A Self-Learning Approach for Detecting Intrusions in Healthcare Systems

The rapid evolution of the Internet of Medical Things (IoMT) introduces the healthcare ecosystem into a new reality consisting of smart medical devices and applications that provide multiple benefits, such as remote medical assistance, timely administration of medication and real-time monitoring. However, despite the valuable advantages, this new reality increases the cybersecurity and privacy concerns since vulnerable IoMT devices can access and handle autonomously patients’ data. Furthermore, the continuous evolution of cyberattacks, malware and zero-day vulnerabilities require the development of the appropriate countermeasures. In the light of the aforementioned remarks, in this paper, we present an Intrusion Detection and Prevention System (IDPS), which can protect the healthcare communications that rely on the Hypertext Transfer Protocol (HTTP) and the Modbus/Transmission Control Protocol (TCP). HTTP is commonly adopted by conventional healthcare-related services, such as web-based Electronic Health Record (EHR) applications, while Modbus/TCP is an industrial protocol adopted by IoMT. Although the Machine Learning (ML) and Deep Learning (DL) methods have already demonstrated their efficacy in detecting intrusions, the rarely available intrusion detection datasets (especially in the healthcare sector) complicate their global application. The main contribution of this work lies in the fact that an active learning approach is modelled and adopted in order to re-train dynamically the supervised classifiers behind the proposed IDPS. The evaluation analysis demonstrates the efficiency of this work against HTTP and Modbus/TCP cyberattacks, showing also how the entire accuracy is increased in the various re-training phases.


I. INTRODUCTION
The progression of the Internet of Medical Things (IoMT) has led the healthcare organisations to digitise the care services by adopting medical telemetry and interconnected medical devices, such as wearables [1] and medical implants that handle and store patient data autonomously in Electronic Health Records (EHRs). Although this new reality offers multiple benefits, such as remote medical assistance, preventive care and health education, it also increases the existing security and privacy concerns [2]. Moreover, among the other Critical Infrastructures (CIs), the healthcare domain is considered as the most vulnerable due to the vast amount of personal and administrative data stored and managed by the smart medical devices and EHRs [3]. Based on the European Union Agency for Network and Information Security (ENISA), the healthcare sector continues to lead in the number of cybersecurity incidents (27%). In particular, compared to other critical sectors, such as government and finance, the healthcare domain lags largely regarding the cybersecurity preparedness. A characteristic cybersecurity incident related to the health sector was the WannaCry ransomware, which paralysed the United Kingdom's National Health Service in May 2017. Furthermore, in the light of many reports, such as that of Online Trust Alliance's, 2017 was the "worst year ever" for cybersecurity incidents, while healthcare seems to be one of the most targeted industries by cyberattackers. Therefore, the challenge of ensuring a smart, safe, sustainable and efficient healthcare ecosystem becomes critical. This fact is validated by the European Union (EU) NIS Directive, enforcing all CIs to report any critical security incident to the Computer Security Incident Response Team (CSIRT).
It is estimated that the investments for a digitised healthcare ecosystem with the appropriate methods, tools and practices will exceed 65B over the next five years. However, this conversion is not straightforward. Based on the aforementioned remarks, it is evident that the timely and reliable intrusion detection and prevention is an essential need. Although the Machine Learning (ML) and Deep Learning (DL) solutions have already proved their capacity in detecting cyberthreats, the peculiarities of the healthcare sector render their adoption a challenging issue. In particular, the healthcare sector constitutes a sensitive CI, where the necessary datasets for the ML and DL solutions cannot be provided publicly. This fact complicates the cybersecurity analysts to construct appropriate intrusion detection datasets and train their models. Moreover, the heterogeneous nature of the healthcare ecosystem makes the adoption of such models more difficult since each healthcare environment is characterised by different attributes, such as medical devices and communication protocols.
