Hybrid Deep Learning Model For Attack Detection in Internet of Things
Hybrid Deep Learning Model For Attack Detection in Internet of Things
https://doi.org/10.1007/s11761-022-00342-8
ORIGINAL RESEARCH
Received: 29 January 2022 / Revised: 9 June 2022 / Accepted: 19 June 2022 / Published online: 27 October 2022
© The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature 2022
Abstract
Internet of things (IoT) provides a new application, which helps the existing networks communicate with smart technologies.
Things are now becoming increasingly connected to the Internet, and lots of new gadgets are being created at a faster rate.
Since these interconnected smart objects are capable of interacting with one another in undefended surroundings, the entire
communication ecology needs solutions related to security at various levels. Unlike the existing networks, IoT technology
has its own set of features, including various network protocol requirements and a variety of resource constraints. To launch
different attacks, the attacker takes many security vulnerabilities in the IoT system. The growth in cyber-attacks has rendered
it important to address the consequences implied in the IoT. This paper intends to introduce a novel attack detection model.
Originally, the input data are preprocessed, from which the most relevant features are extracted that include raw features,
statistical features, and higher-order statistical features. The extracted features are subjected to the classification process. More
importantly, the extracted raw features are directly given to the long short-term memory (LSTM), and the extracted statistical
and higher-order statistical features are subjected to the deep reinforcement learning (DRL) for the classification process.
Then, the average of both LSTM and DRL provides the detected output in an effective manner. To improve the performance
of detection results, the weight of LSTM is optimized by the self-improved battle royale optimization (SIBRO) algorithm. At
the end, the performance of the presented scheme is compared to the existing approaches in terms of different metrics like
“F-measure, specificity, NPV, accuracy, FNR, sensitivity, precision, FPR, and MCC,” respectively.
123
294 Service Oriented Computing and Applications (2022) 16:293–312
MOPSO Multi-objective particle swarm opti- • In the detection phase, an optimization-assisted hybrid
mization LSTM and DRL model is introduced for identifying the
NIDS Network-based IDS presence of attacks in IoT.
NPV Net predictive value • To make the detection more accurate, a self-improved bat-
PDE Perceptron detection with enhancement tle royale optimization (SIBRO) algorithm is proposed for
PDF Probability density function tuning the weight parameter of LSTM.
RF Random forest • The proposed SIBRO is an enhanced version of the classic
SDN Software-defined network BRO algorithm.
SLnO Sea lion optimization
SVM Support vector machine The organization of the study is as follows: The reviews
on attack detection in IoT are described in Sect. 2. Section 3
depicts the adopted attack detection paradigm in the Internet
of things, as well as the comprehensive method. Section 4
shows the outcomes as well as discussion. Section 5 presents
1 Introduction the conclusion of this work.
123
Service Oriented Computing and Applications (2022) 16:293–312 295
Samy et al. [24] LSTM DL method Higher rate of detection The proposed work was not contrasted
Increased recall with RL as well as unsupervised DL
approaches
Mahmudul et al. [25] LR-SVM-DT-RF-ANN Maximum accuracy The adopted model does not guarantee
Higher precision other unknown problems and the big
Improved recall data
Better F1-score
Ravi et al. [26] LEDEM method High accuracy The proposed model has planned to
Increased throughput probe into other ML approaches
Improved recall
Better F-measure
Bhayo et al. [27] C-DAD model Decreased throughput The adopted work has not worked with
Low attack detection time multiple IoT networks in
Increased CPU utilization heterogeneous environments
Khan et al. [28] AI technique Low computational overhead Need to develop the proposed model
Less false positives with attack prevention from insider
Enhanced attack detection attacks and better accuracy
accuracy
Vu et al. [29] DTL method Improved accuracy The proposed work needs larger time
Better predicting time for training the approach
High AUC score
Improved effectiveness
Zuchao et al. [30] DCONST approach Higher detection accuracy Need to optimize the parameters of
Increased attack probability DCONST for handling the different
network conditions
Zubair et al. [31] A1DE and A2DE techniques Higher accuracy Different aspects required intensive
Maximum precision investigation like scalability, traffic
Better recall density, diversity, etc., to enhance the
Improved F-score detection performance
comparison with other traditional models, the experimen- distance measuring approach with AI-based solution had the
tal results showed an increased accuracy rate of 96.28% in greatest accuracy than any classic models.
