Professional Documents
Culture Documents
Abstract— Industry 5.0 is rapidly growing as the next industrial services [4]. This connectivity enables data collection, transmission,
evolution, aiming to improve production efficiency in the 21st cen- and analysis. Thus, it will help to optimize the whole production
tury. This evolution relies mainly on advanced digital technologies,
process. However, such a setup may lead to escalating security threats,
including Industrial Internet of Things (IIoT), by deploying multiple
IIoT devices within industrial systems. Such a setup increases the that can target the IIoT network.
possibility of threats, especially with the emergence of IIoT bot- Indeed, new emerging IIoT attacks have been increasing in strength
nets. This can provide attackers with more sophisticated tools to and sophistication; these attacks have become destructive causing
conduct devastating IIoT attacks. Besides, Machine/Deep Learning huge collateral damage and financial losses of $10.5 Trillion (USD)
(ML/DL) are considered as powerful techniques to efficiently detect
IIoT attacks. However, the centralized way in building learning by 2025 [5]. In addition, the recent emergence of IIoT botnets, such
models and the lack of up-to-date datasets that contain the main as Mirai botnet, and the rapidly increasing number of insecure IIoT
attacks are still ongoing challenges. In this context, Multi-access devices (i.e., about 75 billion IIoT devices by the end of 2025 [6]),
Edge Computing (MEC) and Federated Learning (FL) are two can give attackers more powerful tools to conduct IIoT attacks. As
promising complementary technologies. MEC brings computing
capabilities at the edge of the industrial systems, while feder-
example, on the 2nd of October 2016, Mirai botnet conducted a huge
ated learning leverages the edge resources to enable a privacy- attack using IIoT devices (i.e., Closed Circuit Television Cameras
aware collaborative learning, especially in multi-industrial systems (CCTV)), hence, several common Internet services, including Ama-
context. In this paper, we design a novel MEC-based framework zon and Twitter were unavailable for a number of hours. To alleviate
to secure IIoT applications leveraging federated learning, called these issues, Intrusion Detection Systems (IDSs) must be properly
FedGame. Specifically, FedGame enables multiple MEC domains
to collaborate securely to deal with IIoT attack, while preserving conceived to protect the IIoT network from attacks ranging from
the privacy of IIoT devices. Moreover, a non-cooperative game is Distributed denial-of-service (DDoS) attacks to scanning attacks. In
formulated on top of FedGame, to enable MEC nodes acquiring the this context, machine and deep learning (ML/DL) are considered as
needed virtual resources from the centralized MEC orchestrator, to powerful techniques to efficiently detect IIoT attacks. However, the
deal with each type of IIoT attacks. We evaluate FedGame using
real-world IIoT attacks; the experimental results show not only the
centralized way in building learning models, that needs to share all
accuracy of FedGame against centralized ML/DL schemes while data, even privacy ones, at a central node, in addition to the lack of
preserving the privacy of Industrial systems, but also its efficiency up-to-date data that covers all the main IIoT attacks, are still ongoing
in providing required MECs resources, and thus dealing with IIoT challenges, making it difficult to train efficient ML/DL-based models.
attacks.