In this paper, we provide an Intrusion Detection and Prevention (IDPS) system for the healthcare environments that use the Hypertext Transfer Protocol (HTTP) and the Modbus protocols. On the one hand, HTTP is a common Information and Communication technology (ICT) protocol, which is used by several computing systems, including multiple ehealthcare applications, such as EHR. On the other hand, Modbus/Transmission Control Protocol (TCP) [4] is an industrial protocol, which is widely adopted by both legacy and smart medical devices. The proposed IDPS applies an active learning approach, where first, the IDPS is trained with an initial dataset and then is re-trained continuously by its detection results in order to optimise the detection performance. The main contributions of this work are summarised in the following key-points. The rest of this paper is organised as follows. Section II presents relevant works. Section III provides the architecture of the proposed IDPS. Section IV is focused on the active learning approach. Section V is devoted to the evaluation analysis. Finally, Section VI concludes this paper.

II. RELATED WORK
Several papers have already studied the cybersecurity and privacy issues of the healthcare ecosystem. Some of them are listed in [5]- [8]. In particular, T. Yaqoob et al. in [5] provide a comprehensive study about the vulnerabilities of the smart medical devices and discuss relevant countermeasures. In [6]. M. Hassan et al. present a detailed analysis of the differential privacy techniques for Cyber-Physical Systems (CPS). U. Sun et al. in [7] introduce a survey regarding the cybersecurity challenges, requirements and threats related to IoMT, thus identifying directions for future research works. Finally, in [8], A. Hady et al. present a thorough review about the Intrusion Detection Systems (IDS) in the healthcare area. Below, we analyse further some notable cases. Each case is analysed in a dedicated paragraph.
In [9], R. Mitchel and I. Chen provide a specificationbased IDS for Medical CPS (MCPS). The proposed IDS is focused on operational data related to the core functionality of MCPS. In particular, they examine three cases: (a) vital sign monitor, (b) cardiac device (CD) and (c) patient-controlled analgesia. Based on the core functionality of these actuators, the authors construct behaviour-based specification rules that define the normal status and operation. Next, these rules are transformed into state machines in order to facilitate the comparison between benign and malicious states. Finally, based on an extensive threat modelling for each case, the appropriate thresholds are identified. The simulation results verify the detection performance of the proposed IDS, exceeding two similar approaches.
In [10], G. Thamilarasu et al. introduce a mobile agentbased IDS for the IoMT. Their implementation is focused on Wireless Body Area Networks (WBANs) [11], [12] and is capable of recognising cyberattacks at the device or network level. After introducing the necessary background about (a) IoMT, (b) WBANs, (c) security attacks and solutions and (d) mobile agent-based IDS, the authors discuss the mobile agent-based IDS requirements as well as the main threats against WBANs. In particular, the authors discriminate three threats: (a) DoS, (b) data fabrication and falsification and (c) privacy data breach. However, it is worth noting that the proposed IDS cannot distinguish the aforementioned threats, but rather it identifies three classes: (a) normal, (b) malicious and (c) suspicious. Next, the architectural schema is presented, which consists of three main agents (a) sensor agents, (b) cluster agents and (c) detective agents. The sensor agents operate at the device level, while the cluster agents work at the network level. The detective agents are additional nodes that support the other agents when their detection outcome is not accurate. The agents adopt regression and typical classification ML techniques, such as Support Vector Machine (SVM), Naive Bayes, Random Forest, Decision Tree and K-Nearest Neighbour (KNN). The authors evaluate the proposed IDS in a simulation environment constructed by Omnet. The simulation results demonstrate the efficiency of the proposed implementation in terms of detection accuracy and resource overhead.
M. Mohamed et al. in [13] introduce a specification-based IDS for WBANs. In particular, the authors focus on (a) jamming, (b) sinkhole and (c) flooding cyberattacks against Electrocardiogram (ECG) and Electromyogram (EMG) sensors. These cyberattacks are emulated by introducing the appropriate noise to medical signals. The operation of the proposed IDS relies on six steps, namely (a) Data Acquisition, (b) Filtering, (c) Intrusion Detection, (d) Cancellation, (e) Anomaly Detection and (f) Diagnostic. The intrusion and anomaly detection processes rely on particular specification thresholds defined for the aforementioned medical sensors. More specifically, first, the proposed IDS adopts filters with the aim to reduce medical-based interference. Next, the intrusion detection procedure takes place based on the signal frequency and amplitude. Then, the recognised intrusions are cancelled in order to follow the medical anomaly detection that will lead to the disease diagnosis. Based on the simulation results made in Matlab, the detection performance of the proposed implementation is validated.
