Machine learning based intrusion detection framework for detecting security attacks in internet of things (2025)

Internet of Things (IoT) provides a connectivity of physical moving things known as “Things” that are equipped with sensors,electronic chips, and other types of technology¹. Machine learning improves Intrusion Detection System (IDS) systems by enhancing threat detection, reducing false positives, and adapting to evolving threats, which are distributed among Internet of things(IoT), devices, edge nodes, and cloud nodes. For device connection, different protocols used for providing protection susceptibility, can brunt the entire scheme in IoT systems². For purchaser usage, the Internet of Things is a combination of cloud-connected embedded systems to entrance IT-relevant services by the consolidation of electronics-related things and internet protocol³. Due to its scarcity of elementary defense protocols, IoT devices are unprotected targets for cybercriminals and attackers^4,5. That alludes, to IoT being hacked by botnets used to launch DDoS against entities⁶. To overcome these problems, an Intrusion Detection System (IDS) is a suitable solution. In general, the IDS consents sleuthing apprehensive or anomalous happenings which activates an alarm when an interruption transpires⁷. The enactment of IDSs for IoT is more problematic than other schemes as IoT devices are habitually premeditated to be minuscule and economical, and it does not have sufficient hardware possessions⁸. The traditional models for instance;^11,12,13 do not provide sufficient accuracy and it increases the computation time. To overcome this problem, Here we propose a machine learning-based intrusion detection framework that facilitates to recognition of different types of intruders⁹. At first, the IoT data are gathered via the dataset of Bot-IoT¹⁰. Afterward, the data are fed to pre-processing. In pre-processing, it restored the missing value utilizing the local least squares method. The preprocessing output is fed to feature selection. Here, optimum features are selected based on the War Strategy Optimization Algorithm. Based on the optimum features, the intruders of IoT data are categorized into normal and anomalous data with the help of SAPGAN. The proposed SAPGAN-IDS-IoT approach is implemented in Python utilizing the dataset of Bot-IoT. The performance metrics, like accuracy, F1-score, RoC, and computational time are examined to validate the proposed efficiency. The obtained results of the proposed SAPGAN-IDS-IoT approach are analyzed with existing systems, like Design and development of a deep learning-based method for anomaly identification in IoT networks (CNN-IDS-IoT)¹¹; intrusion detection scheme for IoT botnet attacks utilizing deep learning (DNN-IDS-IoT)¹² and Chronological Salp swarm algorithm based deep belief network for intrusion detection in cloud under fuzzy entropy (DBN-CSSA-IDS-IoT)¹³ respectively. Industrial IoT networks lack protection against cyber threats, necessitating the development of Intrusion Detection Systems. Three models, using CNN, LSTM, and a hybrid combination, detect intrusions in IIoT networks.²⁵, in this article author presents a hybrid intrusion detection system utilizing a combination of CNN and LSTM for industrial IoT networks. Author introduces an autoencoder-based intrusion detection system model for detecting security anomalies in critical infrastructures, demonstrating its accuracy in attack detection using the UNSW-NB15 dataset.²⁶, here we proposed WSOA, Based upon the optimum features, the intruders were categorized into two categories named Anomaly and Normal using the proposed framework.

The key contributions of this manuscript are given briefly:

• Herein, we propose a machine learning-based Intrusion detection framework named SAPGAN for Identifying intruders in IoT network. our proposed model classify the network traffic to normal or abnormal. Numerous attacks are assembled, including camera-based flood, DDoS, RTSP brute force, etc. Applying feature selection methods to improve the IDS performance of IoT network devices. Hence, we examined multiple ML algorithms to determine the most accurate and efficient learners for building an efficient IDS to detect attacks on IoT devices within IoT network data.

• Herein, we design a framework that receive raw and preprocess data using local least square method. The key features were extracted in feature selection phase. A modified WSOA is applied. Finally the intruders were extracted. We have launched different attacks and found that proposed model is efficient.

• We evaluated four supervised models using data preprocessing and feature selection methods. The performance evaluation includes accuracy, precision, recall, and F1-score metrics.

