Enhanced Chimp Optimization-Based Feature Selection with Fuzzy Logic-Based Intrusion Detection System in Cloud Environment

Abstract

Cloud computing (CC) refers to an Internet-based computing technology in which shared resources, such as storage, software, information, and platform, are offered to users on demand. CC is a technology through which virtualized and dynamically scalable resources are presented to users on the Internet. Security is highly significant in this on-demand CC. Therefore, this paper presents improved metaheuristics with a fuzzy logic-based intrusion detection system for the cloud security (IMFL-IDSCS) technique. The IMFL-IDSCS technique can identify intrusions in the distributed CC platform and secure it from probable threats. An individual sample of IDS is deployed for every client, and it utilizes an individual controller for data management. In addition, the IMFL-IDSCS technique uses an enhanced chimp optimization algorithm-based feature selection (ECOA-FS) method for choosing optimal features, followed by an adaptive neuro-fuzzy inference system (ANFIS) model enforced to recognize intrusions. Finally, the hybrid jaya shark smell optimization (JSSO) algorithm is used to optimize the membership functions (MFs). A widespread simulation analysis is performed to examine the enhanced outcomes of the IMFL-IDSCS technique. The extensive comparison study reported the enhanced outcomes of the IMFL-IDSCS model with maximum detection efficiency with accuracy of 99.31%, precision of 92.03%, recall of 78.25%, and F-score of 81.80%.

1. Introduction

Cloud computing (CC) is familiar and is obtaining attention from individual users and organizations. However, the transition to the cloud platform could be more direct, and there are many operational and security difficulties [1]. Guaranteeing the security of information outsourcing to the cloud is significant because of the trend of storing more data in the cloud. Virtual machines (VMs) and hypervisor technologies are also a security threat, as these VM and hypervisor technologies are prone to VM-level attacks [2,3]. Such a mechanism has some on-site computer institutions with more software and hardware systems [4,5]. Susceptibilities in the VM structure are used by invaders for exfiltrating data or conducting assaults, such as distributed denial of service (DDoS). This occurs because of the inherent weaknesses in the internet protocol stack. Moreover, numerous novel assaults have recently appeared that use metamorphisms and polymorphism to avoid recognition [6]. In an IaaS cloud atmosphere, data regarding the victims’ machines are easily exploited and acquired, enabling assaults on VMs.

The cloud structure is open and fully dispersed, making it a vulnerable target for invaders [7,8]. Thus, the security of cloud platforms is at risk, where conventional network assaults, along with cloud-specific assaults, threaten cloud users (may be organizations or individuals). Conventional network security measures and firewalls are better for stopping several outsider assaults. Still, assaults within the network, along with certain complex outsider assaults cannot be managed efficiently through these systems [9]. This is where intrusion detection systems (IDSs) come into play. The role of IDS in the security of the cloud is highly significant, as it serves as an additional defensive layer of safety. Apart from identifying only familiar assaults, it can find variants of unknown and familiar assaults [10,11]. An intrusion is an attempt to bypass the security mechanism or to negotiate the confidentiality, integrity, and availability (CIA) of a network or computer [12]. Intrusions are activated by aggressors trying to access cloud resources over the Internet, legal users trying to obtain privileges not provided to them formally, and users who misuse their rights to access resources [13]. Intrusion detection (ID) observes the actions in a network or computer and scrutinizes them for signs of intrusion. IDS could be hardware or software, or an integration of both to automate the ID process [14]. It captures data from the network or under observation and informs the network manager by logging or mailing intrusion events. However, the warnings made by IDS are rarely related to actual intrusion because false positives and negatives influence the IDS performance [15]. Though several IDS models are available in the literature, improvement is still needed for the detection efficiency. In addition, feature selection (FS) techniques are essential to eliminate irrelevant features that raise false alarms and increase the accuracy of the system.

