Threat analysis model to control IoT network routing attacks through deep learning approach

Abstract

Most of the recent research has focused on the Internet of Things (IoT) and its applications. The open interface and network connectivity of the interconnected systems under the IoT network make them vulnerable to hackers. A model has been proposed to identify and classify IoT routing attacks. To generate IoT routing datasets, the Cooja simulator is used at first. The IoT routing dataset is then augmented into larger volumes using ADASYN, which is also used to solve the class imbalance problems. A deep learning hybrid model based on a Long-Short-Term Memory (LSTM) network and adaptive Mayfly Optimization Algorithm (LAMOA) was presented for the classification of IoT attacks. The adaptive MOA adjusts the weights in the various layers of the LSTM network and the Fully Connected Layer with SoftMax Classification. As part of the validation process, the proposed model was also compared with benchmark datasets NSL-KDD, BoT-IoT, and IoT-23. Using benchmark datasets, LAMOA achieved 99.94% accuracy for multiclassifications, 99.92% accuracy for binary classifications, and 98.42% accuracy for real-time datasets. Compared to other models, our proposed model significantly improves the accuracy of each attack's classification by 5–10%.

GRAPHICAL ABSTRACT

KEYWORDS:

• Adaptive mayfly optimisation
• Adam optimisation
• Deep Learning
• Threat Analysis Model
• IoT Routing attack
• LAMOA

1. Introduction

IoT is the cornerstone for next-generation technologies. IoT application like Smart villages provide real-time data analysis and automating selection in agriculture, healthcare and education, transportation, environmental, and power, many wireless sensor devices use wireless internet, so they may not resist all assaults (Aljuhani et al., 2022). The IoT connects physical objects with individual identities and functions through the internet. Sensing, actuating, exchanging information, analysing and processing data are activities. The communication path should be safeguarded since the IoT collects critical data. Intruders potentially misuse network communications. A routing protocol is used by the nodes in the network to talk to each other. There are two types of routing in the IoT systems: proactive (using a dynamic path selection process) and reactive (sending nodes trigger the route discovery). RPL is an IPv6 routing protocol that is utilised in Internet of Things environments (Xin et al., 2022), RPL is considered to be part of the proactive group that actively searches for the route path. Using the RPL routing protocol in IoT led to sinkhole, Sybil, selective forwarding, black hole, hello flood, wormhole, rank, and version number attacks. The IoT connects physical objects with individual identities and functions through the internet. Sensing, actuating, exchanging information, analysing and processing data are activities. The communication path should be safeguarded since the IoT collects critical data. Intruders potentially misuse network communications. A routing protocol is used by the nodes in the network to talk to each other. There are two types of routing in the IoT systems: proactive (using a dynamic path selection process) and reactive (sending nodes trigger the route discovery). RPL is a routing protocol for IPv6 that is used in Internet of Things environments (Krishnaveni & Prabakaran, 2021), Low Power and Lossy Networks (RPL) are considered to be part of the proactive group that actively searches for the route path. Sinkhole, Sybil, selective forwarding, black hole, hello flood, wormhole, rank, and version number attacks happened when IoT devices used the RPL routing protocol.

DL algorithms have led to the development of long-short term memory networks (LSTMs) from recurrent neural networks (RNNs) as a model that can learn patterns in long sections. LSTMs can do this because they evolved from RNNs. It is possible to use LSTM networks to learn features and patterns in network data so that they can be used to classify them as either normal or attacked (Wu et al., 2022; Wang & Zhang 2022). LSTM is a DL (Deep Learning) algorithm, which means that it doesn't have to do as much work with features as classical machine learning because it works with raw data. That's also obvious from this: The LSTM network is hard to break into because attackers can't use feature learning algorithms to improve their own methods of breaking into it. The Internet of Things has a bunch of unstructured datasets, and LSTM is good at training on them. Most DL algorithms work with numerical datasets (IoT). Historical data could be used to look for attacks over time, because a single deep packet will not be enough to find patterns. People can feed the data packets to DL algorithms that can remember them for a long time. Unlike traditional machine learning, LSTM networks can be used to recognise attacks that happen over a long period of time, no matter how big the window.

The class imbalance problem is widespread, and various solutions have been recommended in recent years. This issue's solutions fall into three categories: Data, algorithms, and hybrid approaches Data level-methods, also called pre-processing strategies, reduce the majority-minority class imbalance. Upgrade traditional learning methodologies or create new ones that address imbalanced data. Hybrid methods combine data and algorithm levels. The SMOTE is a popular oversampling method. KNN algorithm for synthesising minority class observations (Wang et al., 2022b), to balance the data, more minority class findings are added. SMOTE arbitrarily creates synthetic observational data from minority class observations. The class boundaries between the majority and minority classes after applying SMOTE may not represent the minority class's underlying distribution. (Wang et al., 2022a) proposed ADASYN sampling as a solution. More synthetic observations are produced for harder-to-learn minority observations by the ADASYN algorithm (Sreeja, 2019).

In the year 2020, the Mayfly algorithm has been proposed as a newly designed swarm intelligence bioinspired algorithm. The Mayfly optimisation algorithm is inspired by the flight behaviour and the mating process of mayflies in real life. This algorithm is a modification of the particle swarm optimisation algorithm (Zervoudakis & Tsafarakis, 2020). We can use this algorithm to solve both continuous and discrete problems’ single-objective and multi-objective optimisation problems, as this algorithm is inspired by the flight behaviour and mating behaviour of mayflies.

1.1. Research motivation

The IoT-based data flow across the networks becomes the routine operation in any smart applications. Continuous monitoring and timely alerts are made through the IoT-based sensors and actuators. The sensing and transmitting the IoT data across the public networks open the number of security challenges. The open interfaces with unsecured network channels tamper the data flowing across the public networks. The high-level security framework needs to be established to protect the IoT data and its application domain. The vast range of IoT-based applications including smart network monitoring, Smart city environment, intelligent transportation, ecommerce applications, secure cloud platforms highly demand for the secure IoT framework instead regular security mechanism. The proposed LAMOA model classifies all-possible combinations of RPL-based attacks, which are identified as a major security threat for any IoT infrastructure. The model classifies the attacks using advanced mayfly optimisation techniques to enhance the IoT security framework. The implementation of LAMOA model with advanced DL-based optimisation motivates the digital infrastructure to utilise the framework in an effective manner. The IT operations rely on the digital data processing and its operations expanded to the next level of services without any severe security glitches. The proposed model possibly has a greater impact on the establishment of IoT-based applications and its services to the next level. The threat free IoT infrastructure with DL-based security classification improve the market of IoT-based solutions in the IT industry.

1.2. Industrial significant of the proposed model

IoT technology has greatly improved the industrial sector in terms of real-time remote monitoring and control, reducing latency, smart manufacturing, supply chain management, and asset tracking. The way in which industrial IoT devices are made, such as their low cost and security standards, open the space for the attackers to maliciously exploits the IoT infrastructure which reduces the security, privacy, and trust on this platform. As a special ingredient, the hybrid approach LAMOA is proposed to be able to predict and classify different types of attacks on IIoT solutions. The field of connecting IIoT with hyper-tuned LSTM with adaptive mayfly optimisation, which is called “intelligent” IIoT, has put in a significant amount of work on attack classifications. The proposed model enhanced the security in terms of attack classification at the IoT infrastructure level.

1.3. Background of the proposed model

In this section, an initial review of the Long Short-Term Memory, the Mayfly optimisation technique, ADASYN oversampling techniques, and the proposed deep learning models LAMOA are discussed. Similar related works are also discussed. In the field of academic research, RPL Routing threats are resource-intensive. Although IoT RPL routing assaults are successful, there is little research on calculating energy expenditure when identifying rogue nodes. This work will add to the literature with the methodologies presented and the successful attack prevention system suggested. Energy consumption computation while identifying malicious nodes has not been extensively studied. This study's techniques and suggested assault prevention strategy are innovative. the energy consumption computation of resources used during the detection of malicious nodes has been the focus of relatively few investigations. As a result, the approaches that are suggested and the successful attack prevention system that is advocated in this study will add something new to the existing collection of studies.

1.3.1. RNN

Recurrent Neural network (RNN) primarily used to process of time series data. This Neural Network includes a feedback loop that sends output of processed information back as an input at the next time step in the sequence (Hu et al., 2022). An RNN's ability to remember the outcomes of its previous computations and apply that knowledge to new problems is its primary point of differentiation from other types of neural networks. As a result, RNN models are well-suited for the task of modelling context dependencies in inputs of arbitrary length in order to generate an appropriate composition of the input. Which is the perfect fit for Natural Language processing applications as we are feeding a sequence of words into the RNN, the stage gets updated for each word being input. Since the state is changed sequentially, it also contains information about the words’ sequence as well as the words themselves. The final state of the RNN contains semantic and sequential information about the sentence's words, which really is great for understanding sentences since it operates like our brain. RNN have problem with vanishing gradient and Exploding gradient particularly avoiding these two issues go for LSTM Network.

1.3.2. LSTM

RNN is known as the long short-term memory or LSTM networks, Figure 1 shown, LSTM also have this chain like a structure instead of having a single neural network layer, which contains gates that can allow or block information from passing by gates consists of a sigmoid neural net layer along with a pointwise multiplication operation. Sigmoid output ranges from 0 means don’t allow any data to flow to 1 means allow everything to flow. The subsequent tanh layer generates a vector of candidate values to be added to the state. In the subsequent phase, we will combine these two to generate a state update. It is time to update the previous cell state, C_t-1, to the new state, C_t. The previous phase has already determined what action to take; all that remains is to execute it. We multiply the previous state by root, ignoring the items that we opted to disregard earlier. Then we add i_t*C_t. This is the new candidate values, scaled according to the degree to which we decided to update each state value. Finally, we must determine what we will output. This result will be a filtered version of our current cell state. First, a sigmoid layer determines which aspects of the cell state will be output. Then, the cell state is multiplied by the sigmoid gate's output and tanh (to push the values between −1 and 1) so that only the desired portions are output. The first stage consists of deciding if the information gained from the previous timestamp should be maintained or if it is redundant and should thus be discarded. In the second step, the cell analyses the data that is provided to it in an effort to learn new knowledge. In the final phase, known as the third section, the cell passes the information that has been updated since the present timestamp to the subsequent timestamp. The name “gate” refers to each of these three components of an LSTM cell. The initial component is known as the Forget gate, the second component is called the Input gate, and the third and final component is called the Output gate (He et al., 2021).

Figure 1. Traditional RNN Model.