The remaining manuscript is arranged as Segment 2 analyses the literature survey, the proposed method is described in Segment 3, the outcomes and discussion are demonstrated in Segment 4, and the conclusion is presented in Segment 5.

Numerous research works were suggested in the literature related to deep learning-based intrusion detection in IoT; a few recent works are expressed here, In 2021, Ullah, I.et.al.,¹¹ suggested the design and development of a deep learning-based method for anomaly identification in Internet of Things networks. Here, the BoT-IoT dataset was taken and it was given to the pre-processing segment for retrieving the missing value. Then the pre-processed output was given a Recursive Feature Elimination (RFE)feature selection system. In which, the optimal features were selected. Then Convolutional Neural Network (CNN) classifier was utilized as IDS for detecting intruders in the IoT network. It provides high accuracy and low F-score. In 2021, Shareena, J.et.al.,¹² presented an intrusion detection scheme for IoT botnet attacks with the help of deep learning. Here, the BoT-IoT dataset was taken and it was given to the pre-processing segment for retrieving the missing value. Then the pre-processed output was given to a Deep Neural Network (DNN)) classifier, which was utilized as IDS for detecting intruders in IoT networks. It provides a high F-score with low computation time. In 2022, Karuppusamy, L.et.al.,¹³ presented a Chronological salp swarm approach based deep belief network (CSSA-DBN) for intrusion detection in the cloud utilizing fuzzy entropy. Here, the BoT-IoT dataset was taken and it was given to the pre-processing segment for retrieving the missing value. Then the pre-processed output was given to the Fuzzy entropy feature selection system. In which, the optimal features were selected. Then the CSSA-DBN classifier was utilized as IDS for detecting intruders in the IoT network. It provides a high Area under curve value and low accuracy.

Table 1 discuss the existing methods for classifying IoT attacks. The literature primarily explores potential solutions based on IoT standards, technologies, architecture types, security threats, machine learning approaches, datasets, and implementation tools. Support Vector Machine (SVM) is a machine learning technique used to detect network intrusions and cyber-attacks, offering a second line of defense and alternative detection methods. Analytical study on support vector machine (SVM)-based intrusion detection techniques, involving data collection, preprocessing, training and testing, and decision-making steps in network intrusion detection systems.¹⁷ The increasing frequency of network attacks necessitates the development of intrusion detection systems (IDS) to actively detect intrusions and attacks in networks or intranets, which can be classified as known or unknown.¹⁸. IDS is distributed among IoT devices, edge nodes, and cloud nodes, using lightweight detectors, Smart Data concepts, and cloud clustering. ML models detect unusual IoT activity, preventing security breaches and prompting appropriate responses.

The proposed SAPGAN-IDS-IoT framework is shown in Fig.1. The proposed SAPGAN-IDS-IoT workflow is dived into steps. The expliantion details are given as below.

Data acquisition

In this step, at first the BoT-IoT dataset is considered. This dataset is developed through a realistic IoT network environment together with 5IoT scenarios: weather station, smart fridge, smart thermostat, remotely activated, motion-activated lights. The environment incorporates is normal with botnet traffic. The dataset contains 3,668,522 samples, which comprise kinds of attacks: DDoS (HTTP, TCP, and UDP), DoS (HTTP, TCP, and UDP), OS, Service Scan, Keylogging, Data exfiltration, and normal data.

Pre-processing phase

In this section, local least squares espoused pre-processing is described. Here missing value renewal is gawked as an imperious trepidation in the BoT-IoT dataset¹⁴. It uses \(P\) similarity records and then it employs regression and estimation of how the \(P\) records are selected. By this, the missing value can be restored using Pearson correlation coefficients. Then, the pre-processed IoT data is fed as input for feature selection.

Feature selection

This is used to categorize and eradicate extraneous and superfluous traits as innovative feature vectors that do not contain considerable influence to augment the efficiency of an intrusion detection system. Reducing overfitting and training periods, also improving detection accuracy are the main objectives of the War Strategy Optimization Algorithm.

