
6.IoT Intrusion Detection System Using Deep Learning and Enhanced Transient Search Optimization

This document summarizes a research paper that proposes a new intrusion detection system for IoT systems using deep learning and an enhanced optimization algorithm called transient search optimization with differential evolution (TSODE). The paper develops a convolutional neural network model for feature extraction from IoT datasets. It then uses the TSODE algorithm, which improves on the traditional transient search optimization algorithm using differential evolution operators, for feature selection. The proposed approach is evaluated on several public datasets and is shown to achieve higher accuracy than other existing methods.

Uploaded by

swathi s

Received August 2, 2021, accepted August 24, 2021, date of publication August 30, 2021, date of current version September 13, 2021.


Digital Object Identifier 10.1109/ACCESS.2021.3109081

IoT Intrusion Detection System Using Deep Learning and Enhanced Transient Search Optimization

ABDULAZIZ FATANI 1,2, MOHAMED ABD ELAZIZ 3, ABDELGHANI DAHOU 4, MOHAMMED A. A. AL-QANESS 5, AND SONGFENG LU 6,7

1 School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
2 Computer Science Department, Umm Al-Qura University, Makkah 24381, Saudi Arabia
3 Department of Mathematics, Faculty of Science, Zagazig University, Zagazig 44519, Egypt
4 LDDI Laboratory, Faculty of Science and Technology, University of Ahmed Draia, Adrar 01000, Algeria
5 State Key Laboratory for Information Engineering in Surveying, Mapping and Remote Sensing, Wuhan University, Wuhan 430079, China
6 Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
7 Shenzhen Huazhong University of Science and Technology Research Institute, Shenzhen 518057, China

Corresponding author: Songfeng Lu ([email protected])


This work was supported in part by Hubei Provincial Science and Technology Major Project of China under Grant 2020AEA011, in part by
the Key Research and Development Plan of Hubei Province of China under Grant 2020BAB100, and in part by the Project of Science,
Technology and Innovation Commission of Shenzhen Municipality of China under Grant JCYJ20210324120002006.

ABSTRACT The great advancements in communication, cloud computing, and the internet of things (IoT) have opened critical challenges in security. With these developments, cyberattacks are also rapidly growing since the current security mechanisms do not provide efficient solutions. Recently, various artificial intelligence (AI) based solutions have been proposed for different security applications, including intrusion detection. In this paper, we propose an efficient AI-based mechanism for intrusion detection systems (IDS) in IoT systems. We leverage the advancements of deep learning and metaheuristic (MH) algorithms that have proved their efficiency in solving complex engineering problems. We propose a feature extraction method using convolutional neural networks (CNNs) to extract relevant features. Also, we develop a new feature selection method using a new variant of the transient search optimization (TSO) algorithm, called TSODE, using the operators of the differential evolution (DE) algorithm. The proposed TSODE uses DE to improve the process of balancing between exploitation and exploration phases. Furthermore, we use three public datasets, KDDCup-99, NSL-KDD, BoT-IoT, and CICIDS-2017 to assess the performance of the developed method, which achieved higher accuracy compared to several existing approaches.

INDEX TERMS Internet of Things (IoT), security, cyberattack, intrusion detection system, feature selection,
optimization algorithms.

The associate editor coordinating the review of this manuscript and approving it for publication was M. Anwar Hossain.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/

VOLUME 9, 2021

A. Fatani et al.: IoT IDS Using DL and Enhanced TSO

I. INTRODUCTION

The Internet of Things (IoT) has ushered in a modern era in which a network of computers and devices capable of interacting and engaging with one another is propelling new business process technologies [1]. People and companies have experienced a broad range of issues related to credibility, enforcement, financing, and business operations as a result of the widespread and rapid increase in cybersecurity attacks on IoT systems [2]. Cloud computing can be defined as the model that supplies different services and resources to users on demand, with minimal intervention between providers and users [3]. It has received significant attention among users and organizations. It is a part of IoT that stores IoT data. However, the transition process to cloud platforms is a complex problem due to the existence of different operations and security mechanisms. One of the most critical issues in cloud computing technology is security because of the huge amount of data stored in the cloud. Cyberattacks are growing for several reasons. The availability of and easy access to hacking tools is one of the most important reasons, since a hacker does not need comprehensive knowledge or brilliant skills to perform an attack [4].

With sufficient computing power and the huge volume of data collected from interconnected devices, DL models can be considered to optimize IoT security in terms of intrusion detection, user behavior analysis, vulnerabilities, and privacy preservation. DL techniques, and especially CNNs, can be used to learn, extract, and identify complex features and patterns directly from raw IoT data, thus improving the utility of the device to efficiently detect possible threats and attacks in the IoT environment. Moreover, DL models are more efficient in automatic feature extraction rather than relying on traditional machine learning methods that demand handcrafted statistical features. In the past decades, researchers have developed many mechanisms for Intrusion Detection Systems [5]. Different machine learning (ML) techniques were proposed for security issues, such as support vector machine (SVM) [6], [7], k-nearest neighbor (kNN) [8], [9], decision tree (DT) [10], [11], k-means [12], [13], and others [14]–[16]. Most recently, deep neural network models have been utilized for intrusion detection in cloud, fog, and several IoT based structures, such as deep recurrent neural network (RNN) [17], multi-layered perceptron neural network [18], Restricted Boltzmann Machines (RBM) [19], convolutional neural networks (CNN) [20], and others [21]. In addition, DL models such as generative adversarial networks (GANs) [22] can be used in the IoT environment to protect users' private information and improve the device utility.

Feature selection techniques have shown significant performance in IDS with various classifiers. In recent years, metaheuristic (MH) optimization algorithms have been adopted for various complex problems, including feature selection. They have also been applied for intrusion detection, for example, genetic algorithm [23]–[25], particle swarm optimization (PSO) [26], grey wolf optimizer (GWO) [27], [28], random harmony search (RHS) [29], and crow search algorithm (CSA) [30].

In this paper, we propose an efficient IDS system relying on the advancements of deep learning (DL) and MH optimization algorithms. First, we develop a simple yet effective feature extractor model with a convolutional neural network (CNN) as a backbone. The CNN model contains several convolution blocks to extract relevant and complex features. In addition, the CNN blocks are followed by a fully connected layer for feature extraction and intrusion detection (classification). Mainly, the CNN model is trained to classify each attack type with the aim of reaching the best accuracy and learning meaningful representations from the raw data. Later, the raw data is fed again to the trained model to convert raw sample attributes to the features learned by the CNN. Second, we develop a new feature selection (FS) method to enhance IDS classification using a new variant of the Transient search optimization (TSO). TSO is a new MH optimization algorithm proposed by Qais et al. [31]. It was inspired by the transient behavior of switched circuits with storage elements, for example, capacitance and inductance. As described in [31], TSO was applied to solve various optimization problems, and it showed competitive performance. For example, it has been applied to estimate the parameters of photovoltaic as in [31], and it has established its performance against other methods. In [32], a modified version of TSO has been presented and applied to find the solution for different global optimization problems. In [33], the authors used TSO to determine the optimal allocation of multiple distributed generators in the radial electrical distribution network. Despite these advantages achieved by TSO in real-world applications, it still requires more improvements, especially in the process of balancing between exploration and exploitation during the searching process. Therefore, we adopt a new enhanced version of the TSO as an FS method to enhance IDS. We use a well-known technique to boost the search performance of the TSO and to avoid its limitations, such as trapping at local optima. The differential evolution (DE) [34] is used to balance between the exploitation and exploration phases and enhance the diversity of the agents.

The proposed model starts by training a CNN model as a feature extractor for each evaluated dataset. After extracting the feature vector with a fixed length for each sample, the relevant features are determined using the modified TSODE. The developed CNN model and TSODE are evaluated using three public datasets, KDDCup-99, NSL-KDD, and BoT-IoT. Additionally, TSODE was compared to the traditional TSO alongside several well-known optimization algorithms used for FS applications. The application of DE has significantly enhanced the performance of the traditional TSO, and the proposed TSODE showed significant performance in all tested datasets.

To sum up, in this paper, we present the following contributions:
• Propose an efficient IDS approach using advantages of deep learning and MH optimization algorithms.
• Develop a CNN-based feature extraction method to extract relevant features from the input datasets.
• Propose a new variant of the TSO algorithm, called TSODE, using the DE operators that are employed to enhance the exploration phases and diversity of the agents of the traditional TSO and to avoid its shortcomings.
• Evaluate the TSODE with extensive comparison to state-of-the-art methods using three public datasets.

The structure of the rest of this paper is as follows: Section II presents the related work. Section III introduces the basic steps of Transient search optimization and Differential Evolution. Section IV describes the developed IoT security model. Section V presents the results and discussion. Finally, the conclusion and future works are discussed in Section VI.

II. RELATED WORKS

In this section, we highlight a number of studies that applied metaheuristic algorithms for intrusion detection. Saljoughi et al. [35] proposed an attack intrusion detection scheme for cloud computing using a combined model of deep learning and swarm intelligence. They used Multilayer Perceptron (MLP) neural networks and the particle swarm optimization (PSO) algorithm for attack and intrusion detection. Both KDD-CUP and NSL-KDD datasets were applied in the evaluation experiments, and the proposed scheme showed enhanced accuracy in attack and intrusion detection.

In [36], the artificial bee colony (ABC) was employed to enhance the classifier to detect and tackle denial-of-service (DOS) attacks in the cloud. The prediction results were enhanced by applying the ABC algorithm compared to the quantum-inspired particle swarm optimization technique (QPSO), with an average detection rate of 72.4%. Dash [37] proposed two methods to train artificial neural networks (ANN) for intrusion detection using metaheuristic optimization algorithms. The first uses the gravitational search (GS) algorithm, whereas the second combines both GS and PSO. GS and GS-PSO were employed to train the ANN, and they confirmed their high quality for the NSL-KDD dataset in comparison with several approaches used to train ANN, such as gradient descent, PSO, and genetic algorithm (GA).

In [38], a feature selection method based on GA for intrusion detection was proposed. The GA was applied with a fuzzy support vector machine (SVM) and showed significant performance when evaluated with KDD Cup 99 datasets. Nazir and Khan [39] proposed a new feature selection using the Tabu Search (TS) algorithm to train the Random Forest (RF) classifier to build a robust intrusion detection system. The proposed system, called TS-RF, was evaluated using the UNSW-NB15 dataset. The evaluation outcomes showed that the TS outperformed several feature selection methods, and the proposed TS-FS enhanced the classification accuracy. SaiSindhuTheja and Shyam [30] proposed a new Denial of Service (DoS) attack detection system using a modified Crow Search Algorithm (CSA) for feature selection. The Opposition Based Learning (OBL) is combined with the CSA to boost its performance. Then, the Recurrent Neural Network (RNN) is applied as a classifier. The evaluation results confirmed the competitive performance of the proposed feature selection method using the improved CSA and the high classification accuracy of the RNN with CSA. Mayuranathan et al. [29] proposed an improved intrusion detection system with a new feature selection technique using the Random Harmony Search (RHS) optimization algorithm. The Restricted Boltzmann Machines were applied as a classifier for detecting Distributed Denial-of-Service (DDoS). The evaluation was implemented with KDD'99 datasets, and the proposed system obtained significant performance. RM et al. [28] developed an efficient feature selection approach using a hybrid of principal component analysis (PCA) and grey wolf optimization (GWO) algorithm. The proposed approach, called PCA-GWO, is employed to optimize the deep neural network to improve its performance in the application of intrusion detection on the internet of medical things applications. The classification and prediction accuracy verified the successful application of the PCA-GWO as a feature selection method that boosts the classification accuracy in comparison to other methods. Furthermore, Alsaedi et al. [40] proposed a new dataset, called TON_IoT. They used several classification methods to evaluate the collected datasets, and they found that RF and Classification and Regression Trees (CART) obtained the best results, whereas LSTM and KNN came in the second rank compared to other classification methods.

III. BACKGROUND

A. TRANSIENT SEARCH OPTIMIZATION

In this section, the steps of the transient search optimization (TSO) are introduced [31]. In general, TSO simulates the transient behavior of switched electrical circuits that contain capacitance and inductance. In addition, the exploration phase in TSO represents the oscillations of second-order RLC circuits around zero. Meanwhile, the exploitation represents the exponential decay of the first-order discharge.

The first step in the mathematical modeling of TSO is to generate the population ($X$) of $N$ agents and determine the best of them, $X_b$. The next step is to update these agents using the operators of TSO as defined in the following equation.

$$X_i = \begin{cases} X_b + (X_i - C_1 \times X_b) \times e^{-T} & \text{if } r_1 < 0.5 \\ X_b + e^{-T}\left(\cos(2\pi T) + \sin(2\pi T)\right) \times D_{ib} & \text{otherwise} \end{cases} \tag{1}$$

In Eq. (1), $D_{ib} = |X_i - C_1 \times X_b|$, and $T$ and $C_1$ are random coefficients defined as in Eq. (2) and Eq. (3), respectively.

$$T = 2 \times Z \times r_2 - Z \tag{2}$$

$$C_1 = k \times Z \times r_3 + 1 \tag{3}$$

where $r_2$ and $r_3$ are random numbers generated from [0, 1], while $Z$ represents a random number that changes from 2 to 0 as follows:

$$Z = 2 - 2 \times \left(\frac{t}{t_{max}}\right) \tag{4}$$

where $t$ and $t_{max}$ refer to the current generation and the total number of generations, respectively. The next step is to compute the fitness value of each solution and update the best agent $X_b$. Then the terminal conditions are tested, and when they are satisfied, the process of updating the agents is stopped and the best agent is returned.

B. DIFFERENTIAL EVOLUTION

DE is a well-known optimization algorithm [34], which was adopted to solve various problems due to its advantages, such as fast convergence and fast implementation (it requires less computing time). DE works by randomly initializing a population $X$; after that, it updates the population by applying crossover and mutation operators. The mutation operator is applied to the current $X_i$ as in Eq. (5):

$$z_i^t = X_{r_1}^t + F \times (X_{r_2}^t - X_{r_3}^t), \tag{5}$$

in which $r_1$, $r_2$, and $r_3$ are random indices that are different from the current index $i$, $F > 0$ is the mutation scaling factor, and the iteration number is represented by $t$.

Thereafter, the crossover operator is employed to produce a new vector $v_i^t$ as:

$$v_i^t = \begin{cases} z_i^t & \text{if } r \le C_r \\ X_i^t & \text{otherwise} \end{cases} \tag{6}$$

in which $r$ represents a random value in [0, 1] and $C_r$ represents the crossover probability.

Furthermore, the current individual can be replaced by the generated individual $v_i^t$ if $v_i^t$ obtains a better fitness, as follows:

$$X_i^{t+1} = \begin{cases} v_i^t & \text{if } f(v_i^t) < f(X_i^t) \\ X_i^t & \text{otherwise} \end{cases} \tag{7}$$

The steps are repeated until the stop criterion is met.

Algorithm 1 Steps of TSO
1: Input: the number of agents N.
2: Generate initial population X.
3: repeat
4:     Compute fitness value of each agent X_i, i = 1, 2, ..., N
5:     Determine the best of them (i.e., X_b).
6:     for i = 1 : N do
7:         Update the value of T and C.
8:         Update X_i using Eq. (1).
9:     end for
10: until Stop conditions met
11: Return X_b.

IV. PROPOSED MODEL

The framework of the developed Internet of Things network security is given in Figure 3. The proposed framework is composed of two phases, which are the feature extraction phase using the CNN model and the selection of the most important features using the developed TSODE algorithm. The developed TSODE depends on improving the behavior of traditional TSO using the operators of DE, as shown in Figure 1. DE is applied to enhance the process of balancing between exploration and exploitation during the search for the feasible region and best solution. This will be reflected in the quality of the final solution, which will use an optimal subset of features that leads to increasing the prediction of intrusion detection in the IoT environment. In the following sections a detailed explanation of the framework will be given.

A. REPRESENTATION OF COLLECTED IoT DATASET

In this section, the basic representation of the IoT traffic data that will be used as input to the next stage of the developed method is given. Consider that $TS$ represents the sample of the IoT traffic, formulated as:

$$TS = \begin{bmatrix} tf_{11} & tf_{12} & \ldots & tf_{1d} \\ tf_{21} & tf_{22} & \ldots & tf_{2d} \\ \ldots & \ldots & \ldots & \ldots \\ tf_{n1} & tf_{n2} & \ldots & tf_{nd} \end{bmatrix} \tag{8}$$

where $TS_i$ is the $i$th set of features (i.e., $[tf_{11}, tf_{12}, \ldots, tf_{1d}]$) of traffic, and $n$ and $d$ refer to the number of samples and features, respectively. The next step is to normalize the dataset using the min-max normalization method, defined as:

$$DN_{ij} = \frac{tf_{ij} - \min(TS_j)}{\max(TS_j) - \min(TS_j)} \tag{9}$$

In Eq. (9), $tf_{ij}$ denotes the value of the $j$th feature of the $i$th sample. In this study, we used the min-max normalization since it transforms the given data with varying scales. Therefore, no specific feature can dominate the statistics. In addition, it does not make a hypothesis about the distribution of the datasets (for example, for artificial neural networks and k-nearest neighbours). In contrast, standardization is useful in the case where the data follow a Gaussian distribution.

The normalized version of $TS$ is given as:

$$NTS = \begin{bmatrix} DN_{11} & DN_{12} & \ldots & DN_{1d} \\ DN_{21} & DN_{22} & \ldots & DN_{2d} \\ \ldots & \ldots & \ldots & \ldots \\ DN_{n1} & DN_{n2} & \ldots & DN_{nd} \end{bmatrix} \tag{10}$$

These normalized samples are used as input to the DL model to extract the features from it. This DL model is discussed in the following stage.

B. CONVOLUTIONAL NEURAL NETWORK FOR FEATURE EXTRACTION

Nowadays, structured and unstructured data forms (audio, image, and text) are modeled using DL techniques which employ supervised (discriminative learning) and unsupervised strategies (generative learning) [41]–[43]. These strategies can help the DL model to learn and extract complex representations and features. DL models can be differentiated by the type of layers and the learning mechanism [44], [45]. This section introduces an overview of a simple yet effective convolutional neural network (CNN) model used in the experiments to extract relevant features from the exploited data. CNN models have flexible architectures and are well-known feature extractors used in various applications and tasks. The main characteristic of these models is the shared weight strategy among multiple computation layers [46]. A basic CNN architecture can contain convolutional, activation, pooling, and fully connected layers stacked in a specific topology. Based on the depth of the topology, the extracted features can range from low-level features to more complex features.

As shown in Fig. 2, the proposed CNN architecture that acts as a feature extractor contains two convolution blocks separated with a pooling layer. In addition, the model uses four fully connected layers for feature extraction and the prediction task. The input data ($NTS$) is fed to the CNN block with a 1D convolution operation that produces activation maps when applying a fixed kernel of 1 × 3.

A Rectified Linear Unit (ReLU) [47] is used as the convolution activation function to learn more complex patterns, which is defined as in Eq. (11).

$$z_j^l = ReLU(Z_j^l) \tag{11}$$

where $z_j^l$ represents the output activation map of layer $l$ and channel $j$. $Z_j^l$ can be obtained as in Eq. (12).

$$Z_j^l = \sum_{i \in M_j} z_j^{l-1} k_{ij}^l + b_j^l \tag{12}$$

where $z_j^{l-1}$ is the previous output activation map of the preceding layer. The convolution kernel weights and the bias value are defined as $k_{ij}^l$ and $b_j^l$, respectively.

The ReLU activation function in the CNN block is followed by dropout to overcome the overfitting problem. The output of the CNN blocks is downsampled using pooling layers of types max-pooling and adaptive average pooling [48]. The downsampling operation helps the model train faster by minimizing the number of training parameters and paying attention to the most relevant features.

Three fully connected layers (FC1 − 128) → (FC2 − 128) → (FC3 − 64) are used for feature extraction, followed by batch normalization (BN). The FC3 layer is used to extract the features to be used in the feature selection phase. The extracted features are the features automatically learned by the CNN (on raw data/samples) at the third fully connected layer after training the network on the dataset with the aim of maximizing the attack classification accuracy. It is like converting the raw data/sample representations to more meaningful and manageable representations with lower dimension. A softmax layer for prediction follows the last fully connected layer (FC4) of size 64. BN is used to speed up the model's convergence, whereas the softmax activation function is used in the output layer to predict the normalized class (attack type) probability for each sample.

FIGURE 1. Steps of developed model for IoT security.

FIGURE 2. Proposed CNN architecture for feature extraction.

C. FEATURE SELECTION

In this stage of the developed FS model, as shown in Figure 1, the relevant features are selected according to their quality to improve intrusion detection in IoT. This is achieved by using a modified version of TSO based on the operators of DE, used as a local optimizer technique. The developed FS method, named TSODE, starts by constructing the initial population $X$, which contains $N$ agents. Each agent is then converted into its binary form, and the training set is reduced by removing the features that correspond to zeros inside this binary form. The next process is to compute the performance of the selected features using the classification error of the KNN classifier. After that, the agent that has the best fitness value is allocated. According to this best agent and the operators of TSO and DE, the agents inside the current population are updated until they reach the optimal solution.

1) CONSTRUCTING INITIAL POPULATION

The developed TSODE starts by dividing the dataset into 80% and 20% of the total samples, which represent the training and testing sets, respectively. Then TSODE uses Eq. (13) to form the initial value for a set of $N$ agents $X$, which represents the initial population.

$$X_i = LB + rand(1, D) \times (UB - LB) \tag{13}$$

where $D$ is the number of extracted features, and it represents the dimension of each agent. $rand(1, D)$ denotes $D$ random values generated from [0, 1]. $LB$ and $UB$ refer to the limits of the search domain.

2) UPDATING POPULATION

This stage begins by converting each agent $X_i$ into its Boolean form $BX_i$ using Eq. (14).

$$BX_{ij} = \begin{cases} 1 & \text{if } X_{ij} > 0.5 \\ 0 & \text{otherwise} \end{cases} \tag{14}$$

According to Eq. (14), the number of features inside the training set is decreased by removing those features corresponding to zeros; the fitness value for each agent $X_i$ is then computed using the following equation.

$$Fit_i = \lambda \times \gamma_i + (1 - \lambda) \times \left(\frac{|BX_i|}{D}\right) \tag{15}$$

In Eq. (15), $\gamma_i$ denotes the classification error calculated using the KNN classifier based on the training set. $\lambda \in [0, 1]$ is a random weight used to balance between the classification error and the ratio of relevant features ($\frac{|BX_i|}{D}$).

To clarify Eqs. (14)-(15), consider a current agent $X_i$ with seven features (dimensions), represented as $X_i = [0.0975, 0.2785, 0.5469, 0.9575, 0.9649, 0.1576, 0.9706]$. Applying Eq. (14) gives $BX_i = [0, 0, 1, 1, 1, 0, 1]$. This means that the third, fourth, fifth, and seventh features are chosen as relevant features and used to reduce the training set, and Eq. (15) is used to assess the selected features.

The next step is to find the best agent $X_b$, which has the best fitness value $Fit_b$, and then to use $X_b$ to update the current agents with the operators of TSO and DE. This process is performed by giving these operators the ability to work in a competitive manner, which leads to maintaining the agents' diversity. The updating process is conducted using the following equation.

$$X_i = \begin{cases} \text{Use Eq. (1)} & \text{if } p_1 < 0.5 \\ \text{Use Eqs. (5)-(7)} & \text{otherwise} \end{cases} \tag{16}$$

where $p_1$ is a random probability used to balance between the operators of TSO and DE.

3) TERMINAL CONDITIONS FOR LEARNING STAGE

In this stage, the stopping conditions are checked, and in case they are not met, the updating stage is performed again. Otherwise, $X_b$ is returned, which is used in the next stage to reduce the testing set.

4) EVALUATION USING TESTING SET

To assess the ability of the developed TSODE as an FS method, the best agent $X_b$ is used to remove the irrelevant features from the testing set; the quality of the classification process is then computed using different performance metrics based on the reduced features. The full steps of the developed IoT model to detect the intrusion are given in Algorithm 2.

Algorithm 2 Developed Feature Selection for Security of IoT
1: Input: tmax: maximum number of iterations, and N: number of solutions.
2: Normalize the input dataset using Eq. (9).
3: Extract the features using the proposed CNN model as described in Section IV-B.
4: Divide the dataset based on extracted features into training and testing sets.
5: Construct initial population X using Eq. (13).
6: Set t = 1.
7: while t <= tmax do
8:     Use Eq. (14) to obtain the Boolean form for each agent X_i.
9:     Apply Eq. (15) to compute the fitness value Fit_i for each X_i.
10:     Allocate the best agent X_b.
11:     Update the value of p1.
12:     if p1 < 0.5 then
13:         Update X_i using Eq. (1).
14:     else
15:         Update X_i using Eqs. (5)-(7).
16:     end if
17:     t = t + 1.
18: end while
19: Reduce the testing set using the relevant features (corresponding to ones) inside X_b.
20: Output: Return X_b and the value of performance metrics.

VOLUME 9, 2021 123453


A. Fatani et al.: IoT IDS Using DL and Enhanced TSO

FIGURE 3. The proposed TSODE as FS method.

TABLE 1. Confusion matrix. • Average Recall (AVSens ): It is also named as true positive
rate (TPR), which denotes the percentage of predicting
positive intrusion, and it is given as:
Nr
1 X TP
AVSens = SenskBest , SensBest =
Nr TP + FN
k=1
V. EXPERIMENT RESULTS AND DISCUSSION (18)
A. PERFORMANCE MEASURES
To assess the ability of the developed method to detect the • Average Precision (AVPrec ): This shows the percentage
intrusion in IoT environment, a set of performance measures of truly positive out of all the positive predicted samples,
is used. For example, accuracy, sensitivity, specificity, and which is given as:
F-measure, and each of them depends on the confusion matrix Nr
1 X TP
defined in Table 1. The definition of each measure is formu- AVPrec = PreckBest , PrecBest =
lated as: Nr FP + TP
k=1
• Average Accuracy (AVAcc ): The accuracy metric repre- (19)
sents the rate of correct detection of the intrusion, and it
• Performance Improvement Rate (PIR): It is used to mea-
is formulated as:
sure the improvement rate achieved by the developed
Nr
1 X method and it is defined as:
AVAcc = AcckBest ,
Nr MTSODE − MAlg
k=1 PIR = × 100 (20)
TP + TN MTSODE
AccBest = (17)
TP + FN + FP + TN where MTSODE represent the performance measure value
where Nr = 30 denotes the number of runs. (i.e., Accuracy, Recall, Precision, and F1-measure)

123454 VOLUME 9, 2021


A. Fatani et al.: IoT IDS Using DL and Enhanced TSO

TABLE 2. Selected CNN architecture hyper-parameters. TABLE 3. Description of KDDCup-99 and NSL-KDD datasets (10%).

TABLE 4. Description of Bot-IoT dataset (5%).

of the developed TSODE and compared algorithm,


respectively.
TABLE 5. Description of CICIDS-2017 dataset.

B. EXPERIMENTAL SETUP
In our experiments, Adam [49] with a learning rate of 0.005 is selected as the CNN optimizer, with a batch size of 2024 and 100 epochs. Table 2 lists the network topology and parameters. In addition, the performance of the developed TSODE as a feature selection method is compared with other MH techniques, including particle swarm optimization (PSO) [50], multiverse optimization algorithm (MVO) [51], Grey wolf optimizer (GWO) [52], moth flame optimization (MFO) [53], whale optimization algorithm (WOA) [54], Firefly algorithm (FFA) [55], Bat algorithm [56], and traditional TSO. The parameters of these MH methods are set according to the original implementation.

C. DATASET DESCRIPTION
Three datasets, namely KDDCup-99, NSL-KDD, and BoT-IoT, were used to evaluate the proposed model in binary classifications. Most researchers regularly utilize these datasets to benchmark the performance of their intrusion models. The challenge was to classify the connection records as either attack (intrusion) or benign.

1) KDDCup-99: The dataset was collected from the 1998 DARPA intrusion detection challenge dataset created by the MIT Lincoln Laboratory. A set of 1000's of UNIX machines and 100's of users were used for ten weeks to capture the network traffic data. The captured data was stored in tcpdump format to create the KDDCup 1998 dataset. A feature extraction operation was conducted on the processed tcpdump data using the mining audit data for automated models for ID (MADAM ID) framework. We used 10% of the full KDDCup-99 dataset in our experiments, and the connection records were normalized. As shown in Table 3, KDDCup-99 consists of 5 attack types and 41 features. The features are grouped into three main categories: basic features, which contain the network packet capture (Pcap) files; content features, which contain the full payload of TCP/IP packet information; and time-based traffic features with a 2-second overlapping window.

2) NSL-KDD: A refined version of KDDCup-99 obtained after removing redundant connection records. In addition, the dataset is provided in CSV format with 41 features and five attack types. Table 3 reports the detailed statistics of the dataset.

3) BoT-IoT: Industrial IoT (IIoT) smart home appliances were used to collect IIoT traffic samples to create the Bot-IoT dataset [57] in the Cyber
Range Lab of the center of UNSW Canberra Cyber. The smart IIoT devices include thermostats, motion-controlled lights, remotely controlled garage, fridges and freezers, and weather monitoring systems. The data is presented in two versions: the full version, which contains over 72 million records, and the 10% version, which consists of approximately 3.6 million records. We decided to experiment with the proposed model on 5% of the entire dataset with a group of the best ten features. Table 4 lists the train and test set records of the IIoT traffic categorized into five main classes.

4) CICIDS-2017: The intrusion detection dataset CICIDS-2017 [58] was collected at the Canadian Institute for Cybersecurity (CIC), University of New Brunswick, Canada. CICIDS-2017 consists of over 1.5 million records that simulate true real-world data (PCAPs). The dataset covers various attack types, including scan attacks, brute force, DoS, DDoS, infiltration, heart-bleed, bot, and Web-based attacks. The dataset PCAP traffic files have been used to build the CSV files from the network traffic analysis produced by CICFlowMeter. The CICFlowMeter software analyzes different connection protocols (HTTP, FTP, SSH, and email protocols) of 25 user behaviors. The overall dataset saved in CSV files contains 80 network traffic features and flow labels. To train and evaluate our proposed framework, we selected four CSV files to build the dataset used in our experiment: Tuesday-WorkingHours, Thursday-WorkingHours-Morning-WebAttacks, Friday-WorkingHours-Afternoon-PortScan, and Friday-WorkingHours-Afternoon-DDos. The combined files resulted in a total of 1,127,683 records distributed over benign and seven attack types. Table 5 lists the train and test set records and attack types used in our experiments.

FIGURE 4. Percentage difference between developed method and other MH techniques over the tested datasets in binary and multi classification.

FIGURE 5. Average of performance measures overall the four datasets.

D. RESULTS AND DISCUSSION
In this section, the comparison results between the developed TSODE and the other MH techniques are discussed. Tables 6-8 show the average of different metrics for the tested datasets used in our comparison (i.e., BoT-IoT, KDDCup-99, and NSL-KDD). It can be observed in the case of multi-classification of BoT-IoT, as given in Table 6, that most of the MH techniques have nearly the same performance during the training stage. However, PSO provides high performance measures. In addition, the developed
TSODE has the best accuracy, specificity, sensitivity, and F1-measure. In the binary case of the Bot-IoT dataset, it can be noticed that the developed TSODE has provided better results on the training and testing sets in terms of all performance measures. Figure 4(a)-4(b) depict the performance improvement rate (PIR) of the developed TSODE method and other MH techniques. It can be seen that the PIR in multi-classification varies from 0.011 to 0.101 in terms of accuracy and from 0.0212 to 0.084 in terms of Recall, and from 0.028 to 0.1021 and from 0.0214 to 0.1021 for Precision and F-measure, respectively. For binary classification, the PIR varies from 0.0037 to 0.0946, 0.0168 to 0.0753, 0.0226 to 0.0955, and 0.0142 to 0.0955 in terms of Accuracy, Recall, Precision, and F-measure, respectively.

TABLE 6. Comparison results of developed method using Bot-IoT dataset.

The comparison results between the developed method and other MH methods using the NSL-KDD dataset are given in Table 8 and Figure 4(c)-4(d). These results show the superiority of the developed TSODE over the other MH techniques when applied to either multi or binary classification of intrusion using NSL-KDD. The behavior of the developed TSODE in the learning stage is better than other models, as can be concluded from the performance measures; the same can be noticed from the results of the testing set. In addition, the developed TSODE provides accuracy better than MVO with a difference of nearly 0.528%, and with a difference between it and PSO of nearly 9%. In terms of Recall, Precision and F-measure, the developed TSODE is better than other models with a difference that varies from 1.840%, 2.866%, and 1.744% to 7.816%, 10.075%, and 9.752%, respectively. This can be noticed from Figure 4(c)-4(d).

TABLE 8. Comparison results of developed method using NSL-KDD.

Table 8 and Figure 4(g)-4(h) depict the comparison results between the developed TSODE and other MH models for KDDCup-99. From these results, it can be seen that the developed TSODE has better results in terms of all metrics on the training set of KDDCup-99 in the case of multi-classification. However, when the testing set is applied, BAT and FFA provide results better than other models in terms of F1-measure and Precision, respectively, while TSODE still provides better results in terms of accuracy, with a 0.4 difference between it and MVO. Moreover, in the case of binary KDDCup-99, the superiority of TSODE is observed from the comparison results in terms of all performance metrics over the training and testing sets. Figure 5 shows the average of the results in terms of metrics over all the test datasets for each algorithm. It shows the high ability of the developed model to improve the detection of intrusion in both cases (i.e., multi and binary) of classification.

TABLE 7. Comparison results of developed method using KDDCup-99 dataset.

The comparative results of the developed method and other methods when applied to the CICIDS-2017 dataset are given in Table 9. It can be noticed that in both cases, binary and multi-classification, the developed method has better performance (in nearly all metrics) than the other models, especially on the testing set. However, in general, the behaviour of most competitive FS methods is nearly the same on the training set. In addition, the

Figure 6 shows that many of the misclassifications are due to the low-frequency training samples provided to the CNN, such as U2R and R2L. In contrast, classes having a large number of training samples were well classified. In some cases, attacks such as PROBE were classified as Normal. This may be attributed to the difficulty of extracting characteristic features by the CNN for this attack type. The same observations can be noticed in Figure 7, where the CNN
model was confused between three classes, DOS, PROBE, and Normal, thus learning similar features as the Normal class. The CNN models show better performance on the KDDCup99 dataset than on the distilled NSL-KDD dataset, which helps to reduce the number of misclassifications in DOS. Likewise, the confusion matrix shown in Figure 9 for the Bot-IoT dataset shows that Normal and Theft connection records were completely misclassified. This is due to the small size of the training connection records fed to the CNN. The CNN model shows excellent ability to correctly classify attack types with significant training records such as DDoS, DoS, and Reconnaissance.

TABLE 9. Comparison results of developed method using CICIDS-2017 dataset.

FIGURE 6. KDDCup99 dataset confusion matrix.

FIGURE 7. NSL-KDD dataset confusion matrix.

FIGURE 8. BoT-IoT dataset confusion matrix.

FIGURE 9. CICIDS-2017 dataset confusion matrix.

In addition, the performance of the developed method and other methods in terms of false positive rate (FPR) is given in Table 10. From these results it can be seen that the values of FPR for the TSODE are better than those of the other algorithms in the binary and multi-class classification cases among all four tested datasets (i.e., KDDCup-99, NSL-KDD, BoT-IOT, and CICIDS-2017). This indicates that the features selected using the proposed TSODE improve the detection performance of the classifier on each class compared to other methods.

TABLE 10. The FPR of the developed method and other methods overall the tested datasets.

Table 11 shows the average CPU time(s) for each algorithm among the tested set of each dataset in both cases (i.e., binary and multi-classification). One can observe from these results that the developed TSODE has the smallest CPU time(s) on three and two datasets in the case of binary and multi-classification, respectively. In addition, the average of the traditional TSO over all the tested datasets in both cases is better than other MH techniques.

TABLE 11. CPU time(s) for each algorithm among the tested dataset.

To further analyze the results, a non-parametric test named the Friedman test is applied to determine if there is a significant difference between the developed method and the others [59]. In this test, there are two hypotheses. The first, called the null hypothesis, assumes there is no difference between the compared algorithms, and we accept it when the P-value is greater than 0.05. Otherwise, we accept the second, named the alternative hypothesis, which assumes there is a significant difference between the methods. Table 12 shows the mean rank of each method for the three tested datasets in two cases (i.e., binary and multi-classification). From those results, it can be noticed that in both cases of multi-classification, the developed TSODE has the highest mean rank in terms of all performance metrics. In addition, there is a significant difference between TSODE and other methods.

Moreover, the developed method is compared with the results of other methods collected from literature. We use
KDDCup-99, as an example, in our comparison with BARF [60], Ref [61], Ref [62], Ref [63], Ref [64], and Ref [65], which have accuracy rates of 96.42, 95.21, 94.56, 93.36, 92.42, and 90.27, respectively.

TABLE 12. Mean rank of each method using Friedman test in binary and multi classification.

VI. CONCLUSION
In this study, an intrusion detection system (IDS) for IoT systems was proposed using the advantages of deep learning and metaheuristic (MH) optimization algorithms. The developed system uses a convolutional neural network (CNN) as a feature extractor to obtain relevant features from the input data. Moreover, we developed a new feature selection method using a new variant of the transient search optimization (TSO) algorithm based on the differential evolution (DE) algorithm. The DE operators are employed to boost the search process of the traditional TSO algorithm, as well as to avoid its shortcomings, such as trapping at local optima. We implemented extensive experiments to evaluate the developed method using three IoT IDS datasets, KDDCup-99, NSL-KDD, and BoT-IoT. Additionally, we compared the developed FS method, TSODE, to the traditional TSO and several well-known MH optimization methods. The outcome verified the prominent performance of the proposed method using different evaluation measures. We conclude that the proposed TSODE significantly outperforms the traditional TSO, since the application of the DE operators has improved the exploitation and exploration phases of the traditional TSO. Moreover, we conclude that the developed IDS scheme based on CNN and TSODE significantly enhances classification accuracy.

For future work, different MH optimizers will be considered for IDS with different datasets. Additionally, the performance of the TSODE makes it possible to use it in other optimization tasks, such as image processing, cloud and fog computing scheduling, parameter estimation, and others.

REFERENCES
[1] I. Lee, "The Internet of Things for enterprises: An ecosystem, architecture, and IoT service business model," Internet Things, vol. 7, Sep. 2019, Art. no. 100078.
[2] I. Lee, "Internet of Things (IoT) cybersecurity: Literature review and IoT cyber risk management," Future Internet, vol. 12, no. 9, p. 157, Sep. 2020.
[3] G. S. Kushwah and V. Ranga, "Voting extreme learning machine based distributed denial of service attack detection in cloud computing," J. Inf. Secur. Appl., vol. 53, Aug. 2020, Art. no. 102532.
[4] P. Louvieris, N. Clewley, and X. Liu, "Effects-based feature identification for network intrusion detection," Neurocomputing, vol. 121, no. 18, pp. 265–273, 2013.
[5] P. Mishra, E. S. Pilli, V. Varadharajan, and U. Tupakula, "Intrusion detection techniques in cloud environment: A survey," J. Netw. Comput. Appl., vol. 77, pp. 18–47, Jan. 2017.
[6] J. Wei, C. Long, J. Li, and J. Zhao, "An intrusion detection algorithm based on bag representation with ensemble support vector machine in cloud computing," Concurrency Comput., Pract. Exper., vol. 32, no. 24, p. e5922, Dec. 2020.
[7] Q. Schueller, K. Basu, M. Younas, M. Patel, and F. Ball, "A hierarchical intrusion detection system using support vector machine for SDN network in cloud data center," in Proc. 28th Int. Telecommun. Netw. Appl. Conf. (ITNAC), Nov. 2018, pp. 1–6.
[8] P. Ghosh, A. K. Mandal, and R. Kumar, "An efficient cloud network intrusion detection system," in Information Systems Design and Intelligent Applications. New Delhi, India: Springer, 2015, pp. 91–99.
[9] P. Deshpande, S. C. Sharma, S. K. Peddoju, and S. Junaid, "HIDS: A host based intrusion detection system for cloud computing environment," Int. J. Syst. Assurance Eng. Manage., vol. 9, no. 3, pp. 567–576, Jun. 2018.
[10] C. Modi, D. Patel, B. Borisanya, A. Patel, and M. Rajarajan, "A novel framework for intrusion detection in cloud," in Proc. 5th Int. Conf. Secur. Inf. Netw., 2012, pp. 67–74.
[11] K. Peng, V. C. M. Leung, L. Zheng, S. Wang, C. Huang, and T. Lin, "Intrusion detection system based on decision tree over big data in fog environment," Wireless Commun. Mobile Comput., vol. 2018, Mar. 2018, Art. no. 4680867.
[12] X. Zhao and W. Zhang, "An anomaly intrusion detection method based on improved K-means of cloud computing," in Proc. 6th Int. Conf. Instrum. Meas., Comput., Commun. Control (IMCCC), Jul. 2016, pp. 284–288.
[13] G. R. Kumar, N. Mangathayaru, and G. Narasimha, "An improved K-means Clustering algorithm for intrusion detection using Gaussian function," in Proc. Int. Conf. Eng., 2015, pp. 1–7.
[14] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, "A survey of intrusion detection techniques in cloud," J. Netw. Comput. Appl., vol. 36, no. 1, pp. 42–57, 2013.
[15] K. A. P. da Costa, J. P. Papa, C. O. Lisboa, R. Munoz, and V. H. C. de Albuquerque, "Internet of Things: A survey on machine learning-based intrusion detection approaches," Comput. Netw., vol. 151, pp. 147–157, Mar. 2019.
[16] H. Liu and B. Lang, "Machine learning and deep learning methods for intrusion detection systems: A survey," Appl. Sci., vol. 9, no. 20, p. 4396, Oct. 2019.
[17] M. Almiani, A. AbuGhazleh, A. Al-Rahayfeh, S. Atiewi, and A. Razaque, "Deep recurrent neural network for IoT intrusion detection system," Simul. Model. Pract. Theory, vol. 101, May 2020, Art. no. 102031.
[18] E. Hodo, X. Bellekens, A. Hamilton, P.-L. Dubouilh, E. Iorkyase, C. Tachtatzis, and R. Atkinson, "Threat analysis of IoT networks using artificial neural network intrusion detection system," in Proc. Int. Symp. Netw., Comput. Commun. (ISNCC), May 2016, pp. 1–6.
[19] A. Dawoud, S. Shahristani, and C. Raun, "Deep learning and software-defined networks: Towards secure IoT architecture," Internet Things, vols. 3–4, pp. 82–89, Oct. 2018.
[20] K. Wu, Z. Chen, and W. Li, "A novel intrusion detection model for a massive network using convolutional neural networks," IEEE Access, vol. 6, pp. 50850–50859, 2018.
[21] O. Alkadi, N. Moustafa, B. Turnbull, and K.-K.-R. Choo, "A deep blockchain framework-enabled collaborative intrusion detection for protecting IoT and cloud networks," IEEE Internet Things J., vol. 8, no. 12, pp. 9463–9472, Jun. 2021.
[22] Z. Cai, Z. Xiong, H. Xu, P. Wang, W. Li, and Y. Pan, "Generative adversarial networks: A survey towards private and secure applications," 2021, arXiv:2106.03785. [Online]. Available: http://arxiv.org/abs/2106.03785
[23] M. T. Nguyen and K. Kim, "Genetic convolutional neural network for intrusion detection systems," Future Gener. Comput. Syst., vol. 113, pp. 418–427, Dec. 2020.
[24] M. R. G. Raman, N. Somu, K. Kirthivasan, R. Liscano, and V. S. S. Sriram, "An efficient intrusion detection system based on hypergraph—Genetic algorithm for parameter optimization and feature selection in support vector machine," Knowl.-Based Syst., vol. 134, pp. 1–12, Oct. 2017.
[25] S. Malhotra, V. Bali, and K. K. Paliwal, "Genetic programming and K-nearest neighbour classifier based intrusion detection model," in Proc. 7th Int. Conf. Cloud Comput., Data Sci. Eng., Jan. 2017, pp. 42–46.
[26] P. Ghosh, A. Karmakar, J. Sharma, and S. Phadikar, "CS-PSO based intrusion detection system in cloud environment," in Emerging Technologies in Data Mining and Information Security. Singapore: Springer, 2019, pp. 261–269.
[27] J. K. Seth and S. Chandra, "MIDS: Metaheuristic based intrusion detection system for cloud using k-NN and MGWO," in Proc. Int. Conf. Adv. Comput. Data Sci. Singapore: Springer, Apr. 2018, pp. 411–420.
[28] S. P. RM, P. K. R. Maddikunta, M. Parimala, S. Koppu, T. R. Gadekallu, C. L. Chowdhary, and M. Alazab, "An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture," Comput. Commun., vol. 160, pp. 139–149, Jul. 2020.
[29] M. Mayuranathan, M. Murugan, and V. Dhanakoti, "Best features based intrusion detection system by RBM model for detecting DDoS in cloud environment," J. Ambient Intell. Hum. Comput., vol. 12, no. 3, pp. 3609–3619, 2019.
[30] R. SaiSindhuTheja and G. K. Shyam, "An efficient Metaheuristic algorithm based feature selection and recurrent neural network for DoS attack detection in cloud computing environment," Appl. Soft Comput., vol. 100, Mar. 2021, Art. no. 106997.
[31] M. H. Qais, H. M. Hasanien, and S. Alghuwainem, "Transient search optimization: A new meta-heuristic optimization algorithm," Int. J. Speech Technol., vol. 50, no. 11, pp. 3926–3941, Nov. 2020.
[32] W. Yang, K. Xia, T. Li, M. Xie, and Y. Zhao, "An improved transient search optimization with neighborhood dimensional learning for global optimization problems," Symmetry, vol. 13, no. 2, p. 244, Feb. 2021.
[33] J. S. Bhadoriya and A. R. Gupta, "A novel transient search optimization for optimal allocation of multiple distributed generator in the radial electrical distribution network," Int. J. Emerg. Electr. Power Syst., 2021.
[34] R. Storn and K. Price, "Differential evolution—A simple and efficient heuristic for global optimization over continuous spaces," J. Global Optim., vol. 11, no. 4, pp. 341–359, 1997.
[35] A. Shokuh Saljoughi, M. Mehrvarz, and H. Mirvaziri, "Attacks and intrusion detection in cloud computing using neural networks and particle swarm optimization algorithms," Emerg. Sci. J., vol. 1, no. 4, pp. 179–191, Jan. 2018.
[36] S. Sharma, A. Gupta, and S. Agrawal, "An intrusion detection system for detecting denial-of-service attack in cloud using artificial bee colony," in Proc. Int. Congr. Inf. Commun. Technol. Singapore: Springer, 2016, pp. 137–145.
[37] T. Dash, "A study on intrusion detection using neural networks trained with evolutionary algorithms," Soft Comput., vol. 21, no. 10, pp. 2687–2700, May 2017.
[38] A. Kannan, G. Q. Maguire, A. Sharma, and P. Schoo, "Genetic algorithm based feature selection algorithm for effective intrusion detection in cloud networks," in Proc. IEEE 12th Int. Conf. Data Mining Workshops, Dec. 2012, pp. 416–423.
[39] A. Nazir and R. A. Khan, "A novel combinatorial optimization based feature selection method for network intrusion detection," Comput. Secur., vol. 102, Mar. 2021, Art. no. 102164.
[40] A. Alsaedi, N. Moustafa, Z. Tari, A. Mahmood, and A. Anwar, "TON_IoT telemetry dataset: A new generation dataset of IoT and IIoT for data-driven intrusion detection systems," IEEE Access, vol. 8, pp. 165130–165150, 2020.
[41] K. Kumar, R. Kumar, T. de Boissiere, L. Gestin, W. Z. Teoh, J. Sotelo, A. de Brébisson, Y. Bengio, and A. C. Courville, "MelGAN: Generative adversarial networks for conditional waveform synthesis," in Proc. Adv. Neural Inf. Process. Syst., 2019, pp. 14910–14921.
[42] A. Howard, M. Sandler, B. Chen, W. Wang, L.-C. Chen, M. Tan, G. Chu, V. Vasudevan, Y. Zhu, R. Pang, H. Adam, and Q. Le, "Searching for MobileNetV3," in Proc. IEEE/CVF Int. Conf. Comput. Vis. (ICCV), Oct. 2019, pp. 1314–1324.
[43] J. Angel, S. T. Aroyehun, A. Tamayo, and A. Gelbukh, "NLP-CIC at SemEval-2020 Task 9: Analysing sentiment in code-switching language using a simple deep-learning classifier," in Proc. 14th Workshop Semantic Eval., Barcelona, Spain, Dec. 2020, pp. 957–962. [Online]. Available: https://www.aclweb.org/anthology/2020.semeval-1.123
[44] S. Merity, "Single headed attention RNN: Stop thinking with your head," 2019, arXiv:1911.11423. [Online]. Available: http://arxiv.org/abs/1911.11423
[45] A. Ororbia, A. ElSaid, and T. Desell, "Investigating recurrent neural network memory structures using neuro-evolution," in Proc. Genetic Evol. Comput. Conf., Jul. 2019, pp. 446–455.
[46] A. Bochkovskiy, C.-Y. Wang, and H.-Y. Mark Liao, "YOLOv4: Optimal speed and accuracy of object detection," 2020, arXiv:2004.10934. [Online]. Available: http://arxiv.org/abs/2004.10934
[47] V. Nair and G. E. Hinton, "Rectified linear units improve restricted Boltzmann machines," in Proc. 27th Int. Conf. Mach. Learn. (ICML), 2010, pp. 807–814.
[48] B. McFee, J. Salamon, and J. P. Bello, "Adaptive pooling operators for weakly labeled sound event detection," IEEE/ACM Trans. Audio, Speech, Lang. Process., vol. 26, no. 11, pp. 2180–2193, Nov. 2018.
[49] D. P. Kingma and J. Ba, "Adam: A method for stochastic optimization," 2014, arXiv:1412.6980. [Online]. Available: http://arxiv.org/abs/1412.6980
[50] J. Kennedy and R. Eberhart, "Particle swarm optimization," in Proc. IEEE ICNN, vol. 4, Nov./Dec. 1995, pp. 1942–1948.
[51] S. Mirjalili, S. M. Mirjalili, and A. Hatamlou, "Multi-verse optimizer: A nature-inspired algorithm for global optimization," Neural Comput. Appl., vol. 27, no. 2, pp. 495–513, 2016.
[52] S. Mirjalili, S. M. Mirjalili, and A. Lewis, "Grey wolf optimizer," Adv. Eng. Softw., vol. 69, pp. 46–61, Mar. 2014.
[53] S. Mirjalili, "Moth-flame optimization algorithm: A novel nature-inspired heuristic paradigm," Knowl.-Based Syst., vol. 89, pp. 228–249, Nov. 2015.
[54] S. Mirjalili and A. Lewis, "The whale optimization algorithm," Adv. Eng. Softw., vol. 95, pp. 51–67, May 2016.
[55] X.-S. Yang and X. He, "Firefly algorithm: Recent advances and applications," Int. J. Swarm Intell., vol. 1, no. 1, pp. 36–50, 2013.
[56] X. S. Yang, "A new metaheuristic bat-inspired algorithm," in Nature Inspired Cooperative Strategies for Optimization. Berlin, Germany: Springer, 2010, pp. 65–74.
[57] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull, "Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset," Future Gener. Comput. Syst., vol. 100, pp. 779–796, Nov. 2019.
[58] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, "Toward generating a new intrusion detection dataset and intrusion traffic characterization," in Proc. 4th Int. Conf. Inf. Syst. Secur. Privacy, vol. 1, Jan. 2018, pp. 108–116.
[59] M. Friedman, "A comparison of alternative tests of significance for the problem of m rankings," Ann. Math. Statist., vol. 11, no. 1, pp. 86–92, 1940.
[60] J. Li, Z. Zhao, R. Li, H. Zhang, and T. Zhang, "Ai-based two-stage intrusion detection for software defined IoT networks," IEEE Internet Things J., vol. 6, no. 2, pp. 2093–2102, Nov. 2018.
[61] J. Li, Z. Zhao, and R. Li, "A machine learning based intrusion detection system for software defined 5G network," 2017, arXiv:1708.04571. [Online]. Available: http://arxiv.org/abs/1708.04571
[62] A. S. da Silva, J. A. Wickboldt, L. Z. Granville, and A. Schaeffer-Filho, "ATLANTIC: A framework for anomaly traffic detection, classification, and mitigation in SDN," in Proc. IEEE/IFIP Netw. Oper. Manage. Symp., Apr. 2016, pp. 27–35.
[63] X. Ye, X. Chen, H. Wang, X. Zeng, and G. Shao, "An anomalous behavior detection model in cloud computing," Tsinghua Sci. Technol., vol. 21, no. 3, pp. 322–332, Jun. 2016.
[64] P. Wang, K.-M. Chao, H.-C. Lin, W.-H. Lin, and C.-C. Lo, "An efficient flow control approach for SDN-based network threat detection and migration using support vector machine," in Proc. IEEE 13th Int. Conf. E-Bus. Eng. (ICEBE), Nov. 2016, pp. 56–63.
[65] A. Le, P. Dinh, H. Le, and N. C. Tran, "Flexible network-based intrusion detection and prevention system on software-defined networks," in Proc. Int. Conf. Adv. Comput. Appl. (ACOMP), Nov. 2015, pp. 106–111.

ABDULAZIZ FATANI received the B.S. degree in computer sciences from Umm Alqura University, Makkah, Saudi Arabia, in 2009, and the M.S. degree in computer sciences from Huazhong University of Science and Technology, Wuhan, China, in 2015, where he is currently pursuing the Ph.D. degree in computer sciences. In 2010, he worked at Umm Alqura University.
MOHAMED ABD ELAZIZ received the B.S. and M.S. degrees in computer science and the Ph.D. degree in mathematics and computer science from Zagazig University, Egypt, in 2008, 2011, and 2014, respectively. From 2008 to 2011, he was an Assistant Lecturer with the Department of Computer Science. He is currently an Associate Professor with Zagazig University. He is the author of more than 190 articles. He is one of the 2% influential scholars, which depicts the 100,000 top-scientists in the world. His research interests include metaheuristic technique, security IoT, cloud computing, machine learning, signal processing, image processing, and evolutionary algorithms.

ABDELGHANI DAHOU received the B.S. and M.S. degrees in computer science and intelligent systems from the University of Ahmad Draia, Adrar, Algeria, in 2012 and 2014, respectively, and the Ph.D. degree in computer science from Wuhan University of Technology, Wuhan, Hubei, China, in 2019. He is currently a Lecturer with the Faculty of Science and Technology, University of Ahmad Draia. His research interests include deep learning, signal processing, data mining, neuro-evolution, image processing, and natural language processing.

MOHAMMED A. A. AL-QANESS received the B.S., M.S., and Ph.D. degrees from Wuhan University of Technology, in 2010, 2014, and 2017, respectively, all in information and communication engineering. He is currently an Assistant Professor with the School of Computer Science, Wuhan University, Wuhan, China. He is also a Postdoctoral Follower with the State Key Laboratory for Information Engineering in Surveying, Mapping, and Remote Sensing, Wuhan University. His current research interests include wireless sensing, mobile computing, machine learning, signal and image processing, and natural language processing.

SONGFENG LU was born in 1968. He received the Ph.D. degree in computer software and theory from Huazhong University of Science and Technology. He is currently a Professor of Huazhong University of Science and Technology. His research interests include artificial intelligence, quantum computing, and information security.
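The Friedman test applied in Section V-D to compare the feature-selection methods can be reproduced as follows; this is an added example, not the authors' code. The accuracy values and the four-method selection are constructed, ranks are assigned so that the best method gets the highest rank (matching how Table 12 is read), and the p-value uses the chi-square approximation with k - 1 degrees of freedom.

```python
import math

ALPHA = 0.05  # significance level stated in the paper
METHODS = ["TSODE", "TSO", "PSO", "MVO"]

# Constructed accuracies: one row per case (3 datasets x binary/multi), one column per method.
SCORES = [
    [0.99, 0.97, 0.95, 0.98],
    [0.93, 0.91, 0.90, 0.92],
    [0.88, 0.86, 0.87, 0.85],
    [0.99, 0.98, 0.96, 0.97],
    [0.92, 0.90, 0.91, 0.89],
    [0.76, 0.74, 0.73, 0.75],
]


def rank_row(scores):
    """Rank one case: rank 1 = lowest score; tied scores share the average rank."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks = [0.0] * len(scores)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        for pos in range(i, j + 1):
            ranks[order[pos]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def chi2_sf(x, df):
    """P(X >= x) for a chi-square variable, via the series for the lower incomplete gamma."""
    if x <= 0:
        return 1.0
    a, z = df / 2.0, x / 2.0
    term = total = 1.0 / a
    n = 0
    while abs(term) > 1e-16 * abs(total):
        n += 1
        term *= z / (a + n)
        total += term
    lower = total * math.exp(-z + a * math.log(z) - math.lgamma(a))
    return max(0.0, 1.0 - lower)


def friedman(scores):
    """Return (mean_ranks, chi-square statistic, p-value) for scores[case][method]."""
    n, k = len(scores), len(scores[0])
    ranks = [rank_row(row) for row in scores]
    mean_ranks = [sum(r[m] for r in ranks) / n for m in range(k)]
    stat = 12.0 * n / (k * (k + 1)) * sum((mr - (k + 1) / 2.0) ** 2 for mr in mean_ranks)
    # Tie correction: each group of t equal scores in a row contributes t^3 - t.
    ties = sum(row.count(v) ** 3 - row.count(v) for row in scores for v in set(row))
    correction = 1.0 - ties / (n * (k ** 3 - k))
    if correction == 0:          # every row fully tied: no evidence of any difference
        return mean_ranks, 0.0, 1.0
    stat /= correction
    return mean_ranks, stat, chi2_sf(stat, k - 1)


def reject_null(p_value, alpha=ALPHA):
    """True when the 'no difference between methods' hypothesis is rejected."""
    return p_value <= alpha


if __name__ == "__main__":
    mean_ranks, stat, p = friedman(SCORES)
    for name, mr in zip(METHODS, mean_ranks):
        print(f"{name:6s} mean rank = {mr:.3f}")
    print(f"chi-square = {stat:.3f}, p = {p:.4f}, significant = {reject_null(p)}")
```

With only a handful of cases the chi-square approximation is coarse, so a p-value close to 0.05 deserves an exact table or a post-hoc pairwise test before it is read as a difference between methods.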
