intrusion detection system to advance internet of things

Research ArticleIntrusion Detection System to Advance Internet of ThingsInfrastructure-Based Deep Learning Algorithms

Hasan Alkahtani1 and Theyazn H H Aldhyani 2

1College of Computer Science and Information Technology King Faisal University P O Box 400 Al-Ahsa Saudi Arabia2Community College of Abqaiq King Faisal University P O Box 400 Al-Ahsa Saudi Arabia

Correspondence should be addressed to eyazn H H Aldhyani taldhyanikfuedusa

Received 28 February 2021 Revised 23 March 2021 Accepted 17 April 2021 Published 7 July 2021

Academic Editor M Irfan Uddin

Copyright copy 2021 Hasan Alkahtani and eyazn H H Aldhyani is is an open access article distributed under the CreativeCommons Attribution License which permits unrestricted use distribution and reproduction in any medium provided theoriginal work is properly cited

Smart grids advanced information technology have become the favored intrusion targets due to the Internet of ings (IoT)using sensor devices to collect data from a smart grid environment ese data are sent to the cloud which is a huge network ofsuper servers that provides different services to different smart infrastructures such as smart homes and smart buildings esecan provide a large space for attackers to launch destructive cyberattackse novelty of this proposed research is the developmentof a robust framework system for detecting intrusions based on the IoTenvironment An IoTID20 dataset attack was employed todevelop the proposed system it is a newly generated dataset from the IoT infrastructure In this framework three advanced deeplearning algorithms were applied to classify the intrusion a convolution neural network (CNN) a long short-term memory(LSTM) and a hybrid convolution neural network with the long short-term memory (CNN-LSTM) model e complexity of thenetwork dataset was dimensionality reduced and to improve the proposed system the particle swarm optimizationmethod (PSO)was used to select relevant features from the network dataset e obtained features were processed using deep learning al-gorithms e experimental results showed that the proposed systems achieved accuracy as follows CNN 9660LSTM 9982 and CNN-LSTM 9880e proposed framework attained the desired performance on a new variable datasetand the system will be implemented in our university IoT environment e results of comparative predictions between theproposed framework and existing systems showed that the proposed system more efficiently and effectively enhanced the securityof the IoT environment from attacks e experimental results confirmed that the proposed framework based on deep learningalgorithms for an intrusion detection system can effectively detect real-world attacks and is capable of enhancing the security ofthe IoT environment

1 Introduction

Currently there are more than 25 billion devices connectedto the Internet worldwide three times as many humanbeings [1ndash3] e Internet of ings (IoT) is based oninterconnected smart devices and different services are usedto integrate them into a single networkis allows the smartdevices to gather sensitive information and carry out im-portant functions and these devices connect and commu-nicate with each other at high speeds and make decisionsaccording to indicator information e IoT environmentuses cloud services as a backend for processing informationand maintaining remote control Client users use mobile

applications or web services to access data and control thedevicese IoT infrastructure uses large numbers of sensorsto extract significant information and this information isanalyzed by artificial intelligence algorithms [4 5]

Intrusion detection systems (IDSs) are the technicalregulatory and administrative means used to prevent un-authorized use abuse and recovery of electronic informa-tion and communication systems and the information theycontain aimed at ensuring the availability and continuity ofthe work of the information systems and enhancing theprotection confidentiality and privacy of personal data bytaking all measures Cybersecurity is the practice ofdefending computers servers mobile devices electronic

HindawiComplexityVolume 2021 Article ID 5579851 18 pageshttpsdoiorg10115520215579851

systems networks and data frommalicious attacks It is alsoknown as information technology security [6ndash9] eseintrusions incorporate field of research control systems bycontrolling an alteration of the document system height-ening benefits making unapproved logins accessing sen-sitive records and using malware (eg infections Trojanhorses and worms) which can change the condition of thenetwork Network intrusions occur due to approachingpackets in the network system to perform behaviors such asdenial of service (DoS) attacks or even attempts to be splitinto the system DoS attacks are attempts to make PC assetsunapproachable by their planned clients for example landattacks ping of death (POD) and flood attacks Indicationsof intrusions incorporating abnormal outcomes while exe-cuting different client charges are exemplified by moderatesystem execution and sudden system crashes and changes inparts of information structures are bizarrely moderatesystem implementations (eg opening records or accessingsites)

Attackers exploit unknown vulnerabilities and bypassknown signatures e IoT environment is based on a smartgrid that uses sensor devices and these devices connect toeach other to pass information Figure 1 displays the worldpopulation and the number of sensor devices required forprotection from attackers With the exponential growth ofIoT use the IoT has become a smart object of attackersachieving their targetserefore using artificial intelligencebased on deep learning algorithms can detect unknownvulnerabilities using sensors devices [10]

Artificial intelligence is a kind of information-drivenapproach in which the first step is to understand the dataVarious types of data represent specific attack behaviorsincluding host behaviors and network activities Server logsreflect host behaviors and network traffic represents net-work behaviors ere are several types of attacks with eachhaving a particular pattern erefore it is important toselect suitable data sources to detect various attacks as perthe features of the threat One of the key features of a DoSattack for example is to send several packets in a very shorttime thus flow data are ideal for DoS attack detection Ahidden channel includes a data-leaking operation betweentwo different IP addresses and is best suited for session datadetection erefore the advance of deep learning algo-rithms can help detect these network behaviors [11 12]

Many studies have proposed the development of net-work security systems and artificial intelligence plays aprimary role in the area of cybersecurity based on IoT fordesigning an intelligent system for security in the IoT en-vironment e proposed research aimed to develop anintelligent model that could help secure the IoT structureand devices from threats Currently most companies andorganizations have undergone digital transformationsthrough IoT devices However this has created new com-plexities and vulnerabilities that once cybercriminals learnabout them can be quickly exploited Jokar et al [13] de-veloped classification algorithms to detect abnormal elec-tricity consumption Alseiari et al [14] used soft computingbased on clustering technology to monitor network traffic inadvanced metering infrastructure (AMI) Vijayanand et al

[15] applied a support vector machine (SVM) based on amulticlass to detect the IDS where decision tree algorithmsgave very powerful results compared with an SVM proposedby Jindal et al [16] Boumkheld et al [17] used a traditionalmachine learning algorithm over a naive Bayesian networkto test the ability of this algorithm to detect IDS Zigbee-based Q-learning was proposed by Jokar et al [18] to protectnetworks from intrusion who found it the best strategy formonitoring system attacks Hasan et al [19] proposed ahybrid convolution neural network (CNN) with long short-term memory (LSTM) to classify the characteristics ofelectricity information and the use of a hierarchy to selectsignificant features from intrusion detection networks wasproposed by Wang et al [20] CNN and LSTM algorithmshave been applied to detect attacks [21] Ullah et al [22]introduced a hybrid deep neural network to detect intrusionby combining a CNN and a gated recursive unit A particleswarm optimization (PSO) algorithm has been used to selectsignificant features from data and a developing system canautomatically perform the processes of selecting features andclassifications In Liu et alrsquos [23] research a CNN algorithmwas applied to identify attacks and it was noted that deeplearning based on the CNN improved the system Xiao et al[24] adopted an autoencoder to reduce the dimension of theintrusion detection data to decrease the interference of re-dundant features these features were processed using aCNN to classify the attacks Yang et al [25] used a CNN todetect intrusion for improved extraction of features acrosslayers and feature fusion has been used to obtain com-prehensive features Yang et al [26] developed a system tosecure the IoT in the healthcare environment it controlledtraffic and made the healthcare environment smarterFurthermore security methods have been developed for IoTsystems as described in [27ndash29] Other algorithms appliedas solutions for the security of DNP3 traffic include statisticalapproaches and machine learning [30 31] Keliris et al [32]used the support vector machine (SVM) algorithm forclassification intrusion and it was noted that the SVMperformed well It has been suggested that a detection systemusing machine learning techniques in power systems wouldbe feasible for detecting malicious states [33] Arrigntonet al introduced a machine learning algorithm based onanomaly based intrusion detection for the protection of IoTdevices Liu et al [34] developed an IDS using suppressedfuzzy clustering and principal component analysis (PCA)algorithms Kasinathan et al [35] developed a system sig-nature-based IDS for low-power wireless personal areanetwork (6LoWPAN)-based IoT networks this systemaimed to detect DoS attacks with the highest accuracyDanda et al [36] designed a host-based IDS for the securityof IoT network devices using rule-based detection

