Service Oriented Computing and Applications (2022) 16:293–312

https://doi.org/10.1007/s11761-022-00342-8

ORIGINAL RESEARCH

Hybrid deep learning model for attack detection in internet of things

H. Rekha1 · M. Siddappa1

Received: 29 January 2022 / Revised: 9 June 2022 / Accepted: 19 June 2022 / Published online: 27 October 2022
© The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature 2022

Abstract
Internet of things (IoT) provides a new application, which helps the existing networks communicate with smart technologies.
Things are now becoming increasingly connected to the Internet, and lots of new gadgets are being created at a faster rate.
Since these interconnected smart objects are capable of interacting with one another in undefended surroundings, the entire
communication ecology needs solutions related to security at various levels. Unlike the existing networks, IoT technology
has its own set of features, including various network protocol requirements and a variety of resource constraints. To launch
different attacks, the attacker takes many security vulnerabilities in the IoT system. The growth in cyber-attacks has rendered
it important to address the consequences implied in the IoT. This paper intends to introduce a novel attack detection model.
Originally, the input data are preprocessed, from which the most relevant features are extracted that include raw features,
statistical features, and higher-order statistical features. The extracted features are subjected to the classification process. More
importantly, the extracted raw features are directly given to the long short-term memory (LSTM), and the extracted statistical
and higher-order statistical features are subjected to the deep reinforcement learning (DRL) for the classification process.
Then, the average of both LSTM and DRL provides the detected output in an effective manner. To improve the performance
of detection results, the weight of LSTM is optimized by the self-improved battle royale optimization (SIBRO) algorithm. At
the end, the performance of the presented scheme is compared to the existing approaches in terms of different metrics like
“F-measure, specificity, NPV, accuracy, FNR, sensitivity, precision, FPR, and MCC,” respectively.

Keywords Attack detection · Internet of things · Feature extraction · Detection · Optimization

Abbreviations DRL Deep reinforcement learning

DQN Deep Q-network
AI Artificial intelligence DT Decision tree
AEs Autoencoders DTL Deep transfer learning
ANN Artificial neural network FNR False negative rate
A1DE and A2DE Averaged one-dependence and two- FPR False positive rate
dependence GOA Grasshopper optimization algorithm
BI-LSTM Bidirectional long short-term memory HD Hard detection
BRO Battle royale optimization HIDS Host-based IDS
C-DAD Counter-based DDos attack detection IDS Intrusion detection system
CNN Convolutional neural network IoT Internet of things
DCONST Distributed consensus-based trust model LEDEM Learning-driven detection and mitiga-
DL Deep learning tion
DoS Denial of service LR Logistic regression
DR Detection rate LSTM Long short-term memory
MCC Matthews correlation coefficient
B H. Rekha MFO Moth flame optimization
[email protected] ML Machine learning
1 Computer Science and Engineering, Sri Siddhartha Institute ML-F Metaheuristic lion optimization algo-
of Technology, Sri Siddhartha Academy of Higher Education, rithm and firefly optimization algorithm
Agalakote, B.H. Road, Tumkur 572107, Karnataka, India

123
294
MOPSO Multi-objective particle swarm opti-
mization
NIDS Network-based IDS
NPV Net predictive value
PDE Perceptron detection with enhancement
PDF Probability density function
RF Random forest
SDN Software-defined network
SLnO Sea lion optimization
SVM Support vector machine
1 Introduction
IoT seems to be the fast evolving technology, which has been
tremendously progressed in numerous technical sectors in
the last few years. Hundred billions of devices from systems
like the Internet, smart grids, smart homes, smart automo-
biles, and smart health care have merged with IoT [1, 2].
IoT combines the digital world with the real environment
[3], and this convergence on IoT devices may allow different
cyber-attacks. Due to the obvious heterogeneity of IoT sys-
tems, limited hardware resources, worldwide accessibility,
and huge scale, the security in IoT devices is a challenging
one [4–6]. The number of devices, the purpose of use, and
the physical condition of the devices are the main differences
in IoT security compared to traditional IT security. Further-
more, the common IoT security challenges are insecure com-
munications, data leaks from IoT systems, malware risks,
cyber-attacks, secure networks, and secure data. As a result,
designing an efficient security method to identify the critical
malicious nodes in the networks is the great deal in IoT.
Several IDS for IoT [7, 8] employ the deep learning con-
cept. In fact, DL is a strong tool for evaluating large traffic
volumes and appropriate distinguishing of aberrant and nor-
mal behavior of various systems from raw data. The direct
determination of complicated DL techniques on IoT devices
[9–11] is undesirable. DL has been utilized by many research
works to identify the cyber-attacks in IoT [12]. However,
the application of these power-intensive and computational
frameworks with low-capacity sensors are yet to be described
[13–16].
The multiple processing layers of computational meth-
ods could be used to represent the data in DL. Owing to its
multilayer structure, DL might give a deeper raw data repre-
sentation and categories or predict data more correctly than
ML [17, 18]. However, due to the energy capabilities, stor-
age, and restricted processing capabilities of IoT devices, the
direct execution of sophisticated DL approaches [19–21] on
IoT devices is difficult [7, 8, 12, 22, 23]. The following are
the key contributions of the accepted model:
123
Service Oriented Computing and Applications (2022) 16:293–312
• In the detection phase, an optimization-assisted hybrid
LSTM and DRL model is introduced for identifying the
presence of attacks in IoT.
• To make the detection more accurate, a self-improved bat-
tle royale optimization (SIBRO) algorithm is proposed for
tuning the weight parameter of LSTM.
• The proposed SIBRO is an enhanced version of the classic
BRO algorithm.
The organization of the study is as follows: The reviews
on attack detection in IoT are described in Sect. 2. Section 3
depicts the adopted attack detection paradigm in the Internet
of things, as well as the comprehensive method. Section 4
shows the outcomes as well as discussion. Section 5 presents
the conclusion of this work.
2 Literature review
2.1 Related works
In 2020, Samy et al. [24] implemented a complete attack
detection system with a large detection rate, distribution, and
robustness to identify specific cyber-attacks in IoT via DL.
Because of its proximity to edge devices, dispersed nature,
and high computing capability, the adopted framework on fog
nodes has implemented an attack detector. Six DL models
were evaluated to find the best performing DL model. The
LSTM model has proven better performance than the other
methods with respect to detection rate as well as detection
accuracy in both multi-class and binary classification.
In 2019, Mahmudul et al. [25] determined an attack as well
as anomaly detection using ML approaches in IoT sensors.
ANN, DT, SVM, RF, and LR were utilized in the adopted
research. Numerous optimization approaches were used with
different classifiers. Coordinate descent was utilized in logis-
tic regression. Traditional gradient descent was utilized by
ANN and SVM. In the case of RF and DT, the optimizer was
not used because they were nonparametric methods. Preci-
sion, accuracy, area under the ROC curve, recall, and F1 score
were the assessment measures utilized to compare the per-
formance. Compared to the previous models, the suggested
system achieved better accuracy for ANN, DT, and RF.
In 2020, Ravi et al. [26] has adopted LEDEM for DDoS
attack via SDN–cloud framework in IoT. The suggested
approach focused on preventing the DDoS attacks in IoT
servers. For mitigating the DDoS attacks on IoT servers,
the security strategy makes use of the SDN and cloud
paradigms. LEDEM was a new methodology that utilizes
a semi-supervised ML method to find as well as mitigate
DDoS attacks. Moreover, the LEDEM was truly tested in
an emulated topology and test bed, and the findings were
evaluated to those obtained using standard techniques. In
Service Oriented Computing and Applications (2022) 16:293–312 295

