Received 23 August 2023, accepted 3 October 2023, date of publication 5 October 2023, date of current version 24 October 2023.

Digital Object Identifier 10.1109/ACCESS.2023.3322369

Hybrid Metaheuristics With Machine Learning

Based Botnet Detection in Cloud Assisted
Internet of Things Environment
LATIFAH ALMUQREN 1 , HAMED ALQAHTANI2 , SUMAYH S. ALJAMEEL 3,

AHMED S. SALAMA4 , ISHFAQ YASEEN 5 , AND AMANI A. ALNEIL5

1 Department of Information Systems, College of Computer and Information Sciences, Princess Nourah bint Abdulrahman University, Riyadh 11671, Saudi Arabia
2 Department of Information Systems, College of Computer Science, Center of Artificial Intelligence, Unit of Cybersecurity, King Khalid University, Abha 62529,
Saudi Arabia
3 Saudi Aramco Cybersecurity Chair, Computer Science Department, College of Computer Science and Information Technology, Imam Abdulrahman Bin Faisal

University, Dammam 31441, Saudi Arabia

4 Department of Electrical Engineering, Faculty of Engineering and Technology, Future University in Egypt, New Cairo 11845, Egypt
5 Department of Computer and Self Development, Preparatory Year Deanship, Prince Sattam bin Abdulaziz University, Al-Kharj 16273, Saudi Arabia

Corresponding author: Ishfaq Yaseen ([email protected])

The authors extend their appreciation to the Deanship of Scientific Research at King Khalid University for funding this work through large
group Research Project under grant number (RGP2/159 /44). Princess Nourah bint Abdulrahman University Researchers Supporting
Project number (PNURSP2023R349), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia. We Would like to thank
SAUDI ARAMCO Cybersecurity Chair for funding this project. This study is supported via funding from Prince Sattam bin Abdulaziz
University project number (PSAU/2023/R/1444). This study is partially funded by the Future University in Egypt (FUE).

ABSTRACT Botnet detection in a cloud-aided Internet of Things (IoT) environment is a tedious process,
meanwhile, IoT gadgets are extremely vulnerable to attacks due to poor security practices and limited
computing resources. In the cloud-aided IoT environment, Botnet can be identified by monitoring network
traffic and analyzing it for signs of malicious activity. It can be performed by using intrusion detection
systems, machine learning (ML) algorithms, and other security tools that are devised for identifying known
botnet behaviors and signatures. Therefore, this study presents a Hybrid Metaheuristics with Machine
Learning based Botnet Detection (HMMLB-BND) method in the Cloud Aided IoT environment. The
projected HMMLB-BND technique focuses on the detection and classification of Botnet attacks in the
cloud-based IoT environment. In the presented HMMLB-BND technique, modified firefly optimization
(MFFO) algorithm for feature selection purposes. The HMMLB-BND algorithm uses a hybrid convolutional
neural network (CNN)-quasi-recurrent neural network (QRNN) module for botnet detection. For the optimal
hyperparameter tuning process, the chaotic butterfly optimization algorithm (CBOA) is employed. A series
of simulations were made on the N-BaIoT dataset and the experimental outcomes stated the significance of
the HMMLB-BND technique over other existing approaches.

INDEX TERMS Deep learning, cloud computing, Internet of Things, cybersecurity, botnet detection.