Figure1 shows the proposed framework SAPGAN-IDS-IoT approach, It contains the training phase, the training phase contains data acquisition, pre-processing and feature selection method, and is connected with Intrusion detection system using self-attention based progressive generative adversarial network ant accept the testing data. The data mining and analysis tool ‘Weka’ is utilized as the primary tool for simulation. Weka provides a comprehensive environment for performing data analysis and ML tasks.

War Strategy Optimization Algorithm (WSOA) is a metaheuristic optimization algorithm in terms of ancient war strategy¹⁵. Fitness functions describe how close an architecture is to achieving an architectural aim. whale optimization with seagull algorithm (WSOA), for solving global optimization problems. Initially, the features of the BoT-IoT dataset are initialized with soldier size as 25 and maximum iteration as 500. After the initialization process, the input features of the BoT-IoT dataset are randomly created through the WSOA Algorithm. Then the Fitness function is assessed based on the following Eq.(1)

Then select the King with the preeminent fitness and the Chief Commander with the second-best fitness. Subsequently, choosing the king and chief commander, check the iteration reached as maximum i.e., selecting the optimal features, if it reached means the process is terminated otherwise go to the next step of soldier size checking. If the soldiers’ size is gratify means going to the next step of updation. The situation of soldier size is contented means and then updates the king and commander position. If it does not satisfy the condition then goes to exploitation and investigation. The exploitation phase is assessed based on the following Eq.(2)

where \(z_{n} (x + 1)\) is the new position, \(z_{n} (x)\) is the preceding location of Army chief, \(king\) represents the position of the king, \(Wt_{n}\) denotes weight and value is \(Wt_{n} = {{2 \times {\text ones\, (1, \, soldier size})}}\), the value of \(\alpha\) is 0.5. Then the investigation phase is assessed based on the following Eq.(3)

After updation, check the fitness of each soldier based on Eq.(4), if the fitness is better than the previous one then update the weight factor based on Eq.(6), otherwise it goes to check the size of the soldier based on Eq.(5), up to best fitness found, steps are repeated.

where \(N_{PS}\) depicts the new position of a soldier and \(P_{PS}\) depicts the previous position of a soldier. If a soldier updates successfully the position, then soldier ranks are accessed based on the following Eq.(5),

where, \(Rank_{n}\) represents the soldier’s rank. By this, new weight can be determined based on the following Eq.(6)

Then the replacement of weak soldier is accessed based on the following Eq.(7)

The weak soldiers are replaced with new ones and the iteration is. By this, the optimal feature is selected depending on the Hybrid WSOA Algorithm iteratively repeats until fulfill \(Max\,\,Itrn = Max\,\,Itrn + 1\) halting criteria. Then, the selected features are given as the input for the intrusion detection system. If all the processes are achieved it will select the accurate feature for attaining better intrusion detection of IoT. Table 2 tabulates the selected features.

The selected features are specified as the input of the Intrusion detection scheme.

Incorporation of generative adversarial network (GAN) in SAPGAN

In this subsection, we proposed SAPGAN framework. The proposed SAPGAN framework contains a generator \(Gnr\) and a discriminator \(Dmtr\). The Generative Adversarial Network (GAN) design encompasses of convolution technique that is set in multi-layers to attain the order of designated features from WSOA. By this, it is knowledgeable over an arrangement of convolution procedure. Subsequently, the corporeal deceitful of convolutional filters, the IoT data crusade in CNNs is inhibited in local neighbor areas, which bound the entire classification of IoT intrusion¹⁶. Consequently, self-attention is exploited that accomplish appreciation for the convolution procedure. Equally, liberal training lessens the extent of training, in the meantime extra iterations are made in lesser action space, and in this the network size is miniature. Adopt the formed samples data are represented as \(IoT\,D(a)\) and the original IoT data are depicted as \(OD\). Aimed at the Z-layer discriminator \(Dmtr\), the domain discrepancy (DD) is done based on the following Eq.(8)