Table 1 Review on extant techniques: advantages and challenges

Author Method Advantages Challenges

Samy et al. [24] LSTM DL method Higher rate of detection
Increased recall
Mahmudul et al. [25] LR-SVM-DT-RF-ANN Maximum accuracy
Higher precision
Improved recall
Better F1-score
Ravi et al. [26] LEDEM method High accuracy
Increased throughput
Improved recall
Better F-measure
Bhayo et al. [27] C-DAD model Decreased throughput
Low attack detection time
Increased CPU utilization
Khan et al. [28] AI technique Low computational overhead
Less false positives
Enhanced attack detection
accuracy
Vu et al. [29] DTL method Improved accuracy
Better predicting time
High AUC score
Improved effectiveness
Zuchao et al. [30] DCONST approach Higher detection accuracy
Increased attack probability
Zubair et al. [31] A1DE and A2DE techniques Higher accuracy
Maximum precision
Better recall
Improved F-score
The proposed work was not contrasted
with RL as well as unsupervised DL
approaches
The adopted model does not guarantee
other unknown problems and the big
data
The proposed model has planned to
probe into other ML approaches
The adopted work has not worked with
multiple IoT networks in
heterogeneous environments
Need to develop the proposed model
with attack prevention from insider
attacks and better accuracy
The proposed work needs larger time
for training the approach
Need to optimize the parameters of
DCONST for handling the different
network conditions
Different aspects required intensive
investigation like scalability, traffic
density, diversity, etc., to enhance the
detection performance

comparison with other traditional models, the experimen-
tal results showed an increased accuracy rate of 96.28% in
identifying DDoS attacks.
In 2020, Bhayo et al. [27] suggested an SD–IoT-based
platform for IoT security services. The C-DAD program was
created using counter values for several network character-
istics that aid in the effective detection of DDoS attacks. The
IoT devices, IoT controller, SDNWISE controller, and SOPS
comprised up the framework. Different counter-based func-
tionalities were incorporated in the suggested framework’s
sub-modules like flow monitor and analyzer to identify the
DDoS attacks in the SD–IoT network. Through SDN, the
algorithm achieved improved performance.
In 2020, Khan et al. [28] established a method for mon-
itoring harmful insider attacks in IoT environments using
distance measuring techniques with AI characteristics. It con-
tains a comprehensive review of conventional systems for
recognizing harmful attacks in the IoT context. To protect the
security in the IoT environment with sensitive and important
data of sensors/devices, the Levenshtein distance measuring
technique was employed in the suggested system for recog-
nizing the hostile attacks. The findings revealed that the LV
distance measuring approach with AI-based solution had the
greatest accuracy than any classic models.
In 2020, Vu et al. [29] suggested a DTL system, which
allows data from many IoT devices that could be used
for learning. A DTL model was characterized by two
AEs particularly. Additionally, the outcomes of the adopted
scheme were examined by extensive tests on 9 current IoT
datasets. When compared to the current DTL schemes and
the baseline DL method, the simulation results demonstrated
that the chosen DTL scheme greatly improved the accuracy
in identifying IoT attacks.
In 2020, Zuchao et al. [30] have investigated a method
called DCONST that could be used to assess the trust-
worthiness of IoT nodes by providing specific information.
Furthermore, the proposed strategy has been classified as
a kind of multiple-mix-attack which mixes three common
attacks—drop, tamper, and replay—with an unknown prob-
ability. DCONST was able to detect hostile nodes and
evaluate their specific attack patterns using K-means clus-
tering techniques. Particularly, the DCONST-Normal and
DCONST-Proactive might enhance detection rates by 5–20%
as compared to DCONST-Light.

123
296
Fig. 1 General design of IoT
platform
IoT Devices
Intrusion Detection System
In 2019, Zubair et al. [31] presented a DoS detection
framework that includes module for creation and feature
ranking, testing, data production, and training. To recognize
the DoS attacks, the A1DE and A2DE methods were rede-
fined and implemented in IoT networks. The development of
voting schemes and multi-scheme for DoS attack detection
in IoT has used an integration of A2DE and A1DE. Further-
more, the conventional approaches and the adopted system
were sorely tested in real-world IoT attack situations, and the
results have proven the efficiency of the proposed work.
2.2 Summary
Table 1 represents the review on attack detection in IoT. At
first, the LSTM DL approach [24] provides maximum detec-
tion rate, improved precision, increased recall, and maximum
detection accuracy; however, the proposed work was not con-
trasted with RL as well as unsupervised DL approaches.
Moreover, the LR-SVM-DT-RF-ANN method [25] provides
maximum accuracy, improved recall, higher precision, and
better F1-score. Nevertheless, the adopted model does not
guarantee other unknown problems and the big data. LEDEM
method [26] offers high accuracy, increased throughput,
improved recall, and better F-measure, but the proposed
model has planned to probe into other ML approaches. Like-
wise, the C-DAD model [27] offers decreased throughput,
low attack detection time, and increased CPU utilization.
However, the adopted work has not worked with multiple
IoT networks in heterogeneous environments. AI technique
was exploited in [28] that has reduced the computational
overhead, minimized false positives, and improved attack
detection accuracy; however, there is a need to develop the
proposed model with attack prevention from insider attacks
123
Service Oriented Computing and Applications (2022) 16:293–312
Attackers
Normal data
exchange
IoT servers
and better accuracy. Next, the DTL method was imple-
mented in [29] that provides an improved accuracy, better
predicting time, high AUC score, and improved effective-
ness. Still, the proposed work requires more time to train the
model. DCONST approach [30] provides higher detection
rate, higher detection accuracy, and increased attack proba-
bility. However, there is a need to optimize the parameters
of DCONST for handling the different network condi-
tions. Finally, the A1DE and A2DE techniques [31] provide
improved F-score, precision, recall, as well as accuracy, but
the different aspects required intensive investigation like scal-
ability, traffic density, diversity, etc., to enhance the detection
performance. Thus, these challenges need to be considered
on the basis of attack detection in IoT of this research suc-
cessfully.
2.3 General attack detection framework in IoT
IoT is an important component of new information technol-
ogy in the information age. The IoT server is in charge of the
critical functions of terminal sensor processing, data collect-
ing, and processing result return. Because of the increasing
expansion of IoT technologies, security is even more vital
in the cyber-world. IDS can also be used to protect Internet
servers. Numerous IoT servers and devices are immediately
accessible to the public Internet due to sophisticated remote
control capabilities. IDS is essential for guarding and iden-
tifying harmful attacks on IoT servers. The IDS observes
the operations of a host or network and notifies the system
administrator whenever it identifies a security violation. Gen-
erally, NIDS attached to one or more network segments as
well as observes network traffic for malicious activities. The
HIDS is connected to a computer device as well as observes
Service Oriented Computing and Applications (2022) 16:293–312 297

Fig. 2 Overall architecture of the

implemented technique Input Data

Data Pre-processing

Feature Extraction

Raw features Statistical and higher order

statistical features
Flow based features, and raw
parameters Mean, Median, Mode, SD,
Skewness, Kurtosis, Percentile,
Angular Second moment,
Entropy, and Homogeneity

Classification

Optimal
weights

LSTM Deep
Reinforcement
Learning

Proposed SIBRO
Algorithm Average

Output

123
298 Service Oriented Computing and Applications (2022) 16:293–312

malicious activity within the system. Unlike NIDS, the HIDS Table 2 Flow features
examines system calls, running processes, file system modi-
S. No Features Description
fications, inter-process communication, and application logs
in addition to network traffic [32]. Therefore, the use of IDS 1 Dstip Destination IP address
would protect both terminal users and service providers from 2 Dsport Destination port number
Internet threats.
3 Scrip Source IP address
Moreover, security safeguards are not fully attained in the
4 Sport Source port number
IoT application because the attack plane is limited. The goal
5 Proto Protocol type (UDP, Tc)
of this paper is to offer a unique deep learning-based attack
detection system for the IoT, as depicted in Fig. 1.The imple-
mented approach deals with the behavior of attackers in the
network via standard datasets. a given feature in the feature space Y.

ym − min (ym )
yNORM  (a − b) (1)
max (ym ) − min (ym )
3 Description of the suggested attack
detection approach in IoT

This paper aims to implement a unique attack detection

approach that contains three phases such as (i) preprocess-
ing, (ii) feature extraction, and (iii) detection/classification.
Figure 2 illustrates the overall framework of the proposed
approach. The following steps are involved in this work as
follows.
• At first, the input data are loaded into the preprocessing
phase and each dataset is cleaned and normalized.
• Further, the preprocessed data are used for retrieving the
features, in which they extract the raw features, statisti-
cal features, and higher-order statistical features. The raw
features include flow-based features and raw parameters.
The statistical and higher-order statistical features include
“mean, median, mode, SD, skewness, kurtosis, percentile,
angular second moment, homogeneity, and entropy.”
• In the detection phase, the extracted raw features are
directly given to the LSTM, and the extracted statistical
and higher-order statistical features are directly subjected
to the DRL. To provide the accurate results, weight of
LSTM is optimized using a SIBRO algorithm. Therefore,
the average of both LSTM and DRL provides the detected
output in an efficient way.
3.2 Feature extraction
The preprocessed information is given in this step and the
raw features, statistical and higher-order statistical features
are retrieved.
3.2.1 (A) Raw features
In the raw features, flow-based features and raw parameters
are extracted.
(i) Flow-based features Further, the flow-based features
[35] are described in Table 2 and it is represented as FF.
(ii) Raw parameters The raw parameters contain basic fea-
tures, time features, and content features, as well as
additional generated features are considered as the raw
parameters RP [35]. The raw parameter details are given
in Table 3.
Moreover, the raw features are represented as per Eq. (2):
RF  FF + RP (2)

3.2.2 (B) Statistical features

3.1 Data preprocessing
The cleaning as well as data normalization steps are impor-
tant in preprocessing step. Data cleaning ensures the data
utilized to produce the models are of higher quality. Dupli-
cates were removed, missing data were replaced, structural
errors were fixed, as well as unnecessary (possibly noisy)
observations were removed as part of the data cleaning pro-
cess [33]. After the data cleaning, it requires normalization.
In this study, Min–Max scaling model [34] is used for data
normalization and it is described in Eq. (1). Here, y denotes
The statistical features include “mean median, mode, and
standard deviation”. The detailed explanation of the features
is shown in Table 4.
3.2.3 (C) Higher-order statistical features
The higher-order statistical features include “skewness, kur-
tosis, percentile, entropy, angular second moment, and homo-
geneity” features. Table 5 depicts the definitions of these
features.