Cho et al [37] proposed machine leaning algorithms todetect the botnet attacks at hosts and network levels on theIoT environment e feature selection method was pre-sented to select the features of malicious attack behaviorsDiro and Chilamkurti [38] introduced the deep learning toclassify the intrusion from host level in IoT Cruz et al [39]proposed the intelligent mechanism model to detect theintrusion based on the decision making method moreover

2 Complexity

and developed recurrent neural network (RNN) to improvethe previous model [40]

Currently artificial intelligence based on machinelearning and deep learning algorithms for data-processingcapabilities provide the most effective value to the area ofcyber defense by uncovering patterns shapes and outliersthat indicate potential incidents even if these solutions donot align with known attack patterns [41] An IDS is acommonly used security tool for protecting and mitigatingthe IoTand its infrastructure from unseen and unpredictableintrusionsere are few studies on IDSs in the IoT based onartificial intelligence therefore developing a framework andachieving optimal results are the biggest challenges due tothe network data having imbalanced data Our target was todevelop a secure movable framework for securing large IoTnetworks Here we present advanced artificial intelligencesuch as deep learning models namely CNN LSTM andcombined CNN-LSTM algorithms We have significantlyexpanded the framework to integrate a deep learning al-gorithm to familiarize it with changing threats to the IoTnetwork for anomaly detection e main contributions ofthis study are as follows

(1) Use of advanced artificial intelligence algorithmssuch as CNN LSTM and a hybrid CNN-LSTM todevelop a system to detect intrusions into the IoTenvironment

(2) e proposed system was developed using IoTnetwork data that are not commonly used thisdataset was generated in 2020 and was the biggestchallenge for developing a robust framework

(3) e proposed system was compared with a researcharticle that developed these data It was noted thatthe results of our system were outperformed

2 Materials and Methods

Figure 2 displays the framework of the proposed system fordetecting IoT environment intrusions e proposed system

is composed by some phases to evaluate for obtaining thebest accuracy e components of the proposed system aredescribed in the following sections

21 IoTID20 Dataset Attack For this experiment anIoTID20 dataset attack was conducted to test the proposedframework e IoTID20 dataset was collected from IoTdevices and interconnecting structures the IoTdevices wereconnected to or installed in a smart home environment suchas SKTNGU and EZVIZ Wi-Fi cameras to create theIoTID20 dataset Figure 3 shows the environment of theIoTID20 dataset the laptops tablets and smartphone de-vices were connected byWi-Fi to the smart home routereSKT NGU and EZVIZ Wi-Fi cameras were IoT victimdevices and all other devices in the testbed were theattacking devices

e newly developed IoTID20 dataset was adopted fromPcap files available online e dataset contained 80 featuresand two main label attacks and normal e IoTID20 datasetattack was generated in 2020 Figure 2 shows the IoT en-vironment of the generated IoTID20 dataset Table 1 displaysall the types of IoTID20 dataset attacks and the numbers offeatures for each class label are presented in Figure 4 isdataset was obtained from Kaggle httpssitesgooglecomviewiot-network-intrusion-datasethome

22 Particle SwarmOptimizationMethod Preprocessing is avery important stage for improving classification algorithmsIoT data have various types of formats and dimensionalitytherefore dimensionality reduction was necessary to selectsignificant features from the data e PSOmethod has beensuggested for handling important features from networkdatasets for detecting malicious attacks PSO is a population-based computation intelligence method suggested byEberhat and Kennedy [42] and it is an operative andrespected global search system [43] e PSO algorithm iscalled a reasonable algorithm because of its simple feature

50

40

30

20

10

02003 2008

6307 6721 6894 7347 783

2010 2015 2020

Iflection point

Tables laptops phones

Rapid adoption rate of digital infrastructure5X faster than electricity and telephony

~6 things online per personsensors smart objects devices clustered systems

World populationIoT

Figure 1 Projecting the ldquothingsrdquo behind the internet of things (IoT)

Complexity 3

coding global search computational reasonability fewerparameters and less demanding execution to address andselect important feature problems [44] PSO is used to findimportant features Figure 5 shows the particles swarmoptimization algorithm steps for selecting significant fea-tures from an intrusion network dataset PSO uses theprincipal space method for searching space using a subset ofprimary components that have explored and selected fea-tures For the PSO method particles are used to represent

solutions from the population in the search space particleswhich is called a swarm To generate the particles by distrib-uting 1 and 0 randomly in the particle if the principalcomponent is 1 the particle is chosen for another side and ifthe particle component is 0 then it is ignored Tomake the PSOmore powerful it works randomly and travels in the searchspace to search for an obtained optimal subset of features byupdating their position and velocity e place of particle i andits rapidity are shown in the following equations

IOTID20datasetattack

Preprocessing

PSO

21 Features

Deep learning

CNN model LSTM model

Evaluationperformance

of IDS

CNN- LSTMmodels

Figure 2 Generic framework of the proposed system

AI speaker

Security camera

Access point

Smart phone

Wireshark Laptop(wireshark and

attacking toolscript)

Figure 3 IoTID20 dataset testbed environment

Table 1 IoTID20 dataset attacks

Dos Mirai Mitm ScanSyn flooding Host brute force HTTP flooding UDP flooding ARP spoofing services Host port os

4 Complexity

xi xi1 xi2 xiD1113864 1113865 (1)

vxi vi1 vi2 viD1113864 1113865 (2)

where D indicates the search space of the particle Equation(3) was used to calculate the velocity and position for searchspace as follows

vt+1id wlowast v

tid + c1 lowast r1i lowast pid minus x

tid1113872 1113873

+ c2 lowast r2i lowast pgd minus xtid1113872 1113873

(3)

vt+1id v

tid + v

t+1id (4)

where d is the dimension in the search space t denotes theiteration in the process for search space w is the inertiaweight c1 and c2 are acceleration constants r1i and r2i arerandom values distributed in 0 and 1 and pid and pgdrepresent the pbest and gbest in dimension space in thesearch space e values of location and rapidity in eachparticle are updated until they obtain the best featuresenthe condition is stopped when the iteration reaches themaximum number and obtains satisfactory fitness values

e IoTID20 dataset was very big with around 6332562instances for improving the deep learning algorithms ePSO algorithm was proposed for handling dimensionalityreduction Twenty-one of the most significant features wereselected to develop the system e PSO method used po-sition and velocity for searching the best road to obtainappropriate features from the dataset We used Iteration 19gbest and the value of fitness was 90666351 whereas It-eration 20 was used for gbest and the value of fitness was90666351 e significant features obtained using the PSOmethod are presented in Table 2 (Algorithm 1)

