Journal of Network and Computer Applications 230 (2024) 103980

Contents lists available at ScienceDirect

Journal of Network and Computer Applications

journal homepage: www.elsevier.com/locate/jnca

Research paper

A lightweight SEL for attack detection in IoT/IIoT networks

Sulyman Age Abdulkareem a ,∗, Chuan Heng Foh a , François Carrez a , Klaus Moessner a,b
a
5GIC & 6GIC, Institute for Communication Systems, University of Surrey, Guildford, GU2 7XH, UK
b
Faculty of Electronics and Information Technology, Technical University Chemnitz, Germany

ARTICLE INFO ABSTRACT

Keywords: Intrusion detection systems (IDSs) that continuously monitor data flow and take swift action when attacks
Network intrusion detection (NID) are identified safeguard networks. Conventional IDS exhibit limitations, such as reduced detection rates and
Machine learning (ML) increased computational complexity, attributed to the redundancy and substantial correlation of network data.
Ensemble learning (EL)
Ensemble learning (EL) is effective for detecting network attacks. Nonetheless, network traffic data and memory
Internet-of-Things (IoT)
space requirements are typically significant. Therefore, deploying the EL approach on Internet-of-Things (IoT)
Industrial-Internet-of-Things (IIoT)
Feature importance (FI)
devices with limited memory is challenging. In this paper, we use feature importance (FI), a filter-based feature
Stack ensemble learner (SEL) selection technique for feature dimensionality reduction, to reduce the feature dimensions of an IoT/IIoT
network traffic dataset. We also employ lightweight stacking ensemble learning (SEL) to appropriately identify
network traffic records and analyse the reduced features after applying FI to the dataset. Extensive experiments
use the Edge-IIoTset dataset containing IoT and IIoT network records. We show that FI reduces the storage
space needed to store comprehensive network traffic data by 86.9%, leading to a significant decrease in
training and testing time. Regarding accuracy, precision, recall, training and test time, our classifier that
utilised the eight best dataset features recorded 87.37%, 90.65%, 77.73%, 80.88%, 16.18 s and 0.10 s for
its overall performance. Despite the reduced features, our proposed SEL classifier shows insignificant accuracy
compromise. Finally, we pioneered the explanation of SEL by using a decision tree to analyse its performance
gain against single learners.

1. Introduction
The continual growth of the Internet of Things (IoT) industry glob-
ally can be primarily attributed to the rising number of Internet-
connected devices. Technology such as processors, sensors, and com-
munication devices gather, communicate, and act on information about
their environs. However, the expansion and adoption of IoT have
highlighted security concerns, notably with the protection of data and
linked devices in IoT environments. Concerns about security in the IoT
have inspired the development of some security solutions. The solu-
tions encompass various tactics that preserve confidentiality, integrity,
and data authentication and control IoT network access, privacy, and
user-device trust (Santos et al., 2018).
However, the IoT network remains susceptible to intrusion even
with these frameworks. Incorporating a number of IoT-focused net-
work intrusion detection systems (NIDS) into the IoT network is a
consequence of these concerns. The Industrial Internet of Things (IIoT)
is a subset of the broader IoT, predominantly employed within lim-
ited industrial environments. With the help of the IIoT, businesses
have been able to save money and boost output without sacrificing
quality (Zolanvari et al., 2019). Industry 4.0, known as the ‘‘fourth
industrial revolution’’, heavily relies on IIoT (Moustafa et al., 2020).
According to Newman (2020), more than 8 billion devices are con-
nected to the IoT, which is expected to increase to 41 billion by 2027.
Industry leaders in the IoT space include the automotive, smart home,
manufacturing, energy, healthcare, transportation, logistics, and media
sectors, and their combined market size is expected to grow from an
estimated $380 billion in 2021 to more than $1.8 trillion by 2028 at a
compound annual growth rate (CAGR) of 25.4% (Newman, 2020). The
cybersecurity community has invested considerable efforts in devising
advanced security measures and strategies to safeguard users and data
within conventional IT systems. However, IoT/IIoT-based systems can-
not immediately adopt these safeguards. The insufficiency of contem-
porary practises in addressing emerging threats that may jeopardise IoT
networks necessitates a greater emphasis on advanced forensic method-
ologies for identifying and investigating malicious actions (Koroniotis
et al., 2019). To deal with limiting factors like reduced performance,
low power, and lightweight network protocols, IoT/IIoT systems need

∗ Corresponding author.
E-mail addresses: [email protected] (S.A. Abdulkareem), [email protected] (C.H. Foh), [email protected] (F. Carrez),
[email protected], [email protected] (K. Moessner).

https://doi.org/10.1016/j.jnca.2024.103980
Received 25 February 2024; Received in revised form 10 June 2024; Accepted 16 July 2024
Available online 25 July 2024
1084-8045/© 2024 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
S.A. Abdulkareem et al.
cybersecurity solutions designed specifically for them (Ferrag et al.,
2021; Hafeez et al., 2020).
NIDS is a feasible option because it can identify and oversee attacks
throughout their lifespan. This feature enables a prompt reaction to
sophisticated and persistent threats that circumvent traditional security
measures, as indicated by recent studies (Al-Hawawreh et al., 2021;
Verma et al., 2021). NIDSs, exemplified by the work of Ghafir et al.
(2018), have been devised utilising machine learning (ML) techniques
to safeguard interconnected IoT devices from intricate network-based
attacks. These NIDS can be strategically placed within an IoT/IIoT
network. Precisely, ensemble learning (EL), a highly advanced ML
technique, offers a one-of-a-kind capability for identifying attacks in
high-speed, extensive network data produced by interconnected, het-
erogeneous IoT devices. A type of EL is Stack Ensemble Learning
(SEL), which involves two levels of learning: base learning and meta-
learning. Base learning considers various weak learners trained using
the same input data set to produce classification outcomes. Meta-
learning then learns how to best combine the outcomes from the weak
learners to produce the final output. Utilising network intrusion de-
tection (NID) techniques commonly employed in traditional computer
networks may not be appropriate for detecting attacks in IoT devices
due to their significant computational and storage requirements, which
are constrained by the limited resources of IoT devices (Chaabouni
et al., 2019). To achieve optimal classification performance for attack
detection in IoT networks using ML techniques, obtaining substantial
network traffic data is imperative, as Wang et al. (2020) suggested in
their study for training and testing purposes.
Notwithstanding, the phenomenon known as the curse of dimen-
sionality, as explained by Bellman (1961), may manifest itself during
the processing and analysis of high-dimensional network traffic data.
Furthermore, the occurrence of Hughes phenomena (Wang et al., 2017)
is possible when developing ML classifiers utilising high-dimensional
data. Complexity, ample computational resources, and large amounts
of storage space are required for handling high-dimensional data (Luo
et al., 2018; Peng et al., 2018). The vast network traffic data needed
for SEL is sometimes too substantial to store on IoT devices. Thus,
there is a need for an SEL-based approach to detect attacks that can
efficiently detect advanced and contemporary IoT/IIoT attacks utilising
low-dimensional network traffic data, considering the current level of
advancement in the field. Anomaly-based and signature-based are the
two primary categories of NIDS. Like antivirus software, the signature-
based variety conducts thorough packet checks on the payload of
network packets to identify attacks. This IDS has a high detection rate
but has the significant drawback of not detecting zero-day attacks when
known signatures are tweaked. In opposition to the prior kind, the
anomaly-based type seeks out data patterns in networks that deviate
from the norm (Chandola et al., 2009). This form of IDS can spot day-
zero attacks in the network. Nevertheless, the approach exhibits certain
limitations, including a protracted duration for classifier training, an
elevated incidence of false positives, and a substantial consumption of
computational resources. After training with the network features, it
uses ML classifiers to distinguish between normal and attack network
packets. The final predictions made by ML classifiers rely on these
extracted features.
The Edge-IIoTset dataset, as presented by Ferrag et al. (2022), is a
novel, publicly accessible dataset that caters to the detection of attacks
in IoT/IIoT networks. This dataset is noteworthy for its ability to pro-
vide a wide range of IoT/IIoT network traffic records, comprehensive
network information, and intricate attack scenarios. Furthermore, it
was released in 2022 to address the limitations of previous IoT datasets.
One is that the previous datasets only had a singular IoT or IIoT traffic
type and not a combination of the two in a single dataset. Also, it pro-
vides precise and reliable ground truth labels and a substantial quantity
of labelled data for successfully implementing supervised ensemble
learning. The feature dimensionality of the dataset refers to the overall
count of network traffic features, which is precisely 61. The feature
2
Journal of Network and Computer Applications 230 (2024) 103980
dimensionality reduction methods utilised in IoT/IIoT datasets have de-
pended on other pre-existing dimensionality reduction methods. These
techniques include Critical Feature Selection (CFE) (Siddharthan and
Thangavel, 2023), Chi-square algorithm (Elsi et al., 2022), Princi-
pal Component Analysis (Dini et al., 2022), Multi-Dimensional Scal-
ing (Dini et al., 2022), and Feature Probability Estimation (FPE) (Prasad
et al., 2022).
In contrast, feature importance (FI) is a highly effective technique
that utilises the concept of importance generated by an extra tree
classifier (ETC) to identify and select a subset of features from a dataset,
resulting in a reduced-dimensional feature set. It employs ensemble
learning to fit numerous randomised decision trees to dataset sub-
samples. Each ETC decision tree is built from the original training
sample and receives a random sample of k features from the feature set
at each test node. This random feature sampling is a key aspect of ETC,
ensuring the decision trees are de-correlated. The tree then chooses
the best feature to split the data according to mathematical criteria
(typically the Entropy). All input features are scored to determine
their importance, with high scores indicating the features with a more
significant impact on the classifier. This technique is used to reduce the
feature dimension of the Edge-IIoTset dataset. In addition, SEL is an ML
technique comprised of aggregated single classifiers in two tiers: base
(first classification tier) and meta-learner (final classification tier). In
our design, the SEL technique is constructed using three single classi-
fiers, Decision Tree (DT), Naive Bayes (NB), and Logistic Regression
(LR), employed to learn the network traffic features. To reduce the
number of potential classifiers for our SEL, we analysed their efficacy
in relevant and contemporary NID investigations, such as Ahmed et al.
(2022), Abbas et al. (2022), Pai et al. (2021), Upadhyay (2021) and
Abdulkareem et al. (2022b). The three classifiers mentioned above
were utilised by Abbas et al. in Abbas et al. (2022) to construct an SEL
following an evaluation of their efficacy on the CICIDS2017 dataset,
which is not an IoT dataset. This paper proposes a novel lightweight
EL framework, namely FI-SEL, that utilises FI and the SEL classifier
for efficient attack detection in IoT/IIoT networks. The contributions
of this paper are given as follows.
(1) For feature dimension reduction, FI using an ETC is applied.
The application of this technique results in a reduction in the
dimensionality of high-volume Internet of Things network traffic
data. The process produces a reduced-dimensional depiction of
the original features while preserving crucial network data by
selecting only the most important features.
(2) We propose a SEL for network classification. This method learns
the reduced-dimensional feature sets generated by FI to differ-
entiate attack activity from normal traffic in the network.
(3) Using the Edge-IIoTset dataset, extensive tests are conducted
to evaluate the efficacy of FI-SEL in multiclass classification
instances. The study evaluated and contrasted the efficacy of
advanced optimisation classifiers to facilitate effective feature
selection, reduce dimensionality, and detect attacks in IoT/IIoT
networks.
(4) To understand the performance advantage of SEL, we analyse
the Decision Tree (DT) in SEL to explain how it improves perfor-
mance over single learners. The main benefit of this pioneering
approach is that it enables the visualisation of the decision nodes
involved in the classification process, promoting transparency
and explainability in decision-making.
More explicitly, the fourth contribution of this study comprehen-
sively examined the classification task performed by the DT classifier,
which serves as the meta-learner of the SEL classifier. In contrast to
the standalone utilisation of the DT, the decision tree of the SEL incor-
porates base learner classification outcomes into the training dataset
of the meta-learner (DT). These base learner outcomes can be seen as
expert opinions to the DT, which is the main reason behind the perfor-
mance gain of SEL. To illustrate this point, we analyse the DT outcomes
S.A. Abdulkareem et al. Journal of Network and Computer Applications 230 (2024) 103980