123
Service Oriented Computing and Applications (2022) 16:293–312 299

Table 3 Raw parameters

Features Description

dur Total duration of the record

state State and its dependent protocol
sttl Source to destination time to live
dbytes Destination to source bytes
ct_src_dport_ltm Number of records of the same srcip (1) and the dsport (4) in 100 records based on the ltime (26)
sbytes Source to destination bytes
Sload Source bits/second
dload Destination packets retransmitted/dropped
sloss Source packets retransmitted/dropped
dttl Destination to source time to live
dloss Destination packets retransmitted or dropped
is_sm_ips_ports If srcip (1) is equal to dstip (3) and sport (2) is equal to dsport (4), this variable assigns to 1 otherwise 0
swin Source TCP window advertisement value
dwin Destination TCP window advertisement value
ct_ftp_cmd No. of flows that has a command in ftp session
dpkts Destination to source packet count
spkts Source to destination packet count
res_bdy_len The data transferred from the server’s http service’s actual uncompressed content size
stcpb Source TCP base sequence number
smeansz Mean of the flow packet size transmitted by the src
ct_srv_src Number of records that include the same service (14) as well as srcip (1) in 100 records based on the ltime (26)
dintpkt Destination interpacket arrival time (mSec)
ct_dst_ltm Number of records of the same dstip (3) in 100 records based on the ltime (26)
dtcpb Destination TCP base sequence number
service Like http, ftp, smtp, ssh, dns, and ftp-data
dmeansz Mean of the flow packet size transmitted via the dst
sjit Source jitter (mSec)
trans_depth Defines the depth of the http request/response transaction’s pipelined connection
is_ftp_login If the ftp session is entranced via user as well as password, then 1 else 0
ltime Record last time
djit Destination jitter (mSec)
ct_flw_http_mthd The number of flows in the http service that have methods like Get and Post
stime Record start time
ct_src_ ltm Number of records of the srcip (1) in 100 records based on the ltime (26)
sintpkt Source interpacket arrival time (mSec)
tcprtt TCP connection setup round-trip time, the sum of “synack” and “ackdat”
ct_dst_src_ltm Number of records of the same srcip (1) and the dstip (3) in 100 records based on the ltime (26)
synack TCP connection setup time, the time among the SYN and SYN_ACK packets
ct_dst_sport_ltm No. of records of the same dstip (3) as well as the sport (2) in 100 records based on the ltime (26)
ackdat TCP connection setup time, the time among the SYN_ACK and ACK packets
ct_srv_dst Number of records which include the same service (14) and dstip (3) in 100 records based on the ltime (26)
ct_state_ttl Number for each state (6) based on a given range of sttl (10) and dttl (11) values

123
300 Service Oriented Computing and Applications (2022) 16:293–312

Table 4 Statistical features

Features Definitions

Mean “The process in which the sum of all values divided by the sum of number of values is known to be mean value [36]. Here, the
mean is denoted as Z . In the following equation, Z represents the observed value and m indicates the number of values.”

m
Z  m1 Zq
q1

Median “Median [36] is the process, in which the middle values in a dataset are organized in an ascending order. If the dataset contains 2
values in middle, then the mean of 2 middle values is regarded as the median of the data. The median is indicated as S F1 . In the
following equation, m represents the number of values and Z denotes the ordered list of values in dataset.”
⎛⎧ m ⎞
⎪
⎪ Z if m is odd
⎜ ⎨ 2 ⎟
SF1  ⎜ ⎝ ⎪ Z m−1 + Z m+1
⎟
⎠
⎪
⎩ 2 2
if m is even
2
Mode “Mode is the most frequent value present in the database. It is one among the major central tendency metrics, that is used with
normal data that have completely subjective class assignments. The mode is represented as SF2 . The mode is the value in a series
of observation that occurs with higher frequency.”
SD “SD is a measure of set of a dispersion values or amount of variation. The lower SD [37] denotes the values that tend to be nearer to
the mean value, whereas a larger SD denotes the extended values over a larger range. The SD is represented as SF3 , and it is given
in Eq. (3). Here, Z indicates the symbol of sample mean.”

1 
m 2
SF3  m−1 Zq − Z
q1

Finally, the statistical and higher-order statistical features
are represented by S F, as well as it is given in Eq. (3):
SF  Z + SF1 + SF2 + SF3 + SF4 + SF5 + SF6 + SF7 + SF8 + SF9
(3)
cell state and hidden state. (h t , Ct ) and (Yt , Ct−1 , h t−1 )
are the output and input layers, respectively. At time t, the
output and input gates and the forget gate are indicated by
Ot , It , G t correspondingly. The LSTM cell uses G t to filter
the data, and it is shown in Eq. (4):

G t  κ(W L Yt + K L + W J h t−1 + K J ) (4)

3.3 Attack detection by proposed Hybrid classifier

For the classification process (multi-classification of attack
types), the raw features RF are given as the input to LSTM.
The retrieved statistical and higher-order statistical features
SF are subjected to DRL. Both classifiers are run simulta-
neously, as well as the results are averaged to get the final
classification outcomes.
3.3.1 LSTM
The LSTM is given the retrieved raw characteristics (RF).
The LSTM network uses a linear connection as well as gate
control unit to solve gradient desertion problems. The high
reliance of time-series data is captured by the LSTM network.
The LSTM [42] architecture includes the sequences of
continuous LSTM cells. In the LSTM cells, the output gate,
input gate, and forget gate were all made up of three units.
Figure 3 depicts the construction of an LSTM cell. The LSTM
memory cells may save and suggest information for a long
time because of this characteristic. Consider C and h as the
where (W J , K J ) and (W L , K L ) specify the weight matrix
and bias term mapping hidden layer as well as input layer
to the forget gate. The activation function of gate ( κ) is
selected as sigmoid operation. Based on Eqs. (5), (6), and
(7), the LSTM cell makes use of the input gate to coordinate
the proper data evaluated, where (W X , K X ) and (W E , K E )
are the weight matrices as well as bias parameters that map
the input and hidden layers to cell gate. W Q , K Q and
W p , K p are the weight and bias parameters that map the
input as well as hidden layers to It .
Ut  tanh(W E Yt + K E + W X h t−1 + K X ) (5)
It  κ W Q Yt + K Q + W p h t−1 + K p (6)
Ct  G t Ct−1 + It Ut (7)

123
Service Oriented Computing and Applications (2022) 16:293–312 301

Table 5 Higher-order statistical features

Features Definitions

Skewness “Skewness is a symmetry measure or the lack of symmetry exactly. A data set or distribution is symmetric
only if it is similar to the right and left of the center point [38]. The mathematical expression of skewness
S F4 is given below. Here, Z q  Z 1 ,Z 2 , …, Z m , Z indicates the mean value, σ denotes the SD, and m
refers to the number of data points. Further, σ indicates the SD and it is calculated with m present in the
denominator rather than m − 1 while computing the skewness.”
m 3
Z q −Z /m
S F4  q1
σ3
Kurtosis “Kurtosis is a measure that identifies whether the data are light-tailed or heavy-tailed and related to the
normal distribution [38]. The mathematical formula of kurtosis S F5 for univariate data such as Z 1 ,Z 2 , …,
Z m is expressed as follows.”
m 4
Z q −Z /m
S F5  q1
σ4
Percentile “In statistics, a percentile is a score below at or below or a score in which a provided percentage falls in its
frequency distribution [39]. It provides an idea of spreading data values from the lower value to the higher
value over the interval. About Q percentage of data values comes under Q th percentile, and around
100 − Q percentage of data values exceeds J th percentile.” This feature is represented as S F6
Angular second-order moment “It is the instant of probability distribution with the arbitrary variable in probability theory and statistics
[40]. The moments with higher order are relating to the shape and spread distribution of the location. The
m th moment related to the central moment of a real-valued random variable Z is the quantity
 