This paper presents improved metaheuristics with a fuzzy logic-based intrusion detection system for the cloud security (IMFL-IDSCS) technique. The IMFL-IDSCS technique uses the enhanced chimp optimization algorithm-based feature selection (ECOA-FS) method for choosing optimal features. The adaptive neuro-fuzzy inference system (ANFIS) method is enforced to recognize intrusions. Finally, the hybrid jaya shark smell optimization (JSSO) algorithm is used to optimize the membership functions (MFs). A widespread simulation analysis is performed to examine the enhanced outcomes of the IMFL-IDSCS technique. In short, the major contributions of the study are given as follows:

• An intelligent IMFL-IDSCS technique comprising ECOA-FS, ANFIS classification, and JSSO-based parameter optimization is presented for intrusion detection. To the best of our knowledge, the presented IMFL-IDSCS technique does not exist in the literature.
• A new ECOA-FS technique is designed for the selection of the optimal subset of features to accomplish enhanced classification performance.
• JSSO is employed with the ANFIS model for the classification of intrusions into different class labels.
• The performance of the proposed model is validated on the benchmark NSL-KDD dataset.

The rest of the paper is organized as follows. Section 2 provides the related works, and Section 3 introduces the proposed model. Later, Section 4 offers experimental validation and Section 5 draws the conclusions.

2. Related Works

A DNN with game theory for cloud security (GT-CSDNN) was modeled in [16]. The proposed method includes defender and attacker techniques when utilizing the game theory method. Moreover, the deep neural network (DNN) network leverages the devised game theory method to categorize regular data and attacks. The GT-performance CSDNNs are evaluated by using the CICIDS—2017 data. The collected data can be normalized, and the improved whale algorithm (IWA) was employed to evaluate the attack’s optimal points and normal data. Shyla and Sujatha [17] suggested an innovative IDS recognized on an integration of a leader-oriented k-means clustering (LKM), an optimal fuzzy logic (FL) system. Initially, input data were assembled into clusters by using the LKM. Afterwards, cluster datasets were afforded to the FL system (FLS). In this study, abnormal and normal data were examined by the FLS, and FLS training can be performed through grey wolf optimizer (GWO) by maximizing the rules.

Mishra et al. [18] devised a VM Introspection (VMI) related security structure model for fine granular monitoring of VMs for identifying renowned assaults and their variants. VMGuard enforces the software breakpoint injection approach, which is agnostic and is employed for trapping the accomplishment of programs. Inspired by text mining methods, VMGuard provides a ‘Bag of n-grams (BonG)’ method compiled with the term frequency–inverse document frequency (TF-IDF) approach for selecting and extracting attack features and normal traces. After implementing the random forest (RF) method for generating generic conduct for distinct groups of intrusion of the monitored VM, Aoudni et al. [19] introduced HMM_TDL, a DL method for preventing and detecting assault in the cloud environment. The devised approach can be performed in three states, incorporating a hidden Markov model (HMM) for attack detection. The HMM method sends hyper-alerts to the database for assault prevention.

In Ref. [20], an anomaly-related network IDS (NIDS) was modeled, analyzing and monitoring the network traffic flow that targeted a cloud platform. A network administrator must be informed regarding the nature of such traffic to block and drop any intrusive network connection. The binary-related particle swarm optimization (BPSO) was implemented to select the most related network features, whereas the standard-based PSO (SPSO) was enforced for tuning support vector machine (SVM) control parameters. Velliangiri and Premalatha [21] evaluated and presented a radial basis function neural network (RBF-NN) detector for detecting DDoS assaults. The resultant network can be frequently insufficient or needlessly intricate, and a suitable network structure is configured merely by the trial-and-error technique. This study devises the bat algorithm (BA) for configuring RBF-NN mechanically.

Sathiyadhas and Soosai Antony [22] presented an effectual dragonfly-improved invasive weed optimizer-based Shepard CNN (DIIWO-based ShCNN) for detecting the intruder and for mitigating the attack from the cloud paradigm and it can further detect the intruder with ShCNN. In [23], an effectual IDS was suggested by the presented sail fish dolphin optimizer-based Deep RNN (SFDO-based Deep RNN) that was employed for identifying an anomaly from the cloud framework. The established SFDO was formed by combining sail fish optimizer (SFO) and the dolphin echolocation (DE) technique. Virtual machine (VM) migration and cloud data management can be obtained utilizing ChicWhale technique.