23 Correlation Analysis Pearsonrsquos correlation coefficientmethod was applied to analyze the correlation between the

selected features and classes (normal and attacks) for ap-proving the significant subset feature as follows

R n 1113936(x times y) minus 1113936 x( 1113857 1113936 y( 1113857

n 1113936 x2

1113872 1113873 minus 1113936 x2

1113872 11138731113960 1113961 times n 1113936 y2

1113872 1113873 minus 1113936 y2

1113872 11138731113960 1113961times 100

(5)

where R is Pearsonrsquos correlation coefficient approach x istraining input values of the features y is input values ofclasses (normal and attack) and n is total number of inputvariables

Table 3 summaries Pearsonrsquos correlation coefficientmethod and it was employed to evaluate and examine theselected features by using the PSOmethod It is noted that all20 features have optimal correlation with normal classHowever the features namely Fwd_Bytsb_Avg andBwd_Bytsb_Avg have strongest relationship (R 100)with normal class Overall all the features have good rela-tionship with normal class

Table 4 shows Pearsonrsquos correlation coefficientmethod forfinding the relationship between the most significant featuresobtained from the PSO method with attack class It is notedthat the Fwd_PSH_Flags Fwd_Bytsb_Avg and Bwd_Pktsb_Avg features obtained R 100 whereas FIN_Flag_CntRST_Flag_Cnt CWE_Flag_Count and ECE_Flag_Cnt fea-tures have obtained R 990 We have approved that se-lected features by employing the PSO method wereappropriated for enhancing the intrusion detection system

24 Deep Learning Algorithms In this section the threeadvanced deep learning algorithms are presented CNNLSTM and CNN-LSTM

241 Convolution Neural Network Deep neural networksare part of artificial neural networks (ANNs) with multi-layers Over the last few decades ANNs have been

55124 59391 53073

121181

183554

55818 Normal

40073

2219235377

Mirai ack floodingMirai UDP floodingDoSMirai HTTP floodingScan port OS

NormalMirai brute forceScan host portMITM

Figure 4 Numbers of instances for each class of IoTID20 dataset

Complexity 5

considered to be some of the most powerful algorithms forhandling many real-time applications [45] Deep learningalgorithms use many deeper hidden layers to surpass clas-sical ANN methods [46 47] A convolutional neural net-work is one of the most popular deep neural networkalgorithms and it is named convolution by using mathe-matical linear operation between matrices Our proposedCNN comprised five main layers input convolutionpolling FC and output Figure 6 shows the structure of theCNN model used to develop the IoT cybersecurity system

To extract features from cybersecurity-based IoT dataconvolution layers were used e convolution layers hadmultiple convolution kernels composed of the weight of thekernels e convolution kernel is i the weight coefficient isindicated by wi and the deviation quantity is bi e inputconvolution layer is ximinus1 and the convolution layer wasprocessed using equation (5)

xi f wi otimes ximinus1 + bi( 1113857 (6)

IoTID20 datasetattack

Swarminitialization Fitness of particle Pbest

Fitness of particlegbest

Update velocity

Update position

Evaluate the subsetfeatures

NoYesObtained best subset

features

Figure 5 Particle swarm optimization algorithm steps for selecting subsets

Table 2 21 significant features obtained by using the PSO method

Totalfeatures Feature name

21Src_IP Fwd_Pkt_Len_Min Flow_Pktss Flow_IAT_Mean Flow_IAT_Min Fwd_IAT_Tot Fwd_IAT_Mean

Bwd_IAT_Mean 1 Bwd_IAT_Max Bwd_IAT_Min Fwd_PSH_Flags FIN_Flag_Cnt RST_Flag_Cnt CWE_Flag_CountECE_Flag_Cnt fwd_bytsb_avg bwd_pktsb_avg Init_Bwd_Win_Byts Active_Mean Idle_Max class

(1) Initialize parameters Xti is fitness N numbers of particles

(2) Initialize population Pi_besta while (number of generations or the stopping criterion is not met) (3) for (i 1 to N) (4) if fitness Xt

i gt fitness Pi_best(5) (6) then update Pi_best Xt

i

(7) if the fitness of Xti gt gbest then

(8) then update gbest Xti

(9)

(10) Update velocity vector(11) Update particle position(12) Next particle(13) (14) Next generation

ALGORITHM 1 PSO algorithm

6 Complexity

Tabl

e3

Correlatio

ncoeffi

cientbetweenfeatures

andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity

where xi is the output convolution l i is the convolutionkernel otimes is the convolution operation and f(x) is theactivation function

e convolution kernel was used to pass the IoT trainingdata into max pooling for the extraction of the character-istics of the IoT network data e extracted features weretransferred into the output layer using the tanh function Itwas noted that the tanh function was an appropriate acti-vation function for designing the system

f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)

where tanh is the function and x is the training input data

Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)

where Qj is the output results from the IoT cybersecuritydataset j is the pooling region Max is the operation and Pt

j

is the element of the poolinge softmax function was used to calculate the proba-

bility distribution of an N-dimensional vector e mainpurpose of using softmax at the output layer was for themulticlass classification method used in machine learningalgorithms deep learning and data science e correctcalculation of the output probability helps determine theproper target class for the input dataset and the probabilitiesof the maximum values are increased using an exponentialelement e softmax equation is shown in the followingequation

Oi e

zi

1113936Mi1 e

zi (9)

where i and zi are the output from pervious layers Oi in-dicates the output of softmax function and M is the totalnumber of output nodes

242 Long Short-Term Memory Recurrent Neural Networke recurrent neural network (RNN) is an advanced arti-ficial intelligence algorithm used in many real-life applica-tions A traditional RNNwas applied to predict the temporaltraining data but it faced difficulties when handling gradient

explosion data To solve this issue the LSTM model wasproposed e LSTM model used a memory function toreplace the hidden RNN unit Figure 7 displays the structureof the LSTM model for detecting intrusions from the IoTnetwork dataset e LSTM model consisted of three im-portant gates the forget input and output gates [48]

e forget gate was used to find forgotten informationwhere ht is the input data and the interval number of theoutput gate is [0 1] where 0 indicates ldquocompletely dis-cardedrdquo and 1 indicates ldquocompletely retainedrdquo e currentstate is represented by ct as follows

ht sigma Wxt + Uhtminus1 + b(h)

1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)

where ht is input training data and input to the previous cell ispresented by htminus1 e forget gate is indicated by ft thesignificant parameters of the LSTM are weight W(f) and b(f)

is biase input gate was used to update the information usingtwo functions namely sigma and tanhe sigma functionwasemployed to determine what information needed updatingwhereas the tanh function generated information for updating

it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873

ct it middot mt + ft middot ctminus1

(11)