In [14], Undoubtedly, the works mentioned previously give significant insights and methodologies. Some of them utilise specification-based techniques, while others adopt anomalybased techniques, such as ML solutions. On the one side, the specification-based techniques are more accurate since they define the normal state and recognise potential deviations. However, they cannot easily discriminate particular cyberattack types. Moreover, they are not scalable since each healthcare device is characterised by different specifications. Therefore, the security experts need to identify and form the necessary specification rules for each of them. Also, the configuration of these devices can be changed or re-programmed, thus making it necessary to adjust the corresponding rules. On the other side, ML and DL methods can distinguish particular cyberattacks, but they rely on intrusion detection datasets that rarely are available publicly, especially for CIs. For this reason, the researchers use existing intrusion detection datasets, such as AWID [15] and KDD-Cup 1999. However, such datasets do not reflect the unique peculiarities of a healthcare environment. Moreover, it is worth mentioning that none of the previous papers investigate intrusions against healthcare communication protocols, such as HTTP and Modbus/TCP. As mentioned, HTTP is widely adopted by many healthcare computing systems, such as EHR, while Modbus/TCP is an application-layer protocol, which is adopted in IoMT. Hence, in this paper, we introduce an IDPS, which recognises efficiently HTTP and Modbus/TCP cyberattacks and adopts active learning in order to re-train itself based on the detection outcome. Moreover, Fig. 1 depicts the steps of the Active Learning methodology, which is composed of four main steps. In the first step, the unlabelled data is assessed by the query strategy named Uncertainty Data Sampling. Then, the data approved by the Uncertainty Data Sampling is fed to the supervised classifiers depending on the corresponding network flows (i.e., HTTP network flows or Modbus/TCP network flows). Next, the supervised classifiers predict the labels that also are verified by a security expert. It is worth mentioning that the security expert has the ability to intervene and change the labels predicted by the supervised classifiers. Finally, the new labelled data is introduced to the new training dataset, which is used to update and re-train the supervised classifiers. The Active Learning methodology is detailed in section IV.

A. Network Flow Monitoring and Collection Module
The Network Flow Monitoring and Collection Module monitors the examined healthcare infrastructure through a Switch Port Analyzer (SPAN), thus receiving the overall network traffic generated by the connected healthcare devices. In particular, it applies Tcpdump in order to capture the network traffic and then CICFlowMeter to generate bidirectional network flow statistics. Two kinds of network flow statistics are generated related to (a) HTTP and (b) Modbus/TCP. The differentiation between these statistics is achieved through the source and destination TCP/IP ports. HTTP utilises the 80 TCP port or the 443 TCP port whether the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol is applied. On the other side, Modbus/TCP listen to the 502 TCP port.

B. Intrusion Detection Engine
The Intrusion Detection Engine is the core module of the proposed IDPS. It consists of two supervised classifiers for the HTTP and Modbus/TCP, respectively. The HTPP classifier can recognise four relevant cyberattacks, namely (a) DoS, (b) SQL injection, (c) bruteforce and (d) XSS. The first HTTP-related cyberattack floods the target healthcare system with HTTP packets. The SQL injection intends to accomplish unauthorised access cyberattacks. The bruteforce attack aims to discover the passwords of web applications by using all possible choices. Finally, XSS injects malicious scripts into the web applications. On the other side, our previous work in [4] describes the possible Modbus/TCP cyberattacks. In particular, the Modbus classifier is capable of discriminating the following cyberattacks: (a) modbus/function/readHoldingRegister, (b) modbus/scanner/uid, (c) modbus/function/readDiscreteInput, (d) modbus/dos/writeSingleCoils, (e) modbus/function/writeSingleRegister, (f) modbus/function/readInputRegister, (g) modbus/function/readCoils (DoS), (h) modbus/function/readHoldingRegister (DoS), (i) (modbus/function/readDiscreteInputs (DoS)), (j) modbus/dos/writeSingleRegister, (k) modbus/scanner/getfunc, (l) modbus/function/writeSingleCoils and (m) modbus/function/readInputRegister (DoS). Regarding the ML and DL techniques, for the HTTP protocol, a Decision Tree classifier is utilised, while the Random Forest classifier is used for Modbus/TCP. The evaluation of these classifiers is analysed in V.