Geetha and Deepa [24] examined a Fisher kernel-based PCA dimensional reduction technique and GWO-based weight dropped Bi-LSTM technique (FKPCA-GWO WDBiLSTM) for IDS. Primarily, combined with the data record for PCA, the Fisher kernel with Fisher score was offered as input for achieving linearly separable dimensionality reduction. Secondarily, the WDBiLSTM network was utilized for retaining the long-term dependency but removing the feature from forward and backward directions. A novel DL approach dependent upon CNNs and RNNs for IDS was established for cloud security in [25]. With our DL technique, some detected and not accepted traffic was prevented in obtaining the server from the cloud.

3. The Proposed Model

In this study, a novel IMFL-IDSCS method was derived to detect intrusions in the distributed CC platform and secure it from probable threats. Figure 1 represents the workflow of the IMFL-IDSCS approach. IDS was deployed in the CC platform. There is an individual IDS controller for the cloud service provider (CSP). It is noticeable that if there exists a single IDS in the whole network, the load on it rises as the number of hosts rises. Besides that, it can be challenging to monitor dissimilar types of intrusions or assaults that act on every host presented in the network. To resolve these limitations, the study presents a framework, where the mini-IDS instance is deployed between every user of the cloud and the CSP. Consequently, the load on every IDS sample would be lower than that of an individual IDS; thus, smaller IDS instances would be capable of conducting their work in a special way. The number of packets dropped would be decreased because of the decreased load that individual IDS instances would have. The IDS controllers would give all those IDS instances. If the client wants to access any services granted by CSP, IDS controllers must give IDS instances to that client. That instance would monitor all user activity, and once the client ends the session, a log of that session would be transmitted by the IDS instance to the IDS controller, which would be saved in cloud logs. Knowledge Base was saved in cloud logs and has data regarding the paradigm of user activity based on the data saved in the cloud. Whenever an IDS instance was granted to a specific user, IDS controllers from Knowledge Base would query data regarding the last activity. These activity patterns detect intrusion from the user’s working pattern. Additionally, it uses various rules for multiple users such that each feature of IDS does not need to be positioned if specific users need only a few. The abovementioned IDS instance should be positioned on the application, system, and platform layers.

3.1. Process Involved in ECOA-FS Technique

Initially, the IMFL-IDSCS technique used the ECOA-FS approach for choosing optimal features. COA is a mathematical model that can be reliant on intelligent diversity [26]. Chase, drive, attack, and block are the distinct strategies of chimps that can realize obstacles, the attacker, the driver, and the chaser. These hunting behaviors are concluded in two stages. Exploration and exploitation are the two stages of COA. The initial stage comprises chasing, driving, and blocking the prey. The next phase has attacked the prey. At the same time, the driving and chasing behaviors are illustrated in Equations (1) and (2):

$$d=\left|c\cdot x_{prey}\left(t\right)-m\cdot x_{chimp}\left(t\right)\right|$$

(1)

$$x_{chimp}\left(t+1\right)=x_{prey}\left(t\right)-a\cdot d$$

(2)

Now, $X_{prey}$ stands for the vector of prey location, $x_{chimp}$ indicates the vector of chimp place, $t$ represents the number of current iterations, and $a,c,$ and $m$ imply the coefficient vector. This is accomplished in Equations (3)–(5):

$$a=2\cdot fc\cdot r_1-fc$$

(3)

$$c=2\cdot r_2$$

(4)

$$m=chaoti{c}_{-}value$$

(5)

Whereas $fc$ indicates the non-linear decrease in 2.5 to $0,$ $r_1$ and $r_2$ indicate arbitrary value ranges from zero to one, and $m$ denotes chaotic vector. The dynamic coefficient $fc$ prefers dissimilar curves and slopes. Hence, the chimps used different abilities to search for prey. They upgraded the location dependent upon other chimps, and the mathematical modeling can be given in Equations (6)–(8):

$$\begin{array}{c}{d}_{Attacker}=\left|c_2{x}_{Attacker}-m_{1}x\right|\hfill \\ d_{Barrier}=\left|c_2{x}_{Barrier}-m_{2^{\chi }}\right|\hfill \\ d_{Chaser}=\left|c_3{x}_{Chaser}-m_{3}x\right|\hfill \\ d_{Driver}=\left|c_4{x}_{Driver}-m_{4}x\right|\hfill \end{array}$$