Federated learning (FL) has emerged as a promising technique
Index Terms— Edge Computing, Federated Learning, to train a global attack detection model on several edge devices,
IIoT, Non-Cooperative Game, Security threats. without sharing their private sensitive data [7] [8]. Hence, FL can
significantly reduce the privacy risks, which makes it an ideal
candidate in multi-industrial systems. Besides, Multi-access Edge
I. I NTRODUCTION Computing (MEC) has emerged as a novel architecture that brings
Industry 5.0 is rapidly growing as the next industrial evolution cloud computing capabilities, i.e., processing and storage capacity, at
towards more resilient, sustainable, and human-centric industry [1]. the edge of networks [9]. We note that a MEC node comprises a set
Industry 5.0 complements and extends Industry 4.0, in order to of applications’ instances that run as virtual machines, or containers,
optimize the productivity of manufacturing systems in the 21st on top of a virtualization platform. Thus, one pertinent solution is to
century. This evolution combines physical operations and production deploy the IDS application at the MEC nodes, to secure industrial
with advanced digital technologies and Artificial Intelligence (AI) to systems. However, deploying such application may be not supported
build a better and more holistic connected ecosystem, for companies by the MEC computing resources, such as storage, CPU, and memory,
that focus on supply chain management and manufacturing [1] [2]. especially when considering that 5G network is mainly based on
According to the Industry 4.0 standard [2] [3], Industrial Internet MEC, to deploy several services such as collision avoidance, virtual
of Things (IIoT) will play a vital role in taking decentralized and and augmented reality, and data caching. Noting also that MEC nodes
autonomous decisions, by monitoring and supervising manufacturing are limited in terms of resources, as compared to traditional cloud
systems in real time. IIoT refers to a set of interconnected actuators, computing. Therefore, it is critical for the network operators to ensure
sensors, robots, and machines, which build a complex network of an efficient share of MECs’ resources, and hence optimizing the MEC
resource usage.
* Equal contribution In this paper, we design a two-stage distributed and secure collab-
Z. A. El Houda is with the L@bISEN, ISEN Yncréa Ouest, Carquefou, orative architecture, called FedGame. FedGame first leverages MEC
France, e-mail: (zakaria.abou.el.houda@umontreal.ca) and FL to allow multiple MEC based domains, to collaboratively
B. Brik is with the DRIVE EA1859, university of Bourgogne Franche-
Comté, France, e-mail: (bouziane.brik@u-bourgogne.fr) build an efficient learning model. The latter is able to detect IIoT
A. Ksentini is with the Communication Systems Department, EURE- attacks, while preserving the privacy of IIoT devices’ data. Then,
COM, France, e-mail: (adlen.ksentini@eurecom.fr) when detecting an IIoT attack, the MEC nodes compete to get more
L. Khoukhi is with ENSICAEN, Normandie University, GREYC CNRS, virtual resources (i.e., memory, storage, and CPU), to be able in
Caen, France, e-mail: (lyes.khoukhi@ensicaen.fr)
M. Guizani is with the Machine learning Department, Mohamed Bin
dealing with such attacks. However, the required quantity of virtual
Zayed University of Artificial Intelligence, The United Arab Emirates (e- resources depends mainly on the type of detected attack as well as
mail: mguizani@ieee.org). the other critical applications that are already executed on top of each
2 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS.
MEC node. Therefore, we model a non-cooperative game between space and time. Finally, the authors used machine learning schemes
MEC collaborators to scaling up or down their virtual resources, (i.e., k-Nearest Neighbor (k-NN), Random Forest (RF), and support
based on both the type of detected attack and each MEC’s critical vector machine (SVM)) to identify individual attacks stages in the
applications. We evaluate FedGame using UNSW-NB15 dataset [10], generated alert. Ravi et al. [18] proposed LEDEM, a novel method to
[11], which contains the main IIoT attacks, including, shellcode, detect DDoS attacks in SDN. LEDEM focused on mitigating DDoS
generic, analysis, reconnaissance, fuzzers, exploits, DDoS, backdoors, attacks triggered by malicious IoT devices; it used a semi supervised
and worms. The main contributions of this paper can be summarized machine-learning algorithm i.e., extreme learning machine (ELM) to
as follows: detect DDoS attacks.
