Weighted salp swarm algorithm with deep learning-powered cyber-threat detection for robust network security

1.   Introduction

The continuous development and wide-ranging utilization of the internet benefits several network users from several points of view ^[1]. In the meantime, security is highly significant with the vast exploitation of the network. Network security has undoubtedly been connected with programs, different information, networks, computers, and more, where the need for defense is to avoid adaptation and unauthorized access ^[2]. However, the increasing number of systems connected to the internet in e-Commerce, military and finance make them targets of network attacks, contributing to a lot of damage and risks ^[3]. Providing efficient approaches for identifying and protecting from attacks and maintaining network security is essential. Additionally, various categories of attacks have been frequently needed and processed in numerous ways ^[4]. Recognizing various types of network attack is the main problem that needs to be solved in network security, particularly those that have not been noticed. Researchers have recently employed different types of machine learning (ML) techniques for classifying network attacks without previous knowledge of their comprehensive features ^[5].

Internet of things (IoT) networks have continuously exposed and modified the topology by connecting nodes and exiting the network in real time ^[6]. The lack of centralized network control tools makes them susceptible to security attacks. IoT devices can have superior features, including limited data storage, connection bandwidth, smaller memory size, and restricted power supply ^[7]. These limitations considerably affect the efficiency of security protocols for IoT platforms concerning development and effectiveness. Consequently, a competent intrusion detection system (IDS) for IoT networks will probably emerge due to the lack of the computational power needed ^[8]. Cyberattacks are highly difficult to recognize, as hackers utilize cutting-edge methods to take sensitive data while avoiding identification by IDS. The interaction between internetworks has also been subject to cyber-security vulnerabilities. Consequently, a novel technique can be essential for attack prevention activities and earlier intrusion detection ^[9].

Machine learning and deep learning (DL) approaches are currently used for intrusion detection, network abnormality detection, and avoidance. The DL technique should be utilized to increase the accuracy and proficiency of IDS in IoT devices ^[10]. Since hyperparameter tuning of the DL model remains a challenging process, metaheuristic algorithms can be used, which in turn improves the overall detection performance. Some of the recently developed metaheuristics are Liver cancer algorithm (LCA) ^[11], slime mould algorithm (SMA) ^[12,13], moth search algorithm (MSA) ^[14], hunger games search (HGS) ^[15], Runge Kutta method (RUN) ^[16], colony predation algorithm (CPA) ^[17], weighted mean of vectors (INFO) ^[18], Harris Hawks optimization (HHO) ^[19], Rime optimization algorithm (RIME) ^[20,21], etc.

This article presents a weighted Salp swarm algorithm with a DL-powered cyber threat detection and classification (WSSADL-CTDC) technique for robust network security, utilizing a min-max normalization approach to scale data into even formats. In addition, it applies a shuffled frog leap algorithm (SFLA) to elect an optimum subset of features. The WSSADL-CTDC technique applies a hybrid convolutional autoencoder (CAE) model to identify and classify cyber threats. A WSSA-based hyperparameter tuning process can be employed to enhance the detection performance of the CAE model. The experimental analysis can be examined on a benchmark dataset.

● Uses SFLA to choose an optimum feature subset from the network security dataset. This process is crucial to mitigate the input data's dimensionality, enhance the technique's effectualness, and concentrate on the most appropriate features for recognizing cyber threats.

● Proposes a novel fusion CAE technique to detect and classify cyber threats within network traffic data. This method incorporates the robustness of convolutional neural networks (CNNs) and autoencoders (AEs), allowing for productive feature extraction and anomaly recognition in network data.

● The WSSADL-CTDC model augments the accomplishment of the CAE technique by implementing a WSSA-based hyperparameter tuning procedure.

The remaining sections of the article are arranged as follows: Section 2 offers the literature review, and Section 3 represents the proposed method. Then, Section 4 elaborates on the evaluation of the results, and Section 5 completes the work.