where, \(Dmtr_{m} (OD)\) describes the features from the discriminator by middle layer inspiration. Now, the ultimate mean incongruity (UMI) loss function is subjugated for domain discrepancy (DD), which actions the detachments among two probability distributions from formed IoT samples data and the reference IoT samples data. The UMI accomplishes its smallest zero if the original IoT data samples and formed IoT data samples are equal. The fitness function for the discriminator can be expressed as the following Eq.(9),

where \(Knl\) portrays the kernel, which trials the resemblance between two IoT data. Customarily, the discriminator predictable diminishes the \({\rm E}_{OD,IoT\,D} \left[ {Knl_{Dmtr} \left( {OD,IoT\,D} \right)} \right]\), which forces the used data left from the original IoT data for deploying the loss function. In the interim, the discriminator diminishes the intra-class absurdity by prompting \({\rm E}_{{IoT\,D,IoT\,D^{ * } }}\) and \({\rm E}_{{OD,OD^{ * } }} \left[ {Knl_{Dmtr} \left( {OD,OD^{ * } } \right)} \right]\).

Correspondingly, the loss function for the generator is stated in the following Eq.(10)

By this, ultimate mean incongruity (UMI) fostered domain discrepancy (DD) weakens the detachments among two probability deliveries from formed IoT data samples and the reference IoT data. Participating self-attention mechanism explains the Progressive Generative Adversarial Network to prominence on target networks, whereas, the discriminator implicitly attains to engulfun suitable data in the input IoT data. The self-attention mechanism is amalgamated erstwhile the discriminator’s Down-sample layer and afterward the generator’s Up-sample layer. To broaden the importance of formed IoT data (FIoTD) samples, the self-attention mechanism is dominated based on the following Eq.(11)

where \(\alpha\) illustrates the updated weight functions, \(W_{1} ,W_{2} ,W_{3}\) and describes the convolution weights with the kernel sizes of \(1 \times 1\). The final loss function is dominated based on the following Eq.(12)

By this, the proposed SAPGAN classifier classifies the IoT data as DDoS (HTTP, TCP, UDP), DoS (HTTP, TCP, UDP), OS, Service Scan, Keylogging with Data exfiltration, and normal data.

In this section, we discuss experimental results. We have used 2.50GHz CPU, Intel Core i5, 8GB RAM, and Windows 7 for the experiemntation. The proposed SAPGAN-IDS-IoT approach is implemented in Python utilizing the BoT-IoT dataset. The performance metrics are examined to verify the efficiency of the proposed method. The derived outcomes of the proposed SAPGAN-IDS-IoT approach are analyzed with existing systems, like CNN-IDS-IoT¹¹; DNN-IDS-IoT¹², and DBN-CSSA-IDS-IoT¹³ respectively.

Dataset description

The data is gathered from the dataset of BoT-IoT. It encompasses 3,668,522 archives. Out of which, 50% of data is selected for training purposes and 50% of data for testing purposes.

Performance measures

This is a significant task for best classifier selection. To examine the performance, the performance metrics, like accuracy, RoC, F1-score, and computational time are examined. To determine the performance metrics, the given confusion matrix is needed.

• True Positive (TP): Count of samples wherever the predicted class labels are attacked, then a real class label is exact.

• True Negative (TN): Count of samples wherever the predicted class label is normal, then a real class label is exact.

• False Positive (FP): Count of instances wherever the predicted class labels are attacked, then a real class label is inexact.

• False Negative (FN): count of instances wherever the predicted class label is normal, then the real class label is inexact.

Accuracy

This is computed via the following Eq.(13)

F1 score

This is determined by Eq.(14)

AUC

AUC may be computed through the aid of Eq.(15)

Figure2 depicts the simulation results of the proposed SAPGAN-IDS-IoT method. Then, the proposed SAPGAN-IDS-IoT method is analyzed with existing CNN-IDS-IoT¹¹, DNN-IDS-IoT¹², and DBN-CSSA-IDS-IoT¹³ respectively.