• We design a two-stage distributed collaborative architecture McDermott et al. [19] developed a new model that makes use
(FedGame) that leverages MEC and FL to allow multiple MEC of SVM and NN to detect network anomalies in wireless sensor
based domains, to collaboratively build an efficient learning networks (WSNs). Moustafa et al. [20] developed a new model that
model. makes use a Gaussian mixture of outliers (OGM)-based architecture
• We model a non-cooperative game between MEC collaborators to detect web attacks; it consists of (1) An Association Rule Mining
to scaling up or down their virtual resources, based on both the (ARM) scheme to extract input features dynamically; and (2) An
type of detected attack and each MEC’s critical applications. OGM classifier to detect network attacks using the best/informative
• We evaluate FedGame in accuracy, detection rate, and F1 score features. The same authors [21] designed a novel framework that uses
using the UNSW-NB15 dataset. The results of the experi- beta mixture-hidden Markov models (MHMMs) to detect network
ments show that FedGame outperforms centralized ML and attacks/anomalies in the context of the industry 4.0. MHMMs was
DL schemes in accuracy and F1 score, while preserving the evaluated on both well-known public datasets i.e., UNSW-NB15 and
privacy of industrial systems. Also, FedGame demonstrates the CPS dataset of sensors.
efficiency of our non-cooperative game in providing required Based on our review of these existing ML and DL-based
MECs resources, and thus dealing with IIoT attacks. schemes [12]–[21], they are based on some specific networks; which
The rest of this paper is organized as follows. In Section II, we generally leads to inaccurate IIoT attack detection models, especially
present a review of related works. Section III describes the design when encountering new IIoT attacks. Besides, in [22], the authors
and specification of the proposed two-stage, FedGame. In Section IV, proposed a survey on MEC-based schemes for resource provisioning.
we evaluate FedGame. Finally, section V concludes the paper. However, most of cited works addressed the question of where
should MEC nodes be deployed? or how to enable an efficient users’
tasks offloading while ensuring a low latency delay?, to the best
II. R ELATED WORK of our knowledge, we found only one work that addresses virtual
The rapid development of ML and DL techniques has revo- resources provisioning from the centralized orchestrator to the MEC
lutionized many domains, including security domain; since then, nodes, proposed in [23]. However, this work targets a very specific
several schemes have adopted ML and DL techniques to improve application of collision detection/avoidance between vehicles. In our
the efficiency of their IDSs. Li et al. [12] designed a two-stage intru- game formulation, we consider not only the requirement of IDS
sion/anomaly detection framework based on artificial intelligence to application, but also the other applications that are running at the
detect intrusions in Software defined Internet of Things networks(SD- MEC level.
IoT). The authors used Bat scheme with two emergent techniques
(i.e., swarm division and binary differential mutation) to select the III. F ED G AME : T WO S TAGE MEC-E NABLED S CHEME
most informative input features. Then, the authors used Random
In this section, we describe the main steps of our FedGame scheme.
Forest (RF) for classification. The proposed solution achieved high
Fig. 1 illustrates the general flow diagram of FedGame steps.
accuracy in detecting illegitimate flows with lower overhead. Luo
et al. [13] proposed a novel framework, called EDL-WADS, that
uses ensemble Deep Learning (DL) techniques to detect IoT attacks, A. Stage1: A Federated Learning-based Model
including web attacks. More specially, the authors designed three DL In this subsection, we describe our federated learning based model,
models, namely the MRN model, the LSTM model, and the CNN ranging from the distributed architecture, to the developed multi-
model to detect these attacks. Then, the authors designed an ensemble classifier model, through the used dataset.
leaning classifier for final classification/decision. Then, an ensemble MEC-enabled architecture: Fig. 2 shows the system architecture
classifier has been used to make the final decision. The authors of our proposed solution. We consider four MEC domains (i.e.,
have evaluated EDL-WADS using CSIC 2010 dataset. Jia et al. [14] MECs: A, B, C, D), where each MEC-based domain supports the
proposed an edge-centric IoT defense scheme, called FlowGuard, to requirements defined for the MEC ETSI standards, each one covers
detect IoT Distributed Denial-of-Service (DDoS) attacks. FlowGuard a particular geographical area in which a set of IIoT devices are
includes the detection, classification, and the mitigation of this attack; already deployed. In addition, the four MEC domains are connected
it uses a novel algorithm that is based on traffic variation metric to the MEC Orchestrator (MEO) and the organization. MEO is in
along with two ML algorithms (i.e., LSTM and CNN) to detect charge of deploying the MEC applications, such as IDS, Collision
malicious traffic. They have evaluated the efficiency of FlowGuard detection/avoidance between mobile robots, and entertainment ap-
with the well-known CICDDoS2019 dataset. Ashfaq et al. [15] plications, on top of virtualized platform at each MEC server. Our
proposed Fuzzy-IDS, a novel method that uses NN along with Sample architecture enables not only building learning models for IIoT-related
Categorization (SC) to detect network anomalies/attacks. Sudheera et intrusion detection, but also to deploy efficiently the IDS application
al. [16] proposed a distributed framework, called Adept, to effectively at the MEC domain level, as detailed in the next sub-sections.