When the cell state ctminus1 is the cell state from the previouscell which was used to update by using cell state ct the newinformation must be discarded and ft ctminus1 and it mt arecombined to obtain the next cell state as follows

ot sigma W(o)

+ Xt + htminus1 + b(o)

1113872 1113873

ht ot middot tanh ct( 1113857(12)

where ot is the output gate and the weight vector of theneural network is represented by W U and V e sigmafunction was used to find which information would be theoutput and tanh was employed to propose the cell state anddeclare the final output

Convolution Convolution Max pooling Convolution Convolution Max pooling Fully connected

Figure 6 Structure of the convolution neural network (CNN) model for classification of Internet of ings (IoT) intrusions

Complexity 9

243 Combined CNN-LSTM Network We proposedcombining two advanced deep learning algorithms todetect intrusion from an IoT network dataset A hybridmodel was designed to automatically detect the attacksand the structure of the proposed model is presented inFigure 8 e architecture was developed by combiningtwo deep learning models namely the CNN and LSTMnetworks whereas the CNN algorithm was used toprocess the significant features obtained from the PSOmethod with the size of 20 times 625783 to extract newcomplex features A convolutional layer size of threekernels was used to extract the complex features and tanhactivation was proposed to transfer the data A two-kernel max pool was used for dimension reduction andwe mapped the features to the LSTM model for the ex-traction of new time information After the LSTM timeinformation was extracted the fusion features were fullyconnected for use in the classification process esoftmax was proposed to detect attacks from the IoTnetwork data

3 Results

In this section results of the proposed formwork for de-tection intrusion are presented

31 Experiment Environment Setup e proposed researchwas completed using different software and hardware en-vironments Table 5 shows the requirements used to developthe proposed system It was noted that these requirementswere suitable for training the big data

Significant parameters used for the development of thedeep learning algorithm are presented in Table 6 e kernelconvolution was three and the dropout was 50 Moreoverthe experiment epochs were 10 due to the big dataWe used thetanh function for the activation function for both models

32 Evaluation Metrics Sensitivity specificity precision re-call and F1-score evaluation metrics were proposed to test andevaluate the framework e equations are defined as follows

Input does X(t) matter

h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg

New memory computer new memory

Forget should c(tndash1) be forgotten

Output how much c(t) should be exposed

Figure 7 Generic structure of the long short-term memory (LSTM) model for the classification of Internet of ings (IoT) intrusions

10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100

recall TPTP + FN times 100

F1 minus score 2lowastprecisionlowastRecallprecisionlowastRecall

times 100QUOTE Sensivity TP

TP + FNtimes 100

(13)

where TP is true positive FP is false positive TN is truenegative and FN is false negative

33 Results and Discussion e experiments were con-ducted using a real IoT based on cybersecurity network dataand three advanced artificial intelligence models namelyCNN LSTM and CNN-LSTM were proposed to classify theattacks from the IoT network dataset Experiments for de-veloping a robust IoT cybersecurity system for detectingintrusions have been presented e PSO method was ap-plied to deal with dimensionality reduction and improve theclassification process Among the 81 features we selected 21as the most significant features for processing the data todetect the intrusions It was noted that the proposed methodwas very robust when using the PSO method

e numbers of false positives false negatives true posi-tives and true negatives were reported using a confusion

matrix In this research we had to deal with big data (the totaldata were 625783 instances and the training data were 438048instances whereas the total testing was 187735 instances)Figure 9 shows the size of sample for training and testingTable 7 shows the results of the confusionmatrix obtained fromthe proposed system Figure 10 shows the confusion matrix ofthe proposed system and the confusion matrix of the com-bined CNN-LSTM model is presented in Figure 11

To validate the proposed system we divided thedataset into 70 training and 30 testing ree exper-iments were conducted using different algorithmsnamely CNN LSTM and CNN-LSTM to detect theintrusions Table 8 demonstrates the results of the pro-posed model and it was noted that the LSTM algorithmobtained a slightly higher accuracy compared with theCNN and CNN-LSTM models

From the evaluation of the deep learning models of thetwo classes of normal and attacks obtained from the

80 times 625783The

Original Preprocessing

PSO method

Dimensionality reduction

Convolution Convolution ConvolutionConvolutionMax pooling Max pooling20 times 625783

20 times 625783

LSTM LSTM LSTM LSTM LSTM LSTM

Flatten

Fully connected

ClassificationNormal Attacks

Figure 8 Architecture of the combined convolution neural network long short-term memory (CNN-LSTM) model

Complexity 11

confusion metrics the empirical results for the LSTMmodelshowed a slightly better performance the LSTM modelresults were 9884 9960 7772 9900 and 9882with respect to precision sensitivity specificity F1-scoreand accuracy respectively Overall the deep learning al-gorithms achieved optimal results for detecting intrusionsfrom the IoT network data Figure 12 displays the trainingloss of the deep learning algorithms it shows the rela-tionship between training loss and the number of epochs inthe proposed framework It was noted that training lossgradually decreased when the training loss increased andthe proposed system of 10 epochs was suitable e training

loss and number of epochs for the combined model arepresented in Figure 13

e proposed system was validated by dividing thedataset into 30 testing and the accuracy performancesof the CNN and LSTM algorithms are presented in Fig-ure 14 e performance of the combined CNN-LSTMmodel is presented in Figure 15 e three deep learningalgorithms performed differently when detecting intru-sions based on the IoT dataset e CNN algorithmachieved 96 accuracy and the LSTM achieved 98 ac-curacy whereas the combined CNN-LSTM modelattained 98 accuracy It was observed that the LSTM

Table 5 Experiment environment setup

Hardware EnvironmentOperation system Windows 10CPU I7Memory 8Development environment Jupyter Python 36

Table 6 Parameters of the proposed model

Parameters ValueParameter name ValueConvolutions filters 100Kernel size of filter 3Max pooling size 2Drop out 050Fully connected layer 256Activation function TanhClassification function SoftmaxOptimizer RSMpropEpochs 10Batch size 5000

438048

187735

Size

Size

Training Testing

Figure 9 Size of sample for training and testing

Table 7 Confusion matrices for the proposed framework in testing phase

Models TP TN FP FNCNN 171895 9512 2592 3736LSTM 174918 9101 3003 713CNN-LSTM 175059 9346 2758 572

12 Complexity

model was slightly better than the CNN and the combinedCNN-LSTM models Overall it was noted that bothclassifications achieved better results due to the datasethaving the highest dimensionality and we found that thesystem was able to handle this and improve the perfor-mance of systems

e proposed methodology was compared with researchwork that generated these data by Ullah et al [49] whoproposed a machine learning algorithm namely SVM andGaussian Naıve bays (NB) linear discriminant analysis

(LDA) and decision and random forest to detect intrusionfrom the IoT environment e ShapirondashWilk algorithmwas used to select the significant features from the entiredataset the LDA the decision tree the random forest andthe ensemble It was noted that 10 features were the mostsignificant features that enhanced the classification al-gorithm to attain good results ey used cross-validations3 5 and 10 to validate their results us we developed asystem based on deep learning algorithms to improve theaccuracy of detecting attacks e PSO method was

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038

True positive1749189317

Figure 11 Confusion matrix of the convolution neural network long short-term memory (CNN-LSTM) model

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)

Figure 10 Confusion matrix of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM) model