I. INTRODUCTION earthquake command system [2]. Various design objectives

Nowadays, cloud computing (CC) has grabbed the attention which include energy consumption, fairness, reliability and
of the research community [1]. Its role in offering on-demand fault tolerance are regarded in the model of the CC system.
resources and services has unlocked its way into various tech- But security is considered to be the critical design objective in
nological atmospheres such as data centers, power systems this domain. IoT often appears in the CC ecosystem [3]. This
and intelligent transportation, video delivery system, and technology compiles geographically dispersed cyber-enabled
systems or cyber-physical devices to offer strategic services.
The associate editor coordinating the review of this manuscript and Similar to the case of CC [4], security becomes the significant
approving it for publication was Sangsoon Lim . goal in the model of the IoT platform. Cyber threats targeting
2023 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
115668 VOLUME 11, 2023
L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment
IoT gadgets found to be rising with the development of IoT
[5]. Many IoT gadgets are linked to the internet, allowing
a lack of security control abuse [6]. Several security threats
are aimed at the IoT, which includes several susceptibilities.
As the IoT is prone to various attacks, it is significant to cate-
gorize the attacks and appropriate vulnerabilities to study the
IoT. Through certain research, it is established that routing,
jamming, sinkhole, DoS, wormhole, a man in the middle,
worm attacks [7], flooding, and virus probably occur in an
IoT system. To be specific, DoS attacks and flooding take
place in production IoT platforms [8].
Botnet attack is now increasingly gaining popularity [9].
Service disruption and resource depletion are some of the
damages caused by the botnet. AI is commonly utilized to
find such IoT attacks [10]. The intrusion detection system
(IDS) is an application that can be used to oversee net-
work traffic actions to detect malicious actions. The IDS
are classified into two categories per the detection system
named anomaly-based and signature-based detection systems
[11]. The first one is to use the network behaviours from
established baselines. This method will be suited to detect
unknown and known malicious events. The next one applies
particular patterns from the network (e.g., a sequence of
bytes). And later it compares these sequences with current
signature databases [12]. Compared to traditional ML meth-
ods, the current study noted that the deep learning (DL)
method finds IoT assaults fruitfully. But the cloud layer only
has the resource to run these algorithms [13]. On top of
that, these methods are not active in some cases, like remote
live functioning, since the system has been assumed to form
realistic decisions faster.
The convergence of IoT devices and cloud services poses
several complexities because of huge scale, heterogeneity,
and dynamic nature of the ecosystem. The sheer volume
of different IoT devices, each with distinct communication
protocols and abilities, makes it difficult to devise univer-
sal detection methods. Encrypted communication among the
devices and cloud services further complicate the examina-
tion of network traffic for signs of botnet activity. The limited
resources of IoT devices obstruct the design of resource-
intensive detection approaches, requiring the design of
lightweight yet effective approaches. The distributed nature
of botnets and its capability to mimic legitimate device behav-
ior make pinpointing malicious activities and command-and-
control nodes challenging. Rapid development of the attack
approaches, integrated with the absence of uniform security
standards across IoT devices, exacerbate the difficulty of
botnet detection.
To resolve these issues, this study designs a Hybrid Meta-
heuristics with Machine Learning based Botnet Detection
(HMMLB-BND) method in the Cloud Assisted IoT envi-
ronment. In the presented HMMLB-BND approach, the
modified firefly optimization (MFFO) technique is used for
feature selection (FS) purposes. For botnet detection, the
HMMLB-BND technique uses a hybrid convolutional neu-
ral network (CNN)-quasi-recurrent neural network (QRNN)
VOLUME 11, 2023
model. For the optimal hyperparameter tuning process, the
chaotic butterfly optimization algorithm (CBOA) is applied.
To demonstrate the enhanced performance of the HMMLB-
BND technique, a series of simulations were made on the
N-BaIoT dataset. In short, the key contributions are listed as
follows.
• Develop a new HMMLB-BND technique comprising
MFFO based feature subset selection, CNN-QRNN
classification, and CBOA based hyperparameter tuning
for botnet detection has been developed. To the best
of our knowledge, the HMMLB-BND technique never
existed in the literature.
• Present MFFO algorithm for the feature selection pro-
cess, which resolves the ineffective exploration ability
and local optima problem.
• Hyperparameter tuning of the CNN-QRNN model
using CBOA helps to improve the overall predictive
performance on unseen training data.
II. RELATED WORKS
Vinayakumar et al. [14] based on a two-level DL structure,
a botnet detection system is presented for semantically deter-
mining Botnet and legal activities at the application layer
of the domain name system (DNS). A primary first level of
structure, with the use of a Siamese network, depends on
a pre-defined threshold, the measure of similarity of DNS
queries will be predicted to opt the frequent DNS data across
an Ethernet connection. In Shorman et al. [15], an innova-
tive unsupervised evolutionary IoT botnet recognition algo-
rithm was devised. The algorithm mainly detects IoT botnet
attacks in IoT devices using the effectiveness of a recent SI
method named GWO for optimizing the hyperparameter of
the OCSVM and concurrently recognising the attributes that
define the IoT botnet issue optimally.
The authors [16] introduced a potential DL-based Botnet
attack-detecting approach that can deal with vastly imbal-
anced network traffic datasets. To be Specific, to achieve
class balance, SMOTE makes more minority samples, while
DRNN learned hierarchical feature representation in bal-
anced network traffic datasets for effectuating discriminative
classifying procedure. The authors in [17] devise a botnet
detection method utilizing the barnacle’s mating optimizer
including ML (BND-BMOML) for the IoT platform. This
proposed method has focused on the recognition and identi-
fication of botnets in IoT platforms. Initially, a data standard-
ization method is followed by the BND-BMOML algorithm
follows for effectuating this. In the above-mentioned method,
for opting for a valuable feature set, the BMO approach was
used. To detect botnets, this study uses the BND-BMOML
method in an Elman NN (ENN) method.
In [18], ML approaches were utilized to support the preven-
tion and detection of bot attacks. In this study for the selec-
tion of the best features, An Ensemble Classifier Algorithm
includes Stacking Process (ECASP) was devised that is given
as input to the ML classifiers for forecasting the performance
of botnet identification. Catillo et al. [19] modelled a new
115669
 L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment

IoT-driven cross-device approach, which permits learning

single IDSs rather than several separate methods atop the
traffic of various IoT gadgets. Because of its extensive appli-
cability for unanticipated attacks, a semi-supervised method
was implemented. The solution relies upon deep AE, which
has trained a single DNN with the normal traffic from many
IoT gadgets. Habibi et al. [20] apply the CTGAN method, and
the existing GAN approaches in tabular data modelling and
generation to solve the limitations. Khan et al. [21] offered a
robust and lightweight DL structure for detecting intrusions
that has the computation ability to be gradually reduced
and installed as a localized threat identification within IoT
gadgets. Also, the presented Hybrid method was compared
against a benchmark ANN method.
Banati and Bajaj [22] examine a novel FS method, which
integrates the RST with a nature-simulated ‘firefly’ tech-
nique. This technique inspires the attraction method of real
fireflies that guides the FS method. Coelho et al. [23]
establish an enhanced FA system integrated with chaotic
sequences (FAC) executed to reliability-redundancy opti-
mizer. Alzahrani and Bamhdi [24] introduce a robust model FIGURE 1. Overall process of the HMMLB-BND system.
specifically to support identifying botnet attacks on IoT
devices. It is done by newly integrating the model of CNN
with LSMT (CNN-LSTM) methodology for detecting 2 gen- A. FEATURE SELECTION USING MFFO ALGORITHM
eral and serious IoT attacks (BASHLITE and Mirai) on Firstly, the MFFO algorithm is used for the optimal selection
4 kinds of security cameras. of feature subsets. The FFO is a nature-inspired optimizer
Bhayo et al. [25] examine a ML-based system for detecting technique motivated by the flashing behaviors of fireflies
DDoS attacks from SDN-WISE IoT controller. The authors [28]. It claims that the flash pattern produced by every firefly
are combined a ML-based detection element as to controller exists naturally via a unique bioluminescence method. The
and set up a testbed platform for simulating DDoS attack significant function of flashing generated by the biolumines-
traffic generation. The traffic can captured by a logging sys- cence process is the mating partner and attracting the prey.
tem along with the SDN-WISE controller that writes net- The succeeding four assumptions have been made to simplify
work logs into log file that is pre-processing and converting the FFO: (i) each firefly is considered to be unisex, (ii) bright
into database. Siddiqui et al. [26] offers a widespread sur- firefly attracts those with lesser brightness, (iii) the prey
vey analysis the published studies on SDN-based structures movement was assumed to be random if there is relatively no
for addressing IoT management problems in the sizes of brighter firefly, and (iv) luminousness value is considered that
fault tolerance, scalability, load balancing, energy manage- main function that assists in simplifying the maximization
ment, and security service provisioning in the IoT networks. problem. The FFO algorithm has two main challenges: attrac-
Khalid et al. [27] purposes to solve the intricacy of policies tiveness formulation and light intensity variation. There-
management, forged policy, dissemination, central manage- fore, it is presumed that firefly brightness analyses its
ment, automation, and tracking of access control policies of attractiveness.
IoT nodes and offers a trackable and auditable access con- Is
trol policy management system which prevent forged policy I (r) = 2 (1)
r
dissemination by executing SDN and BC technology in IoT
In Eq. (1) Is signifies fixed intensity. Consider a medium
platform.
that has a fixed light absorption coefficient and Io original
III. THE PROPOSED MODEL luminous intensity, then the light intensity is modelled by:
In this study, we have established a novel HMMLB-BND 2
I = Io e−γ r (2)
approach in the Cloud Aided IoT environment. The projected
HMMLB-BND technique focuses on the detection and clas- Eqs. (1) and (2) are used to present a Gaussian form of
sification of Botnet attacks from the cloud-based IoT environ- luminous intensity that is given below:
ment. In the presented HMMLB-BND approach, the MFFO
Io
algorithm for FS purposes is applied. To detect and classify I (r) = + γ r2 (3)
botnets properly the CBOA with CNN-QRNN model is used. 1
Fig. 1 defines the overall process of the HMMLB-BND The firefly attractiveness as a function of luminous inten-
method. sity can be defined by the modification of fireflies that can be

115670 VOLUME 11, 2023

L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment

formulated by:
−γ r 2
β (r) = β0 e
In 2D space, the distance between two fireflies is
determined by the Cartesian distance:
q from zero to one.
rij̇ = xi − xj = (xi − xj )2 +(yi − yj )2 (5)
As we discussed, the brighter firefly attracts the spe-
cific, less bright one. Therefore, ith firefly movement can be
mathematically formulated by:
2 search ability whereas the neighboring fireflies are not notice-
xj = xj + β0 e−γ rij xj − xj + α (rand−0.50)


