A Hybrid Modified Deep Learning Architecture for Intrusion Detection System with Optimal Feature Selection

Abstract

With the exponentially evolving trends in technology, IoT networks are vulnerable to serious security issues, allowing intruders to break into networks without authorization and manipulate the data. Their actions can be recognized and avoided by using a system that can detect intrusions. This paper presents a hybrid intelligent system and inverted hour-glass-based layered network classifier for feature selection and classification processes, respectively. To accomplish this task, three different datasets have been utilized in the proposed model for identifying old and new attacks. Moreover, a hybrid optimization feature selection technique has been implemented for selecting only those features that can enhance the accuracy of the detection rate. Finally, the classification is performed by using the inverted hour-glass-based layered network model in which data are up-sampled with the increase in the number of layers for effective training. Data up-sampling is performed when small subset of datapoints are observed for any class, which in turn helps in improving the accuracy of the proposed model. The proposed model demonstrated an accuracy of 99.967%, 99.567%, and 99.726% for NSL-KDD, KDD-CUP99, and UNSW NB15 datasets, respectively, which is significantly better than the traditional CNID model. These results demonstrate that our model can detect different attacks with high accuracy and is expected to show good results for new datasets as well. Additionally, to reduce the computational cost of the proposed model, we have implemented it on CPU-based core i3 processors, which are much cheaper than GPU processors.

1. Introduction

People now use a range of internet-connected devices on a daily basis in every aspect of their lives, giving rise to the IoT (Internet of Things). In recent times, the IoT framework continues to be employed in developing smart environments with a variety of applications and associated benefits, including smart cities and intelligent houses. By addressing issues with living conditions, electricity usage, and manufacturing requirements, such smart environments aim to increase human productivity and comfort. The significant expansion of IoT-based programs and services across various networks is directly related to this goal. This global web is being used more often, which has led to an increase in network attacks, which are essentially a sort of internet security concern. These exploits can acquire confidential data preserved in systems and hence are dangerous [1]. Methods of detection and prevention of intrusions, including firewalls, access controls, and models based on encryption, have not been able to shield information systems and networks from cyber-attacks that are becoming more and more sophisticated. In order to detect, recognize, and monitor attacks, intrusion detection systems (IDSs) have grown to be a crucial component of security architecture [2]. ID system can be defined as technique for watching and monitoring occurrences in a smart city based on IoT networks. ID systems are being utilized for identifying signs of security breaches, and event-based methods are used for monitoring and tracking network activities. Basically, IDS add a defensive structure for invasions and attacks from both inside as well as outside the system or network, rather than replacing a specific security tool [3]. On the basis of their place of deployment in the network, ID systems can be broadly grouped into three categories of host-based ID systems (HIDSs) [4], network-based ID systems (NIDSs) [5], and network node ID systems (NNIDSs) [6]. Among the three ID systems, an HIDS is compatible and operable almost on all systems and other systems of the organization, while an NIDS is specifically used and designed to handle locations where the likelihood of exposure is higher. On the other hand, NNIDSs are similar to NIDSs [7,8]; however, it only works on one server at once. Moreover, IDSs based on misuse and anomalies are the two primary techniques utilized for detecting intrusions. Misuse ID systems, sometimes also referred as signature- or knowledge-oriented IDs, rely on patterns for identifying intrusions that resemble known threats. To identify potential invasions, these trends or signatures are matched to recorded data. However, anomaly ID systems, sometimes referred to as behavior-based systems, hinge on compiling a profile that depicts a system’s typical behavior over time by keeping track of its operations [9]. Consequently, any deviation from that profile is regarded as abnormal.

Jim Anderson first put forth the concept of IDS in the year 1980 [10]. Systems for intrusion detection and prevention have been developed and upgraded in a wide range of ways ever since to satisfy today’s needs of privacy and security. However, over the ensuing 10 years, technological advances have evolved so quickly that the number of devices and apps it can enable has dramatically increased. As a consequence of this, a significant amount of vital information is generated and circulated among the network’s nodes. The integrity of such data nodes is becoming a difficult issue, due to the proliferation of numerous new attacks, raised either by modifications of existing attacks or as entirely new attacks. Each and every data node present in the network is susceptible to security risks [11]. Considering for example, a particular data node contains crucial and confidential information about the company. As a result of this, any tampering of the node’s specific information might severely damage the organization’s worth in the marketplace and financial commitments. Current ID systems have demonstrated ineffectiveness in identifying new attacks and lowering false detection rate. This inevitably leads to a need for a reliable, efficient, and affordable ID system that ensures integrity and safety for the network [12].

