Evolutionary-Based Deep Stacked Autoencoder for Intrusion Detection in a Cloud-Based Cyber-Physical System

Abstract

As cyberattacks develop in volume and complexity, machine learning (ML) was extremely implemented for managing several cybersecurity attacks and malicious performance. The cyber-physical systems (CPSs) combined the calculation with physical procedures. An embedded computer and network monitor and control the physical procedure, commonly with feedback loops whereas physical procedures affect calculations and conversely, at the same time, ML approaches were vulnerable to data pollution attacks. Improving network security and attaining robustness of ML determined network schemes were the critical problems of the growth of CPS. This study develops a new Stochastic Fractal Search Algorithm with Deep Learning Driven Intrusion Detection system (SFSA-DLIDS) for a cloud-based CPS environment. The presented SFSA-DLIDS technique majorly focuses on the recognition and classification of intrusions for accomplishing security from the CPS environment. The presented SFSA-DLIDS approach primarily performs a min-max data normalization approach to convert the input data to a compatible format. In order to reduce a curse of dimensionality, the SFSA technique is applied to select a subset of features. Furthermore, chicken swarm optimization (CSO) with deep stacked auto encoder (DSAE) technique was utilized for the identification and classification of intrusions. The design of a CSO algorithm majorly focuses on the parameter optimization of the DSAE model and thereby enhances the classifier results. The experimental validation of the SFSA-DLIDS model is tested using a series of experiments. The experimental results depict the promising performance of the SFSA-DLIDS model over the recent models.

1. Introduction

With the emergence of disruptive technology, Industry 4.0 is experiencing huge transitions in terms of cost efficiency and performance [1]. In particular, this applies to smart computing on a big scale, namely, Cloud Computing, the Internet of Things (IoTs), and Cyber Physical System (CPS). CPS is a multi-dimensional, complex system that integrates a computer, network, and physical environment [2]. With the deep collaboration of 3C (control, computation, and communication) techniques, the dynamic control, information servicing, and real-time perception of large engineering systems are realized [3]. CPS realizes the organic design of physical, computation, and transmission systems, making the system capable, reliable, and effective for simultaneous collaboration, resulting in extensive and important application prospects. CPS is utilized in different industries and fields [4,5]. In recent times, the information technology sector has expanded rapidly. Innovations and breakthroughs of several techniques have been established, resulting in earth-shaking changes in people’s lives [6].

Particularly, in the process of rapid development, embedded technologies are often applied to human life [7,8]. CPS has become the most prominent in researches and development direction for scholars in different countries because of its extensible, scalable, and interactive features, and also it becomes a priority investment region for large enterprises. In contrast to embedded technologies, a CPS, as a combination of computer technology and physical equipment, transforms a computing object from distributed to unified, discrete to continuous, and digital to analog [9]. In contrast to the IoT system, the perceptibility of CPS after the connection of physical entities pay increased attention to dynamic or ongoing data control of the information services and major component of the device. In comparison to software system, CPS focuses on the feedback and control of the physical process, highlighting the dynamic response and interaction of data processing [10].

In relation to CPS security, a conventional pattern approaches the cyber and physical systems individually and cannot address vulnerability that is related to embedded controllers and networks that are intended for controlling and monitoring physical processes [11]. Hence, it is necessary for an organic security system to protect CPS from cyberattacks. In this study, there exists strong evidence of the necessity for security in this system and the havoc that can result if the security is disregarded. To identify unexpected errors and attacks in CPS, an anomaly detection method is suggested to mitigate the threat. For instance, state estimation (i.e., Kalman filter), rule, statistical models (histogram-based model and Gaussian model) based methods are applied for learning the regular status of CPS [12]. However, each method generally needs expert knowledge (for example, operator manually extracts some rules), or should know the fundamental distribution of data. The machine learning (ML) approach does not depend upon domain-specific knowledge [13]. However, it generally needs an abundance of labeled datasets (for example, classification-based method). As well, they could capture the unique attribute of CPS (for example, spatial-temporal relationship). The intrusion detection (ID) method is dedicated to ensuring network security.