(6)

$$\begin{gathered} {\chi }_{2^{=x_{Barrier}-a_2\left(d_{Barrier}\right)}}{\chi }_{1^{=x_{Aiiacker}-a_1\left(d_{Aiiacker}\right)}} \\ {x}_4=x_{Driver}-a_4\left(d_{Driver}\right)x_3=x_{Chaser}-a_3\left(d_{Chaser}\right) \end{gathered}$$

(7)

$$\begin{gathered} x\left(t+1\right)=\frac{x_1+x_2+x_3+x_4}{4} \\ \begin{array}{c}{x}_1=x_{Attacker}-a_1\left(d_{Attacker}\right)\\ x_2=x_{Barrier}-a_2\left(d_{Barrier}\right)\\ x_3=x_{Chaser}-a_3\left(d_{Chaser}\right)\\ x_4=x_{Driver}-a_4\left(d_{Driver}\right)\end{array} \end{gathered}$$

(8)

In ECOA, the extremely disruptive polynomial mutation was a revised edition of the polynomial mutation method. It resolves the constraint that the polynomial mutation method fell as the local optima when the parameter was near the boundary, as shown in Equations (9) and (12):

$${\delta }_1=\frac{{\chi }_i-lb}{ub-lb}$$

(9)

$${\delta }_2=\frac{ub-x_i}{ub-lb}$$

(10)

$${\delta }_k=\{\begin{array}{l}{[\left(2r\right)+\left(1-2r\right)\ast {(1-{\delta }_1)}^{{\eta }_m+1}]}^{\frac{1}{{\eta }_m+1}-1},r\le 0.5\hfill \\ 1-{[2\left(1-r\right)+2\left(r-0.5\right)\ast {(1-{\delta }_2)}^{{\eta }_m+1}]}^{\frac{1}{{\eta }_m+1}}, otherwise\hfill \end{array}$$

(11)

$$x_i=x_i+{\delta }_k\left(ub-lb\right)$$

(12)

Whereas $ub$ and $lb$ determine the upper and lower limits of search spaces, $r$ indicates the arbitrary value ranges within [0, 1] and ${\eta }_m$ indicates the distribution exponential that can be a non-negative number.

Unlike the traditional ECOA, the solution update occurs in the search region in the direction of the continual value position. However, in BECOA, the search region is determined as the $n$ dimension Boolean lattice. Moreover, the solution is upgraded through the corner of the hypercube. In addition, for choosing features, 1 characterizes the feature selection, or 0. Furthermore, the BECOA derives a fitness function from determining solutions for retaining tradeoffs amongst a pair of objectives, as defined in Equation (13):

$$fitness=\alpha {\Delta }_R\left(D\right)+\beta \frac{\left|Y\right|}{\left|T\right|}$$

(13)

${\Delta }_R\left(D\right)$ shows the classifier’s error, $\left|Y\right|$ indicates the subset size, and $\left|T\right|$ represents the overall features present in the data. In addition, $\alpha$ shows a parameter $\in \left[0, 1\right]$ associated with the weight of the classifier error level, and $\beta =1-\alpha$ indicates the importance of the reduction feature.

