Introduction

The IoT refers to a network of computers and other electronic gadgets that may exchange information and resources safely through the web. The IoT is superior to existing networks because it requires fewer human interactions, provides a broader context, and can be easily expanded [1].

Home automation, wearable tech, smart firefighting, smart metering, improved production, and intelligent structures are just a few examples of the many innovations made possible by the widespread use of IoT [2]. The security of IoT devices is still an issue, despite the fact that their use cases are expanding all the time. Manufacturers of IoT gadgets are more concerned with making their products more appealing to consumers by adding new features and functionalities and streamlining their designs to make the gadgets smarter and more cost-effective. Inadequate protections have led to a rise in cyber-attacks on Internet of Things gadgets in recent years.

Smart cities, smart homes, smart healthcare, etc. are just a few examples of where the IoT is gaining traction. As a result of this increased connectivity, several novel uses have been developed for IoT devices. The downside is that IoT devices may be used in public places or even dangerous areas [3], making them vulnerable to a wide range of threats. Because of their inherent simplicity, IoT devices are frequently compromised. Large volumes of data generated by many IoT devices could be utilized to control vital industrial facilities, wearable medical equipment, traffic signals [4], and so on. Data manipulation attacks are among the most damaging that an adversary can execute against an IoT device [5]. An adversary’s goal in such an assault is to alter IoT data in a way that causes the system to malfunction and lead to bad control decisions. Incorrect temperature readings, for instance, could lead to the control unit of a factory arbitrarily switching on and off the cooling system, potentially resulting in serious damage to the equipment and even injuries to the workers. As a result, assaults on the IoT that involve data tampering can result in substantial economic loss, damages to infrastructure, and even human injury [6]. This research proposes an integrity detection method to identify data manipulations in IoT devices as a solution to this problem.

To keep data accurate and comprehensive is to ensure its integrity. However, there are several ways in which messages might go wrong during wireless transmission in IoT applications [7], including attenuation, distortion, and the introduction of noise [8]. When there is an error, the receiver is unable to accurately decode the signal and obtain the intended symbol. Error-correcting codes, often known as channel coding [9], are necessary for data security. Error-correcting codes guarantee reliable operation of IoT infrastructure. They protect the reliability of communication channels even when environmental factors such as noise, deformation, and attenuation are present [10]. One of the easiest and most well-known error-detection systems in digital communication uses the parity bit. Information is divided up into chunks [11]. Each block has an extra bit added to it so that the sum of the 11 bits already present in the block, plus the extra bit, adds up to an even number. If there is even a single bit error in the block, the number of ones will be off. Consequently, this enables the isolation of individual mistakes.

Limitations in processing power and memory mean that only a small subset of possible instruction sets can be executed by IoT devices [12]. Therefore, they can’t record, track, and analyze data sent by IoT gadgets. Because of this, forensic investigation of attacks on IoT devices has proven challenging for security researchers. Because of these constraints, gathering evidence might be difficult during a forensic investigation [13]. Enhancing the network’s resilience and security in an IoT environment calls for specialized tools and methods. More powerful forensic procedures need to be developed and used for the research and examination of IoT devices [14]. The forensic analysis method is an effective tool for avoiding the aforementioned problems. To automate the process of detecting attacks on IoT devices and creating the associated logs and alarms, a forensic analysis framework is proposed in this research. To establish the perpetrator, motive, and effects of a security breach, a thorough post attack investigation known as a forensic analysis is conducted. It is similar to Security Incident Management (SIM) [15], in which security events on a network are identified and then acceptable actions are taken to accommodate for compromised security standards. Network auditing is a pre-examination of the vulnerabilities in a network, while forensic analysis is a post-study of the security breaches that documents how and when something happened [16].

A remote logging server circumvents the framework’s data gathering constraints. To facilitate forensic investigation, communication from IoT devices is diverted to a logging server where alarms and logs of malicious attack traffic [17] are generated and kept. A forensic server generates new copies of these logs and analyses them for clues about assaults and their perpetrators [18]. The four phases of any forensic analysis are data collection, inspection, analysis, and documentation and reporting. Information pertinent to a certain assault is gathered in the course of data collecting [19]. The main issue was data collecting, which was hampered by the limited processing capability of IoT devices. When attacks were suspected, no evidence was ever located [20]. The proposed solution employs a monitoring node in the network that maintains logs of malicious traffic and generates alerts to receiving nodes for detecting attacks. The cloud based data integrity verification model is shown in Fig. 1.

Fig. 1. Cloud based data integrity verification model

To aid with IoT forensic analysis, the proposed system combines a machine learning model with a specialized forensic analysis reporting model. In addition to assisting in the creation of rules for attack detection, the forensic server can also provide a fresh alarm whenever malicious traffic is detected in the network [21]. These attack rules are incorporated into the proposed system. Automated defense against attacks is provided by machine learning. After these steps have been completed, several reports detailing the type, frequency, and potential responses to attacks are generated [22]. With this forensic information, the full picture of the attack can be analyzed and the perpetrators can be tracked down.

The forensic analysis process first identifies evidence from public datasets and then collects samples. The collected data is analyzed as part of the forensic process, and the attribute ranges are documented for use in future processing. The documented values are then presented for use in integrity verification. There are four main steps in the forensic process: finding prospective evidence, collecting it, analyzing it, and writing a report. The forensic analysis process is shown in Fig. 2.

Fig. 2. Forensic analysis process

It takes a lot of data analysis and intelligent computation to spot threats and attacks in an IoT environment. To detect threats, these platforms make use of cutting-edge computer systems based on machine learning and smart computing. To discover and reveal the presence of adversaries, digital forensics requires extensive data analysis, such as retrieving and authenticating system logs, assessing information stored in blockchains, etc. To facilitate virtualized resource sharing, it collects and analyses data from access and system logs using blockchain technology. In the early stages, adversary classification and differentiation are aided by the management of system-related records, audit systems, and access controls. This aids in isolating the source of the attack and preventing it from spreading to other systems. Paradigms in machine learning facilitate the differential appraisal and examination of exact information over time and with less complexity. Regular testing and training are carried out over a wide range of data collected from the IoT ecosystem to detect the presence of such threats. Information analysis and consequences based on trust, authorization, and authentication are crucial in making security-related decisions. This research proposes a Multi-level Data Integrity Model with Dual Immutable Digital Key based Forensic Analysis for securing the IoT data.

For digital forensics to be admissible in court, evidence management must adhere to strict legal criteria. The acquired evidence must be shown to be authentic and unaltered. The investigation of computer-related crimes requires the use of specialized computer forensics software and associated toolkits in accordance with generally acknowledged procedures and criteria. By its very nature, digital evidence is fragile, and any mistakes in its treatment or investigation render it unusable as evidence. Because digital evidence can be altered easily, it must be collected, preserved, and documented with the utmost care. Investigators in the field of computer forensics must operate ethically because their work will be scrutinized by a court of law if the case ends up there.

Any system that stores, processes, or retrieves data must be designed, implemented, and used with the utmost care to ensure data integrity during the whole duration of the data’s life cycle. Even within the same broad field of computers, the phrase might have wildly varied meanings depending on the exact situation. Data integrity is the safeguarding of data against unauthorized alteration [23]. Data privacy refers to the protection of personally identifiable information while it is accessible to the public. Any group or individual can benefit from adhering to strict data privacy guidelines. Information on a person’s life and circumstances is necessarily limited. Users may choose whether or not to share the information. There is little room for privacy for anyone if there is no system in place to protect it. There is a clear distinction between data security, which is generally understood to involve protecting and preserving the information users provide from other unknown persons, and data privacy, which is the act of determining who has access to the data and for what purpose.

Literature Survey

Arlene John et al. [24] evaluated and contrasted a number of AI-based binary classifiers for verifying the authenticity of data collected by IoT-enabled wearable sensors. The amount of information saved and sent can be reduced by detecting data corruption at the network’s periphery and then removing it. As a result, IoT devices can function with less memory and less electricity. The paper examines a number of machine learning-based classifiers for validating ECG data. The feature vectors are computed using Signal Quality Indices (SQIs) that are low-complexity measures of kurtosis and skewness.

The IoT is a cutting-edge innovation that has the potential to revolutionize many different markets by enabling real-time data collection to boost productivity while cutting costs. The IoT is helping Maritime Transportation Systems (MTSs) prevent ship collisions, boost shipping efficiency, and cut down on revenue loss for harbors and shipyards. IoT-enabled MTSs create a vast quantity of real-time data that, when paired with previous data, is used to efficiently anticipate the future trajectories and concentrations of vessels on the sea. However, the MTS marine traffic data cannot be handled efficiently using conventional big data analysis techniques, and its validity must be verified before it can be used for purposes such as the prediction of vessel paths and high-density zones. Liu et al. [25] designed a data integrity checking scheme for IoT-enabled MTS that is both adaptable and capable of restoring original data. Erasure coding is used to encode vessel data blocks in the proposed approach.

For generic IoT applications, Wu et al. [26] provided a safe distributed estimation approach that is immune to data integrity assaults. A resilient optimal estimation target for protecting the entire IoT system is constructed by capitalizing on the attackers’ spatial sparsity. A phony data processor is then created to mitigate the negative outcomes of the assaults. The method’s convergence is examined. It demonstrates that under practical conditions wherein all communication connections and sent data are arbitrarily compromised the estimation error will converge to be uniformly constrained for all circumstances. To back up theoretical findings, the author also gave simulation results using a model Internet of Things network consisting of 50 nodes and 145 edges.

As MTSs that take advantage of the IoT continue to evolve, it will become increasingly important to not only store the huge amounts of data created by these systems in a cost-effective and dependable manner, but also to analyze this data as soon as possible. Users can save their information in the Cloud-based Maritime Transportation Systems (CMTS) without having to worry about factors like cost, storage space, physical location, etc. However, CMTS also raises significant security concerns, the most pressing of which is the integrity protection of outsourced data, which is essential to the security, dependability, and efficiency of shipping channels. To address this issue, Li et al. [27] provided a method of auditing CMTS data for integrity that is both dynamic and based on the user’s identification. By conducting audits in batches, this system reduces the administrative load associated with key management and boosts auditing efficiency. This approach not only eliminates the communication overhead of the auditing phase, but also has the lowest computing cost across all entities, as demonstrated by a comparison of its performance with that of similar schemes.

Threatening cyber-assaults against the IoT-based smart grid include data integrity attacks (DIA). An attacker has a difficult time obtaining or inferring the branch parameters. Time and circumstance can alter or upset them. Zhang et al. [28] developed the whole category of DIA by designing the zero-parameter-information DIA (ZDIA), which allows the attacker to carry out covert data tampering attacks without knowing the parameters of the branches being targeted. Such an attack can be built with only the cut line’s topology information. In addition, the authors broaden the scope of ZDIA to include scenarios in which a bus or super-bus has only a few cut lines leading to the outside world.

Yazid et al. [29] discussed a fresh authentication strategy for IoT-based vehicle monitoring systems. The proposed technology, which is based on parallel hash chains, is well suited for low-cost and power-efficient IoT gadgets. The need to send secret keys over the network is eliminated since encryption keys are continuously created on parallel hash chains on both the IoT device and the server. Two transmission handshakes are all that are needed for identification and data transmission with the suggested technique. It eliminates the need for on-device random number generation, which is both hardware intensive and a possible security risk in IoT devices.

Cryptographic hash functions have the critical property that altering even a single bit of the input produces an entirely different digest, so they cannot indicate that two files are similar. However, a hash function that preserves similarity is essential in computer forensics since it allows for the discovery of previously unknown material. Forensics investigators are having a difficult time figuring out how to use data from these gadgets. For efficient application management, Mahrous et al. [30] introduced a blockchain-based IoT computer forensics architecture that employs both the conventional hash for authentication and the fuzzy hash in order to build the Blockchain’s Merkle tree. When compared to traditional hashing methods, fuzzy hashing increases the likelihood that damaging information may be uncovered.

When it comes to the IoT and its capacity for facilitating smart mobility, the Internet of Vehicles (IoV) has emerged as a crucial data sensing and processing platform. Users of the IoV and law enforcement authorities benefit from the combined efforts of both the cameras installed in vehicles and those stationed along the roadways. To provide these forensic services effectively, it is crucial to ensure that data flow between vehicles is both secure and private. In this research, Zhang et al. [31] presented an incentive authentication scheme (LIAS) that is both lightweight and practical for use in IoV forensic services. The layers of LIAS’s architecture are the cloud, the fog, and the user. The privacy and security concerns around forensic services in IoV for ITS inspired this research. The purpose is to strengthen vehicle security and privacy without sacrificing the convenience and efficiency of data sharing across vehicles. To make the most of the capabilities of near-user edge devices and the links between fog nodes and devices, fog-assisted IoV is introduced. The challenges of protecting the privacy and security of automobiles persist, though. Furthermore, information diffusion in automobiles could be easily tracked due to the inherent flaw of wireless communication.

As the amount of data transmitted by email continues to rise, investigators are faced with the formidable issue of extracting the necessary semantic information from the massive amounts of emails, which slows down the investigation. The offender now has an advantage when trying to cover their tracks. Existing keyword-based search algorithms and filtering frequently result in irrelevant, short-sequence emails that bypass important content. To address the aforementioned shortcoming, Hina et al. [32] offered a novel efficient method for multiclass email classification called SeFACED, which makes use of Long Short-Term Memory (LSTM) based Gated Recurrent Neural Network (GRU). SeFACED can process long dependencies of 1000 + characters, not just short ones. By comparing its results to those of more conventional machine learning methods, deep learning models, and state-of-the-art research, SeFACED is able to fine-tune the parameters of LSTM-based GRUs for optimal performance.

The increased use of encryption technology in recent years has presented significant hurdles to computer forensic investigation by making it easier for criminals to conceal damaging data from security regulatory bodies. As a result, research into methods for detecting and analyzing encrypted data is essential. In this study, Li et al. [33] offered an approach to decryption that uses deep convolutional neural networks. The unprocessed information is initially transformed into two-dimensional matrices for use as the network’s input. Then, representative features are provided as the input of succeeding layers using the multiscale extraction of features process with different activation functions. The next step is to use the residual learning operation to improve feature discrimination. This method is used to build a network that can automatically learn the global context of encrypted data by extracting it. The proposed technique also reliably identifies encrypted data using a variety of algorithms.

There has been a dramatic rise in the number of cyber assaults targeting IoT environments recently. The human and monetary costs at all levels of the Internet of Things were high as a result of this. Attacks on the IoT system or its components have become increasingly difficult to identify as cybercriminals have been using anti-forensics activities and deploying strategies and tools to mask their tracks. As a result, the frequency and severity of cyber-attacks against the IoT are both increasing, leading to attacks that are both more efficient and more sophisticated. Conventional safety and forensics solutions, especially in terms of obtaining evidence for attack investigation, are insufficient to prevent and analyze such cyber-attacks. Therefore, there is a pressing need for clearly defined, sophisticated forensics investigation methodologies to foil anti-forensics methods and identify and apprehend cybercriminals. Jean-Paul A. Yaacoub et al. [34] discussed the rise of anti-anti-forensics as a new forensics defense mechanism against anti-forensics operations and covered the many forensics and anti-forensics approaches that can be implemented in the IoT sector, including tools, techniques, types, and problems. Forensics investigators would benefit from knowing the various anti-forensics tools, methodologies, and techniques used by cybercriminals.

Combining AI with other technologies can boost their efficiency. Smart IoT refers to Internet of Things gadgets that also incorporate artificial intelligence. Wearable devices allow for remote control of smart Internet of Things gadgets. Sensors on wearable electronics like smartwatches and smartbands collect data about their users in order to tailor their services to them. Because the generated data are saved in the wearable device’s storage, accessing this data from the device can be helpful in solving crimes. Therefore, Kim et al. [35] offered a forensic paradigm for wearable devices that goes beyond indirect forensics and relies instead on direct interactions made by wireless or interfaces. The ecosystem of wearable gadgets served as inspiration for the forensic paradigm, which was then broken down into separate categories for digital and physical investigation. The authors tested the forensic model on wearables from Samsung, Apple, and Garmin to ensure its versatility.

The literature survey analyzed numerous forensic models for data integrity as well as key handling models. The analysis identified some limitations in the traditional models, such as small key sizes, reuse of keys multiple times, and keys that are easily cracked. Integrity violations also occur even when stronger models are designed. The performance levels of the traditional models can be enhanced using strong cryptography models and accurate authentication models that can enhance the performance levels of the cryptography and data integrity models for forensic analysis.

Proposed Method

Traditional digital forensics makes it simpler to track down and identify hacked devices that may contain useful forensic evidence. However, the variety and unique qualities of IoT devices make forensics an uphill battle. Including smart appliances, smart meters, smart hubs, virtual assistants, and various wearables, there can be up to seventeen separate possible evidence sources in a modern smart home. In addition, the fluidity of the IoT ecosystem causes borders to blur as devices are continually moving in and out of a particular network, either automatically or because the user has physically relocated them. The devices’ mobility across many networks makes it difficult to demarcate cases.

The proposed model for data integrity verification and forensic analysis for cyber-attack detection is shown in Fig. 3.

Fig. 3. Proposed framework

Initially, to perform data transmission, the nodes in the IoT network have to register. After registration, a digital key is generated for each node. The digital key is used only one time. With the help of the digital key the nodes are authorized, so attacker nodes cannot act as normal nodes, because attacker nodes are not provided with a digital key. After the digital key is generated, a random node is selected for data transmission, and that node undergoes a verification process to prove its authenticity. At the multilevel stage, after node authentication, the transmitted data is verified. Once the verification process completes, forensic analysis starts if there is any attack on the data or the node. Finally, the list of attackers is generated based on the attackers within the network.


This research proposes a Multi-level Data Integrity Model with Dual Immutable Digital Key based Forensic Analysis (MLDIM-DIDKbFA) for securing the IoT data.

The following algorithm provides the pseudocode for Data Integrity verification and Forensic analysis for cyber-attack detection.

Algorithm (figure a)

Consider a set of nodes N = {N1, N2,…, Nm} where there can be m number of IoT nodes in a network. Initially the node registrations are performed where each node information is maintained by the network manager for further communication. The node registration is performed as

$${\text{nodeaddr}}\left( n \right) = {\text{getlogaddr}}\left( n \right) \in {\text{getphaddr}}\left( n \right)$$
(1)
$${\text{NregSet}}\left[ M \right] = \mathop \sum \limits_{n = 1}^{M} {\text{nodeaddr}}\left( n \right) + {\text{timeInst}}\left( n \right) + \frac{{{\text{getnoderange}}\left( n \right)}}{{{\text{nextNodeaddr}}\left( n \right)}} + {\text{Th}}$$
(2)

Here nodeaddr() is the model used to obtain the IoT node address, timeInst() gives the registration entry time of the current node n, and getnoderange() gives the maximum range of the IoT network. Th is the threshold value added during registration to prevent attackers from misleading the registration of nodes.

After each node in the set Nm is registered with the network, each node is assigned a digital immutable key that cannot be altered in the network. The digital key is used for validation of nodes during data transmission. The digital key is used only one time by a node. The immutable digital key generation is performed as

$${\text{TimeS}} \leftarrow {\text{getTime}}\left( {{\text{MMSS}}} \right)$$
(3)
$${\text{Rval}} \leftarrow {\text{rand}}\left( {{1,}\,{\text{getnoderange}}\left[ {\text{M}} \right]} \right)$$
(4)
$${\text{Min}} \leftarrow {\text{input}}\left( n \right) {\text{where len}}\left( n \right) > 5$$
(5)
$${\text{Max}} \leftarrow {\text{input}}\left( n \right){\text{where}}\ n > {\text{min}}$$
(6)
$${\text{Ival}} \leftarrow {\text{getPrime}}\left( {{\text{Min,}}\,{\text{Max}}} \right)$$
(7)
$${\text{Sval}} \leftarrow {\text{Input}}\left( n \right)\ {\text{where}}\ n < {\text{Rval}}\ {\text{and}}\ n > {\text{Ival}}$$
(8)
$${\text{Ikset}} = \mathop \sum \limits_{n = 1}^{M} \frac{{{\text{Rval}} \oplus {\text{Sval}}}}{{{\text{Rval}}||{\text{Ival}}}}$$
(9)
$${\text{Dkey}}\left[ M \right] = \mathop \prod \limits_{n = 1}^{M} \frac{{{\text{Ikset }}\& \& {\text{Rval}}}}{{{\text{Sval}} \oplus {\text{Ikset}}}} \ll 2$$
(10)
$${\text{Dkey}}\left[ {{\text{Status}}} \right] \leftarrow 1\,{\text{if}}\,\left( {{\text{getTime}}\left( {{\text{MMSS}}} \right)} \right){ < }\,{\text{Time}}S + 15$$
(11)

To monitor the data transmission and behavior of IoT nodes in the network, an arbitrary node AN is selected that has the best delivery rate and low delay levels. The arbitrary node selection is performed as

$${\text{Anode}}\left[ M \right] = \mathop \coprod \limits_{n = 1}^{M} {\text{Node}}\left( {{\text{NregSet}}\left( n \right)} \right) + {\text{max}}\left( {\mu \left( n \right)} \right) + {\text{max}}\left( {\delta \left( n \right)} \right)$$
(12)

Here µ is the node computational capability level and δ is the transmission success rate. The node whose computational capabilities and transmission rate are maximum is selected as the AN node for monitoring the IoT network.

Each IoT node Ni will be allowed to initiate data transmission only after validation. IoT node validation during transmitting and receiving is performed by the AN node as

$$\begin{aligned} \text{NValid}\left[ M \right] = {} & \sum\limits_{n = 1}^{M} \text{Node}\left( \text{NregSet}\left( n \right) \right) + \text{Dkey}\left( n \right) \leftarrow \text{Anode}\left( \text{Dkey}\left( n \right) \right) \begin{cases} \text{set } T \leftarrow \text{active} & \text{if Dkey}\left[ \text{Status} \right] == 1 \\ T \leftarrow \text{deactivate} & \text{otherwise} \end{cases} \\ \text{Kreq}\left[ L \right] = {} & \sum\limits_{n = 1}^{L} \text{getKey}\left( \text{NregSet}\left( n \right) \right) \to \text{AN}\left( \text{Dkey} \right) \left\{ \text{if Dkey}\left[ \text{Status} \right] == 0 \right. \end{aligned}$$
(13)

If T is active, then the sender can transmit and the receiver can receive the data. Node validation is performed only when the key status is 1. Otherwise a new key request for the remaining L nodes is made to the AN node.

It is known that data integrity has been preserved when it is guaranteed to be free of corruption and readily available only by authorized parties. Data integrity, the maintenance and guarantee of accurate and consistent information across all communication channels so as to prevent attackers from modifying the data, must be taken into account in the development, execution, and maintenance of any system that maintains, processes, or retrieves data. The data integrity verification is performed as

$$\begin{aligned} \text{Dintegrity}\left[ M \right] = {} & \prod\limits_{n = 1}^{M} \frac{\text{simm}\left( \text{D}\left( \text{NregSet}\left( n \right) \right),\ \text{D}\left( \text{NregSet}\left( n + 1 \right) \right) \right)}{\lambda } + \min \left( \text{NregSet}\left( D \right) \right) \\ & \begin{cases} \text{set Int} \leftarrow \text{Max} & \text{if NValid} == 1\ \text{and}\ D\left( \text{simm} \right)\ \text{and key} \in \text{DKey}\left[ M \right] = G \\ \text{set Int} \leftarrow \text{Norm} & \text{if NValid} == 1\ \text{and}\ D\left( \text{simm} \right)\ \text{and key} \in \text{DKey}\left[ M \right] < G \\ \text{disimilar} & \text{otherwise} \end{cases} \end{aligned}$$
(14)

The cyber-attack detection forensic analysis is performed if an attack is detected in the network that violates data integrity. The forensic analysis report is produced and the set of attack-causing nodes ATK{A1, A2,…, AN} is generated as

$${\text{ATKset}}\left[ M \right] = \mathop \sum \limits_{n = 1}^{M} \frac{{{\text{NregSet}}\left( n \right)}}{{{\text{noderange}}\left( M \right)}} + \left\{ {\begin{array}{*{20}c} {{\text{Node}}\left( {{\text{NregSet}}\left( n \right)} \right) \leftarrow {\text{Nodeaddr}}\left( n \right)if\left( {{\text{Int}} \leftarrow {\text{disimilar and Norm}}} \right)} \\ {{\text{Node}}\left( {{\text{NregSet}}\left( n \right)} \right) \leftarrow if\left( {{\text{nodeadrr}}\left( n \right)} \right) \notin NregSet\left[ M \right]} \\ \end{array} } \right.$$
(15)
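
One way to realise the two conditions of Eq. (15), an integrity mismatch and a node address outside the registered set, as an added example that is not the paper's implementation. It swaps the paper's similarity measure for HMAC-SHA256 (the hash-based MAC the conclusion names as future work); the registry, keys, addresses, record layout and the sequence-number replay check are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed registry (stand-in for NregSet and DKey): node address -> key.
REGISTRY = {
    "10.0.0.11": b"constructed-key-node-11",
    "10.0.0.12": b"constructed-key-node-12",
}

def make_tag(key, addr, seq, payload):
    """HMAC-SHA256 over a length-prefixed, unambiguous encoding of the record."""
    a = addr.encode()
    msg = struct.pack(">H", len(a)) + a + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def classify(record, registry, last_seq):
    """Return 'valid', 'unregistered', 'dissimilar' or 'replayed' for one record."""
    addr, seq, payload, tag = record
    key = registry.get(addr)
    if key is None:                      # address not in the registered set
        return "unregistered"
    if not hmac.compare_digest(make_tag(key, addr, seq, payload), tag):
        return "dissimilar"              # payload or header was altered
    if seq <= last_seq.get(addr, -1):    # assumption: sequence numbers only grow
        return "replayed"
    last_seq[addr] = seq
    return "valid"

def attack_set(records, registry):
    """Collect {address: [(seq, verdict), ...]} for every record that fails."""
    last_seq, flagged = {}, {}
    for rec in records:
        verdict = classify(rec, registry, last_seq)
        if verdict != "valid":
            flagged.setdefault(rec[0], []).append((rec[1], verdict))
    return flagged

def sample_records():
    """Constructed traffic: a clean reading, a tampered one, a replay, a rogue node."""
    k11, k12 = REGISTRY["10.0.0.11"], REGISTRY["10.0.0.12"]
    clean = ("10.0.0.11", 1, b"temp=21.5", make_tag(k11, "10.0.0.11", 1, b"temp=21.5"))
    tampered = ("10.0.0.12", 1, b"temp=85.0", make_tag(k12, "10.0.0.12", 1, b"temp=22.0"))
    rogue = ("10.0.0.99", 1, b"temp=20.0", b"\x00" * 32)
    return [clean, tampered, clean, rogue]

if __name__ == "__main__":
    for addr, events in attack_set(sample_records(), REGISTRY).items():
        print(addr, events)
```

The per-address report keeps the sequence number and the reason for each rejection, which is the minimum a forensic report needs in order to separate altered data from traffic sent by an unregistered node.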

Experimental Results

This research proposes a Multi-level Data Integrity Model with Dual Immutable Digital Key based Forensic Analysis (MLDIM-DIDKbFA) for securing IoT data. The proposed model is compared with the traditional Binary Classifiers for Data Integrity Detection in Wearable IoT Edge Devices (BCDTED) [25] and Distributed Estimation against Data Integrity Attacks in IoT Systems (DEA-DIA) [26]. Blockchain is generally used to maintain security, but creating a block and inserting or updating data in it is a time-consuming process that increases the time complexity. The proposed model therefore spends less time maintaining data integrity and, without using blockchain, maintains high data integrity levels compared with the existing models. Compared with the traditional models, the proposed model takes less time for node registration. Its immutable digital key generation accuracy is higher than that of the traditional models, and its intermediate node verification accuracy is also higher. The forensic analysis accuracy of the proposed model is high, which reflects that the model performs well at multiple levels.

The proposed model also performs node registration to maintain node information in the network for node-to-node communication, so that nodes can be easily recognized in the network. The node registration time levels of the proposed and existing models are shown in Table 1 and Fig. 4. In the IoT network, each node establishes wireless contact with other nodes for information transmission. Each node in the network has to register with the network administrator so that its information can be used and the node can be easily recognized by the unique identity allocated after registration. The proposed model takes only 12 ms to register 300 nodes and allocate unique identities for future communication. This is much less than the traditional models, which take 18.6 and 21 ms, respectively, for 300 nodes.

Table 1 Node registration time levels

Fig. 4 Node registration time levels

An immutable digital key is a key that nodes in the IoT use for verification before taking part in communication, which helps avoid cyber-attacks in the network. Forensic investigation can be performed to detect attacks, and the immutable digital key is helpful for node validation. The immutable digital key generation accuracy levels of the proposed and traditional models are presented in Table 2 and Fig. 5. The proposed model generates immutable keys for the nodes in the IoT network to authenticate nodes during transmission. The keys generated are strong and cannot be tampered with. The immutable digital key generation process achieved an accuracy of 97.6% when generating keys for 300 nodes. The proposed model uses a lightweight cryptography technique for this key generation that is strong and accurate. The traditional models achieved 92.6 and 89.8 percent accuracy, which is much lower than the proposed model.

Table 2 Immutable digital key generation accuracy levels

Fig. 5 Immutable digital key generation accuracy levels

In the IoT, each node transmits data to its neighbor nodes for successful data transmission. The nodes in the IoT can be authenticated to maintain data integrity, and attack detection can be performed with node verification. Table 3 and Fig. 6 show the intermediate node verification accuracy levels of the proposed and existing models. The proposed model performs intermediate node verification to analyze node performance levels. Node performance metrics such as loss, delay and transmission rate are analyzed, and the proposed model achieved 98.2% accuracy in assessing 300 nodes in the IoT network. The traditional models achieved 92.5% and 94.8%, respectively, for 300 nodes, which is lower than the proposed model. The integrity model performs better in verifying node performance levels.

Table 3 Intermediate node verification accuracy levels

Fig. 6 Intermediate node verification accuracy levels

There are a number of reasons why it’s crucial to safeguard IoT data. One benefit of data integrity is that it guarantees data can be recovered and searched, as well as traced and connected. Stability, performance, and reusability are all boosted by safeguarding data accuracy and validity. Data integrity helps prevent data from being modified by attacks. The multi-level data integrity verification time levels of the proposed and existing models are shown in Table 4 and Fig. 7. The proposed model performs multi-level data integrity verification to check whether there is any tampering or modification in the forensic data, which helps in strong integrity verification. The proposed model performs multi-level data integrity verification by assessing 300 nodes in only 16.4 ms. The time consumed by the proposed model for multi-level data integrity verification at each node is much less than that of the traditional models, which achieved this in 18.7 and 19.8 ms, respectively.

Table 4 Multi-level data integrity verification time levels

Fig. 7 Multi-level data integrity verification time levels

A cyber-attack is any intrusion into a computer, network, or other electronic device with the intent of obtaining, altering, or deleting data. Malware, social engineering, and system vulnerabilities are only some of the tools at the attacker’s disposal. Any attempt to gain unauthorized access to a network, personal computer, or digital device with the goal of stealing, exposing, modifying, disabling, or damaging data, applications, or other assets is considered a cyber-attack. The cyber-attack detection accuracy levels of the existing and proposed models are shown in Table 5 and Fig. 8. The proposed model detects cyber-attacks in the network with an accuracy of 98.5% for 300 nodes. This is much higher than the traditional models, which achieved 95.4% and 91.2%, respectively. The proposed model analyzes each node's attributes and the changes in the attribute ranges, and detects cyber-attacks accurately. Multiple attack patterns can be recognized by the proposed model.

Table 5 Cyber-attack detection accuracy levels

Fig. 8 Cyber-attack detection accuracy levels

Latency refers to the amount of time the IoT network takes for a data packet to travel from its point of origin to its final destination. Latency is typically expressed in milliseconds. An IoT device's power consumption decreases the longer it is dormant. This also means fewer chances for nodes to communicate with one another and share data. Because of this, the device will run more slowly, a phenomenon known as latency. The latency levels of the proposed model are shown in Table 6 and Fig. 9. The proposed model uses lightweight cryptography for key generation and performs multi-level integrity verification for each node in the IoT network. The proposed model's strategy for forensic analysis and data integration uses simple mathematical models that provide high security and low maintenance. The latency of the proposed model is much lower than that of the traditional models: the proposed model shows 11.4% delay levels, whereas the traditional models show 17.6 and 19 percent latency levels, respectively.

Table 6 Latency levels

Fig. 9 Latency levels

When a security breach occurs, or when a node of a network breaks the rules or the law, a forensic analysis is conducted to determine what happened and which node has turned into an attacker node. Forensic analysis is frequently associated with the presentation of evidence to a court. The four main steps in any forensic investigation are collecting potential evidence, examining that evidence, writing up a report, and presenting the results. Table 7 and Fig. 10 present the forensic analysis accuracy levels of the existing and proposed models.

Table 7 Forensic analysis accuracy levels

Fig. 10 Forensic analysis accuracy levels

Forensic analysis serves the overarching goal of analyzing, recovering, documenting, and preserving evidence for a given case. There are four steps involved in the data forensics process: collection, analysis, reporting, and presentation. Data forensic investigations may employ a number of different methods. Cross-drive analysis is one method used for this purpose since it can connect data found on different drives. There are a number of administrative and legal difficulties that investigators must contend with in addition to the more obvious technological obstacles. Attributing malicious conduct in cyberspace can be challenging due to the intricacies of cyber threats and attacks. There are many different standards for data forensics, but they are not universally accepted, and there is no central authority to guarantee that practitioners are competent and adhering to best practices.

The proposed model performs node authentication and multi-level node integrity verification, and analyzes the node attributes and the changes observed in them. The nodes that are causing cyber-attacks can be easily detected from the changes in attributes and the integrity violations. The proposed model performs node assessments at each level and achieves 98.6% accuracy in forensic data analysis. The traditional models are much less accurate, at 92% and 89.8% in forensic data analysis and reporting. The results show that the proposed model performs well in multiple aspects, which indicates that when it is made available for real-time forensic analysis, it will be useful in data analysis and will achieve better accuracy in predictions.

Conclusion

Forensic analysis is the process of thoroughly investigating an attack after the fact to determine what motivated the attacker. The suggested forensic analysis solution gets around the constraints of IoT devices, such as their limited battery life and storage space. The suggested forensic system improves the efficiency and credibility of IoT device forensics in a direct-connected setting. Network traffic is diverted to the logging server and analyzed by comparing it to rules without disrupting the connection between devices. The forensics server stores these logs of malicious traffic and can recreate them using a variety of methods. When attacks are logged on IoT devices, not only are the logs recreated, but a dataset is also made. Data manipulation attacks are particularly dangerous because they can cause widespread disruption to an IoT system. An adversary’s goal in such an attack is to alter IoT data in a way that causes the system to malfunction and make bad control decisions. Large volumes of private information are generated by IoT devices. IoT devices, however, are open to cyber threats because they rely on the public Internet for data transport. An attack that tampers with or modifies data in order to disrupt it could cause widespread harm and outages. Multiple reports are then generated to summarize the specifics of the attack, including the sort of attack, the frequency with which it was launched, and any potential next steps. With this forensic information, the full picture of the attack can be documented, and the perpetrators can be tracked down. The proposed model achieved 98.5% accuracy in data integrity verification, and optimized forensic evaluation metrics can be applied. More attacks, categorized and sub-categorized, can be added to broaden the scope of this study.
To further expand the reach of hybrid machine-learning-based forensic investigation, a dataset of everyday IoT devices can be utilized, and a hash-based MAC can also be applied.