Z m  E (Z − E[Z ]m ) , where E denotes the expectation operator. The m th moment about the mean Z
is determined for a continuous univariate probability distribution with f (q) PDF.” The moment S F7 is
depicted as follows:
  −∞ m

S F7  E Z − E[Z ]m  +∞ q − Z f (q)dq‘

Entropy “The entropy [41] is known as the average level of surprise, uncertainty, or information inbuilt in the
variable’s feasible resultant of the data theory. The conception of information entropy is sometimes
known as the Shannon entropy.” The entropy is represented as S F8
m
− q1 [ Z q ] log[ Z q ]
S F8  length ( Z q )

Homogeneity “Homogeneity is a measure of the overall smoothness.” This feature is denoted by S F9 , in which P is the
probability

S F9  1
2 Pi, j
1+(i− j)
i j

Fig. 3 Architecture of LSTM cell

× +

tanh

× ×

tanh

123
302
Agent
State Reward Action
Environment
Fig. 4 Architecture of DRL
Lastly, the LSTM receives hidden layer (output) from out-
put gate by Eqs. (8) and (9).
Vt  κ(W B Yt + K B + W M h t−1 + K M ) (8)
h t  Vt tanh(Ct ) (9)
where (W M , K M ) and (W B , K B ) are the weight and bias
parameters for mapping the hidden and input layers to Vt .
In this work, to design the LSTM network, 64 LSTM cells
are used and for activation sigmoid function is utilized. The
LSTM output is represented by CLLSTM .
3.3.2 DRL
In this research, the extracted statistical and higher-order
statistical features S F are subjected to DRL. The DNN is
integrated to reinforcement learning for improving the effi-
ciency, and this integrated field is known as DRL [41].
Reinforcement learning It is one of the active research
fields on taking decisions. Moreover, it is utilized for training
the agents that interact with surroundings like AI, in which
the video games are playing. Moreover, the agents are trained
though playing what’s known as “episodes.” The architecture
diagram of DRL is shown in Fig. 4.
The agent receives an observation of its initial state S1 at
an episode beginning. Once it obtains an observation ST at
each time step T , the agent takes an action aT . Further, the
surroundings provide a feedback to the agent, i.e., a reward
r T and a novel observation ST +1 . These interactions are con-
tinued till the agent reached a terminal state, and it leads to
the conclusion of the present episode and started a novel one.
Further, the agent is determined through the policy χ mod-
eling regarding the actions picked. Moreover, the policy χ
is a behavior function as given in Eq. (10) that returned the
picking probability action in a particular state S.
χ (a|S )  P[aT  a|ST  S|] (10)
The major aim of the agent is to obtain the greatest sum
discounted reward gT that indicates the future discounted
123
Service Oriented Computing and Applications (2022) 16:293–312
rewards and the immediate reward as per Eq. (11).
∞

gT  μl r T +l with μ (11)
l0
In Eq. (11), discount factor is μ∈[0, 1] . The agent
learned
 an optimal  behavior χ ∗ from its interactions
ST , aT , r T , ST +1 with the environment throughout the train-
ing episodes in reinforcement learning. It would identify the
best possible action for each situation. The agent determines
the expected return gT depending on its policy χ and obtained
from state S through opening the game, an action a is selected
and it follows the policy χ . It is the action value function
known as the Q-function as per Eq. (12).
Q χ (S, a)  Fχ [gT |ST  S, aT  a ] (12)
 
Q χ (S, a)  Fχ r T + μQ χ (ST +1 , aT +1 )|ST  S, aT  a
(13)
Here, aT +1 ∼ χ (.|ST +1 ). For a given policy χ , the Q-
function was indicated in a particular state O only it selects
an action a with best consequence in the subsequent steps
through higher rewards or not. The Q-function denotes the
action is the optimal choice for making the two actions a1
and a2 . If Q χ (S, a1 ) > Q χ (S, a2 ), then action a1 is a good
choice for making when the agent is in state S than action
a2 .
The objective of the reinforcement learning issues is to
identify the optimal policy χ ∗ ; the agent must follow to attain
the highest rewards gT . For achieving an optimal policy χ ∗ ,
the optimal Q-function Q ∗ must be found . The optimal policy
could be inferred naturally from it only if the optimal Q
function is recognized as taking the action maximizing Q ∗
as per Eq. (14).

1 i f a  arg max Q ∗ (S, a)
∗
χ (a|S )  a
(14)
0 else
DQN Model It intends the optimal  Q function Q ∗ at
approximating from interactions ST , aT , r T , ST +1 among
its environment and an agent. It approximated the function
Q ∗ through a DNN Q(S, a, ) with parameters , also
known as the DQN.
Starting with random parameter 1 , the agent modified
the  parameters of its function approximate Q(S, a, ) for
obtaining an accurate approximation of the true Q-function
during episodes of training. Therefore, it altered its policy χ
through acting over
 its Q function as  per Eq. (20). Following
each interaction ST , aT , r T , ST +1 , it repeats the following
scheme. The agent stores its interaction on its replay memory
A, and it allows reusing this experience later. Moreover, it
Service Oriented Computing and Applications (2022) 16:293–312
W1 W2 …… WN
R
Fig. 5 Solution Encoding
 

sampled a lower batch of transitions S, a, r , S randomly
from A and performed a footstep on the DQN in terms of the
loss function as per Eq. (15).
 2
  −
LFT (ψT )  r + μ max

Q S , a ,  T − Q(S, a,  T )
a yb + z b
Here, t− indicates the previous fixed version of the DQN.
The agent progressively estimates the relationships among
the state ST , selects an action aT , and obtains future rewards
gT .
The output of DRL is represented by CLDRL . The final
classification output is (Out) formulated as per Eq. (16).
 