3.2. ANFIS-Based Intrusion Detection Model

In this phase, the ANFIS model is applied to recognize intrusions. ANFIS, developed by Jang, integrates the benefits of neural networks (NNs) and fuzzy systems [27]. It employs an NN learning algorithm to automatically extract the input and rules of the sample dataset automatically, thus forming an ANFIS that includes five layers. Figure 2 demonstrates the infrastructure of ANFIS. ANFIS is a kind of artificial intelligence (AI) method which integrates the strength of fuzzy logic or artificial neural network (ANN) techniques. ANFIS is a hybrid method which utilizes a fuzzy inference system (FIS) embedding in an NN structure. The FIS module of ANFIS was utilized for representing the linguistic rules which describe the connections amongst inputs and outputs in a provided system. The NN module was utilized for adjusting the parameter of the FIS, namely the rule weights and the membership function parameters, based on the input–output training dataset. This enables the ANFIS to “learn” the relation between inputs and outputs, and to make prediction regarding new input value. ANFIS is used for a large number of tasks, involving time series prediction, control, and function approximation. It is an advanced type of fuzzy logic system that is able to learn and adapt by utilizing a learning mechanism. The learning method adjusts the parameter of the fuzzy system to enhance the performance based on the training dataset. The adaptive components of ANFIS make it especially pertinent for the application where the fundamental system is subjected to changes over time, viz., in modeling the dynamic system.

It is an extension of the conventional fuzzy system and has an analogous structure that comprises the fuzzy inference, input and output layers. Briefly, the ANFIS integrates the capability to characterize vague or uncertain knowledge of the FIS with the capability to learn from information of the NNs. Therefore, it leverages the knowledge of human expertise and data from the environments to increase performance.

Layer 1: Each node is an adaptive node. The output of layer 1 is the fuzzy membership grade of inputs, as shown in Equations (14) and (15):

$$O_i^1={\mu }_{A_i}\left(x\right)i=1,2$$

(14)

$$O_i^1={\mu }_{B_{i-2}}\left(y\right)i=3,4$$

(15)

where ${\mu }_{A_i}\left(x\right),$ ${\mu }_{B_{i-2}}\left(y\right)$ adopts the fuzzy membership function.

Layer 2: The nodes are fixed. They are labeled with $M$, specifying that they play simple multipliers as given in Equation (16):

$$O_i^2={\omega }_i={\mu }_{A_i}\left(x\right){\mu }_{B_i}\left(y\right)i=1,2$$

(16)

Layer 3: The nodes are fixed nodes. They are labeled with $N,$ representing that they execute the normalization to the firing strength from the preceding layer as defined in Equation (17):

$$O_i^3={\omega }_i=\frac{{\omega }_i}{{\omega }_1+{\omega }_2}i=1,2$$

(17)

Layer 4: The node is adaptive. The output of all nodes is the product of the normalized firing strength and the first-order polynomial (first-order Sugeno model), as given in Equation (18):

$$O_i^4={\overline{\omega }}_i{f}_i={\overline{\omega }}_{\mathrm{i}}\left(p_{i}x+q_{i}y+r_i\right)i=1,2$$

(18)

Layer 5: There is one fixed node labeled with $S$. This node is played as a summation of each incoming signal:

$$O_i^5={{\displaystyle \sum }}_{i=1}^2{\overline{\omega }}_i{f}_i=\frac{{{\displaystyle \sum }}_{i=1}^2{\omega }_i{f}_i}{{\omega }_1+{\omega }_2}$$

(19)

The final output of ANFIS is defined in Equation (20):

$$\begin{array}{cc}{f}_{out}\hfill & ={\overline{\omega }}_1{f}_1+{\overline{\omega }}_2{f}_2=\frac{{\omega }_1}{{\omega }_1+{\omega }_2}{f}_1+\frac{{\omega }_2}{{\omega }_1+{\omega }_2}{f}_2\hfill \\ \hfill & =\left(\overline{\omega }x\right)p_1+\left(\overline{\omega }x\right)q_1+\left(\overline{\omega }x\right)r_1+\left(\overline{\omega }x\right)p_2+\left(\overline{\omega }x\right)q_2+\left(\overline{\omega }x\right)r_2\hfill \end{array}$$

(20)