Table 1
Dimensionality reduction of network traffic features.
Dataset Ref. Initial features Reduction method New features Classifier Classification outcomes
Shone et al. (2018) 41 Stack deep autoencoder 28 RF Binary & multiclass
Dawoud et al. (2019) 41 Autoencoder – k-means Binary
KDD99 Schuartz et al. (2020) 41 Stacked autoencoder 5, 13 DT Binary
Wang and Wang (2017) 41 Autoencoder 18 k-means Multiclass
Shone et al. (2018) 41 Stack deep autoencoder 28 RF Binary & multiclass
Subba et al. (2016) 41 PCA 17 SVM Binary & multiclass
NLS-KDD
Gurung et al. (2019) 115 Stacked sparse autoencoder 10 LR Binary & multiclass
Rashid et al. (2022) 41 SelectKbest 20 Stacking Binary
Rashid et al. (2022) 42 SelectKbest 20 Stacking Binary
UNSW-15
Rashid et al. (2020) 42 Information gain 25 Stacking Binary & multiclass
Rashid et al. (2020) 78 Information gain 25 Stacking Binary & multiclass
CICIDS2017
Abdulhammed et al. (2019) 81 Stack sparse autoencoder 64 RF Binary & multiclass
Edge-IIoTset This paper 42 FI 8 SEL Multiclass

Table 2
Edge-IIoTset dimensionality reduction of network features.
Ref. Method No. of Features Classifier Outcomes
Ferrag et al. (2022) RF Varied DT, RF, SVM, kNN & DNN Binary & multiclass
Thiyam and Dey (2023) Feature shuffling & RF 15 RF Binary
Hazman et al. (2022) DEIGASe – XGBoost Binary
This paper FI 8 SEL Multiclass

by visualising and comparing the standalone DT with the SEL, which
uses expert opinions. Our examination provides clear evidence and
explains how SEL can achieve performance gain. Our work that uses
machine learning-based intrusion detection systems (IDSs) employing
decision trees for analysing IoT network data has not only yielded
significant advancements in classification accuracy but also led to the
explainability of the model, contributing to the enhancement of human
comprehension of the classifier.
The remaining sections of this paper are structured as follows:
Section 2 delves into current methods for reducing the number of
feature dimensions and classifying network traffic. Section 3 describes
the proposed lightweight EL framework (FI-SEL) for IoT/IIoT network
attack detection. In Section 4, comprehensive investigations are con-
ducted to evaluate the efficacy of FI-SEL. Section 5 provides an analysis
and interpretation of the experimental results, including explaining
the internal working mechanism of the SEL classifier using the DT.
Section 6 presents the conclusion and future work.
2. Related works
Most publicly accessible intrusion detection datasets contain several
record instances with numerous feature spaces. Excluding the desired
outcome, the dimension of the dataset is the number of feature spaces.
Despite various datasets for detecting network intrusions, they are as-
sociated with several limitations, including unreliable labelling, limited
attack variety, superfluous network traffic, and the lack of a definitive
standard. The KDD99 and NSL-KDD datasets are commonly employed
in research; however, they are deemed obsolete and inadequate in
capturing current normal and attack network scenarios, as evidenced by
prior scholarly investigations (Tavallaee et al., 2009; Sharafaldin et al.,
2018).
Also, as explained in the previous section, the feature dimension-
ality reduction process is pivotal in mitigating the challenges posed
by the ‘‘curse of dimensionality’’. Reducing feature dimensionality can
enhance or sustain comparable levels of classification efficacy while
mitigating the time complexity of ML classifiers. This process aims to
reduce the dimensionality of the dataset by eliminating redundant or
less significant features that make little to no contribution towards
accurate classification. Various methodologies, such as Correlation-
based Feature Selection (CFS) and Principal Component Analysis (PCA),
have been utilised in contemporary studies.
Varghese and Muniyal (2017) conducted a study using CFS and PCA
techniques to assess the efficacy of ML classifiers. PCA demonstrated
superior performance and computational efficiency compared to CFS.
Subba et al. (2016) also employed PCA for dimensionality reduction,
which resulted in lower processing resources. Eesa et al. (2015) used
the Cuttlefish Algorithm (CFA) and DT for feature selection. The three
studies utilised the KDD99 and NSL-KDD datasets for their experiment
evaluations. Both datasets are conventional and have several limita-
tions, as earlier stated. Nonetheless, the datasets do not encompass
contemporary networks or IoT traces.
In other efforts to evaluate the performance of different feature
dimensionality reduction techniques on network datasets with ensem-
ble learners, Tengl et al. (2018) proposed a collaborative intrusion
detection model using a Genetic Algorithm (GA) ensemble classifier
with optimal weighting. Zhou et al. (2020) utilised the Bat algorithm
and CFS for feature dimensionality reduction in their ensemble-based
IDS. Rajagopal et al. (2020) used SVM as the meta-classifier and applied
an entropy-based technique for feature selection, while Mehmod and
Rais (2016) used the Ant Colony Optimisation (ACO) strategy in their
investigation. The datasets utilised in the studies are NSL-KDD, AWID,
and CIC-IDS2017. Although the performance recorded by the classifiers
used in evaluating the reduced feature dimensions of the datasets
recorded optimal results, all lacked IoT traces. Also, some studies
utilised multiple datasets to assess their investigations further.
Rashid et al. (2020) evaluated ML classifiers in combination with
feature dimensionality reduction for IoT-based smart city applications.
Although the work claimed to be IoT-based, the datasets they utilised
(UNSW-NB15 and CICIDS2017) lack IoT traces. Kang and Kim (2016)
proposed a local search approach for classifying network traffic. Jiang
and Xu (2021) employed CFS and PCA methods for preprocessing net-
work traffic data. A different study by Rashid et al. (2022) introduced a
stacking ensemble method based on trees and evaluated its efficacy on
intrusion datasets. Still, none of the datasets used had IoT traces. The
significant surge in IoT-connected devices necessitates implementing
suitable security and privacy techniques to mitigate potential vulner-
abilities and attacks. Therefore, specifically trained and tested NIDSs
are urgently needed to use network traffic-capturing IoT traces. Using
ML classifiers that lack prior training with IoT traces reduces detection
efficiency within an IoT network setting. This is primarily due to a high
false alarm rate, which stems from the substantial misclassification of
network records.

