iCDRET: A Dynamic Cyber Risk Estimation Technique for Intelligent Cyber-Physical Systems in PCS

1. INTRODUCTION

Intelligent healthcare technologies make major contributions to daily life by providing electronic healthcare services and have the potential to improve patient care quality. Technology is used in a variety of applications, including smart homes [1, 2], intelligent businesses [3], intelligent neighborhoods [4], mobility [5], intelligent healthcare [6], and satellites. Due to their tiny size and heterogeneity, smart devices and apps have grown fast in recent years, making them very vulnerable to cyberattacks. The integration of advanced technologies has transformed wearable and healthcare devices, leading to the development of intelligent medical systems [7]. Due to the gadgets and wearables, remote monitoring in healthcare is now feasible, keeping patients safe and motivating clinicians to provide the best treatment possible [8]. Patient participation and comfort have increased, and medical interactions have become more efficient [9]. Unfortunately, the connectivity of this large number of IoMT devices has drawn attackers into the healthcare system. The latest cyberattacks highlighted fundamental flaws in the IoMT ecosystem [10]. Inadequate architecture and security methods can allow attackers to intercept such networks. Unauthorized access poses a security risk due to a lack of detection and prevention. An attacker can modify medicine doses remotely and use IoMT sensors as botnets for DDoS assaults [11]. Healthcare organizations have experienced hacking and unauthorized access, such as the 2018 Ransomware cyber-attack that cost Indiana hospitals $55,000 [12]. A cyber-attack aims to ruin and interfere with computer network operation [13]. The numerous cyber-attack categories are denial-of-service (DoS), logical bombs, spam, sniffers, viruses, worms, Trojan horses, and botnets. The DoS attack keeps the system from communicating with other computers or surfing the internet. Attacks might start fast from one or many scattered sources. Protecting networks and data from several kinds of assaults depends on cybersecurity. It is thus important to have a plan for spotting different types of attacks in IoHT. Apart from safety concerns, medical professionals do not openly access databases on cyber-attacks as sensitive material is at risk and can harm and kill people [14]. CPS is an engineering and physical system that relies on communication, computation, and control to coordinate and monitor processes. This CPS has been used in significant industries, including biomedical, smart grids, and ITS (intelligent transportation systems). The Healthcare Cyber-Physical System (H-CPS) generates a smart healthcare environment all around. From sensors, the H-CPS combines e-health data, IoMT (artificial intelligence), and EHR. To build smart healthcare, H-CPS integrates biosensors, implanted medical devices (IMD), conventional healthcare, ICT, wearable devices, communication mechanisms, and artificial intelligence [15-17]. We use a special technique to identify several cyberattacks to reduce the described risks. Cyber-Physical Systems (CPS) automate and regulate industrial processes by combining cyber elements for processing and communication with physical components for sensing and actuation. Important sectors include healthcare, traffic management, industry, and energy infrastructure, all of which are extensively used. These systems use commercial and open-source software as well as common communication protocols to enable interaction with corporate networks and save infrastructure expenses. These technologies have, however, been susceptible to fresh security concerns and cyberattacks, therefore upsetting normal business operations. Recent advanced attacks on systems draw attention to the necessity of methods and instruments to control cybersecurity vulnerabilities [18]. Early in the course of system design, safety and security needs should be noted and taken care of [19]. IT security risk assessment follows recognized international standards, such as those mentioned in a study [20]. This paradigm presents new hazards compared to traditional computer networks. Data loss can have a wide range of consequences, including service disruption and loss of life. To improve efficiency in e-health systems, risk assessment approaches should be updated accordingly. Trustworthiness and patient confidence in e-healthcare security and data protection are crucial for its widespread adoption. To promote the expansion of electronic linked devices in the healthcare industry, firms must balance low transaction costs with effective and efficient data transfers and acceptable hazards. Effective security mechanisms need increased processing expenses. E-health system builders support risk as an indirect cost [21]. In this study, we are providing a cyber-risk estimation technique.

2. MOTIVATION

Among other uses, CPSs were extensively used in sectors like distribution networks, manufacturing, construction, pharmaceutical, and transportation. Advancements in IMoT technology are resulting from the growing number of connected wearable devices and communication via PCS as it is emerging. Adoption of edge-based CPSs underlines dependability and credibility. We are aware that dependability and trustworthiness are multifaceted aspects intimately related to CPS, human perception, and trust security. Researchers are developing AI-based approaches to solve future CPS difficulties. Researchers have created many healthcare monitoring models; however, limits remain for cloud-enabled systems, making them unsuitable for real-world applications. Cloud computing and healthcare organizations face communication overhead, latency, and privacy challenges when aggregating sensitive data. As the number of IoT-based healthcare networks grows, hostile assaults have become more sophisticated. Privacy concerns for IoT nodes, smartphones, and computer systems on the internet. Companies, especially pharmaceuticals, are increasingly relying on technology for their operations. Businesses have successfully adapted to remote work, with TCS projecting that by 2025, 75% of their personnel will be working from home. As firms adjust to this new work style, mitigating related risks becomes increasingly important. Effective risk management is essential for

digital and technological transformation. Digital risk refers to the risks that arise when a firm transitions to digital platforms. Identifying and mitigating possible risks is crucial for all industries. Businesses might experience data loss and theft of crucial information. Privacy breaches occur as a result of digital advancements in business. Businesses may encounter risks associated with automation and compliance. This research analyses the viewpoints and experiences of subject matter specialists in the pharmaceutical sector, coding the data to draw precise findings. In the detailed study, it was found that there are different types of attacks. Our primary accomplishments of this study effort are as follows:

• We developed algorithms that can detect cyberattacks in pharmaceutical care services.

• Introduced a novel risk estimation factor (REF) to quantify attack severity based on impact and detectability.

• Included anomaly detection and IoT security methods to improve the security and dependability of pharmaceutical care services.

• The proposed algorithms are performing better than the existing ones.

The remaining work is organized as follows: starting with the literature review followed by the proposed scheme. The next segment contains a discussion of the experiment. Finally, the conclusion summarizes the work and outlines potential directions for future research.

3. DIFFERENT TYPES OF CYBER ATTACKS

Table 1 lists all the identified attacks and highlights the various types of risks that could occur if any of these attacks were executed on the system. This section contains details about each attack and also describes the different techniques required to detect these attacks.

• Social engineering attacks: When it comes to cyber security, many people feel that they should defend themselves against hackers that use technological flaws to assault data networks. However, there is another method for infiltrating organizations and networks that makes use of people’s vulnerabilities. “Social engineering” refers to the process of deceiving someone into disclosing information or getting access to data networks. In short, social engineering is the manipulation of individuals so that they can access or expose information or data. Social engineering, like other cyber-attacks, seeks to circumvent an individual’s or organization’s security measures. Anyone can fall prey to a social engineering attack. However, elderly individuals with inadequate technical skills, individuals very minimal human connection, along with those susceptible to impetuous behavior are frequent targets. One’s own/exclusive information should not be disclosed to avoid potential attacks; anyone attempting to communicate should be investigated; URL/address verification must be undertaken; unreliable sources ought to be ignored. Social engineering assaults use human psychology to deceive people into disclosing critical information. Here are some examples of social engineering assaults and the algorithms they use:

◦ Baiting: This assault, like phishing, takes advantage of a target’s greed, temptation, or fear by providing something appealing in exchange for personal information.

◦ Pretexting: This assault employs appealing stories to persuade victims that they are genuine and then exploits their beliefs to obtain personal information.

◦ Tailgating is an exploit that allows hackers to enter restricted regions without appropriate authentication. Corporate Email Compromise (BEC) is an attack in which an individual obtains access to a corporate email account and uses it to send fraudulent emails.

◦ Whaling: Senior executives are the target of this kind of phishing assault, which poses as a genuine email and tempts them to perform a secondary action, such as initiating a wire transfer.

◦ Vishing: This type of targeted assault sends recorded messages over the phone, such as alerting victims that their bank accounts have been hacked. The attacker then gains access to the victims’ accounts when they are asked to enter their information on the keypad of their phone.

◦ Attacks known as “watering holes” entail infecting unprotected websites and online sources that the targeted individuals often access. The objective may obtain exposure to the target’s infrastructure or infect devices with malware.

• Application attacks: Cybercriminals can access unauthorized sites using an application attack. Often, attackers start scanning the application layer for flaws in code-based services. Numerous apps representing different programming languages are attacked, even if certain programming languages are targeted more frequently than others. There are flaws in commercial software and free frameworks and libraries. Cybercriminals can take advantage of application flaws to attack programs in production. These attacks target open-source frameworks and libraries as well as proprietary programs. Cybercriminals exploit a variety of techniques, including flaws in programming, vulnerabilities brought on by outdated certificates, and vulnerabilities brought on by inadequate authentication.

• Cryptography attacks: The technique of storing and sending data in a certain manner such that only the intended receivers can access and comprehend is known as cryptography. The processes of encryption, which transforms plain text into cipher text, and decryption, which transforms cipher text back into plain text, are used to accomplish this. A cryptographic attack occurs when an attacker looks for weaknesses in the code, cipher, encryption protocol, or key handling system to compromise an encryption system. Such assaults can be split into two distinct categories: passive or aggressive. While active attacks change or start an unauthorized flow of information, passive attacks permit the illegal disclosure of data with no compromising with the exchange of information channels. While active assaults entail altering data without authorization, passive attacks are frequently linked to information theft. The confidentiality and integrity of sensitive data may be jeopardized by any kind of assault.