(6)
where α signifies the randomization parameter, and rand sig-
nifies a uniformly distributed random number within [0, 1].
The FFO technique is a powerful optimization technique uti-
lized in an optimization problem. But, it has poor search capa-
bility and suffers from the local optima problem. An adapted
version of the FFO is established, namely the MFFO algo-
rithm by presenting the subsequent modification in the FFO
algorithm: search capability is enhanced, and the local opti-
mal problems can be solved. A comprehensive explanation is
shown in the following.
The poor search capability and trapped in local optima
are solved by presenting two modifications in the FFO,
named MFFO technique: (1) the overall population of fire-
flies is stimulated towards the direction of global optimal
or best solution; (2) population diversity can be enhanced
by presenting two mutation operations and three crossover
operations. Correspondingly, the entire firefly population
can be enhanced in every iteration by presenting certain
assumptions. The comprehensive overview is given below:
itr denotes the best individual, and X itr
Consider that Xbest worst
denotes the worse individual in the firefly population at every
iteration. During the firefly population for ith firefly, three
more fireflies are selected randomly as Xq1 , Xq2 , and Xq3 so
that q1 ̸ =q2 ̸ = q3 ̸ =i. The two newly generated individuals are
given as follows:
(
xmute1,j if k5 ≤ k4
ximprove4,j = (12)
xmute2,j if k5 > k4
(4)
ximprove5,j = ψ × Xworst + ζ (Xbest − Xworst ) (13)
F k1 : k5 , ψ, and ζ characterize random variable ranges
For each firefly, the objective function can be defined, and
the ith firefly will be replaced by the firefly having the smaller
objective function. When the ith firefly has a main function
small than the optimally attained firefly, then the replacement
cannot be done. The α random parameter controls the random
able to the selected firefly. The α monitor and control the
movements of every firefly selected randomly amongst [0, 1].
The value of α through the global search space leads to an
optimum solution, whereas the smaller value of α promotes
local search. Thereby, an optimum value of α fulfils the bal-
ance of local and global searching. A novel adaptive control
mechanism can be devised for improving the search ability
(global and local) to accomplish this balance. Moreover, the
process runs for multiple epochs, and the heuristic function
for every epoch is attained by the following:
αitr+1 = (1/2kmax )1/kmax αitr (14)
where itr signifies iteration value ranges from 1 to kmax .
The fitness function of the MFFO algorithm is intended
to have a balance between the classification performance
(highest) and the count of features selected in every solution
(lowest) attained by the features selected, Eq. (15) signifies
the fitness function to estimate the solution.
|R|
Fitness = αγR (D) + β (15)
|C|
where the two parameters respective to the importance of
classification quality and subset length are α and β, γR (D)
characterizes the classification error rate. |R| denotes the
cardinality of the selected subset and |C| shows the overall
amount of features in the dataset. ∈ [1,0] and β = 1 − α.

Xmutate1 = Xq1 + 1 × (q2 − q3 ) B. BOTNET DETECTION USING CNN-QRNN MODEL

Xmutate2 = Xmutate1 + 1(Xbest
itr itr
− Xworst ) (7) For botnet detection and classification, the CNN-QRNN
model is used. The CNN-QRNN architecture comprises FC
Now 1 denotes a randomly generated value within [0, 1]. layers, a1D convolution layer, and a QRNN [29]. Initially,
By using Xmutate1 and Xmutate2 , the five fireflies are created by the 1D convolution layer chooses the spatial feature and gen-
the following: erates feature maps that can be treated by using the activation
Xbest1 = xbest1 , xbest2 , . . . ,xbestd
 
(8) function. Due to its fast convergence of the GD model, the
( ReLu function is applied in the convolutional layer, making it
xmute1,j if k1 ≤ k2 a better option for the CNN-QRNN method. Next, the feature
ximprove1,j = (9)
xbest1,j if k1 > k2 maps can be processed using the second layer that exploits
( the Maxpooling function. The pooling layer removes irrele-
xmute1,j if k3 ≤ k2 vant features and decreases dimensionality. In both layers of
ximprove2,j = (10)
xj if k3 > k2 QRNN, the hidden size characterizes the output dimension
( and count of hidden modules. The major problem of NN is
xbest1,j if k4 ≤ k3 over-fitting which implies a model learns the data effectively.
ximprove3,j = (11)
xj if k4 > k3 As a result, the model cannot find variants in novel datasets.

VOLUME 11, 2023 115671

 L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment
Thus, to prevent overfitting, we added a dropout layer. Fig. 2
illustrates the architecture of the CNN-QRNN technique.
FIGURE 2. Structure of CNN-QRNN.
Next, max-pooling and 1D convolutional layers are used
for extracting spatiotemporal features. The outcome of CNN
is fed into Flatten layer the FC input layer converts the
outcome of pooling layers into a single vector that is input
for the following layers. Lastly, the dense layer, also known as
the FC layer, with SoftMax function was utilized to categorize
the threat by computing the probability for all the classes.
C. PARAMETER TUNING USING CBOA
The utilization of the CBOA model for hyperparameter tun-
ing helps in attaining improved performance on botnet attack
detection. The learning rate is the hyperparameter tuned by
the CBOA. The BOA is a swarm-based metaheuristic algo-
rithm based on the information-sharing and foraging behav-
ior of butterflies (BFs) [30]. Due to its performance, BOA
was used in different fields of optimization problems. The
magnitude of BF produces an odor smell with intensity once
it moves. The other BFs attracted towards BF based on the
magnitude of fragrances. The fragrance of all the BFs is
illustrated in Eq. (16).
pfi = cI a (16)
where c and a parameters are a power exponent that signifies
the degree of fragrance absorption and the sensor modality
correspondingly. pfi signifies the perceived magnitude of
fragrances, and I represent the fragrance intensity.
Butterflies movement: The movement of BFs can be
dependent upon 3 stages as follow.
-Global searching stage. All the BFs emit fragrance once
it moves and other BFs take with it based on their magnitude
of fragrances. This procedure is termed global searching and
is determined as:
 