A typical ID system is installed in the core of network in order to monitor all the incoming traffic that is sent to the network. The IDS analyzes this data, removes unnecessary data from it and removes or fills null or NAN values to obtain a more informed dataset. Following that, the pre-processed data are examined and categorized in accordance with various severity indicators. If the data are normal, no further changes are needed; otherwise, a report is sent to raise alerts and necessary action is taken by administration. Recently, several scholars have been using artificial intelligence [13,14] and data mining methodologies for obtaining improved anomaly detection rates. Data collection is considered one of the significant and crucial steps for enhancing the accuracy of ID systems. However, as mentioned earlier, with the advancement in technology, intruders are also trying to find innovative ways to access data; therefore, training ID systems on a single dataset is not effective and is susceptible to errors [15,16]. It has been observed that the accuracy rate certainly increases when multiple datasets are used in the ID network; however, it may also result in increasing complexity. In order to overcome these limitations, feature extraction and selection techniques can be employed in the ID system. In addition to this, ID is also considered as classification problem in which every audit trail must be classified either as intrusion of specific kind or normal data. Decision Trees (DT) [17], Neural, SVM-based networks [18,19], and Rule Induction Methods [20] are just some examples of some of the frequently used classifiers for categorizing intrusion detection databases. However, the performance of these systems is degraded when computer invasions are substantially more uncommon than typical behavior. Therefore, choosing an appropriate and sufficient dataset and classifier for ID system are two major hurdles for creating effective IDS.

The main motivation behind the given work is to develop a model that will be able to detect a variety of attacks with better accuracy. As we have seen, technology is developing at a faster pace, offering various advantages along with some security issues. With the passing of time, attackers are also trying to find new and innovative ways of gaining access to the sensitive and confidential information of organizations. Later on, these hackers use this information for their personal benefits, which eventually may disrupt the organization’s reputation. Therefore, it has become the need of hour to develop an effective ID system that detects new attacks precisely.

The main contribution of our research is to develop a unique and highly accurate ID system that can identify various attacks. Some of the major contributions are:

-

To make the proposed system dynamic and effective, three datasets are utilized in proposed work, rather than one. Moreover, the model can be trained on new datasets as well to detect modern day attacks.

-

To propose an intelligent FS technique for selecting only crucial features in the network for making the intrusion detection process easier.

-

To develop an inverted hour glass based classification model comprising of various layers for identifying and classifying incoming data as normal or intruded.

The following sections of this research article are as follows: Section 2 reviews some of the trending and latest publications using ML- and DL-based classifiers. Section 3 contains an overview and step-by-step working of the proposed ID model, then the results obtained with the proposed model are given in Section 4. Finally, a conclusion of the entire paper is given.

2. Literature Review

Over the years, a large number of researchers have used various ML- and DL-based classifiers in their work for identifying and categorizing various attacks in an IoT network. In this section, some of the recent publications of various authors have been reviewed and analyzed in order to check how these models are performing. The various keywords used in this paper are “ML based IDS classification”, “DL based IDS classification”, “IDS in IoT”, and so on. Moreover, these keywords have been used in different journal sites like, “Springer”, “Elsevier”, “Scopus”, “Hindwai”, “IEEE”, “TKDE”, and so on, in order to obtain the most effective papers in this field. Arushi et al. [21] utilized and examined the performance of three ML classifiers, NB, SVM, and KNN, in their work for minimizing the processing time. The performance of these systems was validated in terms of the confusion matrix to calculate its precision, followed by recall and F1-measure. Similarly, Al-Enazi et al. [22] proposed an ID system wherein they used LR, combined RF, Sequential Minimal Optimization (SMO), and NB classifiers for enhancing the accuracy of system. Moreover, they also utilized a stacking method on a UNSW-NB15 dataset to make the model resistant to modern attacks, cheap, and less complex. The suggested scheme achieved 97.88% accuracy to prove its effectiveness. Sayed et al. [23] compared and examined the performance of various classifiers in their work in order to select the most appropriate classifier for detecting intrusions in a network. The authors revealed that simple and basic classifiers like NB- and Tree-based classifiers like NB tree and Best First Tree showed better results than J46 and RF Decision Tree models. Through extensive experimentation, it was observed that classifiers like NB and Best First Tree were able to achieve an accuracy rate of 90% in detecting and classifying intrusions. Gulab et al. [24] reviewed and analyzed the performance of various classifiers, which included SVM, KNN, RF, and NB reduction and categorization techniques. The major goal of the authors in this paper was to determine the impact of selected features on the accuracy of classifiers. Nadiammai et al. [25] proposed the Variational Auto Encoder scheme termed (ICVAE) along with DNN for identifying and detecting intrusions in a network. The efficacy of the suggested ICVAE-DNN approach was analyzed on two datasets of NSL’s KDD and UNSW’s dataset. The results revealed that suggested scheme was outperforming existing models in terms of certain factors. Maseer et al. [26] proposed a model wherein they integrated data mining techniques like the EDADT algorithm along with a hybrid ID system and a semi supervised and varying HOPERAA algorithm in order to solve issues like data categorization, human interaction, and the absence of labelled data and efficacy of DDOS attacks. The suggested scheme was evaluated on KDD Cup databases and was found to outperform existing models in terms of accuracy and FPR. Yazan et al. [27] reviewed and examined the performance of 10 classifiers for detecting intrusions in a network. The authors also examined the tuning and training parameters of each classifier for achieving higher evaluation results. Moreover, the authors tested the efficacy of these models on an unbiased dataset of CICIDS2017 comprising real-world attacks. The results revealed that KNN, DT, and NB classifiers showed more promising results than other classifiers.

