Harris-Hawk-Optimization-Based Deep Recurrent Neural Network for Securing the Internet of Medical Things

Abstract

The healthcare industry has recently shown much interest in the Internet of Things (IoT). The Internet of Medical Things (IoMT) is a component of the IoTs in which medical appliances transmit information to communicate critical information. The growth of the IoMT has been facilitated by the inclusion of medical equipment in the IoT. These developments enable the healthcare sector to interact with and care for its patients effectively. Every technology that relies on the IoT can have a serious security challenge. Critical IoT connectivity data may be exposed, changed, or even made unavailable to authenticated users in the case of such attacks. Consequently, protecting IoT/IoMT systems from cyber-attacks has become essential. Thus, this paper proposes a machine-learning- and a deep-learning-based approach to creating an effective model in the IoMT system to classify and predict unforeseen cyber-attacks/threats. First, the dataset is preprocessed efficiently, and the Harris Hawk Optimization (HHO) algorithm is employed to select the optimized feature. Finally, machine learning and deep learning algorithms are applied to detect cyber-attack in IoMT. Results reveal that the proposed approach achieved an accuracy of 99.85%, outperforming other techniques and existing studies.

1. Introduction

The healthcare industry is the foremost provider of revenue and employment, which is increasing daily [1]. A patient’s diseases and abnormalities can only be diagnosed after going to a hospital for physical analysis. Ultimately, it increases the healthcare cost, and there need to be more healthcare facilities in rural and remote areas. Technology improves over time; the health condition of the patient can now be diagnosed and monitored using a miniaturized device such as a smartwatch, on-body sensors, or smart homes [2,3,4]. IoT technology enables intelligent identification, tracking, deployment, monitoring, and management in addition to data exchange and transfer by connecting anything to the internet utilizing a specific protocol and data sensor systems [5,6]. The IoT has sparked much interest in the Healthcare Information Technology (IT) community in recent decades. Though the healthcare industry is efficient, IoT provides many options to improve it [7,8]. Various networks can connect modern medical devices and sensors, giving access to critical information regarding patients’ situations. This information can be used for various things, such as improving the automation and mobility of the diagnostic and therapeutic procedure, remote patient monitoring, and predicting disease and recovery through a broader understanding of symptoms [9].

IoT-enabled devices are being employed in several medical disciplines, especially with the widespread use of wireless medical sensors, equipment, and robotic systems as part of the latest phase of digitalized healthcare called Healthcare 4.0. Early diagnosis, disaster situations, remote patient monitoring, and real-time checks have benefited from the Internet of Medical Things. Integrating medical equipment into the IoT has aided in developing the IoMT [10,11,12]. The IoMT can improve diagnostic accuracy, reduce errors, and minimize healthcare costs by allowing individuals to submit healthcare data to physicians via technology. Due to the effects of the global pandemic, COVID-19 has mandated that medical services be made available online to everyone in any remote area; limiting in-person medical advice will stop the virus from spreading [13,14,15].

Ensuring security becomes paramount when human lives are at risk, especially when accountability is placed on managing equipment and embedded systems in upcoming enterprises [16,17]. In recent years, the healthcare industry has increasingly become a prime target for cyber-criminals due to the vast amounts of sensitive personal and medical information stored within healthcare systems [18]. The rise of electronic health records (EHRs), telemedicine, and other digital healthcare technologies has made healthcare data more accessible [19]. However, it has also created new avenues for cyber-attacks. As a result, security is a significant issue that must be addressed entirely for IoT to achieve full adoption and exponential growth [20,21,22]. Furthermore, the security threats to these systems can result in significant issues [22,23,24,25,26]. For example, when a linked insulin pump receives an incapacitated command, it may deliver excessive insulin into the patient’s bloodstream [27]. Lately, more intelligent cyber-attacks are being attempted and traditional security methods are no longer in effect. As a result, researchers have turned their attention to another aspect of defending systems from cyber-attacks [18,28,29].

Various machine- and deep-learning approaches have been proposed for the prediction of security threats on multiple datasets: TON-IOT [30,31,32], UNSW-NB15 [33], intrusion detection dataset [34,35,36], etc. However, these approaches lack performance and are limited in that they do not consider multi-label attack datasets [37]; malicious activities such as DDoS and ransomware, and removal of redundant and irrelevant features [31]; feature selection techniques for feature optimization [31]; or low accuracy [34,38].