• Hijacking attacks: Hijacking assaults are a subset of security-related attacks wherein an assailant gains control of computer systems, software applications, and network communications. The majority of cyber attacks depend on some sort of hijacking, and hacking is routinely—if not always—illegal, with grave repercussions for the victim as well as the attacker. Among these incidents are those involving aircraft hijackers or the commandeering of an armored transport truck. There are several varieties of hijack assaults; these are enumerated here: Session, Domain Name System (DNS), browser, clipboard, Internet Protocol (IP) and page hijacking.

• Computer Network Attacks (CNAs): These involve gaining unauthorized control over a computer or network to manipulate, delete, reject, or distort data within the system. CNAs can be used to shut down systems, alter data, exploit resources for botnets, or perform any activity that compromises the availability, confidentiality, or integrity of the targeted system. A CNA executes attacks by manipulating data streams. For example, it might transmit malicious code or commands to the central processing unit (CPU), potentially causing hardware malfunctions or forcing system shutdowns. Attackers join the network and scout it before acting to execute a CNA. Discovery helps one to learn the network configuration and choose the best approach to engage in negative behavior.

• Phishing attacks: Computer Network Attacks (CNAs) involve gaining unauthorized control over a computer or network by modifying, deleting, rejecting, or distorting data within the system. These attacks can shut down systems, alter or erase data, exploit system resources for botnets, and perform other actions that compromise the availability, integrity, or functionality of the targeted system.The CNA runs the attack using the data stream. For example, a CNA might send a code or order to a central processing unit forcing system shutdowns. Attackers join the network and scout it before acting to execute a CNA. Discovery enables an attacker to identify the network configuration and determine the most effective method to carry out malicious activities.

• Paying attention and learning will help prevent phishing attacks. Although email monitoring systems can block many regular phishing attempts, employee email security training can help reduce the number of prospective victims by raising an understanding of phishing risk. Simultaneously, one should be careful of website pop-ups and ensure the URL starts with “HTTPS” and features a closed lock icon next to the address bar to stop phishing efforts.

• Malware attacks: Malware, short for malicious software, is designed to compromise computer systems, steal data, or disrupt users through various harmful activities. Among the several instances of this kind of program are Trojan horses, worms, viruses, and rootkits. Though their main classification is as software, they can resemble simple codes. Often referred to as scumware, malware may be distributed in almost any programming or scripting language and written in several file formats. Malware might keep gathering data and spy for a significant length of time without informing the affected computer system. Moreover, it can be used for extortion of money or payments or for damage or disturbance of the system it targets (such as Stuxnet).

• Bots and botnets: Standing for “robot,” a “bot” is a piece of software designed to do specified, automated, repeating operations. Bots regularly copy or replace the acts of human users. Being automated, they run significantly faster than human users. They may be used practically for customer service or search engine indexing, or they can be used as malware to seize complete control of a machine. To spread spam, scan contact lists, breach user accounts, and complete other evil activities, one can design or hack malware bots and Internet bots. The term “botnet” combines the words “robot” and “network.” A botnet is an assembly of Internet-connected computers interacting with other such devices to achieve goals and repetitive activities. Spam emails are sent using these networks rather often. Under attacker control, a botnet can be as vast as hundreds of thousands of zombie computers or even thousands. Every software agent program also is run remotely.

• Password attacks: One of the most common forms of cyberattacks is the password assault. Both personal and business targets are susceptible to password assaults. By stealing the passwords to any area that needs one, including social media networks, technology, or software that the person or organization uses, the goal is to cause harm to the organization or individuals. Easy passwords are typically preferred by people or organizations to prevent forgetting them. Specifically, social media users can provide a summary of the password text they use on their profiles. For instance, a person’s social media profiles provide a wealth of information, like their date of birth, place of residence, spouse or partner’s name, years of relationship, and the team they support. For hackers, this knowledge is crucial. As a result, disclosing this information makes it easier for hackers to execute password assaults.

• Man-in-the-middle attack: A “man-in-the-middle” attack is the first type of cybercrime in which a hostile person discreetly meddles with two parties’ communication. This hack provides access to and even modification capability for the victim’s supplied data. The attacker succeeds by creating a clandestine, phony link between their devices and the victims. Usually aiming to either mimic one of the parties or get passwords, bank information, and personal data, a man-in-the-middle assault is These deeds, regretfully, might include changing login passwords or beginning a money transfer. The optimum locations for an attack to take place are those with free Wi-Fi. The content of unencrypted packets is easily accessible. Attackers use Wi-Fi sites to control network traffic so it flows across them. Consequently, the assailant turns into the traffic conduit for the users of the network. The assailant who intercepts this message may find passwords or personal information.

• DDoS (Distributed DoS): A kind of DoS attack aimed at one system by use of several hacked systems.

• Denial of Service (DoS): An attack that overwhelms a system or network with traffic or requests to make it unavailable to its users

• Reconnaissance attacks: These include techniques such as packet sniffing, ping sweeps, port scanning, and internet information queries, which are used to gather information about a target system or network.