Sun et al. [28] proposed an ID system wherein they used an optimization approach termed Spider Monkey Optimization (SMO) in conjunction with a polynomial network which is also known as SDPN, where this network is stacked for enhancing the intrusion detection rate. The suggested model was able to identify attacks like DoS, U2L, and R2L and achieved good results for these attacks in the context of accuracy, precision, recall, and Fscore. Khan et al. [29] offered a hybrid CNN- and LSTM-based ID system in which spatial and temporal features were extracted, resulting in an effective ID system. Moreover, they also utilized the weight optimization technique in their work for minimizing the effect of unbalanced samples. The model was tested on a CICIDS2017 dataset wherein an accuracy of 98.67% was attained. Jiyeon et al. [30] combined the ML library (MLlib) and a convolutional auto encoder (Conv-AE) in order to detect anomalies and misuse attacks in an IOT network. The efficacy of the system was validated on heterogeneous data of CSE-CIC-IDS2018 in terms of accuracy, FAR, DR, etc. Said et al. [31] proposed a model based on a CNN for detecting attacks. The proposed model was evaluated and compared with traditional RNN models on two datasets of KDD Cup99 as well as CSE-CID-IDS2018 datasets to prove its superiority. Moreover, Qiu et al. [32] proposed an effective hybrid CNN-based ID approach for identifying and categorizing incoming traffic in the network. The authors used a weight-matrix-based SD-Reg regularizer for overcoming overfitting problems in detection models. The performance was analyzed on an In SDN dataset. Sriram et al. [33] proposed a DCNN-based ID system for identifying and categorizing network data in normal circumstances and during attacks. The efficacy of the suggested model was evaluated on a KDD-Cup99 dataset. Through extensive investigation, the efficiency of the proposed DCNN approach was evaluated. Khan et al. [34] proposed a convolutional RNN for identifying the network data under normal circumstances or during an attack. The local and temporal features were obtained via the CNN and RNN, respectively. The effectiveness of the suggested scheme was analyzed on CSE-CIC-DS2018 and achieved an accuracy of rate 97.75% for 10-fold cross-validation. Punam et al. [35] addressed the class imbalance issues of ID systems by introducing a Siamese NN in their work. The suggested model was able to detect different categories of attacks without using any class-balancing technique. The outcomes of the suggested scheme were compared with DNN and CNN models in terms of recall values. V. Sharma et al. [36] proposed an effective self-healing-based neuro fuzzy technique for detecting and mitigating attacks with high accuracy. They examined the performance of the suggested approach on DARPA 98, synthetic and real-time datasets.

After conducting a literature review, it can be concluded that IDSs are a crucial tool for ensuring the security and integrity of computer networks. The development of IDSs has become increasingly important due to the rising number of cyber-attacks and the growing complexity of computer networks. The challenges associated with IDS development include ensuring the accuracy of intrusion detection, minimizing false alarms, and dealing with the large amount of data generated by an IDS. The majority of the current IDSs face challenges in reducing false alarm rates (FAR) which directly affect the accuracy of system. Even though some authors in the literature were able to achieve high accuracies but at the cost of high computational complexity and information loss which makes these systems ineffective. Moreover, most of these systems were using only one dataset due to which they were able to identify only some specific type of intrusions and no new attack could be identified by these systems. In addition to this, most of the researchers are using conventional ML algorithms which undergo through under-fitting and over-fitting issues which lead to poor performance of the model. Overall, an IDS is a valuable tool for detecting and responding to security threats, and it is important to continue to develop and improve this technology to ensure the safety and security of computer networks.