CLLSTM + CLDRL
Out 
2
3.4 LSTM weight optimization by SIBRO algorithm
3.4.1 Solution encoding and objective function
The suggested SIBRO approach optimizes the weights of the
LSTM. The input solution to the proposed SIBRO algorithm
is depicted in Fig. 5. The total count of weights in LSTM is
N . The objective function or fitness function of the suggested
method is evaluated as per Eq. (17), in which err indicates
the error value of LSTM
Obj  min (err)
3.4.2 Proposed SIBRO algorithm
Even though the conventional BRO [43] model solves the
challenging complex problems in various areas and provides
better convergence, still BRO would not rank 1st in runtime as
it constantly gives swift outcomes. In this paper, the SIBRO
algorithm is offered as a solution to this issue. In general,
self-enhancement has been demonstrated to be feasible in
extant optimization procedures [44–48].
Battle royal video games are competitive, last-man-
standing games that were inspired via the battle royal,
a Japanese film. Players in certain battle royale games
parachute down onto the map after jumping out of a plane.
303
Furthermore, BRO starts with a random population that is
equally distributed in the difficult area. After that, each indi-
vidual attempts to harm the neighboring soldier via firing a
weapon. As a consequence, a soldier in an improved position
causes damage to their neighbors. As the soldier is offended
by another, the damage level is maximized by 1.
The proposed concept deploys the quasi-opposition point.
Let R (R1 , R2 ,…Rn ) be the point and R̃b be the opposition
point of R, and Rb ∈ [wb , z b ], b  1, 2, ...., n. Here, n is
the count of dimensions. The quasi-opposition point of R is
given in Eq. (18), where yb and z b indicate the upper and
lower boundary of the basic point.
(15) R̃qi  c , R̃b (18)
2
These BRO interactions are given as Rb .damage 
Rb .damage + 1, in which Rb .damage indicates the bth soldier
of the damage level between the population. Additionally,
soldiers seek to alter their positions as soon as they are dam-
aged, allowing them to attack enemies from the opposite side.
During exploitation, the soldiers damaged are migrated to a
place among the best position discovered and the previous
position. These interactions are determined as per Eq. (19).
(16)
Rdam, x  Rdam, x + c Rbest, x − Rdam, x (19)
where c indicates a randomly generated number that is dis-
tributed uniformly within [0, 1] and Rdam, x denotes the
damaged soldier position in dimension x. Rb .damage is reset
to 0 as the damaged soldiers harm their enemy in the upcom-
ing iteration.
If a damage level of soldiers goes beyond a specified
threshold value during exploration, the soldier died and
respawned randomly from the possible issue space with the
Rb .damage restored to 0. The value of threshold  3 was
acceptable throughout mistake and trial. It allows for further
exploration and prevents premature convergence. In Eq. (20),
(17) a soldier returns after killed to the issue space.
Rdam, x  c(u x − vx ) + vx (20)
In Eq. (20), u x and vx indicate the upper and lower bounds
of dimension x. Then, the possible search space of the issue
starts to shrink down to the best solution at iteration . The
initial value is   log10 (MC) but    + r ound 2 .
Here, MC indicates the maximum number of generations.
Moreover, these interactions are contributed to the exploita-
tion and exploration. Equations (21) and (22) specify the
updated lower and upper bound.
vx  Rbest, x − d Rx (21)
u x  Rbest, x − d Rx (22)
123
304
Here, Rbest, x refers to the position of the best solution, and
d Rx indicates the SD of entire population in dimension x.
If vx /u x go beyond the original bound, it puts to the normal
vx /u x .
If c<Rdam.damage , it performs the condition Rb .damage <
Threshold. Otherwise, based on the suggested SIBRO
approach, the positions are updated as per Eq. (23), where
Levy(β) indicates the proposed levy update in BRO.
Rdam, x  Rdam, d + c Rbest, x − Rdam, x + Levy(β) (23)
The pseudo-code of suggested SIBRO model is given
below.
4 Results and discussion
For simulation, the suggested research was implemented
in PYTHON as well as the resultants were validated.
123
Service Oriented Computing and Applications (2022) 16:293–312
The suggested hybrid classifier + SIBRO technique per-
formance is compared with the traditional techniques like
LSTM [24], LR-SVM-DT-RF-ANN [25], BI-LSTM [42],
CNN [49], SVM [50], DRL [41], Hybrid classifier +
MFO [51], Hybrid classifier + GOA [52], Hybrid clas-
sifier + SLnO [53], Hybrid classifier + BRO [43], ML-
F [54], and MOPSO [33] correspondingly. Furthermore,
the achievement was compared via changing the learning
percentage (60, 70, 80, and 90) for diverse performance
measures such as “accuracy, sensitivity, specificity, preci-
sion, FNR, FPR, F-measure, NPV, and MCC,” correspond-
ingly.
4.1 Dataset description
In this work, two types of datasets are used, namely UNSW-
NB_15 [55] and TON-IOT [56]. For experimentation, dataset
UNSW-NB_15 is named as dataset 1 and dataset TON-IOT
is named as dataset 2, correspondingly. The brief details of
datasets are given as follows.
4.1.1 (i) The UNSW-NB_15 dataset
This dataset includes the total count of records in 2 million
and 540,044 are collected in the 4 CSV files, such as UNSW-
NB15_1.csv, UNSW-NB15_2.csv, UNSW-NB15_3.csv, and
UNSW-NB15_4.csv. Furthermore, the ground truth table is
referred as UNSW-NB15_GT.csv as well as the event file list
was known as UNSW-NB15_LIST_EVENTS.csv. A train-
ing set and a testing set were created from this dataset, named
UNSW-NB_15 training-set.csv and UNSW NB_15 testing-
set.csv. The training set contained 175,341 records, whereas
the testing set contained 82,332 records of various categories,
including attack as well as normal.
4.1.2 (ii) The TON-IoT dataset
This dataset contains fresh generations of Industry 4.0/IoT
and Industrial IoT datasets for evaluating the fidelity as well
as efficiency of numerous cybersecurity applications employ-
ing AI, ML, or DL algorithms. It includes CSV examples
of the four datasets chosen for calculating the efficacy as
well as fidelity of new cyber-security application on the
basis of AI and ML algorithms. The quantity of records
for training and testing the algorithms, including normal and
attack types, is displayed in the “Description_stats_datasets”
folder.
4.2 Performance analysis
The implemented technique performance is compared
with the extant techniques with respect to certain met-
rics for dataset 1, as well as it is shown in Figs. 6,
Service Oriented Computing and Applications (2022) 16:293–312 305

Fig. 6 Performance analysis of the proposed model over the extant approaches for a sensitivity b accuracy c precision d specificity for dataset 1

Fig. 7 Performance analysis of the proposed model over the extant approaches for a FNR b FPR for dataset 1

7, and 8. Similarly, the implemented hybrid classifier +
SIBRO technique achieves greater accuracy (~ 0.9) for
training percentage 90 than the extant LSTM, LR-SVM-
DT-RF-ANN, BI-LSTM, CNN, SVM, Hybrid classifier
+ MFO, Hybrid classifier + GOA, Hybrid classifier +
SLnO, and Hybrid classifier + BRO approaches as shown
in Fig. 6(b). The specificity of the implemented hybrid
classifier + SIBRO technique for training percentage 70
is 32.87%, 22.13%, 30.22%, 33.57%, 34.09%, 30.24%,
17.74%, 17.73%, 14.63%, 11.22%, 15.02%, and 12.80%
superior to the extant LSTM, LR-SVM-DT-RF-ANN, BI-
LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid
classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier
+ BRO, ML-F, and MOPSO techniques for dataset 1 as shown
in Fig. 6(d). As a result, identical performance is found when
other metrics, such as precision, are used. The influences of
hybrid classifiers that are trained with the proper features are
demonstrated in this assessment. Further, because the LSTM

123
306
Fig. 8 Performance analysis of the proposed model over the extant models for a NPV b FMS c MCC for dataset 1
weights were set to perfection, the implemented methodol-
ogy enabled higher detection outcomes while minimizing
errors.
The negative measures such as “FPR and FNR” of the
suggested approach over other extant LSTM, LR-SVM-DT-
RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier +
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO,
Hybrid classifier + BRO, ML-F, and MOPSO approaches are
shown in Fig. 7. The suggested hybrid classifier + SIBRO
approach has shown lower FPR value with better perfor-
mance than the standard approaches for training percentage
90 in Fig. 7(b). Thus, it shows that the approach with optimal
weights ensures less error through the proposed optimization
algorithm.
Figure 8 indicates the “MCC, NPV, and F-measure” met-
rics analysis of the suggested hybrid classifier + SIBRO
model than other existing models. On observing the figure,
it is shown that the NPV of the suggested hybrid classi-
fier + SIBRO approach achieves a greater value (~ 0.95) for
training percentage 90, but the compared extant LSTM, LR-
SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid
123
Service Oriented Computing and Applications (2022) 16:293–312
classifier + MFO, Hybrid classifier + GOA, Hybrid classi-
fier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO
approaches attain smaller values. Similarly, the suggested
hybrid classifier + IBRO approach reaches higher MCC (~
0.94) for training percentage 70 when compared to the train-
ing percentage 90 in Fig. 8(c). As a result, the performance
of the provided hybrid classifier + IBRO model outperforms
standard approaches.
In addition, the overall performance analysis of the imple-
mented and the standard approaches is depicted in Tables 6
and 7. From Table 6, the precision of the suggested hybrid
classifier + SIBRO model is 17.10%, 77.04%, 23.61%,
6.03%, 8.34%, 27.13%, 6.69%, 6.03%, 6.11%, 6.10%,
26.47%, and 26.99% better than other extant LSTM, LR-
SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid
classifier + MFO, Hybrid classifier + GOA, Hybrid classi-
fier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO
approaches. The suggested hybrid classifier + SIBRO model
reaches greater accuracy values (~ 0.927) than other stan-
dard techniques for dataset 1. The adopted hybrid clas-
sifier + SIBRO technique holds smaller FNR value, and
it is 94.86%, 96.05%, 93.08%, 95.04%, 95.16%, 93.08%,
Service Oriented Computing and Applications (2022) 16:293–312 307

Table 6 Overall performance analysis of the implemented and extant approaches for dataset 1