4. CYBER-ATTACK DETECTION TECHNIQUE

• Technique 1: Proof of Source Authenticity (PoSATM) from Memcyco: It employs AI to identify anomalous activity and provides organizations with complete assault information for transparency. Memcyco enhances security by immediately alerting users when they visit a fraudulent website. It provides a comprehensive analysis of the attack and uses a unique, editable watermark to authenticate web pages. As an agentless solution, Memcyco requires no registration or installation from your clients.

• Technique 2: Anomaly Detection: Based on a known pattern in a system, organizations can use tools and procedures to detect anomalous conduct. In this scenario, anomalies are defined as any user or system events that depart from a baseline pattern. Techniques for anomaly detection can be used by businesses to find important incidents.

• Technique 3: Signature-based Detection in Intrusion Detection Systems (IDS): Signature-based detection is a fundamental detection method. By recognizing danger indicators, the approach enables intrusion detection systems (IDS) to identify malicious activity or unauthorized network access. An expert system in cervical dysplasia is a specialized computer-based application designed to assist healthcare professionals, such as gynecologists and pathologists, in the diagnosis and management of cervical dysplasia, a precancerous condition of the cervix [15-17]. This technique combines clinical know-how and artificial intelligence to offer accurate assessments, recommendations, and aid for healthcare practitioners in their choice-making methods.

• Technique 4: Heuristic Analysis Examining code for questionable elements—a technique known as “heuristic analysis”—may also be necessary for threat detection. By enabling security experts to decompile questionable applications and compare them with known malware code stored in a heuristic database, the approach aids in malware identification. If a certain proportion of the program’s source code matches a virus in the database, the software is marked as potentially dangerous.

• Technique 5: Sandboxing is the process of executing and examining code in a secure, segregated section of a network. It is best practice to employ a sandbox that replicates the real end-user operating environment for better outcomes.

• Technique 6: Honey Pots and Honey Nets A fascinating security method called a “honeypot” uses virtual or intruder traps to entice hackers. Security experts create a purposefully weak system that makes it easy for attackers to take advantage of vulnerabilities. To strengthen their cybersecurity posture in the meantime, the security team might research the strategies, methods, and practices used by the threat actors.

• Technique 7: Endpoint Detection and Response (EDR) is an essential tool in today’s dynamic threat landscape. The adage “time is money” holds particularly true, as the faster you can detect, respond to, and recover from security threats, the more effectively you can protect your system. EDR combines automated detection and response, offering a streamlined approach to managing risks.

• Technique 8: Artificial Intelligence and Machine Learning Prior to AI and machine learning, IT systems could only detect known and tested dangers like viruses and malware using rule and signature-based threat detection methods. Unfortunately, the ability of these conventional security methods to identify complex and changing assaults is limited. Missed security events and delayed discovery were encountered by security analysts. EDR is an integrated security method that combines rule-based analysis and response capabilities with real-time endpoint event monitoring and recording.

5. LITERATURE REVIEW

Cyberspace has evolved into a breeding ground for new types of entrepreneurship, technical developments, the spread of free expression, and new social networks that power our economy and reflect our values. Critical infrastructure is required to ensure the nation’s and its economy’s safety, health, and well-being. The efficacy of cyberspace is essential to our national security and economy. Cyberspace, which allows all information infrastructures to be available over the Internet outside all geographical boundaries, poses a tremendous danger to our national security, economic prosperity, and public safety and health. Cyberspace has become the most hazardous area in the world, the number one threat to our Homeland, and defending against cyberattacks is exceedingly tough. Salahuddin et al. [21] designed edge gateway hardware to build a smart healthcare system combining publicly accessible networks and wireless networks of sensors (WSN). Smart gates alert doctors to crises and offer data-driven decision-making. Janjua et al. [22] assessed the insider threat detection capability of many machine-learning techniques. The proposed spam detection algorithm was developed by the authors from a dataset of 24 users’ activity traces spanning five days. With 98.3% accuracy, Adaboost excelled among other methods. In a study [23], the authors introduced affordable block chain task scheduling (CBTS) with many techniques for cyber- physical systems to control security costs and deadlines. Data validation in cyber security drops by 33%; security execution drops by 50%. Fisayo et al. [24] proposed a framework for protecting data against privacy concerns. The authors achieved higher data usefulness compared to other classic anonymization strategies. Manimurugan et al. [25] utilized the CICIDS 2017 dataset to detect various types of attacks—primarily botnet, brute force, DoS, intrusion, and port attacks—using deep belief neural network models. Syed et al. [26] noted that Intensive Care Units (ICUs) commonly contain a range of medical devices, such as ECG monitors, glucose meters, syringe pumps, and others. Among the several assaults, these devices can be subjected to include ransomware, man-in-the-middle, and DoS. Several research applied machine learning algorithms on the medical information mart for intensive care (MIMIC) dataset, comprising discrete structured clinical data, physio-logical waveform data, free text documents, and radiology imaging reports, according to the study. T. Mohamed et al. [27] defined a security architecture suitable for mobile e-health platforms. It uses computerized personal health records to establish and manage pharmaceutical prescription services in mobility settings. This design uses RFID technology to provide safe and authorized interactions. Wireless Sensor Networks (WSNs) are a weak link in e-health systems, prompting researchers to address security concerns. In Gonçalves et al.’s study [28] an end-to-end safe routing using block chain architecture was created and a technique for intrusion prevention in mobile WSNs is offered. The method takes the restricted funds and flexible structure of mobile WSN into account. Table 2 contains a brief overview of the literature review and shows that no technique is available which can identify the cyber- attack as well as the risk can also be estimated. So in this research, our aim is to develop a model that can do both attack detection as well as risk estimation.