3.3. Parameter Tuning Using JSSO Algorithm

Finally, the JSSO algorithm is used to optimize the MFs. The traditional SSO technique is found to be effective in resolving real-time optimization challenges. The presented method gives the productive means of changing parameters [28]. It gives the best exploration capability for the primary searching method. However, it has the limitation that it suffers from lower convergence speed and requires higher convergence time. This challenge minimizes the population range to escape from the local optima. The abovementioned problems are considered to develop the new method with the integration of JA. The traditional jaya algorithm (JA) has different features; it can be simple for the developer, and only one phase has fewer variables. The traditional JA is exploited for multi-objective optimized problems. It is capable of finding the optimal value in a lesser period. This feature is taken into account to perform the new technique named $J$-SSO. Rather than rotational movement, JA updating is used. In this work, the new equation is expressed for the gradient of the main function of SSO represented by $\nabla \left(of\right)$, as provided in Equation (21):

$$\nabla \left(of\right)=\frac{abs\left(o{f}_{gbest}-of\left(j\right)\right)}{o{f}_{gbest}}$$

(21)

The term $o{f}_{gbet}$ represents a better solution’s fitness function, and the existing solution’s fitness function is denoted as $0$. Therefore, if the attained solution reaches the values of $\nabla \left(of\right)<0.5$, then the location updating can be performed by SSO forward movement. Otherwise, the location updating can be performed using $JA$. The pseudocode of $J$-SSO is demonstrated in Algorithm 1. The hybrid optimized technique is stimulated by integrating different optimized techniques or rules. It is proved that the best outcomes are for the fixed search problem. The hybrid optimized algorithm is demonstrated to attain the best convergence using different optimization principles.

Algorithm 1:$\mathrm{J}$-SSO

Initialization of the shark population Set the determined user variables Initialization phase counter as i = 1 for i = 1:i_max    if ∇(of) < 0.5       Upgrade velocity vector following SSO       Upgrade location following SSO    Else       Upgrade solution following JA    end if end for i    Set i = i + 1    Selection of the better location of sharl at a final phase that has the maximum value End

The JSSO technique derives a fitness function to attain improved classification performance. It determines a positive integer to represent the better performance of the candidate solutions. In this study, the minimization of the classification error rate is considered the fitness function, as given in Equation (22):

$$fitness\left(x_i\right)=\frac{number of misclassified samples}{Total number of samples}\ast 100$$

(22)

4. Results and Discussion

The proposed model is simulated using Python 3.6.5 tool on PC i5-8600k, GeForce 1050Ti 4GB, 16GB RAM, 250GB SSD, and 1TB HDD. The parameter settings are given as follows: learning rate, 0.01; dropout, 0.5; batch size, 5; epoch count, 50; and activation, ReLU. In this section, the intrusion classification performance of the IMFL-IDSCS model is inspected on the NSL-KDD dataset.

Table 1. Details of the dataset.

Class	No. of Samples
Denial of service attack (Dos)	45,927
Unauthorized access from a remote host (R2l)	995
Port monitoring or scanning (Probe)	11,656
Unauthorized local super user privileged access (U2r)	52
Not an Attack (Normal)	67,343
Total number of samples	125,973

defines the detailed description of the dataset.

4.1. Result Analysis

The confusion matrices of the IMFL-IDSCS model on intrusion classification are demonstrated in Figure 3. The outcomes exhibit that the IMFL-IDSCS approach properly categorized all intrusions and normal samples. With 80% of the training (TR) set, the IMFL-IDSCS model identified 36,302 into DoS, 549 into R2l, 8768 into Probe, 2 into U2R, and 53,414 into normal. Eventually, with 20% of testing (TS) set, the IMFL-IDSCS approach identified 9130 into DoS, 127 into R2l, 2324 into Probe, 3 into U2R, and 13,177 into normal. Meanwhile, with 70% of TR set, the IMFL-IDSCS technique identified 31,838 into DoS, 479 into R2l, 8007 into Probe, 0 into U2R, and 46,461 into normal. Finally, with 30% of the TS set, the IMFL-IDSCS method identified 13,581 into DoS, 212 into R2l, 3407 into Probe, 0 into U2R, and 20,004 into normal.

Table 2. Result analysis of IMFL-IDSCS system under 80:20 of TR/TS databases.

Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$	MCC
Training Phase (80%)
Dos	98.88	98.00	98.94	98.47	97.59
R2l	99.49	67.53	68.71	68.11	67.86
Probe	99.20	96.13	95.12	95.62	95.18
U2r	99.95	28.57	04.65	08.00	11.51
Normal	99.01	99.29	98.86	99.08	98.01
Average	99.31	77.90	73.26	73.86	74.03
Testing Phase (20%)
Dos	98.81	97.94	98.84	98.39	97.45
R2l	99.47	66.49	64.80	65.63	65.37
Probe	99.20	96.39	95.32	95.85	95.42
U2r	99.98	100.00	33.33	50.00	57.73
Normal	99.09	99.31	98.96	99.14	98.18
Average	99.31	92.03	78.25	81.80	82.83

and Figure 4 provide the comprehensive intrusion recognition results of the IMFL-IDSCS method on 80% of TR and 20% of TS databases.

The figure demonstrates that the IMFL-IDSCS model showed maximum outcome under all classes. For sample, on 80% of the TR database, the IMFL-IDSCS approach provided an average $acc{u}_y$ of 99.31%, $pre{c}_n$ of 77.90%, $rec{a}_l$ of 73.26%, $F_{score}$ of 73.86%, and Mathew correlation coefficient (MCC) of 74.03%. Moreover, on 20% of the TS database, the IMFL-IDSCS approach rendered an average $acc{u}_y$ of 99.31%, $pre{c}_n$ of 92.03%, $rec{a}_l$ of 78.25%, $F_{score}$ of 81.80%, and MCC of 82.83%.

Table 3. Result analysis of IMFL-IDSCS system under 70:30 of TR/TS databases.

Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$	MCC
Training Phase (70%)
Dos	98.80	97.88	98.85	98.36	97.42
R2l	99.65	82.73	69.93	75.79	75.89
Probe	99.39	95.57	97.99	96.77	96.44
U2r	99.96	00.00	00.00	00.00	00.00
Normal	99.03	99.49	98.69	99.09	98.06
Average	99.37	75.14	73.09	74.00	73.56
Testing Phase (30%)
Dos	98.88	97.93	98.99	98.46	97.58
R2l	99.58	78.23	68.39	72.98	72.94
Probe	99.37	95.54	97.76	96.64	96.30
U2r	99.96	00.00	00.00	00.00	−0.01
Normal	99.10	99.59	98.72	99.15	98.19
Average	99.38	74.26	72.77	73.45	73.00

and Figure 5 provide the overall intrusion recognition outcomes of the IMFL-IDSCS model on 70% of TR and 30% of TS databases. The outcomes exhibit that the IMFL-IDSCS method showed maximum outcome under all classes. For the sample, on 70% of the TR database, the IMFL-IDSCS approach presented an average $acc{u}_y$ of 99.37%, $pre{c}_n$ of 75.14%, $rec{a}_l$ of 73.09%, $F_{score}$ of 74%, and MCC of 73.56%. On 30% of the TS database, the IMFL-IDSCS technique offered an average $acc{u}_y$ of 99.38%, $pre{c}_n$ of 74.26%, $rec{a}_l$ of 72.77%, $F_{score}$ of 73.45%, and MCC of 73%.

The training accuracy (TACC) and validation accuracy (VACC) of the IMFL-IDSCS technique are inspected on ID performance in Figure 6. The figure displays that the IMFL-IDSCS approach showed improved performance with increased values of TACC and VACC. It is seen that the IMFL-IDSCS algorithm reached maximum TACC outcomes.

The training loss (TLS) and validation loss (VLS) of the IMFL-IDSCS methodology are tested on ID performance in Figure 7. The figure displays that the IMFL-IDSCS algorithm revealed better performance with the least values of TLS and VLS. It is seen that the IMFL-IDSCS technique reduced the VLS outcomes.

A clear precision–recall examination of the IMFL-IDSCS method in the test database is portrayed in Figure 8. The results specified that the IMFL-IDSCS methodology had enhanced precision–recall values in class labels.

The detailed ROC study of the IMFL-IDSCS method under the test database is given in Figure 9. The outcomes denoted by the IMFL-IDSCS approach showed its ability to classify different classes under the test database.