Table 8 Results of the proposed system for the validation phase

Precision () Sensitivity () Specificity () F1-score () Accuracy () Time (second)CNN 9840 990 7720 9870 9660 80LSTM 980 9970 7160 9890 9820 160CNN-LSTM 9840 9920 7740 9880 980 80

Complexity 13

022

020

018

016

014

012

010

Accu

racy

2 4 6 8 10Number of epochs

Training lossValidation loss

(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)

Figure 12 Training loss and epochs of (a) the convolution neural network (CNN) model and (b) the long short-term memory (LSTM)model

020

018016014012010

008006

Accu

racy



Figure 13 Training loss and number of epochs of the convolution neural network long short-term memory (CNN-LSTM) model

097

096

095

094

Accu

racy


Training accuracyValidation accuracy

(a)

Accu

racy



098

097

096

095

094

093

(b)

Figure 14 Performance of the proposed models (a) convolution neural network (CNN) model and (b) long short-term memory (LSTM)model

14 Complexity

considered to handle imbalanced data for obtaining sig-nificant subset features We found that our system im-proved the effectiveness of detecting cyberattacks basedon the IoT environment Table 9 compares the

performances of our proposed systems with data fromprevious studies e proposed framework yielded su-perior detection accuracy compared with other machinealgorithms (see Figure 16)

0102030405060708090

100

SVM NB LDA Decsiontree

Randomforest

Ensemble Proposedmodel

(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models

AccuracyPrecisionF1-score

Figure 16 Comparison of the proposed system against the existing system in terms of accuracy metric

Accu

racy


098

097

096

095

094

093



Table 9 Comparison of the proposed and existing model results

Algorithms Precision Sensitivity Specificity F1-score Accuracy Time (second)SVM 55 - - 37 40Gaussian NB (Naıve bays) 55 - - 62 73LDA 71 62 70Decision tree 85 88 88Random forest 85 84 84Ensemble 87 87 87CNN 9840 0990 0772 9870 0966 80LSTM 980 0997 0716 9890 0982 160CNN-LSTM 9840 0992 0774 9880 0980 80

Complexity 15

4 Conclusion

We presented the implementation and evaluation of aproposed framework to detect intrusions based on IoTinfrastructure We developed a robust system using ad-vanced artificial intelligence algorithms namely CNNLSTM and combined CNN-LSTM For computationintelligence PSO was employed to derive subset featuresfrom the entire dataset e selected subset features wereprocessed using a classification algorithm We made thefollowing conclusions

e novel proposed system was evaluated and devel-oped using a new real standard dataset generated fromthe IoT environment is was a big challenge to de-veloping the systemAdvanced deep learning algorithms namely CNNLSTM and CNN-LSTM were applied for the auto-matic classification of the intrusionse experimental results of the proposed system weresuperior to a research article that generated the datasetand the robustness and efficiency of the proposedmodel will be implemented in our university IoTinfrastructure

Data Availability

e IoTID20 dataset supporting the study was obtainedfrom Kaggle httpssitesGooglecomviewiot-network-in-trusion-datasethomee newly developed IoTID20 datasetwas adopted from Pcap files available online e datasetcontained 80 features and two main label attacks andnormal e IoTID20 dataset attack was generated in 2020Figure 2 shows the IoT environment of the generatedIoTID20 dataset Table 1 displays all the types of IoTID20dataset attacks and the numbers of features for each classlabel are presented in Figure 4

Conflicts of Interest

e authors declare that they have no conflicts of interest

Acknowledgments

e authors extend their appreciation to the Deanship ofScientific Research at King Faisal University for funding thisresearch work and APC through the project number no206068

References

[1] H Alkahtani T H H Aldhyani and M Al-Yaari ldquoAdaptiveanomaly detection framework model objects in cyberspacerdquoApplied Bionics and Biomechanics vol 6660489 p 14 2020

[2] T Aldhyani and M Joshi ldquoIntelligent time series model topredict bandwidth utilizationrdquo International Journal of Ad-vanced Computer Science and Applications vol 14 pp 130ndash141 2017

[3] M Tang M Alazab and Y Luo ldquoBig data for cybersecurityvulnerability disclosure trends and dependenciesrdquo Institute of

Electrical and Electronics Engineers Transactions on Big Datavol 5 no 3 pp 317ndash329 2019

[4] D Vasan M Alazab S Venkatraman J Akram and Z QinldquoMTHAEL cross-architecture IoT malware detection basedon neural network advanced ensemble learningrdquo Institute ofElectrical and Electronics Engineers Transactions on Com-puters vol 69 no 11 pp 1654ndash1667 2020

[5] A Karim S Azam B Shanmugam K Kannoorpatti andM Alazab ldquoA comprehensive survey for intelligent spamemail detectionrdquo Institute of Electrical and Electronics Engi-neers Access vol 7 pp 168261ndash168295 2019

[6] T H H Aldhyani M Alrasheedi M Y AlzahraniA M Bamhdi A A Alqarni et al ldquoIntelligent hybrid modelto enhance time series models for predicting network trafficrdquoInstitute of Electrical and Electronics Engineers Access vol 8pp 130431ndash130451 2020

[7] G Press Internet of6ings by the NumbersWhat New SurveysFound Springer Berlin Germany 2018

[8] V Danish M Alazab W Sobia N Hamad S Babak andQ Zheng ldquoIMCFN Image-based malware classification usingfine-tuned convolutional neural network architecturerdquoComputer Networks vol 171 Article ID 107138 2020

[9] M Alazab K Lakshmanna G ippa Reddy Q-V Phamand P K R Maddikunta ldquoMulti-objective cluster head se-lection using fitness averaged rider optimization algorithm forIoTnetworks in smart citiesrdquo Sustainable Energy Technologiesand Assessments vol 43 2021 ISSN 2213-1388 Article ID100973

[10] M Joshi and T H Hadi ldquoA Review of Network TrafficAnalysis and Prediction Techniquesrdquo p 23 2015 httpsarxivorgabs150705722

[11] T Aldhyani and M Joshi ldquoAnalysis of dimensionality re-duction in intrusion detectionrdquo International Journal ofComputational Intelligence and Informatics vol 4 no 3pp 199ndash206 2014

[12] I V Sitalakshm and M Alazab ldquoUse of data visualisation forzero-day malware detectionrdquo Security and CommunicationNetworks vol 1728303 p 13 2018

[13] P Jokar N Arianpoo and V C M Leung ldquoElectricity theftdetection in AMI using customersrsquo consumption patternsrdquoInstitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 7 pp 216ndash226 2017

[14] F A A Alseiari and Z Aung ldquoReal-time anomaly-baseddistributed intrusion detection systems for advancedMetering Infrastructure utilizing stream data miningrdquo inProceedings of the International Conference on Smart Grid ampClean Energy Technologies Offenburg Germany October2015

[15] R Vijayanand D Devaraj and B Kannapiran ldquoSupportvector machine based intrusion detection system with re-duced input featuresfor advanced metering infrastructure ofsmart gridrdquo in Proceedings of the 4th International Conferenceon Advanced Computing and Communication SystemsCoimbatore India January 2017