This study develops a new Stochastic Fractal Search Algorithm with Deep Learning Driven Intrusion Detection system (SFSA-DLIDS) for a cloud-based CPS environment. The presented SFSA-DLIDS technique majorly focuses on the recognition and classification of intrusions for accomplishing security from the CPS environment. The presented SFSA-DLIDS approach primarily performs min-max data normalization approach to convert the input data to a compatible format. In order to reduce a curse of dimensionality, the SFSA technique is applied to select a subset of features. The SFSA uses the idea of fractals to satisfy the intensification (exploitation) property needed by optimization algorithms, and the stochasticity feature to guarantee the diversification (exploration) of the search space. Additionally, chicken swarm optimization (CSO) with deep stacked auto encoder (DSAE) technique was utilized for the identification and classification of intrusions. The experimental validation of the SFSA-DLIDS model is tested using a series of experiments.

2. Literature Review

Li et al. [14] present a novel federated DL approach termed DeepFed, for identifying cyber threats against industrial CPSs. Especially, the authors’ primary design is a novel DL-based ID method for industrial CPSs, creating utilization of CNN and GRU. Secondary, the authors create a federated learning structure and permit several industrial CPSs to combine a detailed ID method from a privacy-preserving approach. de Araujo-Filho et al. [15] present FID-GAN, a novel fog-based, unsupervised IDS for CPSs employing a generative adversarial network (GAN). The IDS was presented to a fog structure that takes computation resources as near as possible to the end node and so provides for a lesser latency requirement. For achieving superior detection rates, the presented structure estimates a reconstruction loss depending upon the reform of data instances mapped to latent spaces. Alohali et al. [16] project a novel AI-enabled multimodal fusion-based IDS (AIMMF-IDS) for CCPS from the Industry 4.0 environments. The presented method primarily executes the data pre-processed approach in two manners such as data conversion and data normalization. Moreover, an improved fish swarm optimization-based FS (IFSO-FS) system is utilized to suitable selective features. The IFSO approach was developed by utilizing a Levy Flight (LF) model as the search process of a typical FSO technique in order to avoid the local optimum problems.

Althobaiti et al. [17] examine a novel cognitive computing-based IDS approach for achieving security from industrial CPS. The presented method contains pre-processing for discarding the noise which exists from the data. Afterward, the proposed method utilizes a binary bacterial foraging optimization (BBFO) based FS approach for selecting the best subset of features. Additionally, the GRU method was executed for identifying the occurrence of intrusions from the industrial CPS environments. The authors in [18] primarily present a new self-learning spatial distribution technique called Euclidean distance-based between-class learning (EBC learning) that enhances between-class learning by computing the Euclidean distance (ED) amongst KNN of distinct classes. Moreover, a cognitive computing-based ID model termed order-line SMOTE and EBC learning dependent upon RF (BSBC-RF) is also presented as dependent upon EBC learning to industrial CPSs. Ibor et al. [19] present a new hybrid technique for intrusion forecast on a CPS’s communication network. The authors utilize a bio-simulated hyperparameter searching approach for generating an enhanced DNN infrastructure dependent upon the basic hyperparameters of NNs. In addition, the authors develop a forecasting method dependent upon the enhanced NN infrastructure. Some other methods in the literature are available in [20,21,22,23].

3. The Proposed Model

In this article, a new SFSA-DLIDS technique has been projected for the classification and identification of intrusions from the CPS environment. The presented the SFSA-DLIDS model primarily performs a min-max data normalization approach to convert the input data to a compatible format, followed by the SFSA technique, which is applied to select a subset of features. Finally, the CSO-DSAE approach was utilized for the identification and classification of intrusions. Figure 1 depicts the block diagram of the SFSA-DLIDS approach.