detect and identify individual IoT attack. Adept is a hierarchically Description of IIoT Dataset: In our study, we use UNSW-NB15
distributed framework that works in three phases. First, Adept dataset, which covers the main real-world IIoT attacks. UNSW-NB15
processed locally IoT network traffic for detecting malicious IoT contains a variety of IIoT attacks, including 2218761 records for
devices. Then, once an IoT attack is detected, the security manager normal behavior, in addition to several IIoT attacks, divided as fol-
received a potential anomaly alert to detect patterns correlated across lows: analysis (2677 records), fuzzers (24246 records), DDoS (16353
Z. ABOU EL HOUDA et al.:WHEN FEDERATED LEARNING MEETS GAME THEORY: A COOPERATIVE FRAMEWORK TO SECURE IIOT APPLICATIONS ON EDGE
COMPUTING 3
Industrial IoT
Networks
5.0
MEC Nodes MEC Orchestrator
1
Data Training of local models
Global model 4
5
Data Attack Detection
Parameters
W W W W
W1 W2 W3 W4
records), backdoors (2329 records), reconnaissance (13987 records), class. Algorithm 1 illustrates the steps executed by MEC collaborator
generic (215481 records), exploits (44525 records), shellcode (1511 i. Finally, the MEC orchestrator, i.e. MEO, aggregates local updates
records), and worms (174 records). and transmits the aggregated value to the MEC collaborators(see steps
Federated learning-based Model: We formalize the problem of 3 and 4 in Fig. 1). This procedure is then repeated until a maximum
federated collaborative learning across multiple MEC-based domains round rmax is achieved. Algorithm 2 describes the main steps of
as a problem of optimization et al. [7]. For optimization, we use the global model runs at the MEC orchestrator level.
a local Stochastic Gradient Descent (SGD) on each MEC-based
domain. At the beginning of each round r, each MEC-based domain
calculates the average gradient independently at the actual shared B. Stage2: MEC Resources Provisioning
global model wr using its own local dataset (see steps 1 and 2 in Once detecting an IIoT attack (step 5 in Fig. 1), the MEC nodes
Fig. 1). To test FedGame, we use a deep neural network with an input compete to get more virtual resources from the centralized MEO, in
layer of 49 neurons that corresponds to the dimension of UNSW- order to be able in dealing with such attacks. However, the required
NB15 dataset, four hidden layers with LeakyReLU, and an output quantity of virtual resources (storage, CPU and bandwidth) depends
layer of ten neurons that correspond to the category of the attack mainly on the type of detected attack as well as the other critical
4 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS.
Algorithm 1 MEC Collaborator i resources. We note that there exist many functions, which can
Require: Local Data Di , size of batches Siz, Epochs e, learning be used as utility functions such as sigmoidal, logarithmic,
rate η. exponential, linear, and square root [24]. We select the square
Ensure: Updated model U pdk+1 . root function for each MEC player pi , due to its strictly
1: concave, as follows:
2: M ECU pdate(i, U pd) p
υi (ηi ) = ηi + 1, with i = 1, 2, . . . , m (1)
3: for epoch from 1 to e do
4: batches ← Di / Siz 2) Attack Priority Cost: this cost reflects both the priority of each
5: for Batch B ∈ batches do attack, j, and the number of attackers performing such attack.
