Service Oriented Computing and Applications (2022) 16:293–312

https://doi.org/10.1007/s11761-022-00342-8

ORIGINAL RESEARCH

Hybrid deep learning model for attack detection in internet of things


H. Rekha1 · M. Siddappa1

Received: 29 January 2022 / Revised: 9 June 2022 / Accepted: 19 June 2022 / Published online: 27 October 2022
© The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature 2022

Abstract
Internet of things (IoT) provides a new application, which helps the existing networks communicate with smart technologies. Things are now becoming increasingly connected to the Internet, and many new gadgets are being created at a faster rate. Since these interconnected smart objects are capable of interacting with one another in undefended surroundings, the entire communication ecosystem needs security solutions at various levels. Unlike the existing networks, IoT technology has its own set of features, including various network protocol requirements and a variety of resource constraints. To launch different attacks, the attacker exploits many security vulnerabilities in the IoT system. The growth in cyber-attacks has made it important to address their consequences in the IoT. This paper introduces a novel attack detection model. First, the input data are preprocessed, and the most relevant features are extracted from them: raw features, statistical features, and higher-order statistical features. The extracted features are then subjected to the classification process. The extracted raw features are given directly to the long short-term memory (LSTM), and the extracted statistical and higher-order statistical features are subjected to deep reinforcement learning (DRL) for the classification process. Then, the average of the LSTM and DRL outputs provides the detected output. To improve the detection results, the weight of the LSTM is optimized by the self-improved battle royale optimization (SIBRO) algorithm. Finally, the performance of the presented scheme is compared to the existing approaches in terms of different metrics: “F-measure, specificity, NPV, accuracy, FNR, sensitivity, precision, FPR, and MCC.”

Keywords Attack detection · Internet of things · Feature extraction · Detection · Optimization

Abbreviations

AI: Artificial intelligence
AEs: Autoencoders
ANN: Artificial neural network
A1DE and A2DE: Averaged one-dependence and two-dependence
BI-LSTM: Bidirectional long short-term memory
BRO: Battle royale optimization
C-DAD: Counter-based DDoS attack detection
CNN: Convolutional neural network
DCONST: Distributed consensus-based trust model
DL: Deep learning
DoS: Denial of service
DR: Detection rate
DRL: Deep reinforcement learning
DQN: Deep Q-network
DT: Decision tree
DTL: Deep transfer learning
FNR: False negative rate
FPR: False positive rate
GOA: Grasshopper optimization algorithm
HD: Hard detection
HIDS: Host-based IDS
IDS: Intrusion detection system
IoT: Internet of things
LEDEM: Learning-driven detection and mitigation
LR: Logistic regression
LSTM: Long short-term memory
MCC: Matthews correlation coefficient
MFO: Moth flame optimization
ML: Machine learning
ML-F: Metaheuristic lion optimization algorithm and firefly optimization algorithm
MOPSO: Multi-objective particle swarm optimization
NIDS: Network-based IDS
NPV: Net predictive value
PDE: Perceptron detection with enhancement
PDF: Probability density function
RF: Random forest
SDN: Software-defined network
SLnO: Sea lion optimization
SVM: Support vector machine

H. Rekha [email protected]
1 Computer Science and Engineering, Sri Siddhartha Institute of Technology, Sri Siddhartha Academy of Higher Education, Agalakote, B.H. Road, Tumkur 572107, Karnataka, India

1 Introduction

IoT seems to be a fast-evolving technology, which has progressed tremendously in numerous technical sectors in the last few years. Hundred billions of devices from systems like the Internet, smart grids, smart homes, smart automobiles, and smart health care have merged with IoT [1, 2]. IoT combines the digital world with the real environment [3], and this convergence on IoT devices may allow different cyber-attacks. Due to the obvious heterogeneity of IoT systems, limited hardware resources, worldwide accessibility, and huge scale, the security in IoT devices is a challenging one [4–6]. The number of devices, the purpose of use, and the physical condition of the devices are the main differences in IoT security compared to traditional IT security. Furthermore, the common IoT security challenges are insecure communications, data leaks from IoT systems, malware risks, cyber-attacks, secure networks, and secure data. As a result, designing an efficient security method to identify the critical malicious nodes in the networks is of great importance in IoT.

Several IDS for IoT [7, 8] employ the deep learning concept. In fact, DL is a strong tool for evaluating large traffic volumes and appropriately distinguishing aberrant from normal behavior of various systems from raw data. The direct determination of complicated DL techniques on IoT devices [9–11] is undesirable. DL has been utilized by many research works to identify the cyber-attacks in IoT [12]. However, the application of these power-intensive and computational frameworks with low-capacity sensors is yet to be described [13–16].

The multiple processing layers of computational methods could be used to represent the data in DL. Owing to its multilayer structure, DL might give a deeper raw data representation and categorize or predict data more correctly than ML [17, 18]. However, due to the energy capabilities, storage, and restricted processing capabilities of IoT devices, the direct execution of sophisticated DL approaches [19–21] on IoT devices is difficult [7, 8, 12, 22, 23]. The following are the key contributions of the proposed model:

• In the detection phase, an optimization-assisted hybrid LSTM and DRL model is introduced for identifying the presence of attacks in IoT.
• To make the detection more accurate, a self-improved battle royale optimization (SIBRO) algorithm is proposed for tuning the weight parameter of LSTM.
• The proposed SIBRO is an enhanced version of the classic BRO algorithm.

The organization of the study is as follows: The reviews on attack detection in IoT are described in Sect. 2. Section 3 depicts the adopted attack detection paradigm in the Internet of things, as well as the comprehensive method. Section 4 shows the outcomes as well as discussion. Section 5 presents the conclusion of this work.

2 Literature review

2.1 Related works

In 2020, Samy et al. [24] implemented a complete attack detection system with a large detection rate, distribution, and robustness to identify specific cyber-attacks in IoT via DL. Because of its proximity to edge devices, dispersed nature, and high computing capability, the adopted framework on fog nodes has implemented an attack detector. Six DL models were evaluated to find the best performing DL model. The LSTM model has proven better performance than the other methods with respect to detection rate as well as detection accuracy in both multi-class and binary classification.

In 2019, Mahmudul et al. [25] determined an attack as well as anomaly detection using ML approaches in IoT sensors. ANN, DT, SVM, RF, and LR were utilized in the adopted research. Numerous optimization approaches were used with different classifiers. Coordinate descent was utilized in logistic regression. Traditional gradient descent was utilized by ANN and SVM. In the case of RF and DT, the optimizer was not used because they were nonparametric methods. Precision, accuracy, area under the ROC curve, recall, and F1 score were the assessment measures utilized to compare the performance. Compared to the previous models, the suggested system achieved better accuracy for ANN, DT, and RF.

In 2020, Ravi et al. [26] adopted LEDEM for DDoS attack via SDN–cloud framework in IoT. The suggested approach focused on preventing the DDoS attacks in IoT servers. For mitigating the DDoS attacks on IoT servers, the security strategy makes use of the SDN and cloud paradigms. LEDEM was a new methodology that utilizes a semi-supervised ML method to find as well as mitigate DDoS attacks. Moreover, the LEDEM was truly tested in an emulated topology and test bed, and the findings were compared with those obtained using standard techniques. In comparison with other traditional models, the experimental results showed an increased accuracy rate of 96.28% in identifying DDoS attacks.

In 2020, Bhayo et al. [27] suggested an SD–IoT-based platform for IoT security services. The C-DAD program was created using counter values for several network characteristics that aid in the effective detection of DDoS attacks. The IoT devices, IoT controller, SDNWISE controller, and SOPS made up the framework. Different counter-based functionalities were incorporated in the suggested framework’s sub-modules like flow monitor and analyzer to identify the DDoS attacks in the SD–IoT network. Through SDN, the algorithm achieved improved performance.

In 2020, Khan et al. [28] established a method for monitoring harmful insider attacks in IoT environments using distance measuring techniques with AI characteristics. It contains a comprehensive review of conventional systems for recognizing harmful attacks in the IoT context. To protect the security in the IoT environment with sensitive and important data of sensors/devices, the Levenshtein distance measuring technique was employed in the suggested system for recognizing the hostile attacks. The findings revealed that the LV distance measuring approach with AI-based solution had higher accuracy than any of the classic models.

In 2020, Vu et al. [29] suggested a DTL system, which allows data from many IoT devices that could be used for learning. A DTL model was characterized by two AEs particularly. Additionally, the outcomes of the adopted scheme were examined by extensive tests on 9 current IoT datasets. When compared to the current DTL schemes and the baseline DL method, the simulation results demonstrated that the chosen DTL scheme greatly improved the accuracy in identifying IoT attacks.

In 2020, Zuchao et al. [30] investigated a method called DCONST that could be used to assess the trustworthiness of IoT nodes by providing specific information. Furthermore, the proposed strategy has been classified as a kind of multiple-mix-attack which mixes three common attacks (drop, tamper, and replay) with an unknown probability. DCONST was able to detect hostile nodes and evaluate their specific attack patterns using K-means clustering techniques. Particularly, the DCONST-Normal and DCONST-Proactive might enhance detection rates by 5–20% as compared to DCONST-Light.

Table 1 Review on extant techniques: advantages and challenges

| Author | Method | Advantages | Challenges |
|---|---|---|---|
| Samy et al. [24] | LSTM DL method | Higher rate of detection; increased recall | The proposed work was not contrasted with RL as well as unsupervised DL approaches |
| Mahmudul et al. [25] | LR-SVM-DT-RF-ANN | Maximum accuracy; higher precision; improved recall; better F1-score | The adopted model does not guarantee other unknown problems and the big data |
| Ravi et al. [26] | LEDEM method | High accuracy; increased throughput; improved recall; better F-measure | The proposed model has planned to probe into other ML approaches |
| Bhayo et al. [27] | C-DAD model | Decreased throughput; low attack detection time; increased CPU utilization | The adopted work has not worked with multiple IoT networks in heterogeneous environments |
| Khan et al. [28] | AI technique | Low computational overhead; less false positives; enhanced attack detection accuracy | Need to develop the proposed model with attack prevention from insider attacks and better accuracy |
| Vu et al. [29] | DTL method | Improved accuracy; better predicting time; high AUC score; improved effectiveness | The proposed work needs larger time for training the approach |
| Zuchao et al. [30] | DCONST approach | Higher detection accuracy; increased attack probability | Need to optimize the parameters of DCONST for handling the different network conditions |
| Zubair et al. [31] | A1DE and A2DE techniques | Higher accuracy; maximum precision; better recall; improved F-score | Different aspects required intensive investigation like scalability, traffic density, diversity, etc., to enhance the detection performance |

In 2019, Zubair et al. [31] presented a DoS detection framework that includes module for creation and feature ranking, testing, data production, and training. To recognize the DoS attacks, the A1DE and A2DE methods were redefined and implemented in IoT networks. The development of voting schemes and multi-scheme for DoS attack detection in IoT has used an integration of A2DE and A1DE. Furthermore, the conventional approaches and the adopted system were sorely tested in real-world IoT attack situations, and the results have proven the efficiency of the proposed work.

2.2 Summary

Table 1 represents the review on attack detection in IoT. At first, the LSTM DL approach [24] provides maximum detection rate, improved precision, increased recall, and maximum detection accuracy; however, the proposed work was not contrasted with RL as well as unsupervised DL approaches. Moreover, the LR-SVM-DT-RF-ANN method [25] provides maximum accuracy, improved recall, higher precision, and better F1-score. Nevertheless, the adopted model does not guarantee other unknown problems and the big data. LEDEM method [26] offers high accuracy, increased throughput, improved recall, and better F-measure, but the proposed model has planned to probe into other ML approaches. Likewise, the C-DAD model [27] offers decreased throughput, low attack detection time, and increased CPU utilization. However, the adopted work has not worked with multiple IoT networks in heterogeneous environments. AI technique was exploited in [28] that has reduced the computational overhead, minimized false positives, and improved attack detection accuracy; however, there is a need to develop the proposed model with attack prevention from insider attacks and better accuracy. Next, the DTL method was implemented in [29] that provides an improved accuracy, better predicting time, high AUC score, and improved effectiveness. Still, the proposed work requires more time to train the model. DCONST approach [30] provides higher detection rate, higher detection accuracy, and increased attack probability. However, there is a need to optimize the parameters of DCONST for handling the different network conditions. Finally, the A1DE and A2DE techniques [31] provide improved F-score, precision, recall, as well as accuracy, but the different aspects required intensive investigation like scalability, traffic density, diversity, etc., to enhance the detection performance. Thus, these challenges need to be considered on the basis of attack detection in IoT of this research successfully.

2.3 General attack detection framework in IoT

IoT is an important component of new information technology in the information age. The IoT server is in charge of the critical functions of terminal sensor processing, data collecting, and processing result return. Because of the increasing expansion of IoT technologies, security is even more vital in the cyber-world. IDS can also be used to protect Internet servers. Numerous IoT servers and devices are immediately accessible to the public Internet due to sophisticated remote control capabilities. IDS is essential for guarding and identifying harmful attacks on IoT servers. The IDS observes the operations of a host or network and notifies the system administrator whenever it identifies a security violation. Generally, a NIDS is attached to one or more network segments and observes network traffic for malicious activities. The HIDS is connected to a computer device and observes malicious activity within the system. Unlike NIDS, the HIDS examines system calls, running processes, file system modifications, inter-process communication, and application logs in addition to network traffic [32]. Therefore, the use of IDS would protect both terminal users and service providers from Internet threats.

Moreover, security safeguards are not fully attained in the IoT application because the attack plane is limited. The goal of this paper is to offer a unique deep learning-based attack detection system for the IoT, as depicted in Fig. 1. The implemented approach deals with the behavior of attackers in the network via standard datasets.

Fig. 1 General design of IoT platform (diagram: attackers, IoT devices, normal data exchange, IoT servers, intrusion detection system)

3 Description of the suggested attack detection approach in IoT

This paper aims to implement a unique attack detection approach that contains three phases: (i) preprocessing, (ii) feature extraction, and (iii) detection/classification. Figure 2 illustrates the overall framework of the proposed approach. The following steps are involved in this work.

Fig. 2 Overall architecture of the implemented technique (flow: input data; data pre-processing; feature extraction into raw features (flow-based features and raw parameters) and statistical and higher-order statistical features (mean, median, mode, SD, skewness, kurtosis, percentile, angular second moment, entropy, and homogeneity); classification by LSTM, with optimal weights from the proposed SIBRO algorithm, and by deep reinforcement learning; average; output)

• At first, the input data are loaded into the preprocessing phase and each dataset is cleaned and normalized.
• Further, the preprocessed data are used for retrieving the features, in which they extract the raw features, statistical features, and higher-order statistical features. The raw features include flow-based features and raw parameters. The statistical and higher-order statistical features include “mean, median, mode, SD, skewness, kurtosis, percentile, angular second moment, homogeneity, and entropy.”
• In the detection phase, the extracted raw features are directly given to the LSTM, and the extracted statistical and higher-order statistical features are directly subjected to the DRL. To provide the accurate results, weight of LSTM is optimized using a SIBRO algorithm. Therefore, the average of both LSTM and DRL provides the detected output in an efficient way.

3.1 Data preprocessing

The cleaning as well as data normalization steps are important in the preprocessing step. Data cleaning ensures the data utilized to produce the models are of higher quality. Duplicates were removed, missing data were replaced, structural errors were fixed, as well as unnecessary (possibly noisy) observations were removed as part of the data cleaning process [33]. After the data cleaning, it requires normalization. In this study, Min–Max scaling model [34] is used for data normalization and it is described in Eq. (1). Here, $y$ denotes a given feature in the feature space $Y$.

$$y_{\mathrm{NORM}} = (a - b)\,\frac{y_m - \min(y_m)}{\max(y_m) - \min(y_m)} \tag{1}$$

3.2 Feature extraction

The preprocessed information is given in this step and the raw features, statistical and higher-order statistical features are retrieved.

3.2.1 (A) Raw features

In the raw features, flow-based features and raw parameters are extracted.

(i) Flow-based features Further, the flow-based features [35] are described in Table 2 and it is represented as FF.
(ii) Raw parameters The raw parameters contain basic features, time features, and content features, as well as additional generated features are considered as the raw parameters RP [35]. The raw parameter details are given in Table 3.

Moreover, the raw features are represented as per Eq. (2):

$$RF = FF + RP \tag{2}$$

Table 2 Flow features

| S. No | Features | Description |
|---|---|---|
| 1 | Dstip | Destination IP address |
| 2 | Dsport | Destination port number |
| 3 | Srcip | Source IP address |
| 4 | Sport | Source port number |
| 5 | Proto | Protocol type (UDP, TCP) |

3.2.2 (B) Statistical features

The statistical features include “mean, median, mode, and standard deviation”. The detailed explanation of the features is shown in Table 4.

3.2.3 (C) Higher-order statistical features

The higher-order statistical features include “skewness, kurtosis, percentile, entropy, angular second moment, and homogeneity” features. Table 5 depicts the definitions of these features.
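The preprocessing and feature-extraction steps above (Eq. 1 and the statistics defined in Tables 4 and 5), as an added Python example that is not the authors' code. It assumes a = 1 and b = 0 in Eq. (1), uses the Shannon entropy of the empirical value distribution, and leaves out angular second moment and homogeneity, which need a probability matrix the page does not define for flow records; the function names and the two sample windows are constructed.

```python
import math
import statistics
from collections import Counter


def min_max_scale(column, a=1.0, b=0.0):
    """Eq. (1): (a - b) * (y - min) / (max - min) for one feature column.

    The page does not define a and b; a=1, b=0 (range [0, 1]) is assumed.
    """
    lo, hi = min(column), max(column)
    if hi == lo:                       # constant column: avoid division by zero
        return [0.0] * len(column)
    return [(a - b) * (y - lo) / (hi - lo) for y in column]


def percentile(values, q):
    """q-th percentile, linear interpolation between order statistics."""
    ordered = sorted(values)
    pos = (len(ordered) - 1) * q / 100.0
    low, high = math.floor(pos), math.ceil(pos)
    return ordered[low] + (ordered[high] - ordered[low]) * (pos - low)


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of the values."""
    m = len(values)
    return -sum((c / m) * math.log2(c / m) for c in Counter(values).values())


def statistical_features(z, q=90):
    """Mean, median, mode, SD (Table 4) and skewness, kurtosis, percentile,
    entropy (Table 5) for one window z of observations of a single feature."""
    m = len(z)
    if m < 2:
        raise ValueError("need at least two observations per window")
    mean = sum(z) / m
    squared = sum((v - mean) ** 2 for v in z)
    sd = math.sqrt(squared / (m - 1))      # Table 4: denominator m - 1
    sigma = math.sqrt(squared / m)         # Table 5: denominator m
    if sigma == 0.0:                       # constant window has no shape
        skew = kurt = 0.0
    else:
        skew = sum((v - mean) ** 3 for v in z) / m / sigma ** 3
        kurt = sum((v - mean) ** 4 for v in z) / m / sigma ** 4
    return {
        "mean": mean,
        "median": statistics.median(z),
        "mode": statistics.mode(z),
        "sd": sd,
        "skewness": skew,
        "kurtosis": kurt,
        "percentile": percentile(z, q),
        "entropy": shannon_entropy(z),
    }


# Constructed windows of one flow feature (for example source-to-destination
# bytes in arbitrary units): steady traffic, and a window with one large burst.
STEADY = [2, 4, 4, 4, 5, 5, 7, 9]
BURST = [1, 1, 1, 1, 1, 1, 1, 50]

if __name__ == "__main__":
    for name, window in (("steady", STEADY), ("burst", BURST)):
        feats = statistical_features(min_max_scale(window))
        print(name, {k: round(v, 4) for k, v in feats.items()})
```

Skewness and kurtosis do not change under min-max scaling while mean and SD do, so the burst window stands out on the shape features whatever the byte scale of the link.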

Table 3 Raw parameters

| Features | Description |
|---|---|
| dur | Total duration of the record |
| state | State and its dependent protocol |
| sttl | Source to destination time to live |
| dbytes | Destination to source bytes |
| ct_src_dport_ltm | Number of records of the same srcip (1) and the dsport (4) in 100 records based on the ltime (26) |
| sbytes | Source to destination bytes |
| Sload | Source bits/second |
| dload | Destination packets retransmitted/dropped |
| sloss | Source packets retransmitted/dropped |
| dttl | Destination to source time to live |
| dloss | Destination packets retransmitted or dropped |
| is_sm_ips_ports | If srcip (1) is equal to dstip (3) and sport (2) is equal to dsport (4), this variable assigns to 1 otherwise 0 |
| swin | Source TCP window advertisement value |
| dwin | Destination TCP window advertisement value |
| ct_ftp_cmd | No. of flows that has a command in ftp session |
| dpkts | Destination to source packet count |
| spkts | Source to destination packet count |
| res_bdy_len | The data transferred from the server’s http service’s actual uncompressed content size |
| stcpb | Source TCP base sequence number |
| smeansz | Mean of the flow packet size transmitted by the src |
| ct_srv_src | Number of records that include the same service (14) as well as srcip (1) in 100 records based on the ltime (26) |
| dintpkt | Destination interpacket arrival time (mSec) |
| ct_dst_ltm | Number of records of the same dstip (3) in 100 records based on the ltime (26) |
| dtcpb | Destination TCP base sequence number |
| service | Like http, ftp, smtp, ssh, dns, and ftp-data |
| dmeansz | Mean of the flow packet size transmitted via the dst |
| sjit | Source jitter (mSec) |
| trans_depth | Defines the depth of the http request/response transaction’s pipelined connection |
| is_ftp_login | If the ftp session is entranced via user as well as password, then 1 else 0 |
| ltime | Record last time |
| djit | Destination jitter (mSec) |
| ct_flw_http_mthd | The number of flows in the http service that have methods like Get and Post |
| stime | Record start time |
| ct_src_ltm | Number of records of the srcip (1) in 100 records based on the ltime (26) |
| sintpkt | Source interpacket arrival time (mSec) |
| tcprtt | TCP connection setup round-trip time, the sum of “synack” and “ackdat” |
| ct_dst_src_ltm | Number of records of the same srcip (1) and the dstip (3) in 100 records based on the ltime (26) |
| synack | TCP connection setup time, the time among the SYN and SYN_ACK packets |
| ct_dst_sport_ltm | No. of records of the same dstip (3) as well as the sport (2) in 100 records based on the ltime (26) |
| ackdat | TCP connection setup time, the time among the SYN_ACK and ACK packets |
| ct_srv_dst | Number of records which include the same service (14) and dstip (3) in 100 records based on the ltime (26) |
| ct_state_ttl | Number for each state (6) based on a given range of sttl (10) and dttl (11) values |

Table 4 Statistical features

| Features | Definitions |
|---|---|
| Mean | “The process in which the sum of all values divided by the sum of number of values is known to be mean value [36]. Here, the mean is denoted as $\bar{Z}$. In the following equation, $Z$ represents the observed value and $m$ indicates the number of values.” $\bar{Z} = \frac{1}{m}\sum_{q=1}^{m} Z_q$ |
| Median | “Median [36] is the process, in which the middle values in a dataset are organized in an ascending order. If the dataset contains 2 values in middle, then the mean of 2 middle values is regarded as the median of the data. The median is indicated as $SF_1$. In the following equation, $m$ represents the number of values and $Z$ denotes the ordered list of values in dataset.” $SF_1 = \begin{cases} Z_{\frac{m}{2}} & \text{if } m \text{ is odd} \\ \dfrac{Z_{\frac{m-1}{2}} + Z_{\frac{m+1}{2}}}{2} & \text{if } m \text{ is even} \end{cases}$ |
| Mode | “Mode is the most frequent value present in the database. It is one among the major central tendency metrics, that is used with normal data that have completely subjective class assignments. The mode is represented as $SF_2$. The mode is the value in a series of observation that occurs with higher frequency.” |
| SD | “SD is a measure of set of a dispersion values or amount of variation. The lower SD [37] denotes the values that tend to be nearer to the mean value, whereas a larger SD denotes the extended values over a larger range. The SD is represented as $SF_3$, and it is given in Eq. (3). Here, $\bar{Z}$ indicates the symbol of sample mean.” $SF_3 = \sqrt{\frac{1}{m-1}\sum_{q=1}^{m}\left(Z_q - \bar{Z}\right)^2}$ |

Finally, the statistical and higher-order statistical features are represented by $SF$, as given in Eq. (3):

$$SF = \bar{Z} + SF_1 + SF_2 + SF_3 + SF_4 + SF_5 + SF_6 + SF_7 + SF_8 + SF_9 \tag{3}$$

3.3 Attack detection by proposed Hybrid classifier

For the classification process (multi-classification of attack types), the raw features $RF$ are given as the input to LSTM. The retrieved statistical and higher-order statistical features $SF$ are subjected to DRL. Both classifiers are run simultaneously, and the results are averaged to get the final classification outcomes.

3.3.1 LSTM

The LSTM is given the retrieved raw characteristics ($RF$). The LSTM network uses a linear connection as well as a gate control unit to solve vanishing-gradient problems. The high reliance of time-series data is captured by the LSTM network.

The LSTM [42] architecture includes the sequences of continuous LSTM cells. In the LSTM cells, the output gate, input gate, and forget gate were all made up of three units. Figure 3 depicts the construction of an LSTM cell. The LSTM memory cells may save and suggest information for a long time because of this characteristic. Consider $C$ and $h$ as the cell state and hidden state. $(h_t, C_t)$ and $(Y_t, C_{t-1}, h_{t-1})$ are the output and input layers, respectively. At time $t$, the output and input gates and the forget gate are indicated by $O_t$, $I_t$, $G_t$ correspondingly. The LSTM cell uses $G_t$ to filter the data, and it is shown in Eq. (4):

$$G_t = \kappa(W_L Y_t + K_L + W_J h_{t-1} + K_J) \tag{4}$$

where $(W_J, K_J)$ and $(W_L, K_L)$ specify the weight matrix and bias term mapping hidden layer as well as input layer to the forget gate. The activation function of gate ($\kappa$) is selected as sigmoid operation. Based on Eqs. (5), (6), and (7), the LSTM cell makes use of the input gate to coordinate the proper data evaluated, where $(W_X, K_X)$ and $(W_E, K_E)$ are the weight matrices as well as bias parameters that map the input and hidden layers to cell gate. $(W_Q, K_Q)$ and $(W_p, K_p)$ are the weight and bias parameters that map the input as well as hidden layers to $I_t$.

$$U_t = \tanh(W_E Y_t + K_E + W_X h_{t-1} + K_X) \tag{5}$$

$$I_t = \kappa(W_Q Y_t + K_Q + W_p h_{t-1} + K_p) \tag{6}$$

$$C_t = G_t C_{t-1} + I_t U_t \tag{7}$$

Table 5 Higher-order statistical features

| Features | Definitions |
|---|---|
| Skewness | “Skewness is a symmetry measure or the lack of symmetry exactly. A data set or distribution is symmetric only if it is similar to the right and left of the center point [38]. The mathematical expression of skewness $SF_4$ is given below. Here, $Z_q = Z_1, Z_2, \ldots, Z_m$, $\bar{Z}$ indicates the mean value, $\sigma$ denotes the SD, and $m$ refers to the number of data points. Further, $\sigma$ indicates the SD and it is calculated with $m$ present in the denominator rather than $m - 1$ while computing the skewness.” $SF_4 = \dfrac{\sum_{q=1}^{m}\left(Z_q - \bar{Z}\right)^3 / m}{\sigma^3}$ |
| Kurtosis | “Kurtosis is a measure that identifies whether the data are light-tailed or heavy-tailed and related to the normal distribution [38]. The mathematical formula of kurtosis $SF_5$ for univariate data such as $Z_1, Z_2, \ldots, Z_m$ is expressed as follows.” $SF_5 = \dfrac{\sum_{q=1}^{m}\left(Z_q - \bar{Z}\right)^4 / m}{\sigma^4}$ |
| Percentile | “In statistics, a percentile is a score below at or below or a score in which a provided percentage falls in its frequency distribution [39]. It provides an idea of spreading data values from the lower value to the higher value over the interval. About $Q$ percentage of data values comes under $Q$th percentile, and around $100 - Q$ percentage of data values exceeds $J$th percentile.” This feature is represented as $SF_6$ |
| Angular second-order moment | “It is the instant of probability distribution with the arbitrary variable in probability theory and statistics [40]. The moments with higher order are relating to the shape and spread distribution of the location. The $m$th moment related to the central moment of a real-valued random variable $Z$ is the quantity $Z_m = E\left[(Z - E[Z])^m\right]$, where $E$ denotes the expectation operator. The $m$th moment about the mean $\bar{Z}$ is determined for a continuous univariate probability distribution with $f(q)$ PDF.” The moment $SF_7$ is depicted as follows: $SF_7 = E\left[(Z - E[Z])^m\right] = \int_{-\infty}^{+\infty}\left(q - \bar{Z}\right)^m f(q)\,dq$ |
| Entropy | “The entropy [41] is known as the average level of surprise, uncertainty, or information inbuilt in the variable’s feasible resultant of the data theory. The conception of information entropy is sometimes known as the Shannon entropy.” The entropy is represented as $SF_8$: $SF_8 = \dfrac{-\sum_{q=1}^{m} [Z_q]\log[Z_q]}{\operatorname{length}(Z_q)}$ |
| Homogeneity | “Homogeneity is a measure of the overall smoothness.” This feature is denoted by $SF_9$, in which $P$ is the probability: $SF_9 = \sum_{i}\sum_{j}\dfrac{1}{1 + (i - j)^2}\,P_{i,j}$ |

Fig. 3 Architecture of LSTM cell
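One forward step of the LSTM cell of Sect. 3.3.1, written with the page's symbols (forget gate G_t, candidate U_t, input gate I_t, cell state C_t, output gate V_t and hidden state h_t of Eqs. 4 to 9), as an added Python example that is not the authors' code. The helper names, the tiny layer sizes and the constructed input records are assumptions; the paper's network uses 64 cells with SIBRO-tuned weights, which are not reproduced here.

```python
import math


def sigmoid(x):
    """The gate activation kappa."""
    return 1.0 / (1.0 + math.exp(-x))


def gate_input(w_in, k_in, y_t, w_hid, k_hid, h_prev):
    """W_in*Y_t + K_in + W_hid*h_{t-1} + K_hid, one value per hidden unit."""
    return [
        sum(w * y for w, y in zip(w_in[r], y_t)) + k_in[r]
        + sum(w * h for w, h in zip(w_hid[r], h_prev)) + k_hid[r]
        for r in range(len(k_in))
    ]


def lstm_step(p, y_t, h_prev, c_prev):
    """One cell update; p maps the page's weight and bias names to values."""
    g_t = [sigmoid(v) for v in                                   # Eq. (4)
           gate_input(p["W_L"], p["K_L"], y_t, p["W_J"], p["K_J"], h_prev)]
    u_t = [math.tanh(v) for v in                                 # Eq. (5)
           gate_input(p["W_E"], p["K_E"], y_t, p["W_X"], p["K_X"], h_prev)]
    i_t = [sigmoid(v) for v in                                   # Eq. (6)
           gate_input(p["W_Q"], p["K_Q"], y_t, p["W_p"], p["K_p"], h_prev)]
    c_t = [g * c + i * u                                         # Eq. (7)
           for g, c, i, u in zip(g_t, c_prev, i_t, u_t)]
    # The text calls the output gate O_t; Eq. (8) writes it as V_t.
    v_t = [sigmoid(v) for v in                                   # Eq. (8)
           gate_input(p["W_B"], p["K_B"], y_t, p["W_M"], p["K_M"], h_prev)]
    h_t = [v * math.tanh(c) for v, c in zip(v_t, c_t)]           # Eq. (9)
    return h_t, c_t


def zero_params(n_in, n_hid):
    """All weights and biases zero; callers overwrite what they want to study."""
    p = {}
    for w_in, w_hid, k_in, k_hid in (("W_L", "W_J", "K_L", "K_J"),
                                     ("W_E", "W_X", "K_E", "K_X"),
                                     ("W_Q", "W_p", "K_Q", "K_p"),
                                     ("W_B", "W_M", "K_B", "K_M")):
        p[w_in] = [[0.0] * n_in for _ in range(n_hid)]
        p[w_hid] = [[0.0] * n_hid for _ in range(n_hid)]
        p[k_in] = [0.0] * n_hid
        p[k_hid] = [0.0] * n_hid
    return p


def run_sequence(p, records):
    """Feed a sequence of feature vectors through the cell from a zero state."""
    n_hid = len(p["K_L"])
    h, c = [0.0] * n_hid, [0.0] * n_hid
    for y_t in records:
        h, c = lstm_step(p, y_t, h, c)
    return h, c


def forget_gate_demo():
    """Unit 0 gets a large positive forget bias, unit 1 a large negative one."""
    p = zero_params(n_in=3, n_hid=2)
    p["K_L"] = [20.0, -20.0]
    _, c_t = lstm_step(p, [0.2, 0.9, 0.1], [0.0, 0.0], [1.0, -2.0])
    return c_t   # unit 0 keeps its previous cell state, unit 1 erases it


# Constructed sequence: three min-max scaled records with three features each.
RECORDS = [[0.1, 0.0, 0.3], [0.9, 1.0, 0.2], [0.4, 0.5, 0.5]]

if __name__ == "__main__":
    print("cell state after forget gate:", forget_gate_demo())
    q = zero_params(n_in=3, n_hid=2)
    q["W_E"] = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]]   # candidate follows inputs
    print("hidden state after sequence:", run_sequence(q, RECORDS)[0])
```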

Fig. 4 Architecture of DRL (blocks: Agent, Environment; signals: State, Reward, Action)

Lastly, the LSTM receives hidden layer (output) from output gate by Eqs. (8) and (9).

$$V_t = \kappa(W_B Y_t + K_B + W_M h_{t-1} + K_M) \tag{8}$$

$$h_t = V_t \tanh(C_t) \tag{9}$$

where $(W_M, K_M)$ and $(W_B, K_B)$ are the weight and bias parameters for mapping the hidden and input layers to $V_t$. In this work, to design the LSTM network, 64 LSTM cells are used and the sigmoid function is utilized for activation. The LSTM output is represented by $CL_{LSTM}$.

3.3.2 DRL

In this research, the extracted statistical and higher-order statistical features $SF$ are subjected to DRL. The DNN is integrated with reinforcement learning for improving the efficiency, and this integrated field is known as DRL [41].

Reinforcement learning It is one of the active research fields on taking decisions. Moreover, it is utilized for training the agents that interact with surroundings like AI, in which the video games are playing. Moreover, the agents are trained through playing what’s known as “episodes.” The architecture diagram of DRL is shown in Fig. 4.

The agent receives an observation of its initial state $S_1$ at an episode beginning. Once it obtains an observation $S_T$ at each time step $T$, the agent takes an action $a_T$. Further, the surroundings provide a feedback to the agent, i.e., a reward $r_T$ and a novel observation $S_{T+1}$. These interactions are continued till the agent reaches a terminal state, which leads to the conclusion of the present episode and the start of a novel one. Further, the agent is determined through the policy $\chi$ modeling regarding the actions picked. Moreover, the policy $\chi$ is a behavior function as given in Eq. (10) that returns the probability of picking an action in a particular state $S$.

$$\chi(a|S) = P[a_T = a \mid S_T = S] \tag{10}$$

The major aim of the agent is to obtain the greatest sum discounted reward $g_T$ that indicates the future discounted rewards and the immediate reward as per Eq. (11).

$$g_T = \sum_{l=0} \mu^{l}\, r_{T+l} \quad \text{with } \mu \in [0, 1] \tag{11}$$

In Eq. (11), discount factor is $\mu \in [0, 1]$. The agent learned an optimal behavior $\chi^*$ from its interactions $(S_T, a_T, r_T, S_{T+1})$ with the environment throughout the training episodes in reinforcement learning. It would identify the best possible action for each situation. The agent determines the expected return $g_T$ depending on its policy $\chi$ and obtained from state $S$ through opening the game, an action $a$ is selected and it follows the policy $\chi$. It is the action value function known as the Q-function as per Eq. (12).

$$Q^{\chi}(S, a) = F_{\chi}\left[g_T \mid S_T = S, a_T = a\right] \tag{12}$$

$$Q^{\chi}(S, a) = F_{\chi}\left[r_T + \mu Q^{\chi}(S_{T+1}, a_{T+1}) \mid S_T = S, a_T = a\right] \tag{13}$$

Here, $a_{T+1} \sim \chi(\cdot|S_{T+1})$. For a given policy $\chi$, the Q-function indicates whether selecting an action $a$ in a particular state O has good consequences in the subsequent steps, through higher rewards, or not. The Q-function indicates which of two actions $a_1$ and $a_2$ is the better choice. If $Q^{\chi}(S, a_1) > Q^{\chi}(S, a_2)$, then action $a_1$ is a better choice than action $a_2$ when the agent is in state $S$.

The objective of the reinforcement learning issues is to identify the optimal policy $\chi^*$ that the agent must follow to attain the highest rewards $g_T$. For achieving an optimal policy $\chi^*$, the optimal Q-function $Q^*$ must be found. The optimal policy could be inferred naturally from it only if the optimal Q function is recognized, by taking the action maximizing $Q^*$ as per Eq. (14).

$$\chi(a|S) = \begin{cases} 1 & \text{if } a = \arg\max_{a} Q^*(S, a) \\ 0 & \text{else} \end{cases} \tag{14}$$

DQN Model It intends to approximate the optimal Q function $Q^*$ from interactions $(S_T, a_T, r_T, S_{T+1})$ among its environment and an agent. It approximated the function $Q^*$ through a DNN $Q(S, a, \psi)$ with parameters $\psi$, also known as the DQN.

Starting with random parameter $\psi_1$, the agent modified the $\psi$ parameters of its function approximate $Q(S, a, \psi)$ for obtaining an accurate approximation of the true Q-function during episodes of training. Therefore, it altered its policy $\chi$ through acting over its Q function as per Eq. (20). Following each interaction $(S_T, a_T, r_T, S_{T+1})$, it repeats the following scheme. The agent stores its interaction on its replay memory A, and it allows reusing this experience later. Moreover, it


Fig. 5 Solution Encoding (R: W1, W2, ……, WN)

sampled a small batch of transitions $(S, a, r, S')$ randomly from A and performed a step on the DQN in terms of the loss function as per Eq. (15).

$$LF_T(\psi_T) = \left(r + \mu \max_{a'} Q(S', a', \psi_T^{-}) - Q(S, a, \psi_T)\right)^2 \tag{15}$$

Here, $\psi_T^{-}$ indicates the previous fixed version of the DQN. The agent progressively estimates the relationships among the state $S_T$, selects an action $a_T$, and obtains future rewards $g_T$.

The output of DRL is represented by $CL_{DRL}$. The final classification output (Out) is formulated as per Eq. (16).

$$Out = \frac{CL_{LSTM} + CL_{DRL}}{2} \tag{16}$$

3.4 LSTM weight optimization by SIBRO algorithm

3.4.1 Solution encoding and objective function

The suggested SIBRO approach optimizes the weights of the LSTM. The input solution to the proposed SIBRO algorithm is depicted in Fig. 5. The total count of weights in LSTM is N. The objective function or fitness function of the suggested method is evaluated as per Eq. (17), in which err indicates the error value of LSTM

$$Obj = \min(err) \tag{17}$$

3.4.2 Proposed SIBRO algorithm

Even though the conventional BRO [43] model solves the challenging complex problems in various areas and provides better convergence, still BRO would not rank 1st in runtime as it constantly gives swift outcomes. In this paper, the SIBRO algorithm is offered as a solution to this issue. In general, self-enhancement has been demonstrated to be feasible in extant optimization procedures [44–48].

Battle royale video games are competitive, last-man-standing games that were inspired by Battle Royale, a Japanese film. Players in certain battle royale games parachute down onto the map after jumping out of a plane. Furthermore, BRO starts with a random population that is equally distributed in the difficult area. After that, each individual attempts to harm the neighboring soldier via firing a weapon. As a consequence, a soldier in an improved position causes damage to their neighbors. As the soldier is offended by another, the damage level is increased by 1.

The proposed concept deploys the quasi-opposition point. Let $R(R_1, R_2, \ldots, R_n)$ be the point and $\tilde{R}_b$ be the opposition point of $R$, and $R_b \in [w_b, z_b]$, $b = 1, 2, \ldots, n$. Here, n is the count of dimensions. The quasi-opposition point of R is given in Eq. (18), where $y_b$ and $z_b$ indicate the upper and lower boundary of the basic point.

$$\tilde{R}^{qi} = c\left(\frac{y_b + z_b}{2}, \tilde{R}_b\right) \tag{18}$$

These BRO interactions are given as $R_b.damage = R_b.damage + 1$, in which $R_b.damage$ indicates the damage level of the bth soldier in the population. Additionally, soldiers seek to alter their positions as soon as they are damaged, allowing them to attack enemies from the opposite side. During exploitation, the soldiers damaged are migrated to a place among the best position discovered and the previous position. These interactions are determined as per Eq. (19).

$$R_{dam,x} = R_{dam,x} + c\left(R_{best,x} - R_{dam,x}\right) \tag{19}$$

where c indicates a randomly generated number that is distributed uniformly within [0, 1] and $R_{dam,x}$ denotes the damaged soldier position in dimension x. $R_b.damage$ is reset to 0 as the damaged soldiers harm their enemy in the upcoming iteration.

If a damage level of soldiers goes beyond a specified threshold value during exploration, the soldier dies and respawns randomly from the possible issue space with the $R_b.damage$ restored to 0. The threshold value of 3 was found acceptable through trial and error. It allows for further exploration and prevents premature convergence. In Eq. (20), a soldier returns after killed to the issue space.

$$R_{dam,x} = c(u_x - v_x) + v_x \tag{20}$$

In Eq. (20), $u_x$ and $v_x$ indicate the upper and lower bounds of dimension x. Then, the possible search space of the issue starts to shrink down to the best solution at iteration . The initial value is = log10(MC) but = + round 2 . Here, MC indicates the maximum number of generations. Moreover, these interactions are contributed to the exploitation and exploration. Equations (21) and (22) specify the updated lower and upper bound.

$$v_x = R_{best,x} - dR_x \tag{21}$$

$$u_x = R_{best,x} - dR_x \tag{22}$$


Here, $R_{best,x}$ refers to the position of the best solution, and $dR_x$ indicates the SD of entire population in dimension x. If $v_x$/$u_x$ go beyond the original bound, they are set back to the original $v_x$/$u_x$.

If $c < R_{dam}.damage$, it performs the condition $R_b.damage <$ Threshold. Otherwise, based on the suggested SIBRO approach, the positions are updated as per Eq. (23), where Levy(β) indicates the proposed levy update in BRO.

$$R_{dam,x} = R_{dam,d} + c\left(R_{best,x} - R_{dam,x}\right) + \mathrm{Levy}(\beta) \tag{23}$$

The pseudo-code of suggested SIBRO model is given below.

The suggested hybrid classifier + SIBRO technique performance is compared with the traditional techniques like LSTM [24], LR-SVM-DT-RF-ANN [25], BI-LSTM [42], CNN [49], SVM [50], DRL [41], Hybrid classifier + MFO [51], Hybrid classifier + GOA [52], Hybrid classifier + SLnO [53], Hybrid classifier + BRO [43], ML-F [54], and MOPSO [33] correspondingly. Furthermore, the achievement was compared via changing the learning percentage (60, 70, 80, and 90) for diverse performance measures such as “accuracy, sensitivity, specificity, precision, FNR, FPR, F-measure, NPV, and MCC,” correspondingly.
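The SIBRO update rules of Sect. 3.4.2 (Eqs. 18 to 23), written out as an added Python example; it is not the authors' code or their pseudo-code. Assumptions: Mantegna's method for Levy(β), the shrink schedule of the original BRO algorithm, the upper bound taken as R_best + dR, a 0.01 Levy scale, and a constructed quadratic `toy_err` standing in for the LSTM error of Eq. (17).

```python
import math
import random
import statistics

TARGET = [0.4, -0.2, 0.7, 0.1]  # constructed "good" weights for the toy error


def toy_err(weights):
    """Constructed stand-in for the LSTM error of Eq. (17)."""
    return sum((w - t) ** 2 for w, t in zip(weights, TARGET)) / len(TARGET)


def levy_step(beta, rng):
    """One Levy(beta) step via Mantegna's method (assumption for Eq. 23)."""
    sigma = (math.gamma(1 + beta) * math.sin(math.pi * beta / 2)
             / (math.gamma((1 + beta) / 2) * beta * 2 ** ((beta - 1) / 2))) ** (1 / beta)
    u, v = rng.gauss(0, sigma), rng.gauss(0, 1)
    return u / max(abs(v), 1e-12) ** (1 / beta)


def quasi_opposite(point, lo, hi, rng):
    """Eq. (18): random point between the interval centre and the opposite point."""
    centre = (lo + hi) / 2
    return [rng.uniform(*sorted((centre, lo + hi - r))) for r in point]


def sibro_minimize(err, dim, lo, hi, pop=20, max_iter=200,
                   threshold=3, beta=1.5, levy_scale=0.01, seed=0):
    """Return (best_weights, best_error, best_error_per_iteration)."""
    rng = random.Random(seed)
    v, u = [lo] * dim, [hi] * dim          # shrinking lower / upper bounds
    soldiers = []
    for _ in range(pop):                   # random start, improved by Eq. (18)
        r = [rng.uniform(lo, hi) for _ in range(dim)]
        soldiers.append(min(r, quasi_opposite(r, lo, hi, rng), key=err))
    fit = [err(s) for s in soldiers]
    damage = [0] * pop
    b = min(range(pop), key=fit.__getitem__)
    best, best_err = list(soldiers[b]), fit[b]
    history = [best_err]
    delta = max(1, round(math.log10(max_iter)))   # first shrink iteration

    for it in range(1, max_iter + 1):
        for i in range(pop):
            # Each soldier fights its nearest neighbour; the worse one is damaged.
            j = min((k for k in range(pop) if k != i),
                    key=lambda k: sum((p - q) ** 2
                                      for p, q in zip(soldiers[i], soldiers[k])))
            dam, win = (i, j) if fit[i] > fit[j] else (j, i)
            if damage[dam] < threshold:
                damage[dam] += 1
                damage[win] = 0
                for x in range(dim):       # Eq. (23): pull towards best + Levy
                    pull = rng.random() * (best[x] - soldiers[dam][x])
                    moved = soldiers[dam][x] + pull + levy_scale * levy_step(beta, rng)
                    soldiers[dam][x] = min(hi, max(lo, moved))
            else:                          # Eq. (20): respawn inside [v, u]
                soldiers[dam] = [rng.random() * (u[x] - v[x]) + v[x]
                                 for x in range(dim)]
                damage[dam] = 0
            fit[dam] = err(soldiers[dam])
            if fit[dam] < best_err:
                best, best_err = list(soldiers[dam]), fit[dam]
        if it >= delta:                    # Eqs. (21)-(22): shrink around best
            for x in range(dim):
                sd = statistics.pstdev([s[x] for s in soldiers])
                # Plus sign for the upper bound is an assumption of this example.
                v[x], u[x] = max(lo, best[x] - sd), min(hi, best[x] + sd)
            delta += max(1, round(delta / 2))
        history.append(best_err)
    return best, best_err, history


if __name__ == "__main__":
    weights, error, trace = sibro_minimize(toy_err, dim=4, lo=-1.0, hi=1.0, seed=1)
    print("best weights:", [round(w, 3) for w in weights])
    print("error: %.6f (start %.6f)" % (error, trace[0]))
```

In the paper's setting `err` would be the LSTM error on the training data and `dim` the weight count N of Fig. 5.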
4 Results and discussion

For simulation, the suggested research was implemented in PYTHON as well as the resultants were validated.

4.1 Dataset description

In this work, two types of datasets are used, namely UNSW-NB_15 [55] and TON-IOT [56]. For experimentation, dataset UNSW-NB_15 is named as dataset 1 and dataset TON-IOT is named as dataset 2, correspondingly. The brief details of datasets are given as follows.

4.1.1 (i) The UNSW-NB_15 dataset

This dataset includes the total count of records in 2 million and 540,044 are collected in the 4 CSV files, such as UNSW-NB15_1.csv, UNSW-NB15_2.csv, UNSW-NB15_3.csv, and UNSW-NB15_4.csv. Furthermore, the ground truth table is referred as UNSW-NB15_GT.csv as well as the event file list was known as UNSW-NB15_LIST_EVENTS.csv. A training set and a testing set were created from this dataset, named UNSW-NB_15 training-set.csv and UNSW NB_15 testing-set.csv. The training set contained 175,341 records, whereas the testing set contained 82,332 records of various categories, including attack as well as normal.

4.1.2 (ii) The TON-IoT dataset

This dataset contains fresh generations of Industry 4.0/IoT and Industrial IoT datasets for evaluating the fidelity as well as efficiency of numerous cybersecurity applications employing AI, ML, or DL algorithms. It includes CSV examples of the four datasets chosen for calculating the efficacy as well as fidelity of new cyber-security application on the basis of AI and ML algorithms. The quantity of records for training and testing the algorithms, including normal and attack types, is displayed in the “Description_stats_datasets” folder.

4.2 Performance analysis

The implemented technique performance is compared with the extant techniques with respect to certain metrics for dataset 1, as well as it is shown in Figs. 6,


Fig. 6 Performance analysis of the proposed model over the extant approaches for a sensitivity b accuracy c precision d specificity for dataset 1

Fig. 7 Performance analysis of the proposed model over the extant approaches for a FNR b FPR for dataset 1

7, and 8. Similarly, the implemented hybrid classifier + SIBRO technique achieves greater accuracy (~ 0.9) for training percentage 90 than the extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, and Hybrid classifier + BRO approaches as shown in Fig. 6(b). The specificity of the implemented hybrid classifier + SIBRO technique for training percentage 70 is 32.87%, 22.13%, 30.22%, 33.57%, 34.09%, 30.24%, 17.74%, 17.73%, 14.63%, 11.22%, 15.02%, and 12.80% superior to the extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO techniques for dataset 1 as shown in Fig. 6(d). As a result, identical performance is found when other metrics, such as precision, are used. The influences of hybrid classifiers that are trained with the proper features are demonstrated in this assessment. Further, because the LSTM


Fig. 8 Performance analysis of the proposed model over the extant models for a NPV b FMS c MCC for dataset 1

weights were set to perfection, the implemented methodology enabled higher detection outcomes while minimizing errors.

The negative measures such as “FPR and FNR” of the suggested approach over other extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO approaches are shown in Fig. 7. The suggested hybrid classifier + SIBRO approach has shown lower FPR value with better performance than the standard approaches for training percentage 90 in Fig. 7(b). Thus, it shows that the approach with optimal weights ensures less error through the proposed optimization algorithm.

Figure 8 indicates the “MCC, NPV, and F-measure” metrics analysis of the suggested hybrid classifier + SIBRO model than other existing models. On observing the figure, it is shown that the NPV of the suggested hybrid classifier + SIBRO approach achieves a greater value (~ 0.95) for training percentage 90, but the compared extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO approaches attain smaller values. Similarly, the suggested hybrid classifier + SIBRO approach reaches higher MCC (~ 0.94) for training percentage 70 when compared to the training percentage 90 in Fig. 8(c). As a result, the performance of the provided hybrid classifier + SIBRO model outperforms standard approaches.

In addition, the overall performance analysis of the implemented and the standard approaches is depicted in Tables 6 and 7. From Table 6, the precision of the suggested hybrid classifier + SIBRO model is 17.10%, 77.04%, 23.61%, 6.03%, 8.34%, 27.13%, 6.69%, 6.03%, 6.11%, 6.10%, 26.47%, and 26.99% better than other extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO approaches. The suggested hybrid classifier + SIBRO model reaches greater accuracy values (~ 0.927) than other standard techniques for dataset 1. The adopted hybrid classifier + SIBRO technique holds smaller FNR value, and it is 94.86%, 96.05%, 93.08%, 95.04%, 95.16%, 93.08%,


Table 6 Overall performance analysis of the implemented and extant approaches for dataset 1

Methods Sensitivity Specificity Accuracy Precision F-Measure

LSTM [24] 0.6863 0.72147 0.70016 0.7912 0.73503
LR-SVM-DT-RF-ANN [25] 0.49589 0.75181 0.72029 0.21914 0.30396
BI-LSTM [42] 0.60836 0.64673 0.62333 0.72903 0.66325
CNN [49] 0.83379 0.85572 0.84255 0.89679 0.86415
SVM [50] 0.83397 0.8266 0.83096 0.87475 0.85387
DRL [41] 0.568632 0.609248 0.584442 0.695419 0.625667
Hybrid classifier + MFO [51] 0.82448 0.84762 0.83372 0.89054 0.85624
Hybrid classifier + GOA [52] 0.83388 0.85579 0.84263 0.89685 0.86422
Hybrid classifier + SLnO [53] 0.83265 0.85472 0.84147 0.89602 0.86317
Hybrid classifier + BRO [43] 0.83283 0.85488 0.84164 0.89615 0.86333
ML-F [54] 0.875916 0.616229 0.768051 0.701762 0.779227
MOPSO [57] 0.873306 0.610716 0.743581 0.696755 0.785104
Proposed Hybrid classifier + SIBRO model 0.92351 0.93453 0.92795 0.95436 0.93868
Methods MCC NPV FPR FNR
LSTM [24] 0.39903 0.59928 0.27853 0.3137
LR-SVM-DT-RF-ANN [25] 0.18155 0.91393 0.24819 0.50411
BI-LSTM [42] 0.24891 0.51384 0.35327 0.39164
CNN [49] 0.68008 0.77398 0.14428 0.16621
SVM [50] 0.65472 0.77419 0.1734 0.16603
DRL [41] 0.173462 0.473736 0.390752 0.431368
Hybrid classifier + MFO [51] 0.66252 0.76255 0.15239 0.17552
Hybrid classifier + GOA [52] 0.68023 0.77408 0.14421 0.16613
Hybrid classifier + SLnO [53] 0.67791 0.77256 0.14528 0.16735
Hybrid classifier + BRO [43] 0.67826 0.77279 0.14512 0.16717
ML-F [54] 0.510653 0.828095 0.383771 0.124084
MOPSO [57] 0.502418 0.84476 0.389284 0.126694
Proposed Hybrid classifier + SIBRO model 0.85208 0.8918 0.06547 0.07649

93.57%, 93.55%, 89.28%, 82.49%, 83.96%, and 77.18% superior to the traditional models like LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO, respectively, for dataset 2. The implemented approach F-measure in dataset 2 is 38.38%, 68.76%, 32.16%, 9.84%, 40.93%, 32.19%, 36.25%, 36.17%, 21.64%, 12.55%, 19.92%, and 13.72% superior to the extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO techniques. The results have summarized that the implemented hybrid classifier + SIBRO scheme performance is developed over the standard methods.

4.3 Statistical analysis

In Tables 8 and 9, the statistical analysis of the provided model is compared to the previous systems. In this work, the statistical analysis is evaluated based on accuracy. The mean value of the suggested approach provides superior results, and it is 22.69%, 22.54%, 34.60%, 7.88%, 9.75%, 35.93%, 9.28%, 8.69%, 9.11%, 8.39%, 18.61%, and 18.82% better than other traditional models like LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO for dataset 1. Moreover, the best value of the implemented work (~ 0.972) is 34.99%, 25.67%, 27.39%, 15.41%, 36.19%, 27.47%, 13.93%, 13.64%, 15.64%, 5.83%, 3.73%, and 9.89% better than the other traditional LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid


Table 7 Overall performance analysis of the implemented and extant approaches for dataset 2

Methods Sensitivity Specificity Accuracy Precision F-Measure

LSTM [24] 0.61301 0.64815 0.63237 0.58665 0.59954
LR-SVM-DT-RF-ANN [25] 0.49589 0.75181 0.72029 0.21914 0.30396
BI-LSTM [42] 0.71247 0.67368 0.69007 0.6149 0.6601
CNN [49] 0.59899 0.64134 0.6225 0.57234 0.58536
SVM [50] 0.58845 0.63637 0.6152 0.56161 0.57472
DRL [41] 0.712221 0.673544 0.689878 0.614615 0.659828
Hybrid classifier + MFO [51] 0.69052 0.79419 0.76543 0.56297 0.62026
Hybrid classifier + GOA [52] 0.69122 0.79431 0.76567 0.56378 0.62103
Hybrid classifier + SLnO [53] 0.81425 0.82417 0.82066 0.71678 0.76241
Hybrid classifier + BRO [43] 0.88629 0.85714 0.8694 0.81818 0.85088
ML-F [54] 0.875895 0.820414 0.838468 0.701721 0.779193
MOPSO [57] 0.912769 0.841905 0.868593 0.777181 0.839535
Proposed Hybrid classifier + SIBRO model 0.98009 0.96546 0.97278 0.96602 0.973
Methods MCC NPV FPR FNR
LSTM [24] 0.26029 0.67278 0.35185 0.38699
LR-SVM-DT-RF-ANN [25] 0.18155 0.91393 0.24819 0.50411
BI-LSTM [42] 0.38156 0.76212 0.32632 0.28753
CNN [49] 0.23944 0.6662 0.35866 0.40101
SVM [50] 0.22391 0.66139 0.36363 0.41155
DRL [41] 0.381165 0.762005 0.326456 0.287779
Hybrid classifier + MFO [51] 0.45803 0.86985 0.20581 0.30948
Hybrid classifier + GOA [52] 0.45889 0.86994 0.20569 0.30878
Hybrid classifier + SLnO [53] 0.62257 0.89033 0.17583 0.18575
Hybrid classifier + BRO [43] 0.73689 0.91222 0.14286 0.11371
ML-F [54] 0.664277 0.931997 0.179586 0.124105
MOPSO [57] 0.736249 0.941093 0.158095 0.087231
Proposed Hybrid classifier + SIBRO model 0.94566 0.97976 0.03454 0.01991
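The nine columns of Tables 6 and 7 are not independent: sensitivity, specificity and precision fix the class balance of the test set and, with it, every other column. The added example below (not code from the paper; `derive` and `check_row` are names introduced here) recomputes the dependent columns for rows copied from the two tables and reports any cell that disagrees; the tampered row is constructed.

```python
import math

COLUMNS = ("Sensitivity", "Specificity", "Accuracy", "Precision", "F-Measure",
           "MCC", "NPV", "FPR", "FNR")

# Rows copied from Tables 6 and 7 of the page, in COLUMNS order.
PAGE_ROWS = {
    "Table 6, proposed model": (0.92351, 0.93453, 0.92795, 0.95436, 0.93868,
                                0.85208, 0.8918, 0.06547, 0.07649),
    "Table 7, proposed model": (0.98009, 0.96546, 0.97278, 0.96602, 0.973,
                                0.94566, 0.97976, 0.03454, 0.01991),
    "Table 6, LR-SVM-DT-RF-ANN [25]": (0.49589, 0.75181, 0.72029, 0.21914,
                                       0.30396, 0.18155, 0.91393, 0.24819, 0.50411),
}

# Constructed counter-example: the Table 6 proposed row with the MCC cell altered.
TAMPERED_ROW = (0.92351, 0.93453, 0.92795, 0.95436, 0.93868,
                0.90208, 0.8918, 0.06547, 0.07649)


def derive(sens, spec, prec):
    """Recompute the dependent metrics from sensitivity, specificity, precision.

    Precision = TP / (TP + FP) ties the two class-conditional rates to the
    share of positive (attack) records, so that share can be solved for and
    a normalised confusion matrix rebuilt from it.
    """
    if not (0 < sens <= 1 and 0 <= spec < 1 and 0 < prec < 1):
        # With no false positives precision is 1 for any class balance.
        raise ValueError("class balance is not identifiable from these rates")
    fpr, fnr = 1 - spec, 1 - sens
    odds = prec * fpr / (sens * (1 - prec))      # positives : negatives
    p = odds / (1 + odds)                        # share of positive records
    tp, fn = sens * p, fnr * p
    tn, fp = spec * (1 - p), fpr * (1 - p)
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return {
        "Accuracy": tp + tn,
        "F-Measure": 2 * prec * sens / (prec + sens),
        "MCC": (tp * tn - fp * fn) / denom if denom else 0.0,
        "NPV": tn / (tn + fn) if tn + fn else 0.0,
        "FPR": fpr,
        "FNR": fnr,
        "prevalence": p,
    }


def check_row(values, tol=1e-3):
    """Return {column: (reported, recomputed)} for cells that disagree."""
    row = dict(zip(COLUMNS, values))
    derived = derive(row["Sensitivity"], row["Specificity"], row["Precision"])
    return {name: (row[name], round(value, 5))
            for name, value in derived.items()
            if name in row and abs(row[name] - value) > tol}


if __name__ == "__main__":
    for label, values in PAGE_ROWS.items():
        share = derive(values[0], values[1], values[3])["prevalence"]
        print(f"{label}: mismatches={check_row(values)} attack share={share:.3f}")
    print("tampered row:", check_row(TAMPERED_ROW))
```

The recovered attack share also shows how balanced each test split was, which matters when comparing accuracy across the two datasets.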

Table 8 Statistical analysis of the implemented and extant approaches for dataset 1

Approach Mean Median STD Worst Best

LSTM [24] 0.71447 0.71378 0.01858 0.6927 0.73759
LR-SVM-DT-RF-ANN [25] 0.71585 0.72035 0.00914 0.7001 0.72261
BI-LSTM [42] 0.60435 0.61271 0.02208 0.56866 0.62333
CNN [49] 0.85134 0.84918 0.01468 0.83407 0.87293
SVM [50] 0.83403 0.8359 0.00812 0.82215 0.84219
DRL [41] 0.592072 0.595267 0.01686 0.568118 0.609636
Hybrid classifier + MFO [51] 0.83839 0.84063 0.01021 0.82388 0.84841
Hybrid classifier + GOA [52] 0.84386 0.8468 0.00927 0.8292 0.85263
Hybrid classifier + SLnO [53] 0.8399 0.83798 0.0066 0.83361 0.85004
Hybrid classifier + BRO [43] 0.84658 0.84669 0.00544 0.84068 0.85227
ML-F [54] 0.752184 0.753301 0.00849 0.740385 0.761747
MOPSO [57] 0.750197 0.749991 0.00883 0.739689 0.761115
Proposed Hybrid classifier + SIBRO model 0.92413 0.92587 0.00617 0.91429 0.93051


Table 9 Statistical analysis of the implemented and extant approaches for dataset 2

Approach Mean Median STD Worst Best

LSTM [24] 0.61751 0.61938 0.01331 0.59892 0.63237
LR-SVM-DT-RF-ANN [25] 0.7216 0.72151 0.00126 0.72029 0.72308
BI-LSTM [42] 0.69336 0.69092 0.00789 0.68522 0.70637
CNN [49] 0.73171 0.74072 0.07762 0.6225 0.82291
SVM [50] 0.61149 0.61318 0.00801 0.59892 0.62069
DRL [41] 0.692794 0.690422 0.007702 0.684817 0.705514
Hybrid classifier + MFO [51] 0.78212 0.76468 0.03184 0.7619 0.83723
Hybrid classifier + GOA [52] 0.77954 0.76385 0.03539 0.7504 0.84006
Hybrid classifier + SLnO [53] 0.77781 0.76423 0.02475 0.76212 0.82066
Hybrid classifier + BRO [43] 0.8277 0.81628 0.06708 0.76221 0.91604
ML-F [54] 0.86502 0.856439 0.04702 0.81074 0.936463
MOPSO [57] 0.850554 0.867 0.034233 0.791677 0.876537
Proposed Hybrid classifier + SIBRO model 0.93161 0.92413 0.02806 0.90538 0.97278

classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO models for dataset 2. The outcomes of the proposed hybrid classifier + SIBRO approach have proved its improvement by detecting the exact attacks in IoT virtually in all test instances. As a result, the proposed strategy has been improved in a successful manner.

4.4 Analysis based on features

The analysis of the proposed work on the basis of features for different training percentages is illustrated in Tables 10 and 11. Moreover, the features include raw features + LSTM + DRL + SIBRO model, and statistical features + LSTM + DRL + SIBRO model. On observing the table, the raw features + LSTM + DRL + SIBRO model attains maximum sensitivity values (~ 0.834) for training percentage 60 when compared to the training percentage 90 for dataset 1. In addition, the statistical features + LSTM + DRL + SIBRO model holds better MCC for training percentage 60 than the raw features + LSTM + DRL + SIBRO model. Moreover, the performance difference has attained with respect to the variation of learning percentage. Further, the accuracy of the raw features + LSTM + DRL + SIBRO model has shown (~ 0.01) difference than the statistical features + LSTM + DRL + SIBRO model for training percentage 60 on dataset 1.

5 Conclusion

This research has provided a unique attack detection technique. In the detection phase, the average of both LSTM and DRL classifiers is utilized. To improve the performance of detection results, the weight of LSTM was optimized via the SIBRO algorithm. Lastly, the performance of the suggested technique was compared to the extant techniques. Particularly, the specificity of the suggested technique for training percentage 70 is 32.87%, 22.13%, 30.22%, 33.57%, 34.09%, 30.24%, 17.74%, 17.73%, 14.63%, 11.22%, 15.02%, and 12.80% better than the extant LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO techniques for dataset 1. In statistical analysis, the best case demonstrates an enhancement of suggested work (~ 0.972) with accurate results and it is 34.99%, 25.67%, 27.39%, 15.41%, 36.19%, 27.47%, 13.93%, 13.64%, 15.64%, 5.83%, 3.73%, and 9.89% better than the other traditional LSTM, LR-SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO models for dataset 2. Thus, the efficiency of the implemented technique is validated. In future research, we will utilize other deep learning networks to enhance the performance of attack detection as well as implement it in real IoT networks.


Table 10 Analysis of the suggested work with various feature combinations on dataset 1

Metrics Raw features + LSTM + DRL + SIBRO model Statistical features + LSTM + DRL + SIBRO model

Training percentage 60
Precision 0.744873 0.750009
Sensitivity 0.834899 0.838616
Accuracy 0.756846 0.761775
Specificity 0.665561 0.67146
MCC 0.510135 0.519815
F-measure 0.787321 0.791841
FPR 0.334439 0.32854
NPV 0.775125 0.779731
FNR 0.165101 0.161384
Training percentage 70
Precision 0.733312 0.732846
Sensitivity 0.826468 0.826126
Accuracy 0.745747 0.745299
Specificity 0.652393 0.651864
MCC 0.488366 0.487487
F-measure 0.777109 0.776695
FPR 0.347607 0.348136
NPV 0.764746 0.764327
FNR 0.173532 0.173874
Training percentage 80
Precision 0.732564 0.743636
Sensitivity 0.825919 0.834002
Accuracy 0.745028 0.755659
Specificity 0.651545 0.664145
MCC 0.486957 0.507806
F-measure 0.776446 0.786231
FPR 0.348455 0.335855
NPV 0.764074 0.774016
FNR 0.174081 0.165998
Training percentage 90
Precision 0.723066 0.727574
Sensitivity 0.818917 0.822248
Accuracy 0.735904 0.740235
Specificity 0.640846 0.645911
MCC 0.469086 0.477566
F-measure 0.768012 0.772019
FPR 0.359154 0.354089
NPV 0.755533 0.759588
FNR 0.181083 0.177752

Table 11 Analysis of the suggested work with various feature combinations on dataset 2

Metrics Raw features + LSTM + DRL + SIBRO model Statistical features + LSTM + DRL + SIBRO model

Training percentage 60
Precision 0.728241 0.787558
Sensitivity 0.82274 0.865247
Accuracy 0.797142 0.805008
Specificity 0.77869 0.737173
MCC 0.594314 0.609593
F-measure 0.772612 0.824577
FPR 0.22131 0.262827
NPV 0.859042 0.829294
FNR 0.17726 0.134753
Training percentage 70
Precision 0.733491 0.510056
Sensitivity 0.826599 0.643258
Accuracy 0.800245 0.567347
Specificity 0.781031 0.506749
MCC 0.600866 0.15014
F-measure 0.777267 0.568965
FPR 0.218969 0.493251
NPV 0.860685 0.640217
FNR 0.173401 0.356742
Training percentage 80
Precision 0.739194 0.68299
Sensitivity 0.830769 0.788657
Accuracy 0.803645 0.713286
Specificity 0.783623 0.638943
MCC 0.60801 0.432272
F-measure 0.782311 0.73203
FPR 0.216377 0.361057
NPV 0.8625 0.754005
FNR 0.169231 0.211343
Training percentage 90
Precision 0.751 0.705
Sensitivity 0.839 0.806
Accuracy 0.810 0.733
Specificity 0.789 0.659
MCC 0.623 0.470
F-measure 0.793 0.752
FPR 0.210 0.340
NPV 0.866 0.770
FNR 0.160 0.193


Declarations

Conflict of interest The authors declare no conflict of interest.

References

1. Kaliyar P, Jaballah WB, Lal C (2020) LiDL: localization with early detection of sybil and wormhole attacks in IoT networks. Comput Secur 94:101849
2. Liu L, Ma Z, Meng W (2019) Detection of multiple-mix-attack malicious nodes using perceptron-based trust in IoT networks. Future Gener Comput Syst 101:865–879
3. Rathore S, Park JH (2018) Semi-supervised learning based distributed attack detection framework for IoT. Appl Soft Comput 72:79–89
4. Rahman MA, Asyhari AT, Zolkipli MF (2020) Scalable machine learning-based intrusion detection system for IoT-enabled smart cities. Sustain Cities Soc 61:102324. https://doi.org/10.1016/j.scs.2020.102324
5. Kore A, Patil S (2020) IC-MADS: IoT enabled cross layer man-in-middle attack detection system for smart healthcare application. Wireless Pers Commun 113:727–746. https://doi.org/10.1007/s11277-020-07250-0
6. Nweke HF, Teh YW, Mujtaba G et al (2019) Multi-sensor fusion based on multiple classifier systems for human activity identification. Hum Cent Comput Inf Sci 9:34. https://doi.org/10.1186/s13673-019-0194-5
7. Wang N, Li W, Alipour-Fanid A, Dabaghchian M, Zeng K (2020) Compressed-sensing-based pilot contamination attack detection for NOMA-IoT communications. IEEE Internet Things J 7(8):7764–7772. https://doi.org/10.1109/JIOT.2020.2991956
8. Al-Hamadi H, Chen I-R, Wang D-C, Almashan M (2020) Attack and defense strategies for intrusion detection in autonomous distributed IoT systems. IEEE Access 8:168994–169009. https://doi.org/10.1109/ACCESS.2020.3023616
9. Roy RG, Ghoshal D (2020) Search and rescue optimization algorithm - second order sliding mode control: AUV error tracking. J Comput Mech Power Syst Control 3:10–20
10. Anand S (2020) Intrusion detection system for wireless mesh networks via improved whale optimization. J Netw Commun Syst 3:9–16
11. Rajeyyagari S (2020) Automatic speaker diarization using deep LSTM in audio lecturing of e-Khool platform. J Netw Commun Syst 3:17–25
12. Chakkaravarthy SS, Sangeetha D, Cruz MV, Vaidehi V, Raman B (2020) Design of intrusion detection honeypot using social leopard algorithm to detect IoT ransomware attacks. IEEE Access 8:169944–169956. https://doi.org/10.1109/ACCESS.2020.3023764
13. Kponyo JJ, Agyemang JO, Boateng JO (2020) Lightweight and host-based denial of service (DoS) detection and defense mechanism for resource-constrained IoT devices. Internet Things 12:100319
14. Mirsky Y, Golomb T, Elovici Y (2020) Lightweight collaborative anomaly detection for the IoT using blockchain. J Parallel Distrib Comput 145:75–97
15. Roldán J, Boubeta-Puig J, Ortiz G (2020) Integrating complex event processing and machine learning: an intelligent architecture for detecting IoT security attacks. Expert Syst Appl 149:113251
16. Almiani M, AbuGhazleh A, Razaque A (2020) Deep recurrent neural network for IoT intrusion detection system. Simul Model Pract Theory 101:102031
17. Zhou M, Han L, Lu H et al (2020) Intrusion detection system for IoT heterogeneous perceptual network. Mobile Netw Appl. https://doi.org/10.1007/s11036-019-01483-5
18. Kumar P, Gupta GP, Tripathi R (2020) A distributed ensemble design based intrusion detection system using fog computing to protect the internet of things networks. J Ambient Intell Human Comput. https://doi.org/10.1007/s12652-020-02696-3
19. Shirsat P (2020) Developing deep neural network for learner performance prediction in EKhool online learning platform. Multimedia Res 3:24–31
20. Cristin R, Raj VC, Marimuthu R (2019) Face image forgery detection by weight optimized neural network model. Multimedia Res 2:19–27
21. Shaik JB, Ganesh V (2020) Deep neural network and social ski-driver optimization algorithm for power system restoration with VSC - HVDC technology. J Comput Mech Power Syst Control 3:1–9
22. Babu MJ, Reddy AR (2020) SH-IDS: specification heuristics based intrusion detection system for IoT networks. Wireless Pers Commun 112:2023–2045. https://doi.org/10.1007/s11277-020-07137-0
23. Elrawy M, Awad A, Hamed H (2018) Intrusion detection systems for IoT-based smart environments: a survey. J Cloud Comp. https://doi.org/10.1186/s13677-018-0123-6
24. Samy A, Yu H, Zhang H (2020) Fog-based attack detection framework for internet of things using deep learning. IEEE Access 8:74571–74585. https://doi.org/10.1109/ACCESS.2020.2988854
25. Hasan M, Islam MM, Hashem MM (2019) Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches. Int Things 7:100059
26. Ravi N, Shalinie SM (2020) Learning-driven detection and mitigation of ddos attack in iot via sdn-cloud architecture. IEEE Int Things J 7(4):3559–3570. https://doi.org/10.1109/JIOT.2020.2973176
27. Bhayo J, Hameed S, Shah SA (2020) An efficient counter-based DDoS attack detection framework leveraging software defined ioT (SD-IoT). IEEE Access 8:221612–221631. https://doi.org/10.1109/ACCESS.2020.3043082
28. Khan AY, Latif R, Latif S, Tahir S, Batool G, Saba T (2020) Malicious insider attack detection in IoTs using data analytics. IEEE Access 8:11743–11753. https://doi.org/10.1109/ACCESS.2019.2959047
29. Vu L, Nguyen QU, Nguyen DN, Hoang DT, Dutkiewicz E (2020) Deep transfer learning for IoT attack detection. IEEE Access 8:107335–107344. https://doi.org/10.1109/ACCESS.2020.3000476
30. Ma Z, Liu L, Meng W (2020) Towards multiple-mix-attack detection via consensus-based trust management in IoT networks. Comput Secur 96:101898
31. Baig ZA, Sanguanpong S, So-In C (2020) Averaged dependence estimators for DoS attack detection in IoT networks. Future Gener Comput Sys 102:198–209
32. Zarpelão BB, Miani RS, Kawakani CT, de Alvarenga SC (2017) A survey of intrusion detection in Internet of Things. J Netw Comput Appl 84:25–37
33. Kasongo SM (2021) An advanced intrusion detection system for IIoT based on GA and tree based algorithms. IEEE Access 9:113199–113212
34. Liu Z (2011) A method of SVM with normalization in intrusion detection. Procedia Environ Sci 11:256–262
35. Moustafa N, Slay J (2016) The evaluation of network anomaly detection systems: statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inform Secur J A Global Perspect 25(1–3):18–31. https://doi.org/10.1080/19393555.2015.1125974
36. https://en.wikipedia.org/wiki/Statistic.
37. https://en.wikipedia.org/wiki/Standard_deviation


38. https://www.itl.nist.gov/div898/handbook/eda/section3/eda35b. 49. LeCun Y, Kavukvuoglu K, Farabet C (2010) Convolutional net-


htm#:~:text=Skewness%20is%20a%20measure%20of,relative% works and applications in vision. In Circuits and Systems, Interna-
20to%20a%20normal%20distribution. tional Symposium on, 253–256
39. https://en.wikipedia.org/wiki/Percentile 50. Avci E (2009) A new intelligent diagnosis system for the heart
40. https://en.wikipedia.org/wiki/Central_moment#:~:text=In% valve diseases by using genetic-SVM classifier. Expert Syst Appl
20probability%20theory%20and%20statistics,random% 36:10618–10626
20variable%20from%20the%20mean. 51. Mirjalili S (2015) Moth-flame optimization algorithm: a Novel
41. Martinez C, Perrin G, Ramasso E, Rombaut M (2018) A deep rein- nature-inspired heuristic paradigm. Knowledge Based Syst
forcement learning approach for early classification of time series. 89:228–249
2018 26th Eur Signal Process Conf (EUSIPCO), pp 2030–2034. 52. Saremi S, Mirjalili S, Lewis A (2017) Grasshopper optimisation
https://doi.org/10.23919/eusipco.2018.8553544 algorithm: theory and application. Adv Eng Softw 105:30–47
42. Zhou X, Lin J, Zhang Z, Shao Z, Liu H (2019) Improved itracker 53. Masadeh R, Mahafzah B, Sharieh A (2019) Sea Lion Optimization
combined with bidirectional long short-term memory for 3D gaze Algorithm. Int J Adv Comput Sci Appl 10:388–395
estimation using appearance cues. Neuro Comput 390:217–225 54. Krishna ES, Thangavelu A (2021) Attack detection in IoT devices
43. Rahkar Farshi T (2021) Battle royale optimization algorithm. using hybrid metaheuristic lion optimization algorithm and firefly
Neural Comput Appl 33(4):1139–1157. https://doi.org/10.1007/ optimization algorithm. Int J Syst Assurance Eng Manag 1-14.
s00521-020-05004-4 https://doi.org/10.1007/s13198-021-01150-7
44. Rajakumar BR (2013) Impact of static and adaptive mutation 55. The UNSW-NB15 Dataset. https://research.unsw.edu.au/projects/
techniques on genetic algorithm. Int J Hybrid Intelligent Sys unsw-nb15-dataset
10(1):11–22. https://doi.org/10.3233/HIS-120161 56. https://research.unsw.edu.au/projects/toniot-datasets
45. Rajakumar BR (2013) Static and adaptive mutation techniques for 57. Habib M, Aljarah I, Faris H, Mirjalili S (2020) Multi-objective par-
genetic algorithm: a systematic comparative analysis. Int J Com- ticle swarm optimization for botnet detection in internet of things,
put Sci Eng 8(2):180–193. https://doi.org/10.1504/IJCSE.2013. In: Evolutionary machine learning techniques, Springer publisher,
053087 Singapore, pp. 203–229
46. Swamy SM, Rajakumar BR, Valarmathi IR (2013) Design of
hybrid wind and photovoltaic power system using opposition-based
genetic algorithm with cauchy mutation. IET Chennai fourth inter-
Publisher’s Note Springer Nature remains neutral with regard to juris-
national conference on sustainable energy and intelligent systems
dictional claims in published maps and institutional affiliations.
(Seiscon 2013), chennai, India, Dec 2013, Doi: https://doi.org/10.
1049/ic.2013.0361
47. George A, Rajakumar BR (2013) APOGA: an adaptive popula-
tion pool size based genetic algorithm. AASRI Procedia - 2013
AASRI conference on intelligent systems and control (ISC 2013).
Am Appl Sci Res Inst 4:288–296. https://doi.org/10.1016/j.aasri.
2013.10.043
48. Rajakumar BR, George A (2012) A new adaptive mutation tech-
nique for genetic algorithm. In: proceedings of IEEE international
conference on computational intelligence and computing research
(ICCIC), pp. 1–7, Dec 18–20, Coimbatore, India, Doi: https://doi.
org/10.1109/ICCIC.2012.6510293