The proposed methodology consists of three steps: first, pre-processing the dataset (one-hot encoding and data normalization); second, removing irrelevant features by using HHO; and third, applying a base classifier (RF and SVM), ensemble classifier (Bagging and Boosting), and deep learning techniques (RNN) for classification. This research makes the following contributions:

• This research proposed a new technique that constructs machine learning and deep learning techniques in combination with the HHO algorithm for detecting cyber-attacks in IoMT.
• HHO is used for feature selection due to its quick coverage ability; it also hardly gets stuck in local minima. It improves the model performance compared with other optimizers.
• Results reveal that the proposed approach attains an accuracy of 99.85%, outperforming other techniques and existing studies, and provides an efficient model for detecting cyber-attacks in IoMT devices, preventing serious issues between end-users.

The remainder of the research paper is organized as follows: Section 2 presents a literature review of machine learning and deep learning techniques for detecting cyber-attacks in IoMT. Section 3 provides the proposed approach for cyber-attack detection in IoMT. Section 4 demonstrates the experimental result and discussion. Section 5 includes the conclusion of the work and future work.

2. Literature Review

This section’s literature review comprises the proposed secured models based on machine learning and deep learning algorithms.

2.1. Machine Learning Techniques

Several machine learning techniques deal with security problems in the Internet of Things medical devices. Authors in [30] presented the IoMT framework to detect cyber-attacks on medical devices. The novel IoMT framework was proposed to hybridize the ELM and Bayesian optimization. The proposed technique secures patient data by providing security to IoMT devices. The proposed hybridization technique was implemented on the ToN-IoT dataset, and the experimental results indicate that the best results are recall 0.990, precision 0.990, F1-score 0.990, F2-score 0.989, F-beta scores 0.986, and an AUC–ROC value of 0.870. Authors in [33] proposed the machine-learning-based intrusion detection system to detect IoT network attacks. In the first phase of the proposed technique, the features were scaled to control the information leakage. This dataset combines nine attacks, including network traffic group activities and recent attacks. In the last phase, machine learning models are used for analysis. The proposed technique achieved the best results with an accuracy of 99.9% and MCC of 99.97%. The Principal Component Analysis (PCA) technique limits dimensionality in the next phase.

The novel Smart Healthcare Checker (Checker) framework was proposed for threat analysis in [37]. The proposed framework identifies the potential attacks and the corresponding effect of the IoMT Smart Healthcare Systems (SHS). Machine learning techniques such as DT, LR, ANN, DBSCAN, and K-means were implemented on the synthetic and UQVS dataset and achieved the best results regarding accuracy, precision, recall, and f1-score with values of 0.97, 0.92, 0.93, and 0.92, respectively. Authors in [39,40,41] proposed frameworks based on cloud cyber-attack detection and other tasks on the cloud. Authors in [31] combined the NB, DT, and RF in the first phase of the proposed framework design. The second phase used the classification result of XGBoost to identify the attacks. The third phase presented the fog-cloud-based deployment architecture [42]. The proposed framework was implemented on the ToN-IoT dataset. The experimental result indicates that the proposed framework achieved an accuracy of 96.35%, a detection rate of 99.98%, and decreased the false alarm rate by up to 5.59%.

Authors in [43] introduced an automated approach for detecting cybersecurity attacks in the healthcare environment. The proposed approach utilized Recursive Feature Elimination (RFE) in conjunction with Multilayer Perceptron (MLP) optimization to enhance the accuracy and efficiency of attack detection. RFE was employed to select the most relevant features from the dataset, reducing dimensionality and eliminating noise, which improves the detection algorithm’s effectiveness. MLP optimization refines the neural network architecture, enhancing its ability to learn and classify attack patterns accurately. The experimental results demonstrated that using RFE and MLP significantly improves the attack detection accuracy, outperforming traditional detection methods. The researchers in [44] presented an approach to detect cyber-attacks in IoMT via secure ensemble learning. Furthermore, the fog-cloud framework distributes the computation and storage tasks between fog nodes and cloud servers, optimizing resource utilization and minimizing response time. This distributed architecture enables real-time detection and response to cyber-attacks, ensuring the timely protection of IoMT systems. The proposed system achieved high detection accuracy and low false alarm rates.