xit+1 = xit + r 2 × g∗ − xit ×fi (17)
In which xit defines the vector that signifies the BF (solu-
tion) at iteration t, g∗ signifies the entire better results, r
stands for the random number in 0 and 1, and fi denotes the
fragrance of it h BF. During this stage, the g primary value
is the location of the minimal fitness of every solution and it
is computed by allocating a fitness value to all the solutions
and determining the minimal fitness afterwards upgrading
115672
the g (position) based on the minimal fitness. Besides, ther
value could not be utilized for calculating fitness, it can be
managed by the p (switching probability) value and primary
value of p = 0.8. The r value has been related to the p-value
for controlling the BF but moving to a better solution with
minimal fitness from local/global searching.
-Local searching stage. If the BFs lose the sense of the
fragrance of other BFs, they can be moved arbitrarily from
the searching space. The procedure is termed local searching
and it could be determined as:
 
xit+1 = xit + r 2 × xjt − xkt ×fi (18)
whereas xjt , xk t implies the 2 vectors that signify 2 various
BFs from a similar population. -Solution estimation. The fra-
grance intensity of BFs defines their main function. The BF
attract the other BFs based on their magnitude of fragrances.
The projected CBOA technique depends upon the combi-
nation of chaotic maps from the typical BOA. Essential stages
of the presented CBOA are given in the following. Appeal
the chaotic maps to upgrade BF places rather than utilizing
random variables so as far as will enhance the performance
of CBOA. Eqs. (2) and (3) are altered by exchanging r 2 by
Cj as follows:
xit+1 = xit + Cj ×g∗ − xit ×fi


(19)
t+1 t t


xi = xi + Cj ×xjt − xk ×fi (20)
whereas Cj denotes the chaotic map and j = 1, 2, . . . , 10.
Noticeably the Cj values can be chaotic, created utilizing
10 chaotic maps that can be exchanged with r value for
obtaining best outcomes and minimal fitness than novel
technique utilize random value.
Fitness selection is a key factor in the CBOA system.
Solution encoding is used to evaluate the goodness of the
solution candidate. Then, the accuracy value is the primary
condition exploited for devising a fitness function.
Fitness = max (P) (21)
TP
P= (22)
TP + FP
where TP represent the true positive and FP symbolizes the
false positive value.
IV. RESULTS AND DISCUSSION
In this work, the botnet detection results of the HMMLB-
BND method are studied on the N-BaIoT [31] Dataset.
It includes 17001 instances with three class labels as given
in Table 1. The proposed model is simulated using Python
3.6.5 tool on PC i5-8600k, GeForce 1050Ti 4GB, 16GB
RAM, 250GB SSD, and 1TB HDD. The parameter settings
are given as follows: learning rate: 0.01, dropout: 0.5, batch
size: 5, epoch count: 50, and activation: ReLU.
Fig. 3 represents the confusion matrices of the HMMLB-
BND method tested under distinct sizes of the TRP and
TSP. The results denote that the HMMLB-BND system has
identified the botnets proficiently under all TRP and TSP.
VOLUME 11, 2023
L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment

Algorithm 1 Pseudocode of BOA

Fixed the primary values of population size n(BFs), switch
probability ρz, c sensory modality, parameters az(power
exponent), and maximal count of iterations Maxitr .
Set t:= 0.
for (i = 1 :i ≤ n) d
Make a primary population (BFs) xit arbitrarily.
Measured the fitness function of all the BFs
(solutions)(xit )z.
Compute the fragrance for xit as in Eq. (16).
Allocate the entire optimum BF (solution) g∗ .
end for
repeat
Set t = t+1.
for (i= 1 :i ≤ n)do
Make random numbers r, r ∈ [0, 1].
if (r < ρ)z then
Move BFs nearby the better BF g∗ as in Eq. (17).
else
Move BFs arbitrarily.
endif
Estimate the fitness function of all the BFs (solutions)
FIGURE 3. Confusion matrices of HMMLB-BND method (a-b) TRP/TSP of
(xit )z. 80:20 and (c-d) TRP/TSP of 70:30.
Allocate the entire optimum solution
g∗ .
TABLE 2. Botnet classifier outcome of HMMLB-BND method on 80:20 of
end for TRP/TSP.
Upgrade the value of parameters c= [0.01, 0.25].
until (t > Maxitr ).
Display the optimum solution
g∗ .

TABLE 1. Details of database.