3. Present Work

In order to overcome the shortcomings discussed in the previous sections, a novel and highly accurate network-based IDS model is proposed in this research, in which multiple datasets and an inverted hour-glass-based layered network architecture are used for detecting intrusion in a smart-city-based IoT network. These smart cities comprise various sensors that work together to perform specific operations. However, to make the process automatic, these sensors are connected to an IoT network, which is susceptible to various threats and attacks. These kinds of attacks have the potential to seriously harm an IoT network’s capabilities for smart environments and IoT services. To detect these attacks, we have developed an effective layered ID system with reduced execution and processing times, while improving intrusion detection accuracy. To accomplish this objective, the proposed ID network goes through various phases, and at each phase, data are processed in such a way that it increases the efficacy of model. Nonetheless, until now, there was not a single intrusion detection system that could detect all new attacks, as with the advances in technology, attackers are also updating their tactics for gaining access to confidential information. Keeping this fact in mind, we have used three datasets of different years, including KDD-cup99, NSLKDD, and UNSW NB15. One of the ideas behind working with these datasets is to illustrate the concept that if the proposed network is trained on new datasets, it will produce effective results under new attacks. It must be noted here that the three datasets were individually provided to the proposed model for training, and then the results obtained with each dataset were examined to assess the efficacy of the suggested approach. However, after conducting the literature review, it was determined that using multiple datasets increases the complexity of a detection model. In order to address this issue, Yellow Saddle Goatfish (YSGA) and particle Swarm Optimization (PSO) algorithms were hybridized along with the Decision Tree (DT) model for extracting and selecting only important and crucial features from available datasets. This not only reduces the complexity of proposed model but also reduces its execution time. In addition to this, we have seen that existing ID models use only ML- or DL-based classifiers that are not trained properly on unbalanced datasets, thereby impacting their accuracy as well. Hence, in the proposed approach, we are going to develop an inverted hour-glass-based layered network architecture that can handle a mammoth volume of data and categorize incoming data traffic into normal and intrusions effectively.

Now the question is, why should someone use our suggested network-based IDS approach instead of existing ID systems? The answer to this question is simple, as we found from our literature review that conventional ID systems are not producing adequate results. Therefore, we utilized the three different datasets used in existing models in order to increasing our model’s ability to detect various attacks. Additionally, as our proposed system is a network-based IDS, it has the ability to monitor the traffic of all the systems in the network, compared with HIDSs, which are relegated to single system. Moreover, the proposed approach is also able to detect attacks that may originate from trusted sources through its ability to analyze network traffic patterns and anomalies. The given model monitors all incoming and outgoing traffic across a network segment, regardless of the source’s trust level. When a trusted source starts behaving suspiciously, such as sending an unusually high volume of data or attempting to exploit vulnerabilities in network services, it raises alerts or takes predefined actions to mitigate the threat, making it more effective and reliable. The testing results obtained revealed that the proposed ID approach is more effective and accurate than existing models and hence can be used in place of traditional ID models.

4. Materials and Methods

The proposed layered ID system goes through phases like data collection, pre-processing, Feature Selection (FS), Classification, Performance Evaluation, Model Monitoring, and Maintenance. The technical innovation of this paper lies in its intelligent hybrid FS technique and DL-based inverted hour glass model. The proposed hybrid feature selection technique not only selects important features based on their informational patterns but also evaluates their accuracy by using an ML classifier. The feature set with highest accuracy has the ability to precisely identify and classify normal and intruded data. Similarly, a DL-based classification model is developed for handling the large data volumes and data imbalance issues that arise from using multiple datasets. Figure 1 shows the suggested intrusion detection model’s flow diagram, which is followed by a brief explanation of each stage.

Initially, necessary information is collected from three databases. As we know, the data present in these sets are not balanced and normalized, which means that they cannot be directly used for training a learning model. Therefore, in order to achieve data normalization and balancing, we have implemented pre-processing technique on raw data samples. The output of the pre-processing technique is processed and normalized data, upon which, further advanced techniques like FS and classification are employed. In the proposed work, features are extracted from hybrid YSGA-PSO-DT model and classification is performed through inverted hour-glass-based layered network architecture. The detailed working of each phase is explained in this section.

Data Collection: The very first step that is followed in almost every ID technique is to collect all the necessary and related data. However, our proposed approach is different from traditional ID approaches in the fact that we are use three standard datasets in our work rather than just one, in order to increase systems ability for detecting frequently occurring attacks. Many experts have used these datasets in their work individually or hybridized for detecting intrusions in an IoT network, but they still have not achieved effective results. The important factor for including three datasets in the proposed work is to train the model in more effective ways so that it can detect old and new attacks with similar accuracy. Some brief information about each dataset is given below.

KDD-Cup99 Database [37]: It is one of the widely used databases and contains a total of 7 million attack records. Out of these 7 million records, 5 million are reserved for training the model, while the remaining 2 million records are used for testing the efficacy of model. The dataset contains information about normal data, DoS, Probe, R2L, and U2L attacks. Moreover, the training and testing data distribution for five labeled groups is highly unbalanced in this dataset.

NSL-KDD Database [38]: Another important and frequently used database for detecting intrusions in an IoT network is NSL-KDD dataset. This database’s 41 characteristics are organized among three different categories: basic, one as content, and one as traffic attributes. The collection of information has no duplicated records in training as well as testing information, which frequently contributes to improved preciseness. There are 125,973 records for training whereas for testing 22,554, there are records. Additionally, the aforementioned data set includes four other types of attacks; one of them is DoS, another is probing, as well as U2R and R2L.