2.   Related works

In ^[22], an ensemble DL algorithm was developed that implements the gains of the long short-term memory (LSTM) and AE technique. The LSTM was implemented to create an architecture on a standard time series of data. Khan et al. ^[23] projected an AE-based identification model using recurrent and convolutional networks. A two-phase sliding window (SW) was employed. Malicious activities in the raw time series were converted to fixed-length series using a first-phase SW. All series were transformed into constant time-dependent sub-series through additional small SW. In classification, fully connected networks employ the removed temporal-spatial features. Bibi et al. ^[24] developed a well-organized, self-learning, autonomous multi-vector attack intelligence and identification method. An innovative convolutional LSTM2D technique powered by the computational integrated device model (ConvLSTM2D) is developed. Das et al. ^[25] introduced a novel transient search optimization (TSO) method enabled by the optimum stacked sparse AE (OSSAE) method. This technique followed the TSA-based feature selection method. Furthermore, the Transient search optimization-optimum stacked sparse AE (TSA-OSSAE) method implements the SSAE method. Lastly, the hyperparameters of the SSAE technique were selected using a multi-versus optimizer (MVO) approach.

In ^[26], the authors presented a graph pattern based on a technique equivalent to a deep hunter graph neural network (GNN) model. A GNN model was developed mainly with two new networks: feature embedding networks integrated with the indicators of compromise (IOC) data and graph embedding networks that took connections among IOCs. Ndife et al. ^[27] developed a Bayesian neural networks (BNNs) model called SGtechNet. Spatio-temporal feature engineering and uncertainty evaluation in Bayesian modeling are exploited. In ^[28], a two-stage IDS was developed. Initially, an adversarial training method was introduced employing the generative adversarial networks (GAN) method. In addition, a DL method was presented for the secondary detector to recognize intrusions. In ^[29], an IDS depended on DL, and a DL method for IDS was developed, employing the efficient recurrent neural networks (ERNN) method. Additionally, the effectiveness of the system in binary and multi-class classifications, as well as the count of neurons and diverse learning rate, has implications under the efficiency of the developed method. This technique relates the method to recurrent neural networks (RNN) and support vector machine (SVM) models.

Zhou et al. ^[30] proposed a model to build a continuous leakage-resilient identity-based encryption (IBE) model with tight security. In ^[31], a bioinspired motion-sensitive technique is presented, which comprises spatial and temporal perception of motion cues, employing simple visual signal processing. Li et al. ^[32] presented a model employing the multi-scale radial basis function (MRBF) and Fisher vector (FV) encoding. The high-resolution time-frequency approach gray level co-ocurrence matrix (GLCM) texture descriptors and FV extraction are also utilized. Chen et al. ^[33] introduced a Lung-Dense attention network (LDANet) method. The residual spatial attention (RSA) method is employed to weigh spatial data, and the weight of every channel is calibrated utilizing the gated channel attention (GCA) technique. A dual attention guidance module (DAGM) technique is constructed for maximization. A lightweight dense block (LDB) technique is also utilized. In ^[34], a deep neural network (DNN) model is proposed, which excels in a localized and sparse approximation. Savanovi et al. ^[35] proposed an optimized ML model employing an altered firefly model. In ^[36], a novel feature selection (FS) model is introduced, which improves the gorilla troops optimizer (GTO) by incorporating the bird swarm modeling (BSA) technique. Jovanovic et al. ^[37] proposed an improved firefly model to tune the extreme gradient boosting (XGBoost) technique.

3.   Proposed method

His article introduces an innovative method for robust network security WSSADL-CTDC. The technique aims to detect the presence of cyber threats and accomplish network security using metaheuristics with DL models. Figure 1 demonstrates the entire procedure of this approach.