Table 2 reports the overall outcomes of the HMMLB-BND

method on 80:20 and 70:20 of TRS/TSS. In Fig. 4, the botnet
classification outcome of the HMMLB-BND technique can
be examined on 80% of TRP. The outcomes represented that
the HMMLB-BND system recognizes the botnets effectually
under all classes. In addition, it is noticed that the HMMLB-
BND method obtains an average accuy of 98.20%, precn of
97.14%, recal of 97.08%, Fscore of 97.10%, and AUCscore
of 97.87%.
In Fig. 5, the botnet classification performance of the
HMMLB-BND system can be examined on 20% of TSP.
The outcomes signified that the HMMLB-BND technique
recognizes the botnets effectually under all classes. Besides,
it can be noticed that the HMMLB-BND system attains an
average accuy of 97.96%, precn of 96.79%, recal of 96.75%,
Fscore of 96.77%, and AUCscore of 97.62%.
In Fig. 6, the botnet classification result of the HMMLB-
BND technique can be examined on 70% of TRP. The results
inferred that the HMMLB-BND system recognizes the bot-
nets effectively under all classes. Moreover, it is clear that the
HMMLB-BND method gains an average accuy of 99.43%,
precn of 99.13%, recal of 99.12%, Fscore of 99.13%, and
AUCscore of 99.35%.
In Fig. 7, the botnet classification outcome of the
HMMLB-BND method can be examined on 30% of TSP.
The result stated that the HMMLB-BND technique