3.1. Data Pre-Processing

At the initial stage, the presented approach performs the min-max data normalization approach to convert the input data to a compatible format. It can be executed to scale the feature from the zero and one range with the execution in Equation (1):

$${\nu }^{\prime }=\frac{v-{\min }_A}{{\max }_A-{\min }_A}$$

(1)

At this point, ${\min }_A$ and ${\max }_A$ signifies the minimal and maximal values of features $A$. The original and normalized values of the elements, $A$ have been demonstrated by $\nu$ and ${\nu }^{\prime }$ correspondingly. It is apparent in the above formula that the maximal and minimal feature values were mapped to one and zero correspondingly.

3.2. Feature Selection Using SFSA Technique

In this work, the SFSA technique is applied to select a subset of features. SFSA is based on the specific development marvel of a random fractal and basically uses two processes afterward for population initialization: (1) diffusion and (2) update to enhance the searching [24]. In the arithmetical modeling of the SFSA, the finest solution is only preferred from the diffusion method to generate novel arrangements, while overlooking discrete arrangements. The procedure for making a new arrangement is characterized as Gaussian walks $\left(Gw\right)$ that are determined in the following:

$$G{w}_1=Gaussian \left({\mu }_G, \sigma \right)+\left(rand\left(0,1\right)\times P_B-rand \left(0,1\right)\times P_i\right)$$

(2)

$$G{w}_2=Gaussian\left({\mu }_P, \delta \right)$$

(3)

The expression: $rand\left(0, 1\right)$ refers to an arbitrary value that lies between zero and one, $P_i$ and $P_B$ denotes the $i$-$th$ solutions and every particle diffuses around its position and completes correspondingly; ${\mu }_G$ and ${\mu }_P$ indicates the Gaussian means walk that is equivalent to $\left|P_i\right|$ and $\left|P_B\right|$ correspondingly;$\delta$ denotes the standard deviation that is calculated by:

$$\delta \left|\frac{\log \left(g\right)}{g}\left(P_i-P_B\right)\right|$$

(4)

In Equation (4), $g$ represents the iteration count. In the optimization technique, $g$ is increased but lesser than ending criteria $G_{\mathfrak{m}ax},$ $\delta$ are attuned dynamically. All the particles are diffused around their current situation by using the Gaussian walk until a predetermined extreme dissemination number YD is obtained. Based on the following equation, many generated solutions are attained:

$$P_{ij}=L{B}_{ij}+rand\left(0,1\right)\times \left(U{B}_{ij}-L{B}_{ij}\right),j=1,2,3,\dots ,Y_D$$

(5)

In Equation (5), $U{B}_{ij}$ and $L{B}_{ij}$ refers to the upper as well as lower limits of j-th values of solution $i;y_D$ denotes the maximal diffusion count of solutions generated by the SFSA. Then, the quality of solution has been calculated and the optimal solution $P_B$ is defined. In this step, two methods are used: initially update the solution of (p) probability according to the value of $Pa<rand \left(0,1\right)$ as follows:

$$P_a=\frac{rank\left(P_i\right)}{N_D}$$

(6)

$$P_{ij}^{\prime }=P_{aj}-rand\left(0,1\right)\times \left(P_{a1}-P_{a2}\right)$$

(7)

In Equation (7), rank (p) refers to the rank of $i^{th}$ solutions amongst different arrangements in the population; $P_i^{\prime }$ indicates the new solution of the $i$-$th$ solution; $P_{a1}$ and $P_{a2}$ signifies the random solution of population. Next, improve the exploration accordingly and apply the variations to the solution based on discrete solutions from the population. However, the process initiates by sorting each arrangement based on the following equation. When $P_a<rand\left(0,1\right)$ for the $P_i^{\prime }$, there is no update for the present solution $P_i$ or else the solution was upgraded by the following expression:

$$P_i^{\prime \prime }=\{\begin{array}{ll}{P}_i^{\prime } —rand\left(0,1\right)\times \left(P_t^{\prime }-P_B\right)\hfill & rand\left(0,1\right)\le 0.5\hfill \\ P_i^{\prime }+rand\left(0,1\right)\times \left(P_t^{\prime }-P_r^{\prime }\right)\hfill & rand\left(0,1\right)>0.5\hfill \end{array}$$