2.2. Deep Learning Techniques

Authors in [5] proposed the classification model constructed on RNN and machine learning algorithms to classify unexpected cyber-attacks. The proposed model outperforms similar models with an accuracy of 99.76%. Authors in [38] proposed different deep learning models for the intrusion detection system to expose interrupting tasks in the computing environment. The proposed model was implemented on the UNSW-NB15 dataset and achieved an accuracy of 99.26%.

Authors in [34] proposed the Instruction Detection System and Prevention System (IDPs) to protect healthcare communication. Conventional healthcare systems usually adopted HTTP, while IoMT adopted TCP, an industrial protocol. The results indicate that the proposed system IDPS achieved an accuracy of 0.831 and a mitigation accuracy of 0.923. Authors in [20] proposed a framework to detect IoMT malware. Hybrid approaches are Convolutional Neural Network (CNN)–Long Short-Term Memory (LSTM), CNN–Gated Recurrent Unit (GRU), and GRU-LSTM; CNN-LSTM performed well with 99.83% accuracy on the IoT dataset with a lower time complexity of 1.2 s. A Hybrid PCA-GWO technique with a DDN classifier model was proposed for analyzing the pounce using the kaggle dataset. The hybrid approach was used to reduce redundant features and extract them for classification. Machine learning and deep learning techniques—KNN, NB, RF, SVM, and deep neural networks—were used with a hybrid approach and their performance in terms of accuracy increased by 15% [45]. Authors in [46] focused on applying deep learning techniques for detecting Distributed Denial-of-Service (DDoS) attacks in the IoT framework. They proposed a deep-learning-based detection method that utilized a CNN architecture to extract optimal features from network traffic data. The experimental results revealed that the proposed approach achieved a higher accuracy in detecting DDoS attacks in IoT networks. The method’s ability to automatically learn discriminative features from raw network traffic data enables it to effectively identify anomalous patterns associated with DDoS attacks. Moreover, the deep-learning-based approach exhibits robustness against various attack scenarios, showcasing its potential for real-world deployment.

Authors in [47] designed a deep-learning-based architecture to capture both spatial and temporal dependencies in network traffic data, enabling the detection of complex and evolving intrusion patterns. The DCNN component extracts high-level spatial features from network data using convolutional layers, while the BiLSTM component captures sequential dependencies by processing the data bi-directionally. By utilizing parallel processing capabilities and optimizing memory usage, the IDS efficiently handles large-scale network traffic, making it suitable for real-time intrusion detection in high-speed networks. Authors in [48] proposed an ensemble of deep learning models to hunt cyber threats in the Industrial Internet of Things (IIoT). The proposed model combines multiple deep learning algorithms to enhance the detection and classification of cyber threats in IIoT environments. The ensemble model comprises CNN, LSTM, and Autoencoder (AE) models that are trained and integrated into a single model. The model is designed to capture spatial and temporal dependencies in IIoT data, enabling the detection of complex and evolving cyber threats. The results revealed that the model outperforms individual deep learning models, achieving high detection accuracy.

Some gaps can be used for identifying security threats in IoMT devices, such as ensemble classifiers and deep learning approaches; multiple datasets can be used for checking the extrapolation of these techniques, such as BoT-IoT and UNSWNB-15; and feature selection techniques for feature optimization to remove irrelevant and repeated features can be used so that a multi-classification label attack can be identified.

3. Proposed Methodology

This section explains the proposed approach and algorithms for classifying cyber-attacks in IoMT devices. The proposed approach has the following phases: Select the dataset. In the second pre-processed dataset, the third phase applies the feature selection algorithm HHO to remove the redundant or irrelevant features. Lastly, machine learning (RF, SVM, Bagging, and Boosting) and deep learning algorithms (RNN) are applied to compare the proposed approach. The proposed approach is explained in Figure 1.