3
S.A. Abdulkareem et al.
Kamaldeep et al. (2023) conducted a study on feature engineering
using ML classifiers for DDoS (Distributed Denial of Service) attack
detection in the IoT network. RF demonstrated superior performance
and computational time compared to other classifiers (LR, SVM, DT,
and MLP). Fadhilla et al. (2022) also conducted an IoT-related study
based on botnet attack detection using an SEL on three datasets. The
SEL demonstrated consistently high accuracy with a low false positive
rate and maintained reasonable training and test times. Zhao et al.
(2021) employed the PCA for feature dimensionality reduction with
the neural network (NN) on two datasets for an IoT-based study. The
three studies utilised the KDD99, UNSW-NB15, IoT-CIDDS, Aposemat
IoT-23, ToN_IoT, and Bot-IoT datasets for their experiment evaluations.
Excellent performances were reported in all the studies. However,
some datasets are conventional and have several limitations, as stated
earlier. In addition, none of the IoT datasets have traces captured in
the industrial network environment.
In Samdekar et al. (2021), Samdekar et al. employed feature dimen-
sionality reduction with Chi-Square, ExtraTree, PCA, and the Firefly
Algorithm (FA) to improve ML-based IDS. The study uses a range of
datasets in the investigation, one of which is the Bot-IoT dataset (Ko-
roniotis et al., 2019) that captures IoT traffic characteristics. Other
datasets used in the study include NSL-KDD, UNSW-NB15, and CI-
CIDS2017. The main objective of the study is to evaluate the perfor-
mance behaviour of different feature dimensionality reduction tech-
niques. Similar to previous works, most datasets used in the studies
lack IoT traces. Hence, this work is needed as we investigate the
performance of ML on a dataset with IoT traces.
While these studies reported promising results, it is essential to note
that the datasets used in most of them lack IoT traces, which is the
basis of our investigation. Also, many studies utilised single classifiers
instead of EL classifiers, which often give better classification perfor-
mance. The continuous growth in the IoT industry and the increase
in internet-connected devices necessitate an IoT-focused investigation
with ensemble learning. Some examples of feature dimensionality re-
duction techniques from the literature are shown in Table 1. We
presented the original feature dimensions, the technique for reducing
the feature dimensions, the resulting feature dimensions, the classifier,
and the classification scenarios. However, the Edge-IIoTset dataset was
not used to implement or test any dimensionality reduction techniques
presented in the table. Diverse methods for reducing the dimensionality
of network traffic features within the Edge-IIoTset dataset have been
proposed. Table 2 summarises contemporary feature reduction methods
relevant to this paper. Ferrag et al. (2022) employed the Random Forest
(RF) method, Thiyam and Dey (2023) used feature shuffling (FS) and
RF, and Hazman et al. (2022) introduced a novel anomaly detection
classifier, DEIGASe, using a stacked autoencoder and Information gain
(IG) with Genetic Algorithms (GA). However, the research authors
did not specify how many reduced features were employed to record
optimal performance.
In summary, the most advanced techniques discussed in the litera-
ture review were directed towards datasets not associated with IoT/IIoT
and ensemble learning. In contrast, the ones that employed the Edge-
IIoTset dataset in their work have used other dimensionality reduction
approaches. Therefore, there is a need to investigate the performance of
a feature dimensionality reduction technique on an IoT dataset with an
ensemble learning classifier. Furthermore, the approach for reducing
features and the required computational resources vary for different
reduction dimensionality techniques. This is essential as the IoT/IIoT
devices have limited computational resources. Using only the most im-
portant features during the classifier training is essential; hence, there
is a need for a lightweight ML classifier. The proposed feature dimen-
sionality reduction technique for the IoT/IIoT dataset involves using the
FI technique to retain only highly correlated features with the target
labels. Combining the feature dimensionality reduction technique with
the SEL classifier aims to minimise the computational requirements
for the proposed solution. This reduces the feature dimensionality to
4
Journal of Network and Computer Applications 230 (2024) 103980
only the most important features. In addition, many literature studies
utilised single classifiers in their work. There is a need to assess the
performance of SEL classifiers on IoT network data to determine their
classification efficacy and, more importantly, investigate and explain
how the SEL classifier gains performance improvements.
3. IoT/IIoT attack detection based on the SEL
This section presents FI-SEL, a lightweight EL framework designed
to detect attacks efficiently in IoT/IIoT networks. We then describe the
FI and SEL methods separately.
3.1. FI dimensionality reduction technique
Handling high-dimensional data, commonly known as the curse of
dimensionality, is difficult in practice. If the dimensionality of the input
dataset increases, any ML classifier will become more complex. As the
number of features increases, the chance of overfitting also increases.
Hence, reducing the number of features is often required, which can
be done with dimensionality reduction. Feature Importance (FI) is a
variant of the filter-based dimensionality reduction technique. It uses
Extra Tree Classifier (ETC) to aggregate feature classification outcomes
from multiple de-correlated decision trees derived from a forest. The
decision tree construction process employed by the ETC utilises the
entirety of the original features of the dataset. The tree received by each
test node comprises a randomly selected subset of features from a more
extensive feature set. Each decision tree selects the optimum feature for
data partitioning based on the Information Gain and Entropy formulas
(1) and (2). Fig. 1 illustrates the dataset features and their importance
scores.
∑ |𝐸𝑣|
𝐺𝑎𝑖𝑛(𝐸, 𝐴) = 𝐸𝑛𝑡𝑟𝑜𝑝𝑦 (𝐸) − 𝐸𝑛𝑡𝑟𝑜𝑝𝑦 (𝐸𝑣) (1)
𝑣∈𝑉 𝑎𝑙𝑢𝑒𝑠(𝐴)
𝐸
and
∑
𝑐
( )
𝐸𝑛𝑡𝑟𝑜𝑝𝑦 (𝐸) = 𝑝𝑖 𝑙𝑜𝑔 2 𝑝𝑖 (2)
𝑖=1
where 𝐸 is the entropy value, and 𝐴 is the dataset feature. The
quantity 𝑐 represents the number of category labels, and 𝑝𝑖 signifies
the proportion of samples within category 𝑖.
3.2. Ensemble learning
An SEL classifier can be developed using the same (homogeneous)
or dissimilar (heterogeneous) base and meta-learning classifiers. The
fundamental distinction between stacking and other ensembles is that
the final classification is based on meta-level learning. The basic prin-
ciple of an ensemble learning classifier is to amalgamate multiple weak
learners to construct a single robust learner (Bagui and Li, 2021). The
SEL framework utilises a hierarchical system of classification, where the
initial classification of instances is performed using base learners at the
first tier. Once the outputs of the base learners have been predicted, the
meta-learner learns them during its training process. Upon rectifying
the losses incurred by the base learners, the final classification is
generated by the second-tier classifier (meta-learner) (Qaddoura et al.,
2021). In SEL, meta-learning classifies using the default dataset fea-
tures and the predictions of the base learners. One can view the base
learner as an expert. Then, the meta-learning will have the advantage
of accessing expert opinions in its learning process, which is the critical
factor leading to its more optimal performance. The SEL classifier can
be built by implementing the following procedure:
• The whole Edge-IIoTset dataset is split into training and test sets.
• Using the training set, train 𝑘 number of base learners 𝑊 𝐶. Upon
completion of the training cycle, 𝑘 additional features will be
incorporated into the training dataset to denote the classification
predictions of the 𝑘 base learners (i.e., expert opinions).
S.A. Abdulkareem et al.
Fig. 1. IoT/IIoT attack detection architecture.
• The process of generating optimal final predictions on test data
involves the meta-learner utilising the Level 1 prediction and
learning insight on the most effective approach to combine the
predictions of the base classifiers that underlie it.
Fig. 1 depicts the IoT/IIoT network intrusion detection architecture
of our work, while Algorithm 1 illustrates the general SEL algorithm.
Algorithm 1 Stack Ensemble Learning
⊳ Base-Learning Step
{ }𝑁
Input: The Whole Dataset 𝐷 = x𝑖 , 𝑦𝑖 𝑖=1 x𝑖 ∈ 𝑋, 𝑦𝑖 ∈ 𝑌
Output: The labels (WL) predicted by the weak classifiers
The dataset 𝐷 should be split into two distinct sets, namely, a training set 𝑆1 and a test
set 𝑆2 , with sizes of 80% and 20%, respectively.
Step one: Utilise base-learning classifiers
for 𝑘 ← 1 𝑡𝑜 𝑚 do
Train base learners (expert opinions) 𝑊 𝐶𝑘 dependent on 𝑆1
Test base learners (expert opinions) 𝑊 𝐶𝑘 using 𝑆2 and get the predictions 𝑊 𝐿𝑘
end for
⊳ Meta-Learning Step
Input: The labels (WL) predicted by the ensemble classifiers
Output: The final labels (EL) predicted by the weak classifiers
for 𝑖 = 1 do
′
Create an ensemble dataset 𝐷 = 𝐹 ∪ 𝑊 𝐿
Utilise a meta-learning classifier
Train meta-learner 𝐸𝐶 dependent on 𝐷
′ from diverse origins, including notifications, computational resources,
Test meta-learner 𝐸𝐶 using 𝑆2 and get the predictions 𝐸𝐿
Calculate the accuracy and other metrics of the Ensemble Learner
end for
4. Network traffic classification and dimensionality reduction
To determine how well the lightweight SEL framework mentioned
in Section 3 (FI-SEL) works at detecting attacks in IoT/IIoT networks,
we present the implementation in this section and conduct extensive
5
Journal of Network and Computer Applications 230 (2024) 103980
experiments with the Edge-IIoTset (Ferrag et al., 2022) to evaluate its
efficacy for detecting attacks in IoT/IIoT networks. All experimental
simulations were executed on a 64-bit Windows 11-powered computer
running the Python programming language.
4.1. The datasets and preprocessing
In 2022, Ferrag et al. (2022) created a cyber security dataset
for IoT and IIoT applications, named Edge-IIoTset, which is compre-
hensive, realistic, and designed for machine learning-based intrusion
detection. Specifically, the dataset was developed with a purpose-built
IoT/IIoT testbed containing many sample devices, sensors, protocols,
and cloud/edge setups. Over ten IoT devices (low-cost digital sensors
for measuring temperature and humidity, ultrasonic sensors, water
level detection sensors, pH sensor metres, soil moisture sensors, heart
rate sensors, and flame sensors) are responsible for generating IoT data.
Additionally, the authors discern and assess 14 instances of attacks on
communication protocols for IoT and IIoT, categorised into five distinct
types of threats: Distributed Denial of Service (DDoS) attacks, Informa-
tion gathering, Man-in-the-middle attacks, Injection attacks, and Mal-
ware attacks. Furthermore, the researchers derived 61 novel features
records, and network communication. During the data preprocessing,
we identified and removed 19 redundant features from this dataset
based on the original dataset paper (Ferrag et al., 2022): (1) frame.time;
(2) ip.src_host ; (3) ip.dst_host ; (4) arp.dst.proto_ipv4; (5) arp.src.proto_ipv4;
(6) http.file_data; (7) http.request.uri.query; (8) http.request.method; (9)
http.referer; (10) http.request.full_uri; (11) http.request.version; (12)
tcp.options; (13) tcp.payload; (14) tcp.srcport ; (15) dns.qry.name.len,
(16) mqtt.conack.flags; (17) mqtt.msg ; (18) mqtt.protoname, and (19)
mqtt.topic. A description of these features is given in the original
S.A. Abdulkareem et al.
Table 3
Instances of the Edge-IIoTset dataset.
IoT traffic Label name Instances
Normal Normal 24 301
DDoS 49 396
Information gathering 21 148
Attacks Man in the middle 1214
Injection 30 632
Malware 31 109
Normal: 24,301 (15.4%)
Class distribution
Attacks: 133,499 (84.6%)
Total number of all instances 157,800
paper (Ferrag et al., 2022). After removing these 19 features, the 42
remaining features are retained to depict a record sample of the net-
work traffic. The distribution of the dataset employed in our experiment
is presented in Table 3. Network traffic features are normalised using
the min–max normalisation scalar to mitigate potential bias towards
specific features. To ensure efficient training of our SEL classifier, the
remaining features were subjected to normalisation, resulting in their
values being scaled between 0 and 1. In addition, the dataset was
split into two, with 80% used for training and 20% for testing the
classifiers, similar to the work of Li et al. (2022). Furthermore, we only
consider the multiclass categories Attack_type labels of the dataset as our
classification target. The labels are converted into a range of 0 to 5 for
all six network record types.
4.2. Feature dimension reduction with FI
The FI technique is used to reduce the feature dimensionality and
data size of Original-F to enable the storage of network traffic data
within the constrained memory capacity of IoT devices. In Section 3.1,
we covered the fundamental premise of the operation. We examined
and compared the performance of the FI technique to those of three
state-of-the-art feature dimensionality reduction methods: RF (Ferrag
et al., 2022), Feature shuffling (FS) & RF (Thiyam and Dey, 2023),
and DEIGASe (Hazman et al., 2022). The feature dimensionality reduc-
tion outcomes generated by the FI, RF (Ferrag et al., 2022), Feature
shuffling & RF (Thiyam and Dey, 2023), and DEIGASe (Hazman et al.,
2022) methods are referred to as RF-F, FS & RF-F, and DEIGASe-F,
respectively.
4.3. IoT/IIoT network classification using SEL
Using the IoT/IIoT dataset and the low-dimensional feature set, FI-F,
multiclass lightweight SEL, was devised to detect normal network and
attack traffic accurately. The SEL was constructed using homogeneous
and heterogeneous base learners. Sollich and Krogh’s research (Sollich
and Krogh, 1995) stated that implementing ensemble learners can yield
better outcomes in cases with considerable diversity among the base
learners. Similar to previous works (Abbas et al., 2022; Abdulkareem
et al., 2022a), we employed three established single classifiers to
develop the heterogeneous SEL classifier: LR, NB, and DT. These three
classifiers were selected based on our literature review, which revealed
that DL and NN necessitate significant computational resources due to
their use of numerous hidden layers. Furthermore, increasing the hid-
den layers in DL may yield superior outcomes. However, it is essential
to note that DL is inherently complex. Hence, the reason for adopting
these single learners was mentioned earlier.
In addition, the performance of the lightweight SEL classifier on the
dataset was analysed to determine how well it detects IoT/IIoT network
intrusions. Consequently, we compared its classification performance
to other single and SEL classifiers and deduced that it outperformed
them. We also examined and compared its performance when a reduced
number of features were applied to classify network traffic efficiently.
6
Journal of Network and Computer Applications 230 (2024) 103980
Table 4
Performance metrics used for evaluation.
Metric Equation
Accuracy (𝑇 𝑃 + 𝑇 𝑁)∕(𝑇 𝑃 + 𝐹 𝑃 + 𝑇 𝑁 + 𝐹 𝑁)
Precision (𝑇 𝑃 ∕(𝑇 𝑃 + 𝐹 𝑃 ))
Recall (𝑇 𝑃 ∕(𝑇 𝑃 + 𝐹 𝑁))
F1-score (2 ∗ 𝑃 𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 ∗ 𝑅𝑒𝑐𝑎𝑙𝑙)∕(𝑃 𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 + 𝑅𝑒𝑐𝑎𝑙𝑙)
The efficacy of the classifier was assessed through training and testing
sets. The optimal number of reduced feature dimensions for the SEL
classifier was determined by analysing the accuracy, precision, recall,
f1-score, training, and test time of the classifier. The study further
compared the optimal lightweight SEL classifier with state-of-the-art
classifiers. The results indicated that the former outperformed the
latter in terms of overall performance metrics. Additionally, we used
a Decision Tree classifier to demonstrate and explain the performance
gain of the SEL classifier. Our study established an in-depth insight into
how the SEL classifier improves performance against a DT-based learner
using the ‘expert opinion’.
5. Performance evaluation
This section analyses the experimental outcomes obtained from
the lightweight FI-SEL classifiers discussed in Section 4. This analysis
assesses the effectiveness of the classifier in detecting attacks within
IoT/IIoT networks. The efficacy of the lightweight FI-SEL classifier
and state-of-the-art ML classifiers is compared in multiclass classifi-
cation scenarios. The effectiveness of the lightweight FI-SEL classifier
is contingent upon the satisfaction of the following conditions within
the given context. Table 4 illustrates the metrics used to evaluate the
effectiveness of an ML model.
• Minimal Memory Requirement Space for Storing Network Traffic
Data: The assessment is contingent upon the magnitude of the
data and the rate of reduction in the dimensionality of the fea-
tures. A decrease in the dimensionality of data and a high rate
of reduction in data storage indicates that network traffic data
storage necessitates only a small amount of memory space.
• Enhanced Classification Performance: The enhanced classification
performance is assessed using the acc., pre., rec., and f1-score ob-
tained when evaluating the lightweight FI-SEL classifier with the
test set of the dataset. These evaluation metrics comprehensively
revealed the performance of the classifier on reduced feature
dimensions.
• Improved Training and Testing Time: This evaluation is based on the
time required to train and evaluate the dataset using Original-F
and FI-F reduced features.
5.1. Preliminary classification results
In this part, we examine the performances of the single, homoge-
neous (SEL-DT, SEL-LR, SEL-NB) and heterogeneous (SEL-Merged/SEL)
SELs for multiclass classification on the IoT/IIoT datasets. Table 5
demonstrates that the single classifiers obtained average performance
for all evaluation metrics for the Edge-IIoT dataset multiclass classifi-
cation task. Nonetheless, the Homogeneous and Heterogeneous built
SEL classifiers outperformed the Single classifiers across all metrics,
supporting the efficacy of the SELs. This is due to the incorrect clas-
sification of instances, as the low metric scores indicate. Furthermore,
compared to the performance of the single classifiers, the homoge-
neously and heterogeneously built SELs performed better across all
metrics, showing a better and more accurate classification performance.
Additionally, Fig. 3(a) illustrates the accuracy performance for all the
classifiers used for the first phase of the experiment.
S.A. Abdulkareem et al. Journal of Network and Computer Applications 230 (2024) 103980