[16] A Jindal A Dua K Kaur M Singh N Kumar andS Mishra ldquoDecision tree and SVM-based data analytics fortheft detection in smart gridrdquo Institute of Electrical andElectronics Engineers Transactions on Industrial Informaticsvol 12 no 3 pp 1005ndash1016 2016

[17] N Boumkheld M Ghogho and M E Koutbi ldquoIntrusiondetection system for the detection of blackhole attacks in asmart gridrdquo in Proceedings of the 4th International Symposiumon Computational and Business Intelligence Olten Switzer-land September 2016

16 Complexity

[18] P Jokar and V Leung ldquoIntrusion detection and preventionfor ZigBee-based home area networks in smart gridsrdquo In-stitute of Electrical and Electronics Engineers Transactions onSmart Grid vol 9 pp 1800ndash1811 2016 [CrossRef]

[19] M N Hasan R N Toma A-A Nahid M M M Islam andJ-M Kim ldquoElectricity theft detection in smart grid systems aCNN-LSTM based approachrdquo Energies vol 12 no 17p 3310 2019 [CrossRef]

[20] W Wang Y Sheng J Wang et al ldquoHAST-IDS learninghierarchical spatial-temporal features using deep neuralnetworks to improve intrusion detectionrdquo Institute of Elec-trical and Electronics Engineers Access vol 6 pp 1792ndash18062018 [CrossRef]

[21] R Vinayakumar K P Soman and P PoornachandranldquoApplying convolutional neural network for network intru-sion detectionrdquo in Proceedings of the International Conferenceon Advances in Computing Communications and InformaticsKarnataka India September 2017

[22] A Ullah N Javaid and S Omaji ldquoCNN and GRU based deepneural network for electricity theft detection to secure smart gridrdquoin Proceedings of the 2020 InternationalWireless Communicationsand Mobile Computing Limassol Cyprus June 2020

[23] G Liu and J Zhang ldquoCNID research of network intrusiondetection based on convolutional neural networkrdquo DiscreteDynamics in Nature and Society vol 202011 pages 2020[CrossRef]

[24] Y Xiao C Xing T Zhang and Z Zhao ldquoAn intrusion de-tection model based on feature reduction and convolutionalneural networksrdquo Institute of Electrical and Electronics En-gineers Access vol 7 pp 42210ndash42219 2019 [CrossRef]

[25] H Yang and F Wang ldquoWireless network intrusion detectionbased on improved convolutional neural networkrdquo Instituteof Electrical and Electronics Engineers Access vol 7pp 64366ndash64374 2019 [CrossRef]

[26] S S Chakravarthi and S Veluru ldquoA review on intrusiondetection techniques and intrusion detection systems inMANETsrdquo in Proceedings of the International Conference onComputational Intelligence and Communication NetworksBhopal India November 2014

[27] L Santos C Rabadao and R Goncalves ldquoIntrusion detectionsystems in Internet of ings a literature reviewrdquo in Pro-ceedings of the 13th Iberian Conference on Information Systemsand Technologies (Cisti) Caceres Spain June 2018

[28] A B Mohamed N B Idris and B Shanmugum ldquoA briefintroduction to intrusion detection systemrdquo in Proceedings ofthe Trends in Intelligent Robotics Automation andManufacturing Proceedings of the IRAM 2012 Communi-cations in Computer and Information Science Kuala LumpurMalaysia November 2012

[29] S G Ponnambalam J Parkkinen and K C RamanathanEds in Proceedings of the International Conference on In-telligent Robotics Automation and Manufacturing vol 330Springer Kuala Lumpur Malaysia November 2012

[30] Y Fu Z Yan J Cao O Kone and X Cao ldquoAn automatabased intrusion detection method for internet of thingsrdquoMobile Information Systems vol 2017 2017 [CrossRef] Ar-ticle ID 1750637

[31] A Kapitonov S Lonshakov A Krupenkin and I BermanldquoBlockchain-based protocol of autonomous business activityformulti-agent systems consisting of UAVsrdquo in Proceedings oftheWorkshop on Research Education and Development ofUnmanned Aerial Systems (RED-UAS) pp 84ndash89 [CrossRef]Linkoping Sweden October 2017

[32] C Liang B Shanmugam S Azam M Jonkman F D Boerand G Narayansamy ldquoIntrusion detection system for internetof things based on a machine learning approachrdquo in Pro-ceedings of the International Conference on Vision towardsEmerging Trends in Communication and Networking (ViTE-CoN) pp 1ndash6 [CrossRef] Vellore India March 2019

[33] C Savaglio G Fortino M Ganzha M Paprzycki C Badicaand M Ivanovic ldquoAgent-based internet of things state-of-the-art and research challengesrdquo Future Generation ComputerSystems vol 102 2019 [CrossRef]

[34] L Liu B Xu X Zhang and X Wu ldquoAn intrusion detectionmethod for internet of things based on suppressed fuzzyclusteringrdquo EURASIP Journal on Wireless Communicationsand Networking vol 2018 p 113 2018 [CrossRef]

[35] P Kasinathan G Costamagna H Khaleel C Pastrone andM A Spirito ldquoDEMO an IDS framework for internet ofthings empowered by 6LoWPANrdquo in Proceedings of the 2013ACM SIGSAC Conference on Computer amp CommunicationsSecurity Berlin Germany November 2013

[36] J M R Danda and C Hota ldquoAttack identification frameworkfor IoT devicesrdquo Advances in Intelligent Systems and Com-puting In Information Systems Design and Intelligent Appli-cations Springer India New Delhi India pp 505ndash513 2016

[37] K A P Da Costa J P Papa C O Lisboa R Munoz andV H C De Albuquerque ldquoInternet of ings a survey onmachine learning-based intrusion detection approachesrdquoComputer Networks vol 151 pp 147ndash157 2019 [CrossRef]

[38] A A Diro and N Chilamkurti ldquoDistributed attack detectionscheme using deep learning approach for Internet of ingsrdquoFuture Generation Computer Systems vol 82 pp 761ndash7682018 [CrossRef]

[39] M A A Da Cruz J J P C Rodrigues J Al-MuhtadiV V Korotaev and V H C De Albuquerque ldquoA referencemodel for internet of things middlewarerdquo Institute of Elec-trical and Electronics Engineers Internet of 6ings Journalvol 5 no 2 pp 871ndash883 2018 [CrossRef]

[40] A Azmoodeh A Dehghantanha and K-K R Choo ldquoRobustmalware detection for internet of (battlefield) things devicesusing deep eigenspace learningrdquo Institute of Electrical andElectronics Engineers Transactions on Sustainable Computingvol 4 pp 88ndash95 2018 [CrossRef]

[41] X Larriva-Novo V A Villagra M Vega-Barbas D Riveraand M Sanz Rodrigo ldquoAn IoT-focused intrusion detectionsystem approach based on preprocessing characterization forcybersecurity datasetsrdquo Sensors vol 21 no 2 p 656 2021

[42] J Kennedy and R C Eberhart ldquoParticle swarm optimiza-tionrdquo in Proceedings of the IEEE Int Conf Neural Networkspp 1942ndash1948 Perth Australia November 1995

[43] Y Y Chung and N Wahid ldquoA hybrid network intrusiondetection system using simplified swarm optimization (SSO)rdquoApplied Soft Computing vol 12 no 9 pp 3014ndash3022 2012