Table 2.

Author	Limitation				Technique
	PCS	iPCS	Cyber Attack Detection	Cyber Attack Risk Estimation
[21]	×	×		×	Decision Fusion
[22]	×	×		×	Naive Bayes, LR, KNN, Adaboost
[23]	×			×	Task Schedul- ing
[24]	×			×	PAD
[25]	×	×		×	Deep Learning
[27]	×	×		×	Random Forest, Neural Network
[29]	×	×	×		Decision- analysis- based
[30]	×	×			Blockchain
[31]	×				Penetration

6. METHOD

6.1. Problem Statement

6.1.1. Notation

This study is related to pharmaceutical care services. There are 10 stakeholders in our research. The stakeholders are as follows. The patient is the main element of the PCS, followed by the Hospital, Staff, Doctors, MR, Retailers, Wholesalers & Raw Material Manufacturers, Investors, Drug Manufacturers and lastly PBM & Governance. For each, the notation is mentioned in Table 3. Subsequently, different features were selected to design a PCS plan for a patient. The complete features are listed in Table 4. When a plan is prepared for the patient, many factors must be considered before training and testing.

Table 3.

Stakeholder’s Name	Notation
Patient	NP
Hospital	NH
Staff	NS
Doctor	ND
Medical Representative	NMR
Retailer	NR
Wholesalers & Raw material Manufacturer	NW(RM)
Investor	NI
Drug Manufacturer	NDM
Pharmacy Business Management & Governance	NPBM(G)

Table 4.

Feature	Sub Feature	Patient (Pnt)	Pharmacist (Phst)	Doctor (Dor)	Healthcare Organisation (Horg)
Demographic (Pde)	Name(Pn)	√	×	√	√
	Age(Pa)	√	×	√	√
	Gender(Pg)	√	×	√	√
	DoB(Pdob)	√	×	√	√
Medical (Pme)	Weight & Height(Pwh)	√	×	√	√
	Current Symptoms(Psym)	√	×	√	√
	Past Medical History(Pmh)	√	×	√	√
	Lab Information(Pli)	√	×	√	√
	Allergies and Intolerance(Pai)	√	×	√	√
	Vital Sign(Pvs)	√	×	√	√
Design Therapist Plan (Pdtp)	Prescribe medication(Pme)	√	√	√	√
	Medication used Before(Pmeb)	√	×	√	√
	Medical Regimen(Pmr)	√	×	√	√
	Compliance with therapy(Pct)	√	×	√	√
	Medication allergies and Intolerances(Pme)	√	×	√	√
	Lab Test(Plt)	√	×	√	√
Lifestyle(Pl)	Diet Exercise(Pde)	√	×	√	√
	Recreation(Pre)	√	×	√	√
	Tobacco/alcohol/caffeine/other substance use or abuse(Pls)	√	×	√	√
	Daily activities(Pda)	√	×	√	√
Implementing Therapeutic Plan(Pitp)	Dosage(Pdo)	√	√	√	√
	Medical Regimen(Pmr)	√	×	√	√
	Diet Exercise(Pde)	√	×	√	√
Monitoring Therapeutic Plan(Pmtp)	Patient Status(Pst)	√	×	√	√
	Patient Condition(Pco)	√	×	√	√
	Medication theraphy(Pmt)	√	×	√	√

6.2.2. Proposed Model

In Fig. (1), the suggested model is displayed. Architecture is created with CPS’s assistance, with smart medical devices at the bottom that gather the necessary data from the surroundings. Following that, the data is examined using a variety of cutting-edge technologies, each of which is accessed through an interface. This filtered data is available for use by various parties. We have chosen 11 stakeholders: Patient, Hospital, Staff, Doctors, MR, Retailers, Wholesalers, Raw Material Manufacturers, Investors, Drug Manufacturers, and last is the PBM and Governance for our study, and protecting privacy and security is our top priority. For this, we have developed algorithms that can detect different types of cyberattacks on 11 different stakeholders, and after that, risk estimation is also done. For analysis and preprocessing, Algorithm 1 is used. For detection, Algorithm 2 is used.