1.3.3. Mayfly optimisation

The Mayfly optimisation algorithm is modified by the particle swarm optimisation algorithm, and it also combines the advantages of evolutionary algorithms and swarm intelligence algorithms, forming a powerful hybrid algorithmic structure that can be used to solve both continuous and discrete problems. This algorithm was inspired by the flight and mating habits of mayflies. MOA benchmarked against seven high-quality meta-heuristic optimisation algorithms on 25 test functions (unimodal, multimodal, fixed dimensional), multi-objective optimum, The suggested method combines the benefits of swarm intelligence with evolutionary computation. To assess the proposed algorithm's efficiency, 38 benchmark functions, including 13 CEC2017 test functions, are used and compared to seven well-known metaheuristic optimisation approaches. The MA's efficiency is also evaluated using multi-objective optimisation and a discrete flow-shop scheduling issue. and a discrete traditional flow-shop scheduling issue. These functions test the method's use and exploration. The MA approach outperforms well-known metaheuristic optimisation algorithms in local and global searching. Early iterations usually provide the best overall result. MA's discrete and multi-objective optimisation results are good. Mayfly optimisation fits real-world challenges. Adaptive mayfly optimisation was utilised to optimise the deep learning model's hyperparameters.

Table

Mayfly Algorithm

Step 1: Initialise the Populations

Step 2: Initialise the population and velocities of female maleflies

(i) Female mayflies position: yi where i = 1,2, 3, … N

(ii)Female mayflies velocities: VFi

Step 3: Calculate Fitness values for each mayflies

(i) Mayfly position = solution to the problem

Step 4: Initialise the population and velocities of male mayflies

xi where i = 1,2,3, … , population size (N)

Step 5: Initialise the population and velocities of female mayflies

yi where i = 1,2,3, … M

Step 6: Calculate Fitness values for each mayfly f(x)

Step 7: Find out Global best mayfly among all

${\text{g}}_{\text{best}}\to$ Best mayfly among all

Step 8: Check stopping criteria

Check current iteration = Maximum Iteration

Step 9: Update position and velocities for male and

Female mayflies change position by adding velocity in

current position xi t + 1 = xit + vit + 1

i = number of mayfly in the current population

(i = 1,2,3,4,5, … Population Size)

x = Male Mayfly Position

v = Mayfly velocity

t = Current Iteration

t + 1 = Next Iteration

$V_{ij}t+1=V_{ij}+a,e^{-\beta \gamma }2(P_{bestij}-x^{t}ij)+a_2{e}^{-\beta \gamma }g(g_{bestj}-x^{t}ij)$

Step 10: Evaluate Solution

Step 11: Rank Mayflies

Step 12: Mate the Mayflies

Step 13: Evaluate offspring f(x)

Step 14: Separate offspring to male and female randomly

Create Merged the population

Keep best male and female

Step 15: Replace worst solution with best solution

Step 16: Update $\text{Positio}{\text{n}}_{\text{best}}$ and $\text{globa}{\text{l}}_{\text{best}}$ solution

In step 1, we have the population initialisation, which will initialise the population for the male and female may flies in the problem space, so first initialise the population and velocity of the male mayflies in the problem space. Here you can see that step 4 for the male mayfly's position in the population is denoted with x (i). x is used to represent the position, and i is the total number of agents, or you can say the mayflies. Here i is one to population size, which means the position for the first mayfly is the same as for the second and so on. After that, in step 2, we will initialise the population for the female mayflies, and here is used to denote the position for the female mayflies in the problem space. You can see the velocity. After that, in step 3, we will calculate the fitness value for each mayfly, and every position represents the solution to the problem, so you can see Here First, we will initialise the population of the female and male mayflies randomly in the problem space, and then, using a cost function, or you can say, the objective function, we will calculate the fitness values and the performance. After that, we will select the best mayfly among all (i.e. step 4). When we calculate the fitness value for each mayfly, we will consider the minimum value among all of them as the global best mayfly. After that, in step 5, we will check the stopping criteria. If the math is correct, we will display the best solution that you obtained in the previous iteration. If the stopping criteria are not met, we will repeat the loop. After that, in step 6, we will update the position and velocity for both male and female mayflies. We can change the position by adding the velocity to the current position. As we know that the male mayflies gather in the swamp, we can change the position of the male mayfly by adding some velocity to the current position. So, you can see here, this is the grunt position, and you can see the velocity added. This is the new position that we obtained for the male mayfly. Here, x is the male mayfly. i is the male mayfly population. So, we use the velocity to represent the number. So, for velocity, step 7, we will use this mathematical model to calculate velocity; because they perform nuptial dances to attract female mayflies, it is assumed that they cannot develop great speed and move constantly, and as you can see, velocity for male mayflies can be computed using this Equation (7(7) $f(IW,RW,B,W,b,D)=\frac{1}{N}\sum _{i=1}^N(T_i-Y_i{)}^2$(7) ). And this corresponds to p's best and g's best. And after that, as you can see here, we can update the pbest position using this. If the fitness value that we obtained for the new position is better than the old one, we will consider the new one. the neutral density coefficient, and here is the normally distributed random value. After that, step 8 we will update the velocity and position for the female mayfly. As we know, the female mayflies do not gather in the swarm, so they fly to where the male mayfly is in order to breed. We can change their position by adding some velocity to the initial position, so in the current position at some velocity. Now you can see this formula. We can calculate the velocity for the female mayfly if the fitness value of the female mayfly is greater than the male mayfly, then we will use this Equation (8(8) $\begin{array}{rl}{V}_{t+1}^i& =\omega \times V_t^i+k_1{r}_1\times (Pbes{t}^i-P_t^i)+k_2{r}_2\times (Gbes{t}^i{P}_t^i)\end{array}$(8) ). As you can see in the previous tab, step 9, we updated the position and velocity of the male and female mayflies before ranking them based on their fitness value.

We have the mutation phase, in which the mayfly is mated, and we will select the parents, one from a male and one from a female, in which the best from invested female breeds with the best male, and the second-best female breeds with the second-best male, and so on, as the first best female is attracted to the first best male. After the crossover, step 10, we will opt into offspring. As you can see here, l is the random value, and both male and female represent the male partner. After that, in step 11, we will evaluate the offspring and then we will create a merged population and keep the best male and female mayfly. step 12: If the current iteration is equal to the maximum number of iterations, then stop and display the best solution. step 13: Otherwise, repeat from step six.

1.3.4. Comparative analysis bio-inspired algorithm

Table

Bio-inspired Optimisation Algorithms	Population Size	Memory usage	Speed Convergence	Tunning for optimisation	Position update
Adaptive-Mayfly Optimisation	Low	Low`	High	Simple	Global optimal-Male and Female Mayfly Ranking update
Genetic Algorithm	More	Low	Slow	Difficult	Near optimal-Random update
Particle Swarm Optimisation Algorithm	Low	High	High	Medium	Global Optimal Update

1.3.5. Oversampling technique

Adaptive synthetic oversampling that is based on the samples of the minority class When compared to other data expansion algorithms, it is distinguished by the fact that it generates more instances in a feature space that has a lower density and fewer instances in a special space that has a lower density. This is in contrast to other data expansion algorithms, which generate more instances in a feature space that has a higher density. Because of this feature's advantage of adaptively shifting decision boundaries to difficult-to-learn samples, AdaSyn is more suitable than some other data augmentation techniques to manage internet traffic with extreme data imbalance (Bagui & Li, 2021). It is the nature of unbalanced learning that a classifier's decisions are influenced by the extreme minority-majority ratio. According to many evaluation metrics, classifiers have a low detection rate of minority classes. This is not to say that classifiers cannot learn from unbalanced datasets

Choose N and β, which denote the number of nearest neighbours and the desired level of class balance after generating the synthetic data, respectively. then

• Step 1: Let $n_l$ denote the number of observations of the majority class and let $n_s$ denote the number of observations of the minority class. Calculate $G=(n_l-n_s)\times \beta$ .

• Step 2: Let $x_i,=1,\dots .,n_s)$, denotes the observations belonging to the minority class and let

• A denote the set of all $x_i$, such that $A\ni x_i$. For every $x_i$

• Step 3: Calculate the Euclidean distance between $x_i$ and all other element of A to obtain the K - nearest neighbours of $x_i$.

• Step 4: Let $S_{ik}$ denotes the set of the K - nearest neighbors of $x_i$.

• Step 5: Define ${\mathrm{\Delta }}_i$ as the number of observation in the K nearest neighbors region of

• $x_i$ that belong to the majority class. Calculate the ratio $r_i$ defined as $r_i={\mathrm{\Delta }}_i/K,i=1,..,n_s$

• Step 6: Normalize $r_i$ according to $\frac{r_i}{{\sum }_{i=1}^{n_s}{r}_i}$, so that $r_l$ is a probability $\left(\sum _i{r}_i=1\right)$.

• Step 7: Calculate $g_i=r_i\times G$, which is the number of synthetic observation that need to be generated for aech $x_i$

• Step 8: Randomly sample $g_i$ synthetic observations denoted $x_{ij,}(j=1,\dots g_i)$ from $S_{ik}$ with replacement.

• Step 9: Let $\lambda$ denote a number in the range $[0,1]$. For a given $x_{ij}$, generate a synthetic observation according to $x_k=x_i+\lambda (x_i-x_{ij})$, is uniformly drawn for each $x_k$.

• Step 10: Stop

1.4. Contribution of the research work

The article's main focus is to build a secure IoT-based infrastructure that can predict and classify different types of attacks in various situations (Stellios et al., 2022). In this case, a new deep learning framework called LAMOA has been used. Furthermore, a lot of tests have been done on the proposed learning algorithm with different benchmark tests and real-time Cooja data. Our suggested technique can identify most IoT threats and discriminate between benign and malicious traffic data. The experimental outcomes reveal that our proposed layered deep learning method outperforms current classification algorithms in real-time problems. Furthermore, the paper discusses how to get information and make features that make it easier to predict and classify threats.

• In order to solve the problems of effective attack classification and exploding gradients in the LSTM neural network, we implemented the Adaptive Mayfly algorithm. This algorithm allowed us to determine the hyperparameter optimal value of the initial input weights, recurrent weights, and bias of the LSTM model, as well as the input weights and biases of the feed-forward connected layer in the RNN model, which led to a high level of accuracy in the attack classification.

• A hybrid model was developed using the improved LSTM technique combined with metaheuristic algorithms such as GA and PSO, Mayfly.

• To increase the size of the IoT RPL routing dataset, we used the data augmentation (ADASYN) technique.

• Through LAMOA, we identify the energy impacts of IoT RPL routing attacks to reduce power consumption.

• The hybrid LAMOA global optimisation was combined with training the LSTM with Adam optimiser locally to improve attack classifications.