[44] S X Wu and W Banzhaf ldquoe use of computational in-telligence in intrusion detection systems a reviewrdquo AppliedSoft Computing vol 10 no 1 pp 1ndash35 2010

[45] C D McDermott F Majdani and A V Petrovski ldquoBotnetdetection in the internet of things using deep learning ap-proachesrdquo in Proceedings of the 2018 International JointConference on Neural Networks (IJCNN) pp 1ndash8 [CrossRef]Rio de Janeiro Brazil July 2018

[46] T H H Aldhyani M Al-Yaari H Alkahtani and M MaashildquoWater quality prediction using artificial intelligence algo-rithmsrdquo Applied Bionics and Biomechanics vol 2020 ArticleID 6659314 2020

Complexity 17

[47] J Bassey D Adesina X Li L Qian A Aved and T KroeckerldquoIntrusion detection for IoT devices based on RF finger-printing using deep learningrdquo in Proceedings of the 2019Fourth International Conference on Fog and Mobile EdgeComputing (FMEC) pp 98ndash104 [CrossRef] Rome Italy June2019

[48] T Al-Mughanam T H H Aldhyani B Alsubari and M Al-Yaari ldquoModeling of compressive strength of sustainable self-compacting concrete incorporating treated palm oil fuel ashusing artificial neural networkrdquo Sustainability vol 12 no 22Article ID 9322 2020

[49] I Ullah and Q H Mahmoud ldquoA scheme for generating adataset for anomalous activity de-tection in IoTnetworksrdquo inAdvances in Artificial Intelligence Canadian AI 2020 LectureNotes in Computer Science C Goutte and X Zhu Edsvol 12109 Berlin Germany Springer 2020

18 Complexity

systems networks and data frommalicious attacks It is alsoknown as information technology security [6ndash9] eseintrusions incorporate field of research control systems bycontrolling an alteration of the document system height-ening benefits making unapproved logins accessing sen-sitive records and using malware (eg infections Trojanhorses and worms) which can change the condition of thenetwork Network intrusions occur due to approachingpackets in the network system to perform behaviors such asdenial of service (DoS) attacks or even attempts to be splitinto the system DoS attacks are attempts to make PC assetsunapproachable by their planned clients for example landattacks ping of death (POD) and flood attacks Indicationsof intrusions incorporating abnormal outcomes while exe-cuting different client charges are exemplified by moderatesystem execution and sudden system crashes and changes inparts of information structures are bizarrely moderatesystem implementations (eg opening records or accessingsites)

Attackers exploit unknown vulnerabilities and bypassknown signatures e IoT environment is based on a smartgrid that uses sensor devices and these devices connect toeach other to pass information Figure 1 displays the worldpopulation and the number of sensor devices required forprotection from attackers With the exponential growth ofIoT use the IoT has become a smart object of attackersachieving their targetserefore using artificial intelligencebased on deep learning algorithms can detect unknownvulnerabilities using sensors devices [10]

Artificial intelligence is a kind of information-drivenapproach in which the first step is to understand the dataVarious types of data represent specific attack behaviorsincluding host behaviors and network activities Server logsreflect host behaviors and network traffic represents net-work behaviors ere are several types of attacks with eachhaving a particular pattern erefore it is important toselect suitable data sources to detect various attacks as perthe features of the threat One of the key features of a DoSattack for example is to send several packets in a very shorttime thus flow data are ideal for DoS attack detection Ahidden channel includes a data-leaking operation betweentwo different IP addresses and is best suited for session datadetection erefore the advance of deep learning algo-rithms can help detect these network behaviors [11 12]

Many studies have proposed the development of net-work security systems and artificial intelligence plays aprimary role in the area of cybersecurity based on IoT fordesigning an intelligent system for security in the IoT en-vironment e proposed research aimed to develop anintelligent model that could help secure the IoT structureand devices from threats Currently most companies andorganizations have undergone digital transformationsthrough IoT devices However this has created new com-plexities and vulnerabilities that once cybercriminals learnabout them can be quickly exploited Jokar et al [13] de-veloped classification algorithms to detect abnormal elec-tricity consumption Alseiari et al [14] used soft computingbased on clustering technology to monitor network traffic inadvanced metering infrastructure (AMI) Vijayanand et al

[15] applied a support vector machine (SVM) based on amulticlass to detect the IDS where decision tree algorithmsgave very powerful results compared with an SVM proposedby Jindal et al [16] Boumkheld et al [17] used a traditionalmachine learning algorithm over a naive Bayesian networkto test the ability of this algorithm to detect IDS Zigbee-based Q-learning was proposed by Jokar et al [18] to protectnetworks from intrusion who found it the best strategy formonitoring system attacks Hasan et al [19] proposed ahybrid convolution neural network (CNN) with long short-term memory (LSTM) to classify the characteristics ofelectricity information and the use of a hierarchy to selectsignificant features from intrusion detection networks wasproposed by Wang et al [20] CNN and LSTM algorithmshave been applied to detect attacks [21] Ullah et al [22]introduced a hybrid deep neural network to detect intrusionby combining a CNN and a gated recursive unit A particleswarm optimization (PSO) algorithm has been used to selectsignificant features from data and a developing system canautomatically perform the processes of selecting features andclassifications In Liu et alrsquos [23] research a CNN algorithmwas applied to identify attacks and it was noted that deeplearning based on the CNN improved the system Xiao et al[24] adopted an autoencoder to reduce the dimension of theintrusion detection data to decrease the interference of re-dundant features these features were processed using aCNN to classify the attacks Yang et al [25] used a CNN todetect intrusion for improved extraction of features acrosslayers and feature fusion has been used to obtain com-prehensive features Yang et al [26] developed a system tosecure the IoT in the healthcare environment it controlledtraffic and made the healthcare environment smarterFurthermore security methods have been developed for IoTsystems as described in [27ndash29] Other algorithms appliedas solutions for the security of DNP3 traffic include statisticalapproaches and machine learning [30 31] Keliris et al [32]used the support vector machine (SVM) algorithm forclassification intrusion and it was noted that the SVMperformed well It has been suggested that a detection systemusing machine learning techniques in power systems wouldbe feasible for detecting malicious states [33] Arrigntonet al introduced a machine learning algorithm based onanomaly based intrusion detection for the protection of IoTdevices Liu et al [34] developed an IDS using suppressedfuzzy clustering and principal component analysis (PCA)algorithms Kasinathan et al [35] developed a system sig-nature-based IDS for low-power wireless personal areanetwork (6LoWPAN)-based IoT networks this systemaimed to detect DoS attacks with the highest accuracyDanda et al [36] designed a host-based IDS for the securityof IoT network devices using rule-based detection

Cho et al [37] proposed machine leaning algorithms todetect the botnet attacks at hosts and network levels on theIoT environment e feature selection method was pre-sented to select the features of malicious attack behaviorsDiro and Chilamkurti [38] introduced the deep learning toclassify the intrusion from host level in IoT Cruz et al [39]proposed the intelligent mechanism model to detect theintrusion based on the decision making method moreover