identifying DDoS attacks. In 2020, Vu et al. [29] suggested a DTL system, which
In 2020, Bhayo et al. [27] suggested an SD–IoT-based allows data from many IoT devices that could be used
platform for IoT security services. The C-DAD program was for learning. A DTL model was characterized by two
created using counter values for several network character- AEs particularly. Additionally, the outcomes of the adopted
istics that aid in the effective detection of DDoS attacks. The scheme were examined by extensive tests on 9 current IoT
IoT devices, IoT controller, SDNWISE controller, and SOPS datasets. When compared to the current DTL schemes and
comprised up the framework. Different counter-based func- the baseline DL method, the simulation results demonstrated
tionalities were incorporated in the suggested framework’s that the chosen DTL scheme greatly improved the accuracy
sub-modules like flow monitor and analyzer to identify the in identifying IoT attacks.
DDoS attacks in the SD–IoT network. Through SDN, the In 2020, Zuchao et al. [30] have investigated a method
algorithm achieved improved performance. called DCONST that could be used to assess the trust-
In 2020, Khan et al. [28] established a method for mon- worthiness of IoT nodes by providing specific information.
itoring harmful insider attacks in IoT environments using Furthermore, the proposed strategy has been classified as
distance measuring techniques with AI characteristics. It con- a kind of multiple-mix-attack which mixes three common
tains a comprehensive review of conventional systems for attacks—drop, tamper, and replay—with an unknown prob-
recognizing harmful attacks in the IoT context. To protect the ability. DCONST was able to detect hostile nodes and
security in the IoT environment with sensitive and important evaluate their specific attack patterns using K-means clus-
data of sensors/devices, the Levenshtein distance measuring tering techniques. Particularly, the DCONST-Normal and
technique was employed in the suggested system for recog- DCONST-Proactive might enhance detection rates by 5–20%
nizing the hostile attacks. The findings revealed that the LV as compared to DCONST-Light.
123
296 Service Oriented Computing and Applications (2022) 16:293–312
Normal data
exchange
IoT servers
In 2019, Zubair et al. [31] presented a DoS detection and better accuracy. Next, the DTL method was imple-
framework that includes module for creation and feature mented in [29] that provides an improved accuracy, better
ranking, testing, data production, and training. To recognize predicting time, high AUC score, and improved effective-
the DoS attacks, the A1DE and A2DE methods were rede- ness. Still, the proposed work requires more time to train the
fined and implemented in IoT networks. The development of model. DCONST approach [30] provides higher detection
voting schemes and multi-scheme for DoS attack detection rate, higher detection accuracy, and increased attack proba-
in IoT has used an integration of A2DE and A1DE. Further- bility. However, there is a need to optimize the parameters
more, the conventional approaches and the adopted system of DCONST for handling the different network condi-
were sorely tested in real-world IoT attack situations, and the tions. Finally, the A1DE and A2DE techniques [31] provide
results have proven the efficiency of the proposed work. improved F-score, precision, recall, as well as accuracy, but
the different aspects required intensive investigation like scal-
2.2 Summary ability, traffic density, diversity, etc., to enhance the detection
performance. Thus, these challenges need to be considered
Table 1 represents the review on attack detection in IoT. At on the basis of attack detection in IoT of this research suc-
first, the LSTM DL approach [24] provides maximum detec- cessfully.
tion rate, improved precision, increased recall, and maximum
detection accuracy; however, the proposed work was not con- 2.3 General attack detection framework in IoT
trasted with RL as well as unsupervised DL approaches.