6.3.3. Problem Formulation

First, we gathered the dataset for analysis of the performance of the suggested approach from many healthcare institutions. For analysis and comparison of the suggested method’s performance with the already-existing algorithm, other algorithms are also applied, including Decision tree, Random forest, Diffie-Hellman, Deep convolution network, and Naïve Bayes. To start the investigation, we eliminated null and undesired elements from all three datasets using conventional pre-processing techniques. We applied data computation and normalizing

methods to remove duplicate features. We also scale features using principal component analysis (PCA). Based on the component variance factor, several traits were determined: we mapped category features to numerical values using the label encoding method. We investigated binary and 13-class classifications of different cyber threats and attacks. Aiming to consolidate data distribution, the centralized technique for multi-source transfer learning assesses the relationship depending on consistency and similarity. In data transmission, the Kullback-Leibler (KL) divergence gauges the entropy difference between two different distributions. We examine the likelihood of uniform information distribution using the KL divergence. The first algorithm uses a centralized multi-source transfer learning method. We assume a cyber-attack occurs at an unknown moment (y) and try to find it as soon as possible. The attacker’s techniques and talents. This presents the quickest change detection problem for which the objective is to reduce the false alarm rate as well as the average detection latency. Fig. (2) explains this issue. Two hidden states exist: suspicious state and preliminary attack due to the unknown attack launch time y: At each time t_i, after collecting the measurement vector y_t, the agent (defender) has two options: halt and announce an attack or proceed to take observations. When the action stop option is selected, the system is assumed to enter a terminal state and remain there permanently.

Under normal operating conditions, the system model can estimate the conditional observation probability associated with the initial state. However, due to unknown attacking strategies, the conditional observation probability for the prevention state is assumed to be completely unknown. The chance of transitioning between the preliminary state and the prevention state is uncertain due to the unknown assault launch time (r). To reduce detection delays and false alarm rates, both false alarm and detection delay events should incur charges. Let c > 0 represent the proportional cost of a detection delay v/s a false alarm occurrence. If the true underlying state is the preliminary state and the action to halt is taken, a false alarm occurs, resulting in a penalty of 1 for the defender. If the underlying state is the prevention state and the action to continue is chosen, the defender incurs a cost of c due to the detection delay. For all other (hidden) state-action pairings, the cost is set to zero. Once the action halt is chosen, the defender will not incur any more costs while in the terminal state. The defender’s goal is to minimize their predicted total cost during this time. The defender’s goal is to minimize its predicted overall cost by carefully picking its actions. The defender must identify the appropriate moment to declare an attack depending on their observations. We suggest using a limited history of observations. We suggest employing an RL algorithm to learn an AT(s, a) value, which represents the projected future cost for each observation-action combination (s, a). This value is then kept in an AT-table. After learning the AT-table, the defender’s policy will be to select the action a with the lowest AT(s, a) for each observation. To train, a simulation environment is constructed. During the procedure, the defender acts based on their observations and receives a cost from the simulation. Based on this experience, the defender modifies and learns an AT-table.

During the online detection phase, observations are used to select the action with the lowest projected future cost (AT value) based on the previously learned AT-table. The online detection phase continues until the defender chooses the action prevention state. When the preventive state is selected, an attack is declared and the process terminates. After announcing an attack, the online detection phase can be resumed after the system has been restored to normal operating circumstances. That is, once a defender is taught, no more training is required. We summarize the learning and online detection stages of

Algorithm 1: Learning Algorithm

1: Collect Sample Data from the iCPS server for all 10 nodes (N_P, N_H,N_S, N_D, N_MR, N_R, N_W(RM),N_I,N_DM,N_PBM(G))

2: Process the primary data for removing unwanted features

3: SD<- split(x,y)

4: for i=1,2….10 do

for sd subset SD do

ES<- ES-ŋ Ṿf_e(ES,SD)

end inner loop

end outer loop

5.Process data from the server

6.Feature Selected

7. Use PCA (Model dataset)

8. while PCA (DataSet Features) do

Evaluate the covariance matrix

Acquire eigenvalues and values

end loop

9. Represents the reduced feature set obtained after PCA.

10. Divide the data set into D1 and D2

11.D1^old=D1^old_i

D2^old_{i =} D2^oldL_i U D1^oldU_i

12. Map D1 D2 into relation matrix

13. for i=1,2,….,N do

compute wⁱ by MMD

Train the learner on a weighted sample from D1

End loop

14. The initial a

Initialize AT(s,a)

for i= 1 to 10 do

for j=1 to 10 do

t ← 0

st ← preliminary

select an initial state ‘st’ based on the preliminary state and choose initial action a=continue

while st ≠ prevention and t< T do

ti←ti+1

if a= stop then

st← Prevention

r← ᴨ{t< г}

AT (s,a) ← AT (s,a)+α(r- AT (s,a))

elseif a=continue then

If ti>= г then

r ←c

st ←suspected

else

r←0

endif

Collect measurements m_t and update the Kalman filter using:

ê_t∣t−1​=M1ê_{t−1∣t−1}​+M2u_t−1​ and

P_t∣t−1​=M1P_{t−1∣t−1}​M1^T+AT

Update: Kalman Gain

K_t​=P_t∣t−1​H^T(HP_t∣t−1​H^T+R)⁻¹

State Update

ê_t∣t​=ê_t∣t−1​+K_t​(m_t​−Hê_t∣t−1​)

Error Covariance Update

P_t∣t​=(I−K_t​H)P_t∣t−1

AT(s, a) ← AT(s, a) + α (r + AT(s’, a’) − AT(s, a))

s ← s’, a ← a’

end if

end while

end for

end for

Procedure Risk Estimation (StT,ADT(1 to 10))

1: for each stakholder in StT do

2: AttackList ← IdentifyRelevantAttacks using Algorithm 2

3: for each attack in AttackList ADT do

4: Impact ← Calculate Attack Impact (ADT)

5: Detectability ← Calculate Attack Detectability(ADT)

6: REF ← Impact × Detectability

7: MitigationList ← GetAttackMitigation (FMT)

8: end for

9: end for

10: return AttackLists, Risk Estimation and MitigationLists

11: end procedure

Algorithm 2: Cyber Attack Detection Algorithm

1. Input: Algorithm-learned AT-table 1.

2: Select the initial a = continue and an initial s depending on the prior situation.

3. t ← 0

4: do 5: t → t + 1 while a ≠ stop

Sixth, gather measurements for each item.

7: Find the new s as it appears in Algorithm 1 lines 20–22.

8: a ← arg minaQ(o, a).

9: finish whilst

10: Claim an assault and stop the process.

In Algorithm 1, after detecting an attack, we have also defined a procedure for risk estimation. The approach is to systematically assess risks by identifying attacks for each stakeholder, quantifying their effect and detectability, and suggesting mitigation solutions. Data gathered from the intelligent cyber-physical system (iCPS) server is processed and prepared for cyberattack detection by this algorithm. It starts by dividing the dataset into subsets and eliminating any unnecessary features. Using an evaluation function, superfluous variables are removed as part of the feature selection process. After that, dimensionality is decreased and key features are extracted using Principal Component Analysis (PCA). For additional processing, the dataset is split into two sets (D1 and D2), guaranteeing an optimal feature representation that improves the effectiveness of attack detection. Impact: It indicates the severity of the effects if the attack is successful. Detectability: This measures how readily the attack may be discovered or detected by the system or security team. The Risk Estimation Factor (REF) combines impact and detectability to provide an overall assessment of the danger presented by an assault. A greater REF signifies a more serious threat. Mitigation refers to the techniques or procedures utilized to lessen the danger or severity of an attack. Algorithm 2 is used to find the stakeholder’s relevant attack types and put them in AttackList. Loop through each assault in AttackList that matches one of the attack types mentioned in the ADT. This algorithm uses a reinforcement learning-based methodology to identify cyberattacks. It iteratively adjusts its state depending on gathered measurements after beginning with an initial state and action based on historical data. By reducing the attack risk function, the system detects possible threats and continuously assesses its current state. By adding additional observations to state estimates, the Kalman filter improves detection accuracy. The operation halts and the system marks an assault if an attack is identified. In order to prioritize the required mitigation steps, the risk estimate process then computes the attack impact, detectability, and risk estimation factor (REF). To evaluate the impact of each attack, it is important to consider how damaging it is to the system, the stakeholders, and the overall organizational objectives. Additionally, assess how easily the attack can be detected by factoring in the level of monitoring, auditing, and available defense mechanisms.. The Risk Exposure Factor (REF) is computed by multiplying the attack’s impact by its detection probability. This provides an overall risk assessment that accounts for both the harm and the chance of identifying the assault. Viable mitigation measures for each assault using the FMT are determined as below:

Store the mitigation techniques in the MitigationList.

End the loop that processes each attack for the stakeholder.

End the loop that iterates through each stakeholder.

Return the AttackList, RiskEstimationList, and MitigationList.

The final result includes lists of potential attacks, evaluated risks, and recommended mitigations.

7. RESULT AND DISCUSSION

We assessed the suggested model by dividing the data into training and testing sets. About 30% of the data is set aside for testing to evaluate generalization on unobserved data, while the remaining 70% is used for training to ensure that the model captures a variety of attack patterns. This ratio ensures an accurate performance evaluation while preventing underfitting by offering enough training samples. Finding the ideal balance between accuracy and practical applicability is a regular procedure in cybersecurity research. Depending on the size and complexity of the dataset, alternative splits like 60-40 or 90-10 may be utilized. The following are the performance metrics:

• Precision: (Eq.1) calculates the fraction of accurately classified attack classes compared to expected attack results.

• Recall: The fraction of properly classified assaults compared to the total number of attacks is obtained using (Eq. 2).

• F1-Score: It is denoted as the mean of the harmonic between RC and P, which is determined as shown in Eq. 3.