6: U pd ← U pd − η∇f (U pd, T ) (∇f (U pd, T ) is the average We assign a priority, P rij = ]0, 1], to each attack type based
gradient on batch B at the model U pd) on the needed vCPU. So, attacks need more vCPU resources
7: end for have more priority than those require less vCPUs, to deal with.
8: end for In addition, this cost is directly impacted by the number of
9: return U pd to server aggregator. involved attackers (Attackers). Indeed, attack with multiple
source has a high impact on the network and thus will require
more vCPU resources. We define this cost as follows:
Algorithm 2 The global MEO
1
ηi ∗ P rij ∗Attackers , if there is an attack
Require: Number of MEC collaborators M and rounds Round, Size
of batches Siz, Local epochs e, Learning rate η. Υi (ηi , j) =
Ensure: Aggregated model GLM k+1 .
1, Otherwise
1: (2)
2: Initialize GLM0 3) Critical Applications Cost: the quantity of assigned vCPU
3: for r = 1 to Round do resources to each MEC node must consider the other MEC’s
4: M = set of MEC collaborators applications. We classified the IIoT applications into two main
5: for MEC domain i ∈ M in parallel do classes: (i) critical applications, which include safety-related
6: Lr+1
i ← M ECU pdate(i, Lr ) application requiring ultra-low latency, such as collision detec-
7: end for tion/avoidance between mobile robots in industrial systems. (ii)
1 Pi=|M | r+1
8: GLM r+1 ← |M | i=1 Li no-critical applications that cover the other type of applications
9: end for such as entertainment and publicity applications. In our model,
10: return GLM r+1 to MEC collaborators. we choose to assign more resources to MEC nodes ensuring
safety critical applications (Cri App). Thus, we define the
critical applications cost of player pi as follows:
applications that are already executed on top of each MEC node. For
Cri Appi
instance, the MEC nodes need more vCPU resources to deal with ϱi (ηi , Cri Appi ) = ηi ∗ 1 − , ∀i ∈ P (3)
T otal Appsi
a DDoS attack, as compared to scanning attacks e.g., User to Root
Attack (U2R). Therefore, we model a non-cooperative game between Where Cri Appi is the number of critical applications ex-
MEC collaborators to scaling up or down their virtual resources, ecuted at the MEC node i, while T otal Appsi is the total
based on both the type of detected attack and each MEC’s critical number of MEC i applications (critical and no critical).
applications (steps 6, 7, and 8 in Fig. 1). We note that we focus Finally, the payoff function of each MEC player pi is defined as
more on virtual CPU (vCPU) resources, however, our scheme can follows:
be easily extended/applied for other virtual resources such as storage Φi (ηi , η−i ) = αi υi (ηi ) − βi Υi (ηi , j) − ψi ϱi (ηi , Cri Appi ) (4)
and bandwidth.
1) Non-cooperative game formulation: We model the compet- With η−i = [ηL ]L∈P and i ̸= L is the requested vCPU resources
itive behavior of MEC nodes to get vCPU resources using a non- by all MEC players (strategies) except MEC player pi , and αj , βj ,
cooperative game, G = (P, Si , Φi )i∈P , as follows: and ψj are MECs’ coefficients for the three functions υi , Υi , and
ϱi , respectively, where αi , βi , and ψi > 0, ∀i ∈ P . The values of
1) Players (p1 , . . . , pi , . . . , pm ): a set P of m MEC players that
these parameters are chosen in such way that the global requirement
are connected to the same MEC orchestrator, M EOj .
of our model are met. For instance, if the value of ψi is greater,
2) Players’ strategies, Si : the actions that each MEC player pi can
the difference between vCPU resources (ηi ) of MEC nodes having
take during the game, ∀i ∈ P . MEC players may ask for vCPU
high number of critical applications and those having low number of
resources
Qm between zero and η max . Thus, Si = [0, ηimax ] and
applications is higher and vice versa.