UNSW-NB15 Dataset [39]: The third and final dataset that has been used in our work is UNSW-NB15 dataset. It has a total of 42 characteristics that are categorized into 10 classes as follows: the first is Normal, the second is Fuzzers, next to it are Analysis, Backdoors, and DoS. Exploits, generic, Reconnaissance are also part of these classes. Finally, Shellcode and Worms are 9th and 10th classes of dataset. The total number of samples present in training and testing data is 175,341 and 82,332, respectively. Furthermore, it must be noted here that the training and testing data present in this database are also highly unbalanced, and the training set contains 42.24% redundant data.

Handling Data Quality Issues: This is the second stage of proposed work, where the data obtained from three datasets are analyzed and normalized by using data cleaning techniques. As discussed earlier, the data present in three utilized databases are not normalized and balanced, and if they are used directly, they will directly impact the accuracy of proposed model. Therefore, in our approach, we have implemented data cleaning technique for removing unnecessary and redundant data from datasets in order to balance them. The data cleaning technique is implemented on training and testing sets to delete the redundant, unnecessary data as well as NAN values. Moreover, data normalization technique has also been implemented that scales the values of data in between 0 and 1, to make sure that all features have equal importance during the analysis. In addition to this, zero imputation technique has been implemented in the pre-processing stage in order to make sure that missing values do not affect subsequent analysis. This method fills in the information absences and ensures that the dataset maintains its structure by replacing any missing values in the dataset with zero. One of the major benefits of applying pre-processing technique is that it preserves only informative and useful information in the dataset and eliminates unnecessary data, which reduces the complexity of a model considerably.

Implementing Hybrid Feature Selection Technique: After the normalizing the data, the next step is to select key features. Feature selection is one of the crucial stages wherein only those features are selected that are relevant and valuable for identifying attacks in the network. So, it is important to utilize an effective and efficient FS technique so that performance of suggested approach is boosted. From the literature review, it was observed that a number of feature selection techniques have been implemented by authors; however, the problem is that the majority of these systems have limited feature space due to which, they are unable to capture all relevant information needed to detect attacks, which in turn increases the computational complexity and reduces detection accuracy rate. In our work, we have combined two optimization algorithms, Yellow Saddle Goatfish (YSGA) and Particle Swarm Optimization (PSO) along with the ML-based Decision Tree (DT) algorithm. Here, the question is how the proposed technique selects only effective features from the available feature set. As current feature set may contain attributes that do not follow any patterns or have any relation among themselves. Additionally, they might depict same value range for different classes, resulting in biased results. To overcome this issue, proposed technique selects only those features from original feature set that contain patterned information. This is achieved by feeding optimized set of features to DT classifier for evaluating their accuracy and finally, the set with higher accuracy is selected. The detailed description of the process is given below.

The uniqueness of our work lies in the hybridization of two optimization methods with the ML classification algorithm, which aids in choosing the ideal number of characteristics and enhancing the model’s accuracy. By altering the original characteristics into a lower-dimensional space while keeping the most significant and vital features in the dataset, it also lowers the dataset’s density. The fitness function used in the scheme is as follows:

$$fitness=\frac{1}{accuracy}$$

(1)

The fitness value for selecting the most relevant features is calculated using the DT algorithm, which evaluates the classification accuracy of a particular set of features. The hybrid optimization approach can be formulated as

$${{\displaystyle X}}_t=YSGA(PSO({{\displaystyle X}}_{(t-1)}))$$

(2)

where, X_t and X_(t−1) are the feature subsets at time t and (t − 1).

The YSGA algorithm searches for the most promising feature subset, and then the PSO algorithm is applied to refine the search space, resulting in a better feature subset in every iteration. Moreover, the DT is used in the proposed model for calculating the fitness value that determines for which features the accuracy for detecting intrusions is higher. At the end of feature selection phase, a final feature set is obtained that has best fitness value. The configuration factors used in the proposed method are given below in

Table 1. Proposed optimization algorithm’s setup factors.

Sr. No.	Factors	Values
1	Population Size	10
2	Iterations Count	50
3	Constant C1	2
4	Constant C2	2
5	Weight Value (w)	0.4
6	Constant alpha	−1

.

The population size in the algorithm determines the count of features in the given datasets. It was decided to keep the population at size 10 because features are limited in the dataset; therefore, it is inappropriate to use a larger population size. Moreover, iteration count is 50 because we were obtaining optimum results within the 50 iterations, so again, it is ineffective and unnecessary to run the model for further iterations. Likewise, constants C1 and C2 are utilized for controlling the search behavior of the algorithm and the value is kept at 2 for balancing the personal and collective knowledge of swarms. Moreover, weight value determines how much weight of previous results must be considered in the next iteration; we have decided to keep the weightage value below 0.5 in order to increase the probability of obtaining a new result. Additionally, constant alpha of −1 is used in the proposed model for focusing on exploration more than exploitation.