(8)

Let $P_t^{\prime }$ and $P_t^{\prime }$ be the solution randomly designated from the Gaussian distribution. The following phase is for comparing the quality of $P_i^{″}$ with $P_i^{\prime }$ and $\left(P_i^{″}\right)$ is superior to $\left(P_i^{\prime }\right)$ then $P_i^{″}$ is substituted $P_i$ or else $P_i^{\prime }$ not upgraded.

The fitness function (FF) of the SFSA system utilized from the presented system was planned to contain a balance among the amount of chosen features from all the solutions (minimal) and the classifier accuracy (maximal) reached by utilizing these selective features. Equation (9) defines the FF for evaluating solutions:

$$Fitness=\alpha {\gamma }_R\left(D\right)+\beta \frac{\left|R\right|}{\left|C\right|}$$

(9)

whereas ${\gamma }_R\left(D\right)$ denotes the classifier error rate of provided classifier (the KNN technique was utilized). $\left|R\right|$ stands for the cardinality of chosen subset and $\left|C\right|$ signifies the entire amount of features from the dataset, $\alpha ,$ and $\beta$ signifies the 2 parameters equivalent to significance of classifier quality and subset length. ∈ [1, 0] and $\beta =1-\alpha .$

3.3. DSAE-Based Data Classification

To recognize and classify intrusions, the DSAE model has been exploited in this study. In our study, the SAE used is developed by different LR and AE layers [25]. AE is the fundamental component of SAE classification. Figure 2 demonstrates the infrastructure of SAE. It comprises an encoding step (Layer 1 to Layer 2) and a reconstruction or decoding step (Layer 2 to Layer 3). This procedure is expressed in the following equation, where $W$ and $W^T$ (the transpose of W) refers to the weight matrix of mode $b$ and $b^{\prime }$ are two distinct bias vectors, $s$ indicates a nonlinearity function, namely the sigmoid function applied in the work, $\gamma$ denotes a latent depiction of $x$ input layer, and $z$ is regarded as a prediction of $x$ given $\gamma$ and it must have the identical shape as $x.$

$$\gamma =s\left(Wx+b\right).$$

(10)

$$z=s\left(W^T\gamma +b^{\prime } \right)$$

(11)

Numerous AE layers are collectively stacked to procedure in an unsupervised pre-training phase (Layer 1 to Layer 4). The latent depiction $\prime y$ calculated by an AE is utilized as the input to the following AE layers. All the layers are trained by an AE by reducing the reconstruction error that perform as a single layer at a time. The reconstructing error $($loss function $\left(x,z\right)$) is evaluated in different methods. In our work, we apply cross-entropy for measuring the reconstructing error, as demonstrated in Equation (12), where $x_k$ and $z_k$ denotes the $k^{th}$ component of $x$ and $z$, correspondingly.

$$L\left(x,z\right)=-{\displaystyle \sum }_{k=1}^d[x_{k}ln{z}_k+\left(1-x_k\right)ln\left(1-z_k\right)]$$

(12)

The reconstructing error is minimalized by the Gradient Descent mechanism. The weight in Equations (10) and (11) need to be upgraded based on the following equations, where $0$ indicates the learning rate:

$$W=W-\mathsf{\alpha }\frac{\partial L\left(x,z\right)}{\partial W}.$$

(13)

$$b=b-\mathsf{\alpha }\frac{\partial L\left(x,z\right)}{\partial b}.$$

(14)

$$b^{\prime }=b^{\prime }-\mathsf{\alpha }\frac{\partial L\left(x,z\right)}{\partial b’}.$$

