HIGHLIGHTS
• This study proposes a new framework named IoT-Defender, based on edge computing, for intrusion detection in IoT networks.
• We employ a Modified Genetic Algorithm to choose the best subset of features on the BoT-IoT, UNSW-NB15, and N-BaIoT datasets.
• We fine-tune the LSTM parameters with the genetic algorithm, which adjusts the number of hidden layers.
• The proposed IoT-Defender model is a lightweight IDS that can be deployed on edge servers.
• In comparison with existing shallow models, IoT-Defender outperformed the state-of-the-art shallow models.

ARTICLE INFO
Keywords: Internet of things; Edge computing; Intrusion detection system; Long short-term memory; Genetic algorithm; Modified genetic algorithm; BoT-IoT; Focal loss function; Class imbalance; UNSW-NB15; N-BaIoT

ABSTRACT
The emergence of smart cities is an example of how new technologies, such as the Internet of Things (IoT), have facilitated the creation of extensive interconnected and intelligent ecosystems. The widespread deployment of IoT devices has enabled the provision of constant environmental feedback, thereby facilitating the automated adaptation of associated systems. This has brought about a fundamental transformation in the way contemporary society functions. The security of emerging technologies such as the IoT has become a significant challenge due to the added complexities, misconfigurations, and conflicts between modern and legacy systems. This challenge has a notable impact on the reliability and accessibility of existing infrastructure. Edge computing (EC) is a collaborative computing system that brings data processing and analysis closer to the edge of the network, where the data is generated, rather than in a centralized cloud environment. The utilization of the IoT has become more prevalent in both everyday life and the manufacturing sector, with a particular emphasis on critical infrastructure. The IoT is presently being utilized across diverse domains, including but not limited to the industrial, agricultural, healthcare, and logistical sectors. The security of IoT networks has implications for the safety of individuals, the security of the nation, and economic development. Notwithstanding, the conventional intrusion detection techniques suggested in previous studies for IoT network security, which rely on centralized cloud-based systems, are insufficient to meet the requirements for data confidentiality, network capacity, and prompt responsiveness. In addition, the integration of IoT applications into smart devices has been shown to augment their functionalities. However, this integration also brings about potential security vulnerabilities. Furthermore, a significant number of contemporary IoT devices exhibit restricted security capabilities, rendering them vulnerable to intricate attacks and impeding the extensive integration of IoT technologies. Many deployed IoT network devices also lack hardware security measures, which means that traditional intrusion detection systems (IDS) are not enough to protect the IoT network ecosystem. To address these issues, this research proposes the IoT-Defender framework, which combines a Modified Genetic Algorithm (MGA) model with a deep Long Short-Term Memory (LSTM) network to find cyberattacks in IoT networks. This research represents a pioneering attempt to employ the MGA for feature selection and the GA for fine-tuning the LSTM parameters within an EC framework. The parameters of the LSTM model were fine-tuned through the manipulation of the number of hidden layers, utilizing the GA fitness function. The customization of the MGA aimed to enhance its performance in selecting relevant features, optimizing the use of limited resources on IoT devices and edge nodes. The fine-tuning process involved optimizing hyperparameters, architecture, and training strategies to maximize the LSTM network's effectiveness in learning and detecting patterns in IoT network traffic. The synergy between the MGA and LSTM aims to create a comprehensive and efficient IDS. The feature selection performed by the MGA improves the LSTM's performance by providing it with more relevant and discriminating features. To address class imbalance, we utilize the focal loss function, which assigns greater weight to minority classes and hence improves the model's capacity to learn from those classes. The performance of the IoT-Defender model was assessed on the BoT-IoT, UNSW-NB15, and N-BaIoT datasets utilizing a Raspberry Pi IoT device. The results of our study show that the IoT-Defender model works better than other methods, as shown by its accuracy score of 99.41%, detection rate of 99.78%, precision score of 98.50%, false alarm rate of 2.56%, mean intersection over union (mIoU) of 0.68, and training time of 81.3 seconds on BoT-IoT. The proposed IoT model is designed to be lightweight and can be installed on edge servers to detect cyber-attacks in real time, specifically in the context of IoT security.

* Corresponding author.
E-mail address: [email protected] (Y.K. Saheed).
Y.K. Saheed et al., Applied Soft Computing 155 (2024) 111434
https://doi.org/10.1016/j.asoc.2024.111434
Received 25 October 2023; Received in revised form 23 January 2024; Accepted 20 February 2024
Available online 28 February 2024
1568-4946/© 2024 Elsevier B.V. All rights reserved.
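As an added illustration of the class-imbalance handling the abstract describes (example code, not the authors' implementation), the following compares the focal loss with plain cross-entropy on a constructed batch of flow predictions. The probabilities, batch composition and the alpha/gamma values are assumptions, not values taken from the paper.

```python
import math


def make_batch():
    """Constructed batch of 100 IoT flows (label 0 = normal, 1 = attack):
    95 easy, correctly classified normal flows and 5 hard attack flows that
    the model currently gets wrong. Probabilities are illustrative only."""
    probs = [[0.95, 0.05]] * 95 + [[0.70, 0.30]] * 5
    labels = [0] * 95 + [1] * 5
    return probs, labels


def cross_entropy(probs, labels, eps=1e-12):
    """Standard per-sample cross-entropy: -log(p_t), p_t = prob of the true class."""
    return [-math.log(max(p[y], eps)) for p, y in zip(probs, labels)]


def focal_loss(probs, labels, gamma=2.0, alpha=None, eps=1e-12):
    """Per-sample focal loss: -alpha_t * (1 - p_t)^gamma * log(p_t).
    The (1 - p_t)^gamma factor shrinks the loss of confidently correct samples,
    so the many easy majority flows stop dominating the gradient; alpha is an
    optional per-class weight list that further favours the minority class."""
    out = []
    for p, y in zip(probs, labels):
        p_t = max(p[y], eps)
        a_t = 1.0 if alpha is None else alpha[y]
        out.append(-a_t * (1.0 - p_t) ** gamma * math.log(p_t))
    return out


def class_share(per_sample, labels, cls):
    """Fraction of the batch's total loss contributed by class `cls`."""
    total = sum(per_sample)
    return sum(loss for loss, y in zip(per_sample, labels) if y == cls) / total


def compare(gamma=2.0, alpha=(0.25, 0.75)):
    """How much of the training signal the 5% attack class receives under each loss."""
    probs, labels = make_batch()
    ce = cross_entropy(probs, labels)
    fl = focal_loss(probs, labels, gamma=gamma, alpha=list(alpha))
    return {
        "minority_share_ce": class_share(ce, labels, 1),
        "minority_share_focal": class_share(fl, labels, 1),
        # scale applied to one easy normal flow: alpha[0] * (1 - 0.95)^gamma
        "easy_sample_scale": fl[0] / ce[0],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4f}")
```

With gamma = 0 and no alpha the focal loss reduces to cross-entropy, which the test below also checks.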
1. Introduction

The Internet of Things (IoT) refers to a network of interconnected physical devices, sensors, and objects that are capable of communicating with each other and exchanging data. The proliferation of IoT devices is projected to reach 55.7 billion units by 2025, thereby necessitating the development of security solutions specifically designed for the IoT [1]. The devices in question exhibit constraints of an economic and physical nature, resulting in restricted availability of both hardware and software resources. The distributed nature and significant role of IoT devices in the evolution of cyber-physical systems (CPSs) render them a prime target for cyberattacks [1]. The anticipated surge in the number of IoT devices is predicted to yield a significant amount of valuable data. With efficient and effective analysis, this data has the potential to facilitate the creation of numerous innovative applications [2]. The traditional framework of computing relies on cloud-based technology to ensure adequate computational resources and sustainable energy. In this framework, IoT devices are responsible for the collection and transmission of data to a distant and robust cloud infrastructure, while cloud servers undertake computationally demanding tasks and furnish the outcomes [3]. Although the advantages of networked devices are evident, the considerable physical separation among them may result in elevated latency, posing challenges for applications that demand low latency, such as virtual reality gaming and autonomous vehicles [4]. In addition, the substantial volume of data conveyed through the network can impose a burden on the core network, leading to significant expenses for service providers. The problem of data transfer latency can potentially be addressed through the utilization of emerging edge computing (EC) [3]. While EC may be referred to by different names, such as fog computing and cloudlet [5], its core concept involves the deployment of computational resources close to the data source for processing, rather than transferring the data to remote locations with computing capabilities. In EC, a multitude of servers are situated at the network's edge, and tasks originating from IoT end devices can be assigned to these edge servers for prompt processing [6]. This methodology offers multiple advantages in comparison to cloud computing [7]. Processing data in proximity to the source can effectively diminish communication latency, thereby conferring benefits for the development of low-latency applications. Furthermore, the implementation of local computation has the potential to enhance data privacy and security measures with greater efficiency. Finally, implementing data processing at the edge of the network may mitigate network congestion, consequently decreasing the strain on the core network.

The current trend toward the era of the IoT is attributed to the swift proliferation of smart devices [8]. The integration of mobility support, geographical distribution, location awareness, and low latency into cloud computing (CC) poses significant challenges to the development of IoT applications. The integration of EC technology is deemed to be of paramount importance for the provision of IoT services, as stated in reference [9]. The centralized CC architecture has been rendered inefficient in analyzing and processing the vast quantities of data gathered from IoT systems due to the restricted network performance experienced during data transfer, as noted in reference [10]. EC refers to the process of transferring computing operations from a cloud-based system to an edge location that is situated close to IoT devices [11]. The implementation of preprocessing techniques results in a significant decrease in the volume of data transmitted, thereby refining the overall performance in cases where the size of the intermediate data is less than that of the original data. The present study employs EC to surmount the obstacles associated with the implementation of security measures in the IoT. Nodes with the ability to perform computational tasks, known as EC hosts, have the potential to offer services with decreased latency.

The implementation of IDSs in the IoT is a promising idea, as evidenced by the scholarly literature [1]. A variety of potential solutions have been proposed in this regard [12]. As depicted in Fig. 1, conventional IDSs designed for the IoT are positioned either at the device or gateway level and, in certain cases, they make use of CC [13]. Nevertheless, the utilization of EC has presented novel prospects for enhancing security in the realm of the IoT. The EC framework extends the CC model to the periphery of the network, enabling intelligent computing functionalities that can effectively reduce network latency by facilitating storage capacity and computation at the edge. This holds significant importance, especially in the context of the IoT. However, the deployment of edge nodes presents novel security vulnerabilities that may be susceptible to exploitation by malicious entities. It is conceivable that edge nodes, particularly those situated in public spaces, may be susceptible to unsanctioned remote entry and physical interference. The aforementioned attacks can alter network traffic, selectively transmit packets, and potentially introduce new packets while masquerading as an authentic device. IDSs that are situated at the device or gateway level may face limitations in detecting such attacks, owing to their occurrence in a distinct network segment. In Fig. 1, IDSs situated at the network periphery can identify such attacks. However, their dependability is compromised by emerging concerns. Thus, it is necessary to employ specialized IDSs that are specifically designed for the network's edge to resolve this challenge. The proliferation of IoT devices at an unprecedented pace has necessitated the development of effective and dependable security measures to safeguard these devices against cyber threats. The utilization of Edge Computing-based Intrusion Detection Systems (EC-IDS) [14] presents a viable resolution to tackle the aforementioned problem. This is achieved by empowering IoT devices to promptly identify and react to cyber-attacks.

The proliferation of IoT devices has brought transformative changes to various domains, introducing unparalleled connectivity and functionality. However, the inherent complexity, diversity, and dynamism of IoT ecosystems present substantial challenges to security. The interconnected nature of devices, coupled with their varying capabilities and resource constraints, amplifies the vulnerability landscape. Current intrusion detection techniques, designed for traditional networks,
exhibit limitations in adapting to the unique characteristics of IoT environments. Inefficiencies in handling dynamic network topologies, susceptibility to evolving attack vectors, and resource-intensive requirements contribute to the inadequacy of existing methods.

This pressing scenario underscores the critical need for innovative intrusion detection approaches tailored to the intricacies of IoT security. This research introduces IoT-Defender, a novel framework addressing these challenges through a synergistic blend of a Modified Genetic Algorithm (MGA) and Fine-Tuned Long Short-Term Memory Networks (LSTM). The proposed solution aims to enhance the adaptability, efficiency, and accuracy of intrusion detection in IoT networks with edge capabilities. By strategically integrating advanced algorithms and leveraging IoT-specific considerations, IoT-Defender contributes to the evolution of security measures in response to the evolving threat landscape. This research seeks to pave the way for more effective and resilient intrusion detection solutions in the realm of IoT security. It presents an EC-IDS designed for IoT devices, which utilizes GA-LSTM machine learning models to promptly identify and address cyber-attacks as they occur. The IoT-Defender system utilizes the computational capabilities of edge devices to locally process network traffic, resulting in reduced latency and enhanced response times. The architecture and design of the proposed system are thoroughly examined, with a focus on its salient characteristics and advantages. IoT-Defender is a proposed IDS that utilizes EC technology to effectively and dependably identify and counteract cyber-attacks on IoT devices. Its implementation guarantees the protection and confidentiality of the devices and their users. The following are the main contributions of this research:

• We develop a novel framework named IoT-Defender based on edge computing for intrusion detection in IoT networks.
• We propose an MGA for choosing the best subset of features that satisfies IoT protocol requirements, trained on the BoT-IoT, UNSW-NB15, and N-BaIoT datasets instead of a dataset from a traditional network that does not meet IoT protocol requirements.
• We design an LSTM model and fine-tune its parameters by adjusting the number of hidden layers using the genetic algorithm. The suggested framework's key features and the initial input feature set combine to train the GA-LSTM model. The incorporation of input features enhances the efficacy of the IDS by diminishing the duration of both the training and the overall detection time.
• We design IoT-Defender with a focus on minimizing computational and memory requirements, ensuring its practical feasibility and applicability in diverse IoT deployment scenarios.
• The proposed IoT-Defender is a lightweight IDS implemented on a Raspberry Pi 4 that can be deployed on edge servers to detect real-time cyber-attacks in IoT networks.
• We assess the effectiveness of IoT-Defender in comparison to existing shallow, centralized models. The proposed study showcases the capacity of the suggested framework to significantly augment the comprehension and elucidation of cyber-attacks in IoT networks.

The subsequent sections of the paper are organized in the following manner. Section 2 discusses the pertinent research. Section 3 outlines the approach, while Section 4 presents the evaluation results derived from experiments and comparative studies. Section 5 provides a comparison with previous studies. Section 6 addresses the constraints, obstacles, and potential risks to the accuracy and reliability of the study. Section 7 encompasses the concluding remarks and prospects for future research.

2. Related work

The authors of [15] designed Passban IDS, a system that can apply a layer of protection to directly connected IoT devices. The system targets only TCP/IP-based attacks, excluding those dependent on IoT technology. The system requires no complex computations and can be installed on inexpensive edge devices such as Raspberry Pis. The IDS is designed to safeguard devices against a restricted set of attacks. However, it exhibits a notably low rate of false positives and a high degree of precision. This IDS is one of the limited number of systems that have been fully implemented, encompassing both recognition and alerting mechanisms that utilize a web-based interface for the user. In EC, the authors of [16] presented an architecture for both resource allocation and IDS. The method that has been presented is specifically intended to streamline the distribution and collaboration of diverse resources. The implementation of a computing edge IDS is proposed, and resource allocation is contingent upon its deployment. The authors of [17] describe a new scheme for distributed DL that is used for detecting cyber-attacks in fog-to-things environments. Based on the experiments, deep models have been observed to demonstrate superior performance compared to shallow models concerning their ability to accurately detect, scale, and achieve a lower FAR. The researchers in [18] propose a framework for detecting intrusions at the network level, as well as machine learning algorithms for safeguarding smart devices and appliances that are situated within residential settings. The precision and recall metrics were employed to evaluate the efficacy of the classifiers. The dataset utilized in the study exhibited an imbalance, with the majority of the samples being attributed to illegal access. As a result, the evaluation methods employed may not provide an accurate reflection of the model's performance. In the context of imbalanced data, it may be more appropriate to utilize alternative performance metrics, such as the AUC, as opposed to relying solely on accuracy, recall, and precision.

The authors of [19] proposed an IDS for IoT systems that utilizes a hybrid detection approach, as stated in their publication. The proposed approach involves utilizing a specification-based methodology to identify intrusions at the local node. This methodology entails analyzing the conduct of the host nodes. Subsequently, the obtained
analysis outcomes are transmitted to the worldwide node, which employs a machine learning-oriented approach to identify potential breaches. The detection of potentially harmful edge devices was examined by the authors cited in reference [20]. Edge devices possess the capability to manage the storage and data processing requirements of a significant quantity of IoT devices. The authors cited in reference [21] suggest that AEs be utilized as a generative model to identify the concealed representation of diverse feature sets. The authors illustrate the capacity of the autoencoder to acquire semantic relatedness between input features in an automated manner. The AE is capable of receiving a feature vector about cyber security phenomena and producing a code vector that denotes the semantic similarity existing between the feature vectors. Li and colleagues [22] introduced the idea of using game theory in the context of EC systems, and they proposed a system called GLIDE, which is based on a data-driven imitative ID game theory approach. The authors analyzed the revenue generated by the game participants and examined different strategies for determining utility based on their position in the game. The technique proposed by the authors in reference [23] involves the utilization of ANNs and FCM at the edge to improve the precision of an IDS. The authors drew a comparison between their approach and traditional ANN methodologies, and demonstrated its efficacy in achieving a high level of precision, particularly in instances of low-frequency attacks. A scholarly article [24] presented a deep learning framework aimed at improving cybersecurity and streamlining attack identification in IoT networks. The study substantiated that the proposed model is suitable for safeguarding IoT devices. The authors in [25] suggested a structure for fine-tuning the smart false-alarm reduction of DIDS-based edge computing devices. The method that has been proposed exhibits the potential to achieve energy efficiency by facilitating data processing at the network's edge, thereby enabling rapid response. The findings of the evaluation indicate that the suggested architecture has the potential to alleviate the burden on the central server and mitigate latencies, in contrast to the comparative investigation. The authors in [26] suggested a method for performing network edge gateway anomaly detection. The system describes network traffic using TCP/IP features that are common across different IoT communication technologies, allowing various systems with different technologies to be connected to the same IDS. The system employs a fuzzy clustering methodology to detect anomalies. The aforementioned methodology yields a notable precision level and a minimal occurrence of false positives when applied to their specific dataset. Additionally, processing the data at the network's edge can help reduce the load on the central server and the delay. The authors of [27] showed a technique for hypergraph clustering founded on the Apriori strategy. The research could effectively figure out the link between FCs that are vulnerable to DDoS attacks. As a result, they confirmed that the model's resource consumption could be effectively improved using DDoS analysis. The researchers in [28] created a framework for the distributed detection of anomalies on edge nodes. The proposed model involves installing AE models on different edge nodes in various network regions. These models are used to detect anomalies using the conventional Auto Encoder technique. As the edge nodes continue to operate, they update their models with new information to detect new tendencies in network traffic. Mourad et al. [29] introduced a novel system termed the vehicular edge computing fog-assisted system. This system enables the offloading of Intrusion Detection System (IDS) tasks to federated vehicle nodes situated within the ad hoc vehicular fog with minimal latency. Although edge nodes possess superior computational capabilities in comparison to IoT devices, they are incapable of managing resource-intensive operations, such as the training of complex machine learning models. This problem has been previously addressed in the literature with proposed systems that do not need intensive operations. The authors of [30] have suggested a host IDS for devices with limited energy resources. As per the findings of scholars cited in reference [31], a sophisticated system has been put forth with the objective of achieving equilibrium between energy consumption and detection precision. The system comprises two IDSs: a signature-based IDS that has a lower energy consumption but may generate a considerable number of false positives, and an anomaly-based IDS that demands more power but delivers more accurate analysis. A methodology was developed by the researchers cited in reference [32] to identify anomalies present in the sensor data of power grids. The utilization of anomaly alerts could serve not only as an indicator of unauthorized intrusion, but also as a means of ensuring grid safety by avoiding blackouts and failures. According to the findings of the study referenced as [33], the deployment of a solitary IDS at the network perimeter was insufficient in terms of effectively monitoring and analyzing all events. The authors suggested a distributed IDS as a potential solution, which involves multiple edge devices functioning as IIoT agents, along with a central unit that aggregates the logs generated by these agents. The IDS employs one-class classification methodologies as its primary approach to detect anomalies. This technique operates under the assumption that the agents can learn the normal behavior of the system. The IDS is deemed appropriate for employment in low-power microcontrollers due to its non-reliance on computationally intensive operations. Table 1 summarizes the comparative analysis against a variety of state-of-the-art intrusion detection systems. In Table 1, we conducted a performance comparison between the proposed IoT-Defender model and the current state-of-the-art models. Most state-of-the-art models focused on analyzing the NSL-KDD, KDD Cup 99, and private datasets. These datasets are not representative of real-world data and are intended for evaluating IoT systems. Due to the absence of an IoT traffic pattern, these applications are ineffective in realistic scenarios. This is because the dataset used to train and assess the underlying models does not accurately represent real-world conditions. However, numerous state-of-the-art methods tackle these problems but lack the ability to identify zero-day attack scenarios, which hinders their adoption in commercial systems. It is important to note that the current state-of-the-art models did not consider the attack surface or utilize edge servers to identify real-time cyber-attacks in IoT networks.

In contrast to prior endeavors, our research introduces IoT-Defender, which specifically tackles the issues outlined for the state-of-the-art models in Table 1. Our primary objective is to reduce computational and memory demands, guaranteeing that the solution is both practical and applicable in various IoT deployment scenarios. IoT-Defender is a lightweight IDS that runs on a Raspberry Pi 4. It is designed to be installed on edge servers and is capable of promptly identifying and responding to cyber-attacks occurring in real time within IoT networks.

2.1. Motivation for the proposed IoT-Defender framework

The selection of the IoT-Defender framework stems from a strategic response to the identified gaps in current intrusion detection systems within IoT networks. The motivation revolves around the need for a solution that can effectively navigate the unique challenges presented by the dynamic and diverse nature of IoT environments.

2.1.1. Adaptability to IoT challenges
IoT-Defender is chosen for its ability to adapt to the distinct characteristics of IoT networks, including diverse device types, dynamic network topologies, and resource constraints. It specifically targets the limitations that render traditional intrusion detection systems less effective in the IoT context.

2.1.2. Addressing inefficiencies of current systems
The framework is motivated by a recognition of the inefficiencies in existing intrusion detection systems concerning IoT traffic patterns. IoT-Defender is designed to enhance the accuracy and efficiency of intrusion detection by addressing the inadequacies that commonly hinder current systems from effectively securing IoT ecosystems.
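The GA-driven feature selection that the contributions and Section 2.1 describe, shown as an added example (not the authors' code): a genetic algorithm evolves a feature-mask chromosome whose fitness is detection accuracy minus a per-feature cost, so small subsets that an edge node can afford are preferred. Assumptions: the flow dataset is constructed, a nearest-centroid classifier stands in for the LSTM the paper trains per candidate subset, and the paper's specific MGA modifications are not reproduced.

```python
import random

N_FEATURES = 12
INFORMATIVE = (0, 3, 7)   # constructed: only these columns separate the two classes


def make_flows(n=300, seed=1):
    """Constructed, balanced flow feature matrix (label 0 = normal, 1 = attack).
    Class 1 shifts the INFORMATIVE columns by +3.0; the other columns are pure
    noise. Rows are shuffled so a first-half/second-half split is usable."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        y = i % 2
        x = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        if y == 1:
            for col in INFORMATIVE:
                x[col] += 3.0
        rows.append((x, y))
    rng.shuffle(rows)
    return rows


def centroid_accuracy(rows, mask):
    """Proxy fitness: nearest-class-centroid accuracy on the held-out second half,
    using only the columns where mask[j] == 1. This stands in for the LSTM the
    paper would train and evaluate for each candidate feature subset."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0
    half = len(rows) // 2
    train, test = rows[:half], rows[half:]
    cent = {}
    for cls in (0, 1):
        members = [x for x, y in train if y == cls]
        cent[cls] = [sum(x[j] for x in members) / len(members) for j in cols]
    hits = 0
    for x, y in test:
        dist = {c: sum((x[j] - cent[c][k]) ** 2 for k, j in enumerate(cols)) for c in (0, 1)}
        pred = 1 if dist[1] < dist[0] else 0
        hits += int(pred == y)
    return hits / len(test)


def fitness(rows, mask, penalty=0.1):
    """Accuracy minus a cost proportional to the fraction of features kept, so the
    GA prefers compact subsets that are cheap to extract and feed to the model."""
    return centroid_accuracy(rows, mask) - penalty * sum(mask) / len(mask)


def ga_select(rows, pop_size=24, generations=30, p_mut=0.05, seed=7):
    """Genetic algorithm over bit-mask chromosomes: tournament selection, uniform
    crossover, bit-flip mutation and elitism. The full feature set is seeded into
    the population, so the result can never score below using all features."""
    rng = random.Random(seed)
    pop = [[rng.randint(0, 1) for _ in range(N_FEATURES)] for _ in range(pop_size)]
    pop[0] = [1] * N_FEATURES
    scores = [fitness(rows, m) for m in pop]

    def tournament():
        a, b = rng.sample(range(pop_size), 2)
        return pop[a] if scores[a] >= scores[b] else pop[b]

    for _ in range(generations):
        best = max(range(pop_size), key=lambda i: scores[i])
        children = [pop[best][:]]                       # elitism: keep the best mask
        while len(children) < pop_size:
            p1, p2 = tournament(), tournament()
            child = [g1 if rng.random() < 0.5 else g2 for g1, g2 in zip(p1, p2)]
            child = [1 - g if rng.random() < p_mut else g for g in child]
            children.append(child)
        pop = children
        scores = [fitness(rows, m) for m in pop]
    best = max(range(pop_size), key=lambda i: scores[i])
    return pop[best], scores[best]


def run_demo():
    """Returns the GA's chosen feature indices alongside the all-features baseline."""
    rows = make_flows()
    full = [1] * N_FEATURES
    best, best_fit = ga_select(rows)
    return {
        "selected": [j for j, bit in enumerate(best) if bit],
        "best_fitness": best_fit,
        "full_fitness": fitness(rows, full),
        "best_accuracy": centroid_accuracy(rows, best),
        "full_accuracy": centroid_accuracy(rows, full),
    }


if __name__ == "__main__":
    print(run_demo())
```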
Table 1. Comparative analysis of the existing state-of-the-art models. Columns: Authors; Models; Dataset; Internet of Things Traffic; Zero-Day Scenario; Edge-Oriented; Attack Surfaced; Secured IoT. [table body not present in the extracted text]
2.1.3. Leveraging the combined strengths
The choice of combining an MGA and an LSTM is deliberate. The MGA offers a sophisticated approach to feature selection, optimizing the use of limited resources on IoT devices. Simultaneously, the Fine-Tuned LSTM excels in learning and detecting patterns within dynamic and evolving IoT network traffic.

2.1.4. Synergistic benefits of the framework
The synergy between the MGA and LSTM provides a comprehensive and adaptive intrusion detection solution. The MGA contributes by selecting pertinent features, optimizing the input for the subsequent processing by the Fine-Tuned LSTM network. This collaboration is aptly suited to the complex and evolving nature of IoT traffic.

2.1.5. Tailoring to edge capabilities
The choice of IoT-Defender is further motivated by its suitability for deployment in edge computing environments. Recognizing the resource constraints on edge devices, the framework is tailored to operate efficiently in such settings, allowing for real-time intrusion detection at the edge.

2.2. Attacks in edge networks

Edge networks frequently comprise a fusion of IoT and personal computer (PC)-like devices, including tablets. In contrast to PC-like devices, the presumption of implicit trustworthiness in linked IoT devices cannot be upheld owing to the ease with which susceptible IoT devices can be manipulated [26], thereby enabling attacks on other devices within the network. The present section delineates prevalent attack categories that are typically witnessed in edge networks. Contemporary ransomware in the IoT realm, such as the notorious Mirai [39], may employ a combination of various attacks to accomplish its intended goals.

2.2.1. A1: Network scanning
In general, such attacks are employed to explore target nodes before initiating specific attacks against them. Scanning attacks facilitate the identification of active UDP and TCP services on the targeted system, the determination of the installed operating system version, and the evaluation of the implemented network traffic filtering. The present investigation delves into the service scanning attack, which is categorized as a form of network scanning attack.

2.2.2. A2: Vulnerability scanning
The objective of these attacks is to detect weaknesses in systems that are dependent on their system software and available services. The aforementioned data can subsequently be utilized to execute focused assaults on hosts.

2.2.3. A3: Man-in-the-middle
Man-in-the-middle attacks are utilized to monitor the communication networks of user devices and alter network traffic to carry out replay and injection attacks. It is possible for a hacker to disrupt a home security system without the user's awareness by replaying smartphone traffic.

2.2.4. A4: Data theft
Intelligent household appliances, Internet of Things (IoT) healthcare devices, and comparable technological devices collect a substantial quantity of user data. Typically, users possess restricted authority regarding the gathering and dissemination of this information. The exploitation of vulnerabilities in IoT devices can enable a hacker to intercept the data belonging to the user [40].

2.2.5. A5: Botnets
Botnets in the present era are typically composed of collaborative devices situated at the periphery of networks [41]. Moreover, a device that has been compromised has the potential to infect additional devices and incorporate them into the botnet. Distributed Denial of Service (DDoS) attacks serve as a notable illustration of how seemingly harmless user devices within edge networks can be leveraged to initiate extensive attacks [42]. The IoT-Defender that we have proposed is designed to detect and avert potential threats in edge networks.

2.3. Motivation for the edge-based method

Edge computing has been proposed as a means to enhance the functionality and reliability of traditional IoT applications [33]. The IoT application can delegate storage and management responsibilities to edge nodes. Anticipated improvements in quality comprise a reduction in the management of network operations in real time, enhanced management of data, and a decrease in latency. In the present context, it is plausible to relocate security applications, such as an IDS, to the edge as depicted in Fig. 1. The aforementioned action has the potential to enhance the capabilities of an IDS by augmenting its computational resources, enabling the utilization of more advanced algorithms, and expanding the storage capacity for system logs or operations that require significant memory usage. In addition, it is worth noting that a node situated at the periphery of the network may provide superior latency compared to the cloud, a crucial factor for IoT applications that require
5
Y.K. Saheed et al. Applied Soft Computing 155 (2024) 111434
real-time responsiveness. Furthermore, an IDS implemented at the periphery of a network must be capable of accommodating various IoT communication technologies, thereby being IoT-agnostic. The implementation of an IDS can effectively oversee a multitude of disparate devices that cohesively utilize varying communication technologies. This approach obviates the necessity for a separate IDS that is specific to each subnetwork of devices within the IoT.

2.4. Methodology and proposed system

This section describes how the IoT-Defender operates. The block diagram of the IDS throughout its primary functioning phases, namely training and prediction, is illustrated in Fig. 2. A more detailed, step-by-step explanation of the five distinct stages of the IoT-Defender approach follows:

2.4.1. Activity receiver

Objective of phase 1: The initial phase involves the reception and gathering of activity data from IoT devices within the network.

Process: The activity receiver module captures data pertaining to device interactions, communication patterns, and various activities within the IoT ecosystem. This may include information on device connections, data transfers, and system events.

2.4.2. Network traffic monitoring

Objective of phase 2: In this phase, the collected activity data undergoes comprehensive monitoring to analyze network traffic patterns.

Process: The network traffic monitoring module scrutinizes the received data, examining communication flows, data volumes, and the frequency of device interactions. This stage aims to establish a baseline understanding of normal network behavior to identify anomalies effectively.

2.4.3. Malicious activity evaluation and detection

Objective of phase 3: Leveraging the insights gained from network traffic monitoring, this phase focuses on the identification of potentially malicious activities.

Process: The malicious activity evaluation and detection module employs a combination of the MGA and Fine-Tuned LSTM networks. The GA optimizes feature selection, while the LSTM network detects patterns indicative of malicious behavior. This stage is pivotal for accurate and adaptive intrusion detection.

2.4.4. Enforcement module

Objective of phase 4: Once malicious activities are identified, the enforcement module comes into play to mitigate potential threats and safeguard the IoT network.

Process: The Enforcement Module takes appropriate actions based on the severity and nature of detected threats. This may involve isolating compromised devices, modifying network access controls, or triggering preventive measures to contain and neutralize the identified malicious activities.

2.4.5. Alert

Objective of phase 5: The final phase involves alerting relevant stakeholders about the detected and mitigated security incidents.

Process: The Alert module generates notifications or alerts to inform administrators, security personnel, or relevant parties about the identified threats and the actions taken for mitigation. These alerts may include details on the type of threat, affected devices, and recommended responses.

This step-by-step breakdown illustrates how IoT-Defender systematically progresses through each module, from receiving and monitoring activity to evaluating, enforcing security measures, and ultimately providing alerts to ensure a comprehensive and adaptive intrusion detection approach.

2.5. System architecture

This section details IoT-Defender’s internal architecture, as illustrated in Fig. 2. The system architecture is not dependent on specific hardware since it can be implemented using edge network gateways like Linksys or single-board computers [43]. IoT-Defender includes five modules: activity receiver, network traffic monitoring, malicious activity evaluation and detection, enforcement module, and alert. The internal workings of each of these five modules are explained as follows.

2.6. Activity receiver

In this phase, the IoT-Defender activity receiver gathers and documents the actions of all IoT devices to create a representation of the
current activities, which will be displayed in a feature space.

2.7.3. Normalization method

Using maximum-minimum normalization methods after the transformation of categorical variables prevented a possible overlap in the training process resulting from the manipulation of large datasets [47]. In the normalization procedure, we used a scaling range of 0–1 to scale the dataset to the same range. Eq. (1) illustrates the fundamental formula utilized in Min-Max normalization.

$$J_{new} = \frac{j - \min(j)}{\max(j) - \min(j)} \quad (1)$$

In the context of this study, the variable $j_i$ denotes a specific feature, while $j_{\min}$ and $j_{\max}$ represent the minimum and maximum values of said feature, respectively.

2.7.4. Focal loss

Although the GA-LSTM architecture is highly effective at extracting spatiotemporal characteristics, the problem of class imbalance in network traffic data could still negatively affect the model’s performance. To effectively address this difficulty, we propose the utilization of the focal loss function [48]. The focal loss is a superior version of the cross entropy (CE) loss. During the training phase, the model calculates the loss by comparing the anticipated probability distribution with the actual probability distribution. The model utilizes the loss value to apply the backpropagation method, which updates the parameters of each layer in the network. This process aims to minimise the loss and improve the accuracy of predictions. Eq. (2) displays the CE loss function.

$$CE(p, y) = \begin{cases} -\log(p), & \text{if } y = 1 \\ -\log(1 - p), & \text{otherwise} \end{cases} \quad (2)$$

where $y \in \{\pm 1\}$ denotes the ground truth and $p \in [0, 1]$ represents the predicted probability of the model for class $y = 1$. In order to simplify Eq. (2), a function defined in terms of $p$ is as follows:

$$p_t = \begin{cases} p, & \text{if } y = 1 \\ 1 - p, & \text{otherwise} \end{cases} \quad (3)$$

where $p_t$ represents the predicted probability of the $t$-th sample belonging to a certain class. By combining Eq. (3), we can simplify Eq. (2) to obtain Eq. (4):

$$CE(p, y) = CE(p_t) = -\log(p_t) \quad (4)$$

$(1 - p_t)^{\gamma}$ is the modulating factor, where $\gamma$ represents the focusing parameter. As $p_t$ approaches 1, it indicates that the sample is easy to classify.

2.8. Evaluating and detecting malicious activity module

The objective of this module is to analyze network traffic data derived from the BoT-IoT and UNSW-NB15 datasets to detect any instances of malevolent network behavior. The creation of security policies is informed by traffic analysis, and subsequently, the enforcement module implements these policies within the network. The subsequent sections will explicate our proposed methodology for conducting feature selection analysis and traffic classification. This approach empowers IoT-Defender to categorize online traffic while minimizing resource utilization. Through the implementation of this approach for training a categorization model, it is possible to depict it as a collection of regulations that can be disseminated among various IoT-Defender deployments. The implementation of this particular strategy enhances the efficacy of classification in existing deployments and expedites the classification process for novel deployments.

2.9. Feature analysis

Our objective is to develop a traffic forecasting system that is efficient and compatible with various platforms. The process involves the identification and extraction of pertinent features from traffic data sourced from the BoT-IoT, UNSW-NB15, and N-BaIoT datasets. The variance and mode of each feature are analyzed to ascertain their efficacy in the classification procedure. Non-beneficial features are eliminated from the classification process to enhance its efficiency and diminish the system’s resource demands [49]. The identification of anomalous behavior in IoT devices and the detection of malicious activities can be facilitated through the examination of the tail end of the feature value distributions. Through an analysis of the distributions of feature values, it is possible to reveal potential correlations among distinct features. The top ten features selected are given in Table 2.

2.9.1. GA parallel processing

To fine-tune the efficacy of a genetic algorithm (GA), it is imperative to prioritize the enhancement of the fitness function, which is commonly regarded as the most computationally intensive component. The present research investigates the utilization of the Parallel Processing optimization methodology to enhance the efficiency of GA by fine-tuning the fitness function. Improving the fitness function is a straightforward approach to improving GA performance, as it is often the bottleneck due to its computational intensity. Parallel processing is an effective way to fine-tune the fitness function by computing the fitness of multiple individuals concurrently across several cores, which is crucial when evaluating hundreds of individuals per population. This study utilized Google Colaboratory Graphics Processing Unit (Google Colab GPU) libraries to simplify the handling of parallel processing, and it can distribute the fitness function across multiple CPUs to reduce GA’s overall execution time, leading to faster convergence [50]. This process results in a Modified Genetic Algorithm (MGA), which selects optimal features for predicting normal and attack behavior in network traffic. The MGA selects ten (10) traits from the BoT-IoT, UNSW-NB15 and N-BaIoT attributes that help the classifier avoid local minima and increase its performance.

Table 2
Features selected.

BoT-IoT features selected | UNSW-NB15 features selected | N-BaIoT features selected
pkSeqID | Src_bytes | MI-dir-L5-mean
Saddr | Src_ip | MI-dir-L5-weight
Dport | Dstip | MI-dir-L3-variance
proto_number | Swin | MI-dir-L1-weight
Flgs | Sjit | MI-dir-L3-mean
Sport | Dur | HpHp-L0.1-pcc
Stime | State | MI-dir-L5-variance
Pkts | Dload | HpHp-L0.01-weight
Seq | ct_state_ttl | HpHp-L0.01-radius
Bytes | ct_src_dport_ltm | HpHp-L0.01-covariance

2.9.2. Fine-tuned LSTM via genetic algorithm (GA-LSTM)

The GA-LSTM is a hybrid model that combines the genetic algorithm [51] with the Long Short-Term Memory Network (LSTM). This pairing is driven by the GA’s ability to direct the search intelligently, favoring chromosomes with high fitness to find the best solution. In this combined architecture, LSTM parameters are encoded as GA chromosomes. Fig. 3 illustrates that the GA-LSTM utilizes four LSTM parameters: the number of hidden layers, the network momentum update (NMU), the NMU decreasing factor (NMU DF), and the learning rate.

The implementation used a single-point crossover, which involved selecting a point at random on the parent chromosome. The genes to the right of this point were exchanged to create new offspring, as shown in Fig. 4.

The population size (SoP) is set to 100, the number of generations (NoG) to 25, the mutation probability (MuP) to 0.1, and the crossover probability (CoP) to 0.5. The stopping criterion is based on the total number of iterations, which equals the number of generations (NoG). As shown in Eq. (8), fitness is computed using the inverse of the LSTM mean squared error (MSE).

The object compartment of the GA-LSTM was trained using 85% of the network traffic. This was done to ensure that network traffic attacks were effectively captured. The GA-LSTM training phase algorithm is depicted in Table 3, and its flowchart is shown in Fig. 5a and b.

$$Fitness = \frac{1}{MSE} \quad (8)$$

The flowchart illustrates the various processes involved in generating and manipulating the GA-LSTM model of the IoT-Defender. Initially, there are 100 LSTM objects as the population size, which are evaluated for fitness using Eq. 2, with lower mean squared error (MSE) indicating greater suitability. The resulting objects are then ranked based on fitness and undergo recombination and mutation using a random tendency. This produces a new generation, which is used as the population for the next iteration. The stopping criteria are based on the number of generations, with the neural network object of highest fitness utilized for classification. The GA-LSTM classifier setting is detailed in Table 4. In this context, each LSTM neural network is referred to as a chromosome, where the genes are associated with the momentum updates, learning rates, and the number of hidden layers. By applying a GA technique, the values of these genes are determined to fine-tune the LSTM object. Importantly, by automatically adjusting the LSTM’s control parameters such as MuP and learning rate, the GA-LSTM is better equipped to handle imbalanced network traffic data, specifically for the BoT-IoT, UNSW-NB15, and N-BaIoT datasets. The fitness of the LSTM object is computed using its mean squared error (MSE), and the neural network parameters are re-tuned until the GA-LSTM identifies the optimal network from the LSTM pool that has been generated through multiple generations. As a stopping criterion, the value of "NoG," which is set to 25, is due to the simulation’s available computational resources.

2.9.3. Fine-tuning process of LSTM parameters via the MGA

In the IoT-Defender framework, the fine-tuning process of LSTM parameters is a critical stage that optimizes the efficacy of intrusion detection. This process involves leveraging the MGA to systematically explore and refine the LSTM network’s configuration, enhancing its ability to discern patterns indicative of malicious activities.

2.9.3.1. Parameter space exploration. The MGA initiates by defining a parameter space encompassing key LSTM configurations, such as the number of hidden layers, units per layer, learning rate, and dropout rates. This parameter space represents a spectrum of potential LSTM architectures. Fig. 6 describes the architecture of the LSTM network.

2.9.3.2. Population initialization. A population of LSTM configurations is generated within the defined parameter space. Each configuration represents a potential setup for the LSTM network.

2.9.3.3. Fitness evaluation. The fitness of each LSTM configuration is evaluated based on its ability to accurately detect malicious activities in the context of IoT network traffic. This assessment considers metrics such as accuracy, precision, detection rate, and false alarm rate score, providing a comprehensive evaluation of the network’s performance.
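The min-max scaling of Eq. (1) and the loss functions of Section 2.7.4, worked through as an added example (not code from the paper). The page gives the modulating factor $(1 - p_t)^{\gamma}$ but not the full focal loss expression, so the block assumes the standard form $FL(p_t) = -(1 - p_t)^{\gamma}\log(p_t)$ from the cited focal loss work [48]; the batch of probabilities it scores is constructed.

```python
import math


def min_max_normalize(values):
    """Eq. (1): scale one feature column into [0, 1].

    A constant column (max == min) would divide by zero; it carries no
    information for the classifier, so every entry maps to 0.0.
    """
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def p_t(p, y):
    """Eq. (3): probability the model assigns to the true class.
    y is +1 for the positive (attack) class, anything else otherwise."""
    return p if y == 1 else 1.0 - p


def cross_entropy(p, y, eps=1e-12):
    """Eq. (4): CE(p, y) = -log(p_t).  eps keeps log(0) finite."""
    return -math.log(max(p_t(p, y), eps))


def focal_loss(p, y, gamma=2.0, eps=1e-12):
    """Focal loss: CE scaled by the modulating factor (1 - p_t)^gamma.
    Standard form assumed from [48]; gamma is the focusing parameter and
    gamma = 0 recovers plain cross entropy."""
    pt = max(p_t(p, y), eps)
    return -((1.0 - pt) ** gamma) * math.log(pt)


def batch_loss(probs, labels, loss_fn, **kw):
    """Mean loss over a batch of (p, y) pairs."""
    return sum(loss_fn(p, y, **kw) for p, y in zip(probs, labels)) / len(probs)


# Constructed batch mimicking an imbalanced IoT traffic slice: many benign
# flows the model already classifies confidently (easy) and one attack flow
# it is unsure about (hard).  p is the predicted probability of "attack".
EASY_BENIGN = [(0.05, -1)] * 9
HARD_ATTACK = [(0.30, 1)]


def easy_share(loss_fn, **kw):
    """Fraction of the batch loss contributed by the easy samples.
    Under CE the nine easy flows dominate the gradient; under focal loss
    the single hard flow does, which is the point of the modulating factor."""
    easy = sum(loss_fn(p, y, **kw) for p, y in EASY_BENIGN)
    hard = sum(loss_fn(p, y, **kw) for p, y in HARD_ATTACK)
    return easy / (easy + hard)


if __name__ == "__main__":
    print("normalized:", min_max_normalize([2, 4, 10]))
    print("CE easy share:", round(easy_share(cross_entropy), 3))
    print("FL easy share:", round(easy_share(focal_loss, gamma=2.0), 3))
```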
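The GA-LSTM search of Sections 2.9.1 to 2.9.3 as an added example (not the paper's code): chromosomes carry the four genes of Fig. 3, single-point crossover and mutation use the page's SoP, NoG, MuP and CoP, fitness is 1/MSE (Eq. 8), and the strongest half survives while offspring replace the weakest (Table 4). Training an actual LSTM per chromosome is out of scope here, so `surrogate_mse` is a constructed stand-in with a known optimum; the gene ranges are assumptions, and the thread pool stands in for the multi-core fitness evaluation of Section 2.9.1.

```python
import math
import random
from concurrent.futures import ThreadPoolExecutor

# GA settings as given in Section 2.9.2
SOP, NOG, MUP, COP = 100, 25, 0.1, 0.5

# The four genes of Fig. 3; the search ranges are assumptions, not from the paper.
GENE_SAMPLERS = {
    "hidden_layers": lambda rng: rng.randint(1, 6),
    "nmu":           lambda rng: rng.uniform(0.0, 1.0),      # network momentum update
    "nmu_df":        lambda rng: rng.uniform(0.0, 1.0),      # NMU decreasing factor
    "learning_rate": lambda rng: 10 ** rng.uniform(-4, -1),  # log-uniform
}
GENES = list(GENE_SAMPLERS)


def random_chromosome(rng):
    return {g: sample(rng) for g, sample in GENE_SAMPLERS.items()}


def surrogate_mse(chrom):
    """Constructed stand-in for 'train this LSTM and measure its MSE'.
    Minimum 0.01 at 3 layers, nmu 0.9, nmu_df 0.5, learning rate 0.01."""
    return (0.01
            + 0.05 * (chrom["hidden_layers"] - 3) ** 2
            + (chrom["nmu"] - 0.9) ** 2
            + (chrom["nmu_df"] - 0.5) ** 2
            + 0.1 * (math.log10(chrom["learning_rate"]) + 2) ** 2)


def fitness(chrom, mse_fn=surrogate_mse):
    """Eq. (8): fitness is the inverse of the LSTM mean squared error."""
    return 1.0 / max(mse_fn(chrom), 1e-12)


def evaluate_population(pop, mse_fn, workers=1):
    """Section 2.9.1: fitness evaluation is the bottleneck, so score the
    individuals concurrently.  A thread pool stands in here; real LSTM
    training would use a process pool or GPU batching instead."""
    if workers <= 1:
        return [fitness(c, mse_fn) for c in pop]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda c: fitness(c, mse_fn), pop))


def single_point_crossover(a, b, rng):
    """Fig. 4: cut at a random point and swap the genes to its right."""
    point = rng.randrange(1, len(GENES))
    child1 = {g: (a if i < point else b)[g] for i, g in enumerate(GENES)}
    child2 = {g: (b if i < point else a)[g] for i, g in enumerate(GENES)}
    return child1, child2


def mutate(chrom, rng):
    """Resample each gene independently with probability MuP."""
    return {g: GENE_SAMPLERS[g](rng) if rng.random() < MUP else v
            for g, v in chrom.items()}


def run_ga(mse_fn=surrogate_mse, seed=0, sop=SOP, nog=NOG, workers=1):
    """Table 4 / Fig. 5: evolve LSTM configurations for NoG generations and
    return the best chromosome seen together with its fitness."""
    rng = random.Random(seed)
    population = [random_chromosome(rng) for _ in range(sop)]
    best, best_fit = None, 0.0                      # OptimalLSTMObject, FitMax
    for _ in range(nog):                            # stopping criterion: NoG
        fits = evaluate_population(population, mse_fn, workers)
        order = sorted(range(sop), key=lambda i: fits[i], reverse=True)
        if fits[order[0]] > best_fit:               # Table 4, steps 12-15
            best_fit, best = fits[order[0]], population[order[0]]
        survivors = [population[i] for i in order[: sop // 2]]
        children = []                               # offspring replace the weakest
        while len(survivors) + len(children) < sop:
            p1, p2 = rng.sample(survivors, 2)
            if rng.random() < COP:
                c1, c2 = single_point_crossover(p1, p2, rng)
            else:
                c1, c2 = dict(p1), dict(p2)
            children += [mutate(c1, rng), mutate(c2, rng)]
        population = survivors + children[: sop - len(survivors)]
    return best, best_fit


if __name__ == "__main__":
    chrom, fit = run_ga(seed=1, workers=4)
    print(f"best fitness {fit:.2f} (MSE {1 / fit:.4f}) at {chrom}")
```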
Table 3
Fitness function.

Parameters of GA-LSTM | Values
Train Function | TrainIm
Hidden Layer | Autotune by GA
The measure of the function | MSE
Criteria used for stopping | 1e-3
Function divide | Divideblock
Training ratio | 75/100
Testing ratio | 25/100

2.9.3.4. Genetic operations. Genetic operations, including selection, crossover, and mutation, are applied to the population of LSTM configurations. This mimics the process of natural selection, favoring configurations with higher fitness values and introducing variations to explore new potential solutions.

2.9.3.5. Iterative refinement. The process iteratively refines the population over multiple generations, guiding the GA towards optimal LSTM configurations. This iterative refinement is crucial for adapting the LSTM network to the dynamic and evolving patterns of IoT network traffic.

2.9.3.6. Enhancement of detection efficacy. The fine-tuning process enhances detection efficacy by tailoring the LSTM network to the unique characteristics of IoT traffic. The adaptability of the GA allows for the discovery of LSTM configurations that effectively capture and discern patterns indicative of malicious activities. This adaptability is paramount in ensuring that the intrusion detection system remains robust and agile in the face of evolving threats.

2.10. Enforcement module

The IoT-Defender system is designed with an enforcement module that can automatically limit network access for devices that display malicious behavior. If a smartwatch engages in a network scanning attack, IoT-Defender will impede its network access and confine its communication to the cloud service of its manufacturer. The IoT-Defender’s policing module establishes access control through the utilization of security policies generated from the traffic analysis detection module. The aforementioned security policies are utilized to generate flow table rules to regulate network traffic in an OVS deployment. The security policies are retained in a memory-based cache during operation. The cache has a predetermined lifespan or time-to-live, which is refreshed each time a policy is utilized.

2.11. Alert

Upon identification of an attack, the system in question ceases the user’s session and subsequently informs the administration to undertake suitable measures.

2.11.1. Adaptive alert thresholds

IoT-Defender incorporates adaptive alert thresholds that dynamically adjust based on changes in network configurations. This ensures that the framework maintains a balanced approach, minimizing false positives or negatives associated with shifting environments. The adaptive alert thresholds contribute to the overall robustness of IoT-Defender in the face of dynamic network changes.

2.11.2. Noise-tolerant learning algorithms

The IoT-Defender model is trained using noise-tolerant learning algorithms. These GA+LSTM algorithms equip the framework to discern meaningful patterns amidst noisy data. Whether the noise stems from environmental factors, device malfunctions, or communication interferences, IoT-Defender’s robust learning algorithms enable it to distinguish genuine threats from irrelevant fluctuations in the data.

2.12. Experimental analysis

Three novel traffic databases, namely the BoT-IoT data [52], UNSW-NB15, and N-BaIoT, were employed in our experiments. Tables 5–7 present a comprehensive overview of the threat statistics about the training and testing sets derived from the three datasets.

2.13. Description of datasets employed for the assessment of the efficacy of the IoT-defender

To evaluate the effectiveness of the proposed IoT-Defender, three currently available datasets focused on IoT are utilized. The datasets are divided into two distinct subsets, specifically referred to as the training set and the testing set, with a distribution ratio of 85% and 15% accordingly. A fundamental obstacle in the field of anomaly detection research pertains to the acquisition or creation of an appropriate dataset for experimental purposes. In this research, the researchers analyzed pre-existing datasets to determine the most suitable dataset for subsequent investigation. The authors delineated the dataset prerequisites by the research objective of identifying anomalies in IoT:

CR1: the acquisition of the dataset ought to be conducted from the IoT networks.
CR2: the dataset ought to comprise records of events.
CR3: It is recommended that the dataset includes anomalies.
CR4: The dataset must be appropriately labeled to distinguish between normal and abnormal data.
CR5: It is recommended that the dataset utilized in the study closely approximates real-world data, specifically data derived from authentic or partially authentic systems.

The datasets that meet the specified criteria 1–5 (CR1-CR5), namely those that comprise labeled sensors and network data, include the recently developed BoT-IoT dataset and the UNSW-NB15 [53] dataset. These datasets were subjected to a comprehensive analysis by the authors. The particulars of each dataset are delineated as follows:

2.13.1. BoT-IoT dataset

The distribution of attacks within the BoT-IoT dataset is depicted in Table 5 [54]. The category of attacks is listed in the first column, followed by the attack types, training size, and testing size for each attack type. The BoT-IoT is available at https://www.unsw.adfa.edu.au/unsw canberracyber/ cybersecurity/ADFA-NB15-Datasets/bot_iot.php.

2.13.2. UNSW-NB15 dataset

The UNSW-NB15 dataset comprises genuine real-world everyday activities and artificial contemporary attacks, thereby distinguishing it from the NSL-KDD dataset and presenting a more intricate and current threat landscape. The dataset was produced utilizing the Tcpdump software in conjunction with 12 additional algorithms, yielding a total of 49 features accompanied by class labels. The dataset in its entirety comprises 25,400,443 records; however, it was segregated into two subsets, namely a training set (UNSW NB15 training-set.csv) and a test set (UNSW NB15 testing-set.csv), through the application of a hierarchical sampling technique. The training dataset comprises 175,341 entries, whereas the test dataset encompasses 82,332 entries [55]. The dataset that has been partitioned comprises 43 features that have been labeled with their respective classes. This number of features is 6 less than the total number of features present in the original dataset. The aforementioned comprises a set of ten distinct attack categories, encompassing generic, exploits, fuzzers, DoS, reconnaissance, analysis, backdoor, shellcode, and worms. Table 6 provides a comprehensive breakdown of the classification of the UNSW-NB15 dataset. The UNSW-NB15 data is available at https://research.unsw.edu.au/projects/unsw-nb15-dataset.

2.13.3. N-BaIoT

The N-BaIoT data set [56] is publicly accessible and free for use in cyber security research. The data set was created by an IoT testbed consisting of two doorbells, a thermostat, a baby monitor, four security cameras, and a webcam. The commercial IoT devices were compromised by BASHLITE and Mirai botnets. From the network packets, 115 statistical features were extracted to capture the behaviour of the network traffic throughout different time periods. For a comprehensive understanding of the data gathering and feature extraction methods, please refer to [56]. The dataset includes benign IoT network traffic as well as IoT botnet scenarios, encompassing ACK, Scan, SYN, and UDPP flooding attacks. This research utilised a total of 363,979 benign IoT network traffic samples and 1,483,658 samples of IoT botnet attacks. The network
traffic features were standardized using a normalization process based on Eq. (1) in order to remove any potential bias towards a certain feature. The N-BaIoT data is available at https://www.kaggle.com/datasets/mkashifn/nbaiot-dataset/discussion

Table 4
GA-LSTM algorithm.

1. GA-LSTM Algorithm
2. Start
Input: Population size (N), Number of generations (G), Fitness function (F), Crossover probability (Pc), Mutation probability (Pm).
3. Set GA parameters (CoP, MuP, NoG, and SuP)
4. pushCount = 0, FitMin = 0, optimalLSTMobject = NULL, getCount = 0
5. While pushCount ≤ SuP
6. Create arbitrary values for the LSTM parameters encoded on the GA Chromosome.
7. Add Parent to the population
8. Input: Input sequence X, Number of LSTM layers (L), Number of neurons per layer (N), Activation function (f), Loss function (L), Optimization algorithm (O), Performance metric (M), Number of epochs (E), and Batch Size (B)
9. Using Eq. 7, determine the fitness of each parent (LSTM object).
10. While pushCount ≤ NoG
11. Select parents in descending order of high fitness.
12. If fitness > fitmaximum go to 13 else go to 14
13. Fitmaximum = fitness; go to 15
14. Fitmaximum = fitmaximum
15. OptimalLSTMObject = Parent
16. Develop crossover for the strongest parents to produce new offspring, then replace the weakest parent with the offspring produced.
17. Adjust the population based on the probability of mutation
18. Determine the viability of the newly developed population (that is, the new LSTM pool)
19. Increase pushCount and repeat steps (11) to (18) until pushCount is equal to the number of NoG
20. Optimal LSTMObject is assigned GA-LSTM concerning global minimal
21. Return the GA-LSTM object for categorization
22. End

Table 5
The distribution of attacks in BoT-IoT data.

Category | Type of Attack | Train | Test
Benign | Benign | 7634 | 1909
Information Gathering | OS Fingerprinting | 28,662 | 7166
Information Gathering | Service scanning | 117,069 | 29,267
DoS Attack | DoS TCP | 985,280 | 246,320
DoS Attack | DoS HTTP | 2376 | 594
DoS Attack | DoS UDP | 1,652,759 | 413,190
Information Theft | Data theft | 94 | 24
Information Theft | Keylogging | 1175 | 294
DDoS Attack | DDoS UDP | 1,517,208 | 379,302
DDoS Attack | DDoS TCP | 1,563,808 | 390,952
DDoS Attack | DDoS HTTP | 1582 | 395
Total | - | 5,877,647 | 1,469,413

Table 6
The spread of classes within the UNSW-NB15 data.

Category | Train set | Test set
Benign | 56,000 | 37,000
Backdoor | 1746 | 583
Exploits | 33,393 | 11,132
Generic | 40,000 | 18,871
Shellcode | 1133 | 378
Analysis | 2000 | 677
DoS | 12,264 | 4089
Fuzzers | 18,184 | 6062
Worms | 130 | 44
Reconnaissance | 10,491 | 3496
Total | 175,341 | 82,332

[58]. The provided table outlines the efficacy of a classification model when applied to a dataset with pre-existing true values. Fig. 7 depicts a table with two dimensions, one displaying the actual values and the other presenting the predicted outcomes.

As per the conducted experiments, the identification of an attack by IoT-Defender is considered a true positive (TP), whereas the correct identification of a normal flow by IoT-Defender is referred to as a true negative (TN). Conversely, a type I error, or false positive (FP), arises when IoT-Defender incorrectly flags an attack (i.e., a false alarm), while a type II error, or false negative (FN), arises when IoT-Defender fails to identify an attack. It is noteworthy that IoT-Defender functions as an anomaly detection system, whereby anomalies are infrequent events in comparison to normal occurrences. Consequently, it is customary to aggregate the elements of the confusion matrix to derive the detection rate (DR), precision (P), accuracy, and false alarm, as expressed by Eqs. (9)–(11). When assessing an IDS, it is imperative to take into account false positives (FP) as a key metric of performance, given that an excessive number of erroneous alerts can have a detrimental effect on the dependability and efficiency of the system. Therefore, the minimization of false positives is a key objective of IoT-Defender. The ratios used to evaluate the efficacy of our model were derived from the confusion matrix previously mentioned:

i. Accuracy: The metric that evaluates the effectiveness of a classifier in predicting classes is accuracy. The aforementioned ratio is derived through the division of the aggregate count of precise predictions, encompassing true positives and true negatives, by the overall count of predictions made, which includes true positives, true negatives, false positives, and false negatives.

$$Accuracy = \frac{TP + TN}{TP + TN + FP + FN} \quad (9)$$

ii. Precision: The concept of precision pertains to the ratio of true positive predictions to the total number of positive predictions made. The calculation involves the division of the count of accurately predicted positive classes (TP) by the overall count of predicted positive classes (TP + FP).

$$Precision = \frac{TP}{TP + FP} \quad (10)$$

iii. Detection Rate: The Detection Rate (DR) is a metric that expresses the proportion of correctly identified positive classes out of the total number of positive classes. The calculation involves the division of the count of accurately predicted positive classes (TP) by the overall count of positive classes that exist in reality (TP + FN).

$$Detection\ rate = \frac{TP}{TP + FN} \quad (11)$$

2.15. Long short-term memory configuration

The LSTM models, as described in reference [59], consist of an input layer with a neuron count equivalent to the number of input attributes, two hidden layers, and an output layer. The model underwent four epochs of training, utilizing batches of 100 elements and the dataset containing the top 10 features. The neural network architecture is comprised of 10 input neurons, which is equivalent to the number of features in the first layer. The network further consisted of four hidden layers, with 20, 60, 80, and 90 neurons, respectively, and one output neuron. The model was initially evaluated using a batch size of 1000. However, due to its inadequate performance, an alternative value was explored. It was found that utilizing a batch size of 100 resulted in an enhancement of the model’s specificity. The activation functions utilized for the input and hidden layers were “tanh,” whereas the activation function employed for the output layer was “sigmoid.” The Tanh and sigmoid activation functions are commonly utilized in the construction of neural networks, with the latter being the more favored option. Table 8 presents a comprehensive summary of the parameters of the LSTM model.

Table 8
The parameters associated with the LSTM network.

Parameters | Values
Epochs | 4
Layers | 6
Neurons | 10 (Input); 20 (1st hidden); 60 (2nd hidden); 80 (3rd hidden); 90 (4th hidden); 1 (Output)
Activation function | Hidden layers: ‘tanh’; Output layer: ‘sigmoid’
Batch_size | 100
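The confusion-matrix ratios of Eqs. (9)–(11), worked through on a constructed, imbalanced set of flow labels as an added example (not the paper's code). The false alarm rate is not written out on the page; the block assumes the usual definition FP / (FP + TN). The two constructed detectors show why the text singles out false positives and the detection rate for an anomaly detector: accuracy alone looks excellent even when nothing is detected.

```python
# Label convention: 1 = attack (positive class), 0 = normal flow.


def confusion_counts(y_true, y_pred):
    """Count TP, TN, FP, FN for binary attack/normal label vectors."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)  # false alarm
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)  # missed attack
    return {"TP": tp, "TN": tn, "FP": fp, "FN": fn}


def _ratio(num, den):
    """Guard the divisions: with no positives (or no negatives) in the
    data the ratio is undefined and is reported here as 0.0."""
    return num / den if den else 0.0


def accuracy(c):           # Eq. (9)
    return _ratio(c["TP"] + c["TN"], c["TP"] + c["TN"] + c["FP"] + c["FN"])


def precision(c):          # Eq. (10)
    return _ratio(c["TP"], c["TP"] + c["FP"])


def detection_rate(c):     # Eq. (11)
    return _ratio(c["TP"], c["TP"] + c["FN"])


def false_alarm_rate(c):   # assumed definition: FP / (FP + TN)
    return _ratio(c["FP"], c["FP"] + c["TN"])


def ids_metrics(y_true, y_pred):
    """All four ratios for one label/prediction pair."""
    c = confusion_counts(y_true, y_pred)
    return {"accuracy": accuracy(c), "precision": precision(c),
            "detection_rate": detection_rate(c),
            "false_alarm_rate": false_alarm_rate(c)}


# Constructed labels: 990 normal flows and 10 attacks, the kind of imbalance
# Table 5 shows for BoT-IoT's rarer classes.
Y_TRUE = [0] * 990 + [1] * 10

# A detector that flags nothing: attacks are rare, so accuracy looks
# excellent (0.99) while the detection rate is zero.
PRED_ALL_NORMAL = [0] * 1000

# A detector that catches 9 of the 10 attacks at the cost of 20 false alarms.
PRED_DETECTOR = [1] * 20 + [0] * 970 + [1] * 9 + [0]


if __name__ == "__main__":
    for name, pred in (("all-normal", PRED_ALL_NORMAL), ("detector", PRED_DETECTOR)):
        print(name, {k: round(v, 4) for k, v in ids_metrics(Y_TRUE, pred).items()})
```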
2.16. Platform and software

Python 3.8 was employed to conduct the experiments, with Numpy and Scipy utilized for both the experimentation and preprocessing phases. Furthermore, the Matplotlib library was employed for data visualization, TensorFlow was utilized for the implementation of neural networks, and Scikit Learn was employed for ML, as cited in reference [36]. Python has gained popularity as a language for ML due to its uncomplicated syntax and simplicity in handling text manipulation. The rapid documentation and development of Scikit Learn, a scientific library established by David Cournapeau in 2007 as part of a Google summer code project [60], can be attributed to its popularity among researchers from public and private organizations. The Raspberry Pi 4, a diminutive single-board computer produced by the Raspberry Pi Foundation in the UK, was utilized to conduct the experiments due to its low power consumption. The Raspberry Pi 4 has garnered attention in the fields of robotics and IoT projects due to its robust Broadcom BCM2711, Quad Core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5 GHz and 40 General Purpose Input Output (GPIO) pins, rendering it a suitable choice for IoT-device-related applications. The utilization of Raspberry Pi 4 as an edge node in diverse IoT applications has been expounded upon by researchers [61]. Thus, the current study utilizes the Raspberry Pi 4, which is the fourth iteration of the Raspberry Pi. The Raspberry Pi 4 is equipped with a potent Broadcom BCM2711, Quad Core Cortex-A72 (ARM v8) 64-bit System on a Chip (SoC) that operates at 1.5 GHz and 40 General Purpose Input Output (GPIO) pins, rendering it a suitable device for IoT applications due to its low-power and high-performance capabilities. Fig. 8 presents the technical specifications of the Raspberry Pi 4.

3. Results and discussion

The study showcased empirical findings that establish the efficacy and expediency of intrusion detection in IoT networks through the collaborative utilization of edge computing. Through this performance evaluation, the inquiry pertains to the feasibility of training an intrusion detection model using the two-stage MGA feature selection and GA-training of intrusion detection models on the edge can facilitate the identification of unknown attacks by enabling participants to share threat intelligence.

3.1. The detection of unfamiliar (unknown) attacks in IoT networks through the utilization of edge computing collaboration

Within this section, we construct experiments utilizing the BoT-IoT data to authenticate the efficacy of the edge computing collaborative effort-based approach in identifying unfamiliar attacks within the IoT ecosystem. Tables 9 and 10 display the division of the dataset into eleven distinct categories. Given that the quantity of training samples has an impact on the efficacy of the model, the experiment was conducted using the eleven categories of samples that possessed the highest volume of data. The present investigation posits the existence of eleven distinct IoT edge devices, denoted as D1, D2, D3, D4, D5, D6, D7, D8, D9, D10, and D11. The present study employs an experimental design to assess the efficacy of detecting unanticipated attacks through the utilization of edge computing collaboration within IoT settings. Additionally, these experiments sought to address the requirement for the development of an IDS that is responsive to the most recent attacks via BoT-IoT, UNSW-NB15, and N-BaIoT for use in IoT-based edge computing. Table 9 presents the performance evaluation of the IoT-Defender (GA-LSTM) in comparison to benign activities and various forms of attacks on the BoT-IoT dataset. The study presents a proposed GA-LSTM approach for fingerprinting, which achieves a DR of 99.83%, an accuracy of 98.40%, a precision of 96.45%, a sensitivity of 98.20%, a FAR of 4.10, and a training time of 68.8. The results of the scanning service indicate an accuracy rate of 98.64%, a DR of 99.43%, a precision rate of 98.02%, a sensitivity of 98.79%, a FAR of 2.80, and a training duration of 90.14. The DoS TCP model demonstrated a precision rate of 98.50%, a sensitivity of 97.90%, a FAR of 2.56, and a DR of 99.78%, resulting in an overall accuracy of 99.41%. The training process required 81.3 units of time. The results of the Data Theft experiment indicate a level of accuracy of 100%, a DR of 98.48%, a precision of 95.20%, a FAR of 5.20%, and a training duration of 271 units.

Fig. 9 shows that the DDoS User Datagram Protocol (UDP) yielded an
LSTM model, while addressing the challenges posed by resource con
accuracy rate of 98.49%, a DR of 99.43%, a precision rate of 95.10%, a
straints (such as storage resources and computational time) on edge
FAR of 5.63, and required a training time of 650 units. The results of the
devices and the need to preserve the privacy of IoT data. Collaborative
keylogging analysis indicate an accuracy rate of 98.56%, a DR of
13
Y.K. Saheed et al. Applied Soft Computing 155 (2024) 111434
Table 9
Performance evaluation of the GA-LSTM model on the BoT-IoT.
Type of Attack Edge Devices Accuracy DR Precision Sensitivity False-alarm Training Time
Table 10
Performance evaluation of the GA-LSTM model on the UNSW-NB15.
Type of Attack Edge Devices Accuracy DR Precision Sensitivity False Alarm Training Time
99.81%, a precision rate of 97.49%, a FAR of 3.51, and a training 82.1%, and a FAR of 7.30%. Additionally, the accuracy of the shellcode
duration of 319. The HTTP Denial of Service (DoS) model yielded an was determined to be 93.4%. The shellcode was trained for a total of 112
accuracy rate of 98.79% and 99.13%, a precision rate of 97.10%, a FAR units of time. The results of the experiments yielded an accuracy rate of
of 3.20, and required a training time of 115 units. The DoS User Data 98.0%, a DR of 97.20%, a precision rate of 97.1%, a FAR of 3.80, and a
gram Protocol (DoS UDP) yielded a precision rate of 96.41%, a FAR of training duration of 35 seconds. The findings indicate that the accuracy
4.69, a DR of 98.49%, and an accuracy rate of 99.02%. Additionally, the rate is 94.5%, the DR is 95.43%, the precision rate is 94.5%, the FAR is
training period for this model was 165 units of time. The DDoS Trans 5.60, and the duration of the training process is 90 seconds. The results
mission Control Protocol (TCP) achieved an accuracy rate of 98.57%, a obtained from the fuzzer indicate an accuracy rate of 89.3%, a DR of
DR of 97.40%, a Precision rate of 96.10%, a FAR of 4.40, and required a 90.21%, a precision rate of 91.5%, a FAR of 7.24, and a training time of
training time of 400 units. The HTTP-based Distributed Denial of Service 111 seconds. The model achieved a 99.0% accuracy rate, a 98.9% DR,
(DDoS) technique yielded a high level of accuracy at 98.97%, with a DR and a 97.9% precision rate. The FAR was 3.32, and the training process
of 98.32%, a Precision of 96.50%, a FAR of 4.52, and a relatively brief took 30 seconds. The results of the reconnaissance indicate an accuracy
training time of 880 units. The accuracy of the Benign class was 98.42%, rate of 97.3%, a DR of 96.8%, a precision rate of 95.5% seconds, a FAR of
with a detection rate of 99.62% and a precision of 97.21%. The FAR was 5.10, and a training duration of 80 seconds. The accuracy of the benign
3.23, and the training time was 68.7. The results indicate that the DoS class was found to be 98.6%, with a DR of 99.9%, and a FAR of 98.2%.
TCP exhibited the most accurate performance, achieving a 99.41% ac The FAR was also measured to be 2.30, and the training time for this
curacy rate, a 99.78% detection rate, a precision of 98.50%, a false class was determined to be 20.2 seconds. According to the results, the
acceptance rate (FAR) of 2.56, and a training time of 81.3 seconds, DoS attack exhibited the most precise outcomes, with an accuracy of
surpassing all other attack classes. 99.5%, a DR of 98.6%, a precision of 93.5%, a FAR of 6.15, and a
Table 10 presents the evaluation results of the GA-LSTM model on training time of 96.6 seconds, surpassing all other attack categories.
the UNSW-NB15 dataset, concerning benign traffic and various types of Table 11 presents the evaluation results of the GA-LSTM model on
attacks. The results indicate that the GA-LSTM model applied to Benign the N-BaIoT dataset, concerning normal traffic and various IoT zero-day
data attained a high level of accuracy at 98.9%, a DR of 99.9%, a pre botnet scenarios, including ACK, Scan, SYN, and UDPP flooding attacks.
cision of 98.2%, a FAR of 2.30, and a relatively short training time of The results indicate that the GA-LSTM model applied to normal attained
20.2. The DoS attack yielded a 99.5% accuracy rate, a 98.6% DR, a a high level of accuracy at 99.99%, a DR of 100%, a precision of 99.97%,
93.5% precision rate, a FAR of 6.15, and required a training time of 96.6. a sensitivity of 99.90%, a FAR of 1.00, and a training time of 15.40. The
The Worm attack exhibited a precision of 92.3%, an accuracy of 95.6%, ACK botnet attack yielded a 99.98% accuracy rate, a 99.54% DR, a
a DR of 93.7%, a FAR of 7.20, and required 110 units of training time. 99.78% precision rate, a sensitivity of 99.75%, a FAR of 1.20, and
The findings indicate that the probe exhibits a precision of 94.6%, a FAR required a training time of 12.90.
of 6.41, a DR of 95.6%, and an accuracy of 92.6%. Additionally, the Fig. 11 shows that the obtained results of the UDPP exhibit a preci
training duration for the probe was 100 units of time. sion of 99.60%, a detection rate of 99.50%, and a FAR of 2.30%.
Fig. 10 depicts the Backdoor model exhibited a high level of accu Additionally, the accuracy of the UDPP flooding attack was determined
racy, with a recorded rate of 97.4%. Additionally, it demonstrated a DR to be 98.67%, and a sensitivity of 98.62%. The SYN botnet attack
of 96.4% and a precision of 95.6%. The FAR of backdoor was measured exhibited a precision of 99.82%, an accuracy of 99.95%, a DR of
at 5.16, while its training time was recorded at 83 seconds. The obtained 99.99%, a sensitivity of 97.50%, a FAR of 1.50, and required 2.30 units
results of the shellcode exhibit a precision of 83.2%, a detection rate of of training time. The Scan botnet attack yielded a 99.89% accuracy rate,
14
Y.K. Saheed et al. Applied Soft Computing 155 (2024) 111434
a 99.85% DR, a 99.50% precision rate, a sensitivity of 98.32%, a FAR of detection in IoT, trained on the BoT-IoT, UNSW-NB15, and N-BaIoT
1.60, and required a training time of 2.60. datasets. The evaluation involved various performance metrics such as
accuracy, DR, precision, FAR, and training time to show that our deep
3.2. Comparison with the existing shallow centralized models model outperformed shallow ones. Furthermore, we found that
distributed attack detection is more effective in detecting cyberattacks
Table 12 provides a qualitative comparison between IoT-Defender than centralized algorithms due to parameter sharing, which can pre
and current best practices in IoT abnormality detection. The authors vent the formation of local minima during training. While our approach
[12] gave an outstanding FAR performance at the expense of accuracy, yielded encouraging results, a more in-depth examination revealed
DR, and FAR. The authors [13] considered the accuracy and DR. How crucial information for effective selection and efficient detection of IoT
ever, the FAR was neglected. The authors in [16] considered the accu network attacks using fine-tuned GA-LSTM. This information is pro
racy but silenced the DR and FAR. Researchers in [19] gave low vided in the following sections.
accuracy and low DR when compared to our proposed IoT-Defender. The
existing models are not implemented in the IoT-Raspberry environment. 1. The proposed model showcases that the proposed MGA feature se
Additionally, the existing models are unsuccessful in practical uses lection method is optimal in terms of selecting the most efficacious
due to the dataset used to train and evaluate the underlying models features from BoT-IoT, UNSW-NB15 and N-BaIoT datasets.
being non-representative. On the other hand, several existing techniques 2. The findings of the study indicate that the proposed IoT-Defender
as shown in Fig. 12 addressed these issues but provide low accuracy, DR, model exhibits superior efficacy in comparison to the shallow
and FAR preventing them from being implemented in commercial sys centralized machine learning models, as evidenced by the results
tems as compared to our proposed IoT-Defender that can be generalized obtained relative to existing techniques. The GA-LSTM method,
to commercial software development projects. when fine-tuned demonstrates notable efficiency in detecting
anomalies and intrusions within IoT networks.
3. The study’s findings demonstrate that the chosen metrics possess
3.3. Discussion and analysis usefulness in predicting cyber-attacks within the context of IoT.
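The tables and text above report per-class accuracy, DR, precision, sensitivity and FAR. As an added example (not the paper's code), the block below computes these one-vs-rest from a constructed confusion matrix over a few of the BoT-IoT classes named in the text; it assumes the textbook definitions, under which DR and sensitivity coincide as TP/(TP+FN) and FAR is FP/(FP+TN), and flags undefined ratios as NaN rather than reporting a misleading 0% or 100%.

```python
"""Per-class IDS metrics (accuracy, DR, precision, FAR) from a multi-class
confusion matrix, computed one-vs-rest. Example code added for this page;
the confusion matrix is constructed for illustration, not the paper's data."""
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed confusion matrix: rows are true classes, columns are predicted
# classes, using a few BoT-IoT attack categories named in the text.
CLASSES = ["Benign", "DoS TCP", "Data Theft", "Keylogging"]
CONFUSION = [
    [960, 20, 10, 10],   # true Benign
    [5, 990, 3, 2],      # true DoS TCP
    [20, 10, 950, 20],   # true Data Theft
    [15, 5, 30, 950],    # true Keylogging
]


@dataclass(frozen=True)
class ClassMetrics:
    """Metrics for one class against the rest, as fractions in [0, 1]."""
    accuracy: float        # (TP + TN) / all samples
    detection_rate: float  # TP / (TP + FN); equals sensitivity/recall
    precision: float       # TP / (TP + FP)
    far: float             # FP / (FP + TN), the false alarm rate


def _safe_div(num: float, den: float) -> float:
    # A class that is never predicted (or never present) has an undefined
    # ratio; report NaN rather than silently reporting 0 or 100 percent.
    return num / den if den else math.nan


def one_vs_rest_counts(matrix, idx):
    """Return (tp, fp, fn, tn) for class `idx`, treating all others as 'rest'."""
    total = sum(sum(row) for row in matrix)
    tp = matrix[idx][idx]
    fn = sum(matrix[idx]) - tp
    fp = sum(row[idx] for row in matrix) - tp
    tn = total - tp - fn - fp
    return tp, fp, fn, tn


def class_metrics(matrix, classes):
    """Compute one-vs-rest metrics for every class in `classes`."""
    if len(matrix) != len(classes) or any(len(r) != len(classes) for r in matrix):
        raise ValueError("confusion matrix must be square and match class list")
    result = {}
    for idx, name in enumerate(classes):
        tp, fp, fn, tn = one_vs_rest_counts(matrix, idx)
        result[name] = ClassMetrics(
            accuracy=_safe_div(tp + tn, tp + tn + fp + fn),
            detection_rate=_safe_div(tp, tp + fn),
            precision=_safe_div(tp, tp + fp),
            far=_safe_div(fp, fp + tn),
        )
    return result


def overall_accuracy(matrix):
    """Plain multi-class accuracy: correctly classified samples over all."""
    total = sum(sum(row) for row in matrix)
    return _safe_div(sum(matrix[i][i] for i in range(len(matrix))), total)


def best_class(metrics, key="accuracy"):
    """Name of the class with the highest value of `key` (NaN never wins)."""
    scored = [(getattr(m, key), n) for n, m in metrics.items()
              if not math.isnan(getattr(m, key))]
    return max(scored)[1] if scored else None


def format_table(metrics):
    """Render metrics as percentages, in the column order of Tables 9-11."""
    lines = [f"{'Class':<12}{'Accuracy':>10}{'DR':>8}{'Precision':>11}{'FAR':>7}"]
    for name, m in metrics.items():
        lines.append(f"{name:<12}{m.accuracy:>9.2%} {m.detection_rate:>7.2%}"
                     f"{m.precision:>11.2%}{m.far:>7.2%}")
    return "\n".join(lines)


if __name__ == "__main__":
    per_class = class_metrics(CONFUSION, CLASSES)
    print(format_table(per_class))
    print(f"overall accuracy: {overall_accuracy(CONFUSION):.2%}")
    print(f"most accurate class: {best_class(per_class)}")
```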
Table 11. Performance evaluation of the GA-LSTM model on the N-BaIoT. Columns: Types of Attack, Edge Devices, Accuracy, DR, Precision, Sensitivity, False Alarm, Training time.

Table 12. IoT-Defender comparison with the existing models. Columns: Authors, Methods, Accuracy, DR, FAR, Attack Surfaced Secured.

3.4. Implications for the field of IoT security

3.4.1. Advancing intrusion detection paradigms
The study contributes to the evolution of intrusion detection paradigms in the context of IoT security. IoT-Defender introduces a holistic and adaptive framework that can effectively safeguard diverse and dynamic IoT ecosystems.

3.4.2. Practical deployment in resource-constrained environments
The efficient integration with edge computing environments positions IoT-Defender as a practical solution for resource-constrained IoT devices. This has significant implications for the scalability and feasibility of intrusion detection measures in IoT deployments.

3.5. Novel insights gained

3.5.1. Synergistic use of MGA and LSTM networks
The study sheds light on the synergistic benefits of integrating an MGA with fine-tuned LSTM networks. This novel approach leverages the strengths of each component, resulting in a more adaptive and efficient intrusion detection system.

3.5.2. Dynamic fine-tuning for evolving threat landscapes
The iterative fine-tuning process, guided by the GA, introduces a dynamic element to the intrusion detection system. This adaptability is crucial for responding to the constantly evolving threat landscape in IoT security. IoT-Defender emerges as a pioneering intrusion detection framework, offering a nuanced and adaptive solution to the complex challenges of securing IoT networks. The study's findings provide valuable insights for researchers, practitioners, and stakeholders involved in the ongoing evolution of IoT security measures.

3.6. Device capabilities, network architecture, and attack scenario compatibility across IoT devices

When developing a machine learning model for detecting unauthorized access in IoT environments, it is crucial to take into account the capabilities of the devices, the structure of the networks, and the potential attack scenarios that the model will address. This is particularly significant due to the varying levels of processing capacity among different IoT devices. An algorithm that performs efficiently on high-performance devices may have difficulties or be unfeasible to deploy on IoT devices with limited resources. Consider a situation in which our suggested IoT-Defender model is implemented to detect anomalies in real time within a smart home setting. This environment consists of a variety of IoT devices, ranging from sensors with limited resources to more advanced edge devices. Our GA+LSTM model's lightweight nature allows for effortless integration across several devices in this scenario. Jobs that require a lot of resources are transferred to devices with greater computing capabilities, whereas jobs that require fewer resources are handled by devices with lower processing capability. The IoT-Defender was experimented on the new N-BaIoT dataset, which captures a more comprehensive spectrum of botnet and flooding cyber-attack scenarios prevalent in real-world IoT environments. This shows the efficacy of IoT-Defender across diverse threat landscapes. IoT-Defender was assessed across varied network topologies (application layer and network layer) and traffic patterns, demonstrating its adaptability to different IoT network configurations. The architecture of IoT-Defender is designed to adapt its device capabilities, network architecture requirements, and attack scenarios based on the resources available. This ensures that it operates effectively and efficiently in the diverse IoT landscape.
3.7. Transferability of the research to real-world IoT applications

The aim of our research is to prioritize the practical usability of IoT ecosystems in real-world scenarios. The following major features emphasize the applicability of our study to practical IoT applications:

3.7.1. Scalability
We have successfully tackled the scalability issues commonly faced in IoT environments, guaranteeing that our research is capable of accommodating increasing numbers of devices and data quantities without compromising its effectiveness.

3.7.2. Memory requirements
The proposed IoT-Defender is designed with a focus on minimizing computational and memory requirements, ensuring its practical feasibility and applicability in diverse resource-constrained IoT deployment scenarios.

3.7.3. Processing power
IoT-Defender exhibits exceptional processing power, ensuring swift and accurate model inference. Its architecture is finely tuned to meet the computational demands of diverse IoT environments. Leveraging innovative GA algorithms and optimized LSTM hyperparameters, IoT-Defender efficiently utilizes processing resources, making it well-suited for deployment on resource-constrained IoT devices.

3.7.4. Storage space
One of IoT-Defender's notable strengths lies in its efficient use of storage space. The framework minimizes its model size without compromising on performance. Through meticulous design considerations and model compression techniques, IoT-Defender achieves a balance between compact storage requirements and the need for a comprehensive intrusion detection system. This feature proves invaluable for IoT devices with limited storage capacity.

3.7.5. Lightweight model architecture
IoT-Defender embraces a lightweight model architecture tailored for edge devices. The framework is conscientiously designed to minimize computational complexity without compromising detection accuracy. This lightweight architecture ensures that the intrusion detection model operates seamlessly on resource-constrained IoT devices, mitigating any undue burden on their processing capabilities.

3.7.6. Continuous learning mechanism
IoT-Defender integrates sophisticated continuous learning mechanisms that enable the model to evolve alongside emerging cyber threats. Through regular updates and retraining cycles, the framework acquires insights into new attack patterns, ensuring its capacity to discern and counteract previously unseen threats. Additionally, IoT-Defender was trained on the new N-BaIoT dataset, which consists of several zero-day attacks on the IoT network.

3.7.7. Adaptive model architecture
The architectural design of IoT-Defender is inherently adaptive. It leverages flexible and scalable model architectures that accommodate the integration of new knowledge seamlessly. This adaptability ensures that the framework remains at the forefront of cyber-threat intelligence, continuously evolving to counteract the ever-changing tactics employed by malicious entities.

3.7.8. Regular model updates
To bolster its capability to adapt, IoT-Defender commits to regular model updates. These updates incorporate the latest threat intelligence, such as zero-day botnet attacks in N-BaIoT, enabling the IoT-Defender framework to stay ahead of the curve in recognizing and mitigating emerging attack patterns. This commitment to continuous improvement ensures that IoT-Defender maintains its efficacy in the face of evolving cybersecurity landscapes. IoT-Defender's forward-looking design, dynamic learning mechanisms, continuous model evaluation, adaptive feature extraction, and real-time threat intelligence integration collectively safeguard against the dependence on periodic retraining. The framework stands as a vigilant guardian, consistently adapting to new attack patterns and ensuring enduring performance over time.

3.7.9. Adversarial detection framework
IoT-Defender incorporates a state-of-the-art adversarial detection framework that scrutinizes input data for potential manipulations. This framework employs advanced anomaly detection techniques to identify deviations from expected patterns, making it inherently resilient to adversarial attempts aimed at deceiving the system.

3.7.10. Ensemble learning strategies
IoT-Defender leverages ensemble learning strategies (MGA+LSTM), combining the strength of multiple models to enhance its resilience to adversarial attacks. By diversifying its approach, the framework minimizes vulnerability to manipulative inputs, as adversarial attacks would need to subvert a variety of detection mechanisms.

3.8. Comprehensive representation of IoT-Defender model generalization through diverse training data

3.8.1. BoT-IoT
BoT-IoT, a cornerstone of our training dataset, provides an extensive array of real-world IoT threat scenarios. This dataset encapsulates a diverse set of attack vectors, ensuring that the model is exposed to a broad spectrum of malicious activities prevalent in IoT ecosystems. Its inclusion guarantees that the IoT-Defender model is well-versed in recognizing and mitigating various threat types.

3.8.2. UNSW-NB15
UNSW-NB15, with its focus on network-based attacks, enriches the training data by addressing the intricacies of IoT communication. The dataset captures nuances in network behaviors, allowing the IoT-Defender model to discern and adapt to diverse communication patterns within IoT environments. This inclusion is pivotal for the IoT-Defender model to generalize well in scenarios characterized by varied network architectures.

3.8.3. N-BaIoT
The N-BaIoT dataset contributes invaluable insights into IoT device behaviors, shedding light on normal and anomalous activities. By incorporating behavioral patterns into the training data, the IoT-Defender model gains a deeper understanding of device interactions, enhancing its capacity to generalize across diverse IoT scenarios where behavioral intricacies play a pivotal role.

3.8.4. Ensuring diversity through ensemble learning
To further fortify generalization capabilities, our approach integrates ensemble learning strategies (MGA+LSTM). By leveraging the collective knowledge from diverse datasets [62], the IoT-Defender model transcends individual limitations, ensuring adaptability to unforeseen scenarios and bolstering its ability to generalize effectively in real-world IoT deployments.

3.9. Unmatched real-time responsiveness in dynamic and large-scale IoT landscapes

3.9.1. Streamlined model architecture
At the core of IoT-Defender's real-time capabilities lies a streamlined model architecture optimized for swift decision-making. The framework strategically balances model complexity with computational efficiency, ensuring that it can process incoming data in real time without compromising on the depth of intrusion detection analysis.

3.9.2. Parallel processing paradigm
IoT-Defender leverages a parallel processing paradigm, enabling it to scale seamlessly across distributed computing resources. This architecture is pivotal in large-scale IoT deployments, where the framework can dynamically allocate resources based on demand, thereby meeting real-time requirements even in scenarios with a multitude of concurrently monitored devices.

4.2. Safeguarding Bluetooth wireless communications and ZigBee

The classification approach employed in our study primarily relies on attributes derived from packet timing, inter-arrival delays, and packet counters using MGA. If analogous data is obtainable through cellular, ZigBee, or other analogous protocols, IoT-Defender has the potential to be expanded to function in conjunction with these modes of communication. Subsequent studies will examine the feasibility of this prospect.
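Section 4.2 states that the classifier relies on attributes derived from packet timing, inter-arrival delays and packet counters. The block below, added here and not taken from the paper, shows how such flow-level features can be derived from a constructed packet trace, including the single-packet flow edge case; the feature set and field names are illustrative assumptions, not the paper's MGA-selected features.

```python
"""Flow-level features from packet timing, inter-arrival delays and packet
counters, the attribute family the classifier relies on (Section 4.2).
Example code added for this page; the packet trace is constructed, and the
feature set is an illustration, not the paper's MGA-selected features."""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "TCP" or "UDP"
    length: int    # bytes on the wire


def canonical_key(src, sport, dst, dport, proto):
    """Direction-independent flow key so both halves of a conversation merge."""
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b), proto)


@dataclass
class FlowFeatures:
    packet_count: int = 0
    byte_count: int = 0
    fwd_packets: int = 0      # direction of the first packet seen
    bwd_packets: int = 0
    duration: float = 0.0     # last timestamp minus first
    iat_mean: float = 0.0     # inter-arrival time statistics, seconds
    iat_std: float = 0.0
    iat_min: float = 0.0
    iat_max: float = 0.0
    packets_per_second: float = 0.0

    def as_vector(self):
        """Fixed-order numeric vector suitable as model input."""
        return [self.packet_count, self.byte_count, self.fwd_packets,
                self.bwd_packets, self.duration, self.iat_mean, self.iat_std,
                self.iat_min, self.iat_max, self.packets_per_second]


def extract_flows(packets):
    """Group packets into bidirectional flows and derive timing features."""
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        groups[canonical_key(p.src, p.sport, p.dst, p.dport, p.proto)].append(p)

    flows = {}
    for key, pkts in groups.items():
        f = FlowFeatures(packet_count=len(pkts),
                         byte_count=sum(p.length for p in pkts))
        fwd_src = (pkts[0].src, pkts[0].sport)
        for p in pkts:
            if (p.src, p.sport) == fwd_src:
                f.fwd_packets += 1
            else:
                f.bwd_packets += 1
        times = [p.ts for p in pkts]
        f.duration = times[-1] - times[0]
        iats = [b - a for a, b in zip(times, times[1:])]
        if iats:  # a single-packet flow has no inter-arrival delay at all
            f.iat_mean = statistics.fmean(iats)
            f.iat_std = statistics.pstdev(iats) if len(iats) > 1 else 0.0
            f.iat_min, f.iat_max = min(iats), max(iats)
        # Zero-duration flows (one packet) get a rate of 0 rather than inf.
        f.packets_per_second = (f.packet_count / f.duration
                                if f.duration > 0 else 0.0)
        flows[key] = f
    return flows


# Constructed trace: a short UDP request/response exchange on port 53 and a
# lone TCP packet towards port 80 (the single-packet edge case).
PACKETS = [
    Packet(0.00, "192.168.1.10", 5000, "10.0.0.1", 53, "UDP", 60),
    Packet(0.10, "192.168.1.10", 5000, "10.0.0.1", 53, "UDP", 60),
    Packet(0.15, "10.0.0.1", 53, "192.168.1.10", 5000, "UDP", 120),
    Packet(0.30, "192.168.1.10", 5000, "10.0.0.1", 53, "UDP", 80),
    Packet(1.00, "192.168.1.20", 40000, "10.0.0.2", 80, "TCP", 40),
]

if __name__ == "__main__":
    for key, feats in extract_flows(PACKETS).items():
        print(key, feats.as_vector())
```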
IoT-Defender is capable of operating without necessitating alterations or [8] B.S. Khater, et al., Classifier performance evaluation for lightweight IDS using fog
computing in IoT security, Electronics 10 (14) (2021) 1633, https://doi.org/
intricate hardware components to pre-existing IoT devices. In summary,
10.3390/electronics10141633.
the research presents a comprehensive intrusion detection framework, [9] T.G. Rodrigues, K. Suto, H. Nishiyama, N. Kato, Hybrid method for minimizing
IoT-Defender, tailored for the unique challenges of IoT security. The key service delay in edge cloud computing through VM Migration and transmission
findings and contributions are that IoT-Defender systematically ad power control, IEEE Trans. Comput. 66 (5) (2017) 810–819, https://doi.org/
10.1109/TC.2016.2620469.
dresses the challenges posed by the dynamic and diverse nature of IoT [10] J. Liu, H. Guo, Z.M. Fadlullah, N. Kato, Energy consumption minimization for FiWi
environments. The framework’s adaptability is demonstrated in its ca enhanced LTE-A HetNets with UE connection Constraint, IEEE Commun. Mag. 54
pacity to navigate diverse device types, evolving network topologies, (11) (2016) 56–62, https://doi.org/10.1109/MCOM.2016.1600169CM.
[11] J. Almutairi, M. Aldossary, A novel approach for IoT tasks offloading in edge-cloud
and resource constraints. Additionally, IoT-Defender is tailored for environments, J. Cloud Comput. 10 (1) (2021), https://doi.org/10.1186/s13677-
efficient deployment in edge computing environments, acknowledging 021-00243-9.
the resource constraints of IoT devices. This feature positions the [12] A.L. Buczak, E. Guven, A survey of data mining and machine learning methods for
cyber security intrusion detection, IEEE Commun. Surv. Tutor. 18 (2) (2016)
framework as a practical solution for real-time intrusion detection 1153–1176, https://doi.org/10.1109/COMST.2015.2494502.
directly at the network’s edge. The researchers intend to conduct a [13] M.A. Mabayoje, J.F. Ajao, F.E. Usman-Hamza, Y.K. Saheed, K.A. Adeniran,
comparative analysis between distributed deep learning intrusion Enhanced data storage security in cloud based on blowfish algorithm and text
steganography, J. Niger. Comput. Soc. (2018).
detection systems and traditional machine learning methods, utilizing [14] Y.K. Saheed, Data analytics for intrusion detection system based on recurrent
diverse datasets and scrutinizing network payload data to identify neural network and supervised machine learning methods. in: Recurrent Neural
intrusion patterns in forthcoming research. Networks, CRC Press Taylor & Francis Group, 2023, pp. 167–179.
[15] M. Eskandari, Z.H. Janjua, M. Vecchio, F. Antonelli, Passban IDS: an intelligent
anomaly-based intrusion detection system for IoT edge devices, IEEE Internet
CRediT authorship contribution statement Things J. 7 (8) (2020) 6882–6897, https://doi.org/10.1109/JIOT.2020.2970501.
[16] F. Lin, Y. Zhou, X. An, I. You, K.K.R. Choo, Fair resource allocation in an intrusion-
detection system for edge computing: ensuring the security of Internet of Things
Taha Ait Tchakoucht: Data curation, Funding acquisition, Project devices, IEEE Consum. Electron. Mag. 7 (6) (2018) 45–50, https://doi.org/
administration, Resources, Writing – original draft. Oluwadamilare 10.1109/MCE.2018.2851723.
Harazeem Abdulganiyu: Conceptualization, Data curation, Funding [17] A. Abeshu, N. Chilamkurti, Deep learning: the frontier for distributed attack
detection in fog-to-things computing, IEEE Commun. Mag. 56 (2) (2018) 169–175,
acquisition, Project administration, Software, Visualization, Writing – https://doi.org/10.1109/MCOM.2018.1700332.
original draft. Yakub Kayode Saheed: Conceptualization, Data cura [18] M. Nobakht, V. Sivaraman, and R. Boreli, A host-based intrusion detection and
tion, Formal analysis, Investigation, Methodology, Resources, Software, mitigation framework for smart home IoT using OpenFlow, in: Proceedings of the -
2016 Eleventh Int. Conf. Availability, Reliab. Secur. ARES 2016, 147–156, 2016,
Supervision, Validation, Writing – original draft, Writing – review & doi: 10.1109/ARES.2016.64.
editing. [19] H. Bostani, M. Sheikhan, Hybrid of anomaly-based and specification-based IDS for
Internet of Things using unsupervised OPF based on MapReduce approach,
Comput. Commun. 98 (2017) 52–71, https://doi.org/10.1016/j.
comcom.2016.12.001.
Declaration of Competing Interest [20] R. Sandhu, A.S. Sohal, S.K. Sood, Identification of malicious edge devices in fog
computing environments, Inf. Secur. J. 26 (5) (2017) 213–228, https://doi.org/
10.1080/19393555.2017.1334843.
The authors declare that they have no known competing financial [21] M. Yousefi-Azar, V. Varadharajan, L. Hamey, and U. Tupakula, Autoencoder-based
interests or personal relationships that could have appeared to influence feature learning for cyber security applications, in: Proceedings of the Int. Jt. Conf.
the work reported in this paper. Neural Networks, 2017-May, 3854–3861, 2017, doi: 10.1109/
IJCNN.2017.7966342.
[22] Q. Li, J. Hou, S. Meng, H. Long, GLIDE: a game theory and data-driven mimicking
Data Availability linkage intrusion detection for edge computing networks, Complexity 2020 (2020),
https://doi.org/10.1155/2020/7136160.
The authors do not have permission to share data. [23] N. Pandeeswari, G. Kumar, Anomaly detection system in cloud environment using
fuzzy clustering based ANN, Mob. Netw. Appl. 21 (3) (2016) 494–505, https://doi.
org/10.1007/s11036-015-0644-x.
Acknowledgements [24] A.A. Diro, N. Chilamkurti, Distributed attack detection scheme using deep learning
approach for Internet of Things, Futur. Gener. Comput. Syst. (2017), https://doi.
org/10.1016/j.future.2017.08.043.
We appreciate the reviewers for their great effort, time, and valuable [25] Y. Wang, W. Meng, W. Li, Z. Liu, Y. Liu, H. Xue, Adaptive machine learning-based
feedback. alarm reduction via edge computing for distributed intrusion detection systems,
Concurr. Comput. 31 (19) (2019) 1–12, https://doi.org/10.1002/cpe.5101.
[26] I. Hafeez, M. Antikainen, A.Y. Ding, S. Tarkoma, IoT-KEEPER: detecting malicious
References iot network activity using online traffic analysis at the edge, IEEE Trans. Netw.
Serv. Manag. 17 (1) (2020) 45–59, https://doi.org/10.1109/TNSM.2020.2966951.
[27] X. An, J. Su, X. Lü, F. Lin, Hypergraph clustering model-based association analysis
[1] G. Bovenzi, G. Aceto, D. Ciuonzo, A. Montieri, V. Persico, A. Pescapé, Network
of DDOS attacks in fog computing intrusion detection system, Eurasip J. Wirel.
anomaly detection methods in IoT environments via deep learning: a fair
Commun. Netw. 2018 (1) (2018), https://doi.org/10.1186/s13638-018-1267-2.
comparison of performance and robustness, Comput. Secur. 128 (2023) 103167,
[28] J. Schneible and A. Lu, Anomaly detection on the edge, Proc. - IEEE Mil. Commun.
https://doi.org/10.1016/j.cose.2023.103167.
Conf. MILCOM, vol. 2017-Octob, pp. 678–682, 2017, doi: 10.1109/MILCOM.201
Y.K. Saheed et al. Applied Soft Computing 155 (2024) 111434