3.1. Experimental Dataset

The Network Security Layer–Knowledge Discovery Database (NSL-KDD) dataset served as the input for this investigation [49]. Tavallaee et al. presented the NSL-KDD dataset after criticizing the underlying issues with KDD’99, as machine learning techniques are inclined to understand high-frequency attacks; KDD’99 has a lot of duplicate data, which can impair test-process assessment findings and restrict it from rare instruction records, which are typically more harmful to networks. The NSL-KDD dataset includes 41 features of the network stream and label that show the classes of attack or regular.

3.2. Dataset Preprocessing

The dataset is preprocessed using two techniques: one-hot encoding and data normalization. Any raw data must first be encoded, a starting phase in the pre-processing process. The method of “one-hot-encoding” is frequently used when working with categorical data [50]. Compared with other encoding methods, label encoding is more straightforward, although some numerical values might be misinterpreted due to specific problems with the order by the algorithm [45]. In consequence, the ordering problem is addressed by one-hot encoding. One-hot encoding defines a binary representation of a nominal feature in which a categorical value is replaced with a binary value for every distinct nominal value. The protocol type in a used dataset, such as in our case, is encoded into three binary variables: TCP (1, 0), UDP (0, 1), and ICMP (0, 1). The benefit of data normalization is that it can make some machine learning algorithms run faster. According to the authors in [51], the mean range [0, 1] and statistical normalization are typically the two attribute normalization techniques most effective for NSL-KDD preprocessing. Z-score normalization is employed to get all values in our model into the [0, 1] range. After applying pre-processing techniques such as one-hot encoding (on protocol type, TCP, UDP, and ICMP) and data normalization (applied on all features to get all values in the range of 0 and 1), the full features in the NSL-KDD dataset are 117 instead of 41. Then, HHO is applied with machine learning (ML) algorithms for feature selection.

3.3. Harris-Hawk-Optimization-Based Feature Selection

Feature selection is a significant step of pre-processing for performing classification tasks. To achieve effective learning, feature selection (FS) is a technique for selecting and removing a subset of essential attributes from a large amount of redundant and unnecessary information [52]. Feature selection is an approach for deleting unrelated and unnecessary features to improve the training result in detecting learning performance and model project duration [53]. Feature selection can help remove some computations in contrast to replica complexity [54]. We use HHO for feature selection.

HHO is a latterly developed metaheuristic algorithm that draws inspiration from swarm intelligence. Heidari et al. suggested it in 2019 [55] to emulate the behavior of Harris Hawks in the wild, who use unique pursuit techniques to capture their prey. HHO is categorized as a population-based algorithm in which a group of hawks work together while pursuing prey in various ways. There are two main phases of the Harris Hawk—namely, exploitative and explorative—in which hawks plan to find the target, jump abruptly, and use various attack strategies [56]. The HHO algorithm can be used to implement any optimization problem. The primary working exploitation and exploration phases are illustrated in Figure 2, which depend on the prey energy level (E) and activity chances (q and r). Further details of these activities’ chances are given in [55].

3.3.1. Exploration Phase

The Harris Hawks have exceptional sight for locating and monitoring their prey but frequently struggle to locate it. Therefore, the hawks locate the area to look for prey. Consequently, the hawks pole on a location and watch their prey using two informal observational strategies. When $q<0.5$, the hawks perch where other hawks and the prey are; otherwise, they randomly perch on any largest tree when $q\ge 0.5$. For all strategies, there are equivalent possibilities. As per the energy the prey is exerting, the HHO technique can transform from an exploration phase to an exploitation phase.

$$E=2Eo\frac{1-t}{T}$$

(1)

Equation (1) above states that the energy of the prey (E) minimizes with iterations, where T is the total iterations, t is the show’s iteration, and $Eo$ is the starting energy of the prey. For every iteration, $Eo$ is the random number starting with (−1, −1). So, when the $Eo$ value rises from 0 to 1, the prey grows more powerful [55,56,57].

3.3.2. Exploitation Phase

Prey typically has an easy time evading dangerous situations. So, the hawks use a variety of chasing techniques. According to the hawks’ plan, four main techniques are employed throughout the exploitation phase. Assume that r represents the probability that the prey will either be unable to escape $(r\ge 0.5)$ or able to do so $(r<0.5)$. To surround the prey, soft and hard besieges are executed. Based on the energy (E) of the prey, the hawks surround it in various places. Collectively, the hawks attack prey to increase the chances of catching the prey. As soon as the prey releases energy, the hawks increase their besiege to capture the prey. When $\left|E\right|\ge 0.5$, soft besiege is employed, and when $\left|E\right|<0.5$, hard besiege is employed [55,56,57].