(15)

Once the layer is pre-trained, the network enters the supervised finetuning phase. In the supervised finetuning phase, add an LR layer to the resultant layer. In this work, probability that the $x$ input vector (Layer 4) belonging to $i$-$th$ class is determined in the above equation, where $y$ represents the predicted class of input vector $x. W$ and $b$ denote the weight matrices and the bias vector, correspondingly, $W_j$ and $W_j$ denote the $i^{rh}$ and $j^{rh}$ row of matrixes $W,$ correspondingly, $b_i$ and $b_j$ denote the $i^{th}$ and $j^{th}$ elements of vector $b$, correspondingly, and $soft\max$ refers to the nonlinearity function. The class with the maximum probability was assumed as the prediction label $y_{pred}$ of $x$ input vector, as determined in Equation (17). The predictive error of sample dataset $D\left(Loss\left(D\right)\right)$ is evaluated according to the true label, as demonstrated in Equation (18), where $y_i$ indicates the true label of $x_i.$ $Loss\left(D\right)$ is minimalized by the Gradient Descent model that is the same as the procedure of minimalizing the abovementioned reconstruction error:

$$P\left(Y=i|x, W, b\right)=soft\max \left(Wx+b\right)=\frac{e^{W_{i}x+b_j}}{{{\displaystyle \sum }}_j{e}^{W_{j}x+b_{\mathrm{j}}}}.$$

(16)

$$y_{pred}=\mathrm{argmax} \left(P\left(Y=i|x, W, b\right)\right)$$

(17)

$$Loss \left(D\right)=-{\displaystyle \sum }_{i=0}^D\mathrm{In} (P(V=y_i|x_i, W, b))$$

(18)

3.4. Hyperparameter Tuning Using CSO Algorithm

Here, the CSO algorithm was executed for the parameter optimization of the DSAE approach and thereby enhances the classifier results. Meng et al. [26] suggest the CSO technique. A novel SI optimized technique was presented for simulating the hierarchy and foraging performance of chickens. The population was separated into many subgroups. All the subgroups contain cock, chick, and hen. The CSO technique follows the subsequent principles:

(1)

The whole population contains many sub-populations, each of which comprises cock, amount of hens, and many chicks.

(2)

The fitness value (FV) of all the particles from the population was computed. The particle is classified depending upon the FV. Some particles with optimum FVs were chosen as cocks, some particles with worse FVs were chosen as chickens, and remaining particles were chosen as hens.

(3)

In specific hierarchy, the dominance connection and mother–child connection remained unaffected. However, as the chicks produced, the population connection was modified. The hierarchy control connection and maternal connection of chicken swarms were variations all the $G$ time.

(4)

The cock controls the flock, the hen follows the cock from its individual populations and the chick food was nearby the hens. The hen arbitrarily combines a subpopulation. The connection among mother as well as child from the flock was arbitrarily introduced. The cock with main searching range and an optimum searching capability was led from the flocks. The chick particle has the worse foraging capability and minimum foraging range. The foraging capability and searching range of hen particles were amongst cock as well as chick particles.

In CSO, there were $N$ particles from the entire chick flock. The amount of roosters can be determined as $N_r$. The amount of hens was determined as $N_h$, and the amount of chickens was $N_c$. Distinct types of chickens are distinct place upgrade formulas if they can be determined as food [20]. The roosters are one of the adjustable individuals from chickens and, most apparently, for defining food from the entire population.