Moreover, the LR-SVM-DT-RF-ANN method [25] provides IoT is an important component of new information technol-
maximum accuracy, improved recall, higher precision, and ogy in the information age. The IoT server is in charge of the
better F1-score. Nevertheless, the adopted model does not critical functions of terminal sensor processing, data collect-
guarantee other unknown problems and the big data. LEDEM ing, and processing result return. Because of the increasing
method [26] offers high accuracy, increased throughput, expansion of IoT technologies, security is even more vital
improved recall, and better F-measure, but the proposed in the cyber-world. IDS can also be used to protect Internet
model has planned to probe into other ML approaches. Like- servers. Numerous IoT servers and devices are immediately
wise, the C-DAD model [27] offers decreased throughput, accessible to the public Internet due to sophisticated remote
low attack detection time, and increased CPU utilization. control capabilities. IDS is essential for guarding and iden-
However, the adopted work has not worked with multiple tifying harmful attacks on IoT servers. The IDS observes
IoT networks in heterogeneous environments. AI technique the operations of a host or network and notifies the system
was exploited in [28] that has reduced the computational administrator whenever it identifies a security violation. Gen-
overhead, minimized false positives, and improved attack erally, NIDS attached to one or more network segments as
detection accuracy; however, there is a need to develop the well as observes network traffic for malicious activities. The
proposed model with attack prevention from insider attacks HIDS is connected to a computer device as well as observes
123
Service Oriented Computing and Applications (2022) 16:293–312 297
Data Pre-processing
Feature Extraction
Classification
Optimal
weights
LSTM Deep
Reinforcement
Learning
Proposed SIBRO
Algorithm Average
Output
123
298 Service Oriented Computing and Applications (2022) 16:293–312
malicious activity within the system. Unlike NIDS, the HIDS Table 2 Flow features
examines system calls, running processes, file system modi-
S. No Features Description
fications, inter-process communication, and application logs
in addition to network traffic [32]. Therefore, the use of IDS 1 Dstip Destination IP address
would protect both terminal users and service providers from 2 Dsport Destination port number
Internet threats.
3 Scrip Source IP address
Moreover, security safeguards are not fully attained in the
4 Sport Source port number
IoT application because the attack plane is limited. The goal
5 Proto Protocol type (UDP, Tc)
of this paper is to offer a unique deep learning-based attack
detection system for the IoT, as depicted in Fig. 1.The imple-
mented approach deals with the behavior of attackers in the
network via standard datasets. a given feature in the feature space Y.
ym − min (ym )
yNORM (a − b) (1)
max (ym ) − min (ym )
3 Description of the suggested attack
detection approach in IoT
123
Service Oriented Computing and Applications (2022) 16:293–312 299
Features Description
123
300 Service Oriented Computing and Applications (2022) 16:293–312
Features Definitions
Mean “The process in which the sum of all values divided by the sum of number of values is known to be mean value [36]. Here, the
mean is denoted as Z . In the following equation, Z represents the observed value and m indicates the number of values.”
m
Z m1 Zq
q1
Median “Median [36] is the process, in which the middle values in a dataset are organized in an ascending order. If the dataset contains 2
values in middle, then the mean of 2 middle values is regarded as the median of the data. The median is indicated as S F1 . In the
following equation, m represents the number of values and Z denotes the ordered list of values in dataset.”
⎛⎧ m ⎞
⎪
⎪ Z if m is odd
⎜ ⎨ 2 ⎟
SF1 ⎜ ⎝ ⎪ Z m−1 + Z m+1
⎟
⎠
⎪
⎩ 2 2
if m is even
2
Mode “Mode is the most frequent value present in the database. It is one among the major central tendency metrics, that is used with
normal data that have completely subjective class assignments. The mode is represented as SF2 . The mode is the value in a series
of observation that occurs with higher frequency.”