• To collect real-time data, we use the Contiki-OS Cooja Simulator for designing the IoT infrastructure.

• We compare the multiclass and binary class classification performance with benchmark datasets, namely BoT-IoT, NSL-KDD, and IoT-23.

The suggested plan was evaluated and contrasted with a number of other methods that were already in use. In addition, the statistically significant correlation analysis for attack classification was carried out on all simulation dataset and three separate benchmark datasets.

This article is followed by Section 2, which summarises the related works of the IoT network classification models’ recent research papers and discusses the background part, where detailed, given the traditional techniques of the proposed model. Section 3 discussed the methodology of my proposed work algorithms for Cooja simulation setup and data collections, ADASYN oversampling techniques, LSTM, adaptive mayfly optimisation method, and overall flow diagram. Section 4 discussed the results and discussion of my pre-processing and features and simulation attacks based on the power consumption of all performance metrics and gave the detailed three benchmark datasets results with comparative analysis with existing models. Finally, Section 5, which brought this paper to a conclusion.

2. Literature survey

This paper develops an anomaly-based IoT intrusion detection methodology. First, a CNN creates a multiclass classification model (Ullah & Mahmoud, 2021). CNN in 1D, 2D, and 3D implement the suggested paradigm. BoT-IoT, Network Infrastructure Breach, MQTT-IoT-IDS2020, and IoT-23 network security datasets were used to test the proposed CNN model. Using a CNN multiclass pre-trained models, domain adaptation implements binary and multiclass classification. Since the model must study anomaly detection utilising several deep learning approaches, such FFN and LSTM, BI-LSTM, and compare the results to a CNN model (Ullah et al., 2021). A model for anomaly-based attack detection in Internet of Things systems is proposed and implemented in this research. The model makes use of a CNN and GRU to identify and categories binary and multiclass Internet of Things network data. The developed framework is verified by utilising the BoT-IoT dataset (Kumar, Tripathi, & Gupta, 2021d) the IoT Network Intrusion dataset, the MQTT-IoT-IDS2020 dataset, and the IoT-23 dataset. owing to the fact that they have to concentrate on real-time cyberattacks applying a number of different deep learning models and generative adversarial networks, and then compare the findings to the model that is currently being used. Xiu Kan et al. (2021) proposed a unique APSO-CNN system detects multi-type attacks performed by zombie hosts infected by zombie viruses. Dynamic hyper-parameters of each keras layer structure are used as particle location parameters, and CNN's initial training period cross-entropy loss function value is used as APSO fitness. By adjusting the particle swarm's velocity and direction, optimal scheduling searches for a smaller fitness value. The inertia weight factor is adaptively altered with fitness value to avoid PSO local parameter problems and achieve CNN structure parameters. In addition, picking a high variety of attributes may cut down on the amount of time needed to train the model, and those responsible for the off-line model need to find a way to cut down the amount of time spent looking for the optimal solution.

Iterative Genetic Algorithm generates optimal individuals. DBN can analyse complex, high-dimensional data effectively and classify it well (Zhang et al., 2019). In this paper, the adaptive genetic algorithm is integrated with deep belief networks. GA runs numerous iterations to generate an ideal network topology, which DBN uses to identify attacks. So, when employing deep learning techniques for malware detection, the challenge of how to find a suitable neural network structure is solved, improving classification accuracy, generalisation, and overall network complexity. The model classification accuracy is 99.45%. Models and methods were simulated and evaluated using the NSL-KDD dataset. However, they do not utilise the optimisation to improve the other parameters of the deep network, hence reducing the amount of time spent training and enhancing the accuracy of detection.

Bovenzi et al. (2020) propose H2ID, a hierarchical Network Intrusion Detection method with two stages. H2ID uses a new lightweight solution is based on a Multi-modal Deep AutoEncoder (M2-DAE) to find anomalies and soft-output classifiers to sort attacks. We test our idea by looking at the recently released Bot-IoT dataset and making connections between four relevant types of attacks (DDoS, DoS, Scan, and Theft) and unknown attacks. Results indicate improvements of the proposed M2-DAE for simple intrusion detection system (up to 40% false-positive rate when measured with several baseline methods that had the same true positive rate) and also for H2ID as a whole when tried to compare to the finest misuse sensor strategy (up to +5% F1 score). As a result, only denial-of-service and distributed denial-of-service attacks are considered. There is a further need to explore the implementation of a particular use case with various attacks (Nascita et al., 2021). Deep Learning (DL) approaches have recently developed as an alternative to ML techniques focused on arduous, time-consuming model is characterised. However, DL models’ black-box nature limits their practical and trustworthy deployment in important circumstances where serviceability of outcomes is essential. XAI approaches have lately gained popularity to overcome these restrictions. We study trustworthiness and interpretability using XAI-based algorithms to comprehend, evaluate, and enhance multimodal DL traffic classifiers. Alkahtani and Aldhyani (2021) developed a comprehensive framework for identifying IoT intrusions. They generated a novel dataset called IoTID20 dataset was used to develop the proposed solution. In this architecture, three different learning algorithms were used to classify the attack: a CNN, an LSTM, and a CNN-LSTM hybrid model. To improve the suggested system, key network dataset features were selected using particle swarm optimisation (PSO). Learning based algorithms analysed variables. CNN achieved 96.60% accuracy, LSTM 98.62% accuracy, and CNN-LSTM 98.80% accuracy. As a result, they do not make an effort to discover new methods that might increase the detection of scan and TCP flood assaults (Mohamand et al., 2022).

This work employed machine learning to anticipate DDoS attack types. Random Forest and XGBoost were utilised. To access the research's DDoS prediction system. Python was used as a simulator for the UNWS-np-15 dataset from GitHub. We created a confusion matrix after applying machine learning models to evaluate model performance. In first classification, Random Forest's Precision (PR) and Recall (RE) are 89%. This model's AC is 89%, which is excellent. In the second categorisation, both Precision (PR) and Recall (RE) are 90% for XGBoost. Our model's AC is 90%. By comparing our work to prior studies, they increased fault detection accuracy by 85% and 79%. However, it’s crucial to develop a user-friendly, faster alternative to deep learning computations that produces better outcomes in less time (Dasgupta & Saha, 2022). This research suggests a hybrid Mayfly apriori-intrusion detection technique for big data applications. Mayfly-optimised Apriori is employed to identify intrusions in the suggested mechanism. In the suggested approach, network information is analysed to build an apriori rule based on the most frequently occurring items. Rare items or transactions are considered intrusions. The recommended mechanism's efficacy is compared to AI, Random Forest, K-Nearest Neighbour, and SVM. The proposed mechanism has improved accuracy, precision, and recall to 97%. However, they also need to compare the proposed model with other optimisation techniques.

Iterative Genetic Algorithm generates optimal individuals (Alferaidi et al., 2022). DBN can analyse complex, high-dimensional data effectively and classify it well. In this paper, the adaptive genetic algorithm is integrated with deep belief networks. GA runs numerous iterations to generate an ideal network topology, which DBN uses to identify attacks. So, when employing deep learning techniques for malware detection, the challenge of how to find a suitable neural network structure is solved, improving classification accuracy, generalisation, and overall network complexity. The model classification accuracy is 99.45%. Models and methods were simulated and evaluated using the NSL-KDD dataset. However, they do not utilise the optimisation to improve the other parameters of the deep network, hence reducing the amount of time spent training and enhancing the accuracy of detection (Cai et al., 2022). Author proposed a hybrid parallel deep learning model (HPM) for finding intrusions that work well and is based on margin learning is proposed. First, HPM builds two CNN architectures in parallel and combines the spatial features that come from full convolution. Second, two parallel LSTMs are used to separate the temporal information of the combined features. After global convolution and global pooling, the extracted spatial–temporal features are then fed into the CosMargin classifier to find the classification. Also, this paper suggests a better method for extracting traffic features, which not only cuts down on redundant information but also speeds up the speed at which the network converges. In the experiment, our HPM was able to spot each malicious class 99% of the time. However, the model has a very high accuracy rate for classifying, all of its performance is based on two assumptions: a huge number of datasets that have been classified and known attacks only (Wang et al., 2022b; Kumar, Tripathi, & Gupta, 2021e). This article suggests a network abnormality detection approach that combines principal component analysis and single-stage headless face detector algorithms. PCSS uses the PCA algorithm in the pre-processing of data to get rid of redundant data that could cause problems. At the same time, PCSS also combines feature fusion and SSH to enhance the features that are extracted from data that isn't clear, which speeds up and improves the accuracy of detection. In this paper, simulation tests are done with the IDS2017 and IDS2012 data sets. it can't fulfil the demands of detecting new network traffic that isn't normal and doesn't scale well. It might even be called a training data set by mistake. Considering how important traffic flows detection is in the real world, it is important to design a network model that can automatically discover new kinds of attacks in the network environment. However, the PCSS framework will be enhanced to make it more useful and important in terms of defending against different kinds of cyberattacks.

(Churcher et al., 2021 (Islam et al., 2022). For predicting DDOS attacks, we have used more than one way to classify things. Authors have made the architecture of generic models a little more complicated so that they can work well. Authors have also used the support vector machine (SVM), the K-nearest neighbour algorithm, and the random forest algorithm. For detecting (DDoS) attacks, the SVM is 99.5% accurate, while KNN and RF are 97.5% and 98.74% accurate, respectively. However, this model only works with offline datasets, so author want to work with real-time datasets, we need to start moving this work to real-time fraud detection applications that are focused on such supervised learning models (Samy et al., 2020). This research offers a distributed, resilient, high-detection-rate method to identify IoT cyberattacks using DL. Due to fog nodes’ decentralised nature, high computing capability, and proximity to edge devices, the proposed framework includes a threat detector. Six DL models are compared to find the best. All DL models are assessed using five datasets with distinct attacks. The LSM significantly achieves the other five DL models, according to experiments. The suggested framework is successful in response time and high detection, detecting different forms of cyberattacks with 99.97% high detection and 99.96% detection accuracy in classification model and 99.65% detection rate in multi-class classification. But it may be hard to label the data collected in the edge layer so that the LSTM model can be trained in the cloud. The author should use a decentralised computer network like Apache Spark and various datasets to evaluate the proposed attacks with unsupervised DL models and reinforcement learning.