Soft besiege: When $\left|E\right|\ge 0.5$ and $r\ge 0.5$, the prey has sufficient energy to run away through a chance bounce. The Harris Hawks silently surround the prey simultaneously, exhausting it to the point that they can suddenly pounce. From the actual dataset, a small number of features J is created (which show the prey movement in nature) and the different number of features from prey are replicated to the chosen hawks.

Hard besiege: When $\left|E\right|<0.5$ and $r\ge 0.5$, the prey has the lowest energy status and cannot run comfortably. The Harris Hawk’s present position is upgraded using Equation (2):

$$X\left(i,d\right)=Xrb\left(0,d\right)-E\times abs(\Delta X)$$

(2)

The prey’s single feature is replicated for the present hawk in the proposed model for the hard besiege. This step is represented by Figure 3. $\Delta X$ shows the dissimilarity between the prey’s location and the hawk’s iterations.

Soft besiege (SB) with progressive rapid dives: When $r<0.5$ and $\left|E\right|\ge 0.5$, the prey can quickly run and the SB may be executed before the sudden attack. The levy distribution with excellent perturbation is used to design this prey sample in the HHO algorithm. Following the prey energy level, select the features that differ from the present hawk through the given solution. The greedy selection technique chooses the finest features at the point and resolves the issues that later arise. The classifiers become more efficient due to this technique.

Hard besiege (HB) with progressive rapid dives: The hard besiege is applied when $r<0.5$, $\left|E\right|<0.5$, and the prey cannot run away. This overall scenario is related to the SB. Hawks gradually reduce the distance from the prey. According to the prey energy status, select the different features from the prey, which are replicated to the hawk randomly selected by the population. To decrease the high disturbance level, a few features are chosen.

Algorithm 1 presents the working HHO. In the first step, the population of hawks is initialized. Next, each hawk’s fitness value is evaluated, the location of the hawk is designated, and a new energy level is assigned. When updating the energy level of the prey using Equation (1), exploration (EP) and exploitation phases are executed. If hawks are in the exploitation phase, then four strategies—SB, HB, SB with progressive rapid dives, and HB with progressive rapid dives—are applied according to the energy status of the prey and the probability of prey escaping. In the end, the updated hawk’s fitness value is computed and the best result is found.

Algorithm 1 HHO’s pseudo code.

1: Input: N is the Population size, T is the total No. Of iterations, and t is the current iteration.   2: Output: Best Feature for assessing the performance of the model   3: Initialize the population of hawks Xi $(i=1,2,3,\cdots ,N)$   4: While (end)   5: Evaluate the Hawks’ new fitness value, discover the ideal location, and designate it as the prey’s location (Xrb))   6: For (every hawk (Xi))   7: Update $Eo$, Update the energy level of prey using Equation (1)   8: if ($\left|E\right|\ge 1$)   9: Then (Execute the EP) 10: If (($\left|E\right|<1$) 11: Then (Execute the EP) 12: If ($\left|E\right|\ge 0.5andr\ge 0.5$) Then Execute the SB 13: Else if ($\left|E\right|<0.5andr\ge 0.5$) Then Execute the HB by updating the hawk’s position using Equation (2) 14: Else if ($\left|E\right|\ge 0.5andr<0.5$) Then Execute SB with progressive rapid dives Else if ($\left|E\right|<0.5andr<0.5$) 15: Then Execute HB with progressive rapid dives Compute the updated hawk’s fitness value 16: Result ← Best feature subset 17: Return Results

3.4. Classification Algorithms

Machine learning is a method that relies on patterns and makes decisions by learning from previous outcomes. Machine learning applications fall under the categories of classification or regression issues [45]. In this detection of cyber-attack in IoMT devices, in this study, some classifiers such as RF, SVM, and ensemble classifiers (Bagging and Boosting), as well as deep learning classifiers such as Recurrent Neural Networks, are applied for the detection of cyber-attack.