Proposed Classification Model: In the proposed model, inverted hour-glass-based layered network architecture is proposed for classifying and categorizing incoming data traffic as regular or intrusions of specific kind. The main reason for using this architecture in the proposed work is to provide a network which ensures best results for tasks that demand more detailed and precise analysis of the input data, with main focus on capturing more suitable set of features from the available datasets. We have seen in literature that, existing ML- and DL-based classifiers were not able to handle large datasets very effectively, which leads to inaccuracy and inefficiency. This issue is handled in the inverted hour-glass-based layered network system by up-sampling it, with the increase in network layers. Basically, the data are up-sampled by increasing the instances of classes that are lower in number, thus addressing the problem of data imbalance and adjusting the dataset size. By doing so, the training efficacy of the model increases, which in turn increases the detection rate of model. The suggested inverted hour-glass-based layered network is better than conventional layered models in the fact that sum of features is four times that in our architectures, which makes it more effective and easier to implement. The layered classifier receives the data and matches it with the feature set data; if data match, it is considered an attack and an alarm is generated to administration for taking proper action; otherwise, data are normal and hence, no action is needed.

For the proposed model, the extracted features are split into a set of training and test sets in a 70:30 ratio. The technical layout of proposed layered network is as follows:

-

Input Layer: The input layer of the network accepts the input data, which in this case, is an image. The input data are formed into a matrix to form an image structure to feed to the given network.

-

Convolutional Layer: The next layer of the network is a convolutional. The contribution of this layer is to apply filters to data that are received at input layer, which further generates a feature map.

-

Batch Normalization: Next to this, batch normalization layer starts its work by normalizing the data received from convolutional layer. Another advantage of using this layer is to stabilize the training process as well as to speed up convergence.

-

ReLU Activation: for adding the non-linearity into the network, rectified linear unit is added as activation function that assists network in learning more complex features.

-

Convolutional Block: The next layer is a block of convolutional layers, which applies several convolutional filters to the output of the previous layer, followed by batch normalization and ReLU activation.

-

Additional Convolutional Layer: After the block of convolutional layers, an additional convolutional layer is applied to further extract features from the input image.

-

Additional ReLU Activation. An additional rectified linear function is added beyond the previous layer.

-

Additional Convolutional Layer: Another convolutional layer is applied after the previous layer to extract more complex features.

-

Copy of Convolutional Block: The previous three layers (i.e., layers 5–8) are repeated twice, with the number of filters increasing from 4 to 16 in each copy.

-

Average Pooling Layer: After the copy of the convolutional block, for reducing dimensionality of the fed data, a pooling layer is added.

-

Fully Connected Layer: A fully connected layer is then used to build a connection between fed input to the output layer.

-

SoftMax Layer: In addition to this, SoftMax layer is added to normalize the output of the previous layer into a probability distribution over the output classes.

-

Classification Layer: The final layer of the network is the classification layer, which predicts the class of the input image based on the probabilities generated by previous layer.

Overall, this deep neural network architecture consists of multiple layers for filtration, normalization, and for stabilizing the outputs. To increase the total number of filters in the network’s structure, a block of convolutional layering is repeated twice. The resultant output is subsequently passed via a fully connected layer, a SoftMax layer, and a classification layer to determine the class of the fed network data.

After defining the architecture of the deep neural network for feature-based classification, the sunsequent phase is to train the network on a dataset of labeled features. The three datasets are passed separately to the architecture for training purposes and based on this training, results are evaluated, which determine the ability of the proposed system to detect intrusions on different datasets. The network is given a variety of input features throughout the training stage, and the relative weights within the network are adjusted depending on the discrepancies between the projected output and its actual result. This process is repeated over many iterations, with the network gradually improving its performance on the training information set. The configuration of designed network for training and testing is as follows in

Table 2. Configuration parameters for network.

Sr. No.	Factors	Values
1	Optimizer	Stochastic Gradient Descent with momentum
2	Epochs	90
3	Mini batch size	128
4	Learning rate	0.1
5	Learning drop factor	0.1
6	Learning drop Rate	15
7	Verbose frequency	27
8	Shuffle	Every epoch
9	Plots	Training progress
10	Verbose	False
11	Validation data	{X validation, Y Validation}
12	Validation Frequency	27
13	Learn rate schedule	Piecewise
14	Kernel size	3 × 3
15	Filters	4, 8, 16

.

As specified in Table 2, we have used SGDM optimizer in our work because it helps in accelerating convergence by smoothing out the gradient updates. Additionally, the batch size value is 128 because larger mini-batch sizes ensure faster convergence. Additionally, factors like learning rate, drop factor, and drop rate were chosen based on experimentation results for fine tuning the learning process. Moreover, the kernel size is 3 × 3 because it is one of the widely used sizes for capturing local features effectively. Finally, we are upgrading filter size from 4 to 8 to 16 because of the demand of the designed architecture wherein data are up-sampled for abstracting more informative information.