The formula for place upgrade of cock particles is depicted in Equation (19):

$$\begin{gathered} P_i^j\left(t+1\right)=P_i^j\left(t\right)\ast \left(1+Randn\left(0,{\sigma }^2\right)\right) \\ {\sigma }^2=\{\begin{array}{ll}1\hfill & W_i<W_k\hfill \\ \exp \left(\frac{\left(W_k-W_i\right)}{\left|W_i\right|+\epsilon }\right)\hfill & others\hfill \end{array} \end{gathered}$$

(19)

In which, the $k\in \left[1,c_n\right]$, and $k\ne i.$ $Randn\left(0,{\sigma }^2\right)$ means the Gaussian distribution with mean value of $0$ and standard deviation of ${\sigma }^2$. An individual place of $P_i^j\left(t\right)$ is the value of $j^{th}$ dimensional of $i^{th}$ individual at $t^{th}$ iterations. $\epsilon$ is some lesser constant; $k$ refers to the random cock from every cock except $i^{th}$ cock; $W_i$ refers the FV equivalent to $i^{th}$ cock; $W_k$ denotes the FV equivalent to $k^{th}$ cocks. The hens are maximal proportion of individuals from the entire chick population. Their place upgrade formulation is depicted in Equation (20):

$$\begin{gathered} P_i^j\left(t+1\right)=P_i^j\left(t\right)+K_1\ast Random \ast \left(P_{r1}^i\left(t\right)-P_i^j\left(t\right)\right)+K_2\ast Random \ast \left(P_{r2}^j\left(t\right)-P_i^j\left(t\right)\right) \\ {K}_1=\frac{\exp \left(W_i-W_{r_1}\right)}{\left|W_i\right|+\epsilon } \\ {K}_2=\exp \left(W_{r_2}-W_i\right) \end{gathered}$$

(20)

whereas $Random$ stands for the arbitrary number amongst $\mathrm{zero}$ and one, which follows the standard normal distribution. $r_1$ represents the cock from the group but $i^{th}$ hen was placed. $r_2$ demonstrated that some cock excepting the cock from the set of $i^{th}$ hen. Therefore $r_1$ is distinct in $r_2$. The chick follows the hen searching and chick place upgrade equation demonstrated in Equation (21):

$$P_i^j\left(t+1\right)=P_i^j\left(t\right)+FL\ast \left[P_m^j\left(t\right)-P_i^j\left(t\right)\right]$$

(21)

In which $FL$ refers to the average amount equally distributed from zero and two. $P_m^j\left(t\right)$ implies the hen place equivalent to $i^{th}$ chick. The CSO system determines an FF to accomplish superior classifier performances. It determines a positive integer for exemplifying the best efficiency of candidate results. In this scenario, the reduced classification error rate has been supposed that FF is providing in Equation (22). An optimum outcome is a decreased error rate and a worse solution accomplishes an improved error rate:

$$\begin{gathered} fitness\left(x_i\right)=ClassifierErrorRate\left(x_i\right) \\ \hspace{1em}\hspace{1em}=\frac{number of misclassified samples}{Total number of samples}\ast 100 \end{gathered}$$

(22)

4. Results and Discussion

The experimental validation of the SFSA-DLIDS model is tested using two benchmark datasets, namely, NSLKDD 2015 [27] and CICIDS 2017 [28] datasets.

Table 1. Dataset details.

Class	No. of Samples
	NSLKDD 2015	CICIDS 2017
Normal	67,343	50,000
Anomaly	58,630	50,000
Total	125,973	100,000

illustrates the details on two benchmark datasets. The NSLKDD 2015 dataset holds samples under two classes. It includes 67,343 samples under normal class and 58,630 samples under anomaly class. In addition, the CICIDS 2017 dataset holds 50,000 samples under normal class and 50,000 samples under anomaly class.

Figure 3 indicates the confusion matrices produced by the SFSA-DLIDS approach on the test NSLKDD 2015 dataset. With 70% of training (TR) dataset, the SFSA-DLIDS model has recognized 46,762 samples into normal class and 40,054 samples into anomaly class. In addition, with 30% of the testing (TS) dataset, the SFSA-DLIDS method has recognized 20,147 samples into normal class and 17,062 samples into anomaly class. Additionally, with 20% of TS dataset, the SFSA-DLIDS approach has identified 13,390 samples into normal class and 11,665 samples into anomaly class.