4.2. Discussion

A widespread comparative analysis of the IMFL-IDSCS approach with other CAD techniques is presented in

Table 4. Comparative analysis of IMFL-IDSCS system with other approaches.

Methods	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
IMFL-IDSCS	99.31	92.03	78.25	81.80
LKM-OFLS [17]	89.34	84.64	74.68	78.26
K-means-OFLS [17]	91.43	85.74	75.51	78.33
MLP [29]	91.46	86.61	76.76	74.99
PCA-NN [30]	90.08	84.56	76.06	77.54
FCM-OFLS [31]	93.38	82.74	74.43	75.68

[17]. In Figure 10, a close inspection of the IMFL-IDSCS model with other models, such as LKM with optimal FLS, K-means-OFLS, fuzzy c-means with OFLS (FCM-OFLS), multilayer perceptron (MLP), and principal component analysis with NN (PCA-NN) in terms of $acc{u}_y$ and $F_{score}$, is given. The results imply the enhanced outcome of the IMFL-IDSCS model. For instance, based on $acc{u}_y$, the IMFL-IDSCS model provided a maximum $acc{u}_y$ of 99.31%, whereas the LKM-OFLS, K-means-OFLS, FCM-OFLS, MLP, and PCA-NN models gained reduced performance with $acc{u}_y$ of 89.34%, 91.43%, 93.38%, 91.46%, and 90.08%, respectively. Additionally, based on $F_{score}$, the IMFL-IDSCS approach presented a maximum $F_{score}$ of 81.80%, whereas the LKM-OFLS, K-means-OFLS, FCM-OFLS, MLP, and PCA-NN approaches gained reduced performance with $F_{score}$ of 78.26%, 78.33%, 75.68%, 74.99%, and 77.54%, correspondingly.

In Figure 11, a close inspection of the IMFL-IDSCS method with other ML methods in terms of $pre{c}_n$ and $rec{a}_l$ is given. The outcomes exhibit the enhanced outcome of the IMFL-IDSCS approach. For instance, based on $pre{c}_n$, the IMFL-IDSCS methodology presented maximum $pre{c}_n$ of 92.03%, whereas the LKM-OFLS, K-means-OFLS, FCM-OFLS, MLP, and PCA-NN methods obtained reduced performance with $pre{c}_n$ of 84.64%, 85.74%, 82.74%, 86.61%, and 84.56%, correspondingly. Similarly, based on $rec{a}_l$, the IMFL-IDSCS approach rendered maximum $rec{a}_l$ of 78.25%. In contrast, the LKM-OFLS, K-means-OFLS, FCM-OFLS, MLP, and PCA-NN techniques achieved reduced performance with $rec{a}_l$ of 74.68%, 75.51%, 74.43%, 76.76%, and 76.06% correspondingly. These results highlight the superior outcomes of the IMFL-IDSCS model. The enhanced performance of the proposed model is due to the inclusion of the ECOA-FS model, which decreases the computational burden and increases the classification rate. In addition, the design of the JSSO algorithm for the ANFIS model helps in attaining maximum detection performance.

5. Conclusions

In this study, a new IMFL-IDSCS method was derived to detect intrusions in the distributed CC platform and secure it from probable threats. An individual sample of IDS was deployed for every client, and an individual controller was utilized for data management. In addition, the IMFL-IDSCS technique used the ECOA-FS method for choosing the best features. This was followed by the ANFIS model, which was applied to recognize intrusions. Finally, the JSSO algorithm was used to optimize the MFs. A widespread simulation analysis was performed to examine the enhanced outcomes of the IMFL-IDSCS technique. The extensive comparison study reported the enhanced outcomes of the IMFL-IDSCS model with maximum detection efficiency with accuracy of 99.31%, precision of 92.03%, recall of 78.25%, and F-score of 81.80%. In the future, the performance of the IMFL-IDSCS technique can be improvised by outlier removal approaches. In addition, the proposed model can be extended to the detection of malware, ransomware, and other kinds of attacks in the Android environment.