3.1.   Min-max normalization

Primarily, the technique WSSADL-CTDC employs a min-max normalization approach to normalize data ^[38]. In this study, the input data is standardized from the ranges $0$ and $+1$ utilizing the specified Eq (3.1),

Here, $X_i$ is the observed input value, $X_{min}$ and $X_{max}$ refer to the maximum and minimum values of the descriptive variables, and $X_n$ represents the normalized input values at intervals of $[-1, +1]$.

3.2.   Feature selection

At this stage, the WSSADL-CTDC technique applies SFLA to elect an optimum feature subclass. SFLA has a new population-based metaheuristic approach ^[39] that Integrates the social behaviors of the particle swarm optimization (PSO) technique and the benefits of the memetic algorithm ^[40]. In this approach, a population can be a group of frogs that find optimum food by employing search strategies relevant to the PSO technique. The search process is performed by alternating frogs' intra- and inter-cluster transmission to find food. Intra-cluster transmission is performed within the memeplex for local invention, and inter-cluster transmission is performed among the frogs belonging to the dissimilar memeplexes for global exploration. In classical SFLA, consider that the early population was randomly generated with a $P$ number of frogs. Evaluate fitness values for every individual frog. Subsequently, arrange $P$ in descending sequence of the fitness values. The frogs are then distributed into an $M$ count of memeplexes, and every memeplex has $N$ frogs. Here, the frog distribution can be performed thus: The initial frog moves to the initial memeplex, the next frog moves to the initial memeplex, frog $M$ goes to the $M^{th}$ memeplex and frog $M+1$ goes to the initial memeplex, up to the last frog. In every memeplex, $X_b$ and $X_w$ are the best and worst frogs based on fitness. $X_g$ represents the frog with global fitness $X$. The position of the worst frog has been updated according to the random position or position of the global or local best frog so that the frog can move to the optimum solution. This can be mathematically modeled as the set of Eqs (3.2) and (3.3).

In Eq (3.3), $Stp$ denotes the size of the leaping step of the frog with $[-1, 1]$. $rand()$ represents the random integer. If $X_w(new)$ generates the best solution, it replaces $X_w$. Otherwise, the computations in Eqs (3.2) and (3.3) are reiterated by replacing $X_b$ with $X_g$. The new random solution can be replaced with $X_w$ if there is no improvement. Thus, each memeplex is shuffled together to exchange data and generate a new population for the following search ranges.

In this SFLA method, the objectives could be incorporated into a single objective equation, such as a preset weight that recognizes the significance of all the objectives ^[41]. In this study, an fitness function (FF) is implemented to integrate these FS objectives, as represented in Eq (3.4),

Here, $Fitness(X)$ denotes the fitness value of $X$, $|R|$ and $|N|$ which have the number of particular features $\alpha$, and $\beta$ describes the weights of the classification error. $E(X)$ signifies the classification error rate employing the preferred features in the $X$ subset, as well as the number of new features in the dataset and the reduction ratio $\alpha \in [0, 1]$ and $\beta = (1 - \alpha)$.

3.3.   Classification using CAE model

The WSSADL-CTDC technique applies a hybrid CAE model for the detection and classification of cyber threats. AE is a self-directed learning procedure that utilizes a neural network (NN) for representation learning ^[42]. It has a method for a model to learn how to encrypt input data. AEs have been used to map input data to low‐dimension spaces or representations of reduced areas. To fix this, a bottleneck is presented that implements a method to learn the condensed area of the input data. Figure 2 illustrates the CAE infrastructure.