The author presents a new algorithm to detect DDoS attacks based on changes in traffic and two machine learning models for identifying and classifying DDoS attacks (Jia et al., 2020). To show how well the two machine learning models work, we use the DDoS simulators BoNeSi and Slow HTTP Test to make a large data set and combine it with the CICDoS2019 data set to examine the precision of detection and classification in addition to the models’ performance. Our findings indicate that the proposed long-term poor memory has an identifying accuracy of up to 98.9%, which is much better than the other four well-known learning mentioned models in the most related research. The proposed convolutional neural networks are good at classifying things up to 99.9% of the time (Otoum et al., 2022). Propose a DL-IDS to detect security concerns in IoT contexts. Many IDSs exist, however they lack optimal feature learning and data set management, which affects attack detection performance. Our suggested module integrates spider monkey optimisation (SMO) and stacked-deep polynomials network (SDPN) to perform effective tools identification; SMO picks the ideal features in the data sets and SDPN classifications the data as normal or anomalies. DL-IDS detects DoS, U2R, probing, and R2L attacks. The suggested DL-IDS provides superior accuracy, precision, recall, and F-score. However, need to analyses DL-IDS with Naive Bayes, decision tree, and random forest using KDD-99 and UNSW-NB 15.

Author work uses the Bot-IoT dataset to develop a new Intrusion Detection System based on Machine Learning and Deep Learning models (Almaraz-Rivera et al., 2022). It does this by addressing the Bot-IoT dataset's problem of class imbalance. To figure out how the timestamps of the records affect the predictions, we used three different feature sets for binary and multiclass classifications. This helped us avoid feature dependencies, which were made by the Argus flow data generation system, while getting an average accuracy of >99%. Then, we did a lot of testing, which included measuring how well the models worked over time. The Decision Tree and Multi-layer Feed – forward neural models have been the best at finding DDoS and DoS attacks over IoT networks. However, the model needs to work with advanced method for the classification (Salman et al., 2022). Author suggests a framework that will help identify IoT devices and find malicious activity. This framework pulls features from each network flow to find the source, the type of traffic it creates, and network attacks. It does this by pushing intelligence to the edges of the network. Several machine learning algorithms are put up against random forest to see which one works best: Up to 94.5% accuracy for figuring out what kind of device it is, up to 93.5% accuracy for figuring out what kind of traffic it is, and up to 97% accuracy for finding strange traffic. However, the model needs to work with advanced method for the classification.

LSTM and GAT were used to come up with a new inductive model for classifying text (Wang & Li, 2022). Each text has its own structural graph, which changes the problem of putting texts into groups into a problem of putting graphs into groups. Our model takes into account the word order and syntax of the text and can build edges without being limited by the distance between words. At the same time, the graph attention network reduces the effect of noisy data and gives more weight to important words. Experiments with multiple datasets show that our model works. It can learn inductive representations of words from a small number of labelled documents and uses a lot less memory than other models. However, need to look on graph-aware text classification algorithms that don't rely on training data or leverage what little specific information needs they have to their advantage (Kumar, Tripathi, & Gupta, 2021a). Proposed a new intrusion detection framework called P2IDF for software-defined Internet of Things-Fog network activity that is based on protecting privacy. First, to protect privacy, an SAE method has been used, which changes real data into a coded form to stop inferential attacks. Then, an ANN-based intrusion prevention system was tested to see how well it could spot attacks and normal vectors in the ToN-IoT dataset before and after the transformation. They plan to Build a platform prototype that checks security and privacy in real-time, SDIoT-Fog in future (Mirsky et al., 2018). While in train mode, Kitsune believes that all approaching traffic is of a beneficial nature. As a result, an opponent that has already existed could be able to avoid being discovered by Kitsune. Nevertheless, while Kitsune is operating in the execute mode, it will identify fresh assaults and new dangers as they come into play. However, when installing Kitsune on a network that could already be hacked, a user should be conscious of this danger anyway.

Table 1 provides an overview of my related research work using machine and deep learning models, datasets, classification, models, data imbalanced techniques, and accuracy, finally given the limitations of each paper.

Table 1. Summary of related research using machine and deep learning models to classify IoT attacks.

S. No	Author (Year)	Datasets	Classification	Model	Type of the attacks	Model performance	Limitation
1	Khan et al. (2022)	NSL-KDD, NIDS, UNSW-NB15	Binary and Multiclass	Ensemble with Machine Learning	Diverse attack	96%	The proposed model is not compare with Newly developed models, also not used hyperparameter tuning techniques.
2	Ullah and Mahmoud (2022)	BoT-IoT, MQTT-IoT, IoT-23	Binary and Multiclass	Anomalous detection using Feed Forwarding Network	MQTT based attacks	99.25%	Proposed model not implemented with the data preprocessor and optimisation-based approach
3	Albulayhi et al. (2022)	NSL-KDD, IoTID20	Binary and Multiclass	Information gain (IG) Ensemble, gain ratio (GR) Ensemble	Network attack	99.41%	This model is not Concentrate about power consumption during attacks
4	Moizuddin and Jose (2022)	NSL-KDD, BoT-IoT	Binary and Multiclass	Grey Wolf Algorithm and an ElasticNet Contractive Auto Encode	Malicious Attacks	0.99%	Processing time is more
5	Masum et al. (2022)	Real-Time	Binary	Machine Learning	Ransomware attacks	0.96%	The proposed model is not compared with other models
6	Kumar, Tripathi, and Gupta (2021d)	Bot-IoT, ToN-IoT	Binary	Enhanced Proof of work, Machine Learning	Cyber Attacks	97.81%	The proposed model detection rate is very low 62.98% not used with advanced techniques like Deep learning, Federative Learning based algorithms.
7	Kumar, Tripathi, and Gupta (2021b)	NSL-KDD, BoTIoT, DS2OS	Ensemble classifier	Ensemble with Machine Learning	Cyber Attacks	99%	The Proposed model not using any advanced Techniques like Deep Learning model, real-time simulation-based datasets
8	Kumar, Tripathi, and Gupta (2021c)	DS2OS	Binary	Machine Learning	abnormal traffic based attacks	99.24%	The proposed model not done any preprocessing approach in the data.
9	Ikram et al. (2022)	NSL-KDD, KDD-CUP	Binary classification	ANN-PSO	NIDS attacks	99.80%	The proposed work does not use real-time datasets for attack classification
10	Churcher et al. (2021)	BoT-IoT	Binary and Multi classification	KNN-ANN	IDS attacks	99%	The proposed work not considered any unbalanced dataset for classification.
11	Huan et al. (2022)	NSL-KDD	Binary and Multi classification	Bi-LSTM	Spam Detection	98.66	Lack of integrative optimisation techniques to improve IoT attack classification.
12	Tang et al. (2022)	BoT-IoT	Binary and Multi classification	LSTM	Anamaly Detection	99%	Author does not focus on the imbalanced techniques
13	Hassan et al. (2020)	UNSW-NB15	Binary and Multi classification	WDLSTM	IDS based attacks	97.17%	Proposed work is not based on real-time data, and there is also not focused on the imbalanced dataset
14	Aversano et al. (2021)	NSL-KDD	Binary and Multi classification	DNN	Anamaly Detection	97%	Proposed work is not based on real-time data, and there is also not focused on the imbalanced dataset
15	Kim et al. (2020)	N-BaIoT	Binary and Multi classification	Machine and Deep Learning	Botnet attacks	94%	Proposed work is not based on real-time data, and there is also not focused on the imbalanced dataset
16	Shhadat et al. (2020)	Benchmark	Binary and Multi classification	Machine Learning Classifiers	Malware	91%	Proposed work is not based on real-time data, and there is also not focused on the imbalanced dataset
17	Proposed Model	New Generated Dataset, NSL-KDD, BoT-IoT, IoT-23	Binary and Multi classification	LAMOA, PSO-LSTM, GA-LSTM	RPL-based attacks, Network attacks	99.92%	Proposed work is met all the requirements compared with other existing model. Refer contribution section 1

3. Methodology

3.1. IoT-based simulation infrastructure

This part talks about the proposed model, which is made up of units for collecting data, extracting features, classifying data, and proposing learning models. A high-level overview of the LAMOA-based intrusion detection and mitigation systems is presented in Figure 2. To simulate Internet of Things networks in real time, the first layer of the framework makes use of media access control (MAC) identifiers. A data collection unit is located at the second level, and it is responsible for gathering network packets under both normal and attack scenarios. The third layer uses adaptive synthetic-based pre-processing using the feature extracted data from the AMOA and the proposed deep learning technique for threat prediction were trained using the pre-processed data in order to provide accurate predictions. The LAMOA networks were finally utilised to make the final prediction of malicious nodes as one of five serious assaults. The system uses this information to identify a malicious or benign node. The suggested architecture uses message forwarding in order to warn all network nodes of the impending attack.

Figure 2. General LSTM Structure.

This work proposes a strategy for detecting and identifying attacks in resource-constrained IoT environments. Figure 2 shows the model's general architecture. The suggested model includes network simulation, data balancing, data pre-processing, and attack detection and classification. Cooja simulates the network, malicious and normal nodes alike. Each node's is calculated. The routers’ message packets are intercepted and analysed. All simulated data is stored in a.csv file. The specified features (ID number, and processing times) are stored in a csv data entitled “RPLattack.log”. ADASYN-LAMOA Deep learning methods examine the normalised data set to increase performance.

3.2. ADASYN oversampling techniques

The minority class is represented by (i) instances, and k-means is the number of the closest neighbours. Each epoch is being oversampled at a variable pace in seven studies. The resulting dataset will be multiplied by four for each experiment. The version attack is the minority group compared with all other classes: DDoS/DoS, wormhole, blackhole attack, RPL Rank exploitation, flooding, sinkhole. The number of versions attacked expanded from 120 to 708 after the first experiment was done, utilising 100% oversampling. In the first experiment, the blackhole and wormhole classes were found to be lower than the rest. As a result, results from the second experiment have been applied to those from the first experiment. Blackholes, hello flooding, sinkholes, DDoS, and DoS have been oversampled by a factor of 200% in this experiment. The number of incidents of DDoS and DoS increased by 400–5780. The number of HF and blackhole events grew from 172 to 1580 and 148 to 1250, respectively, in the second experiment. The last experiment's findings showed that the RPL Rank class had fallen to the lowest rung of the social ladder. Because of this, the third experiment should be carried out at a sample rate of 300%. In 180 to 1875 instances, the RPL Rank attack class was added. The third test proved that the number of occurrences in the RPL Rank and DDoS classes grew far more than the other classes’ numbers had done. As a result, the remaining experiments must be completed as soon as possible. The number of wormhole and version attacks increased dramatically in the fourth experiment with 400% oversampling. Then there were 250 sinkhole and 165 wormhole attacks, totalling 2580 and 1758 instances. In this experiment, DDoS were found to be in the minority when compared to the other classes. Oversampling by 500% was the final test, and the results are in. An extensive investigation has revealed that the most common types in the RPL, wormhole, and DDoS/DoS classes are larger instances. In addition, the frequency of all attacks increased by 600% and 700%. In total, 36,626 instances were formed from 6893 during the studies. Thus, the routing dataset has grown. The results of the experiments are shown in Figure 3.