3.4.1. Recurrent Neural Network (RNN)

RNN uses sequential data and carries out a similar task for every classification component, with the result depending on the estimation that came previously [58]. RNNs are particularly well suited for modeling sequences because of their cyclic connectivity [5]. Transformers have shown superior performance in certain tasks involving sequential data. However, there are still reasons to use RNNs in certain contexts due to their simplicity, effectiveness in modeling long-term dependencies, and interpretability.

3.4.2. Random Forest

RF is a group learning technique, and RF classification can improve accuracy. Multiple decision trees are used to make up an RF. RF has a reduced classification error in contrast to conventional classification approaches. The RF generates many classification trees. A tree classification approach is used to create the tree and distinct bootstrap samples from the source data are used [59]. When a forest is established, each tree has a new object that must be categorized. A distinctive sample from the source data and a strategy for classifying trees are used by random forest to generate each tree.

3.4.3. Support Vector Machine

SVM employs a kernel to resolve the non-linear separable problem by projecting the elements into a multi-resolution region. SVM aims to discover the best hyper-plane amongst dataset classes by widening the distance between their nearest points. The maximal distance between the two classes is provided by the maximum hyperplane gap [57]. In some learning algorithms, over-fitting problems arise, and the SVM classifier resolves this.

3.4.4. Bagging

Bagging is an ensemble technique used to enhance the performance of a machine learning algorithm. Bagging is also known as bootstrap aggregation, creating samples sequentially and concurrently. Bagging often trains parallel, similar weak learners before combining them using specific averaging techniques. In Bagging, a base learner is trained on every set of replacement training instances after numerous base learners are hypothesized on every set using a random selection of training instances [60].

3.4.5. Boosting

Boosting is a classification error reduction method aiming to outperform many other classification methods. Boosting is also used to enhance machine learning algorithm performance and utilize the sequential ensemble method. The ensemble learner can enhance weak learners and transform them into strong learners by using the Boosting approach [61]. A strong learner is optimal and achieves near-perfect (moderate) performance. A group of learners is sequentially trained and combined for prediction. Every base model depends on the base model before it [60].

4. Result and Discussion

In this section, we thoroughly analyze and demonstrate the performance of the proposed approach. We assess the proposed approach using multiple parameters to determine its superiority over current methodologies and its suitability for detecting cyber-attacks in IoMT devices. This research approach is implemented on the NSL-KDD dataset, providing better outcomes than existing techniques. After preprocessing, the features selected by the machine learning classifiers from the dataset are as follows: RF selects 71 features, SVM chooses 32 features, Bagging selects 46 features, and Boosting chooses 44 features.

4.1. Evaluation Measurements

The result of the proposed approach is assessed on these evaluation measurements, namely, accuracy, precision, recall, and f1-score.

Accuracy: Calculates the ratio of true positives (TP), false positives (FP), false negatives (FN), and true negatives (TN) to measure a model’s efficiency. Equation (3) presents the accuracy estimate.

$$Accuracy=\frac{TP+TN}{TP+TN+FP+FN}$$

(3)

Precision: The ratio of true positives versus all positives (true and false) in the data. This is also known as the positive predicted value. Equation (4) presents the formula to calculate the precision.

$$Precision=\frac{TP}{TP+FP}$$

(4)

Recall: The ratio of TPs versus true positives and FNs. These can also be considered as TP rate, sensitivity, and probability of detection. Equation (5) presents the formula to calculate the recall.

$$Recall=\frac{TP}{TP+FN}$$

(5)

F1-score: F1-score is the recall and precision weighted average, as shown in Equation (6).

$$F1\text{-}Score=\frac{2\times Precision+Recall}{Precision+Recall}$$

(6)

4.2. Result and Analysis of the Experiment

The proposed employed machine learning (RF, SVM, Bagging, and Boosting) and deep learning algorithms. The proposed approaches’ results are explained in

Table 1. Proposed approach results of different classification algorithms. Key: Accuracy—AC, Precision—PR, Recall—RE, F1-Score—F1.