Methods Sensitivity Specificity Accuracy Precision F-Measure

LSTM [24] 0.6863 0.72147 0.70016 0.7912 0.73503

LR-SVM-DT-RF-ANN [25] 0.49589 0.75181 0.72029 0.21914 0.30396
BI-LSTM [42] 0.60836 0.64673 0.62333 0.72903 0.66325
CNN [49] 0.83379 0.85572 0.84255 0.89679 0.86415
SVM [50] 0.83397 0.8266 0.83096 0.87475 0.85387
DRL [41] 0.568632 0.609248 0.584442 0.695419 0.625667
Hybrid classifier + MFO [51] 0.82448 0.84762 0.83372 0.89054 0.85624
Hybrid classifier + GOA [52] 0.83388 0.85579 0.84263 0.89685 0.86422
Hybrid classifier + SLnO [53] 0.83265 0.85472 0.84147 0.89602 0.86317
Hybrid classifier + BRO [43] 0.83283 0.85488 0.84164 0.89615 0.86333
ML-F [54] 0.875916 0.616229 0.768051 0.701762 0.779227
MOPSO [57] 0.873306 0.610716 0.743581 0.696755 0.785104
Proposed Hybrid classifier + SIBRO model 0.92351 0.93453 0.92795 0.95436 0.93868
Methods MCC NPV FPR FNR
LSTM [24] 0.39903 0.59928 0.27853 0.3137
LR-SVM-DT-RF-ANN [25] 0.18155 0.91393 0.24819 0.50411
BI-LSTM [42] 0.24891 0.51384 0.35327 0.39164
CNN [49] 0.68008 0.77398 0.14428 0.16621
SVM [50] 0.65472 0.77419 0.1734 0.16603
DRL [41] 0.173462 0.473736 0.390752 0.431368
Hybrid classifier + MFO [51] 0.66252 0.76255 0.15239 0.17552
Hybrid classifier + GOA [52] 0.68023 0.77408 0.14421 0.16613
Hybrid classifier + SLnO [53] 0.67791 0.77256 0.14528 0.16735
Hybrid classifier + BRO [43] 0.67826 0.77279 0.14512 0.16717
ML-F [54] 0.510653 0.828095 0.383771 0.124084
MOPSO [57] 0.502418 0.84476 0.389284 0.126694
Proposed Hybrid classifier + SIBRO model 0.85208 0.8918 0.06547 0.07649

93.57%, 93.55%, 89.28%, 82.49%, 83.96%, and 77.18%
superior to the traditional models like LSTM, LR-SVM-DT-
RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier +
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO,
Hybrid classifier + BRO, ML-F, and MOPSO, respectively,
for dataset 2. The implemented approach F-measure in
dataset 2 is 38.38%, 68.76%, 32.16%, 9.84%, 40.93%,
32.19%, 36.25%, 36.17%, 21.64%, 12.55%, 19.92%, and
13.72% superior to the extant LSTM, LR-SVM-DT-RF-
ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier +
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO,
Hybrid classifier + BRO, ML-F, and MOPSO techniques.
The results have summarized that the implemented hybrid
classifier + SIBRO scheme performance is developed over
the standard methods.
4.3 Statistical analysis
In Tables 8 and 9, the statistical analysis of the provided
model is compared to the previous systems. In this work, the
statistical analysis is evaluated based on accuracy. The mean
value of the suggested approach provides superior results,
and it is 22.69%, 22.54%, 34.60%, 7.88%, 9.75%, 35.93%,
9.28%, 8.69%, 9.11%, 8.39%, 18.61%, and 18.82% better
than other traditional models like LSTM, LR-SVM-DT-RF-
ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier +
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO,
Hybrid classifier + BRO, ML-F, and MOPSO for dataset 1.
Moreover, the best value of the implemented work (~ 0.972)
is 34.99%, 25.67%, 27.39%, 15.41%, 36.19%, 27.47%,
13.93%, 13.64%, 15.64%, 5.83%, 3.73%, and 9.89% better
than the other traditional LSTM, LR-SVM-DT-RF-ANN, BI-
LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid

123
308 Service Oriented Computing and Applications (2022) 16:293–312

Table 7 Overall performance analysis of the implemented and extant approaches for dataset 2

Methods Sensitivity Specificity Accuracy Precision F-Measure

LSTM [24] 0.61301 0.64815 0.63237 0.58665 0.59954

LR-SVM-DT-RF-ANN [25] 0.49589 0.75181 0.72029 0.21914 0.30396
BI-LSTM [42] 0.71247 0.67368 0.69007 0.6149 0.6601
CNN [49] 0.59899 0.64134 0.6225 0.57234 0.58536
SVM [50] 0.58845 0.63637 0.6152 0.56161 0.57472
DRL [41] 0.712221 0.673544 0.689878 0.614615 0.659828
Hybrid classifier + MFO [51] 0.69052 0.79419 0.76543 0.56297 0.62026
Hybrid classifier + GOA [52] 0.69122 0.79431 0.76567 0.56378 0.62103
Hybrid classifier + SLnO [53] 0.81425 0.82417 0.82066 0.71678 0.76241
Hybrid classifier + BRO [43] 0.88629 0.85714 0.8694 0.81818 0.85088
ML-F [54] 0.875895 0.820414 0.838468 0.701721 0.779193
MOPSO [57] 0.912769 0.841905 0.868593 0.777181 0.839535
Proposed Hybrid classifier + SIBRO model 0.98009 0.96546 0.97278 0.96602 0.973
Methods MCC NPV FPR FNR
LSTM [24] 0.26029 0.67278 0.35185 0.38699
LR-SVM-DT-RF-ANN [25] 0.18155 0.91393 0.24819 0.50411
BI-LSTM [42] 0.38156 0.76212 0.32632 0.28753
CNN [49] 0.23944 0.6662 0.35866 0.40101
SVM [50] 0.22391 0.66139 0.36363 0.41155
DRL [41] 0.381165 0.762005 0.326456 0.287779
Hybrid classifier + MFO [51] 0.45803 0.86985 0.20581 0.30948
Hybrid classifier + GOA [52] 0.45889 0.86994 0.20569 0.30878
Hybrid classifier + SLnO [53] 0.62257 0.89033 0.17583 0.18575
Hybrid classifier + BRO [43] 0.73689 0.91222 0.14286 0.11371
ML-F [54] 0.664277 0.931997 0.179586 0.124105
MOPSO [57] 0.736249 0.941093 0.158095 0.087231
Proposed Hybrid classifier + SIBRO model 0.94566 0.97976 0.03454 0.01991

Table 8 Statistical analysis of the implemented and extant approaches for dataset 1

Approach Mean Median STD Worst Best

LSTM [24] 0.71447 0.71378 0.01858 0.6927 0.73759

LR-SVM-DT-RF-ANN [25] 0.71585 0.72035 0.00914 0.7001 0.72261
BI-LSTM [42] 0.60435 0.61271 0.02208 0.56866 0.62333
CNN [49] 0.85134 0.84918 0.01468 0.83407 0.87293
SVM [50] 0.83403 0.8359 0.00812 0.82215 0.84219
DRL [41] 0.592072 0.595267 0.01686 0.568118 0.609636
Hybrid classifier + MFO [51] 0.83839 0.84063 0.01021 0.82388 0.84841
Hybrid classifier + GOA [52] 0.84386 0.8468 0.00927 0.8292 0.85263
Hybrid classifier + SLnO [53] 0.8399 0.83798 0.0066 0.83361 0.85004
Hybrid classifier + BRO [43] 0.84658 0.84669 0.00544 0.84068 0.85227
ML-F [54] 0.752184 0.753301 0.00849 0.740385 0.761747
MOPSO [57] 0.750197 0.749991 0.00883 0.739689 0.761115
Proposed Hybrid classifier + SIBRO model 0.92413 0.92587 0.00617 0.91429 0.93051

123
Service Oriented Computing and Applications (2022) 16:293–312 309

Table 9 Statistical analysis of the implemented and extant approaches for dataset 2

Approach Mean Median STD Worst Best

LSTM [24] 0.61751 0.61938 0.01331 0.59892 0.63237

LR-SVM-DT-RF-ANN [25] 0.7216 0.72151 0.00126 0.72029 0.72308
BI-LSTM [42] 0.69336 0.69092 0.00789 0.68522 0.70637
CNN [49] 0.73171 0.74072 0.07762 0.6225 0.82291
SVM [50] 0.61149 0.61318 0.00801 0.59892 0.62069
DRL [41] 0.692794 0.690422 0.007702 0.684817 0.705514
Hybrid classifier + MFO [51] 0.78212 0.76468 0.03184 0.7619 0.83723
Hybrid classifier + GOA [52] 0.77954 0.76385 0.03539 0.7504 0.84006
Hybrid classifier + SLnO [53] 0.77781 0.76423 0.02475 0.76212 0.82066
Hybrid classifier + BRO [43] 0.8277 0.81628 0.06708 0.76221 0.91604
ML-F [54] 0.86502 0.856439 0.04702 0.81074 0.936463
MOPSO [57] 0.850554 0.867 0.034233 0.791677 0.876537
Proposed Hybrid classifier + SIBRO model 0.93161 0.92413 0.02806 0.90538 0.97278