SD “SD is a measure of set of a dispersion values or amount of variation. The lower SD [37] denotes the values that tend to be nearer to
the mean value, whereas a larger SD denotes the extended values over a larger range. The SD is represented as SF3 , and it is given
in Eq. (3). Here, Z indicates the symbol of sample mean.”
1
m 2
SF3 m−1 Zq − Z
q1
Finally, the statistical and higher-order statistical features cell state and hidden state. (h t , Ct ) and (Yt , Ct−1 , h t−1 )
are represented by S F, as well as it is given in Eq. (3): are the output and input layers, respectively. At time t, the
output and input gates and the forget gate are indicated by
SF Z + SF1 + SF2 + SF3 + SF4 + SF5 + SF6 + SF7 + SF8 + SF9 Ot , It , G t correspondingly. The LSTM cell uses G t to filter
(3) the data, and it is shown in Eq. (4):
For the classification process (multi-classification of attack where (W J , K J ) and (W L , K L ) specify the weight matrix
types), the raw features RF are given as the input to LSTM. and bias term mapping hidden layer as well as input layer
The retrieved statistical and higher-order statistical features to the forget gate. The activation function of gate ( κ) is
SF are subjected to DRL. Both classifiers are run simulta- selected as sigmoid operation. Based on Eqs. (5), (6), and
neously, as well as the results are averaged to get the final (7), the LSTM cell makes use of the input gate to coordinate
classification outcomes. the proper data evaluated, where (W X , K X ) and (W E , K E )
are the weight matrices as well as bias parameters that map
3.3.1 LSTM the input and hidden layers to cell gate. W Q , K Q and
W p , K p are the weight and bias parameters that map the
The LSTM is given the retrieved raw characteristics (RF). input as well as hidden layers to It .
The LSTM network uses a linear connection as well as gate
control unit to solve gradient desertion problems. The high
reliance of time-series data is captured by the LSTM network. Ut tanh(W E Yt + K E + W X h t−1 + K X ) (5)
The LSTM [42] architecture includes the sequences of
continuous LSTM cells. In the LSTM cells, the output gate,
input gate, and forget gate were all made up of three units. It κ W Q Yt + K Q + W p h t−1 + K p (6)
Figure 3 depicts the construction of an LSTM cell. The LSTM
memory cells may save and suggest information for a long
time because of this characteristic. Consider C and h as the Ct G t Ct−1 + It Ut (7)
123
Service Oriented Computing and Applications (2022) 16:293–312 301
Features Definitions
Skewness “Skewness is a symmetry measure or the lack of symmetry exactly. A data set or distribution is symmetric
only if it is similar to the right and left of the center point [38]. The mathematical expression of skewness
S F4 is given below. Here, Z q Z 1 ,Z 2 , …, Z m , Z indicates the mean value, σ denotes the SD, and m
refers to the number of data points. Further, σ indicates the SD and it is calculated with m present in the
denominator rather than m − 1 while computing the skewness.”
m 3
Z q −Z /m
S F4 q1
σ3
Kurtosis “Kurtosis is a measure that identifies whether the data are light-tailed or heavy-tailed and related to the
normal distribution [38]. The mathematical formula of kurtosis S F5 for univariate data such as Z 1 ,Z 2 , …,
Z m is expressed as follows.”