Algorithms	AC%	PR%	RE%	F1%
HHO-RNN	99.8	98.3	98.7	97.6
HHO-RF	97.5	98.2	98.7	98.5
HHO-SVM	96.8	99.7	97.2	98.7
HHO-Bagging	97.5	97.9	98.5	98.2
HHO-Boosting	98.1	96.1	97.9	97.0

. The HHO-RNN model demonstrated exceptional performance with an accuracy of 0.998%, precision of 0.983%, recall of 0.987%, and f1-score of 0.976%. Similarly, the HHO-RF model achieved a high accuracy of 0.975%, precision of 0.982%, recall of 0.987%, and an f1-score of 0.985%. The HHO-SVM model achieved an accuracy of 0.968%, precision of 0.997%, recall of 0.972%, and an f1-score of 0.987%, indicating its effectiveness. Moreover, the HHO-Bagging model achieved an accuracy of 0.998%, precision of 0.983%, recall of 0.987%, and an f1-score of 0.976%. Lastly, the HHO-Boosting model achieved an accuracy of 0.981%, precision of 0.961%, recall of 0.979%, and an f1-score of 0.970%, showcasing its notable performance.

Figure 4 illustrates the proposed model’s results. The results indicate that the HHO-RNN model achieved an outstanding accuracy of 0.998. In terms of precision, the HHO-SVM model exhibited exceptional performance with a precision score of 0.997. Both the HHO-RNN and HHO-RF models demonstrated the highest recall score of 0.987. Additionally, the HHO-SVM model delivered the best f1-score of 0.987, indicating its overall effectiveness and robust performance.

4.3. Comparison of Proposed Approach with Exiting Studies

Table 2. Comparative table with previous methodologies.

Authors	Methods	A%	P%	R%	F1%
Moukafih et al. [32]	Ensemble	89.0%	91.0%	88.0%	90.0%
Saheed et al. [5]	PSO-RF	99.7%	99.7%	-	96.4%
Nguyen et al. [62]	CNN	92.0%	-	-	94%
Proposed Approach	HHO-RNN	99.8%	98.3%	98.7%	97.6%

provides the proposed approach of HHO-RNN with the existing previous techniques. Authors in [32] reported outcomes with accuracy of 89%, precision 91%, recall 88%, and f1-score 90%. Authors in [62] obtained results with accuracy of 92.0% and f1-score of 94%. Authors in [5] reported results with an accuracy of 99.76%, precision 99.75%, and f1-score 96.45%.

Figure 5 shows that the proposed approach in this research outperformed previous approaches; however, in terms of precision, the HH0-RNN model performance decreased by 1.43%. The existing approaches performed well in terms of precision.

Some limitations can be addressed, such as increasing the number of devices and data sources, and the proposed approach may need to be revised. It requires more processing power and storage space to handle the growing volume of data, and the computational resources need to be increased to support real-time processing. The approach may need to be optimized for scalability by incorporating distributed computing and parallel processing techniques to address this limitation. Large-scale IoMT networks generate massive data that require significant computational power to process, analyze, and extract valuable insights. The proposed approach may have greater computational complexity and take too long to analyze the data, leading to delays and decreased real-time applicability. To overcome this challenge, the approach may need to incorporate different deep learning algorithms, which can aid in minimizing computational complexity. Deep learning models such as RNNs can be highly accurate but very complex, making it difficult to understand and explain their decision-making process. To address these challenges, practitioners can use techniques such as feature importance analysis, model visualization, partial dependence plots, layer-wise relevance propagation, and dimensionality reduction to improve the interpretability of the RNN.

5. Conclusions

This study proposed an implicit approach construct on machine learning and deep learning algorithms with the Harris Hawk optimization algorithm for classifying cyber-attacks using the NSL-KDD dataset. Firstly, raw data are preprocessed using one-hot encoding and normalization to normalize the data. Secondly, HHO is applied to optimize the features. The proposed method could be most suitable for IoMT environments where peer-to-peer communication between innovative healthcare equipment is possible using various IP addresses. Lastly, RF, SVM, Bagging, Boosting, and RNN are applied for classification. The results show that the accuracy is enhanced when the classifiers are combined with HHO. Future work will be to scrutinize the proposed approach’s results on the multi-class problem and check the generalizability of the proposed approach on multiple datasets; further, comparing the proposed approach with more existing techniques, examining potential trade-offs between evaluation metrics, and validating the methodology in real-world IoMT environments may be fruitful.