classifier + GOA, Hybrid classifier + SLnO, Hybrid clas- 5 Conclusion

sifier + BRO, ML-F, and MOPSO models for dataset 2.
The outcomes of the proposed hybrid classifier + SIBRO
approach have proved its improvement by detecting the exact
attacks in IoT virtually in all test instances. As a result, the
proposed strategy has been improved in a successful man-
ner.
4.4 Analysis based on features
The analysis of the proposed work on the basis of features
for different training percentages is illustrated in Tables 10
and 11. Moreover, the features include raw features + LSTM
+ DRL + SIBRO model, and statistical features + LSTM +
DRL + SIBRO model. On observing the table, the raw fea-
tures + LSTM + DRL + SIBRO model attains maximum
sensitivity values (~ 0.834) for training percentage 60 when
compared to the training percentage 90 for dataset 1. In addi-
tion, the statistical features + LSTM + DRL + SIBRO model
holds better MCC for training percentage 60 than the raw
features + LSTM + DRL + SIBRO model. Moreover, the
performance difference has attained with respect to the vari-
ation of learning percentage. Further, the accuracy of the
raw features + LSTM + DRL + SIBRO model has shown
(~ 0.01) difference than the statistical features + LSTM +
DRL + SIBRO model for training percentage 60 on dataset
1.
This research has provided a unique attack detection tech-
nique. In the detection phase, the average of both LSTM and
DRL classifiers is utilized. To improve the performance of
detection results, the weight of LSTM was optimized via the
SIBRO algorithm. Lastly, the performance of the suggested
technique was compared to the extant techniques. Particu-
larly, the specificity of the suggested technique for training
percentage 70 is 32.87%, 22.13%, 30.22%, 33.57%, 34.09%,
30.24%, 17.74%, 17.73%, 14.63%, 11.22%, 15.02%, and
12.80% better than the extant LSTM, LR-SVM-DT-RF-
ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier +
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO,
Hybrid classifier + BRO, ML-F, and MOPSO techniques
for dataset 1. In statistical analysis, the best case demon-
strates an enhancement of suggested work (~ 0.972) with
accurate results and it is 34.99%, 25.67%, 27.39%, 15.41%,
36.19%, 27.47%, 13.93%, 13.64%, 15.64%, 5.83%, 3.73%,
and 9.89% better than the other traditional LSTM, LR-
SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid
classifier + MFO, Hybrid classifier + GOA, Hybrid classi-
fier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO
models for dataset 2. Thus, the efficiency of the implemented
technique is validated. In future research, we utilized other
deep learning networks to enhance the performance of attack
detection as well as implement in real-IoT networks.

123
310 Service Oriented Computing and Applications (2022) 16:293–312

Table 10 Analysis of the suggested work with various feature combi- Table 11 Analysis of the suggested work with various feature combi-
nations on dataset 1 nations on dataset 2

Metrics Raw features + LSTM + Statistical features + Metrics Raw features + LSTM + Statistical features +
DRL + SIBRO model LSTM + DRL + DRL + SIBRO model LSTM + DRL +
SIBRO model SIBRO model

Training Percentage 60 Training Percentage 60

Precision 0.744873 0.750009 Precision 0.728241 0.787558
Sensitivity 0.834899 0.838616 Sensitivity 0.82274 0.865247
Accuracy 0.756846 0.761775 Accuracy 0.797142 0.805008
Specificity 0.665561 0.67146 Specificity 0.77869 0.737173
MCC 0.510135 0.519815 MCC 0.594314 0.609593
F-measure 0.787321 0.791841 F-measure 0.772612 0.824577
FPR 0.334439 0.32854 FPR 0.22131 0.262827
NPV 0.775125 0.779731 NPV 0.859042 0.829294
FNR 0.165101 0.161384 FNR 0.17726 0.134753
Training Percentage 70 Training Percentage 70
Precision 0.733312 0.732846 Precision 0.733491 0.510056
Sensitivity 0.826468 0.826126 Sensitivity 0.826599 0.643258
Accuracy 0.745747 0.745299 Accuracy 0.800245 0.567347
Specificity 0.652393 0.651864 Specificity 0.781031 0.506749
MCC 0.488366 0.487487 MCC 0.600866 0.15014
F-measure 0.777109 0.776695 F-measure 0.777267 0.568965
FPR 0.347607 0.348136 FPR 0.218969 0.493251
NPV 0.764746 0.764327 NPV 0.860685 0.640217
FNR 0.173532 0.173874 FNR 0.173401 0.356742
Training Percentage 80 Training Percentage 80
Precision 0.732564 0.743636 Precision 0.739194 0.68299
Sensitivity 0.825919 0.834002 Sensitivity 0.830769 0.788657
Accuracy 0.745028 0.755659 Accuracy 0.803645 0.713286
Specificity 0.651545 0.664145 Specificity 0.783623 0.638943
MCC 0.486957 0.507806 MCC 0.60801 0.432272
F-measure 0.776446 0.786231 F-measure 0.782311 0.73203
FPR 0.348455 0.335855 FPR 0.216377 0.361057
NPV 0.764074 0.774016 NPV 0.8625 0.754005
FNR 0.174081 0.165998 FNR 0.169231 0.211343
Training percentage 90 Training percentage 90
Precision 0.723066 0.727574 Precision 0.751 0.705
Sensitivity 0.818917 0.822248 Sensitivity 0.839 0.806
Accuracy 0.735904 0.740235 Accuracy 0.810 0.733
Specificity 0.640846 0.645911 Specificity 0.789 0.659
MCC 0.469086 0.477566 MCC 0.623 0.470
F-measure 0.768012 0.772019 F-measure 0.793 0.752
FPR 0.359154 0.354089 FPR 0.210 0.340
NPV 0.755533 0.759588 NPV 0.866 0.770
FNR 0.181083 0.177752 FNR 0.160 0.193