An AE includes four modules: bottleneck layer (BL), encoder network (EN), reconstruction loss (RL), and decoder network (DN). EN is an NN that encrypts input data in a condensed area. The BL is the latter layer; the output is called encoded input data. $N$ layers in an EN in which the latter layer (i.e., $N^{th}$ layer) is BL. The arithmetical calculation used to signify the functioning of every layer existing in the EN can be revealed in Eq (3.5),

where $X_{e_i}$ denotes the input for the EN layer $i^{th}$, $f_{e_i}$ denotes the activation function for the layer $i^{th}$, $b_{e_i}$ is the bias for the layer $i^{th}$, $WV_{e_i}$ signifies the weight vector for the $i^{th}$ layer, and $X_{e_i+1}$ refers to the output of the layer $i^{th}$. DN is also known as an NN that consumes the output of the BL as input and attempts to renovate the original data. The number of layers in DN is similar to the number in the EN, in the opposite order. The last layer of the DN offers a loud regeneration of input data. The scientific expression used to signify the functioning of every layer existing in the DN is presented in Eq (3.6),

where $X_{d_i}$ denotes the input for the DN layer $i^{th}$, $X$ refers to the output of the layer $i^{th}$, $f_{d_i}$ refers to the activation function for the $i^{th}$ layer, $b_{d_i}$ represents the bias for the $i^{th}$ layer, and $WV_{d_i}$ signifies the weight vector for the layer $i^{th}$. The dissimilarity between the original data $X^O$ and the renovated data $X^R$ is termed RL. The AE is trained by employing the backpropagation algorithm to reduce the RL.

Mean squared error (MSE) and binary cross‐entropy (BCE) losses are dual, highly employed loss functions to calculate RL. These dual loss function formulas have been exposed in Eqs (3.7) and (3.8), while $D$ denotes the number of samples in a dataset used by the AE,

3.4.   WSSA-based hyperparameter tuning

Eventually, the WSSA-based hyperparameter tuning process can be employed. SSA is a recent metaheuristic optimization technique introduced by Mirjalili et al. ^[43]. SSA must be stimulated by the navigation and swarming behaviors of salps in the oceans for food. The individual salp belongs to the Salpidae family and has a bottle-shaped body. Salps form chains, similar to flocks or swarms, in the deep ocean for foraging and navigation. The leader and followers are two levels of the salp chain. During navigation, the leaders are guided by the swarm (followers) in a multidimensional search range, resulting in the optimum solution (food source) for the optimizer problems. SSA begins with a random solution and later reinvents the search for optimum fitness of salps by exploiting and exploring the search range. The salp moves in the N‐dimension search range and updates the leader location according to the distance between a food source and the salp as Eq (3.9),

● $X_i^1$ - denotes the leader's location in the $i^{th}$ location.

● $ub_i, lb_i$ - shows the upper and lower bounds of $i^{th}$ location.

● $F_i$ - represents the food source location in $i^{th}$ location.

● $r_1$ parameter - balances the exploration and exploitation in searching space.

● $r_1, r_2, r_3$ - refer to random numbers (see Eq (3.10)), where $L$ refers to the maximal iteration count, and $l$ denotes the existing iteration,

Newton's law of motion updates the follower's location in Eq (3.11),

● $v_0$ represents the initial speed;

● $x_i^j$ denotes the location of the $j^{th}$ follower at the $i^{th}$ dimension;

● $t$ is the iteration;

In SSA, salp forms chains for the foraging process. Salp navigates through the jet propulsion process. Based on the available information from the neighborhood, the leader updates the location with food sources. In a typical SSA approach, the follower salp updates the area according to Newton's law of motion. The model's ability to find solutions for the global search process is compromised due to its lost inertia parameter. Inertia controls the speed and direction of the object. However, such an approach only works well for multimodal and unimodal issues of smaller dimensions. However, this provides poor outcomes for high-dimension difficulties, representing poor convergence. Thus, the location update formula should be modified in all iterations to achieve the optimum solution.

Here, a WSSA has been introduced according to weighted distance location updating to enhance the efficiency of traditional SSA. This model boosts the variety of the original SSA. The weighted location updating parameter was developed based on the findings of Shi and Eberhart (1998). The author initially established the idea of inertia weight and stated that it provides the best control through exploitation and exploration processes. The position updating approach can be adapted as a weighted sum of optimum positions rather than implementing averages to improve the search capability of a typical SSA. This approach can be obtained by evaluating the weight according to the coefficient vectors $C_1, C_2,$ and $C_3$. Location updating is modeled as the set of Eqs (3.13) to (3.16),

This weighted location-update approach balances searching agents' exploitation and exploration capabilities. Furthermore, it improves the convergence rate and leads to better SSA performance.

