined using the four primary criteria presented
in Table 1:
ACC = (TP + TN)/(TP + TN + FP + FN) (3)
P = TP/(TP + FP) (4)
R = TP/(TP + FN) (5)
F-measure = (2 P R)/(P + R) (6)
FPR = FP/(FP + TN), (7)
where ACC is likelihood of a dataset being correctly classified; P – the prediction
that a given class’s dataset contains a greater-than-zero amount of true positive
cases; R – the total number of correctly predicted instances for any particular class
in the data set; F-measure – the F-measure is a complete assessment indicator of
accuracy and recall, which may be thought of as a weighted mean of modelling
precision and recall, and FPR – the fraction of every one of the negative samples
is accounted for by the instance that is determined to be positive.

2522
 We created a model with one GoogleNet as well as two GoogleNet in the
hidden layers of our experiment. DBN-IDS goes through layer-by-layer training
in the pre-training phase to mimic the directions of a single GoogleNet using two
GoogleNet. We use the CD method with these settings for model training: batches
size of 100, fixed amount of training sessions of 100, rate of learning of 0.5, and
step size of 1. The NSL-KDD estimates an experimentally relevant number of 90,
60, and 30 neurons in the hidden layer.
Table 5 shows the best settings for investigating how different DBN-IDS pa-
rameters affect classification precision. The variance factor, the sparsity constraint
variable, and the learning rate are all listed in Table 5.

Table 5. Benchmarks for the proposed model

Depiction R P FPR F-measure ACC
Normal 0.94903 0.96868 0.02334 0.95875 96.17%
Dos 0.98042 0.99348 0.00332 0.98691
Probe 0.98265 0.95427 0.00587 0.96825
R21 0.95243 0.88198 0.01808 0.91585
U2r 0.75500 0.74384 0.00240 0.74938

CONCLUSIONS
In this article, we suggest brand-new two-stage intrusion detection systems that
makes use of a very effective architecture and can examine network behaviour.
For real-time data processing and evaluation, the system uses a distributed deep-
learning model, which contains the GoogleNet model that was chosen for in-depth
comparison with the suggested model. The NSL-KDD Dataset model was trained
and evaluated. To the greatest extent of our understanding, our system employs
the suggested mixed approach to more accurately detect assaults and is capable
of identifying malicious behaviour in a distributed way. The suggested model has
application in several DL areas, including agriculture, health, as well as translating
languages, and has demonstrated a significantly reduced training-related loss rate.

REFERENCES
1. K. B. ADEDEJI, A. M. ABU-MAHFOUZ, A. M. KURIEN: DDoS Attack and Detection Meth-
ods in Internet-enabled Networks: Concept, Research Perspectives, and Challenges. Journal of
Sensor and Actuator Networks (JSAN), 12 (4), 51 (2023).
2. U. D. LEARNING, B. K. SWAIN, C. L. CHOWDHARY, R. GAIN: Indian Sign Language.
Investigations in Pattern Recognition and Computer Vision for Industry 4.0, 2023. p. 53.
3. Ü. ÇAVUŞOĞLU, D. AKGUN, S. HIZAL: A Novel Cyber Security Model Using Deep Transfer
Learning. Arab J Sci Eng, 1 (2023).
4. T. H. ALDHYANI, H. ALKAHTANI: Cyber Security for Detecting Distributed Denial of Service
Attacks in Agriculture 4.0: Deep Learning Model. Mathematics, 11 (1), 233 (2023).

2523
 5. M. M. MOUSSA, L. K. ALAZZAWI: Distributed Hybrid DL Cyber-attacks Detection Using
Data Parallelism in Cloud-Dew Computing. In: Proceedings of the 2023 IEEE Transportation
Electrification Conference & Expo (ITEC), 2023, 1–6.
6. S. ARAVINDAN, A. RAJARAM: Secured Routing Algorithm for MANET in the Environment
Risk Assessment Period. J Environ Prot Ecol, 23 (8), 3583 (2022).
7. C. ROOKARD, A. KHOJANDI: Applying Deep Reinforcement Learning for Detection of
Internet-of-Things Cyber Attacks. In: Proceedings of the 2023 IEEE 13th Annual Computing
and Communication Workshop and Conference (CCWC), 2023, 0389–0395.
8. U. O. OBONNA, F. K. OPARA, C. C. MBAOCHA et al.: Detection of Man-in-the-Middle (MitM)
Cyber-attacks in Oil and Gas Process Control Networks Using Machine Learning Algorithms.
Future Internet, 15 (8), 280 (2023).
9. S. CHAKRABORTY, S. K. PANDEY, S. K. MAITY, L. DEY: Detection and Classification of
Novel Attacks and Anomaly in IoT Network Using Rule Based Deep Learning Model. ArXiv,
abs/2308.00005, (2023).
10. A. T. El-TOUKHY, M. M. BADR, M. MAHMOUD, G. SRIVASTAVA, M. M. FOUDA, M. AL-
SABAAN: Electricity Theft Detection Using Deep Reinforcement Learning in Smart Power
Grids. IEEE Access, 11, 59558 (2023).
Received 22 September 2023
Revised 28 October 2023

2524