Table 5 Table 7
Single & EL classifiers results for Edge-IIoTset dataset (values are in %). Bias & variance result summary of the single & EL classifiers for Edge-IIoTset dataset.
Type Classifier Acc. Pre. Rec. F1. Type Classifier Bias Variance
DT 73.43 60.85 63.13 60.38 DT 0.2637 0.0293
Single classifiers LR 60.43 67.26 52.60 55.64 Single classifiers LR 0.3955 0.0091
NB 53.53 64.88 44.64 46.72 NB 0.4647 0.0082
SEL-DT 78.25 82.74 71.27 72.31 SEL-DT 0.2155 0.0225
SEL-LR 78.71 71.64 81.73 74.51 EL SEL-LR 0.2082 0.0319
EL
SEL-NB 72.98 74.98 64.91 66.93 SEL-NB 0.2699 0.0342
SEL 89.05 90.94 79.53 82.00 SEL 0.0922 0.0582

[Acronym: Accuracy = Acc., Precision = Pre., Recall = Rec., F1-Score = F1.]

Table 8
Average bias and variance for all and 8 FI features.
Table 6
Features Bias Variance Features Bias Variance
Precision, recall and F1 score for the Edge-IIoTset dataset multiclass network categories
(values are in %). 0.0922 0.0582 0.1070 0.0565
0.0915 0.0602 0.1071 0.0562
Clf. Met (%) Norm. DDoS IG. MITM Inj. Mal.
All 0.0926 0.0574 8 0.1070 0.0563
Pre. 76.11 98.45 53.38 00.00 71.39 65.78 0.0918 0.0583 0.1070 0.0565
DT Rec. 93.85 74.74 90.54 00.00 48.40 71.25 0.0924 0.0601 0.1072 0.0565
F1. 84.05 84.98 67.16 00.00 57.69 68.41
Average 0.0921 0.0588 Average 0.1071 0.0564
Pre. 73.25 82.36 61.95 93.15 46.15 46.72
LR Rec. 42.72 72.72 45.84 27.98 58.02 68.32
F1. 53.96 77.24 52.69 43.04 51.41 55.49
Pre. 100.00 67.42 48.70 87.10 47.83 38.21 NB classifier score was the least for the Recall metric, implying some
NB Rec. 30.49 75.33 38.04 22.22 25.71 76.04 instances of the Normal network categories were significantly misclas-
F1. 46.74 71.15 42.71 35.41 33.44 50.87
sified as attacks. The lowest classification performance was recorded
Pre. 81.84 90.67 64.15 100.00 61.52 98.23
for the Injection attack category, as the precision and f1 score metrics
SEL-DT Rec. 93.85 82.36 91.77 29.22 72.61 57.81
F1. 87.43 86.31 75.52 45.22 66.61 72.78 were lower than the other categories, reflecting the low classification
performance of NB for this network attack category. The SEL variants
Pre. 84.86 90.06 78.21 37.56 66.63 72.52
SEL-LR Rec. 94.55 83.19 84.26 95.06 66.26 67.08 had superior overall performance in all the network categories and,
F1. 89.44 86.49 81.12 53.85 66.44 69.69 more specifically, in the MITM attack category, where the DT classifier
Pre. 81.27 78.33 64.37 88.41 61.64 75.84 failed to detect any attack.
SEL-NB Rec. 84.84 78.89 68.61 25.10 65.03 67.00 In summary, we inferred from this phase of experimental results that
F1. 83.02 78.61 66.42 39.10 63.29 71.15 there was an improvement in the detection performance for the SELs
Pre. 94.69 91.46 91.10 100.00 84.26 84.12 classifier variants compared to the single classifiers when evaluated
SEL Rec. 94.22 91.60 91.73 29.22 83.20 87.13 with the Edge-IIoTset dataset. Also, since the heterogeneously built
F1. 94.45 91.53 91.41 45.22 83.78 85.60
SEL had the most optimal classification performance compared to
the other SEL variants, our subsequent experiments and performance
evaluation are based on this SEL variant. In addition, we could deduce
Based on the results recorded by all the classifiers in Table 6, that although the homogeneously built SELs had a better classification
the SEL that is built using different (heterogeneous) single classifiers performance than the single classifier, they were not as efficient as
had an overall better performance for all the metrics compared to the heterogeneously built SEL for the IoT/IIoT attack classification.
the homogeneously built SELs and the single learners for the IoT/IIoT This we attribute to the similarities between the base and meta-learner
datasets. When combined, it was apparent that the different classi- behaviour when processing the dataset network categories, making it
fiers that comprise the heterogeneously built SEL can complement the difficult for the meta-learner to correct the mistakes of the base learners
classification deficiencies associated with them to classify the network (expert opinions), which is not the case for the heterogeneously built
instances better than the homogeneous SEL variants and the single SEL.
classifiers, as it recorded more optimal scores for precision, recall, and Additionally, in Table 7, we further evaluated the performance of
f1-score evaluation metrics. Using the DT classifier, the metric score for the single and SELs on the Edge-IIoTset dataset by examining the bias
the Normal and DDoS network categories recorded the highest scores and variance values recorded for the multiple classifiers. The degree
compared to the other four network categories. The MITM network of bias is indicative of the extent to which classifiers are capable of
category exhibited a precision and recall value of 0%, indicating that accurately capturing the mapping function that exists between input
accurate classification of instances within this attack category was not and output variables. On the contrary, the variance of the classifier
achieved. refers to the extent to which the efficacy of the classifier varies when
The precision score recorded by the LR classifier for the MITM trained on distinct datasets. The decomposition of the loss into bias and
attack was above 90%, signifying the percentage of correctly classified variance helps us understand the classifiers better, as these concepts are
instances. However, the lowest Recall score, 27.98%, was also recorded correlated to underfitting and overfitting.
for the MITM attack category, indicating that the percentage of the total The bias and variance values recorded for all the classifiers during
relevant instances correctly classified by the classifier is low. The F1 the preliminary experiments revealed that both metric values were
score, the harmonic mean of the precision and recall metrics recorded low on the dataset. However, the EL variant values were lower than
for the DDoS attack category, is the highest for the LR classifier. This the single classifiers. More specifically, when the performance of other
implies that the classifier performed better at classifying the DDoS net- classifiers is compared to the SEL, which is the heterogeneously built
work category than the other five categories evaluated. The precision SEL, it recorded the least values for bias and variance, signifying that
score recorded for the Normal category is highest at 100% compared the classifier has a balanced bias–variance trade-off, i.e., it found a
to the other single learners for the NB classifier, with scores recorded good balance between the bias and variance of the classifier. Also, the
for the other categories ranging from 38% to 87%. However, similar recorded values show that the LR and NB classifiers that made up the
to the DDoS category by the LR classifier, the Normal category of the base learner of the SEL are low variance and high bias classifiers, which