Figure 3. Cooja simulation based AMILSTM Framework.

3.3. Attack classification model using LAMOA

The deep learning architecture is characterised by (Shekhar, 2021) Its important features are shown in the Figure 4 and the hyper-parameter Table 2 detailed below.

Figure 4. IoT Attack Classification using Realtime Datasets.

Table 2. Hyper-parameter for LAMOA model.

Layer	Layer Name	Layer	Configuration
Input	Input Layer	1	64 input features
Hidden Layer	GA-LSTM PSO-LSTM LAMOA	4	Units=512 Kernal regularizer, Bias regularizer, Activity regularizer
	Activation	4	ReLU (alpha=0.2)
	Layer Normalization	4	Axis=1,Center=True,Scale=True
	Regularization	4	11=0.0001, 12=0.0001
	Dropout	4	Dropout rate=0.2
Classification	Dense	1	Neuron=512
			Activation=ReLU
Output	Output	2	The number of neurons is equal to the number of classes in the dataset, Activation=SoftMax Activation=Sigmoid
Hyperparameter	Early stopping (monitor=loss, patience=5,verbose=1)optimizers=Adam, Adaptive mayfly,GA,PSO Loss function=sparse categorical cross entropy, Learning rate=0.001,Batch size=120,epochs=100 to 500

Input Layer: The beginning of entrance into the networks, which includes as many nodes as there are features to examine.

Batch Normalisation Layer: effective for improving neural network training, as it speeds up training and allows complex learning rates and saturation of probable nonlinear effects to be adopted. useful for neural network training. Because the network's gradient propagation is always the same, this usually leads to better accuracy when validating and testing.

Number of Hidden Layers: The hidden layers have varying numbers of artificial activation functions that output the weight value of their inputs after being activated with a Leaky ReLU activation function. We did a series of tests to see how the overall performance changed with different numbers of hidden layers.

Dropout Layer: Following on from the preceding layer, we viewed this layer as an integral part of the whole. In fact, in the above-mentioned trials, the pair hidden layer dropout layer was reproduced multiple times. In order to avoid overfitting, the dropout layer employs a regularisation approach called the Gaussian dropout, which randomly disables some neurons in a layer. Each node in the connected hidden layer has a 0.2% chance of having the same probability.

Output layer: This layer is in charge of figuring out the final classification, and it has the same number of nodes as the total number of classes. In Figure 5, we present two distinct output levels because the binary classifier issue and the multi-classification issue are represented by those layers in their respective ways. Nevertheless, when we were running our tests, we only evaluated for every problem one of the two output layers that were presented at a time. This was a dense layer that used a SoftMax function for the layers.

Figure 5. Mayfly solution representation.

3.4. Computational complexity AMOA

In most cases, the time required to complete an algorithm is proportional to the number of individual operations that it performs, including such addition, simple arithmetic operations. It is assumed that the number of mayflies in the AMOA algorithm is N, that the number of genetic offspring mayflies is M, and that the total of adaptive mayflies is k. The time complexity of the algorithm is evaluated in accordance with the following the method The time required to initialise all of the different parameters only requires one execution, which brings the total number of executions to one $O(1).$ It is necessary for the mayfly population to carry out N processes so that the initial positions and velocities of the male and female mayflies can be randomly determined the time complexity of $O(N+N).$ It is necessary to update both the speed and position of the male and female mayflies, as well as the number of executions, which must be N times for each $O(N+N).$ The current mayfly fitness value is used to sort the number of executions, which results in the following $2Nlg2N,O[2Nlg2N]$. In accordance with the Gaussian mutation method, the offspring of the mutation are produced at random and then carried out $M/2$ times $O[M/2].$ Continue the procedure of separating the males and females of the mayflies, and use the superior solution to replace the one you were using before. The total number of executions are $2Nlg2N,O[2Nlg2N].$ The balance between global search and local search is done N times, so the time complexity is N,$O(N).$ Within the predetermined search radius in a given region, k adaptive mayflies are located, and k total executions are carried out $O(K).$ The number of executions is k times as large as the search range, which is there to ensure that the elite mayfly doesn't go looking in unexplored areas $O(K).$ N times the number of executions is required to determine if the maximum number of iterations has been achieved $O(N)$. The adaptive mayfly's position is factored into the process, and there is only one execution $O(1)$. When all of that is done, the AMOA algorithm's computation time after NC rounds is (5) $O\left(NC\times \left(6N+\frac{M}{2}+4Nlg2N+2k+2\right)\right)$(5)

3.5. Adaptive LAMOA

In this work, we want to employ the Adaptive Mayfly optimisation algorithm to find the best biases and weights for LSTM. There are many hyper-parameters to think about when making an LSTM, and there are numerous ways to make an RNN. In this research, we looked at a LSTM with one input layer with a batch normalisation and variable number of hidden states with dropout layer, one output layer all was linked to the input layers. AMOA is used to change the initial biases and weights of a forget gate, input gate, candidate solution vector, and output gate of LSTM, in addition to the bias and weights between both the completely connected layer and also the output layer. Figure 6 shows the main structure of the proposed adaptive Mayfly-based hybrid LSTM model. AMOA is made up of so many steps, as shown in Figure 6. These steps are encoding, initialisation, calculate the fitness function, Find the $\text{Positio}{\text{n}}_{\text{best}}$ and $\text{globa}{\text{l}}_{\text{best}}$ evaluation, and update.

Figure 6. LAMOA Iterative LSTM network parameter evaluation.

In processes based on swarm intelligence, showing possible solutions represents the most important step. In this work, possible solutions are presented by encoding the LSTM weights and biases as swarm mayfly. Input weights ($\text{IW}$), recurrent weights ($\text{RW}$), and bias are the three types of weights that can be changed in an LSTM network are input activation state weight $\text{IW}$ = [$W_{i,}{W}_{f,}{W}_{C,}{W}_O$],$\text{RW}$ = [$U_i,U_{f,}{U}_C{U}_O$] and B = [$b_{i,}{b}_{f,}{b}_{c,}{b}_o$]_. The matrices are made up of the weights of the input gates, the weights of the forget gates, the weights of the cell candidates, and the weights of the output gates. The variables of are shown by the weight training matrix “W” and the bias “b”. Figure 7 shows how each “spring” in the MOA represents a “potential solution” for the LSTM parameters that need to be optimised.

Figure 7. Overall Flow of activities on proposed LAMOA Model.

The initial value for a particle's velocity, denoted by the notation $V_o^i$, is zero. Mayfly's execution depends on setting a variety of parameters, including the overall population of the swarm (S), the total number of iterations (maxGen), the individual coefficient ($k_1$), the social ratio ($k_2$), and the inertia coefficient ($\omega$). To contrast the adaptive MAO suggested here with conventional MOA, we will employ the inertia factor x, which varies linearly from ${\omega }_{max}$ to ${\omega }_{min}$ with time. (6) $\omega ={\omega }_{max}-\frac{({\omega }_{max}-{\omega }_{min)t}}{T}$(6) where $t$ is the iteration number at the moment and $T$ is the maximum number of iterations that can be performed.

3.5.1. Evaluation

The effectiveness of each population solution is determined by computing the cost function, or mean squared error between the real and predicted values (see Figure 7)

Since we have samples of data $D=\{X_i{T}_i{\}}_{i=1}^N$ where $T_i$ is the desired value that should be achieved with the help of feature $X_i$ as input. Fitness's opportunity cost function is described below: (7) $f(IW,RW,B,W,b,D)=\frac{1}{N}\sum _{i=1}^N(T_i-Y_i{)}^2$(7) where $N$ represents the total of observations, $IW$ is indeed the input weight, $RW$ is the recurrent weight, $B$ is the bias, and $W$ and $b$ are the weights and biases assigned to LSTM and Feed forwarding FCLSC, respectively, and $Y_i$ is the predicted value of input $X_i$ from LSTM's output layer. AMOA iteration t's output.

3.5.2. Update

Each mayfly fitness is used to determine its “Position best”, and the “global best”, is the best position occupied by any mayflies within the swarm. Pbest and Gbest are both optimised with each iteration, and the location and velocity of mayflies are adjusted accordingly.

Let the velocity and position of the $ith$ mayfly at epoch $t$ be denoted by the notations $V^i$ and $P^i$, respectively. The equations then cause changes to take place in the velocity $V_{t+1}^i$ and the location $P_{t+1}^i$ of the ith mayfly at the epoch $t+1$. Equations (10) and (11) in their respective positions. (8) $\begin{array}{rl}{V}_{t+1}^i& =\omega \times V_t^i+k_1{r}_1\times (Pbes{t}^i-P_t^i)+k_2{r}_2\times (Gbes{t}^i{P}_t^i)\end{array}$(8) (9) $\begin{array}{rl}{P}_{t+1}^i& =P_t^i+V_{t+1}^i\end{array}$(9)

We employ the velocity of the adaptive mayfly that is considered to be both the personal best and the global best in order to preserve the exploitation and exploratory features of Adaptive mayfly.

The formula for the adaptive inertia coefficient is as follows: (10) ${\omega }_i^t={\omega }_{max}-({\omega }_{max}-{\omega }_{min})\times (V_{Gbes{t}_i}^t-V_{Pbest}^t)$(10) where ${\omega }_i^t$ represents the adaptive inertia parameter, $V_{Gbes{t}_i}^t$ represents the velocity of the global best ($Gbes{t}^i$), $V_{pbes{t}_i}^t$ represents the velocity of the personal best ($Pbes{t}^i$), and ${\omega }_{max}$ and ${\omega }_{min}$ represent the maximum and minimum values of the inertia coefficient, respectively. The search process of the mayfly is seen in Figure 8. This technique utilises the adaptive inertia coefficient $({\omega }_t^i)$, which is provided by Equation (10(10) ${\omega }_i^t={\omega }_{max}-({\omega }_{max}-{\omega }_{min})\times (V_{Gbes{t}_i}^t-V_{Pbest}^t)$(10) ), in place of x to compute the position and velocity of mayflies using Equations (8) and (9), respectively.

Figure 8. Real-Time Data augmented Using ADASYN.

The process of modifying a mayfly $Pbest$, $Gbest$, position, and velocity continues until either the number of iterations approaches the maximum number of iterations ($maxGen$) or the tolerance reaches a value that has been previously determined. The final $Gbest$ is the optimal solution, which is made up of tuned weights and bias of LSTM and a completely controlled Feedforward Layer. In the end, the weights and bias that were generated by the Adaptive MOA-LSTM are given as the initial values of the LSTM and the Feed forward FCLSC, that are then trained further through the Adam optimiser.