Table 2. Result analysis of SFSA-DLIDS approach with various measures on NSLKDD 2015 dataset.

Class Labels	Accuracy	Precision	Recall	F-Score
Training Phase (70%)
Normal	97.74	98.76	96.67	97.71
Anomaly	97.74	96.76	98.80	97.77
Average	97.74	97.76	97.74	97.74
Testing Phase (30%)
Normal	97.86	98.94	96.79	97.85
Anomaly	97.86	96.82	98.95	97.87
Average	97.86	97.88	97.87	97.86
Training Phase (80%)
Normal	99.35	99.34	99.36	99.35
Anomaly	99.35	99.37	99.34	99.35
Average	99.35	99.35	99.35	99.35
Testing Phase (20%)
Normal	99.32	99.39	99.28	99.33
Anomaly	99.32	99.26	99.37	99.32
Average	99.32	99.32	99.33	99.32

and Figure 4 showcase the overall classification output of the SFSA-DLIDS model on the test NSLKDD 2015 dataset. The results implied that the SFSA-DLIDS model has resulted to enhanced results under all aspects. For instance, with 70% of TR data, the SFSA-DLIDS model has offered average $acc{u}_y$ of 97.74%, $pre{c}_n$ of 97.76%, $rec{a}_l$ of 97.74%, and $F_{score}$ of 97.74%. Simultaneously, with 30% of TS data, the SFSA-DLIDS approach has rendered average $acc{u}_y$ of 97.86%, $pre{c}_n$ of 97.88%, $rec{a}_l$ of 97.87%, and $F_{score}$ of 97.86%. Concurrently, with 20% of TS data, the SFSA-DLIDS method has provided average $acc{u}_y$ of 99.32%, $pre{c}_n$ of 99.32%, $rec{a}_l$ of 99.33%, and $F_{score}$ of 99.32%.

The training accuracy (TA) and validation accuracy (VA) acquired by the SFSA-DLIDS approach on NSLKDD 2015 dataset is demonstrated in Figure 5. The experimental outcome denoted that the SFSA-DLIDS algorithm attained maximal values of TA and VA. In specific, the VA is higher than TA.

The training loss (TL) and validation loss (VL) obtained by the SFSA-DLIDS methodology on NSLKDD 2015 dataset are accomplished in Figure 6. The experimental outcome represented that the SFSA-DLIDS technique exhibited minimal values of TL and VL. Particularly, the VL is less than TL.

Figure 7 represents the confusion matrices generated by the SFSA-DLIDS algorithm on the test CICIDS 2017 dataset. With 70% of TR dataset, the SFSA-DLIDS methodology recognized 33,748 samples into normal class and 34,669 samples into anomaly class. Moreover, with 30% of TS dataset, the SFSA-DLIDS approach recognized 14,607 samples into normal class and 14,752 samples into anomaly class. Along with that, with 20% of TS dataset, the SFSA-DLIDS method recognized 10,026 samples into normal class and 9839 samples into anomaly class.

Table 3. Result analysis of SFSA-DLIDS approach with various measures on CICIDS 2017 dataset.

Class Labels	Accuracy	Precision	Recall	F-Score
Training Phase (70%)
Normal	98.45	97.79	99.35	98.56
Anomaly	98.45	99.24	97.42	98.32
Average	98.45	98.51	98.39	98.44
Testing Phase (30%)
Normal	98.46	97.79	99.37	98.57
Anomaly	98.46	99.26	97.40	98.32
Average	98.46	98.52	98.39	98.45
Training Phase (80%)
Normal	99.48	99.49	99.54	99.52
Anomaly	99.48	99.47	99.42	99.44
Average	99.48	99.48	99.48	99.48
Testing Phase (20%)
Normal	99.44	99.47	99.49	99.48
Anomaly	99.44	99.41	99.40	99.40
Average	99.44	99.44	99.44	99.44