Figure2 depicts the accuracy analysis. Here the proposed SAPGAN-IDS-IoT method attains 18.67%, 30.84% and 14.45% higher accuracy for DoS-HTTP attack; 23.47%, 11.84%, and 15.59%, higher accuracy for DoS-TCP attack; 19.38%, 18,53% and 21.56% higher accuracy for DoS-UDP attack;25.79%, 23.15% and 16.05% higher accuracy for DDoS-HTTP attack; 19.45%, 25.45%, and 15.74%, better accuracy for DDoS-TCP attack; 15.36%, 24.65% and 29.57% higher accuracy for DDoS-UDP attack; 13.84%, 15.54% and 18.25%, higher accuracy for OS Fingerprinting attack; 17.87%, 13.98% and 23.98% higher accuracy for Server Scanning attack; 17.25%, 22.36% and 19.56% higher accuracy for Keylogging attack; 11.83%, 19.65% and 26.54% higher accuracy for Data Theft attack;16.98%, 19.76%, and 24.76% higher accuracy for normal compared with the existing CNN-IDS-IoT, DNN-IDS-IoT, and DBN-CSSA-IDS-IoT methods respectively.

Figure3 depicts the F-score analysis. Here the proposed SAPGAN-IDS-IoT method attains 14.74%, 20.63% and 17.98% better F-score for DoS-HTTP attack; 16.98%, 27.45%, 17.34% better F-score for DoS-TCP attack; 13.56%,23.87%, 10.87% better F-score for DoS-UDP attack;18.98&, 26.23% and 15.85% better F-score for DDoS-HTTP attack; 11.89%, 25.67% and 16.87% better F-score for DDoS-TCP attack; 17.98%, 14.56% and 19.45% better F-score for DDoS-UDP attack; 15.87%, 28.98%, 12.76%better F-score for OS Fingerprinting attack; 13.23%, 16.98% and 29.65% higher F-score for Server Scanning attack; 26.67%, 17.76% and 20.67% better F-score for Keylogging attack; 17.65%, 24.67%, 18.67% better F-score for Data Theft attack;25.56%, 12.56% and 27.65% better F-score for normal analyzed to the existing CNN-IDS-IoT, DNN-IDS-IoT and DBN-CSSA-IDS-IoT methods respectively.

Figure4 depicts the computational time analysis. Here the proposed SAPGAN-IDS-IoT method attains 14.46%, 26.76%, and 13.65% lower Computational Time compared with existing methods such CNN-IDS-IoT, DNN-IDS-IoT and DBN-CSSA-IDS-IoT methods respectively. Figure5 depicts the RoC analysis. Here the proposed SAPGAN-IDS-IoT method attains 15.45%, 21.55% and 17.79%, higher AUC estimated to the existing methods named CNN-IDS-IoT, DNN-IDS-IoT and DBN-CSSA-IDS-IoT methods respectively.

Authors and Affiliations

1. Deparment of AI&ML, BMS Institute of Technology and Management (Affiliated to Visvesvaraya Technological University, Belagavi), Bengaluru, India

   V. Kantharaju&M. Niranjanamurthy

2. Department of ISE, KNS Institute of Technology, Bengaluru, 560064, India

   H. Suresh

3. Department of Management studies, University of Kashmir, North campus, Delina, India

   Syed Immamul Ansarullah

4. School of Computer Science and Engineering, Yeungnam University, Gyeongsan, 38541, Korea

   Farhan Amin

5. Department of Information Systems, College of Computer and Information Science, King Saud University, 11543, Riyadh, Saudi Arabia

   Amerah Alabrah

Contributions

Kantharaju V.Farhan Amin. and Suresh Niranjanamurthy M. wrote the main manuscript text and Syed Immamul Ansarullah.Amerah Alabrah. prepared figures 1-3. All authors reviewed the manuscript.

Corresponding authors

Correspondence to Farhan Amin or Amerah Alabrah.

Competing interests

Authors declare that there is no conflict of interest.

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.

Reprints and permissions