We evaluated our suggested model using 16-class and binary classification to analyze threat identification and prediction of various cyber-attack types. We evaluated detection accuracy using a centralized multi-source transfer learning model, taking into account heterogeneity, data availability, and privacy. Centralized learning allows for better identification of unknown large-scale threats due to the abundance of available data. This research compares several machine learning and deep learning approaches to the suggested model. The models’ performance is evaluated using the same datasets through four steps: dataset processing and analysis, centralized learning, feature selection, and data classification with a transfer learning model. Fig. (3) compares the performance of a centralized multi-source transfer learning system to current techniques, including Random Forest (RF), Decision Tree (DT), Diffie-Hallman, Support Vector Machine (SVM), Naïve Bayes and Deep Convolution Neural Network (DCNN). Fig. (3) shows an examination of potential algorithms for 16-class, 8-class, and 4-class classifications. The suggested approach achieves the maximum accuracy at 97.89% for 16-class classification, 98.45% for 8- 8-class classification, and 98.97% for 4-class classification.

Tables 5-14 compares machine learning methodologies to the proposed centralized multi-source transfer learning model for 16-class classification, including Precision, Recall, and F1-Score for all 10 stakeholders. Tables 5-14 compare the performance parameters of recall (RC), precision (P), and F1-score for 16-class classification utilizing machine learning approaches including SVM, RF, Naive Bayes, DT, Diffie-Hellman, and DCNN. Each table is generated for all 10 stakeholders. Table 5 is for Patients, Table 6 is for the Hospital, Table 7 is for Staff, Table 8 is for Doctors, Table 9 is for MR, Table 10 is for

Retailers, Table 11 is for Wholesalers & Raw Material Manufacturers, Table 12 is for Investors, Table 13 is for Drug Manufacturers, and lastly, Table 14 is for PBM & Governance. Algorithm 1 will collect sample data from all 10 stakeholders, and in the loop, Algorithm 2 will run multiple times to detect the attack and will update the stakeholder's state in Q-Table. Tables 5-14 display the results achieved with the suggested approach for the same metrics. The suggested model works well in predicting various assaults. Different types of attacks include: Social engineering attacks, Cryptography attacks, Control Hijacking attacks, Computer network attacks, Phishing attacks, Malware attacks, Password attacks, DDoS Attack, Identity-Based Attacks, and DoS Attacks. All stakeholders will be identified for these attacks. So we have 10 tables as a result for each stakeholder by running different algorithms for attack detection.\color{black} The suggested approach achieves high accuracy rates of 93.98% for precision, 94.42% for recall, and 96.67% for F1-Score for diverse assaults, including Social engineering attacks, Cryptography attacks, Control Hijacking attacks, Computer network attacks, Phishing attacks, Malware attacks, Password attacks, DDoS Attack, Identity Based Attacks, DoS Attacks. Compared to current strategies, our suggested model outperforms all others and achieves a high detection/accuracy rate for 16-class classification. Fig. (4) illustrates the local analysis performance of the proposed model on several edge IoT devices with varied patient counts. Using the EOT framework, we utilized an Intel i7-3200 CPU with three cores and a virtual machine with 32GB RAM and 3.2GHz for local and global processing. Increasing data size results in a linear speedup for the suggested model. The distributed technique significantly reduces performance overhead by reducing global and local processing steps based on the number of virtual machines. Different Edge IoT devices are used to determine the time difference between single, 8, and 16 devices for a specific number of patients. Fig. (5) illustrates the performance study of a simulated dataset across several edge IoT devices. Fig. (6) depicts a study of accuracy for synthetic datasets with varying numbers of data points. Distributed analysis requires a shorter execution time than centralized analysis. The accuracy varies according to the size of the data set. Furthermore, VMs with a range of 1% to 20% may be impacted. In the end, we did a comparative analysis of all algorithms for all stakeholders and found that the proposed algorithm best determines the precision, recall, and F1 score, which is shown in Fig. (7).

CONCLUSION & FUTURE SCOPE

This paper proposes an Edge of Things (EoT)-based centralized Multi-Source Transfer Learning system to analyze cybersecurity attacks in pharmaceutical care services. This model focuses on assessing machine learning-based intrusion detection systems in a centralized mode. We utilized principal component analysis to extract 16 major features from three datasets and analyzed accuracy, precision, recall, and F1-score for the suggested model. The simulation results of the proposed study are compared to existing machine-learning approaches. The suggested model outperforms existing models, achieving more than 95% accuracy in detecting diverse attacks. In the future, we aim to investigate multi-class classification performance using additional datasets and feature selection strategies. The key constraint of this proposed work is the impact of training settings on model performance. Furthermore, the spread of Edge IoT devices is limited, and other distributions cannot be obtained owing to time constraints. The execution duration of our model grows with more patient data. However, we would prefer to use this effort to address the constraint as a future concern.

REFERENCES