C. Notification and Response Module
The Notification and Response Module notifies the security expert about the possible security events via a webbased interface. The security events follow the format of the AlienVault OSSIM security events [16]. Moreover, through the aforementioned web interface, the operator has the ability to check and change the labels of the potential security events. Furthermore, the Notification and Response Module generates and applies some automate firewall rules that can mitigate or even prevent the various cyberattacks. For this purpose, the Linux firewall, namely iptables, is adopted, utilising data from the TCP/IP network flows extracted by the Network Flow Monitoring and Collection Module.

IV. ACTIVE LEARNING: PROBLEM FORMULATION AND METHODOLOGY
Active Learning is commonly adopted when there are no available labelled training datasets as in our case (i.e., intrusion detection in a healthcare ecosystem) since CIs cannot label and disclose their sensitive data. It provides an operational framework, which selects the most useful and informative data samples from a set of unlabelled data in order to optimize and construct a training dataset, which in turn will lead to producing more accurate supervised ML and DL classifiers (hypothesis). Unlike Passive Learning, which collects and feeds data samples randomly, Active Learning assesses the data samples based on particular criteria, thereby providing a training dataset with fewer data samples that include the most informative observations. These samples should be characterized by three main properties: (a) they should be represented, (b) they should be representative and (c) they should output accurate detection results. Usually, there is an external factor that annotates the samples investigated, such as a human annotator. Three main methods are utilized by an Active Learner in order to query for data samples: (a) query synthesis, (b) stream-based selective sampling and (c) pool-based sampling. The first case synthesizes the data samples de novo, thus producing never observed data samples. However, it does not consider the data distribution, which can be informative by the hypothesis. The other methods solve this problem. The stream-based selective sampling method receives data samples as streams continuously and decides based on a query strategy which data samples should be labelled or not. After the labelling process by the external factor (e.g., a human operator), they are moved into the training set. On the other side, the pooling method creates first a pool with unlabelled data samples and sequentially decides based on a query strategy which of them will be labelled. After the labelling process by the external factor, they are moved into the training set.
Supposing that the TCP/IP network flows from the healthcare environment flow continually and utilizing the poolingbased sampling method, let x be an unlabelled network flow from the input space X and y the respective label defined by the HTTP and Modbus/TCP threats discussed in subsection III-B, including also the normal state. Moreover, let U be a set of unlabelled TCP/IP network flows within a pool. The later is collected by the Network Flow Monitoring and Collection Module. Moreover, let L be the training dataset consisting of the labelled TCP/IP network flows. We define the function f (x) = y as the target function, which absolutely classifies the unlabelled TCP/IP network flows in the correct classes. On the other side, we define h(x) = y as the respective, supervised classifier, which predicts the label of an unlabelled TCP/IP network flow after the training process. Thus, the generalization error E can be expressed by equation 1.
where l is the squared error function defined by equation 2.