m 4
Z q −Z /m
S F5 q1
σ4
Percentile “In statistics, a percentile is a score below at or below or a score in which a provided percentage falls in its
frequency distribution [39]. It provides an idea of spreading data values from the lower value to the higher
value over the interval. About Q percentage of data values comes under Q th percentile, and around
100 − Q percentage of data values exceeds J th percentile.” This feature is represented as S F6
Angular second-order moment “It is the instant of probability distribution with the arbitrary variable in probability theory and statistics
[40]. The moments with higher order are relating to the shape and spread distribution of the location. The
m th moment related to the central moment of a real-valued random variable Z is the quantity
Z m E (Z − E[Z ]m ) , where E denotes the expectation operator. The m th moment about the mean Z
is determined for a continuous univariate probability distribution with f (q) PDF.” The moment S F7 is
depicted as follows:
−∞ m
S F7 E Z − E[Z ]m +∞ q − Z f (q)dq‘
Entropy “The entropy [41] is known as the average level of surprise, uncertainty, or information inbuilt in the
variable’s feasible resultant of the data theory. The conception of information entropy is sometimes
known as the Shannon entropy.” The entropy is represented as S F8
m
− q1 [ Z q ] log[ Z q ]
S F8 length ( Z q )
Homogeneity “Homogeneity is a measure of the overall smoothness.” This feature is denoted by S F9 , in which P is the
probability
S F9 1
2 Pi, j
1+(i− j)
i j
× +
tanh
× ×
tanh
123
302 Service Oriented Computing and Applications (2022) 16:293–312
∞
State Reward Action
gT μl r T +l with μ (11)
l0
Environment
In Eq. (11), discount factor is μ∈[0, 1] . The agent
learned
an optimal behavior χ ∗ from its interactions
Fig. 4 Architecture of DRL ST , aT , r T , ST +1 with the environment throughout the train-
ing episodes in reinforcement learning. It would identify the
best possible action for each situation. The agent determines
Lastly, the LSTM receives hidden layer (output) from out- the expected return gT depending on its policy χ and obtained
put gate by Eqs. (8) and (9). from state S through opening the game, an action a is selected
and it follows the policy χ . It is the action value function
Vt κ(W B Yt + K B + W M h t−1 + K M ) (8) known as the Q-function as per Eq. (12).
123
Service Oriented Computing and Applications (2022) 16:293–312 303
Here, t− indicates the previous fixed version of the DQN. These BRO interactions are given as Rb .damage
The agent progressively estimates the relationships among Rb .damage + 1, in which Rb .damage indicates the bth soldier
the state ST , selects an action aT , and obtains future rewards of the damage level between the population. Additionally,
gT . soldiers seek to alter their positions as soon as they are dam-
The output of DRL is represented by CLDRL . The final aged, allowing them to attack enemies from the opposite side.
classification output is (Out) formulated as per Eq. (16). During exploitation, the soldiers damaged are migrated to a
place among the best position discovered and the previous
CLLSTM + CLDRL position. These interactions are determined as per Eq. (19).
Out (16)
2
Rdam, x Rdam, x + c Rbest, x − Rdam, x (19)
3.4 LSTM weight optimization by SIBRO algorithm where c indicates a randomly generated number that is dis-
tributed uniformly within [0, 1] and Rdam, x denotes the
3.4.1 Solution encoding and objective function damaged soldier position in dimension x. Rb .damage is reset
to 0 as the damaged soldiers harm their enemy in the upcom-
The suggested SIBRO approach optimizes the weights of the ing iteration.
LSTM. The input solution to the proposed SIBRO algorithm If a damage level of soldiers goes beyond a specified
is depicted in Fig. 5. The total count of weights in LSTM is threshold value during exploration, the soldier died and
N . The objective function or fitness function of the suggested respawned randomly from the possible issue space with the
method is evaluated as per Eq. (17), in which err indicates Rb .damage restored to 0. The value of threshold 3 was
the error value of LSTM acceptable throughout mistake and trial. It allows for further
exploration and prevents premature convergence. In Eq. (20),
Obj min (err) (17) a soldier returns after killed to the issue space.