VOLUME 11, 2023 115673

 L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment
FIGURE 4. Average outcome of HMMLB-BND approach on 80% of TRP.
FIGURE 5. Average outcome of HMMLB-BND approach on 20% of TSP.
FIGURE 6. Average outcome of HMMLB-BND approach on 70% of TRP.
recognizes the botnets effectually under all classes. Further-
more, it can be evident that the HMMLB-BND technique
115674
obtains an average accuy of 99.41%, precn of 99.12%, recal
of 99.09%, Fscore of 99.11%, and AUCscore of 99.32%.
The TACY and VACY of the HMMLB-BND system are
investigated on Botnet recognition performance in Fig. 8. The
figure referred that the HMMLB-BND method has displayed
better results with enhanced values of TACY and VACY. It is
clear that the HMMLB-BND algorithm has accomplished the
highest TACY outcomes.
FIGURE 7. Average outcome of HMMLB-BND approach on 30% of TSP.
FIGURE 8. TACY and VACY outcomes of the HMMLB-BND method.
The TLOS and VLOS of the HMMLB-BND system are
tested on Botnet recognition performance in Fig. 9. The fig-
ure stated that the HMMLB-BND methodology has exposed
superior performance with lesser values of TLOS and VLOS.
The HMMLB-BND technique has resulted in minimal VLOS
outcomes.
An evident precision-recall study of the HMMLB-BND
technique in the test database is exposed in Fig. 10. The figure
referred that the HMMLB-BND method has led to better
values of precision-recall values in three classes.
To assure the improvised performance of the HMMLB-
BND technique, a brief comparison study with recent
approaches was made in Table 3 and Fig. 11 [17]. The results
VOLUME 11, 2023
L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment
FIGURE 9. TLOS and VLOS outcomes of the HMMLB-BND approach.
FIGURE 10. Precision-recall outcome of HMMLB-BND approach.
imply improvements in the HMMLB-BND technique in
terms of several measures. The outcomes stated that the
LSTM and CNN-RNN approaches reach the least outcomes
while the DNN-LSTM, LSTM-CNN, and DNN models
accomplish nearer classification performance.
TABLE 3. Comparative outcome of HMMLB-BND method with existing
algorithms.
Next, the BND-BMODL model results in considerable
outcomes with accuy , precn , recal , and Fscore of 99.04%,
98.67%, 98.66%, and 98.70% respectively. But the HMMLB-
BND technique reaches maximum performance with accuy ,
precn , recal , and Fscore of 99.43%, 99.13%, 99.12%, and
VOLUME 11, 2023
FIGURE 11. Comparative outcome of HMMLB-BND approach with recent
algorithms.
99.13% correspondingly. These outcomes demonstrate the
superior performance of the HMMLB-BND technique in the
botnet detection process.
V. CONCLUSION
In this study, we have established a novel HMMLB-BND
method in the Cloud Aided IoT environment. The projected
HMMLB-BND technique focuses on the detection and clas-
sification of botnet attacks in the cloud-based IoT platform.
In the presented HMMLB-BND technique, the MFFO algo-
rithm for FS purposes is applied. To detect and classify
botnets properly the CBOA with CNN-QRNN model is
used. The utilization of the CBOA model helps in attaining
improved performance on botnet attack detection. A series
of simulations were made on the N-BaIoT dataset to demon-
strate the higher performance of the HMMLB-BND tech-
nique. The experimental outcomes stated the significance of
the HMMLB-BND technique over other existing approaches.
In the future, ensemble deep-learning classifiers can extend
the performance of the HMMLB-BND algorithm. Besides,
future work can investigate the computation complexity of the
proposed model. In addition, class imbalance data handing
problem will be addressed in future.
ACKNOWLEDGMENT
The authors extend their appreciation to the Deanship
of Scientific Research at King Khalid University for
funding this work through large group Research Project
under grant number (RGP2/159 /44). Princess Nourah bint
Abdulrahman University Researchers Supporting Project
number (PNURSP2023R349), Princess Nourah bint Abdul-
rahman University, Riyadh, Saudi Arabia. We Would like
to thank SAUDI ARAMCO Cybersecurity Chair for fund-
ing this project. This study is supported via funding from
Prince Sattam bin Abdulaziz University project number
(PSAU/2023/R/1444). This study is partially funded by the
Future University in Egypt (FUE).
115675
 L. Almuqren et al.: HMMLB-BND in Cloud Assisted Internet of Things Environment
REFERENCES
[1] Z. Chen, ‘‘Research on internet security situation awareness prediction
technology based on improved RBF neural network algorithm,’’ J. Comput.
Cogn. Eng., vol. 1, no. 3, pp. 103–108, Mar. 2022.
[2] K. Shinan, K. Alsubhi, A. Alzahrani, and M. U. Ashraf, ‘‘Machine
learning-based botnet detection in software-defined network: A systematic
review,’’ Symmetry, vol. 13, no. 5, p. 866, May 2021.
[3] S. Namasudra, R. G. Crespo, and S. Kumar, ‘‘Introduction to the special
section on advances of machine learning in cybersecurity (VSI-mlsec),’’
Comput. Electr. Eng., vol. 100, May 2022, Art. no. 108048.
[4] A. Gutub, ‘‘Boosting image watermarking authenticity spreading secrecy
from counting-based secret-sharing,’’ CAAI Trans. Intell. Technol., vol. 8,
no. 2, pp. 440–452, 2023.
[5] S. Das and S. Namasudra, ‘‘Multiauthority CP-ABE-based access control
model for IoT-enabled healthcare infrastructure,’’ IEEE Trans. Ind. Infor-
mat., vol. 19, no. 1, pp. 821–829, Jan. 2023.
[6] A. A. Laghari, A. A. Khan, R. Alkanhel, H. Elmannai, and S. Bourouis,
‘‘Lightweight-BIoV: Blockchain distributed ledger technology (BDLT) for
Internet of Vehicles (IoVs),’’ Electronics, vol. 12, no. 3, p. 677, Jan. 2023.