The WSSA algorithm has obtained an FF to achieve increased classification effectiveness. It evaluates a positive integer to denote the higher efficiency of the candidate solutions. The decrease in the classifier error rate can be measured as FF, as shown in Eq (3.17),

4.   Performance validation

The performance analysis of the WSSADL-CTDC system can be examined using the network-based detection of IoT botnet attacks (N-BaIoT) dataset ^[44]. It includes 11 classes with 1000 samples for each class, as defined in Table 1. The suggested technique is simulated using the Python 3.6.5 tool on PC i5-8600k, 250GB SSD, GeForce 1050Ti 4GB, 16GB RAM, and 1TB HDD. The parameter settings are provided: learning rate: 0.01, activation: ReLU, epoch count: 50, dropout: 0.5, and batch size: 5.

Figure 3 shows the confusion matrices acquired by the WSSADL-CTDC system with 80:20 and 70:30 of true positive rate per hour / true negative rate per hour (TRPH/TSPH) under the N-BaIoT dataset. The completed findings show effective recognition with 11 classes.

The results of cyber threat detection of the WSSADL-CTDC technique in the N-BaIoT dataset are shown in Table 2 and Figure 4. The results obtained show that the WSSADL-CTDC system achieves effective findings in each class. According to 80% of TRPH, the WSSADL-CTDC method obtains an average $Acc$ of 98.86%, $Prec$ of 93.76%, $Recall$ of 93.73%, $F-Score$ of 93.74%, and Matthews correlation coefficient ($MCC$) of 93.12%. In addition, on 20% of TSPH, the WSSADL-CTDC algorithm gains an average $Acc$ of 99.13%, $Prec$ of 95.23%, $Recall$ of 95.25%, $F-Score$ of 95.23%, and $MCC$ of 94.76%, respectively.

The cyber threat detection analysis of the WSSADL-CTDC technique in the N-BaIoT dataset can be seen in Table 3 and Figure 5. The results obtained show that the WSSADL-CTDC system obtains adequate results in all classes. According to 70% of TRPH, the WSSADL-CTDC algorithm receives an average $Acc$ of 98. 22%, $Prec$ of 90. 22%, $Recall$ of 90. 21%, $F-Score$ of 90. 20%, and $MCC$ of 89.23%. Furthermore, based on 30% of TSPH, the WSSADL-CTDC method acquires an average $Acc$ of 98. 07%, $Prec$ of 89. 39%, $Recall$ of 89. 44%, $F-Score$ of 89. 39%, and $MCC$ of 88. 34%, respectively.

The $Acc$ curves for training (TR) and validation (VL) are illustrated in Figure 6 for the WSSADL-CTDC methodology with the N-BaIoT dataset providing valuable insight into its performance on various epochs. Specifically, it shows constant improvement at both TR and testing (TS) $Acc$ with improving epochs, demonstrating the model's proficiency in learning and recognizing patterns in both TR and TS data. The upward trend in TS $Acc$ emphasizes the model adaptability to the TR dataset and its ability to generate correct predictions on unnoticed data, underscoring the robust generalization capabilities.

Figure 7 displays a wide-ranging overview of the TR and TS loss values for the WSSADL-CTDC algorithm with the N-BaIoT dataset at different epochs. The TR loss is reliably minimized as the model refines its weights to decrease classification errors in both datasets. The loss curves exemplify the alignment of the model with TR data, highlighting its ability to capture patterns efficiently. Consider the continuous improvement of parameters in the WSSADL-CTDC technique, which aims to diminish the discrepancies between predictions and actual TR labels.