123
304 Service Oriented Computing and Applications (2022) 16:293–312
Here, Rbest, x refers to the position of the best solution, and The suggested hybrid classifier + SIBRO technique per-
d Rx indicates the SD of entire population in dimension x. formance is compared with the traditional techniques like
If vx /u x go beyond the original bound, it puts to the normal LSTM [24], LR-SVM-DT-RF-ANN [25], BI-LSTM [42],
vx /u x . CNN [49], SVM [50], DRL [41], Hybrid classifier +
If c<Rdam.damage , it performs the condition Rb .damage < MFO [51], Hybrid classifier + GOA [52], Hybrid clas-
Threshold. Otherwise, based on the suggested SIBRO sifier + SLnO [53], Hybrid classifier + BRO [43], ML-
approach, the positions are updated as per Eq. (23), where F [54], and MOPSO [33] correspondingly. Furthermore,
Levy(β) indicates the proposed levy update in BRO. the achievement was compared via changing the learning
percentage (60, 70, 80, and 90) for diverse performance
Rdam, x Rdam, d + c Rbest, x − Rdam, x + Levy(β) (23) measures such as “accuracy, sensitivity, specificity, preci-
sion, FNR, FPR, F-measure, NPV, and MCC,” correspond-
The pseudo-code of suggested SIBRO model is given ingly.
below.
4.1 Dataset description
123
Service Oriented Computing and Applications (2022) 16:293–312 305
Fig. 6 Performance analysis of the proposed model over the extant approaches for a sensitivity b accuracy c precision d specificity for dataset 1
Fig. 7 Performance analysis of the proposed model over the extant approaches for a FNR b FPR for dataset 1
7, and 8. Similarly, the implemented hybrid classifier + 17.74%, 17.73%, 14.63%, 11.22%, 15.02%, and 12.80%
SIBRO technique achieves greater accuracy (~ 0.9) for superior to the extant LSTM, LR-SVM-DT-RF-ANN, BI-
training percentage 90 than the extant LSTM, LR-SVM- LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid
DT-RF-ANN, BI-LSTM, CNN, SVM, Hybrid classifier classifier + GOA, Hybrid classifier + SLnO, Hybrid classifier
+ MFO, Hybrid classifier + GOA, Hybrid classifier + + BRO, ML-F, and MOPSO techniques for dataset 1 as shown
SLnO, and Hybrid classifier + BRO approaches as shown in Fig. 6(d). As a result, identical performance is found when
in Fig. 6(b). The specificity of the implemented hybrid other metrics, such as precision, are used. The influences of
classifier + SIBRO technique for training percentage 70 hybrid classifiers that are trained with the proper features are
is 32.87%, 22.13%, 30.22%, 33.57%, 34.09%, 30.24%, demonstrated in this assessment. Further, because the LSTM
123
306 Service Oriented Computing and Applications (2022) 16:293–312
Fig. 8 Performance analysis of the proposed model over the extant models for a NPV b FMS c MCC for dataset 1
weights were set to perfection, the implemented methodol- classifier + MFO, Hybrid classifier + GOA, Hybrid classi-
ogy enabled higher detection outcomes while minimizing fier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO
errors. approaches attain smaller values. Similarly, the suggested
The negative measures such as “FPR and FNR” of the hybrid classifier + IBRO approach reaches higher MCC (~
suggested approach over other extant LSTM, LR-SVM-DT- 0.94) for training percentage 70 when compared to the train-
RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + ing percentage 90 in Fig. 8(c). As a result, the performance
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, of the provided hybrid classifier + IBRO model outperforms
Hybrid classifier + BRO, ML-F, and MOPSO approaches are standard approaches.