S = i=1 Si = [0, η1 ] × . . . × [0, ηimax ] × . . . × [0, ηm
max max
]
2) Proof of Nash equilibrium: Nash Equilibrium (NE) reflects
represents the strategy profile for all MEC players.
the state where no MEC player can benefit by changing its strategy,
3) Payoff function, Φi : Si → R: each MEC player, pi ; ∀i ∈ P ,
while the other players keep theirs unchanged. Therefore, if this state
has to maximize Φ, in order to increase its profit in getting
exists, the modeled game admits a solution.
more vCPU (ηi ).
In our game, a set of requested vCPU resources (strategies), s∗ ∈ S
Beside, we model the MECs’ payoff function to include three main with s∗ = [η1∗ , . . . , ηi∗ , . . . , ηm
∗
], corresponds to a Nash equilibrium
functions: (i) MEC nodes objectives to maximize the obtained vCPU state if no MEC node can improve its payoff, as it changes its action.
resources from the centralized MEO (utility), (ii) priority of the More specifically, NE is N-tuple {ηi∗ } ensuring:
detected attack (Attack priority cost), (iii) and critical applications
that are executed at each MEC node (Critical applications cost). These Φ ηi∗ , η−i ∗
≥ Φ ηi , η−i ∗
, ∀i ∈ P, ηi∗ ̸= ηi (5)
functions are defined as follows: In this subsection, we prove the uniqueness and existence of NE for
1) Utility: it reflects MECs profit when they got more vCPU our game G.
Z. ABOU EL HOUDA et al.:WHEN FEDERATED LEARNING MEETS GAME THEORY: A COOPERATIVE FRAMEWORK TO SECURE IIOT APPLICATIONS ON EDGE
COMPUTING 5
(a) (b)
Fig. 3: Model loss for FedGame using U N SW − N B15 dataset for: a) 10 rounds case; and b) 25 rounds case.
Normal 99.8% 0.2% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% Normal 99.9% 0.1% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
DoS 0.0% 99.5% 0.5% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% DoS 0.0% 99.9% 0.1% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
0.8 0.8
Generic 0.0% 0.1% 99.0% 0.9% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% Generic 0.0% 0.0% 99.9% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
Exploits 0.0% 0.0% 0.2% 99.8% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% Exploits 0.0% 0.0% 0.0% 100.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0%
0.6 0.6
Fuzzers 0.0% 0.0% 0.0% 1.3% 98.1% 0.6% 0.0% 0.0% 0.0% 0.0% Fuzzers 0.0% 0.0% 0.0% 0.0% 99.8% 0.2% 0.0% 0.0% 0.0% 0.0%
Reconnaissance 0.0% 0.0% 0.0% 0.0% 0.0% 99.9% 0.0% 0.1% 0.0% 0.0% Reconnaissance 0.0% 0.0% 0.0% 0.0% 0.0% 100.0% 0.0% 0.0% 0.0% 0.0%
0.4 0.4
Backdoors 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 99.4% 0.2% 0.4% 0.0% Backdoors 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 99.8% 0.1% 0.1% 0.0%
Analysis 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 100.0% 0.0% 0.0% Analysis 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 100.0% 0.0% 0.0%
0.2 0.2
Shellcode 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.9% 99.1% 0.0% Shellcode 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.1% 99.9% 0.0%
Worms 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.1% 0.0% 0.4% 99.6% Worms 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.0% 0.2% 99.8%
0.0 0.0
Worms
Worms
Fuzzers
Fuzzers
Reconnaissance
Reconnaissance
Normal
Normal
DoS
Exploits
Backdoors
Analysis
DoS
Exploits
Backdoors
Analysis
Generic
Shellcode
Generic
Shellcode
(a) (b)
Fig. 4: Confusion matrices of FedGame using U N SW − N B15 dataset for: a) 10 rounds case; and b) 25 rounds case.
