
The Journal of Supercomputing

https://doi.org/10.1007/s11227-024-06409-x

A hybrid approach for efficient feature selection in anomaly intrusion detection for IoT networks

Aya G. Ayad1 · Nehal A. Sakr1 · Noha A. Hikal1

Accepted: 30 July 2024


© The Author(s) 2024

Abstract
The exponential growth of Internet of Things (IoT) devices underscores the need for robust security measures against cyber-attacks. Extensive research in the IoT security community has centered on effective traffic detection models, with a particular focus on anomaly intrusion detection systems (AIDS). This paper specifically addresses the preprocessing stage for IoT datasets and feature selection approaches to reduce the complexity of the data. The goal is to develop an efficient AIDS that strikes a balance between high accuracy and low detection time. To achieve this goal, we propose a hybrid feature selection approach that combines filter and wrapper methods. This approach is integrated into a two-level anomaly intrusion detection system. At level 1, our approach classifies network packets into normal or attack, with level 2 further classifying the attack to determine its specific category. One critical aspect we consider is the imbalance in these datasets, which is addressed using the Synthetic Minority Over-sampling Technique (SMOTE). To evaluate how the selected features affect the performance of the machine learning model across different algorithms, namely Decision Tree, Random Forest, Gaussian Naive Bayes, and k-Nearest Neighbor, we employ benchmark datasets: BoT-IoT, TON-IoT, and CIC-DDoS2019. Evaluation metrics encompass detection accuracy, precision, recall, and F1-score. Results indicate that the decision tree achieves high detection accuracy, ranging between 99.82 and 100%, with short detection times ranging between 0.02 and 0.15 s, outperforming existing AIDS architectures for IoT networks and establishing its superiority in achieving both accuracy and efficient detection times.

Keywords Internet of Things · Intrusion detection system · Machine learning · Real-time · Feature selection

Extended author information available on the last page of the article


Content courtesy of Springer Nature, terms of use apply. Rights reserved.


A. G. Ayad et al.

1 Introduction

The Internet of Things (IoT) encompasses a wide range of objects integrated with sensors and triggers that collect, process, and share data with other objects, software, and platforms. This groundbreaking technology trend is spurring an unprecedented information revolution, making it one of the most disruptive technologies in recent history, capturing the attention of society and academia [1]. IoT networks consist of everyday objects like smart converters, lamps, ovens, and refrigerators, as well as temperature sensors, IP cameras, smoke detectors, and even more advanced devices like RFID, heartbeat detectors, and parking sensors [2, 3]. However, building robust IoT networks presents numerous challenges, including limited resources, low energy efficiency, device heterogeneity, handling massive amounts of data, ensuring high-bandwidth data transport, scalability, and most importantly, the security of user data and privacy [4]. This paper aims to detect and mitigate potential threats, unauthorized access, and other anomalous activities within IoT networks, ultimately enhancing their security and protecting the integrity of data [5].
The Intrusion Detection System (IDS) is a prominent system that is constantly proposed to defend networks. An IDS is a software program that supervises a network or system to detect anomalous traffic or policy deviations [6]. IDS can be classified according to different aspects, like scope and detection approach. Regarding its scope, there are Host-Intrusion Detection Systems (HIDS) and Network-Intrusion Detection Systems (NIDS). The IDS in the HIDS resides on each host in the network, employing its resources, whereas the IDS in the NIDS exists on the server or a network tap at the network layer to handle device communications. According to its detection approach, there is a Signature-based Intrusion Detection System (SIDS), also called Misuse Detection System, and an Anomaly-based Intrusion Detection System (AIDS) [7]. SIDS can detect attacks by matching the attack pattern with previously stored patterns in the database. It is highly effective at identifying known attacks by matching patterns with pre-defined signatures stored in a database [8], which leads to generating fewer false positives. However, it is ineffective against new, unknown attacks or zero-day exploits, as it relies on existing signatures. In addition, the utilized database of attack signatures must be regularly updated to include new attack patterns, requiring continuous maintenance, and attackers can modify known attack patterns slightly to avoid detection by SIDS.
On the other hand, AIDS is based on a set of rule-based mechanisms rather than pattern recognition. AIDS aims to identify any deviation from normal system operation by monitoring system activity and categorizing it as either normal or abnormal. Detecting attack traffic requires AIDS to be trained to recognize abnormal activity. AIDS operates in two stages: training and testing [8]. During the training stage, the system learns from a dataset to discern the normal and abnormal patterns of network traffic based on distinct features. Subsequently, the testing stage solely focuses on evaluating the system’s ability to classify current traffic based on what it learned during the training phase. Anomalies are typically identified through various techniques, with artificial intelligence techniques being the most common approach. In particular, machine learning techniques have the most significant potential for detecting anonymous anomalous behavior [9]. So, these features make AIDS effective against zero-day exploits that are not covered by SIDS. Additionally, AIDS can adjust to evolving network environments over time, continuously learning and improving its detection capabilities, and the use of machine learning and Artificial Intelligence (AI) techniques can enhance the accuracy and efficiency of anomaly detection. However, AIDS can generate a significant number of false positives, as any deviation from the norm is flagged as a potential threat, which can overwhelm administrators. Besides, AIDS requires a training phase to learn normal behavior patterns, which can be time-consuming and resource-intensive.
In this paper, we address several key challenges in enhancing the effectiveness of AIDS for IoT networks. One significant hurdle in developing efficient AIDS for IoT networks is the high consumption of IoT resources and the need to support real-time applications. Proper preprocessing and feature selection are crucial for reducing data complexity, facilitating faster training, and improving detection efficiency. These steps enhance the performance of machine learning models and accelerate the anomaly detection process. We propose a hybrid feature selection approach that combines filter and wrapper methods to identify the most relevant features. IoT datasets often suffer from class imbalance, where the number of normal instances significantly outweighs the number of attack instances. This imbalance can adversely affect the performance of machine learning models. To address this, we employ the Synthetic Minority Over-sampling Technique (SMOTE) to generate synthetic samples for the minority class, thereby balancing the dataset. Our proposed system is structured into two levels. At level 1, the system classifies network packets as normal or attack. At level 2, the system further classifies the detected attack to determine its specific category. This hierarchical approach improves the accuracy and specificity in identifying attack categories. We evaluate the performance of our proposed feature selection and anomaly detection approach using multiple machine learning algorithms, including Decision Tree, Random Forest, Gaussian Naive Bayes, and k-Nearest Neighbor. This comprehensive evaluation allows us to identify the most effective algorithm for our proposed system. We use three benchmark datasets, namely BoT-IoT, TON-IoT, and CIC-DDoS2019, to evaluate our system.
The main contributions of this paper are as follows:

• Propose a lightweight model that results in a significant reduction in detection time.
• Propose a hybrid feature selection method aimed at enhancing the efficiency of IDS by selecting the relevant features.
• Propose a two-level real-time AIDS model for comprehensive attack detection.
• Handle the unbalanced-dataset problem with SMOTE, effectively tackling data imbalance.
• Assess the proposed model’s robustness using three benchmark datasets, ensuring its performance generalizes effectively across diverse scenarios.

The paper is structured as follows: Sect. 2 offers a synopsis of recent relevant works. Section 3 discusses our proposed model. Section 4 discusses the comprehensive tests and findings, while Sect. 5 outlines the discussion. Finally, Sect. 6 proposes a conclusion and future work.

2 Related work

In this section, we discuss related work in the field of attack detection and feature selection, providing an overview of existing research on developing AIDS models for IoT networks and analyzing their methodologies, strengths, and drawbacks. To conclude this section, a summary of these methods is presented in Table 1.
Habeeb and Babu [10] employed a two-step approach for feature selection. First, they calculated the correlation between features to identify potential redundancies. Second, they utilized a hybrid optimization algorithm, combining the Whale Optimization Algorithm (WOA) with a Genetic Algorithm (GA), resulting in a final set of 32 features. They trained their model using K-Nearest Neighbors (K-NN) on the BoT-IoT dataset, achieving an accuracy of 99.5%.
Sun et al. [11] address the limitations in the Internet of Medical Things (IOMT)
by proposing an IDS. Their approach leverages Particle Swarm Optimization (PSO)
to select the most relevant features from the data and then utilizes the AdaBoost
algorithm to classify potential attacks. This model is evaluated on the NSL-KDD
dataset and achieved an accuracy of 98.5% with 12 selected features.
Dey et al. [12] introduced a hybrid feature selection approach that combines statistical test-based filter methods, such as Chi-Square, Pearson’s Correlation Coefficient (PCC), and Mutual Information (MI), with a metaheuristic technique called Non-Dominated Sorting Genetic Algorithm (NSGA-II) for feature optimization. The effectiveness of the approach was assessed using the TON-IoT dataset and evaluated with a Support Vector Machine (SVM). By utilizing 13 features from 43, the model achieved accuracy up to 99.48%. Mohy-eddine et al. [13] employed a combination of univariate statistical tests, principal component analysis (PCA), and genetic algorithms (GA) to select the most relevant features for their model, which resulted in ten features. Their model is evaluated by K-NN using the BoT-IoT dataset, achieving an accuracy, precision, recall, and F1-score of 99.99%, with 57.73 s in the detection.
Azar et al. [14] proposed four hybrid IDS for satellite-terrestrial systems using
Random Forest (RF) and Sequential Forward Feature Selection (SFS). The systems
include RF-SFS, RF-SFS-ANN (RF-SFS with Artificial Neural Network), RF-SFS-
LSTM (RF-SFS with Long Short-Term Memory), and RF-SFS-GRU (RF-SFS with
Gated Recurrent Unit). Evaluated on the STIN dataset, RF-SFS achieved 90.5%
accuracy, and RF-SFS-GRU reached 87%. On the UNSW-NB15 dataset, RF-SFS
obtained 78.52% accuracy, while RF-SFS-GRU achieved 79.00%.
Sharma et al. [15] also proposed the Deep Neural Network (DNN) as a detection classifier, where it was trained with UNSW-NB15. They selected the best-related features with PCC. They applied Generative Adversarial Networks (GANs) to address class imbalance problems within the dataset. The model achieved a 91.00% accuracy rate. Dina et al. [16] addressed this problem of data imbalance from a focal loss function. Focal loss is used to train Convolutional Neural Network (CNN) and Feed-forward Neural Network (FNN) instead of cross-entropy. To assess the effectiveness of their model, they utilized datasets Bot-IoT, WUSTL-IIoT-2021, and WUSTL-EHMS-2020. When CNN trained on these datasets, it achieved accuracy up to 86.77%, 98.21%, and 93.08%, respectively. When FNN trained on these datasets, it achieved accuracy up to 91.55%, 98.95%, and 93.26%, respectively.

Table 1  An overview of the assessed anomaly-based intrusion detection systems for Internet of Things networks
(Columns: Study; Methodology: Classifier, Feature Selection, Dataset; Results: Accuracy (%), Detection time (s); Strengths; Limitations)

Habeeb and Babu [10]
  Classifier: KNN
  Feature selection: Corr, WOA, GA
  Dataset: BoT-IoT
  Accuracy (%): 99.50
  Detection time (s): N/A
  Strengths: 1- GA enhanced the model.
  Limitations: 1- Model is trained on one dataset. 2- A high number of features can lead to increased computational complexity during the training process, resulting in slower training times.

Sun et al. [11]
  Classifier: AdaBoost
  Feature selection: PSO
  Dataset: NSL-KDD
  Accuracy (%): 98.50
  Detection time (s): N/A
  Strengths: 1- A low number of features. 2- High accuracy.
  Limitations: 1- Only one dataset used. 2- The dataset is general, not specific about IOMT.

Dey et al. [12]
  Classifier: SVM
  Feature selection: filter approach
  Dataset: TON-IoT
  Accuracy (%): 99.48
  Detection time (s): N/A
  Strengths: 1- Hybrid between filter approaches (Chi-Square, Pearson’s Correlation Coefficient, and Mutual Information) and Genetic Algorithm (Non-Dominated Sorting).
  Limitations: 1- Only accuracy metric used. 2- Only one dataset used.

Mohy-eddine et al. [13]
  Classifier: KNN
  Feature selection: PCA, univariate statistical tests, GA
  Dataset: BoT-IoT
  Accuracy (%): 99.99
  Detection time (s): 57.73
  Strengths: 1- The primary objective is to improve the accuracy and detection rate of the IDS. 2- The researchers adopt a holistic approach to selecting features.
  Limitations: 1- Only one dataset was used. 2- Long detection time.

Azar et al. [14]
  Classifier: RF, GRU, ANN, LSTM
  Feature selection: SFS
  Dataset: STIN, UNSW-NB15
  Accuracy (%): STIN (90.5, 87.00, 71.47, 86.00); UNSW-NB15 (78.52, 79.00, 78.23, 78.00)
  Detection time (s): N/A
  Strengths: 1- Evaluation done by two distinct domains of dataset. 2- Four hybrid IDS for satellite-terrestrial communication systems.
  Limitations: 1- Low accuracy results.

Sharma et al. [15]
  Classifier: DNN
  Feature selection: PCC
  Dataset: UNSW-NB15
  Accuracy (%): 91.00
  Detection time (s): N/A
  Strengths: 1- Solved imbalance problem using GAN.
  Limitations: 1- Only one dataset was used. 2- Features extracted through one direction, which is statistics.

Dina et al. [16]
  Classifier: CNN, FNN
  Feature selection: N/A
  Dataset: Bot-IoT, WUSTL-IIoT-2021, WUSTL-EHMS-2020
  Accuracy (%): Bot-IoT (86.77, 98.21); WUSTL-IIoT-2021 (93.08, 91.55); WUSTL-EHMS-2020 (98.95, 93.26)
  Detection time (s): N/A
  Strengths: 1- Using focal loss to solve imbalance problem. 2- Distinct domains of used datasets.
  Limitations: 1- F1_score was low when using WUSTL-IIoT-2021.

Kareem et al. [17]
  Classifier: K-NN
  Feature selection: GTO, BSA
  Dataset: NSL-KDD, CICIDS-2017, UNSW-NB15, BoT-IoT
  Accuracy (%): K-NN with CICIDS-2017 = 98.79; K-NN with BoT-IoT = 99.28
  Detection time (s): K-NN with BoT-IoT = 145.5 s
  Strengths: 1- Working across multiple datasets.
  Limitations: 1- Long detection time.

Sharma et al. [18]
  Classifier: DNN
  Feature selection: Correlation
  Dataset: KDDCUP99
  Accuracy (%): 98.25
  Detection time (s): N/A
  Strengths: 1- Applying L2 regularization technique.
  Limitations: 1- Only one dataset was used.

Adeniyi et al. [19]
  Classifier: DFFNN
  Feature selection: DAE
  Dataset: NF-ToN-IoT
  Accuracy (%): 89.00
  Detection time (s): N/A
  Strengths: 1- The proposed model was tested using a recently introduced dataset of IoT/IIoT systems.
  Limitations: 1- Low accuracy results.

Hikal and Elgayar [20]
  Classifier: DT, SVM, RF, BPNN
  Feature selection: PCC, SCC, Jaccard index
  Dataset: Generated
  Accuracy (%): 99.70
  Detection time (s): 30–80 s
  Strengths: 1- Pay attention to the detection time.
  Limitations: 1- High detection time.

Ullah and Mahmoud [21]
  Classifier: DT at the binary level; RF at the multi-label level
  Feature selection: Flow features
  Dataset: BoT-IoT
  Accuracy (%): Binary level = 99.99; Multi level = 99.68%
  Detection time (s): N/A
  Strengths: 1- Two consecutive levels.
  Limitations: 1- Only one used dataset.
Kareem et al. [17] introduced a feature selection method that improved upon the Gorilla Troops Optimizer (GTO) with the integration of the Bird Swarm Algorithm (BSA). They evaluated their approach by applying the K-NN classifier to four datasets: NSL-KDD, UNSW-NB15, CICIDS-2017, and BoT-IoT. The results indicated that the K-NN classifier achieved high detection accuracy and specificity in the CIC-IDS-2017 dataset, with values of 98.79% and 99.68%, respectively. The BoT-IoT dataset yielded a sensitivity of 99.28% and a detection time of 145.75 s. Sharma et al. [18] conducted a study where they computed the correlation between features and removed highly correlated ones. In their evaluation, they utilized a DNN classifier and employed the KDDCUP99 dataset. They achieved a detection rate of 98.25%.
Adeniyi et al. [19] implemented deep feedforward neural networks (DFFNN) to detect the attacks and deep autoencoder (DAE) to reduce dimensions. They evaluated their model using NF-ToN-IoT, and then, the model achieved 89.00% accuracy.
Hikal and Elgayar [20] proposed a lightweight model for botnet attack detection using RF, Decision Tree (DT), SVM, and Back-propagation Neural Networks (BPNN). Their study utilized a dataset collected from three types of IoT cameras connected via Wi-Fi. The authors selected the most relevant and important features using the PCC, Spearman Correlation Coefficient (SCC), and Jaccard Index. The proposed framework achieved detection times of 30–80 s with a detection accuracy of 99.70%.
Ullah and Mahmoud [21] proposed a binary and multi-classification model that was based on flow features extracted from the BoT-IoT dataset. The model leveraged a DT at the first level and an RF at the second level. DT achieved an accuracy of up to 99.99% at the first level, while RF achieved an accuracy of up to 99.68% at the second level.
In the realm of IoT systems, researchers have extensively investigated machine learning and deep learning methods to enhance intrusion detection capabilities. These efforts have led to notable advancements, including enhanced accuracy, reduced false alarms, and improved detection of IoT-related attacks. However, some current methods exhibit several limitations. Some involve high computational complexity, such as WOA combined with GA [10], which incurs high computational overhead and makes them impractical for real-time applications. Several studies, including those by Sun et al. [11], Mohy-eddine et al. [22] and Ullah and Mahmoud [21], evaluate their models on a single dataset, limiting the generalizability of their results. Methods such as those proposed by Sharma et al. [15] and Dina et al. [16] have tackled class imbalance issues, but there is still room for improvement in the effectiveness of these solutions. Methods like Dey et al. [12] and Azar et al. [14] utilize advanced feature selection techniques, but they suffer from low accuracy in certain contexts.
To address these issues, this study introduces a unified IDS targeting real-time applications. It comprises a hybrid feature selection technique that blends speed, simplicity, and quality through a fusion of filter and wrapper techniques. The proposed method is evaluated using state-of-the-art machine learning algorithms and the latest datasets through multilevel detection and by addressing the imbalance problem, aiming to overcome the aforementioned limitations.

3 The proposed model

This study aims to create an efficient Anomaly Intrusion Detection System (AIDS) specifically designed for IoT networks. The system aims to achieve high detection accuracy and efficiency while being able to run in real-time by integrating advanced feature selection techniques with robust classification algorithms. This necessitates the application of suitable preprocessing and feature selection approaches to address challenges specific to IoT networks, as mentioned in recent literature. Figure 1 illustrates the main stages of the proposed approach: (1) IoT dataset, (2) data preprocessing, (3) hybrid feature selection, and (4) multi-level detection. A comprehensive discussion of each of these stages is elaborated upon in the subsequent subsections.

3.1 Data pre-processing

In general, data preprocessing or data engineering is usually the first step in any experiment. The process of feeding the raw data to the classification model before solving its constraints might result in misleading predictions [23]. The data preprocessing stage involves data cleaning, categorical feature encoding, the balance of the dataset, and feature normalization. These steps are summarized in Algorithm 1.

Fig. 1  Architecture of the proposed model

Algorithm 1  Data preprocessing

3.1.1 Data cleaning

Data cleaning is a critical preprocessing step that ensures the integrity and reliability of the dataset used for building an IDS in IoT environments. This process involves several technical procedures aimed at refining the raw data to enhance the performance and accuracy of the IDS. The primary steps include:

• Duplicate row removal: Each entry in the dataset must be unique to avoid redundant information, which can bias the model. This can be achieved using comparison-based methods to detect and remove identical rows across the dataset.
• Handling missing values: Preventing skewed analysis and model predictions involves addressing incomplete data entries. Strategies such as imputation, where missing values are filled with the mean, median, or mode of the respective feature, are employed. In cases where missing values are significant, rows with missing values beyond a certain threshold can be excluded.
• Outlier detection and exclusion: Identifying and managing data points that deviate significantly from the remainder of the data is crucial, as these could indicate noise or rare events. Outliers may be excluded or flagged for further investigation.

3.1.2 Feature encoding

To effectively apply feature selection and classification models, it is essential to convert categorical features into numerical data. This conversion process, known as feature encoding, ensures that categorical features are represented by their corresponding numerical values. To accomplish this, the Label Encoder is utilized, which assigns a unique integer number to each categorical feature based on their alphabetical order. By converting categorical features into numerical values, we enable the feature selection and classification models to process the data efficiently [24].

3.1.3 Balancing the dataset

Class imbalance, which is common in IDS datasets, can affect prediction quality [25]. In this situation, it is challenging to maintain good generalization for the minor classes. To achieve balance in these datasets, there are two main techniques: oversampling and undersampling. Oversampling techniques tend to increase the number of samples in the minor class, while undersampling techniques tend to decrease the number of samples in the majority class until they equal the samples in other classes. Because the used datasets suffer from a large difference between the number of samples in the classes, it was better to use oversampling techniques to increase the number of samples in the minor class rather than decreasing the number of samples in the majority class. To mitigate these issues, we applied the Synthetic Minority Over-sampling Technique (SMOTE) [26] as introduced in Algorithm 2, proposed by Chawla et al. [27]. SMOTE generates new samples rather than replicating existing ones, which helps in maintaining a larger and more balanced dataset.


Algorithm 2  SMOTE

3.1.4 Feature normalization

Some datasets’ features have significantly varying magnitudes, ranges, and units. Because the datasets are so diverse, feature scaling is frequently employed to standardize the range of independent variables and to ensure they contribute equally to the model. A Min–Max normalization is used to normalize the data in the range [0, 1]. Equation (1) shows the mathematical equation needed to calculate the Min–Max normalization [28].

$$\bar{X} = \frac{x - x_{\min}}{x_{\max} - x_{\min}} \qquad (1)$$

where $\bar{X}$ is the normalized value, $x$ is an original feature value, and $x_{\max}$ and $x_{\min}$ are the maximum and minimum values of this feature.
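The four preprocessing steps of Sect. 3.1 (duplicate removal, missing-value imputation, label encoding, SMOTE balancing, and Min–Max normalization) can be chained as below. This is an added example, not the paper's code or Algorithm 1 itself: the flow records, their column names and the class labels are constructed for illustration, and SMOTE is implemented directly (nearest-neighbour interpolation, as in Chawla et al.) rather than taken from a library. It runs offline with the standard library only.

```python
"""Preprocessing pipeline of Sect. 3.1 (added example; not the paper's code).

Steps, in the order of Algorithm 1: duplicate-row removal, missing-value
imputation, label encoding of categorical columns, SMOTE oversampling of
the minority class, and Min-Max normalization (Eq. (1)).
"""
import math
import random
from collections import Counter
from statistics import mean

# Constructed toy flow records; column names are assumptions, not a real dataset.
RAW_ROWS = [
    {"proto": "tcp", "pkts": 10.0, "bytes": 1200.0, "label": "normal"},
    {"proto": "tcp", "pkts": 10.0, "bytes": 1200.0, "label": "normal"},  # exact duplicate
    {"proto": "udp", "pkts": 3.0, "bytes": None, "label": "normal"},      # missing value
    {"proto": "udp", "pkts": 4.0, "bytes": 300.0, "label": "normal"},
    {"proto": "icmp", "pkts": 1.0, "bytes": 64.0, "label": "normal"},
    {"proto": "tcp", "pkts": 500.0, "bytes": 60000.0, "label": "attack"},
    {"proto": "tcp", "pkts": 480.0, "bytes": 58000.0, "label": "attack"},
]
CATEGORICAL, NUMERIC, LABEL = ["proto"], ["pkts", "bytes"], "label"


def remove_duplicates(rows):
    """Keep the first occurrence of each identical row (Sect. 3.1.1)."""
    seen, out = set(), []
    for r in rows:
        key = tuple(sorted(r.items()))
        if key not in seen:
            seen.add(key)
            out.append(dict(r))
    return out


def impute_missing(rows, numeric, categorical):
    """Fill None with the column mean (numeric) or mode (categorical)."""
    for col in numeric + categorical:
        present = [r[col] for r in rows if r[col] is not None]
        fill = mean(present) if col in numeric else Counter(present).most_common(1)[0][0]
        for r in rows:
            if r[col] is None:
                r[col] = fill
    return rows


def label_encode(rows, columns):
    """Assign each categorical value an integer by alphabetical order (Sect. 3.1.2)."""
    encoders = {}
    for col in columns:
        encoders[col] = {v: i for i, v in enumerate(sorted({r[col] for r in rows}))}
        for r in rows:
            r[col] = encoders[col][r[col]]
    return rows, encoders


def smote(minority, n_new, k, rng):
    """Synthesize n_new points on the segment between a random minority sample
    and one of its k nearest minority neighbours (the SMOTE idea of Algorithm 2)."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")

    def dist(a, b):
        return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

    synthetic = []
    for _ in range(n_new):
        base = rng.choice(minority)
        neighbours = sorted((s for s in minority if s is not base),
                            key=lambda s: dist(base, s))[:k]
        nb = rng.choice(neighbours)
        gap = rng.random()  # position along the segment base -> nb
        synthetic.append([b + gap * (n - b) for b, n in zip(base, nb)])
    return synthetic


def balance_with_smote(X, y, k=5, seed=0):
    """Oversample every smaller class up to the majority class size (Sect. 3.1.3)."""
    rng = random.Random(seed)
    counts = Counter(y)
    target = max(counts.values())
    X_out, y_out = [list(v) for v in X], list(y)
    for cls, cnt in counts.items():
        if cnt < target:
            minority = [v for v, lab in zip(X, y) if lab == cls]
            new = smote(minority, target - cnt, min(k, len(minority) - 1), rng)
            X_out.extend(new)
            y_out.extend([cls] * len(new))
    return X_out, y_out


def min_max_normalize(X):
    """Scale every column to [0, 1] with Eq. (1); a constant column maps to 0."""
    cols = list(zip(*X))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(row, lo, hi)] for row in X]


def preprocess(rows, categorical=CATEGORICAL, numeric=NUMERIC, label=LABEL, seed=0):
    """Run the preprocessing steps in Algorithm 1 order; return (X, y, encoders)."""
    rows = impute_missing(remove_duplicates(rows), numeric, categorical)
    rows, encoders = label_encode(rows, categorical)
    features = categorical + numeric
    X = [[float(r[c]) for c in features] for r in rows]
    y = [r[label] for r in rows]
    X, y = balance_with_smote(X, y, seed=seed)  # interpolates encoded codes too
    return min_max_normalize(X), y, encoders


if __name__ == "__main__":
    X, y, enc = preprocess(RAW_ROWS)
    print(enc, Counter(y))
    for row, lab in zip(X, y):
        print([round(v, 3) for v in row], lab)
```

Two details matter in practice. SMOTE is applied before normalization, so the interpolated label-encoded column (here `proto`) yields fractional codes; that is inherent to running SMOTE on label-encoded data and is one reason the paper's ordering (encode, balance, then scale) should be kept consistent between training and deployment. The normalization bounds are computed on the balanced training set and would have to be stored and reused for live traffic, otherwise a new extreme value at detection time changes the scale of every feature.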


3.2 Feature selection

The dataset comprises numerous features, some relevant and others irrelevant. The objective at this stage is to select a subset of features to reduce the complexity of the dataset. Feature selection techniques fall into three categories: filter, wrapper, and embedded. Filters, being statistical methods, evaluate feature relevance based on characteristics like correlation or information gain. Features are selected depending on their correlation with the target variable. Correlation analysis is employed to determine whether features exhibit positive or negative correlations with the target variable. While computationally efficient, they may overlook relevant feature combinations due to a lack of consideration for feature interaction [29].
Conversely, wrapper methods assess feature subset quality by evaluating specific classification model performance, aiming to maximize classification accuracy while considering feature interaction [30]. However, they can be computationally expensive and prone to overfitting [31]. Embedded techniques blend the benefits of filter and wrapper methods, incorporating feature interactions while maintaining low computational costs, resulting in superior performance compared to other techniques [32].
This paper proposes a hybrid approach that combines filter and wrapper methods for feature selection. Previous research has predominantly focused on either filters or wrappers individually. By merging these approaches, we aim to enhance feature selection efficiency, simplicity, and effectiveness.
Initially, a correlation analysis is conducted to assess linear relationships between features. The Pearson Correlation Coefficient (PCC) [33] and Spearman Correlation Coefficient (SCC) [34] are suitable for numerical datasets. PCC measures linear relationships, while SCC assesses nonlinear ones. The correlation analysis helps identify highly correlated features, indicating potential redundancy. In such cases, only one of the highly correlated features needs inclusion in the model. Correlation between features is calculated using the PCC and SCC, Eqs. (2) and (3), respectively.

$$C_{f_x f_y} = \frac{\sum_{i=1}^{n} (f_{x_i} - \bar{f}_x)(f_{y_i} - \bar{f}_y)}{\sqrt{\sum_{i=1}^{n} (f_{x_i} - \bar{f}_x)^2}\,\sqrt{\sum_{i=1}^{n} (f_{y_i} - \bar{f}_y)^2}} \qquad (2)$$

$$R_s = 1 - \frac{6 \sum_{i=1}^{n} (f_{x_i} - f_{y_i})^2}{n(n^2 - 1)} \qquad (3)$$

where $f_x$ and $f_y$ are the feature values, $n$ is the number of features, and $\bar{f}_x$ is the mean value of the feature.


Next, the Recursive Feature Elimination (RFE) method is applied as described


in Algorithm 3. This method leverages a classifier to predict the importance of
each feature. By iteratively eliminating less important features, RFE selects the
top-ranked essential features based on their accuracy [35]. To ensure robustness,
RFE is trained using two different classifiers: Decision Tree (DT) and Random
Forest (RF). This approach ensures that the selected features are consistently
important across multiple classification models.
To illustrate the process, let’s consider an example where we have features
labeled as f1, f2, f3, f4, and so on. After applying the correlation analysis, let’s
assume that f1 and f2 are highly correlated, as well as f4 and f5. In this case, we
can choose either f1 or f2 and either f4 or f5, but not both from each pair. This
selection serves to reduce redundancy and simplify the feature set.
Next, we take the shared features or intersection between the output obtained from the
PCC and SCC analysis, denoted as S1. The intersection between two filter feature selec-
tion techniques offers several advantages in identifying shared and strong features. By
combining the strengths of multiple techniques, this approach increases the likelihood of
capturing feature sets that are rich in information and relevant. This can lead to improved
model accuracy, generalization capability, and robustness. Moreover, this hybrid approach
allows for a more comprehensive analysis of the input feature space, reducing the risk
of missing important variables and structures within the data. Harnessing the power of
shared strong features from multiple filter methods, this technique enhances the overall
effectiveness of feature selection.
We then train the RFE method using both DT and RF classifiers. Based on the
accuracy of these classifiers, the RFE method predicts the importance of each fea-
ture. We select the top-ranked essential features, as determined by RFE, for further
analysis. Following this, we find the shared features between the RFE-DT and RFE-
RF sets, denoted as S2. After using filter and wrapper feature selection methods to
obtain different subsets, we combine them to form the set S by taking their distinct
features through the union operation. This allows us to gather unique features from
each subset. The feature selection approach steps are described in Algorithm 4.
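As an added illustration (not the paper's own code), the following pure-Python sketch runs the steps above on a constructed five-feature sample: it drops one member of each highly correlated pair under PCC and again under SCC, intersects the two survivor sets into S1, intersects two constructed RFE rankings into S2, and unions them into S. The correlation threshold of 0.95 and the RFE rankings are assumptions; the paper states neither.

```python
"""Hybrid filter + wrapper feature selection: S = (PCC ∩ SCC) ∪ (RFE-DT ∩ RFE-RF).
Pure Python; added example on constructed data, not the paper's implementation."""
from math import sqrt

# Constructed sample of 8 records over features f1..f5 (not from any dataset).
# f2 = 2*f1 + 1 (linear copy of f1); f5 = 2**f4 (monotone but non-linear copy of f4),
# so PCC and SCC disagree about the f4/f5 pair.
FEATURES = ["f1", "f2", "f3", "f4", "f5"]
ROWS = [
    [3.0, 7.0, 5.0, 1.0, 2.0],
    [1.0, 3.0, 3.0, 2.0, 4.0],
    [4.0, 9.0, 8.0, 3.0, 8.0],
    [1.0, 3.0, 1.0, 4.0, 16.0],
    [5.0, 11.0, 9.0, 5.0, 32.0],
    [9.0, 19.0, 2.0, 6.0, 64.0],
    [2.0, 5.0, 7.0, 7.0, 128.0],
    [6.0, 13.0, 4.0, 8.0, 256.0],
]


def column(rows, j):
    return [r[j] for r in rows]


def pearson(x, y):
    """Pearson correlation coefficient (PCC) of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / sqrt(vx * vy) if vx and vy else 0.0


def ranks(x):
    """Average ranks (1-based); tied values share the mean of their rank positions."""
    order = sorted(range(len(x)), key=lambda i: x[i])
    r = [0.0] * len(x)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and x[order[j + 1]] == x[order[i]]:
            j += 1
        for k in range(i, j + 1):
            r[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return r


def spearman(x, y):
    """Spearman correlation coefficient (SCC): Pearson on the ranks."""
    return pearson(ranks(x), ranks(y))


def filter_select(rows, names, corr_fn, threshold=0.95):
    """Keep one feature per highly correlated pair: a feature is dropped when its
    |corr| with an already-kept feature exceeds the (assumed) threshold, so of
    each redundant pair the earlier feature survives."""
    kept = []
    for j, name in enumerate(names):
        xj = column(rows, j)
        redundant = any(
            abs(corr_fn(column(rows, names.index(k)), xj)) > threshold for k in kept
        )
        if not redundant:
            kept.append(name)
    return set(kept)


def hybrid_select(rows, names, rfe_dt_top, rfe_rf_top, threshold=0.95):
    """S1 = PCC ∩ SCC survivors; S2 = RFE-DT ∩ RFE-RF top features; S = S1 ∪ S2.
    The two RFE rankings are inputs here (constructed); the paper obtains them
    by running RFE with DT and RF classifiers."""
    s1 = filter_select(rows, names, pearson, threshold) & filter_select(
        rows, names, spearman, threshold
    )
    s2 = set(rfe_dt_top) & set(rfe_rf_top)
    return s1 | s2, s1, s2


if __name__ == "__main__":
    s, s1, s2 = hybrid_select(ROWS, FEATURES, ["f3", "f4", "f2"], ["f4", "f2", "f5"])
    print("S1 =", sorted(s1), "S2 =", sorted(s2), "S =", sorted(s))
```

Note that the union can re-admit a feature the filter stage dropped as redundant (f2 here, via the RFE rankings); that is a property of the union step worth checking on real data.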

Algorithm 3  Recursive Feature Elimination

Content courtesy of Springer Nature, terms of use apply. Rights reserved.



Algorithm 4  The proposed FS Model

3.3 Multi‑level detection

While anomaly detection is effective at identifying deviations from normal patterns,
it does not provide detailed information about the type of anomaly. Knowing the
specific type of attack is critical for implementing appropriate countermeasures. Our
approach ensures not only that anomalies are detected but also that they are accu-
rately classified into specific categories, enhancing the overall security posture of
the network.
The flowchart of the detection process is shown in Fig. 2. Our detection process oper-
ates on two levels. First Level (Anomaly Detection): This level ensures the accurate iden-
tification of normal packets within the network, distinguishing them from attack pack-
ets. It serves as an initial filter to separate anomalies from normal behavior. Second Level
(Anomaly Category Detection or Multi-class Classification): the second level focuses on
the packets flagged as attacks by the first level. Here, we classify these attacks into spe-
cific types. This step is crucial because identifying the exact nature of the attack allows
for more precise and effective responses. Additionally, if any normal packet is initially
misclassified as an attack resulting in a False Positive (FP), the second level of detec-
tion reassesses and correctly classifies it as normal. To implement this process, we for-
warded the selected features to a variety of state-of-the-art machine learning algorithms.
We implemented Decision Tree (DT), Random Forest (RF), K-Nearest Neighbor (K-NN),
and Gaussian Naive Bayes (GNB).

4 Experimental evaluation and results

This section describes the implementation and evaluation of the proposed model. The upcoming subsections cover the datasets used, the methodological implementation, the experimental settings, and the performance evaluation. This is followed by a discussion of the experimental findings and a comparative study. Finally, the time complexity of the proposed feature selection model is discussed.

A. G. Ayad et al.

Fig. 2  Flowchart of multi-level detection

4.1 Dataset specification

In order to improve the capability of the supervised models, labeled network traffic datasets are used. This is accomplished by providing the essential information to efficiently train AIDS for exceptional accuracy and reliability in detecting as many network attacks as possible. Due to the diversity of IoT devices, their differences, and their daily increase in number, vast amounts of unstructured data are produced. To build our proposed model to work efficiently in real time, we used a dataset that was produced from a realistic environment. This dataset contains a variety of attacks, ensuring that our model can accurately detect and classify different types of intrusions. By utilizing this dataset, we can train our model to effectively identify patterns and characteristics of network traffic data in real-time scenarios. Many new flow-based benchmark datasets, such as BoT-IoT [36], TON-IoT [37], and CIC-DDoS2019 [38], have lately become available. We use these datasets as recent and realistic network traffic data for efficient anomaly-based network intrusion detection. Table 2 describes some of the main characteristics of these datasets.

4.1.1 BoT‑IoT dataset

The BoT-IoT dataset [36] was established by building a realistic network environment in the Cyber Range Lab at UNSW Canberra. This included data from various smart home devices such as refrigerators, garage doors, thermostats, lights, and weather monitoring systems. Out of the total dataset of 72 million records, 5% (3.6 million records) were used in the experiments, as described in Table 2.

4.1.2 TON‑IoT dataset

The TON-IoT dataset [37] was created from a realistic, large-scale network constructed at UNSW Canberra's Cyber IoT Lab. It consists of telemetry data from IoT services, operating system logs, and network traffic from IoT networks. For our experiments, the network traffic data were used. The TON-IoT dataset contains 22,339,021 records, and 7% (3 million records) of the dataset were used in the experiments. Some attacks that did not affect the IoT network were excluded from the analysis, as described in Table 2.

Table 2  Description of BoT-IoT, TON-IoT, and CIC-DDoS2019 datasets

| Datasets | No. of features | Size (Normal) | Size (Attack) | Attack label |
| --- | --- | --- | --- | --- |
| Bot-IoT [36] | 46 features | 477 | 3,668,045 | DoSHTTP, DoSTCP, DoSUDP, DDoSHTTP, DDoSTCP, DDoSUDP, OS_Fingerprint, Service scan, Data Exfiltration, Theft Keylogging |
| TON-IoT [37] | 45 features | 500,000 | 2,500,000 | DoS, DDoS, MITM, Scanning, XSS |
| CIC-DDoS2019 [38] | 79 features | 94,568 | 331,354 | NTP, DNS, LDAP, MSSQL, NetBIOS, SNMP, UDP, UDP-Lag, WebDDoS, SYN, TFTP, Portmap |


4.1.3 CIC‑DDoS2019 dataset

The CIC-DDoS2019 dataset [38], provided by the Canadian Institute for Cybersecurity, offers a comprehensive collection of different DDoS attacks. It was collected on two separate days for training and testing purposes. The training set, captured on January 12th, 2019, includes 12 different types of DDoS attacks. These attacks include Network Time Protocol (NTP), Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), Microsoft SQL Server (MSSQL), Simple Network Management Protocol (SNMP), Network Basic Input Output System (NetBIOS), User Datagram Protocol (UDP), SYN, UDP-Lag, WebDDoS, and TFTP. On the other hand, the test dataset consists of seven attacks, namely NetBIOS, MSSQL, PortScan, LDAP, UDP-Lag, UDP, and SYN.

4.2 Methodological implementation

The practical implementation of each stage is depicted in Fig. 3.

Initially, the datasets, BoT-IoT and TON-IoT, are obtained in CSV format from their respective websites. These datasets consist of multiple files, which are merged into a single CSV file. Subsequently, during the data cleaning stage, it is observed that the BoT-IoT dataset is well structured, with no duplicate rows or null values. However, from its visualization, we noticed that it contains a notable outlier: the Data_Exfiltration attack, which is underrepresented compared to other attack types. To mitigate its disproportionate impact during preprocessing, these instances are removed to ensure efficiency in time and resource utilization. Conversely, both the TON-IoT and CIC-DDoS2019 datasets exhibit duplicate rows, which are consequently eliminated. However, they do not contain null values or significant outliers. Categorical features, such as "protocol type", are encoded using label encoding (e.g., mapping ["TCP", "UDP", "ICMP"] to [0, 1, 2]).
Upon analyzing the data, an imbalance issue is identified, and to address it, SMOTE is employed. It is important to ensure that there is no redundancy in the new samples and that these samples are reasonable representations of the original dataset, following the same distribution. Figure 4 consists of histograms comparing the original data distribution to the data distribution after applying SMOTE. The original histograms, represented by the three upper histograms, display significant skewness and imbalance, particularly toward zero, indicating an imbalanced dataset. In contrast, the post-SMOTE histograms exhibit a more uniform distribution of feature values compared to the original skewed distribution. This indicates that the synthetic samples are effectively filling in the gaps and balancing the dataset, resulting in a varied and representative dataset. The absence of sharp peaks in the post-SMOTE histograms, which were present in the original data, further supports that SMOTE creates new data points instead of duplicating existing ones.

Fig. 3  The main steps for practical implementation of the proposed model

Fig. 4  Data distribution before and after applying SMOTE (original data on top and synthetic data on bottom)
Following data balancing, features undergo min–max normalization to standardize
their values within a uniform range of 0 to 1. A hybrid feature selection model is sub-
sequently applied to select features. Table 3 details the selected features post-selection,
revealing significant reductions in feature counts across datasets (BoT-IoT: 46 to 12,
TON-IoT: 45 to 15, CIC-DDoS2019: 79 to 35).
The processed features are then utilized in a multilevel detection approach. Input
features and targets are defined for each level, and parameters of machine learning clas-
sifiers are selected, as detailed in Table 4.
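The preprocessing order described above (label encoding, SMOTE, min-max normalization), as an added pure-Python example on constructed flow records; it is not the paper's code, which used Pandas and Scikit-Learn. The SMOTE step here is a minimal nearest-neighbour interpolation that rejects duplicate synthetic rows, matching the no-redundancy requirement stated in the text; the sample records, the neighbour count k and the RNG seed are assumptions.

```python
"""Preprocessing stages of Sect. 4.2: label encoding, SMOTE-style oversampling of
the minority class, then min-max normalization to [0, 1]. Added example on
constructed data, not the paper's implementation."""
import random

PROTOCOLS = ["TCP", "UDP", "ICMP"]  # the text's label-encoding order -> [0, 1, 2]

# Constructed flow records: (protocol, duration, bytes, packets), plus labels.
RAW = [("TCP", 1.2, 800, 6), ("TCP", 0.9, 640, 5), ("UDP", 0.3, 120, 1),
       ("UDP", 0.4, 150, 1), ("TCP", 2.0, 1500, 9), ("ICMP", 0.1, 64, 1),
       ("TCP", 1.5, 1100, 7), ("UDP", 0.5, 200, 2),
       ("TCP", 30.0, 90000, 900), ("TCP", 28.0, 85000, 870), ("UDP", 25.0, 70000, 700)]
LABELS = ["Normal"] * 8 + ["Attack"] * 3   # imbalanced: 8 normal vs 3 attack


def label_encode(values, categories):
    index = {c: i for i, c in enumerate(categories)}
    return [index[v] for v in values]


def encode_rows(raw, categories):
    """Replace the categorical protocol column with its integer code."""
    codes = label_encode([r[0] for r in raw], categories)
    return [[float(c)] + [float(v) for v in r[1:]] for c, r in zip(codes, raw)]


def euclid(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def smote(minority, n_new, k=2, rng=None):
    """Create n_new synthetic rows, each on the segment between a minority row and
    one of its k nearest minority neighbours. Exact duplicates of existing or
    previously generated rows are rejected. Note that the encoded protocol column
    is interpolated as well, a known caveat of SMOTE over label-encoded codes;
    the text applies SMOTE after encoding, so the order is kept here."""
    rng = rng or random.Random(0)
    seen = {tuple(r) for r in minority}
    synthetic = []
    while len(synthetic) < n_new:
        base = rng.choice(minority)
        neighbours = sorted((r for r in minority if r is not base),
                            key=lambda r: euclid(base, r))[:k]
        nb = rng.choice(neighbours)
        lam = rng.random()
        new = [b + lam * (n - b) for b, n in zip(base, nb)]
        if tuple(new) in seen:
            continue
        seen.add(tuple(new))
        synthetic.append(new)
    return synthetic


def balance(rows, labels, minority_label, rng=None):
    """Oversample the minority class until it matches the majority count."""
    minority = [r for r, l in zip(rows, labels) if l == minority_label]
    majority = len(rows) - len(minority)
    new = smote(minority, majority - len(minority), rng=rng)
    return rows + new, labels + [minority_label] * len(new)


def minmax(rows):
    """Scale every column to [0, 1]; a constant column maps to 0."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)]
            for r in rows]


def preprocess(raw, labels, minority_label="Attack"):
    rows = encode_rows(raw, PROTOCOLS)
    rows, labels = balance(rows, labels, minority_label)
    return minmax(rows), labels


if __name__ == "__main__":
    rows, labels = preprocess(RAW, LABELS)
    print(len(rows), "rows;", labels.count("Attack"), "attack,",
          labels.count("Normal"), "normal")
```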

4.3 Experimental settings

The experiments were conducted on an HP notebook with Windows 10 Pro Enterprise 64-bit, an Intel(R) Core(TM) i7-5500 CPU with two cores and four logical processors, 16 GB of RAM, and 14.6 GB of virtual memory. The experiments used the PyCharm editor version 2022.2 and the Python programming language version 3.10. Data preprocessing utilized the Pandas and NumPy frameworks, while machine learning algorithms were implemented using the Scikit-Learn software version 1.1.1.

Table 3  The selected features from the datasets

| Datasets | Feature names |
| --- | --- |
| BoT-IoT | {Proto_number, State_number, Bytes, AR_P_Proto_P_SrcIP, Seq, Flgs_number, Saddr, Dport, Dur, Sport, Daddr, N_IN_Conn_P_DstIP} |
| TON-IoT | {ts, Src_ip, Src_port, Dst_ip, Dst_port, proto, duration, Src_bytes, Dst_bytes, Conn_State, Missed_bytes, Src_pkts, Src_ip_bytes, Dst_pkts, Dst_ip_bytes} |
| CIC-DDoS2019 | {URG Flag Count, SYN Flag Count, PSH Flag Count, Fwd URG Flags, Fwd Packet Length Max, Bwd IAT Min, Bwd Packet Length Max, Total Backward Packets, Bwd Packets/s, Bwd Avg Bulk Rate, Fwd Avg Bytes/Bulk, Bwd URG Flags, Bwd Avg Bytes/Bulk, ECE Flag Count, Flow Duration, Flow IAT Min, Fwd Packets Length Total, Bwd Header Length, Protocol, Fwd Packet Length Std, Fwd Header Length, FIN Flag Count, Fwd PSH Flags, Init Bwd Win Bytes, Fwd Avg Bulk Rate, Flow Bytes/s, Active Mean, Init Fwd Win Bytes, Down/Up Ratio, Bwd Avg Packets/Bulk, Total Fwd Packets, Bwd Packet Length Min, Bwd PSH Flags, Active Std, Fwd Avg Packets/Bulk} |

Table 4  The training parameters for the used datasets using ML classifiers (parameter values for binary and multi-classification)

| ML classifier | BoT-IoT | TON-IoT | CIC-DDoS2019 |
| --- | --- | --- | --- |
| DT | criterion="entropy" | criterion="entropy" | criterion="entropy" |
| RF | n_estimators=10, criterion='gini' | n_estimators=5, criterion='gini' | n_estimators=5, criterion='entropy' |
| K-NN | n_neighbors=5 | n_neighbors=7 | n_neighbors=3 |
| GNB | No tuning needed | No tuning needed | No tuning needed |

4.4 Performance evaluation metrics

For evaluation, the K-fold cross-validation method with random training/testing splits was applied. The K-fold cross-validation approach is commonly used to validate models and prevent overfitting. It involves shuffling and dividing the dataset into k folds, where one fold is used as the test set while the others are used for training [39]. By averaging the evaluation results of each fold, an accuracy value can be obtained [40]. To implement a stratified k-fold, we ensure that each fold has an equal number of samples for each class [41]. This helps maintain the balance of class representation throughout the training and testing process.
In terms of measuring the impact of the proposed model on network resources in IoT networks, specific details about device structure, such as battery, energy, and bandwidth, may not be available in the datasets used. One measurable resource that we report is the detection time, which is valuable information: a shorter detection time implies a reduction in the consumption of other resources, which is a positive outcome. Regarding the flexibility of the model, it can handle large datasets and the different types of IoT devices shown in the description of the used datasets. Having a model that can adapt to various input data is crucial when dealing with the diverse range of devices in IoT networks.
To assess the performance of the classifiers, we utilized the standard performance evaluation metrics of Accuracy [42, 43], Precision, Recall, and F1-Score [42], as detailed below and specified in Eqs. (4)–(7). In our evaluation, True Positive (TP) is the number of attack instances correctly classified as attack, True Negative (TN) is the number of normal instances correctly classified as normal, False Positive (FP) is the number of normal instances incorrectly classified as attack, and False Negative (FN) is the number of attack instances incorrectly classified as normal [42]. In addition, detection time (D_Time) is calculated using Eq. (8). It represents the time taken by AIDS to classify a test sample as either normal or an intrusion, including its specific class type.
$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{4}$$

$$\text{Precision} = \frac{TP}{TP + FP} \tag{5}$$

$$\text{Recall} = \frac{TP}{TP + FN} \tag{6}$$

$$\text{F1-score} = 2 \cdot \frac{\text{Precision} \cdot \text{Recall}}{\text{Precision} + \text{Recall}} \tag{7}$$

$$\text{D\_Time} = \text{end} - \text{start} \tag{8}$$
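The two-level detection of Sect. 3.3 together with the metrics of Eqs. (4)–(8), worked through as an added example that is not the paper's code: the classifiers are rule-based stand-ins over constructed flow records, and one bursty normal flow is flagged at level 1 and then reassessed as normal at level 2, as the text describes. The feature names, thresholds and records are assumptions.

```python
"""Two-level AIDS detection (anomaly, then attack category) with the metrics of
Eqs. (4)-(8) computed from TP/TN/FP/FN. Added example with rule-based stand-in
classifiers on constructed flows; not the paper's trained models."""
import time

# Constructed flow records: (feature dict, true label); label is "Normal" or an attack class.
FLOWS = [
    ({"pkts": 3, "bytes": 300, "syn_ratio": 0.1}, "Normal"),
    ({"pkts": 5, "bytes": 800, "syn_ratio": 0.2}, "Normal"),
    ({"pkts": 900, "bytes": 40000, "syn_ratio": 0.95}, "DoSTCP"),
    ({"pkts": 1200, "bytes": 60000, "syn_ratio": 0.05}, "DoSUDP"),
    ({"pkts": 40, "bytes": 2000, "syn_ratio": 0.9}, "Service scan"),
    ({"pkts": 700, "bytes": 5000, "syn_ratio": 0.3}, "Normal"),   # bursty normal: level-1 FP
    ({"pkts": 20, "bytes": 20000, "syn_ratio": 0.1}, "DoSUDP"),   # low-rate attack: level-1 FN
]


def level1(f):
    """Level 1 (anomaly detection) stand-in: flag anything bursty as an attack."""
    return "Attack" if f["pkts"] > 500 or f["syn_ratio"] > 0.8 else "Normal"


def level2(f):
    """Level 2 (category) stand-in over flows flagged by level 1; it may answer
    'Normal', which is how a level-1 false positive gets reassessed."""
    if f["syn_ratio"] > 0.8 and f["pkts"] < 100:
        return "Service scan"
    if f["syn_ratio"] > 0.8:
        return "DoSTCP"
    if f["bytes"] / f["pkts"] > 30:
        return "DoSUDP"
    return "Normal"


def confusion(y_true, y_pred, positive):
    """Return (TP, TN, FP, FN) with `positive` as the attack label."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    tn = sum(t != positive and p != positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    return tp, tn, fp, fn


def metrics(tp, tn, fp, fn):
    accuracy = (tp + tn) / (tp + tn + fp + fn)                      # Eq. (4)
    precision = tp / (tp + fp) if tp + fp else 0.0                   # Eq. (5)
    recall = tp / (tp + fn) if tp + fn else 0.0                      # Eq. (6)
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)                            # Eq. (7)
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}


def detect(flows):
    """Run both levels, timing the whole classification pass (Eq. (8))."""
    start = time.perf_counter()
    binary_true = ["Normal" if lbl == "Normal" else "Attack" for _, lbl in flows]
    binary_pred = [level1(f) for f, _ in flows]
    # Only flows flagged as attacks reach level 2; level-1 misses never do.
    flagged = [(f, lbl) for (f, lbl), p in zip(flows, binary_pred) if p == "Attack"]
    final_pred = [level2(f) for f, _ in flagged]
    d_time = time.perf_counter() - start                             # Eq. (8)
    l1 = metrics(*confusion(binary_true, binary_pred, "Attack"))
    l2_correct = sum(p == lbl for (_, lbl), p in zip(flagged, final_pred))
    l2_accuracy = l2_correct / len(flagged) if flagged else 0.0
    recovered_fp = sum(lbl == "Normal" and p == "Normal"
                       for (_, lbl), p in zip(flagged, final_pred))
    return {"level1": l1, "level2_accuracy": l2_accuracy,
            "recovered_fp": recovered_fp, "d_time": d_time}


if __name__ == "__main__":
    print(detect(FLOWS))
```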

4.5 Experimental evaluation

To guarantee the effectiveness of our model, we conducted three experiments using the BoT-IoT, TON-IoT, and CIC-DDoS2019 datasets. These experiments are labeled Experiment I, Experiment II, and Experiment III, and each is split into two parts. Firstly, we trained the AIDS model using all features and imbalanced data. Secondly, we trained the AIDS model using the proposed feature selection model combined with SMOTE.


4.5.1 Experiment I: using the BoT‑IoT dataset

In order to assess how effective the proposed FS model is, we compare the experi-
mental results obtained by using the entire feature set to those obtained using the
proposed feature selection approach during the two-level classification.
Case 1: AIDS based on all features and imbalanced data
Table 5 presents the performance of different machine learning models on all
features and unbalanced BoT-IoT dataset. In the Level-1 detection, all classifiers
achieved high accuracy, precision, recall, and F1-score values. The DT and RF
achieved almost perfect scores in all metrics, while the GNB obtained slightly lower
scores. The K-NN had excellent scores but took significantly longer detection time
compared to the other models.
Moving on to Level 2 of detection, the accuracy, precision, recall, and F1-score
values remained high for all models, demonstrating their effectiveness. However,
there was a slight decrease in these metrics compared to level 1. Notably, GNB
experienced a drop in accuracy, precision, recall, and F1-score, while DT, RF, and
K-NN maintained consistently high scores.
Regarding detection time, the models performed relatively faster in Level 2 compared to Level 1, with GNB being the fastest and K-NN being the slowest. Specifically, in Level 1, DT takes 0.72 s, RF takes 2.10 s, GNB takes 2.18 s, and K-NN takes a significantly longer time of 18628.84 s. In Level 2, the time decreased for all models, with DT, RF, GNB, and K-NN taking 0.17, 0.77, 0.60, and 40182.80 s, respectively.
Overall, the results indicate that the DT and RF models consistently perform
exceptionally well, while GNB shows slightly lower performance in Level 2. Addi-
tionally, K-NN offers excellent scores but has a significantly longer detection time
compared to other models.
Case 2: AIDS based on selected features combined with SMOTE
The outcomes for Level 1 and Level 2 detection using the proposed model can be
viewed in Table 6. In Table 7, we implemented our proposed approach by selecting
features and solving the imbalance problem by SMOTE, and we observed that the
GNB classifier achieved impressive results compared to the previous case. More-
over, the DT and RF classifiers attained perfect results (100%) in the first level,
with the DT classifier consuming a detection time of 0.13 s. On the other hand, the
K-nearest neighbors (K-NN) classifier had the slowest detection time of 55.18 s. At
the second level of detection, the K-NN classifier continued to exhibit the slowest
detection time (41.04 s). In comparison, the DT classifier continued to maintain its
detection time (0.04 s).
This provides a clearer understanding of the effectiveness of SMOTE, particu-
larly in showing the false positive rate in detail. However, models trained on datasets
with all features and imbalance may exhibit higher metrics such as accuracy, but this
can be misleading as they are often biased toward the majority class. When compar-
ing the confusion matrix in the first level shown in Fig. 5, it is evident that DT, when
using selected features, correctly detected three attack samples, as did RF. However,
the impact of our proposed feature selection technique with SMOTE was more pro-
nounced in GNB, which successfully reduced false negatives from 271 to 242.

Table 5  Performance of various machine learning models using unbalanced data and all features on the BoT-IoT dataset

| Classifier | Level-1 Accuracy (%) | Level-1 Precision (%) | Level-1 Recall (%) | Level-1 F1-score (%) | Level-1 D_Time (s) | Level-2 Accuracy (%) | Level-2 Precision (%) | Level-2 Recall (%) | Level-2 F1-score (%) | Level-2 D_Time (s) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DT | 99.99 | 100 | 100 | 99.99 | 0.72 | 99.99 | 99.90 | 98.15 | 98.94 | 0.17 |
| RF | 100 | 100 | 100 | 100 | 2.10 | 99.99 | 99.87 | 98.15 | 98.93 | 0.77 |
| GNB | 99.97 | 100 | 99.98 | 99.99 | 2.18 | 74.18 | 77.85 | 88.33 | 78.68 | 0.60 |
| K-NN | 99.99 | 100 | 99.99 | 99.99 | 18628.84 | 99.98 | 99.98 | 99.98 | 99.98 | 40182.80 |

Table 6  Performance of various machine learning models after applying feature selection and SMOTE on the BoT-IoT dataset

| Classifier | Level-1 Accuracy (%) | Level-1 Precision (%) | Level-1 Recall (%) | Level-1 F1-score (%) | Level-1 D_Time (s) | Level-2 Accuracy (%) | Level-2 Precision (%) | Level-2 Recall (%) | Level-2 F1-score (%) | Level-2 D_Time (s) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DT | 100 | 100 | 100 | 100 | 0.13 | 99.99 | 99.99 | 99.99 | 99.99 | 0.04 |
| RF | 100 | 100 | 100 | 100 | 0.51 | 99.99 | 99.99 | 99.99 | 99.99 | 0.38 |
| GNB | 99.98 | 100 | 99.98 | 99.99 | 0.32 | 99.96 | 99.96 | 99.96 | 99.96 | 0.31 |
| K-NN | 99.99 | 100 | 99.99 | 99.99 | 55.18 | 99.99 | 99.99 | 99.99 | 99.99 | 41.04 |

Fig. 5  Confusion matrices for various ML algorithms at the first level: comparison between unbalanced
data with all features and data with selected features after applying SMOTE on the BoT-IoT dataset

Furthermore, the impact of our proposed model is evident in the second level across all models, as depicted in Fig. 6. This figure shows 11 classes: 0: DDoSHTTP, 1: DDoSTCP, 2: DDoSUDP, 3: DoSHTTP, 4: DoSTCP, 5: DoSUDP, 6: OS Fingerprint, 7: Service scan, 8: Data Exfiltration, 9: Theft Keylogging. Because all classifiers classify every normal sample correctly in the first level, the normal class does not appear in the second level. As shown, the Decision Tree and Random Forest classify all attacks correctly except for one DoSUDP sample. The Gaussian Naive Bayes improved compared to using all features: for the class DDoSTCP:2, it went from 0 correctly classified samples to 113,966, with 33 misclassified instead of 85,218.

4.5.2 Experiment II: using the TON‑IoT dataset

In this section, we explore the experiments conducted to evaluate the model using TON-IoT. The experimental setup follows the sequence established in the previous section, that is, utilizing all features and then employing the proposed feature selection.
Case 1: AIDS based on all features and imbalanced data
In Table 7, we can see that both the DT and the K-NN classifiers reach 100% in the first level. However, it is worth noting that K-NN takes significantly more time, specifically 15506.95 s. In terms of time efficiency, the DT classifier achieves a shorter detection time at both levels, 0.31 and 0.03 s, respectively. In the second level, all classifiers show acceptable results except for GNB, which did not achieve positive results: it has an accuracy of 19.97% and an F1-score of 22.24%.


Fig. 6  Confusion matrices for the machine learning algorithms at the second level based on BoT-IoT
dataset: comparison between unbalanced data with all features and data with selected features after
applying SMOTE

Table 7  Performance of various machine learning models using unbalanced data and all features on the TON-IoT dataset

| Classifier | Level-1 Accuracy (%) | Level-1 Precision (%) | Level-1 Recall (%) | Level-1 F1-score (%) | Level-1 D_Time (s) | Level-2 Accuracy (%) | Level-2 Precision (%) | Level-2 Recall (%) | Level-2 F1-score (%) | Level-2 D_Time (s) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DT | 100 | 100 | 100 | 100 | 0.31 | 99.99 | 99.99 | 99.99 | 99.99 | 0.03 |
| RF | 99.99 | 100 | 99.99 | 99.99 | 0.60 | 99.99 | 99.99 | 99.99 | 99.99 | 0.11 |
| GNB | 99.99 | 99.99 | 100 | 99.99 | 1.007 | 19.97 | 53.33 | 33.35 | 22.24 | 0.22 |
| K-NN | 100 | 100 | 100 | 100 | 15506.95 | 99.98 | 99.98 | 99.98 | 99.98 | 578.17 |

Case 2: AIDS based on selected features combined with SMOTE

Drawing upon the prior case, each classifier exhibited commendable performance. Our objective is to achieve good results, even if they are not identical, and the selected features help achieve this objective within the shortest possible time.
In Table 8, the DT demonstrated exceptional results across all evaluation metrics, achieving a perfect score of 100% in each metric within 0.15 s at the first level. Upon progressing to the second level, the DT model exhibited a slight decrease in performance, with a 99.99% accuracy rate and a detection time of 0.05 s.
However, the most noteworthy aspect of our proposed GNB model lies in its sig-
nificant improvement in the second level. Prior to our implementation, the GNB
model displayed only 22% accuracy at this stage. However, with our proposed modi-
fications, the GNB model achieved an impressive accuracy rate of 94.16% in the
second level. This improvement marks a tremendous leap in performance for our
proposed approach.
The preceding outcomes were generated from the given confusion matrix. As
illustrated in Fig. 7, the disparities among all classifiers are demonstrated in the first
category by considering all features without solving the imbalance problem. Addi-
tionally, the second category outlines AIDS detection determined by selected fea-
tures and SMOTE. It is worth noting that the RF classifier can correctly identify one
attack sample despite it being classified as negative when employing all features.
However, the K-NN classifier identifies one sample as negative when using the pro-
posed model. Furthermore, the GNB classifier, when utilizing selected features and
SMOTE, correctly identifies 27 normal samples but incorrectly classifies 31,274
attack samples as negative.
Examining the confusion matrix in Fig. 8, focusing on the confusion matrix at
the second level, we observe the presence of five different classes: 0: DDoS, 1:
DoS, 2: password, 3: scanning, and 4: XSS. These classes represent various types of
attacks. However, the GNB classifier presents an additional class, “Normal,” which
is encoded to 2 while simultaneously designating the “scanning” class with label 3.
This progression would persist for the remaining classes. This occurs because the
GNB classifier identifies some samples from the Normal class as attacks. Conse-
quently, these samples are included in the second-level analysis, unlike the other
classifiers.

4.5.3 Experiment III: using the CIC‑DDoS2019 dataset

Case 1: AIDS based on all features and imbalanced data

The results in Table 9 indicate that the DT and RF models perform consistently well in both Level 1 and Level 2. They achieve high scores in Accuracy, Precision, Recall, and F1-score while also having low detection times. These models seem to be effective and efficient in detecting anomalies in the CIC-DDoS2019 dataset. On the other hand, the GNB model has lower scores in most metrics, indicating that it might struggle to classify instances in this dataset accurately. Similarly, the K-NN model has relatively lower Accuracy and Recall scores in Level 1, although it performs well in Level 2. Overall, the DT and RF models provide the best trade-off between performance metrics and detection time in both levels of detection.

Table 8  Performance of various machine learning models after applying feature selection and SMOTE on the TON-IoT dataset

| Classifier | Level-1 Accuracy (%) | Level-1 Precision (%) | Level-1 Recall (%) | Level-1 F1-score (%) | Level-1 D_Time (s) | Level-2 Accuracy (%) | Level-2 Precision (%) | Level-2 Recall (%) | Level-2 F1-score (%) | Level-2 D_Time (s) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DT | 100 | 100 | 100 | 100 | 0.15 | 99.99 | 99.99 | 99.99 | 99.99 | 0.05 |
| RF | 100 | 100 | 100 | 100 | 0.41 | 99.99 | 99.99 | 99.99 | 99.99 | 0.18 |
| GNB | 96.72 | 100 | 95.83 | 97.87 | 0.53 | 94.16 | 94.58 | 94.16 | 94.17 | 0.12 |
| K-NN | 99.99 | 100 | 99.99 | 99.99 | 22678.82 | 99.99 | 99.99 | 99.99 | 99.99 | 469.92 |

Fig. 7  Confusion matrices for the machine learning models at the first level based on unbalanced data with all features and data with selected features after applying SMOTE on the TON-IoT dataset

Case 2: AIDS based on selected features combined with SMOTE
Table 10 illustrates that, among the classifiers, the DT and RF show high accuracy and precision, with F1-scores close to 99.98%. Both classifiers have low detection times, 0.020 and 0.06 s, respectively. When compared to the previous case, the accuracy of DT and RF increased from 99.94 to 99.97, with a decrease in the detection time. In the second level, the F1-score of DT and RF increased significantly, from 82.55 to 99.82 and from 67.05 to 96.25, respectively. The GNB classifier also performs better than in the prior case at both levels, reaching 98% and 52.67%, respectively. The K-NN classifier has relatively good accuracy; however, its first-level accuracy is lower than in the previous case. In the second level, its F1-score increased from 93.59 to 99.62, with a detection time of 13.50 s.
In Fig. 9, the DT_All classifier initially misclassifies 42 normal samples as attacks, but the DT_select classifier reduces this number to 14. Similarly, the misclassification of attack samples is reduced from 30 to 21 by the DT_select classifier. As a result, the DT_select classifier performs better than the DT_All classifier by reducing the number of false positives. Additionally, with the RF_All and RF_select methods, the misclassification of normal and attack samples is reduced from 26 to 7 and from 45 to 34, respectively. In general, the proposed model demonstrates enhancements in GNB. Initially, all normal samples were misclassified due to the model's bias toward the majority class. However, upon implementing the model, the samples were redistributed, resulting in 651 false positives out of all normal samples. Nonetheless, it should be noted that the model predicted 1482 attacks as normal. Regarding K-NN, the model successfully decreased the count of false positives from 6162 to 4322. However, this improvement was accompanied by an increase in the number of false negatives.
When examining the confusion matrix in Fig. 10, with a focus on the second level, we observe the following classes: 0: DNS, 1: LDAP, 2: MSSQL, 3: NTP, 4: NetBIOS, 5: Normal, 6: Portmap, 7: SNMP, 8: SYN, 9: TFTP, 10: UDP, 11: UDP-Lag, and 12: WebDDoS. The DT, RF, and K-NN algorithms perform better across multiple classes when using the proposed subset of features than when using all features. The proposed model has its most significant impact on the GNB algorithm, which predicts most of the classes incorrectly with all features; when the selected features are applied, its AIDS detection improves.

4.6 Comparison with other approaches

We evaluate the proposed model's robustness by comparing it with existing intrusion detection models. These models can be categorized into machine learning-based and deep learning-based approaches. Specifically, we refer to the studies conducted by [13, 17, 21, 44–46] as representative machine learning-based solutions. On the other hand, the deep learning-based approaches we consider include the works by [19, 47–50]. The comparison is presented in Table 11, where the results at the two detection levels are summarized. At the first level, among the machine learning-based works, our model demonstrates comparable performance in metrics such as Accuracy, Precision, Recall, and F1-Score with the works by [21, 44]. Additionally, our model outperforms the work by [17] in terms of Accuracy and Recall. It is worth mentioning that the aforementioned works utilized the K-NN algorithm, which is more time-consuming than the decision tree algorithm employed in our proposed model. Mohy et al. [13] also evaluated their model with K-NN and achieved accuracy up to 99.99% with a detection time of 57.73 s. Rihan et al. [50] employed ensemble feature selection and deep learning (DL) models. Although the authors individually implemented five filter selection methods and refined the output with RFE, their accuracy is around 2% lower than that of our proposed model.
Table 12 presents a comparison of the performance of our proposed model with the current works [12, 19, 45, 46, 49, 53] using the TON-IoT dataset. We observed a significant difference in [45] compared to our results. The proposed hybrid framework in [12] achieved an accuracy of 99.48% by utilizing the hybrid NSGA-II technique for feature selection and SVM for detection. Its accuracy is 0.52% lower than that of our proposed model; moreover, this dataset is highly imbalanced, and the authors did not mention how they addressed this problem. In addition, their work is based on a single detection level, and the authors have not discussed other metrics to evaluate their model. El Hajla et al. [54] employed the voting and stacking concept to improve prediction accuracy, with correlation used to select the features. However, their results are lower than those of our proposed model, particularly in multiclass classification. When evaluating the results based on deep learning, our proposed model outperformed [19] at the first level by 11% in accuracy and 10% in F1-Score. In the second level, [53] falls below our proposed model by 9% and 11% in accuracy and F1-Score, respectively.

Fig. 8  Confusion matrices for the machine learning algorithms at the second level based on the TON-IoT dataset: comparison between unbalanced data with all features and data with selected features after applying SMOTE

Table 13 demonstrates a comparison based on the CIC-DDoS2019 dataset. Thiyam et al. [55] solved the imbalance, but our proposed model outperformed it by 11% in accuracy and 18% in F1-score. Aktar et al. [56] introduced a one-class Deep Contractive Autoencoder (DCAE). In the realm of multi-classification, our proposed model demonstrated superior accuracy compared to the model in [57], which was trained using all features except for the timestamp feature, and [58], which employed random feature selection and an optimization algorithm for selecting features and the Light Gradient Boosting Machine (LGBM) algorithm to detect various attack classes. Although it achieves high accuracy in binary classification, the CNN model [59] exhibits lower performance in multi-classification, trailing the proposed model by 6.2%.
As detection time is an important measure, we compared the proposed model with
other works on the three datasets, summarizing the results in Fig. 11. For the
BoT-IoT dataset, the two-level anomaly detection approach of Aldaej et al. [51]
has a longer processing time of 1.23 s in multiclass classification than our
method. Sarhan et al. [45] trained their model on all features, resulting in a
longer computation time than our proposed method. For the CIC-DDoS2019
dataset, although Ramzan et al. [60] achieved accuracy comparable to ours, our
model demonstrated superiority in detection time.

4.7 Time complexity of the proposed feature selection model

The time complexity of our feature selection model comprises several criti-
cal components, each contributing to the overall computational demand. Ini-
tially, feature selection utilizes both the PCC and SCC. Calculating the PCC
for m features involves O(n ⋅ m), where n denotes the number of samples [61,
62], while computing the SCC, which involves sorting, carries a complexity of
O(m ⋅ n log n) [62, 63]. Next, the time complexity of RFE is considered: RFE
has a complexity of O(T ⋅ P), with T being the complexity of training the
model and P the number of features eliminated [64], because the estimator is
retrained once per elimination round. For a DT, the training complexity is
T_DT = O(m ⋅ n log n) [65], and training an RF of k decision trees results
in O(k ⋅ T_DT), i.e. O(k ⋅ m ⋅ n log n). Additionally, the model requires
two intersections and one union operation, each with O(m) complexity. Com-
bining these components, the final complexity of the feature selection model
is O(n ⋅ m) + O(m ⋅ n log n) + O(P ⋅ m ⋅ n log n) + O(P ⋅ k ⋅ m ⋅ n log n) + O(m),
which simplifies to O(P ⋅ k ⋅ m ⋅ n log n), the RF-based RFE term dominating.
Note that when RFE eliminates one feature per round, P grows with m, so the
wrapper stage scales roughly quadratically in the number of features.
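As an added illustration of the stages whose costs are summed above (example code written for this page, not the authors' released implementation), the following Python computes the PCC and SCC of every feature against the label, feeds the filtered candidates to an RFE loop, and uses a single Gini decision stump as the wrapper estimator in place of the paper's DT/RF. The 0.2 correlation threshold, the use of the union of the two filter sets as RFE input, the stump estimator, and the constructed dataset are all assumptions of this example, not values taken from the paper.

```python
"""Hybrid filter-wrapper feature selection as a stand-alone illustration.
Filter stage: PCC (O(n*m)) and SCC (O(m * n log n), ranking needs a sort) of each
feature against the label.  Wrapper stage: RFE dropping the weakest feature per
round, O(P * T) for P rounds of an estimator costing T; the estimator is a Gini
decision stump, a deliberately small stand-in for the paper's DT/RF."""
import math
import random
from typing import Sequence


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """PCC in one pass over the n samples: O(n)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0

def ranks(v: Sequence[float]) -> list:
    """1-based average ranks (ties share their mean rank); the sort is O(n log n)."""
    order = sorted(range(len(v)), key=lambda i: v[i])
    out = [0.0] * len(v)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and v[order[j + 1]] == v[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out

def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """SCC is the PCC of the ranks."""
    return pearson(ranks(x), ranks(y))

def filter_stage(X: list, y: Sequence[int], threshold: float):
    """Features whose |PCC| (resp. |SCC|) with the label reaches the threshold."""
    cols = [[row[j] for row in X] for j in range(len(X[0]))]
    pcc = {j for j, c in enumerate(cols) if abs(pearson(c, y)) >= threshold}
    scc = {j for j, c in enumerate(cols) if abs(spearman(c, y)) >= threshold}
    return pcc, scc

def gini(p: float) -> float:
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)  # impurity of a binary node

def stump_importance(X: list, y: Sequence[int], feats: Sequence[int]) -> dict:
    """Best single-threshold Gini decrease per feature: O(|feats| * n log n),
    the same order the paper quotes for training one decision tree."""
    n, total_pos = len(y), sum(y)
    base = gini(total_pos / n)
    scores = {}
    for j in feats:
        order = sorted(range(n), key=lambda i: X[i][j])
        left_pos, best = 0, 0.0
        for k in range(1, n):  # candidate split between order[k-1] and order[k]
            left_pos += y[order[k - 1]]
            if X[order[k - 1]][j] == X[order[k]][j]:
                continue  # no threshold separates equal values
            g_left = gini(left_pos / k)
            g_right = gini((total_pos - left_pos) / (n - k))
            best = max(best, base - (k * g_left + (n - k) * g_right) / n)
        scores[j] = best
    return scores

def rfe(X: list, y: Sequence[int], candidates, n_keep: int) -> list:
    """Drop the least important feature per round until n_keep remain (P rounds)."""
    keep = sorted(candidates)
    while len(keep) > n_keep:
        scores = stump_importance(X, y, keep)
        keep.remove(min(keep, key=scores.get))
    return keep

def hybrid_select(X: list, y: Sequence[int], threshold=0.2, n_keep=2) -> list:
    """Filter, then wrap.  Feeding the union PCC|SCC to RFE is this example's
    assumption; the paper's own intersection/union steps are not reproduced."""
    pcc, scc = filter_stage(X, y, threshold)
    return rfe(X, y, pcc | scc, n_keep)

def make_dataset(n: int = 500, seed: int = 7):
    """Constructed data (not from any IoT dataset): f1 strongly and f0 weakly
    informative, f2 a noisy copy of f0, f3..f5 pure noise; binary label."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        f0, f1 = rng.gauss(0, 1), rng.gauss(0, 1)
        f2 = f0 + rng.gauss(0, 0.1)
        X.append([f0, f1, f2] + [rng.gauss(0, 1) for _ in range(3)])
        y.append(1 if f0 + 1.5 * f1 + rng.gauss(0, 0.5) > 0 else 0)
    return X, y


if __name__ == "__main__":
    X, y = make_dataset()
    print("filter sets:", filter_stage(X, y, 0.2), "after RFE:", hybrid_select(X, y))
```

On the constructed data the filter stage keeps the three correlated features (f0, f1 and its noisy copy f2) and rejects the noise, and RFE then drops one of the redundant pair, which the correlation filters alone cannot do. Each RFE round re-sorts every surviving feature, which is where the O(P ⋅ m ⋅ n log n) term comes from; replacing the stump with a forest of k trees multiplies that term by k, as in the bound above.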



A hybrid approach for efficient feature selection in anomaly…



Table 9  Performance of various machine learning models using unbalanced data and all features on the CIC-DDoS2019 dataset (D_Time is the detection time in seconds)

Classifier  Level-1 of Detection                                Level-2 of Detection
            Accuracy  Precision  Recall  F1-score  D_Time       Accuracy  Precision  Recall  F1-score  D_Time
DT          99.94     99.96      99.97   99.96     0.03         98.74     86.59      82.65   82.55     0.006
RF          99.94     99.97      99.95   99.96     0.056        96.69     71.41      77.03   67.05     0.016
GNB         77.47     77.47      100     87.30     0.12         22.86     1.76       7.70    2.86      0.16
K-NN        93.53     93.97      97.93   95.91     195.57       99.17     95.45      92.09   93.59     28.77


Table 10  Performance of the machine learning models after applying feature selection and SMOTE on the CIC-DDoS2019 dataset (D_Time is the detection time in seconds)

Classifier  Level-1 of Detection                                Level-2 of Detection
            Accuracy  Precision  Recall  F1-score  D_Time       Accuracy  Precision  Recall  F1-score  D_Time
DT          99.97     99.99      99.98   99.98     0.020        99.82     99.82      99.82   99.82     0.004
RF          99.97     99.99      99.97   99.98     0.06         96.14     96.57      96.14   96.25     0.018
GNB         98.32     99.33      98.48   98.91     0.068        52.67     46.87      52.68   43.36     0.034
K-NN        88.85     95.33      90.01   92.60     174.25       99.61     99.64      99.61   99.62     13.50


Fig. 9  Confusion matrices for various ML algorithms at the first level: comparison between unbalanced
data with all features and data with selected features after applying SMOTE on the CIC-DDoS2019 data-
set

5 Discussion

The choice of the best model depends on the specific requirements of the intru-
sion detection system, considering factors such as accuracy, computational effi-
ciency, and the trade-offs acceptable for IoT. The Decision Tree, in particular,
performs well while consuming less time than the Random Forest. This effi-
ciency can be attributed to the simplicity of a single tree and its faster pre-
diction compared to the ensemble of trees in a Random Forest. K-NN is a lazy
learner: it stores the training set and, at prediction time, computes the distance
from each test point to every stored sample, so its detection time grows with
the size of the dataset (see the D_Time columns of Tables 9 and 10), making it
computationally expensive for larger IoT datasets. The simplicity of GNB and its
assumption of independence among features make it computationally efficient;
however, its accuracy suffers when the features are not truly independent, as is
the case with our selected features. Therefore, we used the Decision Tree as the
classifier when comparing our proposed model with other recent works. Our pro-
posed model addresses several limitations found in related works by employing
a unified approach that effectively balances accuracy and detection time, mak-
ing it suitable for real-time applications through faster data processing and
feasible for deployment in resource-constrained IoT environments. It overcomes
the issue of class imbalance, which many state-of-the-art methods struggle with.
Additionally, by utilizing hybrid feature selection techniques, our model selects
the important features and reduces data dimensionality, thereby


Fig. 10  Confusion matrices for the machine learning algorithms at the second level based on CIC-
DDoS2019 dataset: comparison between unbalanced data with all features and data with selected fea-
tures after applying SMOTE


Table 11  Comparison with other models based on the BoT-IoT dataset (Type: ML = machine learning, DL = deep learning)

Ref (year)   Type  Level-1 of Detection (Binary Classification)     Level-2 of Detection (Multi-Classification)
                   Accuracy  Precision  Recall  F1-score            Accuracy  Precision  Recall  F1-score
[21] (2020)  ML    99.99     99.99      99.99   99.99               99.68     99.70      99.67   99.69
[44] (2021)  ML    99.99     99.99      99.99   99.99               98.923    98.91      98.90   98.90
[17] (2022)  ML    94.85     99.28      96.23   99.99               –         –          –       –
[13] (2023)  ML    99.99     99.99      99.99   99.99               –         –          –       –
[10] (2024)  ML    99.50     –          –       –                   –         –          –       –
[51] (2024)  ML    –         –          –       –                   99.00     99.04      –       –
[48] (2021)  DL    94.00     95.00      93.00   94.00               –         –          –       –
[47] (2022)  DL    92.85     –          –       –                   95.55     –          –       –
[50] (2023)  DL    97.37     97.32      99.52   98.62               –         –          –       –
[52] (2024)  DL    99.68     99.30      99.11   99.21               –         –          –       –
Proposed     ML    100       100        100     100                 99.99     99.99      99.99   99.99

The last row gives the results of the proposed model

Table 12  Comparison with other models based on the TON-IoT dataset (Type: ML = machine learning, DL = deep learning)

Ref (year)   Type  Level-1 of Detection (Binary Classification)     Level-2 of Detection (Multi-Classification)
                   Accuracy  Precision  Recall  F1-score            Accuracy  Precision  Recall  F1-score
[46] (2021)  ML    98.20     98.90      95.90   97.40               97.80     97.80      97.80   97.80
[45] (2022)  ML    97.86     –          –       99.00               98.05     –          –       98.00
[12] (2023)  ML    99.48     –          –       –                   –         –          –       –
[54] (2024)  ML    94.488    88.960     97.131  92.866              96.321    93.119     84.555  88.631
[54] (2024)  ML    97.313    95.804     96.988  96.393              95.757    98.199     86.515  87.836
[49] (2021)  DL    –         –          –       –                   99.47     –          –       99.00
[19] (2022)  DL    89.00     91.00      90.00   90.00               –         –          –       –
[53] (2023)  DL    –         –          –       –                   90.57     89.59      –       88.87
Proposed     ML    100       100        100     100                 99.99     99.99      99.99   99.99

The last row gives the results of the proposed model; [54] appears twice because two ensemble variants are reported

reducing resource consumption and processing time. Also, it not only detects an
attack but also identifies the type of attack, which is important for administrators
to take suitable countermeasures.


Table 13  Comparison with other models based on the CIC-DDoS2019 dataset (Type: ML = machine learning, DL = deep learning)

Ref (year)   Type  Level-1 of Detection (Binary Classification)        Level-2 of Detection (Multi-Classification)
                   Accuracy     Precision  Recall  F1-score            Accuracy  Precision  Recall  F1-score
[57] (2023)  ML    –            –          –       –                   68.90     –          –       –
[55] (2023)  ML    99.86        99.78      99.81   99.80               –         –          –       –
[58] (2024)  ML    –            –          –       –                   99.7      –          –       –
[60] (2023)  DL    99.99        99.99      99.99   99.99               99.54     98.00      99.00   98.00
[56] (2023)  DL    93.41–97.58  –          –       –                   –         –          –       –
[59] (2024)  DL    99.99        –          –       –                   93.62     –          –       –
Proposed     ML    99.97        99.99      99.98   99.98               99.82     99.82      99.82   99.82

The last row gives the results of the proposed model; the year of [60] follows its entry in the reference list

Fig. 11  Comparison with other models based on Detection Time

6 Conclusion

This paper presents the design and development of an Anomaly Intrusion Detection
System (AIDS) with high efficiency and minimal detection time, making it well suited
to real-time applications. To achieve this, a unified model is proposed that follows
four main steps: data acquisition, preprocessing, feature selection, and classifica-
tion. To ensure efficient preprocessing, the BoT-IoT, TON-IoT, and CIC-DDoS2019
datasets undergo a thorough preparation process. Subsequently, a filter-wrapper
hybridization approach is applied to select the features and optimize resource usage
for IoT devices. In the classification stage, detection is organized in two levels:
the first level determines whether the packet is normal or an attack, while the
second level identifies the type of the detected attack. To achieve accurate classi-
fication, state-of-the-art machine learning classifiers, namely Decision Tree, Random
Forest, K-Nearest Neighbor, and Gaussian Naive Bayes, are implemented. The proposed
model's effectiveness is validated using tenfold stratified cross-validation, which
demonstrates its high accuracy within a short time. While the proposed approach has
shown promising results, there is ample room for improvement through the exploration
and evaluation of dimensionality reduction techniques. Additionally, deep learning-
based approaches will be a key area of investigation, leveraging their capability to
extract high-level discriminating features. These efforts aim to refine and advance
the model, ensuring its adaptability to evolving threats and strengthening its overall
performance in IoT network security.

Author contributions Conceptualization: A.G.A., N.A.H., and N.A.S.; Formal analysis: N.A.H.; Investigation:
N.A.H.; Methodology: A.G.A., N.A.H., and N.A.S.; Project administration: N.A.H. and N.A.S.; Supervision:
N.A.H. and N.A.S.; Validation: N.A.H. and N.A.S.; Visualization: A.G.A. and N.A.S.; Writing—original draft:
A.G.A., N.A.H., and N.A.S.; Writing—review and editing: A.G.A., N.A.H., and N.A.S. All authors have read
and agreed to the published version of the manuscript.

Funding Open access funding provided by The Science, Technology & Innovation Funding Authority
(STDF) in cooperation with The Egyptian Knowledge Bank (EKB).

Data availability BoT-IoT: https://cloudstor.aarnet.edu.au/plus/s/umT99TnxvbpkkoE
TON-IoT: https://cloudstor.aarnet.edu.au/plus/s/ds5zW91vdgjEj9i
CIC-DDoS2019: https://data.mendeley.com/datasets/ssnc74xm6r/1

Code availability https://github.com/AYAD-AYA/Hybrid-Feature-Selection.git

Declarations
Conflict of interest The authors declare no conflict of interest.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License,
which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long
as you give appropriate credit to the original author(s) and the source, provide a link to the Creative
Commons licence, and indicate if changes were made. The images or other third party material in this
article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line
to the material. If material is not included in the article's Creative Commons licence and your intended
use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permis-
sion directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/
licenses/by/4.0/.

References
1. Koohang A, Sargent CS, Nord JH, Paliszkiewicz J (2022) Internet of things (IoT): from awareness to continued use. Int J Inf Manag 62:102442. https://doi.org/10.1016/j.ijinfomgt.2021.102442
2. Hussain F (2017) Internet of things: building blocks and business models. Springer, Berlin
3. Hussain F, Hussain R, Hassan SA, Hossain E (2020) Machine learning in IoT security: current solutions and future challenges. IEEE Commun Surv Tutor 22(3):1686–1721. https://doi.org/10.1109/COMST.2020.2986444
4. Ali O, Ishak MK, Bhatti MKL (2021) Emerging IoT domains, current standings and open research challenges: a review. PeerJ Comput Sci 7:659. https://doi.org/10.7717/peerj-cs.659
5. Jeyanthi D, Indrani B (2022) Intrusion detection system intensive on securing IoT networking environment based on machine learning strategy. In: Intelligent Data Communication Technologies and Internet of Things. Springer, pp 139–157. https://doi.org/10.1007/978-981-16-7610-9_11
6. Panigrahi R, Borah S, Bhoi AK, Mallick PK (2020) Intrusion detection systems (IDS): an overview with a generalized framework. In: Cognitive Informatics and Soft Computing, pp 107–117. https://doi.org/10.1007/978-981-15-1451-7_11
7. Khraisat A, Gondal I, Vamplew P, Kamruzzaman J (2019) Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity 2(1):1–22. https://doi.org/10.1186/s42400-019-0038-7
8. Thakkar A, Lohiya R (2021) A review on machine learning and deep learning perspectives of IDS for IoT: recent updates, security issues, and challenges. Arch Comput Methods Eng 28(4):3211–3243. https://doi.org/10.1007/s11831-020-09496-0
9. Lin K, Xu X, Xiao F (2022) MFFusion: a multi-level features fusion model for malicious traffic detection based on deep learning. Comput Netw 202:108658. https://doi.org/10.1016/j.comnet.2021.108658
10. Habeeb MS, Babu TR (2024) Coarse and fine feature selection for network intrusion detection systems (IDS) in IoT networks. Trans Emerg Telecommun Technol 35(4):4961
11. Sun Z, An G, Yang Y, Liu Y (2024) Optimized machine learning enabled intrusion detection system for internet of medical things. Frankl Open 6:100056
12. Dey AK, Gupta GP, Sahu SP (2023) Hybrid meta-heuristic based feature selection mechanism for cyber-attack detection in IoT-enabled networks. Procedia Comput Sci 218:318–327
13. Mohy-eddine M, Guezzaz A, Benkirane S, Azrour M (2023) An efficient network intrusion detection model for IoT security using K-NN classifier and feature selection. Multimed Tools Appl 82:1–19
14. Azar AT, Shehab E, Mattar AM, Hameed IA, Elsaid SA (2023) Deep learning based hybrid intrusion detection systems to protect satellite networks. J Netw Syst Manag 31(4):82
15. Sharma B, Sharma L, Lal C, Roy S (2023) Anomaly based network intrusion detection for IoT attacks using deep learning technique. Comput Electr Eng 107:108626
16. Dina AS, Siddique A, Manivannan D (2023) A deep learning approach for intrusion detection in internet of things using focal loss function. Internet Things 22:100699
17. Kareem SS, Mostafa RR, Hashim FA, El-Bakry HM (2022) An effective feature selection model using hybrid metaheuristic algorithms for IoT intrusion detection. Sensors 22(4):1396. https://doi.org/10.3390/s22041396
18. Sharma B, Sharma L, Lal C (2022) Feature selection and deep learning technique for intrusion detection system in IoT. In: Proceedings of International Conference on Computational Intelligence. Springer, pp 253–261. https://doi.org/10.1007/978-981-16-3802-2_21
19. Adeniyi EA, Folorunso SO, Jimoh RG (2022) A deep learning-based intrusion detection technique for a secured IoMT system. In: Informatics and Intelligent Applications: First International Conference, ICIIA 2021, Ota, Nigeria, November 25–27, 2021, Revised Selected Papers. Springer Nature, p 50. https://doi.org/10.1007/978-3-030-95630-1_4
20. Hikal NA, Elgayar M (2020) Enhancing IoT botnets attack detection using machine learning-IDS and ensemble data preprocessing technique. In: Internet of Things—Applications and Future. Springer, pp 89–102. https://doi.org/10.1007/978-981-15-3075-3_6
21. Ullah I, Mahmoud QH (2020) A two-level flow-based anomalous activity detection system for IoT networks. Electronics 9(3):530. https://doi.org/10.3390/electronics9030530
22. Mohy-eddine M, Guezzaz A, Benkirane S, Azrour M (2024) Malicious detection model with artificial neural network in IoT-based smart farming security. Cluster Comput 2024:1–16
23. Disha RA, Waheed S (2022) Performance analysis of machine learning models for intrusion detection system using Gini impurity-based weighted random forest (GIWRF) feature selection technique. Cybersecurity 5(1):1–22. https://doi.org/10.1186/s42400-021-00103-8
24. Bisong E (2019) Building machine learning and deep learning models on Google Cloud Platform. Springer, Berlin. https://doi.org/10.1007/978-1-4842-4470-8
25. Dutta V, Choraś M, Pawlicki M, Kozik R (2020) A deep learning ensemble for network anomaly and cyber-attack detection. Sensors 20(16):4583. https://doi.org/10.3390/s20164583
26. Dablain D, Krawczyk B, Chawla NV (2022) DeepSMOTE: fusing deep learning and SMOTE for imbalanced data. IEEE Trans Neural Netw Learn Syst. https://doi.org/10.1109/TNNLS.2021.3136503
27. Chawla NV, Bowyer KW, Hall LO, Kegelmeyer WP (2002) SMOTE: synthetic minority over-sampling technique. J Artif Intell Res 16:321–357
28. Han J, Kamber M (2006) Data mining: concepts and techniques, 2nd edn. Morgan Kaufmann
29. Thakkar A, Lohiya R (2020) Role of swarm and evolutionary algorithms for intrusion detection system: a survey. Swarm Evol Comput 53:100631. https://doi.org/10.1016/j.swevo.2019.100631
30. Kumari B, Swarnkar T (2011) Filter versus wrapper feature subset selection in large dimensionality micro array: a review. Int J Comput Sci Inf Technol
31. Thakkar A, Lohiya R (2021) Attack classification using feature selection techniques: a comparative study. J Ambient Intell Humaniz Comput 12(1):1249–1266. https://doi.org/10.1007/s12652-020-02167-9
32. Liu H, Zhou M, Liu Q (2019) An embedded feature selection method for imbalanced data classification. IEEE/CAA J Autom Sin 6(3):703–715. https://doi.org/10.1109/JAS.2019.1911447
33. Adler J, Parmryd I (2010) Quantifying colocalization by correlation: the Pearson correlation coefficient is superior to the Mander's overlap coefficient. Cytometry A 77(8):733–742. https://doi.org/10.1002/cyto.a.20896
34. Zar JH (2005) Spearman rank correlation. Encyclop Biostat. https://doi.org/10.1002/0470011815.b2a15150
35. Shi H, Pan Y, Yang F, Cao J, Tan X, Yuan B, Jiang J (2021) Nano-SAR modeling for predicting the cytotoxicity of metal oxide nanoparticles to PaCa2. Molecules 26(8):2188. https://doi.org/10.3390/molecules26082188
36. Koroniotis N, Moustafa N, Sitnikova E, Turnbull B (2019) [dataset] Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-IoT dataset. Future Gener Comput Syst 100:779–796. https://doi.org/10.1016/j.future.2019.05.041
37. Moustafa N (2021) [dataset] A new distributed architecture for evaluating AI-based security systems at the edge: network TON_IoT datasets. Sustain Cities Soc 72:102994. https://doi.org/10.1016/j.scs.2021.102994
38. Sharafaldin I, Lashkari AH, Hakak S, Ghorbani AA (2019) Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In: 2019 International Carnahan Conference on Security Technology (ICCST). IEEE, pp 1–8
39. Refaeilzadeh P, Tang L, Liu H (2016) Cross-validation. Springer, New York, pp 1–7. https://doi.org/10.1007/978-1-4899-7993-3_565-2
40. Pal K, Patel BV (2020) Data classification with k-fold cross validation and holdout accuracy estimation methods with 5 different machine learning techniques. In: 2020 Fourth International Conference on Computing Methodologies and Communication (ICCMC). IEEE, pp 83–87. https://doi.org/10.1109/ICCMC48092.2020.ICCMC-00016
41. Olson DL, Delen D (2008) Advanced data mining techniques. Springer, Berlin
42. Hossin M, Sulaiman MN (2015) A review on evaluation metrics for data classification evaluations. Int J Data Min Knowl Manag Process 5(2):1. https://doi.org/10.5121/ijdkp.2015.5201
43. Huang J, Ling CX (2005) Using AUC and accuracy in evaluating learning algorithms. IEEE Trans Knowl Data Eng 17(3):299–310
44. Fatani A, Dahou A, Al-Qaness MA, Lu S, Elaziz MA (2021) Advanced feature extraction and selection approach using deep learning and Aquila optimizer for IoT intrusion detection system. Sensors 22(1):140. https://doi.org/10.3390/s22010140
45. Sarhan M, Layeghy S, Portmann M (2022) Towards a standard feature set for network intrusion detection system datasets. Mobile Netw Appl 27(1):357–370. https://doi.org/10.1007/s11036-021-01843-0
46. Gad AR, Nashat AA, Barkat TM (2021) Intrusion detection system using machine learning for vehicular ad hoc networks based on ToN-IoT dataset. IEEE Access 9:142206–142217. https://doi.org/10.1109/ACCESS.2021.3120626
47. Saba T, Rehman A, Sadad T, Kolivand H, Bahaj SA (2022) Anomaly-based intrusion detection system for IoT networks through deep learning model. Comput Electr Eng 99:107810. https://doi.org/10.1016/j.compeleceng.2022.107810
48. Shareena J, Ramdas A, Haripriya AP et al (2021) Intrusion detection system for IoT botnet attacks using deep learning. SN Comput Sci 2(3):1–8. https://doi.org/10.1007/s42979-021-00516-9
49. Idrissi I, Azizi M, Moussaoui O (2021) Accelerating the update of a DL-based IDS for IoT using deep transfer learning. Indones J Electr Eng Comput Sci 23(2):1059–1067. https://doi.org/10.11591/ijeecs.v23.i2.pp1059-1067
50. Rihan SDA, Anbar M, Alabsi BA (2023) Approach for detecting attacks on IoT networks based on ensemble feature selection and deep learning models. Sensors 23(17):7342
51. Aldaej A, Ullah I, Ahanger TA, Atiquzzaman M (2024) Ensemble technique of intrusion detection for IoT-edge platform. Sci Rep 14(1):11703
52. Geetha R, Jegatheesan A, Dhanaraj RK, Vijayalakshmi K, Nayyar A, Arulkumar V, Velmurugan J, Thavasimuthu R (2024) CVS-FLN: a novel IoT-IDS model based on metaheuristic feature selection and neural network classification model. Multimed Tools Appl 2024:1–35
53. Ding W, Abdel-Basset M, Mohamed R (2023) DeepAK-IoT: an effective deep learning model for cyberattack detection in IoT networks. Inf Sci 634:157–171
54. El Hajla S, El Mahfoud Ennaji YM, Mounir S (2024) Enhancing IoT network defense: advanced intrusion detection via ensemble learning techniques. Indones J Electr Eng Comput Sci 35(3):2010–2020
55. Thiyam B, Dey S (2023) Efficient feature evaluation approach for a class-imbalanced dataset using machine learning. Procedia Comput Sci 218:2520–2532
56. Aktar S, Nur AY (2023) Towards DDoS attack detection using deep learning approach. Comput Secur 129:103251
57. Hamarshe A, Ashqar HI, Hamarsheh M (2023) Detection of DDoS attacks in software defined networking using machine learning models. In: International Conference on Advances in Computing Research. Springer, pp 640–651
58. Ramesh Kumar M, Sudhakaran P (2024) Securing IoT networks: a robust intrusion detection system leveraging feature selection and LGBM. Peer-to-Peer Netw Appl 2024:1–23
59. Anley MB, Genovese A, Agostinello D, Piuri V (2024) Robust DDoS attack detection with adaptive transfer learning. Comput Secur 144:103962
60. Ramzan M, Shoaib M, Altaf A, Arshad S, Iqbal F, Castilla ÁK, Ashraf I (2023) Distributed denial of service attack detection in network traffic using deep learning algorithm. Sensors 23(20):8642
61. Xiao W (2017) An online algorithm for nonparametric correlations. arXiv preprint arXiv:1712.01521
62. Choi D, Li L, Liu H, Zeng L (2020) A recursive partitioning approach for subgroup identification in brain-behaviour correlation analysis. Pattern Anal Appl 23(1):161–177
63. Knight WR (1966) A computer method for calculating Kendall's tau with ungrouped data. J Am Stat Assoc 61(314):436–439
64. Huang X, Zhang L, Wang B, Li F, Zhang Z (2018) Feature clustering based support vector machine recursive feature elimination for gene selection. Appl Intell 48:594–607
65. Sani HM, Lei C, Neagu D (2018) Computational complexity analysis of decision tree algorithms. In: Artificial Intelligence XXXV: 38th SGAI International Conference on Artificial Intelligence, AI 2018, Cambridge, UK, December 11–13, 2018, Proceedings, vol 38. Springer, pp 191–197

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps
and institutional affiliations.

Authors and Affiliations

Aya G. Ayad (1) · Nehal A. Sakr (1) · Noha A. Hikal (1)

* Aya G. Ayad (corresponding author)
[email protected]
Nehal A. Sakr
[email protected]
Noha A. Hikal
[email protected]

(1) Information Technology Department, Faculty of Computers and Information, Mansoura
University, Mansoura 35516, Egypt