Regarding the precision-recall (PR) curve in Figure 8, the findings confirm that the WSSADL-CTDC system in the N-BaIoT dataset consistently achieves increased PR values in every class. These findings emphasize the model's better capacity to discriminate among diverse classes, underscoring its efficiency in accurately recognizing class labels.

Furthermore, in Figure 9, receiver operating characteristic (ROC) curves produced by the WSSADL-CTDC technique are denoted under the N-BaIoT dataset, representing its proficiency in differentiating between classes. These curves offer valuable insights into how the trade-off between false positive rate (FPR) and true positive rate (TPR) differs through diverse classification epochs and thresholds. The results underscore the accuracy of the model's classification on numerous class labels, emphasizing its efficacy in covering diverse classification challenges.

The detailed comparative statement of the WSSADL-CTDC technique with existing ones under the N-BaIoT dataset is given in Table 4 and Figure 10 ^[42]. These outcomes infer that the WSSADL-CTDC system performs better than other systems. It is noted that the deep belief network (DBN), LSTM, bat algorithm (BA)-NN, and PSO-NN models perform poorly, whereas the lightweight gradient-based algorithm (LGBA)-NN and multi-factor optimization random error linear model (MFO-RELM) models achieve reasonable results. However, the WSSADL-CTDC technique performs better with a maximum $Acc$ of 99.13%, $Prec$ of 95.23%, $Recall$ of 95.25%, and $F-Score$ of 95.23%.

The computation time (CT) analysis of the WSSADL-CTDC methodology can be compared with other systems, as described in Table 5 and Figure 11. The findings show that the WSSADL-CTDC technique obtains a CT decrease of 0.46 s. Alternatively, the DBN, LSTM, BA-NN, PSO-NN, LGBA-NN, and MFO-RELM algorithms gain improved CT expressed in seconds units 4.67, 3.65, 2.64, 2.89, 2.71, and 1.94, respectively. Consequently, the WSSADL-CTDC method has been employed for superior performance over other compared algorithms.

These results state that the WSSADL-CTDC technique improves the network security performance.

5.   Conclusions

This article introduces an innovative WSSADL-CTDC method for robust network security. The WSSADL-CTDC technique aims to detect the presence of cyber threats and accomplish network security using metaheuristics with DL models. To achieve this, the WSSADL-CTDC technique implements a min-max normalization approach to scale the data into a uniform format. In addition, the WSSADL-CTDC technique applies SFLA to elect an optimal subset of features. The WSSADL-CTDC technique applies a hybrid CAE model for cyber threat detection and classification. A WSSA-based hyperparameter tuning method can be employed to enhance the detection performance of the CAE model. The simulation result of the WSSADL-CTDC technique can be evaluated under the benchmark dataset. The extensive analysis of the results found that the WSSADL-CTDC technique performed better than comparable methods on different measures. The WSSADL-CTDC technique may encounter scalability threats with more extensive datasets and benefit from real-time utilization optimizations in dynamic network environments. Future studies may focus on improving scalability and enabling real-time deployment.

Author contributions

Maha M. Althobaiti: Conceptualization, validation, formal analysis, investigation, resources, software, writing–original draft, writing–review & editing; José Escorcia-Gutierrez: Methodology, validation, formal analysis, investigation, visualization, writing–original draft, writing–review & editing. All authors have read and approved the final version of the manuscript for publication.

Use of AI tools declaration

During the revision of this work, the authors used the writefull language check embedded in Overleaf to improve English grammar, proofread and rephrase certain sentences in order to minimize the iThenticate similarity index. Following the use of these tools and services, the authors reviewed and edited the content as necessary, assuming full responsibility for the content of the publication.

Acknowledgments

The authors would like to acknowledge the Deanship of Graduate Studies and Scientific Research, Taif University for funding this work.

Conflict of interest

The authors declare that they have no conflict of interest. The manuscript was written with the contributions of all authors. All authors have approved the final version of the manuscript.