1.0 1.0
0.8 0.8
True Positive Rate
0.6 0.6
0.4 ROC curve of Normal (area = 0.99) 0.4 ROC curve of Normal (area = 1.00)
ROC curve of DoS (area = 0.96) ROC curve of DoS (area = 0.99)
ROC curve of Generic (area = 0.99) ROC curve of Generic (area = 1.00)
ROC curve of Exploits (area = 0.99) ROC curve of Exploits (area = 1.00)
ROC curve of Fuzzers (area = 0.99) ROC curve of Fuzzers (area = 1.00)
0.2 ROC curve of Reconnaissance (area = 0.97) 0.2 ROC curve of Reconnaissance (area = 0.99)
ROC curve of Backdoors (area = 0.99) ROC curve of Backdoors (area = 0.99)
ROC curve of Analysis (area = 0.97) ROC curve of Analysis (area = 1.00)
ROC curve of Shellcode (area = 0.99) ROC curve of Shellcode (area = 1.00)
0.0 0.0
0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0
False Positive Rate False Positive Rate
(a) (b)
Fig. 5: ROC curves of FedGame using U N SW − N B15 dataset for: a) 10 rounds case; and b) 25 rounds case.
Z. ABOU EL HOUDA et al.:WHEN FEDERATED LEARNING MEETS GAME THEORY: A COOPERATIVE FRAMEWORK TO SECURE IIOT APPLICATIONS ON EDGE
COMPUTING 7
(a) (b)
(c) (d)
Fig. 6: Performance evaluation of FedGame, when generating IIoT’s single source attacks at 180s. (a) A DDoS attack on MEC A; (b) An
analysis attack on MEC B; (c) A fuzzers attack on MEC C; (d) A backdoors attack on MEC D.
99% in recall, accuracy, F1 score, and precision, respectively, with observe that FedGame has an Area Under the ROC Curve (AUC)
only 172 seconds of federated training. score of 0.99, while it has a AUC score of 0.99 for 25 rounds of
Fig. 3 shows the learning curves of our MEC-based tested models training.
over rounds; it shows the loss values during, training and testing
phases, for 10 rounds and 25 rounds of training, respectively. We compared the results achieved by FedGame with the following
We observe that, during the federated training phase, the loss of recent ML and DL models: Fuzzy-IDS [15], RF-IDS [17], WSN-
each MEC-based model decreases until a minimum is reached IDS [19], OGM [20], and MHMM [21]. Table III shows the metric
(almost zero in the test case). Fig. 4 shows Confusion matrices of values of FedGame and the centralized ML and DL models. We
FedGame using the U N SW − N B15 dataset for 10 rounds and observe that FedGame achieves the highest accuracy of 99%, the
25 of federated training, respectively. For 10 rounds of training, highest DR of 99%, and the highest F1 score of 99% with only 172
we observe that 99% of almost all IIoT attack traffic is correctly seconds of training time. The results of experiments confirm that
classified as malicious traffic and also 99% of Normal traffic (i.e., FedGame outperforms centralized ML and DL models, in accuracy,
benign data samples) is correctly classified as benign traffic. For 25 DR, and F1 score, while preserving the privacy of industrial systems’
rounds of training, we observe that 99% of almost all IIoT attack users.
traffic is correctly classified as malicious traffic and also 99% of
benign traffic is correctly classified as benign traffic. Fig. 5 shows B. Evaluation of Game-based MEC resource provisioning
the roc curves of FedGame on the U N SW − N B15 dataset for 10 Fig. 6 shows the vCPUs assignment to each MEC node during
rounds and 25 rounds of federated training, respectively. The ROC 600s. We generated different types of IIoT attacks: DDoS, analysis,
curves show TPR according to FPR. For 10 rounds of training, we fuzzers, and backdoors, addressing MEC A, B, C, D, respectively,
8 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS.