where l is the squared error function defined by equation 2. Therefore, the Active Learning problem lies in the fact that the generalisation error should be minimised based on the new optimum training dataset L. In other words, we need to identify and label those unlabelled TCP/IP network flows in the pool that next will be used in order to re-train the supervised classifiers (hypothesis) for the HTTP and Modbus/TCP protocols with the most efficient accuracy. To this end, there are various query strategies, namely (a) Uncertainty Sampling, (b) Query-by-Committee, (c) Expected Model Change, (d) Expected Error Reduction, (e) Variance Reduction and (f) Information Density. In this paper, we adopt the Uncertainty Sampling strategy, which takes advantage of the classifier's (hypothesis) detection uncertainty. In particular, the rationale behind the Uncertainty Sampling in the proposed IDPS is to ask the external factor about those unlabelled TCP/IP network flows for which the hypothesis is less confident. In our case, the external factor is the same hypothesis since the IDPS should be re-trained by itself. Moreover, a security expert can verify or change the labels of the selected unlabelled TCP/IP network flows from the web-based interface of the Notification and Response Module. The key point of the Uncertainty Sampling lies in the criterion used for calculating the uncertainty. For this purpose, various measures have been specified in the literature, such as (a) entropy, (b) least margin and (c) the least confident of prediction. In this work, we adopt the entropy criterion, which is defined by equation 3.
where p θ denotes the probability of class i for the observation x, while θ denotes the parameters of the supervised classifier (hypothesis). Therefore, the entropy criterion selects those TCP/IP network flows x * from the pool U that satisfy the equation 4. In this paper, δ is defined experimentally.
Based on the aforementioned remarks, Algorithm 1 defines the active learning procedure of the proposed IDPS. First, L is an initial training dataset with a few data samples that are used to train h(x) for the HTTP protocol and the Modbus/TCP protocol, respectively. In particular, for the HTTP protocol, L was formed, utilising the CIC-IDS2017 dataset, while regarding the Modbus/TCP protocol, L was constructed, by emulating the cyberattacks analysed in our previous work [4]. On the other side, the Network Flow Monitoring and Collection Module fills U . While the size of U is greater than zero and if the entropy criterion is satisfied for each record in U , h(x) predicts the label of the corresponding record and the security expert verifies or changes the outcome of this prediction via the webbased interface of the Notification and Response Module. Next, the specific record of U is added in L, which then is used to re-train h(x).  Accuracy = T P + T N T P + T N + F P + F N (5) T P R = T P T P + F N F 1 = 2 × T P 2 × T P + F P + F N Moreover, a plethora of ML supervised classifiers were tested, including (a) Decision Tree, (b) Random Forest, (c) KNN, (d) SVM, (e) Naive Bayes, (f) Multi-Layer Perceptron (ML) as well as two DL supervised classifiers, namely Dense Deep Neural network (DNN) Relu and Dense DNN Tanh originating from our previous work in [17]. After the last retraining procedure implemented by the Active Learner, Table I shows the evaluation results for the cyberattacks against the HTTP protocol. The Decision Tree achieves the best performance, where Accuracy = 0.9644, T P R = 0.9111, F P R = 0.0222 and F 1 = 0.9111. In a similar manner, Table II depicts the evaluation results related to the detection of the cyberattacks against the Modbus/TCP protocol. In this case, the best performance is carried out by Random Forest, where Accuracy = 0.94454, T P R = 1, F P R = 0.10166 and F 1 = 0.94250. Finally, Figs.3-2 show how the accuracy is increased in each case during the re-training phases. The new reality in the healthcare ecosystem introduces significant cybersecurity issues that can lead to devastating consequences or even fatal accidents. In this paper, we presented an IDPS, which is capable of detecting and mitigating cyberattacks efficiently against the HTTP and Modbus/TCP protocols that are widely adopted in the e-healthcare services. On the one hand, HTTP is utilised by typical, ICT healthcare services, such as EHR, while Modbus/TCP is used by IoMT. Given the rarely available intrusion detection datasets related to CIs and especially to the healthcare domain, the main novelty behind the proposed IDPS is its ability to re-train itself, utilising an Active Learning approach. The evaluation analysis demonstrates the efficiency of the proposed IDPS against HTTP and Modbus/TCP cyberattacks, showing additionally how the overall accuracy is increased during the re-training phases.

VII. ACKNOWLEDGEMENT
This project has received funding from the European Unions Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).