Once the network has been trained, it is evaluated on test set to obtain a final estimate of its accuracy. The evaluation metrics used in deep learning include accuracy, precision, false acceptance ratio (FAR). These metrics help to assess the performance of the network.

Performance Evaluation: In the last phase of the proposed ID approach, the effectiveness and efficacy of the model is analyzed and validated by comparing it with a few state-of-the-art ID systems. The outcomes are obtained for three databases with specific features in terms of various evaluation parameters that are discussed below.

Model Monitoring and Maintenance: Since every day, hackers are trying new and innovative ways to gain access to systems, the performance of an IDS model is affected. This is because current IDS models are trained on specified datasets containing information about specific attacks, which makes it difficult for the model to identify any new type of the attack. This issue was resolved in proposed ID system wherein three datasets instead of one have been used in order to increase the detection rate accuracy. The proposed system has been evaluated on different datasets in order to increase the probability of identifying variety of attacks. This makes our model effective and adaptive in real-time scenarios and any change to the current datasets can be reflected on the results as well. The proposed model can be deployed in real-world scenarios and updated dataset can be used for training the model, which in turn will show effective results, as the proposed model detects new attacks with great accuracy, which makes it dynamic.

5. Results and Discussion

This section analyzes the findings from three databases and compares them with conventional models in terms of the different performance factors. It must be noted that we have compared only the numbers of results in their respective published papers and not implemented the traditional models individually. So, each dataset comparison is purely based on numbers and not implementation-based. The proposed model was implemented in MATLAB software and installed in a CPU-based intel core i3 processor. Moreover, we used a windows 10 operating system with 8 GB RAM and 500 GB Hard disk drive.

The comparison graph obtained for the accuracy, precision, and FAR for the KDD-CUP99 dataset is given in Figure 2. The x- and y-axes of the graph correspond to various parameters and their specific values. The graph reveals that standard models like GRU-RNN, DBN, and CNID have accuracy and precision values of 92.41%, 95%, 98%, and 97.2%, 97.4%, 99.98%, respectively. Additionally, the accuracy value in other traditional models like PSO+MCLP [40] and PSO+NN [40] was 99%, while it was 94% in ANN (FNN-LSO) [40] and 85%, 84%, 87%, and 90% in Adaptive ensemble [41], autoencoder [42], DLHA [43], and DLNID [44] models, respectively. On the contrary, precision value was attained in only a few other traditional models like Adaptive ensemble, Autoencoder, DLHA, and DLNID, which were only 86%, 87%, 88%, and 86%, respectively. However, the value of accuracy was increased by around 0.367 (With respect to PSO+NN model) and settled at 99.567% in our approach. Moreover, the value of FAR should be minim inal models to depict their efficacy, but that was 1.94%, 2.23%, 0.5%, 7.9%, 3.42%, and 0.02% in the conventional PSO+MCLP, ANN (FNN-LSO), PSO+NN, GRU-RNN [45], DBN [45], and CNID [45] models, whereas it was just 0.001 in our approach. In addition to this, the F1-score of the proposed model was 99.76, which means it shows the least false positive and false negative values. These figures prove the superiority of our proposed approach over other existing models on the KDD-CUP99 dataset. The exact values for each parameter are demonstrated in

Table 3. Values obtained on KDD-CUP99 dataset.

Algorithm	KDD-CUP Dataset
	Accuracy	Precision	FAR
PSO+MCLP [40]	99.13	-	1.94
ANN (FNN-LSO) [40]	94.02	-	2.23
PSO+NN [40]	99.20	-	0.5
Adaptive Ensemble [41]	85.20	86.50	-
Autoencoder [42]	84.24	87.00	-
DLHA [43]	87.55	88.16	-
DLNID [44]	90.73	86.38	-
GRU-RNN [45]	92.41	97.29	7.92
DBN [45]	95	97.42	3.24
CNID [45]	98.02	99.98	0.02
Proposed	99.567	99.67	0.001

.

Similarly, we analyzed the effectiveness of proposed layered network architecture by comparing its performance on the NSL-KDD dataset in terms of accuracy, precision, and FAR. The comparison graph for the same is given in Figure 3. The graph reveals that the standard GRU-RNN [45] model shows the least values for accuracy (89%) followed by DBN [45], LDA [46] with an accuracy of (92.66%) and (93%), whereas it was 98.72% as a maximum value with the standard HFS-LGBM [47] model. However, this accuracy value was outperformed by the proposed model, which attained the highest accuracy of 99.967%, an improvement of 1.247% compared to the best-performing standard model (HFS-LGBM). Likewise, the XgBoost [47] standard model showed lowest precision value of 93.35%, while it was 98.78% in our proposed model. Additionally, the FAR values were high with 2.58% in GRU-RNN, 1.74% in DBN [45], and 0.87% in the CNID [45] models. On the other hand, when we analyzed the performance of the proposed approach on the NSL-KDD dataset, we observed the lowest FAR score (0.0004%). Additionally, the F1-Score value obtained with the NSLKDD dataset was 98.79% in the proposed model, which demonstrates its efficacy.