[16] K. L. K. Sudheera, D. M. Divakaran, R. P. Singh and M. Gurusamy, Adlen Ksentini received the Ph.D. degree in
”ADEPT: Detection and Identification of Correlated Attack Stages in computer science from the University of Cergy-
IoT Networks,” in IEEE Internet of Things Journal, vol. 8, no. 8, pp. Pontoise on QoS provisioning in the IEEE
6591-6607, 2021. 802.11-based networks. Since 2016, he has
[17] K. Singh, S. Guntuku, A. Thakur, C. Hota, Big Data Analytics frame- been a Professor with the Communication Sys-
work for Peer-to-Peer Botnet detection using Random Forests, Informa- tems Department, EURECOM. He is currently
tion Sciences, Volume 278, 2014, Pages 488-497, ISSN 0020-0255. an IEEE COMSOC Distinguished Lecturer on
[18] N. Ravi and S. M. Shalinie, ”Learning-Driven Detection and Mitigation topics related to 5G and Network Softwarization.
of DDoS Attack in IoT via SDN-Cloud Architecture,” in IEEE Internet His current research topics are in the field of
of Things Journal, vol. 7, no. 4, pp. 3559-3570, 2020. architectural enhancements to mobile core net-
[19] C. Mcdermott, A. Petrovski, 2017. Investigation of computational intel- works, mobile cloud networking, network func-
ligence techniques for intrusion detection in wireless sensor networks. tions virtualization, and SDN. He received the Best Paper Award from
International journal of computer networks and communications [on- IEEE WCNC 2018, IEEE IWCMC 2016, IEEE ICC 2012, ACM MSWiM
line], 9(4), pages 45-56. 2005, and the IEEE Fred W. Ellersik Prize for the Best IEEE Communi-
[20] N. Moustafa, G. Misra and J. Slay, ”Generalized Outlier Gaussian cations Magazine for 2017.
Mixture Technique Based on Automated Association Features for Sim-
ulating and Detecting Web Application Attacks,” in IEEE Transactions
on Sustainable Computing, vol. 6, no. 2, pp. 245-256, 2021.
[21] N. Moustafa, E. Adi, B. Turnbull and J. Hu, ”A New Threat Intelligence
Scheme for Safeguarding Industry 4.0 Systems,” in IEEE Access, vol.
6, pp. 32910-32924, 2018.
[22] F. Spinelli and V. Mancuso, ”Toward Enabled Industrial Verticals in
5G: A Survey on MEC-Based Approaches to Provisioning and Flex
Communications Surveys Tutorials, vol. 23, pp. 596-630, 2021.
[23] B. Brik and A. Ksentini, ”Toward Optimal MEC Resource Dimensioning
for a Vehicle Collision Avoidance System: A Deep Learning Approach,”
in IEEE Network, vol. 35, no. 3, pp. 74-80, 2021.
[24] Wang and G. -S. G. S. Kuo, ”Mathematical Modeling for Network Lyes Khoukhi received the Ph.D. degree in
Selection in Heterogeneous Wireless Networks — A Tutorial,” in IEEE electrical and computer engineering from the
Communications Surveys Tutorials, vol. 15, no. 1, pp. 271-292, 2013. University of Sherbrooke, Canada, in 2006.
[25] H. Nikaidô and K. Isoda, ”Note on non-cooperative convex games” in From 2007 to 2008, he was a Post-Doctoral
Pacific Journal of Mathematics, vol. 5, pp. 807- 815, 1955. Researcher with the Department of Computer
[26] J. B. Rosen, “Existence and Uniqueness of Equilibrium Points for Science and Operations Research, University
Concave N-Person Games.” Econometrica, vol. 33, no. 3, [Wiley, Econo- of Montreal. Currently, he is Full Professor with
metric Society], 1965, pp. 520–34. the ENSICAEN, Normandie University, GREYC
CNRS. His current research topics are in the
field of cybersecurity, attacks detection and per-
formance evaluation in advanced networks like
cloud networking, 5G/SDN, IoT/V2X and CPS.