As we talked about in the previous section, LSTM networks use the simple Mayfly algorithms to find the best weights. In this case, adaptive mayfly is used as the main term to optimise the weights of LSTM networks. This is because there are many different ways to best search for and find the best male and female mayflies among all of them. The picture shows how the LAMOA learning methods work in their entirety. First, the LSTM cells are given a random number of weights and biases. The Fitness value is a way to measure how well the model works. For every iteration, step 6 in the flowchart Figure 8 is used to out the input bias and weights. The LSTM network then figures out the fitness function by using these weights. If the fitness value is the same as the threshold, the iteration stops or keeps going until the threshold is reached again.

LAMOA comes up with a new way to fake threats in networks once the many-layered attacks have been determined. The proposed framework suggests using a different path for QoS-aware data transfer, with the route where a suspicious attack has happened being blocked. This information has been saved as separate prevention and mitigation databases that can stop attacks on networks. Here is a full list of the flowcharts that make up the LAMOA and how they work.

3.6. Proposed threat analysis model

IoT devices can be attacked in many different ways depending on how they work. Most of the time, the nodes are set up in the easy-going area. This makes it easier for attackers to get into the network. Aside from these, it is easy to add bad nodes to the network to infect it. The best way to avoid routing attacks is to know what happens when an attack is launched on a network and how it affects its performance. IoT simulations that are accurate and use a lot of data are a better way to design a safe and active sensor network. In this study, we use Cooja, which is a simulation tool of Contiki O.S. and is well-known among researchers in the field of sensing networks. The main reason we use Cooja is to figure out how we might be able to use it to measure the effects of attacks and develop better security measures (Sahay et al., 2018). In this study, we look at how malicious insiders on IoT-based RPL-based sensor nodes affect them.

During the experiment, the values were taken from the mote. were saved in data collection (DC) called “DC1”, “DC2”, “DC3”, “DC4”, “DC5”, “DC6”, and “DC7” based on the seven various scenarios. In each case, there are a different number of normal and attack motes/nodes overall. In the simulation, people join the community by sending a “Hello” message to their nearest neighbours with their identification number and signal power. Then, almost every node changes its routing tables and sends its own messages. In a DDoS/DoS, Hello Flood, Sinkhole, Version, wormhole, RPL Rank, or Blackhole attack, malicious nodes often send out “Hello” messages by sending out DIS packets that make them look like neighbours. This makes them the most accessible node for other nodes. So, they force their neighbours to use their time and money to deal with useless data packets (Simoglou et al., 2021).

A node's level or rank raises the average number of DIO, DIS, and DAO messages it sends out per day. The higher the number of hops between the root and any other node, the longer it takes for a message to go through the system. First-rank malicious nodes, for instance, send out 40 bytes of data every packet, which works out to 320 bytes for a 40-byte packet. In fact, the bandwidth is 10 KByte = 10,240 bits per second. SkyMote's h is supposed to be 320/10,240 = 0.031 s, which corresponds to a 40-byte transmission.

Based on the mentioned range of, this is established by the use of statistical methods. The output shows whether the node is good or bad. So, when the under algorithm is used to find the attacking nodes, their packets will be dropped from the network (Pecori et al., 2020). Both the drop process and the quarantine process have been described in the literature, but the drop procedure has been used more often. In this study, different combinations of features are also used to find the best way to find all seven types of attacks. Using power analyses as well as the LAMOA DL method, research on detecting seven attacks will benefit from the new approach, which is one of the most common types of threats in IoT. This is how the computational complexity of the proposed method was calculated and shown section 4.3.

Table

Cooja Simulation Infrastrcture

$//R=Root(sink)n$

$//N=Othernode$

$//N0=NeighbourRoutingTable$

$START$

$SetRoot=R//broadcasttheDIOmessagetoestablishtheDODAGtree$

$SetNode=N//getDIOmessage$

$SetNode=NO//nodescreatetheirroutingtablebyselectingtheirparentnode$

$SetNode=N//sendDAOmessagetoR$

$SetRoot=R//MulticasttheDAO-ACKtoN$

$SetNewNode=N$

$tree$

$DO:$

$SetR=N//sendDISpacketstojointheDODAG$

$tree$

$DO:$

$SetR=N//sendsDIOtoNfortheirCPU,LPM,T_{x,}and{R}_{x}Values$

$SetN=R//sendsDIOtoRfortheirCPU,LPM,T_{x,}and{R}_x,andTEValues$

$//ST=SimulationTime$

$while(ST<=36000s)$

$return(R)$

$END$

Data Augmentation Process

$fromimblearn.ove{r}_{sampling}importADASYN$

$counter=Counter(y\mathrm{\_}train)$

$print({}^{\mathrm{\prime }}Befor{e}^{\mathrm{\prime }},counter)$

$//oversamplingthetraindatasetusingADASYN$

$ada=ADASYN(rando{m}_{state}=Default)$

$x\mathrm{\_}train\mathrm{\_}DS1,y\mathrm{\_}train\mathrm{\_}DS1=DS1.fit\mathrm{\_}resample(x\mathrm{\_}train,y\mathrm{\_}train)$

$counter=counter(y\mathrm{\_}train\mathrm{\_}DS1)$

$print({}^{\mathrm{\prime }}Afte{r}^{\mathrm{\prime }},counter)$

$BeforeCounter(\{0:6893,1:6893\})$

$aftercounter(\{0:36626,1:36626\})$

Data Pre-processing

$START$

$SetFeaturePreprocessing(ID,LPM,CPU,T_x,R_x,andTE)$

$fn=combinationnumberofthefeature(LPM,CPU,T_x,R_x,andTE$)

$DO$

$SetNewDataset=FeatureSelection(ID,LPM,CPU,T_x,R_x,andTE)forftstep$

$AMILSTM(AdaptivemayflyintegrationLSTM)$

$while(ft<=fn)//triedtoallcombinationofthefeatures$

$return(eveluationmetrics)$

$valuerangeof{R}_{x}determinedbystatisticaloperations$

$End$

Attack Prediction

$START$

$DO$

$ifmax(R_x)>R_x>\text{min}(R_x)$

$NormalNodes({}^{\prime }makesan{\mathrm{N}}^{\prime })$

$ElseMaliciousnodedetectedandDROPpacket(makeas{}^{\prime }{\mathrm{M}}^{\prime }\mathrm{attacks}\mathrm{node})$

$while(t<=SD)$

$return(R)$

$end$

4. Results and discussion

4.1. Network design setup and features

WSN system is part of the IoT ecosystem because it can be used in many different ways and places. Real-life simulations can be used to test this system. Contiki-Cooja is an excellent RPL and WSN simulator. It's free and good for study, so it was recommended. The time duration and speed are shown in the simulation control window, along with buttons to start, pause, reinstall, and stop the modelling. Table 3 shows how the Cooja simulator's parameters have indeed been set up for each of the seven dataset scenarios (1, 2, and 3 … 7).

Table 3. IoT infrastrcture parameter.

No	Features Integrated	Description
1	Simulator	Contiki-2.7 Cooja
2	Network Area	190 m^2
3	Node Type	Sky mote
4	No of Nodes	150 nodes with one sink and malicious 65 node
6	Network Layer	IPV6-ICMP-RPL
7	Attacks Nodes given	Random
8	Data Bytes	100–1200 bytes/cycle
9	Data communication Range	200 m × 200 m
10	Radio medium	UGDM-Unit disk graph medium
11	Application layer	IEEE 802.15.4
12	Internet layer	IPV6-RPL
13	Communication Layer	UDP
14	Speed	180,780
15	Sending Rate	One packet every 5 sec
16	Run Time	64,000 s
17	Size of the packet	40 Bytes

Every sensor's output is simulated to a.csv file, which will then be used for the deep learning methods. In the model that was suggested, the simulation was set up and ran for 10 h in each case. During the simulation, the “Mote output” window shows the outputs for each sky mote sensor node according to the timeline. It also shows the DODAG message details, such as when the message was sent or received, and the node identification (ID) information. Raw packet capture (.pcap) files are made by the Cooja simulation (Thomson et al., 2016). Such files can become.csv files. Python-using the proposed system is self-sufficient, saving node reserves.

4.2. Pre-processing and feature extraction

The IoT routing dataset, which includes both normal and attack nodes, is produced after the simulation starts. More than 6893 instances and 46 features are included in the resulting routing dataset shown in Tables 4 and 5.

Table 4. Total number of features in the Cooja simulation.

Cooja GUI	Total number of features
Network Graph	1) Received (Per Node), 2) Latency, 3) Received (Over Time), 4) Lost (Over Time), 5) Avg Routing Metrix (Over Time), 6) ETX (Over Time), 7) Next Hop (Over Time), 8) Network Hops (Per Node), 9) Routing Metric (Over Time), 10) Neighbours, 11) Beacon Intervel, 12) Network Hops(overtime)
Node Info Graph	1) Reboots, 2) Node, 3) Received, 4) Max Inter Packet Time 5) Dups, 6) LPM Power, 7) Lost, 8) Hops, 9) Transmit Duty Cycle, 10) Rtmetric, 11) ETX, 10) Churn, 12) Listen Power, 13) Beacon Interval, 14) Transmit Power, 15) Avg inter-packet Time, 16) Power, 17) CPU Power, 18) On-Time, 19) Listen Duty Cycle, 20) Min Inter-Packet Time
Power based Graph	1) Average Power, 2) Radio Duty Cycle, 3) Instantaneous Power, 4) Power History
Sensors Graph	1) Average Temperature, 2) Temperature, 3) Battery Voltage, 4) Battery Indicator, 5) Relative Humidity, 6) Light 1, 7) Light 2
Topological Graph	1) Serial Console, 2) Node Control, 3) Network Graph

Table 5. Simulation dataset collection during realtime.