7
S.A. Abdulkareem et al.
Fig. 2. Illustration of Edge-IIoTset dataset feature importance.
Fig. 3. (a) Accuracy score of all classifiers and (b) Bias and variance values for all classifiers.
are less complex with a simple or rigid underlying structure, which
makes them prone to underfitting. In contrast, the DT classifier, the
meta-learner, is more complex (high variance and low bias) with a
flexible underlying structure, making it prone to overfitting. Combining
these three single classifier attributes resulted in the optimal SEL.
Furthermore, it is worth noting that the homogeneously built SELs
slightly increased performance compared to the single classifiers. This
is because their base and meta-learners consist of the same type of
classifiers, which resulted in the consolidation of classifiers with similar
classification performance. Fig. 3(b) illustrates the bias and variance
values recorded for all the classifiers with the dataset. In addition,
we further evaluated the bias and variance performance of the SEL
classifier using all and the most important 8 FI reduced features, as
illustrated in Table 8 by bootstrapping the dataset. We performed eight
experiments, four each for all, and the eight FI features added to one
each for both from the initial experiments, after which we calculated
the average of the five results for each feature dimension. Evaluation
8
Journal of Network and Computer Applications 230 (2024) 103980
and analysis of the average bias and variance results revealed that
the SEL classifier performed optimally as the average recorded results
for the experiments were all within the same range, which further
shows that the SEL classifier with and without the reduced features can
maintain a good balance between the bias and variance.
5.2. Feature selection for dimensionality reduction results
To determine the optimal number of reduced feature dimensions,
we analyse the significant features produced by the FI dimensionality
reduction technique when the top 5, 6, 7, 8, 10, 15, and 20 features
of the Edge-IIoTset dataset are used to train the SEL. Fig. 2 depicts
the importance of distinct dataset features with the target labels. The
figure illustrates that using eight features resulted in the most optimal
testing accuracy loss of (1.68%) for the SEL compared to using all the
dataset features. Although using 20 and 15 most important features
produced a slightly better performance, settling for the most important
S.A. Abdulkareem et al. Journal of Network and Computer Applications 230 (2024) 103980

Fig. 4. (a) Bias and variance values of the important features and (b) Accuracy score for the varied number of important features.

Table 9
Varied feature dimensions results for Edge-IIoT dataset (values are in %).
No. of features Acc. Pre. Rec. F1. TrT. TeT.
All 89.05 90.94 79.53 82.00 37.23 0.28
20 88.78 90.69 79.33 81.77 19.78 0.16
15 88.58 90.16 79.31 81.43 17.38 0.12
10 87.31 90.55 77.73 80.83 16.28 0.11
8 87.37 90.65 77.73 80.88 16.18 0.10
7 87.28 90.57 77.68 80.81 11.49 0.09
6 84.72 88.28 75.49 78.58 8.73 0.06
5 83.63 87.55 74.63 77.78 8.47 0.06

[Acronym: Training Time = TrT., Test Time = TeT.]

Fig. 5. Accuracy score for FI-SEL and state-of-the-art classifiers on the Edge-IIoT
dataset.
eight features was based on the total training and test time required
for developing the SEL classifier, which is reduced compared to when
the latter number of features is used. Table 9 and Fig. 3(a) highlight
the performance of using eight features compared to other reduced
features of the Edge-IIoTset dataset when the FI feature dimensionality
reduction method is applied.
Also, to assess the effects of various feature dimensionality reduc-
tion techniques, we compared the reduced-dimensional feature sets,
namely RF-F, FS & RF-F, DEIGASe-F, and FI-F, with the Original Feature
set (O-F) (Ferrag et al., 2022). Table 12 demonstrates that FI and other
state-of-the-art methods substantially reduced the data size of the O-
F. FI attained the smallest feature size with an 86.9% reduction rate.
This method could not be explicitly compared with the RF method used
in Ferrag et al. (2022) as they considered the five best features for
each attack category for their multiclass classification. The FS & RF
methods used by Thiyam and Dey (2023) selected the 15 most impor-
tant features in their work, and the DEIGASe method (Hazman et al.,
2022) did not give details on the number of reduced dataset features
after the feature dimensionality reduction was applied. The feasibility
of utilising the FI feature dimensionality reduction method for efficient
IoT/IIoT attack detection on memory-constrained IoT devices increases
when the network traffic data feature set size is significantly reduced.
5.3. Multiclass classification results
To further assess the most suitable number of reduced features
to classify the network attacks into multiclass categories efficiently,
Fig. 4(b) illustrates the accuracy of the SEL classifier for the multiclass
classification when the variation of the FI dimensionality reduced
features is utilised. In all scenarios, the accuracy of the SEL was reduced
the most for the five most important features with a 5.42% difference,
with the highest accuracy value recorded for the 20 most important
features. The best accuracy was recorded for the 20 most important fea-
tures at 88.78% while using 15 and 8 features of the dataset produced
88.58% and 87.37% being the second and third best, and the two least
accuracies were recorded for the 7 and 5 most important features at
87.28% and 83.63% respectively. Also, Fig. 5 illustrates the accuracy of
the SEL compared to other state-of-the-art classifiers for the Edge-IIoT
dataset.
As seen in Table 9, we first evaluated the performance of the
SEL with all the features of the dataset. Afterwards, we used the FI
technique to reduce the dimensions of both datasets by retaining the
most important features in the order of the most important 20, 15,
10, 8, 7, 6, and 5 features. Our proposed combination of FI with
the SEL maintained optimal detection metric scores across the diverse
feature dimensions of the dataset, comparable to those achieved when
utilising all original features. However, a slight performance reduction
can be seen with decreasing dataset features. However, the training
and test time for the SEL gained more optimal time values with each
varied and reduced feature. However, more varied performance results
were recorded for the dataset based on a different number of features.
The result of our experiment on the Edge-IIoTset dataset revealed
that the eight most important features are: (1) tcp.dstport ; (2) tcp.ack;
(3) tcp.seq; (4) tcp.len; (5) tcp.checksum; (6) tcp.ack_raw; (7) tcp.flags;
(8) tcp.flags.ack gave an optimal classification result, in addition to
satisfactory training and test time.
In addition, we compared the bias and variance scores recorded
for the varied number of important features in Table 11, revealing

9
S.A. Abdulkareem et al. Journal of Network and Computer Applications 230 (2024) 103980

Table 10
Ensemble dataset outlook with the predictions of the base learners.
tcp.ack tcp.ack_raw tcp.checksum tcp.dstport tcp.flags tcp.flags.ack tcp.len tcp.seq predictionNB predictionLR Attack_type
442 2 093 976 515 47 583 80 16 1 0 104.0 1 4 4
16 798 3 883 203 052 8589 48 470 24 1 495 22 772.0 5 5 2
1448 480 485 278 15 531 50 716 24 1 495 2477.0 1 2 2
23 840 3 966 309 415 64 117 50 344 24 1 495 44 162.0 1 5 2
0 0 0 0 0 0 0 0.0 1 1 1

Fig. 6. Tree created using single DT on the Edge-IIoT dataset.