[7] M. Waqas, K. Kumar, A. A. Laghari, U. Saeed, M. M. Rind, A. A. Shaikh,
F. Hussain, A. Rai, and A. Q. Qazi, ‘‘Botnet attack detection in Internet
of Things devices over cloud environment via machine learning,’’ Concur-
rency Comput., Pract. Exp., vol. 34, no. 4, Feb. 2022, Art. no. e6662.
[8] A. A. Laghari, X. Zhang, Z. A. Shaikh, A. Khan, V. V. Estrela, and S. Izadi,
‘‘A review on quality of experience (QoE) in cloud computing,’’ J. Reliable
Intell. Environ., pp. 1–15, Jun. 2023.
[9] M. Alauthman, N. Aslam, M. Al-kasassbeh, S. Khan, A. Al-Qerem, and
K.-K. Raymond Choo, ‘‘An efficient reinforcement learning-based bot-
net detection approach,’’ J. Netw. Comput. Appl., vol. 150, Jan. 2020,
Art. no. 102479.
[10] S. Sarkar, K. Saha, S. Namasudra, and P. Roy, ‘‘An efficient and time saving
web service based Android application,’’ SSRG Int. J. Comput. Sci. Eng.,
vol. 2, no. 8, pp. 18–21, 2015.
[11] A. Wani, S. Revathi, and R. Khaliq, ‘‘SDN-based intrusion detection
system for IoT using deep learning classifier (IDSIoT-SDL),’’ CAAI Trans.
Intell. Technol., vol. 6, no. 3, pp. 281–290, Sep. 2021.
[12] F. Sattari, A. H. Farooqi, Z. Qadir, B. Raza, H. Nazari, and M. Almutiry,
‘‘A hybrid deep learning approach for bottleneck detection in IoT,’’ IEEE
Access, vol. 10, pp. 77039–77053, 2022.
[13] M. Habib, I. Aljarah, H. Faris, and S. Mirjalili, ‘‘Multi-objective parti-
cle swarm optimization for botnet detection in Internet of Things,’’ in
Evolutionary Machine Learning Techniques. Singapore: Springer, 2020,
pp. 203–229.
[14] R. Vinayakumar, M. Alazab, S. Srinivasan, Q.-V. Pham, S. K. Padannayil,
and K. Simran, ‘‘A visualized botnet detection system based deep learning
for the Internet of Things networks of smart cities,’’ IEEE Trans. Ind. Appl.,
vol. 56, no. 4, pp. 4436–4456, Jul. 2020.
[15] A. Al Shorman, H. Faris, and I. Aljarah, ‘‘Unsupervised intelligent system
based on one class support vector machine and grey wolf optimization for
IoT botnet detection,’’ J. Ambient Intell. Hum. Comput., vol. 11, no. 7,
pp. 2809–2825, Jul. 2020.
[16] S. I. Popoola, B. Adebisi, R. Ande, M. Hammoudeh, K. Anoh, and
A. A. Atayero, ‘‘SMOTE-DRNN: A deep learning algorithm for botnet
detection in the Internet-of-Things networks,’’ Sensors, vol. 21, no. 9,
p. 2985, Apr. 2021.
115676
[17] F. S. Alrayes, M. Maray, A. Gaddah, A. Yafoz, R. Alsini, O. Alghushairy,
H. Mohsen, and A. Motwakel, ‘‘Modeling of botnet detection using barna-
cles mating optimizer with machine learning model for Internet of Things
environment,’’ Electronics, vol. 11, no. 20, p. 3411, Oct. 2022.
[18] S. Srinivasan and P. Deepalakshmi, ‘‘Enhancing the security in
cyber-world by detecting the botnets using ensemble classification
based machine learning,’’ Meas., Sensors, vol. 25, Feb. 2023,
Art. no. 100624.
[19] M. Catillo, A. Pecchia, and U. Villano, ‘‘A deep learning method for
lightweight and cross-device IoT botnet detection,’’ Appl. Sci., vol. 13,
no. 2, p. 837, Jan. 2023.
[20] O. Habibi, M. Chemmakha, and M. Lazaar, ‘‘Imbalanced tabular data
modelization using CTGAN and machine learning to improve IoT bot-
net attacks detection,’’ Eng. Appl. Artif. Intell., vol. 118, Feb. 2023,
Art. no. 105669.
[21] S. Khan and A. B. Mailewa, ‘‘Discover botnets in IoT sensor net-
works: A lightweight deep learning framework with hybrid self-
organizing maps,’’ Microprocessors Microsyst., vol. 97, Mar. 2023,
Art. no. 104753.
[22] H. Banati and M. Bajaj, ‘‘Fire fly based feature selection approach,’’ Int.
J. Comput. Sci. Issues, vol. 8, no. 4, p. 473, 2011.
[23] L. D. S. Coelho, D. L. D. A. Bernert, and V. C. Mariani, ‘‘A chaotic firefly
algorithm applied to reliability-redundancy optimization,’’ in Proc. IEEE
Congr. Evol. Comput. (CEC), Jun. 2011, pp. 517–521.
[24] M. Y. Alzahrani and A. M. Bamhdi, ‘‘Hybrid deep-learning model to
detect botnet attacks over Internet of Things environments,’’ Soft Comput.,
vol. 26, no. 16, pp. 7721–7735, Aug. 2022.
[25] J. Bhayo, S. A. Shah, S. Hameed, A. Ahmed, J. Nasir, and D. Draheim,
‘‘Towards a machine learning-based framework for DDOS attack detection
in software-defined IoT (SD-IoT) networks,’’ Eng. Appl. Artif. Intell.,
vol. 123, Aug. 2023, Art. no. 106432.
[26] S. Siddiqui, S. Hameed, S. A. Shah, I. Ahmad, A. Aneiba, D. Draheim,
and S. Dustdar, ‘‘Toward software-defined networking-based
IoT frameworks: A systematic literature review, taxonomy, open
challenges and prospects,’’ IEEE Access, vol. 10, pp. 70850–70901,
2022.
[27] M. Khalid, S. Hameed, A. Qadir, S. A. Shah, and D. Draheim, ‘‘Towards
SDN-based smart contract solution for IoT access control,’’ Comput. Com-
mun., vol. 198, pp. 1–31, Jan. 2023.
[28] G. Hafeez, I. Khan, S. Jan, I. A. Shah, F. A. Khan, and A. Derhab, ‘‘A novel
hybrid load forecasting framework with intelligent feature engineering and
optimization algorithm in smart grid,’’ Appl. Energy, vol. 299, Oct. 2021,
Art. no. 117178.
[29] N. Al-Taleb and N. Saqib, ‘‘Towards a hybrid machine learning model for
intelligent cyber threat identification in smart city environments,’’ Appl.
Sci., vol. 12, no. 4, p. 1863, Feb. 2022.
[30] A. A. Awad, A. F. Ali, and T. Gaber, ‘‘Feature selection method based
on chaotic maps and butterfly optimization algorithm,’’ in Proc. Int. Conf.
Artif. Intell. Comput. Vis. (AICV). Cham, Switzerland: Springer, Mar. 2020,
pp. 159–169.
[31] Y. Meidan, M. Bohadana, Y. Mathov, Y. Mirsky, A. Shabtai,
D. Breitenbacher, and Y. Elovici, ‘‘N-BaIoT—Network-based detection
of IoT botnet attacks using deep autoencoders,’’ IEEE Pervasive Comput.,
vol. 17, no. 3, pp. 12–22, Jul. 2018.
VOLUME 11, 2023