S. No	Type of data	Number of Samples Received
[1]	Without Attacks Data	6893
[2]	Data-DoS/DDoS Attack	400
[4]	Hello Flood Attack	172
[5]	Sinkhole Attack	190
[6]	Wormhole Attack	165
[7]	RPL Rank Attack	180
[8]	Blackhole Attack	148
[9]	Version Attack	120

4.3. Power consumption

The sum of power generation and power consumption is the power consumption rate. The motes used it to exchange packets of data (Haque et al., 2020). (11) $TP=\frac{Powe{r}_{Value}\times C\times V}{R_{t}second\times runtime}$(11) where R_t clock speed is second, Runtime is the interval, $c$ is power, and $v$ is voltage. The following formula can be used to calculate the total energy usage $TP$. (12) $TP=\frac{V}{t}\times ((I_{cpu}\times E_{cpu})+(I_{LPM}\times E_{LPM})+(I_{Tx}\times E_{Tx})+(I_{Rx}\times E_{Rx}))$(12) $E_{cpu}$ represents the power usage of the CPU, $E_{LPM}$ represents the collected power usage of the LPM, $E_{Tx}$ represents the stored power usage of communication, and $E_{Rx}$ represents the accumulated power usage of listening in iteration $t$ The rest of the parameters in (Equations 6 and 7) are described in Table 6, and their values are obtained from the datasheet that comes with the $\text{Tmote }$ Sky mote (Hkiri et al., 2022). In addition, Cooja simulation gives $rimeaddr$ and sent values. Because the current proposal had a success rate of 99.96%, further features did not need to be included in this source of energy Internet of Things scenario.

Table 6. Power consumption parameters for the confined mote.

Parameter	Value
$I_{cpu,}$ Processing Power utilisation	1.9 mA
$I_{LPM},$ Sleeping power utilisation	0.0646 mA
$I_{Tx,}$ Transmission current utilisation	19.5 mA
$I_{Rx,}$ Receiving Current utilisation	22.9 mA
V, Voltage	4 V
Time interval utilisation value	1 s
rtimer _second, Time Frequency	35,896 tickss

4.4. Performance and metrics

The proposed methodology and the RNN-based GA-LSTM, PSO-LSTM, and LAMOA models were tested for accuracy, precision, recall, and F1 score. The equation derived for these measurements is given in the following equations.

The True Positive (TP) is the number of attacks that were correctly identified as cyberattacks.

The True Negative (TN) is the number of normal samples for which it can be accurately predicted that they are safe.

The number of normal samples that were incorrectly identified as being under assault is referred to as a “false positive (FP)”.

FN stands for “false negative”, which is the number of malicious samples that were wrongly labelled as harmless. $\begin{array}{rl}\text{P}& =\text{Total Number of positive}=TP+FN\\ \text{N}& =\text{Total Number of Negative}=TN+FN\end{array}$ (13) $\begin{array}{rl}\text{Accuracy }& =\frac{TP+TN}{TP+TN+FP+FN}\times 100\mathrm{\%}\end{array}$(13) (14) $\begin{array}{rl}\text{Error}& =\frac{FP+FN}{TP+TN+FP+FN}\times 100\mathrm{\%}\end{array}$(14) (15) $\begin{array}{rl}\text{Precision}& =\frac{TP}{TP+FP}\times 100\mathrm{\%}\end{array}$(15) (16) $\begin{array}{rl}\text{Recall}& =\frac{TP}{TP+FN}\times 100\mathrm{\%}\end{array}$(16) (17) $\begin{array}{rl}\text{F}1& =\frac{2\times TP}{(2\times TP)+FP+FN}\times 100\mathrm{\%}\end{array}$(17) (18) $\begin{array}{rl}\text{FPR}& =\frac{FP}{FP+TN}\times 100\mathrm{\%}\end{array}$(18)

Where $x$ is the first characteristic, $y$ is a second characteristic, and $n$ is the size of the sample. Both inter and logical loss occur simultaneously. Predicted output and intended result are compared to see if there is a difference. In a classification when the prediction input is a probability, it measures performance of the model. It must be minor. As the projected chance deviates from of the actual number, the loss in logistical efficiency increases. (19) $\text{Loss function }=-{\sum }_{x=1}^m{z}_x\log (P_x)$(19) where $m$ is the number of classifiers, $p$ is the expected probability of class $x$, and $z$ indicates if the label accurate.

4.5. Real-time dataset classification performance evaluations

The Cooja simulator was used to get the results of the experiment Table 7. In section four, you can read about the Cooja simulator. IoT routing datasets are being analysed to determine the impact of each mote on with and without attack power usage shown in Figures 9–12.

Figure 9. Normal power consumption scenario.

Figure 10. Attack power consumption scenario.

Figure 11. Power consumption each normal motes during simulation.

Figure 12. Power consumption attack motes during simulation.

Table 7. Generating Cooja simulation dataset.

Dataset	Number of Instances
Normal – DoS/DDoS Attack	6893	6520
Normal – Hello Flood Attack	6893	4250
Normal – Sinkhole Attack	6893	4528
Normal – Wormhole Attack	6893	3520
Normal – RPL Rank Attack	6893	3988
Normal – Blackhole Attack	6893	3240
Normal – Version Attack	6893	2895

GA-LSTM, PSO-LSTM, and LAMOA all consume less energy than the standard RPL with attacks (Figure 13). In comparison to the standard RPL with attacks, our new model LAMOA was found to use up to 60% less energy on average, a significant reduction.

Figure 13. Power consumption using proposed models.

To train and evaluate the model, we use two different approaches. In this experiment, we used 80% of the data for training and 20% for testing. To get the best possible results in the first scenario, sample points are used as an activating function to fine-tune the values of the hyper-parameters through the evaluate phase, making use of the optimised adaptive mayfly technique. In the tuning process, epochs with a learning rate and a performance batch size of were found to be optimal (Thavamani & Sinthuja, 2022). Using a different set of testing data, Figures 14 and 15 illustrates the accuracy and error rate of detection in training. For each dataset, both accuracy and loss and AUC performance are calculated Table 8.

Figure 14. Proposed model accuracy using real-time dataset.

Figure 15. Proposed model loss using real-time dataset.

Table 8. Realtime-loss and accuracy evaluation using proposed model.

Dataset	Accuracy	Loss	AUC
DoS/DDoS – DC1	99.2	0.23%	98.6
Hello Flood – DC2	99.7	0.1	98.24
Sinkhole – DC3	99.99	0.2	99.21
Wormhole – DC4	99.5	0.8	98.84
RPL Rank – DC5	99.89	0.26	98.9
Blackhole – DC6	99.45	0.25	99.01
Version – DC7	99.65	1.6	98.79

4.6. Benchmark dataset comparative analysis with proposed classification

Using the proposed anomaly-based models, tests were done on both multiclass and binary classifying using three benchmark datasets. Our proposed models were trained and deployed using python language on a pc with a 2.4 GHz xeon processor, 32 GB of RAM, and an NVIDIA GeForce 1060 6GB CPU since they need high-speed hardware to show efficiency. The system was examined on Windows 11 using Python 3.8 and Keras 2.5.0. An evaluation of a neural network is made up of three steps: training, validation, and testing. If a dataset is not spread out evenly, the classification technique favours the majority class. Class weights and AdaSyn were utilised in order to address the problem of unevenly distributed classes within the datasets. Because the number of class instances was a factor in determining class weights, a class that has a relatively low number of instances will have a greater load. Every single RNN classifier was trained for iterations with a batch size of 1 using an adaptive mayfly optimiser. The most essential thing about a neural network is, without a doubt, its loss functions. In this particular research study, a minimal classified cross-entropy loss error rate was implemented. There were three ways to stop models from being too good. First, the GA-LSTM, PSO-LSTM, and LAMOA layers were using the kernel, bias, and activity regularises bias. The l1-l2 penalty methods are used to regularise the kernel, the bias, and the activity. The second layer was the activity regularisation layer, and the third layer was the dropout layer. Lastly, in the event that the validation loss did not decrease while the model was being refined, an early termination strategy was implemented. Additionally, the risk of overfitting, which occurs when a model is trained for an extended period of time, is decreased when the early pausing technique is utilised. These strategies get rid of the chance that the model will be too good.

This paper classified three benchmark datasets as multiclass and binary. Table 9 displays GA-LSTM, PSO-LSTM, and LAMOA multiclass classifications have used NSLKDD, BoT-IoT, and IoT-23. Table 10 shows the GA-LSTM, PSO-LSTM, and LAMOA models’ NSLKDD results (a). The NSLKDD dataset's accuracy was $99.67$% for GA-LSTM, 99.82% for PSO-LSTM, and 99.78% for LAMOA. It had the highest detection rate of the three NSLKDD models. FPR averaged 0.12% and FNR 0.18% for LAMOA.

Table 9. NSL-KDD, IoT-23, BoT-IoT datasets balancing using ADASYN and multiclassification classification using proposed models.

Model	GA-LSTM				PSO-LSTM				AMILSTM
Class	Acc	P	R	F1	Acc	P	R	F1	Acc	P	R	F1
(a) NSL-KDD Dataset balancing using AdaSyn and multiclassification using a model Whale-LSTM, PSO-LSTM, GWO-LSTM, AMILSTM
Normal	99.91	99.94	99.95	99.95	99.94	99.95	99.96	99.96	99.95	99.7	99.98	99.98
DoS	99.91	99.93	99.98	99.96	99.94	99.90	99.97	99.94	99.95	99.92	99.97	99.5
Probe	99.91	99.64	99.41	99.52	99.94	99.94	99.37	99.43	99.95	99.95	99.96	99.78
R2L	99.91	97.66	94.14	95.87	99.94	97.54	91.24	94.29	99.95	98.64	93.15	95.75
U2R	99.91	99.04	98.10	98.57	99.94	98.70	98.27	98.48	99.96	99.02	99.15	99.35
(b) BoT-IoT dataset balancing using AdaSyn and multiclassification using a model Whale-LSTM, GWO-LSTM, AMILSTM
Normal	99.94	99.96	99.87	99.91	99.97	99.98	99.90	99.94	99.99	99.99	99.99	99.99
DoS	99.94	99.93	99.93	99.93	99.97	99.96	99.99	99.98	99.99	99.99	99.99	99.99
DDoS	99.24	99.25	99.39	99.42	99.43	99.24	99.58	99.47	99.75	99.78	99.82	99.47
Reconnaissance	97.42	97.61	97.25	97.63	97.65	97.67	97.72	97.2	98.67	98.53	98.64	98.84
Scan	99.94	99.93	99.93	99.93	99.97	99.97	99.95	99.96	99.99	99.83	99.83	99.83
Theft	99.94	99.94	99.96	99.95	99.97	99.97	99.96	99.96	99.99	99.78	99.56	99.67
(c) IoT-23 dataset balancing using AdaSyn and multiclassification using a model Whale-LSTM, GWO-LSTM, AMILSTM
Normal	99.86	99.74	99.89	99.81	99.88	99.74	99.95	99.85	99.89	99.86	99.92	99.89
DDoS	99.86	99.80	99.39	99.59	99.88	99.83	99.39	99.61	99.89	99.73	99.94	99.84
Attack	99.86	98.50	99.99	99.24	99.88	98.50	99.24	98.87	99.89	99.17	90.84	94.82
Mirai	99.86	98.63	97.84	98.23	99.88	99.68	97.90	98.78	99.89	98.58	98.58	98.58
File Download	99.86	96.48	96.93	96.71	99.88	98.64	97.39	98.01	99.89	98.50	93.09	95.72
Hearbeat	99.86	99.07	98.63	98.85	99.88	99.64	98.73	99.18	99.89	99.08	98.53	98.81
C&C	99.86	99.84	99.86	98.85	99.88	99.84	99.84	99.84	99.89	99.90	99.86	99.88
Torii	99.86	99.99	99.99	99.99	99.88	99.99	99.99	99.99	99.89	99.99	99.99	99.99
Port Scan	99.86	99.99	99.99	99.99	99.88	99.99	99.99	99.99	99.89	99.99	99.99	99.99
Okiru	99.86	99.99	99.99	99.99	99.88	99.95	99.99	99.97	99.89	99.93	99.99	99.97

Table 10. Benchmark datasets binary classification using novel LAMOA model.