Fig. 7. Tree created using single DT on the Edge-IIoT dataset with expert opinions prediction labels.

that each decreasing number of the dataset features and classifica- dataset indicate that the proposed FI-SEL maintained optimum detec-
tion performance increased the bias and variance score. This can be tion performance while detecting network attacks. Furthermore, it can
attributed to the classifier performance reduction impacting the two be observed that the training and testing duration of the SEL diminishes
metrics, hence the reduced scores. Overall, the metric scores for the as the number of feature dimensions decreases. This suggests that the

10
S.A. Abdulkareem et al.
Table 11
Bias and variance for varied feature dimensions for Edge-IIoT dataset.
No. of features Bias
All 0.0922
20 0.0910
15 0.0944
10 0.1067
8 0.1070
7 0.1066
6 0.1304
5 0.1434
Table 12
Edge-IIoT dataset original and reduced features.
Feature set Number of features Reduction rate (%)
O-F (Ferrag et al., 2022) 61 Nil
RF (Ferrag et al., 2022) Varied –
FS & RF-F (Thiyam and Dey, 2023) 15 –
DEIGASe-F (Hazman et al., 2022) – –
FI 8 86.9
combination that has been proposed is both efficient and effective for
detecting intrusions in the network environment of IoT/IIoT.
5.4. SEL explainability using DT
To understand the performance gain of the SEL, we shall analyse
the embedded DT to explain its accuracy improvement. We choose to
use DT mainly because of its high transparency among all other ML
models, and the transparency permits an explanation of how DT derives
outcomes (Mukhtar Bhatti et al., 2023; Blanco-Justicia and Domingo-
Ferrer, 2019; Sagi and Rokach, 2020; Petch et al., 2022). Some research
works have previously attempted the explainability of the SEL classifier.
However, our approach is different from the current state-of-the-art.
In the work of Almohimeed et al. (2023), they evaluated the perfor-
mance of the SEL classifier on Alzheimer’s disease (AD) datasets. They
utilised SHapley Additive exPlanation (SHAP) and Local Interpretable
Model-Agnostic Explanations (LIME) explainers to interpret the pro-
posed classifier. Also, in the paper published by Hooshmand et al.
(2024), they evaluated the performance of an ensemble learner on two
network datasets. After that, they utilised SHAP as their explainer to
explain the proposed techniques in their work. Similarly, the works
of AlMohimeed et al. (2023) and Munshi et al. (2024) utilised SHAP
in their contributions. While both papers are healthcare-related, the
first focused on the explainability of ensemble learning on a cervical
cancer diagnosis dataset, and the latter focused on breast cancer-
related dataset ensemble learning explainability. In our contribution,
we utilised a different explainability approach using a DT classifier
as our explainer instead of the explainers currently employed in the
literature.
To analyse SEL, we first disassemble it into each classifier to under-
stand how a DT classifier arrived at each split. Although some attempts
have been made to explain the working mechanism of some ML clas-
sifiers (Das and Birant, 2022; Monroe et al., 2021; Sarica and Angin,
2020; Garcia-Magarino et al., 2019; Dang, 2021; Andresini et al., 2022;
Stein et al., 2005; Kumar et al., 2012; Dang, 2020; Al Hammadi et al.,
2021), none of these approaches can be readily used to explain SEL
performance advantages. By viewing the outcomes from base learners
as expert opinions and using DT as the meta-learner, we can explain
how SEL derives its performance gain.
We evaluate the performance of the two base learners on the
IoT/IIoT dataset. The predictions of both classifiers, seen as expert
opinions, are appended to the original dataset (ensemble) with two
extra columns representing the predicted outcomes, as given in Ta-
ble 10 labelled as predictionNB and predictionLR. In contrast, the
(Attack_type) column represents the correct categories of the network
Journal of Network and Computer Applications 230 (2024) 103980
records as labelled by the dataset authors. This ensemble dataset is
saved with the predictions from the two base learners (i.e. expert
Variance opinions) and then evaluated with the DT classifier, which serves as
0.0582 the meta-learner in the original SEL we built previously. We reduce
0.0563 the depth of the tree to prevent the splits from overlapping over one
0.0566 another and allow for better visualisation of each decision node.
0.0566
Fig. 6 depicts the tree created using the single DT classifier and
0.0565
0.0560 the dataset without adding the two expert opinions. As shown in the
0.0755 figure, a decision node (located on the left) that is derived from the root
0.0730 node of the tree employed a split based on the feature (tcp.ack_raw)
with an index number of 1 in the dataset to establish its split. The
utilisation of this feature was based on its minimal computed entropy
value and the highest information gain value for the decision node.
At this decision node, the classification of the six distinct network
categories was limited to 7981 samples (network records). One of the
two terminal nodes produced by the decision node exhibits high purity,
as it accurately classified all network records as ‘‘Normal’’.
Conversely, the second terminal node on the left classifies the
Normal network correctly in addition to a single Information Gathering
attack that shares the same decision node split condition. Furthermore,
all the entropy values are calculated for all the branches of the dif-
ferent splits, totalling 11.45. The DT constructed using the modified
dataset, incorporating the two predictions as mentioned earlier, yields
a subsequent decision node (right) that employs the feature indexed
as 9 (predictionLR) to determine its split, as depicted in Fig. 7. This
feature corresponds to the prediction output of the LR-based learner. As
previously explicated in Section 3, wherein the functionality of the SEL
was elucidated, it is observed that during the final classification process
of the meta-learner, it incorporates the newly generated predictions as
a constituent of its training features. The decision node utilises the en-
tropy value recorded for predictionLR, as it is the minimum, to establish
the split. The entropy value of 0.0 observed in the leftmost terminal
node indicates a state of maximum purity, wherein no impurity is
recorded, and all classifications for the Normal network records are
done correctly.
On the contrary, the alternative terminal node exhibits a single
instance of being classified as an Information Gathering attack, just
like the previous decision node in Fig. 6. The entropy values of all
the splits total 7.448, signifying that adding expert opinions alters the
classification performance of the tree, making it purer compared to
the previous. In addition, the number of decision nodes and leaves
generated by the tree with the expert opinion is reduced compared
to the previous. This affirms the positive contribution to correctly
classifying the different network categories more efficiently.
To evaluate the performance of the proposed FI-SEL further, we
contrasted its performance with state-of-the-art results in Fig. 5. From
the comparison, we established that the FI-SEL outperformed other
state-of-the-art classifier results in the work of Ferrag et al. (2022)
with SVM, kNN, RF, and DT recording 85.62%, 83.39%, 82.90%,
and 77.90% respectively, compared to our proposed lightweight FI-
SEL with 87.37% accuracy. Similarly, in the work of Nkoro et al.
(2024), they evaluated the performance of their DNN classifier on
nine and fifteen classes of the dataset, and they recorded 84.74% and
71.22% accuracy scores, respectively. In contrast, a similar work by
Tareq et al. (2022) evaluated the performance of a Deep Learning (DL)
Classifier on the same dataset using fifteen classes and recorded an
accuracy score of 94.94%. However, the training and test time utilised
to record this level of performance was not stated in their submissions.
The FI method can identify and select the most important features
of a dataset, thereby reducing its dimensionality. Reducing dimen-
sionality reduces the computational resources needed while achieving
optimal classification performance. Experiment findings have shown
that combining with the SEL classifies IoT/IIoT network attacks more
accurately and efficiently than state-of-the-art classifiers. In addition,
the findings of the experiment indicate that while the SEL exhibited
commendable performance in classifying network records, using the FI
feature dimensionality reduction technique for preprocessing the fea-
ture sets significantly enhanced overall performance efficiency during
the training and testing phases.
11
S.A. Abdulkareem et al.
6. Conclusion
This paper assessed the efficacy of a heterogeneously built SEL on
an Edge-IIoT dataset. Initial findings revealed that combining single
learners to form an SEL can yield optimal classification performance.
Further experiment results demonstrated that combining FI and SEL
enhanced computational resource usage by ensuring that only the most
important dataset features were used during training. In contrast, the
less important ones are discarded, reducing the feature dimensions of
the dataset. Using the FI feature dimensionality reduction technique,
we found the eight most important features of the dataset to be the most
optimal for training the SEL classifier. The SEL maintained optimal
classification performance for the multiclass classification task while
maintaining a balanced bias–variance trade-off, thereby handling the
overfitting and underfitting of the classifier. Furthermore, we compared
the performance of the proposed FI-SEL to that of other state-of-the-
art approaches utilising the Edge-IIoT dataset. We found that our
approach produced superior results. More importantly, we pioneered
using a DT to visualise and explain how an SEL classifier works and
its performance gains on a network dataset. The visualisation made
it possible for us to understand how the initial dataset features and
the addition of the base learning classifier predictions (expert opinions)
contributed differently to the performance of the DT meta-learner. This
made the ensemble dataset perform better and made its comprehension
visible to humans when assessed. Notwithstanding the commendable
efficacy of the FI-SEL, it is imperative to conduct further assessment
of the proposed method on additional IoT/IIoT datasets to substantiate
its suitability. In addition, our work revealed that heterogeneously built
SELs yield better classification performance than homogeneously built
SEL variants. Also, in our future work, we would evaluate different
rearrangements of the single learners that make up the SEL classifier
to determine and assess the performance of the varied rearrangements,
