key: cord-0317465-hwzvirv0
authors: Yazdinejad, Abbas; Dehghantanha, Ali; Parizi, Reza M.; Hammoudeh, Mohammad; Karimipour, Hadis; Srivastava, Gautam
title: Block Hunter: Federated Learning for Cyber Threat Hunting in Blockchain-based IIoT Networks
date: 2022-04-21
DOI: 10.1109/tii.2022.3168011
sha: d7dd10b9e1f56d470498d85bdbcce33fa3743b5c
doc_id: 317465
cord_uid: hwzvirv0

Abstract: Nowadays, blockchain-based technologies are being developed in various industries to improve data security. In the context of the Industrial Internet of Things (IIoT), a chain-based network is one of the most notable applications of blockchain technology. IIoT devices have become increasingly prevalent in our digital world, especially in support of developing smart factories. Although blockchain is a powerful tool, it is vulnerable to cyber attacks. Detecting anomalies in blockchain-based IIoT networks in smart factories is crucial in protecting networks and systems from unexpected attacks. In this paper, we use Federated Learning (FL) to build a threat hunting framework called Block Hunter to automatically hunt for attacks in blockchain-based IIoT networks. Block Hunter utilizes a cluster-based architecture for anomaly detection combined with several machine learning models in a federated environment. To the best of our knowledge, Block Hunter is the first federated threat hunting model in IIoT networks that identifies anomalous behavior while preserving privacy. Our results prove the efficiency of Block Hunter in detecting anomalous activities with high accuracy and minimum required bandwidth.

devices are mainly used in B2B (business-to-business) settings, while IoT devices are mostly considered in B2C (business-to-consumer) environments. This leads to a different threat profile for IIoT networks compared to their IoT counterparts, where device-to-device transactions are of utmost importance.
IIoT networks provide an umbrella for supporting many applications and arm us to respond to users' needs, especially in industry settings such as smart factories [1]. The advantages of blockchain technology have led to its wide adoption in IIoT-based networks such as smart factories, smart homes/buildings, smart farms, smart cities, connected drones, and healthcare systems [1], [2]. While the focus of this paper is on the security of blockchain-based IIoT networks in smart factories [3], [4], the suggested framework may be used in other IIoT settings as well. In modern smart factories, many devices are connected to public networks, and many activities are supported by smart systems such as temperature monitoring systems, Internet-enabled lights, IP cameras, and IP phones. These devices store private and sensitive data and may offer safety-critical services [3], [1]. As the number of IIoT devices in smart factories increases, the main issue will be storing, collecting, and sharing data securely. Industrial, critical, and personal data are therefore at risk in such a situation. Blockchain technology can ensure data integrity inside and outside of smart factories through strong authentication and can ensure the availability of communication backbones. Despite this, privacy and security issues remain significant challenges in IIoT [3], [4]. The probability of fraudulent activity occurring in blockchain-based networks [2], [4] is an important issue. Even though blockchain technology is a powerful tool, it is not protected from cyber attacks either. For example, a 51% cyberattack [2] on Ethereum Classic, and three consecutive attacks in August of 2020 [5], which resulted in the theft of over $5M worth of cryptocurrency, have exposed the vulnerabilities of this blockchain network. Smart factories should protect users' data privacy during transmission, usage, and storage [4].
arXiv:2204.09829v1 [cs.CR] 21 Apr 2022

Stored data are vulnerable to tampering by fraudsters seeking to access, alter or use the data with malicious motives. Statistically speaking, these attacks can be viewed as anomalous events, exhibiting a strong deviation from usual behavior [2], [6]. Detecting out-of-norm events is essential for threat hunting programs and for protecting systems from unauthorized access by automatically identifying and filtering anomalous activities [6], [7]. The main objective of this paper is to detect suspicious users and transactions in a blockchain-based IIoT network, specifically for smart factories. Here, abnormal behavior serves as a proxy for suspicious behavior as well [4]. By identifying outliers and patterns, we can leverage Machine Learning (ML) algorithms to identify out-of-norm patterns and so detect attacks and anomalies on the blockchain. Because deep neural networks learn representations automatically from the data they are trained on, they are a candidate solution for detecting anomalies [4], [7]. However, there are challenges with any ML and deep learning-based anomaly detection technique. These methods suffer from training data scarcity problems and privacy issues [7]. Detecting anomalies in the blockchain is a complicated issue [8]. Not only does each block need to be sent to a central server, which increases the training time, but the model also requires new block data in the testing phase [8]. In addition, when ML models are frequently updated to respond to new threats and detect anomalies, malicious adversaries can launch causative/data poisoning attacks to deliberately degrade the ML model. Attackers may intentionally send crafted payloads to evade anomaly detection. A novel and practical approach would be to employ Federated Learning (FL) models to detect anomalies while preserving data privacy and monitoring data quality [7], [9].
FL allows edge devices to collaborate during the training stage while all data stays on the device. We can train the model on the device itself instead of sending the data elsewhere, and only the updates of the model are shared across the network. FL has become a trend in ML where smart edge devices can collaboratively build a shared prediction model [7], [10]. In addition, FL lets multiple actors construct robust machine learning models without sharing data, addressing fundamental privacy, data security, and digital rights management challenges. Considering these characteristics, this paper uses an FL-based anomaly-detection framework called Block Hunter, capable of detecting attack payloads in blockchain-based IIoT networks. The main contributions of the paper are summarized as follows:
1) Utilize a cluster-based architecture to formulate an anomaly detection problem in blockchain-based smart factories. The cluster-based approach increases hunting efficiency in terms of bandwidth reduction and throughput in IIoT networks.
2) Apply a federated design model to detect anomalous behaviour in IIoT devices related to blockchain-based smart factories. This provides a privacy-preserving feature when using machine learning models in a federated framework.
3) Implement various anomaly detection algorithms (clustering-based, statistical, subspace-based, classifier-based, and tree-based) for efficient anomaly detection in smart factories.
4) Consider the impact of block generation, block size, and miners on the Block Hunter framework. Moreover, performance measurements such as Accuracy, Precision, Recall, F1-score, and True Positive Rate (TPR) for anomaly detection are discussed.
Here is a breakdown of the rest of the paper. Section II discusses anomaly detection works in the blockchain and FL. Section III describes the Block Hunter framework and presents the network model and topology design.
In Section IV, the methodology and machine learning approaches to identify anomalies are discussed. In Section V, we present the assessment of the Block Hunter framework. Finally, in Section VI, we conclude the paper and point out future work directions.

In the face of increasing cybersecurity threats and enlarging attack surfaces, it is becoming more complex and challenging to secure IIoT networks and environments [11], [12]. Furthermore, as blockchain technology is increasingly applied in a broad range of fields, anomaly detection is becoming more and more important. Anomalies can thus occur in a wide range of blockchain-based applications. This section discusses research relating to anomaly detection, especially in relation to blockchain and FL. In [13], the authors proposed a framework called BAD to detect anomalies in blockchain-based systems. BAD collects potential malicious activities using blockchain metadata and has interesting features such as distribution to avoid a central point of failure, trust, and privacy. Another work [14] suggests a blockchain and anomaly detection system that recognizes fraud when IoT meter data is tampered with. This research uses polynomial regression, DBSCAN, autoencoder, and LSTM methods to detect tampering. The research by Sayadi et al. [15] proposes an algorithm for anomaly detection over bitcoin electronic transactions. They examined One-Class Support Vector Machines (OCSVM) and the K-means algorithm to group outliers similar in both statistical significance and type. They analyzed their work by generating detection results and found that they could obtain high accuracy. In [16], the authors suggested an approach based on the semantics of anomalies in blockchain-based IoT networks. A method was presented to detect anomalous behavior in the blockchain that gathers metadata in forks to determine mutual informational recognition of anomalous activity.
They developed a tool that improves the security of the blockchain and its connected devices. Also, [17] introduced encoder-decoder deep learning regression for anomaly detection in blockchain security. This work developed an anomaly detection framework that relies on aggregate information derived from bitcoin blockchain monitoring. Their experiments have demonstrated that their model can detect publicly reported attacks using the historical logs of the Ethereum network. Investigation in blockchain shows that the blockchain Edge of Things (BEoT) can enable future services and applications, according to [18]. The authors discuss the latest developments and applications of BEoT. Their findings show that blockchain technology has attracted interest beyond cryptocurrency in the Edge of Things (EoT), as it provides decentralization, immutability, and traceability in EoT systems. The field of FL is undergoing several new kinds of research. The article [7] provides an FL approach to anomaly detection in smart buildings, where FL combined with recurrent neural networks is proposed as a privacy-by-design approach. It shows that it is more than twice as fast during training as its centralized counterpart. They were able to achieve superior performance in both classification and regression tasks compared to baseline methods. Also, in [19], Nguyen et al. presented a self-learning federated system for detecting anomalies in IoT networks. Their system is based on device communication profiles that can detect adverse changes in IoT devices' communication. It employs FL for efficiently aggregating behavior profiles. It was one of the first systems to employ this approach to anomaly detection. Since this system can handle emerging new threats, it can be used to handle a wide variety of threats. The authors of [20] put forward an approach via FL for detecting abnormal client behavior. The ability to detect anomalous client behaviour at the server level is mentioned in their paper.
They detected abnormalities across networks using low-dimensional surrogates of model weight vectors. Experimentally, the detection-based method significantly outperforms conventional defence-based methods. Furthermore, there is a work [21] involving the use of Deep Learning and blockchain-based FL to detect COVID-19. They develop a framework to gather data from various sources and generate a global deep learning model using blockchain-based federated training. By using blockchain to authenticate the data, FL enables models to be trained while preserving privacy. By combining blockchain with federated learning, they developed a system for training global models collaboratively. Their results show better performance in detecting patients via this method. Chai et al. [22] proposed a hierarchical blockchain framework and FL to learn and share environmental data. This framework is functional and efficient for large-scale vehicular networks. FL-based learning meets the Internet of Vehicles' distributed pattern and privacy requirements. Sharing behavior is modeled as a multi-leader, multi-player trading market process to stimulate knowledge sharing. Simulated results indicate that an algorithm based on hierarchical structures can enhance sharing, learning, and managing specific malicious attacks. Furthermore, the authors in [23] deliver a comprehensive investigation on how FL could supply better cybersecurity and prevent various cyberattacks in real time. This work highlights some main challenges and future directions on which researchers can focus for adopting FL in real-time scenarios.

BLOCKCHAIN-BASED IIOT NETWORKS

Fig. 1 presents a detailed overview of the proposed blockchain-based IIoT network for smart factory applications. This cluster-based architecture combines users, base stations, WiFi, service providers, and smart factories connected to the blockchain network. Smart factories include several smart-connected devices.
The service provider can collect sensor data in smart factories and use it based on their applications and services. In addition, Fig. 1 illustrates the relationship between the peers in terms of the information flow between the factory and its smart devices. A transaction represents the exchange of sensitive factory information between parties while working in the blockchain network. A transaction has several inputs and outputs. Blocks consist of a list of transactions, a reference to the previous block, and a hash. Every block is made up of transactions that the block creator, referred to as the miner, has accepted into its memory pool since the previous block. Considering the rigid industrial standards that must be followed when designing and implementing smart factories, it is practical to assume that the functionality of the smart factories in each cluster is the same. Detecting anomalous activities is a significant contributor to automatically protecting a system from unexpected attacks. Conventionally, anomalies in a blockchain are detected by sending each block of data to a central server on every block update. This is not efficient and also raises privacy concerns. FL solutions are promising in tackling this issue. We use FL to update the model frequently and to obtain a global model for detecting anomalies. After learning from each smart factory's data, devices, and service provider, the model's parameters are sent to the parameter server for aggregation and for updating the global model. We provide the details of implementing the Block Hunter framework in the following sub-sections.

We distribute local models across the blockchain-based IIoT network instead of learning an anomaly detection model and evaluating it on a single node. As shown in Fig. 2, the FL setup involves local models as well as distributed smart factory nodes. Instead of a centralized learning environment, K smart factories each learn a local model in an FL manner. The k = 1, ..., K local models have the same structure, but they are trained with different datasets that originate from their connected clients. Our proposed federated anomaly detection algorithm for smart factories in IIoT networks is shown in Algorithm 1. C represents the batch size for the global operation; B determines the local batch size; k indexes the K smart factories; E indicates the number of local epochs; and h represents the learning rate. Initializing begins the process by initializing the model parameters. During the training step, FedAvg [24] is sent to the smart factories and updates the model. Finally, the updated trained model can be tested to detect any anomalies. Based on Algorithm 1, the parameter server starts the FL scheme at t = 0, initializing the local models with a first set of weights. Next, these local models are downloaded from the parameter server to each of the k = 1, ..., K smart factories. Third, using the training data of the corresponding blockchain datasets, each of the k = 1, ..., K local models computes, in parallel, a new local set of weights. Finally, the parameter server aggregates the weights of each client's local model into an improved global model using weighted averaging. Each time the cycle repeats, a new epoch is initiated, until a stopping criterion is reached. We utilize the same design policy for FL as McMahan et al. [24], [25]. They formulate the FL problem as a federated optimization problem by distributing the model $m_t$ to (a subset of) the K clients of the learning federation at time $t_0$. To summarize, the steps of FL in the Block Hunter framework are:
• Federation Construction: the subset of smart factory members (a cluster) is selected to receive the model locally.
• Decentralized Training: when a cluster of smart factories is selected, it updates its model using its local data.
• Model Accumulation: responsible for accumulating and merging the data models.
Data is not sent and integrated from the federation to the server individually.
• Model Aggregation (FedAvg): the parameter server aggregates the model weights to compute an enhanced global model.
At runtime, pre-trained models are sent as local models from the parameter server to the clusters in the Block Hunter framework, taking the blockchain-based IIoT network environment into account. The local models are sent to the smart factories for training over a number of local epochs. Then the parameters and hyperparameters are forwarded to the parameter server, which aggregates the model weights to compute the global model. The global model is the ML model held in the parameter server, whose parameters are updated. When a new cluster joins our framework, the latest global model is sent to that cluster as a pre-trained model; in a real-world application, we can simply follow this approach. The updated global model is sent to the clusters gradually as it evolves. Smart factories have sensitive data, so storing it on the blockchain, with its limited storage, is both financially and computationally costly. Therefore, the actual smart device and sensor data are stored in the smart factory. The smart factory data includes information about the type of data and the control states as well. The premise behind the development of an anomaly detection framework for blockchain-based IIoT networks in smart factories lies in providing a new decentralized system based on FL that leverages all smart factory data while protecting its privacy. Additionally, we will reach a point where we need to address the issue of forks in the blockchain during anomaly detection. In some instances, devices or nodes do not agree on the state of the blockchain, leading to a fork. When blockchain-based applications are being developed, forks become a greater concern because they have the potential to be used for malicious purposes.
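The four-step loop described above (federation construction, decentralized training, model accumulation and FedAvg aggregation) is spelled out below as an added example in Python. It is not the paper's Algorithm 1 or the Block Hunter code: it replaces the paper's PyTorch/PySyft models with a two-feature logistic-regression detector trained on constructed per-factory records, and the parameter names `fraction`, `epochs`, `batch_size` and `lr` stand in for the paper's C, E, B and h. The feature semantics and every numeric setting are assumptions made for the illustration.

```python
import math
import random

# Added example, not the paper's code. K "smart factories" each hold a private
# set of transaction feature vectors [value, fan_out] labelled 1 = anomalous /
# 0 = normal (constructed data). Raw records never leave a factory; only the
# locally trained weights of a logistic-regression detector are uploaded.

def make_local_dataset(rng, n, anomaly_rate=0.2):
    """Constructed local data: anomalies sit far from normal traffic on both features."""
    data = []
    for _ in range(n):
        anomalous = rng.random() < anomaly_rate
        centre = 4.0 if anomalous else 0.0
        data.append(([rng.gauss(centre, 1.0), rng.gauss(centre, 1.0)], 1 if anomalous else 0))
    return data

def sigmoid(z):
    if z < -30.0:
        return 0.0
    if z > 30.0:
        return 1.0
    return 1.0 / (1.0 + math.exp(-z))

def local_train(weights, data, epochs, batch_size, lr, rng):
    """Client step: E local epochs of mini-batch SGD (batch size B, rate lr)
    on logistic regression, starting from the downloaded global weights."""
    w = list(weights)            # [bias, w_value, w_fanout]
    data = list(data)            # shuffle a copy, never the factory's store
    for _ in range(epochs):
        rng.shuffle(data)
        for start in range(0, len(data), batch_size):
            batch = data[start:start + batch_size]
            grad = [0.0] * len(w)
            for x, y in batch:
                err = sigmoid(w[0] + w[1] * x[0] + w[2] * x[1]) - y
                grad[0] += err
                grad[1] += err * x[0]
                grad[2] += err * x[1]
            w = [wi - lr * g / len(batch) for wi, g in zip(w, grad)]
    return w

def fedavg(local_weights, local_sizes):
    """Server step: average client weights, weighted by local dataset size."""
    total = sum(local_sizes)
    dim = len(local_weights[0])
    return [sum(n * w[i] for w, n in zip(local_weights, local_sizes)) / total
            for i in range(dim)]

def run_federated(num_clients=5, rounds=20, fraction=0.6, epochs=4,
                  batch_size=8, lr=0.1, seed=7):
    """One Block Hunter-style FL loop: select a fraction of factories,
    train locally, aggregate with FedAvg, repeat."""
    rng = random.Random(seed)
    datasets = [make_local_dataset(rng, rng.randint(40, 80)) for _ in range(num_clients)]
    global_w = [0.0, 0.0, 0.0]                       # parameter-server initialisation
    m = max(1, int(fraction * num_clients))
    for _ in range(rounds):
        chosen = rng.sample(range(num_clients), m)   # federation construction
        updates = [local_train(global_w, datasets[k], epochs, batch_size, lr, rng)
                   for k in chosen]                   # decentralised training
        global_w = fedavg(updates, [len(datasets[k]) for k in chosen])  # aggregation
    return global_w, datasets

def accuracy(w, data):
    """Share of records the global detector labels correctly (threshold 0.5)."""
    hits = sum(int((sigmoid(w[0] + w[1] * x[0] + w[2] * x[1]) >= 0.5) == (y == 1))
               for x, y in data)
    return hits / len(data)

if __name__ == "__main__":
    w, datasets = run_federated()
    pooled = [rec for d in datasets for rec in d]
    print("global weights:", [round(v, 3) for v in w])
    print("accuracy on all local data:", round(accuracy(w, pooled), 3))
```

The point to check is that `fedavg` sees only weight vectors and dataset sizes; a factory's records reaching the server would be exactly the exposure the framework exists to avoid. Running the file prints the aggregated weights and their accuracy over the pooled (but never uploaded) local data.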
Indeed, a global ML model can use all of the information collected from previous forks to detect anomalies during training. This approach has the advantage that, while an attack may only happen once within a smart factory, attacks behave the same way when repeated against other smart factories over time. Hence, information on past attacks may help us blacklist them and prevent them from recurring in the future. The advantage of FL is clear, since it trains the global ML model for anomaly detection. Based on Fig. 1, each participant in a smart factory can provide a fake blockchain transaction as a side channel to deliver a message. A malicious transaction, as well as the creation of a fake block, is also possible in this situation. A malicious transaction is a special type of fake transaction, which carries a hidden message aimed at disrupting the network by hitting a specific peer. Fake blocks are blockchain blocks that contain one or more stolen/malicious transactions. Fake blocks can either be eventually discarded or accepted into the main chain. Our solution considers the smart factories' data and chain forks. We collect, enrich, and share such information with the other local ML models across the network. We use this specific information to train anomaly detection in each local ML model; it contains sensitive smart factory data, the features of previous forks, and the number and type of malicious transactions that occurred. As a result, Block Hunter can hunt anomalies in a blockchain-based IIoT network for smart factories. To protect the privacy of the data, we only share the parameters of the trained models instead of the original data from the smart factories and their blockchain. This work aims to train a global anomaly detection model through locally trained sub-protocol models based on the Block Hunter framework.
Regarding the threat model, the solution proposed in this paper has been designed to be resilient against any class of attack in which a malicious entity can append to the blockchain system.

This section discusses the efficient network model and topology design for blockchain-based IIoT networks. Wireless sensor networks have a variety of topologies, which affect their performance and behavior. Some of the metrics include throughput, reliability, energy consumption, and latency [26]. Therefore, we propose a cluster-based formation model of blockchain technology for smart factories. A cluster-based architecture provides more efficient use of resources [27] and higher throughput during the blockchain run in each smart factory. Clustering reduces the computational complexity of creating the underlying network through a hierarchical approach [26]. This is especially so for blockchain-based IIoT networks, which are expected to encompass large numbers of individual devices. We also believe that a cluster-based architecture will enable us to hunt and manage anomalies better in each smart factory zone and increase the network's throughput. In each cluster, the smart factory controls all IIoT devices' activities, and one of the smart factories is designated as the Cluster Head (CH) or leader node. A CH can perform extra duties in blockchain-based networks, such as taking part in the mining process, after reviewing aspects such as energy, memory, and computing power. Fig. 1 shows the clustering strategy in the blockchain-based smart factory network model. The target Block Hunter framework can be represented as a directed graph $G = (S, D)$, with $D = \{d_1, d_2, \ldots, d_n\}$ being the set of IIoT devices, representing smart devices, and $S = \{s_1, s_2, \ldots, s_n\}$ the set of smart factories in each cluster. With $S_1^T = [t_1, t_2, \ldots, t_m]$ we denote the set of transactions in smart factory $S_1$ that belong to the blockchain network, and $B = [b_1, b_2, \ldots, b_3]$ represents the existing blocks in the blockchain network. More formally, $s_n = \sum_{k}\sum_{j} s_j \times D_{kj}$, with $k$ being the number of deployed clusters and $j$ indexing the smart factories in that cluster. It should be noted that the set of IoT devices belonging to a smart factory is $D_{kj} \in [1, j]$ in the $K$-th cluster. The distribution of smart factories and their devices in Block Hunter's proposed cluster-based architecture can be summarized by the distance function $Df$ in Equation 1. This is the point at which smart factories and IoT devices are clustered by centrality, derived from a distance measure based on the presence or absence of shared neighboring devices in the space of $(i, j)$. The clustering part is shown in Algorithm 2, and it can be considered a piece of the overall Block Hunter algorithm. Algorithm 2 collects the locations of the smart factories and their IIoT devices. Based on Equation 1, we measure the distance between each smart factory and its devices and record it until we obtain the cluster-based architecture. Afterward, the cluster computes the collection of $S$ nearest smart factories for each IoT device $D$. Setting the model parameters in the parameter server and sending pre-trained models to the clusters happen during initialization. Next, the local models are trained by the clusters in the training step, in order to aggregate the models and update the global model parameters.

In this section, we study several machine learning techniques for identifying and detecting anomalies in the Block Hunter framework. An example of a classifier-based anomaly detection algorithm is the neural encoder-decoder model. The proposed anomaly detection framework develops a neural encoder-decoder model that summarizes the information about the blockchain's status and transactions into a compact representation and then rebuilds the initial data from this space. Encoding/decoding preserves the data's basic properties when the current status is consistent.
Conversely, anomalous situations exhibit inconsistent values, ultimately leading to a failed reconstruction. In an encoder-decoder, such values are treated as noise and therefore fail to be reconstructed. Hence, the difference between the initial and reconstructed values highlights the anomalous and abnormal situation, thereby triggering an alert [8], [28]. Neural encoder-decoder models analyze sequences of temporally sorted events. In general, we suppose that the data is sequenced as $P = \{P_1, P_2, \ldots, P_n\}$ over some period of observation, where $P_t$ is an assessment of the properties of the $t$-th event in the chronological order of events in $P$. Anomalous events occur in $P$ when a vector $P_t$ differs drastically from its neighbors. The Isolation Forest (IF) model falls under the tree-based anomaly detection algorithms category. The approach has gained wide acceptance in recent years because it is unsupervised. Isolation Forest is based on the idea that it is more effective to isolate the anomalous data points than to model the normal ones. It is a recursive and random partitioning process that isolates each anomalous data point in the dataset until the partition simply describes the stored data. A tree structure represents the recursive partitioning. A forest of isolation trees is the foundation of the Isolation Forest algorithm, where cells (samples) of the dataset are randomly selected from the data to form a forest covering normal and outlier cells. These trees are binary trees with zero or two child nodes, and an isolation forest contains isolation trees of this type [8], [29]. Consider that $X$ is either a leaf node without children or a parent node with two children, $X_L$ and $X_R$. To decide which child node a data point belongs to, a test is attached to node $X$. The test procedure involves selecting a random feature $f$ across all the data points and an arbitrary splitting point $q$.
Points with $f < q$ fall into the zone of $X_L$, and those with $f \geq q$ into the zone of $X_R$. Our cluster-based local outlier factor (CBLOF) model belongs to the classifier-based anomaly detection category. Within this algorithm's anomaly detection methodology, the data is grouped into clusters, on the basis of which anomaly scores can be computed similarly to those of the local outlier factor algorithm. This algorithm's underlying principle of anomaly detection is based on clustering the data set. The clusters are created by an arbitrary clustering algorithm that assigns each observation to a cluster. The clusters are then sorted by size, $|F_1| > |F_2| > \ldots > |F_k|$, where $F_1, F_2, \ldots, F_k$ are the clusters and $k$ is the number of clusters [8]. Any two clusters should have an empty intersection, while the union of all clusters should contain all of the observations in the dataset $D$. We then search for a boundary index value that separates the Small Clusters from the Large Clusters. Finally, we calculate the CBLOF score for each observation by using the following equation, $1 \leq i \leq k$: A PCA model is a subspace-based anomaly detection algorithm. PCA is commonly considered a dimensionality reduction method. The variance-covariance of the dataset's characteristics can be used to construct new variables known as principal components, which are functions of the original variables. For principal component analysis, one uses $p$ distinct linear combinations of the random variables $x_1, x_2, \ldots, x_p$. The principal components have the following characteristics: they are uncorrelated with each other.
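As an added illustration of the isolation-tree construction described above (random feature $f$, random split $q$, $X_L$ for $f < q$ and $X_R$ for $f \geq q$), here is a minimal Isolation Forest in pure Python. It is example code, not the paper's implementation. The path-length normalisation $c(n)$ and the score $2^{-E[h(x)]/c(\psi)}$ follow Liu et al.'s original definition, which the page does not state, and the three-feature block records (transaction count, total value, inter-block interval) are constructed for the demonstration.

```python
import math
import random

# Added example, not the paper's code: a minimal Isolation Forest.

def c_factor(n):
    """Average path length of an unsuccessful search in a binary search tree of
    n points; used to normalise path lengths (Liu et al.'s c(n), assumed here)."""
    if n <= 1:
        return 0.0
    harmonic = math.log(n - 1) + 0.5772156649   # H(n-1) via Euler's constant
    return 2.0 * harmonic - 2.0 * (n - 1) / n

def build_itree(points, rng, depth=0, max_depth=None):
    """Recursive random partitioning: pick a feature f and a split q uniformly in
    f's range; f < q goes to X_L, f >= q goes to X_R, until a point is isolated
    or the depth limit ceil(log2(n)) is reached."""
    if max_depth is None:
        max_depth = math.ceil(math.log2(max(len(points), 2)))
    n = len(points)
    if n <= 1 or depth >= max_depth:
        return {"size": n}                  # external node (leaf)
    f = rng.randrange(len(points[0]))
    lo = min(p[f] for p in points)
    hi = max(p[f] for p in points)
    if lo == hi:
        return {"size": n}                  # constant feature: nothing to split
    q = rng.uniform(lo, hi)
    return {"f": f, "q": q,
            "left": build_itree([p for p in points if p[f] < q], rng, depth + 1, max_depth),
            "right": build_itree([p for p in points if p[f] >= q], rng, depth + 1, max_depth)}

def path_length(tree, x, depth=0):
    """h(x): edges traversed to reach x's leaf, plus c(size) for an unsplit leaf."""
    if "f" not in tree:
        return depth + c_factor(tree["size"])
    child = tree["left"] if x[tree["f"]] < tree["q"] else tree["right"]
    return path_length(child, x, depth + 1)

def isolation_forest(points, n_trees=100, sample_size=64, seed=1):
    """Build n_trees trees, each on a random subsample of psi points."""
    rng = random.Random(seed)
    psi = min(sample_size, len(points))
    return [build_itree(rng.sample(points, psi), rng) for _ in range(n_trees)], psi

def anomaly_score(trees, psi, x):
    """s(x) = 2^(-E[h(x)] / c(psi)): close to 1 means easily isolated (anomalous),
    around 0.5 or below means buried among normal points."""
    avg = sum(path_length(t, x) for t in trees) / len(trees)
    return 2.0 ** (-avg / c_factor(psi))

def demo():
    """Constructed data: 60 normal block records (tx count, total value, interval,
    standardised) plus one record far from all of them. Returns
    (outlier_score, mean_normal_score)."""
    rng = random.Random(0)
    normal = [[rng.gauss(0, 1), rng.gauss(0, 1), rng.gauss(0, 1)] for _ in range(60)]
    outlier = [8.0, 8.0, 8.0]
    trees, psi = isolation_forest(normal + [outlier])
    return (anomaly_score(trees, psi, outlier),
            sum(anomaly_score(trees, psi, p) for p in normal) / len(normal))

if __name__ == "__main__":
    out, base = demo()
    print("outlier score %.2f, mean normal score %.2f" % (out, base))
```

The outlier is typically split off within one or two random cuts, so its average path is short and its score high, while the normal records need most of the depth budget and score near 0.5. Scoring records that were not in a tree's sample works the same way, which is what makes the forest usable on a stream of new blocks.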
Each component's variance decreases in descending order, with the first principal component containing the highest variance and the subsequent components having lower variances. When adding up the variances of all the principal components, the total variance of the original features is always equal to the total variance of all the principal components. To estimate the principal components of a system, we can use eigenanalysis of the correlation matrix, or covariance matrix, of the data features [8], [30]. The PCA algorithm detects anomalies by getting rid of outliers. The outliers are determined by the Mahalanobis distance, which is computed repeatedly to eliminate all data points with high Mahalanobis distance values. Where $S$ is the covariance matrix, $x_i$ is the measurement of an observation of the $i$-th feature in the data, and $\bar{x}$ is the mean of all observations, the Mahalanobis distance is denoted as follows: In the cluster-based detection algorithms category, K-means is a clustering-based algorithm. As one of the most popular clustering algorithms, K-means is also commonly used as an anomaly detection algorithm. It was introduced as an unsupervised learning scheme. The data is divided into $k$ different clusters, with each sample belonging to the cluster with the closest mean value. Each cluster has a centroid $c$, which is the mean of the observations in that cluster. When assessing the similarities among independent observations, the similarity measure employed is the Euclidean distance, where $x_i$ are the measurements, $c_i$ the centroids, and $n$ the number of independent measurements [8], [31].

V. DISCUSSION & EVALUATION

This section evaluates the performance of Block Hunter and provides results and discussion. We formed an experimental setup on an Intel(R) Core(TM) i7-10700KF CPU @ 3.80GHz (3.79 GHz), a Linux 64-bit operating system (Ubuntu 20.04), equipped with 16 GB of DDR4 memory.
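The CBLOF passage above describes the clustering step, the size ordering $|F_1| > |F_2| > \ldots > |F_k|$ and the large/small boundary, but the scoring equation itself is not reproduced on the page, and the K-means paragraph gives the centroid-based clustering CBLOF can sit on. The following added Python example ties the two together; it is not the paper's code. It uses a plain Lloyd's K-means with deterministic farthest-first seeding, the boundary search with the $\alpha$/$\beta$ thresholds from He et al.'s CBLOF definition (assumed here, not stated on the page), and the score $|F_i| \cdot d(t, c_i)$ for a point in a large cluster versus $|F_i| \cdot \min_j d(t, c_j)$ over the large clusters for a point in a small one. The two-dimensional factory readings are constructed.

```python
import math
import random

# Added example, not the paper's code: K-means clustering plus CBLOF scoring.

def euclid(a, b):
    """Euclidean distance between two measurement vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def farthest_first_init(points, k):
    """Deterministic seeding: start from the first point, then repeatedly add the
    point farthest from every centroid chosen so far."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(points, key=lambda p: min(euclid(p, c) for c in centroids))))
    return centroids

def kmeans(points, k, iters=100):
    """Lloyd's K-means: assign each point to its nearest centroid c_i, move each
    centroid to the mean of its cluster, stop when nothing changes."""
    centroids = farthest_first_init(points, k)
    clusters = [[] for _ in range(k)]
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: euclid(p, centroids[i]))].append(p)
        updated = [[sum(col) / len(c) for col in zip(*c)] if c else centroids[i]
                   for i, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return centroids, clusters

def split_large_small(clusters, alpha=0.9, beta=5.0):
    """Boundary index over clusters sorted by size |F_1| >= |F_2| >= ...: the first
    b clusters are 'large' once they hold a fraction alpha of the data, or once
    |F_b| is at least beta times |F_{b+1}|. Returns (large_ids, small_ids)."""
    order = sorted(range(len(clusters)), key=lambda i: -len(clusters[i]))
    total = sum(len(c) for c in clusters)
    running = 0
    for pos, i in enumerate(order):
        running += len(clusters[i])
        nxt = order[pos + 1] if pos + 1 < len(order) else None
        if running >= alpha * total or (nxt is not None and
                                        len(clusters[i]) >= beta * len(clusters[nxt])):
            return order[:pos + 1], order[pos + 1:]
    return order, []

def cblof_scores(points, k=3):
    """CBLOF(t) = |F_i| * d(t, c_i) when t's cluster F_i is large, and
    |F_i| * min over large clusters j of d(t, c_j) when F_i is small."""
    centroids, clusters = kmeans(points, k)
    large, small = split_large_small(clusters)
    owner = {}
    for i, c in enumerate(clusters):
        for p in c:
            owner[tuple(p)] = i
    scores = []
    for p in points:
        i = owner[tuple(p)]
        if i in large:
            d = euclid(p, centroids[i])
        else:
            d = min(euclid(p, centroids[j]) for j in large)
        scores.append(len(clusters[i]) * d)
    return scores

def demo():
    """Constructed data: two dense groups of normal factory readings (40 each)
    and three far-away readings at the end of the list (indices 80, 81, 82).
    Returns (scores, indices of the three highest scores)."""
    rng = random.Random(3)
    pts = [[rng.gauss(0, 0.5), rng.gauss(0, 0.5)] for _ in range(40)]
    pts += [[rng.gauss(10, 0.5), rng.gauss(10, 0.5)] for _ in range(40)]
    pts += [[40 + rng.gauss(0, 0.5), -40 + rng.gauss(0, 0.5)] for _ in range(3)]
    scores = cblof_scores(pts)
    top3 = sorted(range(len(pts)), key=lambda i: -scores[i])[:3]
    return scores, sorted(top3)

if __name__ == "__main__":
    scores, top3 = demo()
    print("highest CBLOF scores at indices", top3)
```

Note the size weighting: a point in a small cluster is scored by its distance to the nearest large cluster times the small cluster's size, so a handful of far-away readings stands out even though each is close to the others in its own group. The farthest-first seeding is used so the example is reproducible; K-means with random restarts is the more common choice in practice.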
To evaluate our network model and cluster-based topology design in the proposed framework, we apply Bitcoin Simulator¹. Bitcoin Simulator is an open-source bitcoin simulator developed on NS3 and has been tested with NS3. We also consider LENA, an NS-3 module, to simulate 3GPP networks. The NR module is a pluggable module for NS-3 that can be used to simulate New Radio (NR) cellular networks. NS-3 supports the widest variety of network models and protocols and the greatest variety of networking devices. Indeed, wireless networks and protocols rely on NS-3 to determine their performance. Therefore, the assessment of the proposed federated framework is carried out on performance metrics such as the impact of block size, number of blocks, number of IoT devices, and number of miners. The implementation details of the Block Hunter framework are presented in Table I. For the federated setup, we have considered PySyft² and PyTorch³. PySyft is an open-source library that allows us to create VirtualWorkers for training our machine learning models to detect anomalies. It is designed to allow users to create private and secure ML models, and it is built on top of existing ML libraries such as PyTorch. Our framework is trained with the FedAvg method with E = 4 local epochs and fraction c = 6e−3, where E is the number of local epochs used at each learning iteration and c refers to the fraction of smart factories used at each iteration; the "e" in these values denotes exponential notation (6e−3 = 6 × 10^−3). Finally, an SGD optimizer is used for training the models with a learning rate of 3e−2. The proposed framework is evaluated on two datasets on the blockchain side, providing conditions for blockchain adoption in smart manufacturing systems, and also on two IIoT-related datasets for assessing Block Hunter for smart factories. The Bitcoin Transaction Dataset (BTD)⁴ is designed for research on blockchain anomaly and fraud detection.
It has been donated to the IEEE DataPort online community for academic exploration. Because the dataset is imbalanced and contains roughly 30 million transactions, it presents a challenge in creating an anomaly-detection model that captures all of them. The dataset is the product of a research project on anomaly detection within the context of blockchain technology and its applications in the monetary domain: it extracts blockchain data and uses machine learning techniques to hunt potentially malicious transactions. The other dataset is Ethereum Classic (ETC), a BigQuery dataset that gives access to Ethereum Classic transactions and block history. Ethereum Classic, an open-source platform based on Ethereum, enables distributed computing by using a public, distributed, decentralized network for executing scripts, with the ability to manage smart contracts. The dataset consists of all blocks, contracts, logs, tokens, traces, and transactions contained within the blockchain network. For IIoT-related datasets, two well-known datasets have been considered: Gas Pipeline (GP) and Secure Water Treatment (SWaT). They fit IIoT environments well and are publicly available [32], [33].

A cluster-based architecture provides more efficient use of resources and higher throughput during the blockchain run in smart factory applications. To evaluate the performance of the Block Hunter cluster-based architecture, the simulation parameters are presented in Table I. To obtain more realistic results, we ran the simulation 20 times and designed another scenario, a non-cluster model, to compare the architectural models' performance during the simulation. The non-cluster model combined blockchain technology with the standard network model and did not divide it into a cluster architecture.
It has none of the features and topologies of a cluster-based architecture, such as adjacencies with other clusters or parts of the network, flexibility, and scalability at run time. Conversely, in a cluster-based architecture each cluster has adjacencies with other clusters and supports the dynamic characteristics of a network. In the following, we address the impact of block generation, the impact of block size, and the impact of the number of miners in the evaluation.

• Impact of block generation

In the proposed framework, the public blockchain network is deployed among clusters that include smart factories. We need a public blockchain to allow any smart factory to join and to keep the system completely decentralized. Additionally, public blockchains give all participants equal access to the chain. Block generation will be more efficient in supporting nodes than in a distributed network with a solid and organized structure. Further, since blocks are generated more frequently in individual clusters instead of in batches that consume a considerable amount of bandwidth, we can better manage and use the bandwidth. Fig. 3(a) shows the bandwidth efficiency of the cluster-based design (proposed architecture) compared to the non-cluster-based design. Although block generation time increases in the non-cluster-based design, more blocks are generated in the network and consume more and more bandwidth. Hence, the cluster-based architecture provides better performance since the nodes are distributed across the whole network (currently, there are 5000 reachable nodes in K = 50 clusters).

• Impact of block size

Block size has a significant impact on the performance of a blockchain. The block size determines the maximum number of transactions that can be approved within a block and thus controls the throughput (transactions/second) obtained by the proposed design. Larger blocks propagate more sluggishly within each cluster than smaller blocks. In Fig. 3(b) and Fig. 3(c), we show that bandwidth consumption and throughput increase as the block size grows from 0.5 MB to 8 MB. This directly impacts both the bandwidth and throughput of the proposed model. As expected, Block Hunter has higher performance because of better network communication, efficient topology management, and minimized delay.

• Impact of number of miners

The number of miners in a given architecture directly impacts throughput (transactions/second). According to Fig. 3(d), increasing the number of miners from 16 to 256 with the block size set to 1 MB in all clusters increased the model throughput. A larger number of miners makes it easier for smart factories to reach consensus. Additionally, the proposed cluster-based architecture can handle more transactions in each block by increasing the block size. Consequently, the throughput rate of the proposed architecture grows and offers better performance.

1) Anomaly detection rate

This subsection assesses several well-known machine learning models, namely K-means, PCA, CBLOF, IF, and NED, for hunting anomalies in the Block Hunter framework. We evaluate these models by comparing their average performance in terms of Accuracy, Precision, Recall, and F1-score, defined as follows:

Accuracy (Acc) $= \frac{TP + TN}{TP + TN + FN + FP}$, Recall (Rec) $= \frac{TP}{TP + FN}$, Precision (Pre) $= \frac{TP}{TP + FP}$, and F1-score (F1) $= \frac{2 \cdot TP}{2 \cdot TP + FN + FP}$.

The ROC curves of these models are presented in a federated setting. Examining the visuals at the highest level of the accuracy metric, the AUC of the ROC curves shows comparable curves for all algorithms. The AUC values for CBLOF, K-means, PCA, IF, and NED are (0.80, 0.84), (0.82, 0.85), (0.86, 0.89), (0.90, 0.93), and (0.95, 0.97) on the BTD and ETC datasets, respectively. While running the Block Hunter framework with each ML model, we obtain a global model whose parameters are frequently updated via the FedAvg approach [24].
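The FedAvg update described in the experimental setup (each selected client runs its local epochs of SGD on private data, then the server averages the returned weights) together with the metrics defined above, as an added illustration in plain Python rather than the PySyft/PyTorch code the paper used. The per-factory client data is constructed, the one-feature logistic model and the names run_federated, fed_avg, metrics and roc_auc are my own, and the demo values E = 4, c = 0.3 and lr = 0.03 are chosen for the example, not taken from the paper's Table I.

```python
import math
import random

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def local_train(weights, data, epochs, lr):
    """One client: `epochs` passes of SGD (batch size 1) over its private (x, y) rows."""
    w, b = weights
    for _ in range(epochs):
        for x, y in data:
            grad = sigmoid(w * x + b) - y  # d(log loss)/dz for a logistic unit
            w -= lr * grad * x
            b -= lr * grad
    return (w, b)

def fed_avg(client_weights, client_sizes):
    """Server step: sample-count-weighted average of the returned (w, b) pairs."""
    total = sum(client_sizes)
    w = sum(cw * n for (cw, _), n in zip(client_weights, client_sizes)) / total
    b = sum(cb * n for (_, cb), n in zip(client_weights, client_sizes)) / total
    return (w, b)

def run_federated(clients, rounds, fraction, epochs, lr, seed=0):
    """Each round selects round(fraction * #clients) clients, trains each from the
    current global model and averages; raw rows never leave a client, only (w, b)."""
    rng = random.Random(seed)
    model = (0.0, 0.0)
    m = max(1, round(fraction * len(clients)))
    for _ in range(rounds):
        chosen = rng.sample(range(len(clients)), m)
        updates = [local_train(model, clients[i], epochs, lr) for i in chosen]
        model = fed_avg(updates, [len(clients[i]) for i in chosen])
    return model

def make_clients(n_clients, per_client, seed):
    """Constructed data (not a real dataset): one anomaly-score feature per row,
    normal rows ~N(0, 0.8), anomalous rows ~N(4, 0.8), about 30% anomalous."""
    rng = random.Random(seed)
    clients = []
    for _ in range(n_clients):
        rows = []
        for _ in range(per_client):
            y = 1 if rng.random() < 0.3 else 0
            rows.append((rng.gauss(4.0 if y else 0.0, 0.8), y))
        clients.append(rows)
    return clients

def predict(model, x, threshold=0.5):
    w, b = model
    return 1 if sigmoid(w * x + b) >= threshold else 0

def metrics(y_true, y_pred):
    """Accuracy, Precision, Recall and F1 from the confusion counts."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    tn = sum(t == 0 and p == 0 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    return {
        "accuracy": (tp + tn) / (tp + tn + fp + fn),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "f1": 2 * tp / (2 * tp + fp + fn) if 2 * tp + fp + fn else 0.0,
    }

def roc_auc(scores, y_true):
    """ROC AUC by sweeping the threshold down the sorted scores (tied scores are
    stepped together) and integrating TPR over FPR with the trapezoid rule."""
    pos = sum(y_true)
    neg = len(y_true) - pos
    if not pos or not neg:
        raise ValueError("ROC AUC needs both classes present")
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    tp = fp = 0
    prev_x = prev_y = auc = 0.0
    i = 0
    while i < len(order):
        j = i
        while j < len(order) and scores[order[j]] == scores[order[i]]:
            if y_true[order[j]] == 1:
                tp += 1
            else:
                fp += 1
            j += 1
        x, y = fp / neg, tp / pos
        auc += (x - prev_x) * (y + prev_y) / 2
        prev_x, prev_y, i = x, y, j
    return auc

if __name__ == "__main__":
    model = run_federated(make_clients(10, 40, seed=1), rounds=20, fraction=0.3, epochs=4, lr=0.03)
    held_out = [row for client in make_clients(2, 50, seed=2) for row in client]
    y_true = [y for _, y in held_out]
    print(metrics(y_true, [predict(model, x) for x, _ in held_out]))
    print(roc_auc([sigmoid(model[0] * x + model[1]) for x, _ in held_out], y_true))
```

The privacy property the paper relies on is visible in run_federated: the server only ever sees each client's (w, b) after its local epochs and the client's sample count, never the transaction rows themselves. roc_auc reproduces the usual rank-based AUC (the fraction of anomaly/normal pairs the model orders correctly), so it matches the AUC figures reported per dataset above when the same scores are used.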
Table IV presents the hunting of anomalies in global models using NED as the local model. This table shows the moment at which the Block Hunter framework can hunt an anomaly while transactions are being processed. The setup consists of K = 30, 40, 50 clusters and 1 to 35 transactions per second for 100 seconds. Based on the cluster-based structure in Block Hunter, it is almost certain that the system's accuracy is acceptable during anomaly hunting, as shown in Table IV. The Block Hunter framework also works perfectly as the number of transactions and clusters increases. We also evaluated the performance of Block Hunter on several standard IIoT datasets, as shown in Table V. Model performance was evaluated using different ML models, namely K-means, PCA, CBLOF, IF, and NED, on the GP and SWaT datasets. NED has the highest accuracy, as it preserves the data through its encoding/decoding.

Blockchain-based IIoT networks are the underlying technology for future smart factories and hence an emerging attack target, which shows the significance of this work. To the best of our knowledge, Block Hunter is the first federated threat hunting model in IIoT networks that identifies anomalous behavior while preserving privacy. We used FL to build a threat hunting framework that utilizes a cluster-based architecture to formulate anomaly detection combined with several machine learning models. Our results indicate the superior performance of our model in automatically hunting for anomalies while preserving data privacy.

In this paper, we developed the Block Hunter framework to hunt anomalies in blockchain-based IIoT smart factories using a federated learning approach. Block Hunter uses a cluster-based architecture to reduce resource usage and improve the throughput of anomaly hunting in blockchain-based IIoT networks. The Block Hunter framework was evaluated using a variety of machine learning algorithms (NED, IF, CBLOF, K-means, PCA) to detect anomalies.
We also examined the impacts of block generation interval, block size, and different numbers of miners on the performance of Block Hunter. Using generative adversarial networks (GANs) to design and implement a Block Hunter-like framework would be interesting future research. Furthermore, designing and applying IIoT-related blockchain networks with different consensus algorithms would also be worth investigating in the future.

[1] A blockchain-based solution for enhancing security and privacy in smart factory
[2] Blockchain attack discovery via anomaly detection
[3] An effective blockchain-based, decentralized application for smart building system management
[4] A machine learning-based method for automated blockchain transaction signing including personalized anomaly detection
[5] Veriblock foundation discloses MESS vulnerability in Ethereum Classic blockchain
[6] Exploring the attack surface of blockchain: A comprehensive survey
[7] A federated learning approach to anomaly detection in smart buildings
[8] Anomaly detection in blockchain
[9] Federated learning for drone authentication
[10] Chained anomaly detection models for federated learning: An intrusion detection case study
[11] A blockchain-empowered crowdsourcing system for 5G-enabled smart cities
[12] Blockchain-based database in an IoT environment: challenges, opportunities, and analysis
[13] BAD: a blockchain anomaly detection solution
[14] Blockchain and anomaly detection based monitoring system for enforcing wastewater reuse
[15] Anomaly detection model over blockchain electronic transactions
[16] The semantics of anomalies in IoT integrated blockchain network
[17] A deep learning approach for detecting security attacks on blockchain
[18] Blockchain for edge of things: Applications, opportunities, and challenges
[19] DÏoT: A federated self-learning anomaly detection system for IoT
[20] Abnormal client behavior detection in federated learning
[21] Blockchain-federated-learning and deep learning models for COVID-19 detection using CT imaging
[22] A hierarchical blockchain-enabled federated learning algorithm for knowledge sharing in internet of vehicles
[23] Federated learning for cybersecurity: Concepts, challenges, and future directions
[24] Communication-efficient learning of deep networks from decentralized data
[25] Federated learning: Strategies for improving communication efficiency
[26] An energy-efficient cluster-based routing protocol using unequal clustering and improved ACO techniques for WSNs
[27] Energy efficient decentralized authentication in internet of underwater things using blockchain
[28] Deep in the bowel: highly interpretable neural encoder-decoder networks predict gut metabolites from gut microbiome
[29] Clustering multivariate functional data using unsupervised binary trees
[30] Principal component analysis
[31] Unsupervised k-means clustering algorithm
[32] A new SCADA dataset for intrusion detection research
[33] Battle of the attack detection algorithms: Disclosing cyber attacks on water distribution networks