123
Service Oriented Computing and Applications (2022) 16:293–312
Declarations
Conflict of interest The authors declare no conflict of interest.
References
1. Kaliyar P, Jaballah WB, Lal C (2020) LiDL: localization with early
detection of sybil and wormhole attacks in IoT networks. Comput
Secur 94:101849
2. Liu L, Ma Z, Meng W (2019) Detection of multiple-mix-attack
malicious nodes using perceptron-based trust in IoT networks.
Future Gener Comput Syst 101:865–879
3. Rathore S, Park JH (2018) Semi-supervised learning based dis-
tributed attack detection framework for IoT. Appl Soft Comput
72:79–89
4. Rahman MA, Asyhari AT, Zolkipli MF (2020) Scalable machine
learning-based intrusion detection system for IoT-enabled smart
cities. Sustain Cities Soc 61:102324. https://doi.org/10.1016/j.scs.
2020.102324
5. Kore A, Patil S (2020) IC-MADS: IoT enabled cross layer
man-in-middle attack detection system for smart healthcare appli-
cation. Wireless Pers Commun 113:727–746. https://doi.org/10.
1007/s11277-020-07250-0
6. Nweke HF, Teh YW, Mujtaba G et al (2019) Multi-sensor fusion
based on multiple classifier systems for human activity identifi-
cation. Hum Cent Comput Inf Sci 9:34. https://doi.org/10.1186/
s13673-019-0194-5
7. Wang N, Li W, Alipour-Fanid A, Dabaghchian M, Zeng K
(2020) Compressed-sensing-based pilot contamination attack
detection for NOMA-IoT communications. IEEE Internet Things
J 7(8):7764–7772. https://doi.org/10.1109/JIOT.2020.2991956
8. Al-Hamadi H, Chen I-R, Wang D-C, Almashan M (2020) Attack
and defense strategies for intrusion detection in autonomous dis-
tributed IoT systems. IEEE Access 8:168994–169009. https://doi.
org/10.1109/ACCESS.2020.3023616
9. Roy RG, Ghoshal D (2020) Search and rescue optimization algo-
rithm - second order sliding mode control: AUV error tracking. J
Comput Mech Power Syst Control 3:10–20
10. Anand S (2020) Intrusion detection system for wireless mesh net-
works via improved whale optimization. J Netw Commun Syst
3:9–16
11. Rajeyyagari S (2020) Automatic speaker diarization using deep
LSTM in audio lecturing of e-Khool platform. J Netw Commun
Syst 3:17–25
12. Chakkaravarthy SS, Sangeetha D, Cruz MV, Vaidehi V,
Raman B (2020) Design of intrusion detection honeypot
using social leopard algorithm to detect IoT ransomware
attacks. IEEE Access 8:169944–169956. https://doi.org/10.1109/
ACCESS.2020.3023764
13. Kponyo JJ, Agyemang JO, Boateng JO (2020) Lightweight
and host-based denial of service (DoS) detection and defense
mechanism for resource-constrained IoT devices. Internet Things
12:100319
14. Mirsky Y, Golomb T, Elovici Y (2020) Lightweight collaborative
anomaly detection for the IoT using blockchain. J Parallel Distrib
Comput 145:75–97
15. Roldán J, Boubeta-Puig J, Ortiz G (2020) Integrating complex
event processing and machine learning: an intelligent architecture
for detecting IoT security attacks. Expert Syst Appl 149:113251
16. Almiani M, AbuGhazleh A, Razaque A (2020) Deep recurrent neu-
ral network for IoT intrusion detection system. Simul Model Pract
Theory 101:102031
311
17. Zhou M, Han L, Lu H et al (2020) Intrusion detection system for
IoT heterogeneous perceptual network. Mobile Netw Appl. https://
doi.org/10.1007/s11036-019-01483-5
18. Kumar P, Gupta GP, Tripathi R (2020) A distributed ensemble
design based intrusion detection system using fog computing to
protect the internet of things networks. J Ambient Intell Human
Comput. https://doi.org/10.1007/s12652-020-02696-3
19. Shirsat P (2020) Developing deep neural network for learner perfor-
mance prediction in EKhool online learning platform. Multimedia
Res 3:24–31
20. Cristin R, Raj VC, Marimuthu R (2019) Face image forgery detec-
tion by weight optimized neural network model. Multimedia Res
2:19–27
21. Shaik JB, Ganesh V (2020) Deep neural network and social ski-
driver optimization algorithm for power system restoration with
VSC - HVDC technology. J Comput Mech Power Syst Control
3:1–9
22. Babu MJ, Reddy AR (2020) SH-IDS: specification heuristics
based intrusion detection system for IoT networks. Wireless
Pers Commun 112:2023–2045. https://doi.org/10.1007/s11277-
020-07137-0
23. Elrawy M, Awad A, Hamed H (2018) Intrusion detection systems
for IoT-based smart environments: a survey. J Cloud Comp. https://
doi.org/10.1186/s13677-018-0123-6
24. Samy A, Yu H, Zhang H (2020) Fog-based attack detection frame-
work for internet of things using deep learning. IEEE Access
8:74571–74585. https://doi.org/10.1109/ACCESS.2020.2988854
25. Hasan M, Islam MM, Hashem MM (2019) Attack and anomaly
detection in IoT sensors in IoT sites using machine learning
approaches. Int Things 7:100059
26. Ravi N, Shalinie SM (2020) Learning-driven detection and mitiga-
tion of ddos attack in iot via sdn-cloud architecture. IEEE Int Things
J 7(4):3559–3570. https://doi.org/10.1109/JIOT.2020.2973176
27. Bhayo J, Hameed S, Shah SA (2020) An efficient counter-based
DDoS attack detection framework leveraging software defined
ioT (SD-IoT). IEEE Access 8:221612–221631. https://doi.org/10.
1109/ACCESS.2020.3043082
28. Khan AY, Latif R, Latif S, Tahir S, Batool G, Saba T (2020)
Malicious insider attack detection in IoTs using data analytics.
IEEE Access 8:11743–11753. https://doi.org/10.1109/ACCESS.
2019.2959047
29. Vu L, Nguyen QU, Nguyen DN, Hoang DT, Dutkiewicz
E (2020) Deep transfer learning for IoT attack detec-
tion. IEEE Access 8:107335–107344. https://doi.org/10.1109/
ACCESS.2020.3000476
30. Ma Z, Liu L, Meng W (2020) Towards multiple-mix-attack detec-
tion via consensus-based trust management in IoT networks.
Comput Secur 96:101898
31. Baig ZA, Sanguanpong S, So-In C (2020) Averaged dependence
estimators for DoS attack detection in IoT networks. Future Gener
Comput Sys 102:198–209
32. Zarpelão BB, Miani RS, Kawakani CT, de Alvarenga SC (2017) A
survey of intrusion detection in Internet of Things. J Netw Comput
Appl 84:25–37
33. Kasongo SM (2021) An advanced intrusion detection system
for IIoT based on GA and tree based algorithms. IEEE Access
9:113199–113212
34. Liu Z (2011) A method of SVM with normalization in intrusion
detection. Procedia Environ Sci 11:256–262
35. Moustafa N, Slay J (2016) The evaluation of network anomaly
detection systems: statistical analysis of the UNSW-NB15 data
set and the comparison with the KDD99 data set. Inform
Secur J A Global Perspect 25(1–3):18–31. https://doi.org/10.1080/
19393555.2015.1125974
36. https://en.wikipedia.org/wiki/Statistic.
37. https://en.wikipedia.org/wiki/Standard_deviation
123
312 Service Oriented Computing and Applications (2022) 16:293–312

38. https://www.itl.nist.gov/div898/handbook/eda/section3/eda35b. 49. LeCun Y, Kavukvuoglu K, Farabet C (2010) Convolutional net-

htm#:~:text=Skewness%20is%20a%20measure%20of,relative% works and applications in vision. In Circuits and Systems, Interna-
20to%20a%20normal%20distribution. tional Symposium on, 253–256
39. https://en.wikipedia.org/wiki/Percentile 50. Avci E (2009) A new intelligent diagnosis system for the heart
40. https://en.wikipedia.org/wiki/Central_moment#:~:text=In% valve diseases by using genetic-SVM classifier. Expert Syst Appl
20probability%20theory%20and%20statistics,random% 36:10618–10626
20variable%20from%20the%20mean. 51. Mirjalili S (2015) Moth-flame optimization algorithm: a Novel
41. Martinez C, Perrin G, Ramasso E, Rombaut M (2018) A deep rein- nature-inspired heuristic paradigm. Knowledge Based Syst
forcement learning approach for early classification of time series. 89:228–249
2018 26th Eur Signal Process Conf (EUSIPCO), pp 2030–2034. 52. Saremi S, Mirjalili S, Lewis A (2017) Grasshopper optimisation
https://doi.org/10.23919/eusipco.2018.8553544 algorithm: theory and application. Adv Eng Softw 105:30–47
42. Zhou X, Lin J, Zhang Z, Shao Z, Liu H (2019) Improved itracker 53. Masadeh R, Mahafzah B, Sharieh A (2019) Sea Lion Optimization
combined with bidirectional long short-term memory for 3D gaze Algorithm. Int J Adv Comput Sci Appl 10:388–395
estimation using appearance cues. Neuro Comput 390:217–225 54. Krishna ES, Thangavelu A (2021) Attack detection in IoT devices
43. Rahkar Farshi T (2021) Battle royale optimization algorithm. using hybrid metaheuristic lion optimization algorithm and firefly
Neural Comput Appl 33(4):1139–1157. https://doi.org/10.1007/ optimization algorithm. Int J Syst Assurance Eng Manag 1-14.
s00521-020-05004-4 https://doi.org/10.1007/s13198-021-01150-7
44. Rajakumar BR (2013) Impact of static and adaptive mutation 55. The UNSW-NB15 Dataset. https://research.unsw.edu.au/projects/
techniques on genetic algorithm. Int J Hybrid Intelligent Sys unsw-nb15-dataset
10(1):11–22. https://doi.org/10.3233/HIS-120161 56. https://research.unsw.edu.au/projects/toniot-datasets
45. Rajakumar BR (2013) Static and adaptive mutation techniques for 57. Habib M, Aljarah I, Faris H, Mirjalili S (2020) Multi-objective par-
genetic algorithm: a systematic comparative analysis. Int J Com- ticle swarm optimization for botnet detection in internet of things,
put Sci Eng 8(2):180–193. https://doi.org/10.1504/IJCSE.2013. In: Evolutionary machine learning techniques, Springer publisher,
053087 Singapore, pp. 203–229
46. Swamy SM, Rajakumar BR, Valarmathi IR (2013) Design of
hybrid wind and photovoltaic power system using opposition-based
genetic algorithm with cauchy mutation. IET Chennai fourth inter-
Publisher’s Note Springer Nature remains neutral with regard to juris-
national conference on sustainable energy and intelligent systems
dictional claims in published maps and institutional affiliations.
(Seiscon 2013), chennai, India, Dec 2013, Doi: https://doi.org/10.
1049/ic.2013.0361
47. George A, Rajakumar BR (2013) APOGA: an adaptive popula-
tion pool size based genetic algorithm. AASRI Procedia - 2013
AASRI conference on intelligent systems and control (ISC 2013).
Am Appl Sci Res Inst 4:288–296. https://doi.org/10.1016/j.aasri.
2013.10.043
48. Rajakumar BR, George A (2012) A new adaptive mutation tech-
nique for genetic algorithm. In: proceedings of IEEE international
conference on computational intelligence and computing research
(ICCIC), pp. 1–7, Dec 18–20, Coimbatore, India, Doi: https://doi.
org/10.1109/ICCIC.2012.6510293

123