as this study has demonstrated the efficacy and efficiency of the FI-
SEL approach in detecting attacks in IoT/IIoT networks. In addition,
dataset sampling will be considered to evaluate the performance of
the proposed classifier on a balanced dataset. We also plan to explore
adaptive learning techniques to optimise resource usage in IoT security
and evaluate its real-time training and learning performance.
CRediT authorship contribution statement
Sulyman Age Abdulkareem: Writing – original draft, Visualiza-
tion, Methodology, Investigation, Formal analysis, Conceptualization.
Chuan Heng Foh: Writing – review & editing, Supervision. François
Carrez: Supervision, Project administration. Klaus Moessner: Writing
– review & editing, Project administration, Funding acquisition.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
Data will be made available on request.
Acknowledgements
This work was also partially supported by the Horizon 2020 re-
search and innovation programme of the European Union in the
projects L3Pilot, EU under grant agreement number 723051, 5G-HEART,
EU under grant agreement number 857034, and DEDICAT 6G, EU un-
der grant agreement number 101016499. We also want to acknowledge
the contributions of the members of the 5GIC/6GIC, UK to this work.
12
Journal of Network and Computer Applications 230 (2024) 103980
References
Abbas, A., Khan, M.A., Latif, S., Ajaz, M., Shah, A.A., Ahmad, J., 2022. A new ensemble-
based intrusion detection system for internet of things. Arab. J. Sci. Eng. 47 (2),
1805–1819.
Abdulhammed, R., Musafer, H., Alessa, A., Faezipour, M., Abuzneid, A., 2019. Features
dimensionality reduction approaches for machine learning based network intrusion
detection. Electronics 8 (3), 322.
Abdulkareem, S.A., Foh, C.H., Carrez, F., Moessner, K., 2022a. FI-PCA for IoT network
intrusion detection. In: 2022 International Symposium on Networks, Computers and
Communications. ISNCC, pp. 1–6.
Abdulkareem, S.A., Foh, C.H., Carrez, F., Moessner, K., 2022b. SMOTE-stack for network
intrusion detection in an IoT environment. In: 2022 IEEE Symposium on Computers
and Communications. ISCC, pp. 1–6.
Ahmed, H.A., Hameed, A., Bawany, N.Z., 2022. Network intrusion detection using
oversampling technique and machine learning algorithms. PeerJ Comput. Sci. 8,
e820.
Al Hammadi, A.Y., Yeun, C.Y., Damiani, E., Yoo, P.D., Hu, J., Yeun, H.K., Yim, M.-S.,
2021. Explainable artificial intelligence to evaluate industrial internal security using
EEG signals in IoT framework. Ad Hoc Netw. 123, 102641.
Al-Hawawreh, M., Sitnikova, E., Aboutorab, N., 2021. X-IIoTID: A connectivity-agnostic
and device-agnostic intrusion data set for industrial Internet of Things. IEEE
Internet Things J. 9 (5), 3962–3977.
Almohimeed, A., Saad, R.M., Mostafa, S., El-Rashidy, N., Farag, S., Gaballah, A.,
Abd Elaziz, M., El-Sappagh, S., Saleh, H., 2023. Explainable artificial intelligence of
multi-level stacking ensemble for detection of Alzheimer’s disease based on particle
swarm optimization and the sub-scores of cognitive biomarkers. IEEE Access.
AlMohimeed, A., Saleh, H., Mostafa, S., Saad, R.M., Talaat, A.S., 2023. Cervical
cancer diagnosis using stacked ensemble model and optimized feature selection:
An explainable artificial intelligence approach. Computers 12 (10), 200.
Andresini, G., Appice, A., Caforio, F.P., Malerba, D., Vessio, G., 2022. ROULETTE: A
neural attention multi-output model for explainable network intrusion detection.
Expert Syst. Appl. 201, 117144.
Bagui, S., Li, K., 2021. Resampling imbalanced data for network intrusion detection
datasets. J. Big Data 8 (1), 1–41.
Bellman, R.E., 1961. Adaptive Control Processes: A Guided Tour. Princeton University
Press, Princeton, [Online]. Available: https://doi.org/10.1515/9781400874668.
Blanco-Justicia, A., Domingo-Ferrer, J., 2019. Machine learning explainability through
comprehensible decision trees. In: Machine Learning and Knowledge Extraction:
Third IFIP TC 5, TC 12, WG 8.4, WG 8.9, WG 12.9 International Cross-Domain
Conference, CD-MAKE 2019, Canterbury, UK, August 26–29, 2019, Proceedings 3.
Springer, pp. 15–26.
Chaabouni, N., Mosbah, M., Zemmari, A., Sauvignac, C., Faruki, P., 2019. Network
intrusion detection for IoT security based on learning techniques. IEEE Commun.
Surv. Tutor. 21 (3), 2671–2701.
Chandola, V., Banerjee, A., Kumar, V., 2009. Anomaly detection: A survey. ACM
Comput. Surv. (CSUR) 41 (3), 1–58.
Dang, Q.-V., 2020. Understanding the decision of machine learning based intrusion
detection systems. In: Future Data and Security Engineering: 7th International
Conference, FDSE 2020, Quy Nhon, Vietnam, November 25–27, 2020, Proceedings
7. Springer, pp. 379–396.
Dang, Q.-V., 2021. Improving the performance of the intrusion detection systems by
the machine learning explainability. Int. J. Web Inf. Syst. 17 (5), 537–555.
Das, D.B., Birant, D., 2022. Xhac: Explainable human activity classification from
sensor data. In: Emerging Trends in IoT and Integration with Data Science, Cloud
Computing, and Big Data Analytics. IGI Global, pp. 146–164.
Dawoud, A., Shahristani, S., Raun, C., 2019. Dimensionality reduction for network
anomalies detection: A deep learning approach. In: Web, Artificial Intelligence
and Network Applications: Proceedings of the Workshops of the 33rd International
Conference on Advanced Information Networking and Applications (WAINA-2019)
33. Springer, pp. 957–965.
Dini, P., Begni, A., Ciavarella, S., De Paoli, E., Fiorelli, G., Silvestro, C.,
Saponara, S., 2022. Design and testing novel one-class classifier based on poly-
nomial interpolation with application to networking security. IEEE Access 10,
67910–67924.
Eesa, A.S., Orman, Z., Brifcani, A.M.A., 2015. A novel feature-selection approach based
on the cuttlefish optimization algorithm for intrusion detection systems. Expert
Syst. Appl. 42 (5), 2670–2679.
Elsi, Z.R.S., Stiawan, D., Oklilas, A.F., Kunang, Y.N., Idris, M.Y., Budiarto, R., et al.,
2022. Feature selection using chi-square to improve attack detection classifica-
tion in IoT network: Work in progress. In: 2022 9th International Conference
on Electrical Engineering, Computer Science and Informatics. EECSI, IEEE, pp.
226–232.
Fadhilla, C.A., Alfikri, M.D., Kaliski, R., 2022. Lightweight meta-learning BotNet attack
detection. IEEE Internet Things J..
Ferrag, M.A., Friha, O., Hamouda, D., Maglaras, L., Janicke, H., 2022. Edge-IIoTset: A
new comprehensive realistic cyber security dataset of IoT and IIoT applications for
centralized and federated learning. IEEE Access 10, 40281–40306.
Ferrag, M.A., Shu, L., Friha, O., Yang, X., 2021. Cyber security intrusion detection for
agriculture 4.0: machine learning-based solutions, datasets, and future directions.
IEEE/CAA J. Autom. Sin. 9 (3), 407–436.
S.A. Abdulkareem et al.
Garcia-Magarino, I., Muttukrishnan, R., Lloret, J., 2019. Human-centric AI for trust-
worthy IoT systems with explainable multilayer perceptrons. IEEE Access 7,
125562–125574.
Ghafir, I., Hammoudeh, M., Prenosil, V., Han, L., Hegarty, R., Rabie, K., Aparicio-
Navarro, F.J., 2018. Detection of advanced persistent threat using machine-learning
correlation analysis. Future Gener. Comput. Syst. 89, 349–359.
Gurung, S., Ghose, M.K., Subedi, A., 2019. Deep learning approach on network intrusion
detection system using NSL-KDD dataset. Int. J. Comput. Netw. Inf. Secur. 11 (3),
8–14.
Hafeez, I., Antikainen, M., Ding, A.Y., Tarkoma, S., 2020. IoT-KEEPER: Detecting
malicious IoT network activity using online traffic analysis at the edge. IEEE Trans.
Netw. Serv. Manag. 17 (1), 45–59.
Hazman, C., Benkirane, S., Azrour, M., et al., 2022. DEIGASe: Deep extraction and
information gain for an optimal anomaly detection in IoT-based smart cities.
Hooshmand, M.K., Huchaiah, M.D., Alzighaibi, A.R., Hashim, H., Atlam, E.-S., Gad, I.,
2024. Robust network anomaly detection using ensemble learning approach and
explainable artificial intelligence (XAI). Alexandria Eng. J. 94, 120–130.
Jiang, S., Xu, X., 2021. Network data classification mechanism for intrusion detection
system. In: 2021 IEEE 24th International Conference on Computer Supported
Cooperative Work in Design. CSCWD, IEEE, pp. 342–347.
Kamaldeep, Malik, M., Dutta, M., 2023. Feature engineering and machine learning
framework for DDoS attack detection in the standardized Internet of Things. IEEE
Internet Things J. 10 (10), 8658–8669.
Kang, S.-H., Kim, K.J., 2016. A feature selection approach to find optimal feature
subsets for the network intrusion detection system. Cluster Comput. 19 (1),
325–333.
Koroniotis, N., Moustafa, N., Sitnikova, E., Turnbull, B., 2019. Towards the development
of realistic botnet dataset in the internet of things for network forensic analytics:
Bot-iot dataset. Future Gener. Comput. Syst. 100, 779–796.
Kumar, M., Hanumanthappa, M., Kumar, T.S., 2012. Intrusion detection system
using decision tree algorithm. In: 2012 IEEE 14th International Conference on
Communication Technology. IEEE, pp. 629–634.
Li, C., Zhang, Y., Wang, W., Liao, Z., Feng, F., 2022. Botnet detection with deep neural
networks using feature fusion. In: 2022 International Seminar on Computer Science
and Engineering Technology. SCSET, IEEE, pp. 255–258.
Luo, F., Du, B., Zhang, L., Zhang, L., Tao, D., 2018. Feature learning using spatial-
spectral hypergraph discriminant analysis for hyperspectral image. IEEE Trans.
Cybern. 49 (7), 2406–2419.
Mehmod, T., Rais, H.B.M., 2016. Ant colony optimization and feature selection for
intrusion detection. In: Advances in Machine Learning and Signal Processing.
Springer, pp. 305–312.
Monroe, W.S., Skidmore, F.M., Odaibo, D.G., Tanik, M.M., 2021. HihO: accelerating
artificial intelligence interpretability for medical imaging in IoT applications
using hierarchical occlusion: Opening the black box. Neural Comput. Appl. 33,
6027–6038.
Moustafa, N., Keshky, M., Debiez, E., Janicke, H., 2020. Federated TON_IoT win-
dows datasets for evaluating AI-based security applications. In: 2020 IEEE 19th
International Conference on Trust, Security and Privacy in Computing and
Communications (TrustCom). IEEE, pp. 848–855.
Mukhtar Bhatti, M.A., Awais, M., Iqtidar, A., 2023. Machine learning based intrusion
detection system for IoT applications using explainable AI. In: 2023 Asia Conference
on Artificial Intelligence, Machine Learning and Robotics. pp. 1–6.
Munshi, R.M., Cascone, L., Alturki, N., Saidani, O., Alshardan, A., Umer, M., 2024.
A novel approach for breast cancer detection using optimized ensemble learning
framework and XAI. Image Vis. Comput. 142, 104910.
Newman, P., 2020. THE INTERNET OF THINGS 2020: Here’s what over 400 IoT
decision-makers say about the future of enterprise connectivity and how IoT
companies can use it to grow revenue. Bus. Insider 1–6.
Nkoro, E.C., Nwakanma, C.I., Lee, J.-M., Kim, D.-S., 2024. Detecting cyberthreats
in metaverse learning platforms using an explainable DNN. Internet Things 25,