2 Complexity












50

40

30

20

10

02003 2008

6307 6721 6894 7347 783

2010 2015 2020

Iflection point




World populationIoT


Complexity 3




Preprocessing

PSO

21 Features

Deep learning



of IDS

CNN- LSTMmodels


AI speaker

Security camera

Access point

Smart phone






4 Complexity

xi xi1 xi2 xiD1113864 1113865 (1)

vxi vi1 vi2 viD1113864 1113865 (2)


vt+1id wlowast v


tid1113872 1113873


(3)

vt+1id v

tid + v

t+1id (4)






n 1113936 x2

1113872 1113873 minus 1113936 x2

1113872 11138731113960 1113961 times n 1113936 y2

1113872 1113873 minus 1113936 y2

1113872 11138731113960 1113961times 100

(5)






55124 59391 53073

121181

183554

55818 Normal

40073

2219235377




Complexity 5







Update velocity

Update position



features









i



(9)



6 Complexity

Tabl

e3

Correlatio

ncoeffi


andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity












50

40

30

20

10

02003 2008

6307 6721 6894 7347 783

2010 2015 2020

Iflection point




World populationIoT


Complexity 3




Preprocessing

PSO

21 Features

Deep learning



of IDS

CNN- LSTMmodels


AI speaker

Security camera

Access point

Smart phone






4 Complexity

xi xi1 xi2 xiD1113864 1113865 (1)

vxi vi1 vi2 viD1113864 1113865 (2)


vt+1id wlowast v


tid1113872 1113873


(3)

vt+1id v

tid + v

t+1id (4)






n 1113936 x2

1113872 1113873 minus 1113936 x2

1113872 11138731113960 1113961 times n 1113936 y2

1113872 1113873 minus 1113936 y2

1113872 11138731113960 1113961times 100

(5)






55124 59391 53073

121181

183554

55818 Normal

40073

2219235377




Complexity 5







Update velocity

Update position



features









i



(9)



6 Complexity

Tabl

e3

Correlatio

ncoeffi


andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity




Preprocessing

PSO

21 Features

Deep learning



of IDS

CNN- LSTMmodels


AI speaker

Security camera

Access point

Smart phone






4 Complexity

xi xi1 xi2 xiD1113864 1113865 (1)

vxi vi1 vi2 viD1113864 1113865 (2)


vt+1id wlowast v


tid1113872 1113873


(3)

vt+1id v

tid + v

t+1id (4)






n 1113936 x2

1113872 1113873 minus 1113936 x2

1113872 11138731113960 1113961 times n 1113936 y2

1113872 1113873 minus 1113936 y2

1113872 11138731113960 1113961times 100

(5)






55124 59391 53073

121181

183554

55818 Normal

40073

2219235377




Complexity 5







Update velocity

Update position



features









i



(9)



6 Complexity

Tabl

e3

Correlatio

ncoeffi


andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity

xi xi1 xi2 xiD1113864 1113865 (1)

vxi vi1 vi2 viD1113864 1113865 (2)


vt+1id wlowast v


tid1113872 1113873


(3)

vt+1id v

tid + v

t+1id (4)






n 1113936 x2

1113872 1113873 minus 1113936 x2

1113872 11138731113960 1113961 times n 1113936 y2

1113872 1113873 minus 1113936 y2

1113872 11138731113960 1113961times 100

(5)






55124 59391 53073

121181

183554

55818 Normal

40073

2219235377




Complexity 5







Update velocity

Update position



features









i



(9)



6 Complexity

Tabl

e3

Correlatio

ncoeffi


andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity







Update velocity

Update position



features









i



(9)



6 Complexity

Tabl

e3

Correlatio

ncoeffi


andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity

Tabl

e3

Correlatio

ncoeffi


andno

rmal

class

Features

Normal

Normal

Normal

Normal

Normal

inNormal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Normal

Src_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

064

Flow

_IAT_

Min

063

Fwd_

IAT_

Tot

080

Fwd_

IAT_

Mean

089

Bwd_

IAT_

Mean

062

Bwd_

IAT_

Max

062

Bwd_

IAT_

Min

062

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

058

Active_Mean

01

Idle_M

ax050

Complexity 7

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity

Tabl

e4

Correlatio

ncoeffi


andattack

class

Features

Atta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckAtta

ckSrc_IP

055

Fwd_

Pkt_Len_

Min

050

Flow

_Pktss

050

Flow

_IAT_

Mean

050

Flow

_IAT_

Min

068

Fwd_

IAT_

Tot

069

Fwd_

IAT_

Mean

084

Bwd_

IAT_

Mean

063

Bwd_

IAT_

Max

063

Bwd_

IAT_

Min

063

Fwd_

PSH_F

lags

01

FIN_F

lag_Cnt

099

RST_

Flag_C

nt099

CWE_

Flag_C

ount

099

ECE_

Flag_C

nt099

Fwd_

Bytsb_A

vg01

Bwd_

Pktsb_A

vg01

Init_

Bwd_

Win_B

yts

053

Active_Mean

094

Idle_M

ax087

8 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity



f(x) tanh(x) 2

1 + eminus 2x

minus 1 (7)


Qj Max P0j P

1j P

2j P

3j P

tj1113872 1113873 (8)


j



Oi e

zi

1113936Mi1 e

zi (9)






1113872 1113873

ft sigma W(f)

+ Xt + U(f)

htminus1 + b(f)

1113872 1113873(10)



it sigma W(i)

+ Xt + U(i)

htminus1 + b(i)

1113872 1113873

mt tanh W(m)

+ Xt + U(m)

htminus1 + b(m)

1113872 1113873


(11)


ot sigma W(o)


1113872 1113873





Complexity 9


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity


3 Results






h(tndash1)

X(t)

h(tndash1)

X(t)

W(i)

σ

σU(i)

W(o)

U(o)

i(t)

h(tndash1)

X(t)h(t)

W(c)

U(c)

σ

f (t)

h(tndash1)

X(t)

W(f)

U(f)

cprime(t)

c(t)

o(t)

c(tndash1)

tanh

tanh+

deg

deg

deg





10 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity

accuracy TP + TN

FP + FN + TP + TN

specificity TN

TN + FPtimes 100

sensitivity TP

TP + FNtimes 100




TP + FNtimes 100

(13)







80 times 625783The


PSO method



20 times 625783


Flatten

Fully connected



Complexity 11








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity








438048

187735

Size

Size

Training Testing




12 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity




Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9101

485

False positive3003

160

False negative713

038



Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000

True negative9512

507

False positive2592

138

False negative3736

199


(a)

Nor

mal

Atta

ck

Normal Attack

160000

140000

120000

100000

80000

60000

40000

20000


False negative572

030

True negative9346

498

False positive2758

147

(b)




Complexity 13

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity

022

020

018

016

014

012

010

Accu

racy



(a)

Accu

racy


0225

0200

0175

0150

0125

0100

0075

0050


(b)


020

018016014012010

008006

Accu

racy




097

096

095

094

Accu

racy



(a)

Accu

racy



098

097

096

095

094

093

(b)


14 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity



0102030405060708090

100


Randomforest


(LSTM)

Proposedmodel

(LSTM)

Proposedmodel

(CNN-LSTM)

Models



Accu

racy


098

097

096

095

094

093





Complexity 15

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity

4 Conclusion



Data Availability




Acknowledgments


References



















16 Complexity






























Complexity 17




18 Complexity






























Complexity 17




18 Complexity




18 Complexity

intrusion detection system to advance internet of things

Documents