Dataset	Class	Accuracy	Precision	Recall	F1 Score	TNR	FPR	FNR
NSL-KDD	Normal	99.92	99.88	99.92	99.90	99.97	0.03	0.08
	Attack		99.98	99.97	99.98	99.92	0.08	0.03
BoT-IoT	Normal	99.96	99.76	99.83	99.80	99.99	0.01	0.17
	Attack		99.99	99.99	99.99	99.83	0.17	0.01
IoT-23	Normal	99.70	99.63	99.71	99.67	99.84	0.16	0.29
	Attack		99.88	99.84	99.86	99.71	0.29	0.16

The NSLKDD dataset was less correct than the BoT-IoT dataset. Table 9(b) shows how well the BoT-IoT dataset was used by the GA-LSTM, PSO-LSTM, and LAMOA models. Normal, DoS, Scan, and Theft were all able to be tracked at a rate of at least 99.50% in the BoT-IoT dataset. For the LAMOA model, the FPR was 0.03% and the FNR was 0.09%. A lot of mistakes are made in the scans and theft classifications.

GA-LSTM, PSO-LSTM, and LAMOA models were used on the ten classes in Table 9(c) IoT-23 dataset. The proposed methods were right between 99.71% and 99.83% of the time. The FPR for the LAMOA model was 0.03%, and the FNR was 0.11%. The IoT-23 dataset has a recall rate of 99.89% and an average accuracy of 99.85%.

4.7. Performance analysis

Class weights were employed to balance datasets during training. ADASYN resolved class inequalities. NSLKDD, BoT-IoT, and IoT-23 use ADASYN. The table shows that NSLKDD Prob, U2L, and R2L malware detection have increased. Randomly selecting 1 million instances from BoT-DoS IoT's and Scan classes, borderline ADASYN was used to balance the remaining classes. Borderline ADASYN was used to balance the IoT-23 dataset's. Table 9 shows that IoT-23 improves minority class detection (d).

We enhance the binary classification approach to classify IoT-23 normal and malicious classes. IoT-23 was separated into 18 subgroups, each containing normal and abnormal data. GA-LSTM, LAMOA, and PSO-LSTM were evaluated for each subgroup. Figure 16 shows the accuracy, precision, recall, and F1 score of the GA-LSTM, LAMOA, and PSO-LSTM models on the IoT-23 normal and attack classes. LAMOA, PSO-LSTM and GA-LSTM A single hidden layer RNN was used to look at both the good and bad IoT-23 data.

Figure 16. Binary classification using GA-LSTM, LAMOA, PSO-LSTM using IoT-23 dataset.

Table 10 summarises the LAMOA binary classification evaluation results. The BoT-IoT dataset was accurate and reliable. The LAMOA model detected 99.96% of BoT-IoT, had a 0.2% FPR, and a 0.1% FNR. BoT-IoT has a 99.81% detection accuracy, greater than other models.

NSLKDD, BoT-IoT, and IoT-23 were properly identified using one deep layer of recurrent neuronal activity. Performance measurements for binary classification were also assessed ROC AUC (ROC AUC). ROC curves were plotted for the three-benchmark dataset training and verification sets. displays the ROC curve for NSLKDD, BoT-IoT, and IoT-23 LAMOA binary classifier models used. The ROC curve for the testing data is shown in Figures 17 and 18.

Figure 17. AMILSTM for the Training data with benchmark datasets.

Figure 18. AMILSTM for the Testing data with benchmark datasets.

This demonstrates how well the proposed methods compare to other learning models that can be used to predict the different types of attacks. On this test, the proposed deep learning models LAMOA, GA-LSTM, and PSO-LSTM outperform other learning approaches significantly. We also tested the frameworks using the benchmarks and evaluated them by comparing them to the other learning models. Tables 11 and 12 show how the models compare when different ways of measuring performance are used.

Table 11. Comparative analysis of binary classification using DL models.

Article	Binary classification Model	Benchmark Dataset	Accuracy	Precision	Recall	F1 Score	FPR
Alkahtani and Aldhyani (2021)	CNN-LSTM	NSL-KDD	98.90	–	–	–	–
Imrana et al. (2021)	BI-LSTM	NSL-KDD	94.26	99.05	90.79	94.75	1.15
Kan et al. (2021)	APSO-CNN	NSL-KDD	98.8	91.5	90.7	98.89	0.8
Yin et al. (2017)	RNN	Botnet-IoT	98.4	98.5	97.1	97.8	5.3
Cakir et al. (2020)	GRU	Botnet-IoT	98.3	98.4	97.1	97.7	5.3
Liu et al. (2020)	PSO-SVM	NSL-KDD	99.4	-	-	-	-
Imrana et al. (2021)	LSTM	NSL-KDD	92	-	-	-	-
Ji et al. (2021)	GA-DBN	NSL-KDD	99	-	-	-	-
Proposed Model	GA-LSTM	NSL-KDD	99.91	99.94	99.92	99.93	0.09
	PSO-LSTM	NSL-KDD	99.91	99.95	99.96	99.96	0.09
	LAMOA	NSL-KDD	99.92	99.96	99.95	99.96	0.07
	GA-LSTM	Botnet-IoT	99.90	99.95	99.95	99.95	0.52
	PSO-LSTM	Botnet-IoT	99.93	99.97	99.97	99.97	0.37
	LAMOA	Botnet-IoT	99.96	99.96	99.99	99.97	0.1

Table 12. Comparative analysis of multi-classification using DL models.

Article	Multi classification Model	Dataset	Accuracy	Precision	Recall	F1 Score	FPR
Yin et al. (2017)	RNN	NSL-KDD	81.29	83.06	81.29	79.25	13.00
Imrana et al. (2021)	LSTM	NSL-KDD	98.93	98.90	99.10	99.00	–
Liu et al. (2020)	PSO-SVM	BoT-IoT	99	–	–	–	–
Imrana et al. (2021)	Bi-LSTM	NSL-KDD	91.36	92.81	91.36	91.67	4.03
Ullah et al. (2021)	CNN-GRU	BoT-IoT	99.21	99.10	99.10	99.10	–
Proposed Model	GA-LSTM	NSL-KDD	99.91	99.94	99.92	99.93	0.06
	PSO-LSTM	NSL-KDD	99.92	99.93	99.92	99.92	0.06
	LAMOA	NSL-KDD	99.94	99.96	99.94	99.95	0.05
	GA-LSTM	Botnet-IoT	99.94	99.97	99.94	99.95	0.03
	PSO-LSTM	Botnet-IoT	99.96	99.96	99.93	99.94	0.02
	LAMOA	Botnet-IoT	99.97	99.97	99.95	99.96	0.02

5. Conclusion

The method that was involved in developing the proposed framework, which is based on real-time traffic routing to provide an Internet of Things environment with both normal and attacked nodes, many steps have been taken to make the proposed system work. To start, an IoT routing dataset related to energy consumption was generated using the Cooja simulator in the proposed framework. This dataset included both normal and attack motes. Deep learning LSTM with metaheuristics High-performance measurements and a powerful model were created using adaptive mayfly integration, which was the basis for the model that was proposed. So, ADASYN was used to make the IoT routing dataset bigger so that a strong model could be built. The IoT routing dataset was made using three ways to extract features: weight by adaptive mayfly, weight by tree significance, and LSTM is used to get rid of characteristics that are irrelevant and redundant features. The IoT routing dataset was enhanced using these techniques in order to get rid of noise and overfitting in the learning model, as well as to determine which characteristics are the most significant for developing a robust model. In addition to this, they suggested a two-hybrid metaheuristic GA-LSTM and PSO-LSTM model in order to evaluate it in contrast to the adaptive mayfly model. The LAMOA outperforms the two models. The final three models for binary classification produced using deep learning have been made using GA-LSTM, PSO-LSTM, and LAMOA. Three sets of benchmark datasets (NSL-KDD, Bot-IoT, and IoT-23) have been used to test the frameworks that were recommended. When compared to previous work done with deep learning, the multiclass and binary classification models that were proposed performed much better in terms of accuracy, precision, recall, and F1 score. Future work plan to implement with the field of AI and machine learning known as explainable AI is a recent one that is only beginning to emerge. It is of the greatest priority to build network trust in relation to the decisions that are made by AI models. Continuous monitoring and accurate data classification operations enhanced the quality of any vulnerability analysis system. The XAI-based advanced models provide better understanding about the dataset and future pattern prediction and classification. Thus, the proposed LSTM-based mayfly optimisation-based algorithm utilises the unique characteristic of XAI tool to classify routing-based network threats under the real-time monitoring. The model can be extended further to analyse and classify blockchain-based network transactions and its security threats. The model also supports the analysis of security attack dataset which captured through mobile devices. The current research model considers only the stand-alone device-based attack and its classification, The future work may be extended with dynamic mobile data-based attacks on the IoT infrastructure.

Abbreviations

LSTM	=	Long Short-Term Memory
AMOA	=	Adaptive mayfly optimisation algorithm
PSO	=	Particle Swarm Optimisation
GA	=	Genetic Algorithm
RPL	=	Routing Protocol for Low-Power and Lossy Network
LAMOA	=	LSTM Adaptive mayfly optimisation algorithm
ADASYN	=	Adaptive Synthetic
APSO	=	Adjusting Particle Swarm optimisation
CNN	=	Convolution Neural Network
IIoT	=	Industrial of Internet of Things
IoT	=	Internet of Things
DL	=	Deep Learning
IDS	=	Intrusion Detection System
SMOTE	=	Synthetic Minority Over-Sampling Technique
KNN	=	k-nearest neighbour
DDoS	=	Distributed Denial of Services

Disclosure statement

No potential conflict of interest was reported by the author(s).