101046.
Pai, V., Adesh, N., et al., 2021. Comparative analysis of machine learning algorithms for
intrusion detection. In: IOP Conference Series: Materials Science and Engineering.
Vol. 1013, IOP Publishing, 012038, no. 1.
Peng, J., Sun, W., Du, Q., 2018. Self-paced joint sparse representation for the
classification of hyperspectral images. IEEE Trans. Geosci. Remote Sens. 57 (2),
1183–1194.
Petch, J., Di, S., Nelson, W., 2022. Opening the black box: the promise and limitations
of explainable machine learning in cardiology. Canad. J. Cardiol. 38 (2), 204–213.
Prasad, M., Pal, P., Tripathi, S., Dahal, K., 2022. AI/ML driven intrusion detection
framework for IoT-enabled cold storage monitoring system.
Qaddoura, R., Al-Zoubi, A., Almomani, I., Faris, H., 2021. A multi-stage classification
approach for iot intrusion detection based on clustering with oversampling. Appl.
Sci. 11 (7), 3022.
Rajagopal, S., Kundapur, P.P., Hareesha, K.S., 2020. A stacking ensemble for network
intrusion detection using heterogeneous datasets. Secur. Commun. Netw. 2020, 1–9.
Rashid, M.M., Kamruzzaman, J., Hassan, M.M., Imam, T., Gordon, S., 2020. Cy-
berattacks detection in iot-based smart city applications using machine learning
techniques. Int. J. Environ. Res. Public Health 17 (24), 9347.
13
Journal of Network and Computer Applications 230 (2024) 103980
Rashid, M., Kamruzzaman, J., Imam, T., Wibowo, S., Gordon, S., 2022. A tree-based
stacking ensemble technique with feature selection for network intrusion detection.
Appl. Intell. 52 (9), 9768–9781.
Sagi, O., Rokach, L., 2020. Explainable decision forest: Transforming a decision forest
into an interpretable tree. Inf. Fusion 61, 124–138.
Samdekar, R., Ghosh, S., Srinivas, K., 2021. Efficiency enhancement of intrusion
detection in iot based on machine learning through bioinspire. In: 2021 Third
International Conference on Intelligent Communication Technologies and Virtual
Mobile Networks. ICICV, IEEE, pp. 383–387.
Santos, L., Rabadao, C., Gonçalves, R., 2018. Intrusion detection systems in Internet
of Things: A literature review. In: 2018 13th Iberian Conference on Information
Systems and Technologies. CISTI, IEEE, pp. 1–7.
Sarica, A.K., Angin, P., 2020. Explainable security in SDN-based IoT networks. Sensors
20 (24), 7326.
Schuartz, F.C., Fonseca, M., Munaretto, A., 2020. Improving threat detection in
networks using deep learning. Ann. Telecommun. 75, 133–142.
Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A., 2018. Toward generating a new intrusion
detection dataset and intrusion traffic characterization. ICISSp 1, 108–116.
Shone, N., Ngoc, T.N., Phai, V.D., Shi, Q., 2018. A deep learning approach to network
intrusion detection. IEEE Trans. Emerg. Top. Comput. Intell. 2 (1), 41–50.
Siddharthan, H., Thangavel, D., 2023. A novel framework approach for intrusion
detection based on improved critical feature selection in Internet of Things
networks. Concurr. Comput.: Pract. Exper. 35 (1), e7445.
Sollich, P., Krogh, A., 1995. Learning with ensembles: How overfitting can be useful.
Adv. Neural Inf. Process. Syst. 8.
Stein, G., Chen, B., Wu, A.S., Hua, K.A., 2005. Decision tree classifier for network
intrusion detection with GA-based feature selection. In: Proceedings of the 43rd
Annual Southeast Regional Conference-Volume 2. pp. 136–141.
Subba, B., Biswas, S., Karmakar, S., 2016. Enhancing performance of anomaly based
intrusion detection systems through dimensionality reduction using principal com-
ponent analysis. In: 2016 IEEE International Conference on Advanced Networks
and Telecommunications Systems. ANTS, IEEE, pp. 1–6.
Tareq, I., Elbagoury, B.M., El-Regaily, S., El-Horbaty, E.-S.M., 2022. Analysis of ton-iot,
unw-nb15, and edge-iiot datasets using dl in cybersecurity for iot. Appl. Sci. 12
(19), 9572.
Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A., 2009. A detailed analysis of the
KDD CUP 99 data set. In: 2009 IEEE Symposium on Computational Intelligence for
Security and Defense Applications. Ieee, pp. 1–6.
Tengl, S., Zhang, Z., Teng, L., Zhang, W., Zhu, H., Fang, X., Fei, L., 2018. A collaborative
intrusion detection model using a novel optimal weight strategy based on genetic
algorithm for ensemble classifier. In: 2018 IEEE 22nd International Conference on
Computer Supported Cooperative Work in Design ((CSCWD)). IEEE, pp. 761–766.
Thiyam, B., Dey, S., 2023. Efficient feature evaluation approach for a class-imbalanced
dataset using machine learning. Procedia Comput. Sci. 218, 2520–2532.
Upadhyay, K., 2021. Network intrusion detection system based on machine learning.
Ann. RSCB 25 (4), 12445–12451.
Varghese, J.E., Muniyal, B., 2017. An investigation of classification algorithms for intru-
sion detection system—a quantitative approach. In: 2017 International Conference
on Advances in Computing, Communications and Informatics. ICACCI, IEEE, pp.
2045–2051.
Verma, S., Kawamoto, Y., Kato, N., 2021. A smart Internet-wide port scan approach for
improving IoT security under dynamic WLAN environments. IEEE Internet Things
J. 9 (14), 11951–11961.
Wang, Z., Du, B., Zhang, L., Zhang, L., Jia, X., 2017. A novel semisupervised active-
learning algorithm for hyperspectral image classification. IEEE Trans. Geosci.
Remote Sens. 55 (6), 3071–3083.
Wang, Y., Guo, L., Zhao, Y., Yang, J., Adebisi, B., Gacanin, H., Gui, G., 2020.
Distributed learning for automatic modulation classification in edge devices. IEEE
Wirel. Commun. Lett. 9 (12), 2177–2181.
Wang, X., Wang, L., 2017. Research on intrusion detection based on feature extraction
of autoencoder and the improved k-means algorithm. In: 2017 10th International
Symposium on Computational Intelligence and Design. ISCID, Vol. 2, IEEE, pp.
352–356.
Zhao, R., Gui, G., Xue, Z., Yin, J., Ohtsuki, T., Adebisi, B., Gacanin, H., 2021. A novel
intrusion detection method based on lightweight neural network for internet of
things. IEEE Internet Things J. 9 (12), 9960–9972.
Zhou, Y., Cheng, G., Jiang, S., Dai, M., 2020. Building an efficient intrusion detection
system based on feature selection and ensemble classifier. Computer networks 174,
107247.
Zolanvari, M., Teixeira, M.A., Gupta, L., Khan, K.M., Jain, R., 2019. Machine learning-
based network vulnerability analysis of industrial Internet of Things. IEEE Internet
Things J. 6 (4), 6822–6834.
Sulyman Abdulkareem received his M.Sc. degree in Management Information Systems
from the Faculty of Computing and Engineering, Coventry University, UK, in 2017.
He is a Ph.D. student at the 5GIC/6GIC, School of Computer Science and Electronic
Engineering, University of Surrey. His main research areas are machine learning for
network security, information systems, IT strategy, and project management.
S.A. Abdulkareem et al.
Chuan Heng Foh received his M.Sc. degree from Monash University, Australia in 1999
and Ph.D. degree from the University of Melbourne, Australia in 2002. After his Ph.D.,
he spent 6 months as a lecturer at Monash University in Australia. In December 2002,
he joined Nanyang Technological University, Singapore as an Assistant Professor until
2012.
He is now a Senior Lecturer at the University of Surrey. His research interests
include protocol design and performance analysis of various computer networks
including wireless local area and mesh networks, mobile ad hoc and sensor networks,
5G networks, and data centre networks.
He has authored or co-authored over 100 refereed papers in international journals
and conferences. He actively participates in IEEE conference and workshop organi-
sation, including the International Workshop on Cloud Computing Systems, Networks,
and Applications (CCSNA) where he is a steering member. He is an Associate Editor for
IEEE Access, IEEE Wireless Communications, International Journal of Communications
Systems, and a Guest Editor for various International Journals. Currently, he is the
Vice-Chair (Europe/Africa) of IEEE Technical Committee on Green Communications
and Computing (TCGCC) and the Chair of Special Interest Group on Green Data Center
and Cloud Computing under TCGCC. He is a senior member of IEEE.
François Carrez received his PhD in Theoretical Computer Science from the University
of Nancy – France in 1991. After 18 years of Research at Alcatel Research (now
Bell Labs) in Telecommunication, Multi-Agent Systems and Security, he joined the
University of Surrey in early 2007. Then, he has been, in particular, leading the ICT-FP7
Internet of Things initiative (IOT-I) Coordination Action, which is the origin of the IoT
International Forum.
14
Journal of Network and Computer Applications 230 (2024) 103980
He has also been the WP leader on Architecture for IoT-A, the flagship European
project on architecture for the Internet of Things, which eventually released the
comprehensive Architecture Reference Model for the IoT (IoT ARM).
More recently, he has been involved in H2020 projects COSMOS, FIESTA and
CPaaS.io, working in particular on IoT-A-inspired system architecture and from 2021
to 2023 in DEDICAT 6G, where he was leading the system architecture activities. His
key topics of interest are IoT, 5G / 6G architecture, Machine Learning/AI and System
Architecture, with interests in GPU programming and medical science (cardiology,
physiology, neurology). He is a senior member of IEEE.
Klaus Moessner is Professor in Cognitive Networks in the 5G Innovation Centre (5GIC).
He has been actively involved in the various European Community funded research
frameworks (from FP 5 onwards). He has also had involvement in some 20+ other
EU funded projects, has been technical manager and project manager, has led the FP7
project SocIoTal and is currently leading the H2020 EU-Japan project iKaaS, the 5G
PPP project Speed5G, and from September 2017 the EU-Taiwan project Clear5G.
Klaus’ research interests are around the aspects of resource management in wireless
communication systems, reconfigurability on the different system levels, including
reconfiguration management and scheduling in wireless networks as well as network
supported adaptability of multimodal user interfaces. He was founding chair of the
IEEE DySPAN working group 6 on Spectrum Sensing Interfaces.
He is actively involved in the investigation and teaching of mobile service provision
(including IoT deployments and services). His research includes the area of resource
efficiency and on mechanisms for dynamic resource allocation. And he is contributing to
the work on System Architecture and Co-existence aspects in the 5GIC, covering aspects
including dynamic spectrum sharing/access, self-organisation of the radio access and
the regulatory implications of DSA and Cognitive Radio Networks.
His work beyond 5G includes methods for dynamic capacity extension in mobile en-
vironments. Since May 2019, Klaus is also head of the Professorship of Communications
Engineering at the Technische Universität Chemnitz, Germany.