and Figure 8 show the overall classification output of the SFSA-DLIDS technique on the test CICIDS 2017 dataset. The results portrayed that the SFSA-DLIDS approach resulted to improvised results under all aspects. For example, with 70% of TR data, the 3-DLIDS method rendered average $acc{u}_y$ of 98.45%, $pre{c}_n$ of 98.51%, $rec{a}_l$ of 98.39%, and $F_{score}$ of 98.44%. In the meantime, with 30% of TS data, the SFSA-DLIDS technique presented average $acc{u}_y$ of 98.46%, $pre{c}_n$ of 98.52%, $rec{a}_l$ of 98.39%, and $F_{score}$ of 98.45%. Simultaneously, with 20% of TS data, the SFSA-DLIDS approach offered average $acc{u}_y$ of 99.44%, $pre{c}_n$ of 99.44%, $rec{a}_l$ of 99.44%, and $F_{score}$ of 99.44%.

The TA and VA attained by the SFSA-DLIDS algorithm on CICIDS 2017 dataset are demonstrated in Figure 9. The experimental outcome shows the SFSA-DLIDS algorithm gained higher values of TA and VA. To be specific, the VA is higher than TA.

The TL and VL acquired by the SFSA-DLIDS technique on CICIDS 2017 dataset are exhibited in Figure 10. The experimental outcome denoted the SFSA-DLIDS approach accomplished minimal values of TL and VL. Particularly, the VL is lesser than TL.

For ensuring the enhanced performance of the SFSA-DLIDS model, a comparative examination is made in

Table 4. Comparative analysis of SFSA-DLIDS approach with existing algorithms.

Methods	Accuracy	Precision	Recall	F1-Score
SFSA-DLIDS	99.44	99.44	99.44	99.44
GSAE	97.44	96.44	98.79	97.74
AE-RF	97.55	97.08	98.15	97.66
WISARD	96.22	97.27	96.85	98.75
Forest-PA	96.53	96.99	96.85	97.88
LIB-SVM	96.56	97.38	97.32	97.75
FURIA	98.82	97.83	96.94	98.55

[3,13]. The results implied that the WISARD, Forest-PA, and LIB-SVM models have obtained lower $acc{u}_y$ values of 96.22%, 96.53%, and 96.56% respectively. Followed by the GSAE and AE-RF models which attained slightly enhanced $acc{u}_y$ values of 97.44% and 97.55%, respectively. Though the FURIA model resulted in reasonable $acc{u}_y$ of 98.82%, the SFSA-DLIDS model accomplished maximum $acc{u}_y$ of 99.44%. From the detailed results and discussion, it is obvious that the SFSA-DLIDS model has shown enhanced security in the CPS environment.

5. Conclusions

In this article, an innovative SFSA-DLIDS method was devised for the classification and identification of intrusions from the CPS environment. The presented SFSA-DLIDS model primarily performed a min-max data normalization approach to convert the input data to a compatible format, followed by the SFSA technique which was applied to select a subset of features. Finally, the CSO-DSAE approach was utilized for the identification and classification of intrusions. The design of the CSO algorithm majorly focuses on the parameter optimization of the DSAE model and thereby enhances the classifier results. The experimental validation of the SFSA-DLIDS model was tested using a series of experiments. The experimental results established the enhanced performance of the SFSA-DLIDS method over the existing ones with maximum accuracy of 99.35% and 99.48% on the test NSLKDD 2015 and CICIDS 2017 datasets, respectively. Therefore, the presented SFSA-DLIDS model was implemented as an effectual tool to recognize intrusions in the CPS environment. In future, outlier detection approaches should be integrated for improving the overall detection efficiency of the SFSA-DLIDS technique. In addition, the proposed model can be realized on a big data environment in our future work.