shown in Fig. 7. The suggested hybrid classifier + SIBRO In addition, the overall performance analysis of the imple-
approach has shown lower FPR value with better perfor- mented and the standard approaches is depicted in Tables 6
mance than the standard approaches for training percentage and 7. From Table 6, the precision of the suggested hybrid
90 in Fig. 7(b). Thus, it shows that the approach with optimal classifier + SIBRO model is 17.10%, 77.04%, 23.61%,
weights ensures less error through the proposed optimization 6.03%, 8.34%, 27.13%, 6.69%, 6.03%, 6.11%, 6.10%,
algorithm. 26.47%, and 26.99% better than other extant LSTM, LR-
Figure 8 indicates the “MCC, NPV, and F-measure” met- SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid
rics analysis of the suggested hybrid classifier + SIBRO classifier + MFO, Hybrid classifier + GOA, Hybrid classi-
model than other existing models. On observing the figure, fier + SLnO, Hybrid classifier + BRO, ML-F, and MOPSO
it is shown that the NPV of the suggested hybrid classi- approaches. The suggested hybrid classifier + SIBRO model
fier + SIBRO approach achieves a greater value (~ 0.95) for reaches greater accuracy values (~ 0.927) than other stan-
training percentage 90, but the compared extant LSTM, LR- dard techniques for dataset 1. The adopted hybrid clas-
SVM-DT-RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid sifier + SIBRO technique holds smaller FNR value, and
it is 94.86%, 96.05%, 93.08%, 95.04%, 95.16%, 93.08%,
123
Service Oriented Computing and Applications (2022) 16:293–312 307
Table 6 Overall performance analysis of the implemented and extant approaches for dataset 1
93.57%, 93.55%, 89.28%, 82.49%, 83.96%, and 77.18% 4.3 Statistical analysis
superior to the traditional models like LSTM, LR-SVM-DT-
RF-ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + In Tables 8 and 9, the statistical analysis of the provided
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, model is compared to the previous systems. In this work, the
Hybrid classifier + BRO, ML-F, and MOPSO, respectively, statistical analysis is evaluated based on accuracy. The mean
for dataset 2. The implemented approach F-measure in value of the suggested approach provides superior results,
dataset 2 is 38.38%, 68.76%, 32.16%, 9.84%, 40.93%, and it is 22.69%, 22.54%, 34.60%, 7.88%, 9.75%, 35.93%,
32.19%, 36.25%, 36.17%, 21.64%, 12.55%, 19.92%, and 9.28%, 8.69%, 9.11%, 8.39%, 18.61%, and 18.82% better
13.72% superior to the extant LSTM, LR-SVM-DT-RF- than other traditional models like LSTM, LR-SVM-DT-RF-
ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier + ANN, BI-LSTM, CNN, SVM, DRL, Hybrid classifier +
MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO, MFO, Hybrid classifier + GOA, Hybrid classifier + SLnO,
Hybrid classifier + BRO, ML-F, and MOPSO techniques. Hybrid classifier + BRO, ML-F, and MOPSO for dataset 1.
The results have summarized that the implemented hybrid Moreover, the best value of the implemented work (~ 0.972)
classifier + SIBRO scheme performance is developed over is 34.99%, 25.67%, 27.39%, 15.41%, 36.19%, 27.47%,
the standard methods. 13.93%, 13.64%, 15.64%, 5.83%, 3.73%, and 9.89% better
than the other traditional LSTM, LR-SVM-DT-RF-ANN, BI-
LSTM, CNN, SVM, DRL, Hybrid classifier + MFO, Hybrid
123
308 Service Oriented Computing and Applications (2022) 16:293–312
Table 7 Overall performance analysis of the implemented and extant approaches for dataset 2
Table 8 Statistical analysis of the implemented and extant approaches for dataset 1
123
Service Oriented Computing and Applications (2022) 16:293–312 309
Table 9 Statistical analysis of the implemented and extant approaches for dataset 2
123
310 Service Oriented Computing and Applications (2022) 16:293–312
Table 10 Analysis of the suggested work with various feature combi- Table 11 Analysis of the suggested work with various feature combi-
nations on dataset 1 nations on dataset 2
Metrics Raw features + LSTM + Statistical features + Metrics Raw features + LSTM + Statistical features +
DRL + SIBRO model LSTM + DRL + DRL + SIBRO model LSTM + DRL +
SIBRO model SIBRO model
123
Service Oriented Computing and Applications (2022) 16:293–312 311
123
312 Service Oriented Computing and Applications (2022) 16:293–312
123