Table 4. Values obtained with NSLKDD dataset.

Algorithm	NSLKDD Dataset
	Accuracy	Precision	FAR
LR [46]	94.00	94.00	0.05
LDA [46]	93.00	94.00	0.05
KNN [46]	98.00	98.00	0.01
CART [46]	98.00	98.00	0.01
SVM [46]	96.00	96.00	0.02
PCC-CNN [46]	98.00	95.00	0.01
XgBoost [47]	96.31	93.35	-
LightGBM [47]	98.69	95.53	-
HFS-LGBM [47]	98.72	97.45	-
GRU-RNN [45]	89.58	97.02	2.58
DBN [45]	92.66	97.43	1.74
CNID [45]	97.09	99.98	0.87
Proposed	99.967	99.67	0.0004

shows the precise values for the above parameters on the NSL-KDD dataset.

Furthermore, we have also examined and validated the effectiveness of the proposed approach over other traditional models in terms of accuracy and precision with the UNSW-NB15 dataset (as shown in Figure 4). The results demonstrate that the traditional SVM [48] model exhibited the lowest accuracy and precision values of 94% and 95%, followed by other models such as LightGBM [49] and CatBoost [50] with an accuracy of 97.77% and 98.08% and precision of 99.16% and 98.99%, while they were 99.7% and 99.13% in our proposed model, respectively. Moreover, the proposed model attained a high F1-Score of 99.13% with the lowest FAR of 0.0087% with the UNSW-NB15 dataset. The specific values of these parameters for other models is shown in

Table 5. Values obtained with UNSW-NB-15 dataset.

Algorithm	UNSW-NB15 Dataset
	Accuracy	Precision
SVM [48]	94.138	95.69
LR [48]	95.77	97.31
XgBoost [48]	97.37	98.82
LightGBM [49]	97.77	99.16
CatBoost [50]	98.08	98.99
Catboost-Optuna [48]	98.70	99.503
Proposed	99.967	99.67

.

In addition to this, the superiority of the proposed layered ID network architectural model is validated on the UNSW-NB15 dataset in determining its ability to identify and categorize modern attacks. The results obtained for the same are depicted in

Table 6. Comparison values for accuracy with UNSW-Nb15 Dataset.

Algorithm	BPNN [51]	HYSGPSO-DL
Fuzzers	90.4	99.167
Analysis	86.48	99.167
Backdoors	89.82	99.367
DOS	86.57	100
Exploits	87.8	100
Generic	97.97	100
Reconnaissance	89.85	100
Shellcode	90.75	100
Worms	89.22	99.833

. Table 6 demonstrates the superiority of the proposed model, which achieved the maximum accuracy of 100% in detecting attacks like DoS, Exploits, Generic, Reconnaissance, and Shellcode in comparison to the existing BPNN approach [51].

From the given graphs and tables, it can be concluded that the proposed layered network has outperformed all conventional models on three datasets in terms of accuracy, precision, and FAR.

Collaborative Analysis

After analyzing the proposed scheme for three different algorithms, it is also important to analyze the schemes collaboratively for all three datasets. The classification reports for the three datasets showed that the suggested method has a KDD-CUP99 dataset accuracy of 99.567%, whereas it is 99.967% for the NSL-KDD dataset. Additionally, when simulated with the UNSW-NB15 dataset, the accuracy percentage achieved is 99.726%. Furthermore, for precision, the simulated results achieved 99.67, 98.78, and 99.13% for the three datasets (in same order as mentioned given accuracy). Finally, for FAR factors, the scheme achieved 0.001, 0.0004, and 0.0087 (in same order). These results are proof that our proposed model can detect and classify attacks with an accuracy of 99.726% with the UNSW-NB15 dataset, which is a newer database among the three utilized repositories. In future, if the proposed model is trained on some other updated databases of newer attacks, it is expected that the detection rate will be higher.

In addition to this, unlike previous IDSs that were based on GPUs (expensive), our model is able to generate highly accurate results on a CPU core i3 processor, which is far cheaper than GPU systems, reducing its overall computational cost. Moreover, the execution time of our proposed approach is also shorter than previous models, as we have selected features by employing an intelligent hybrid feature selection technique which enables the classification model to generate results quickly.

The scientific contribution of the work on the IDS system is focused on addressing the challenges associated with the use of multiple datasets, the selection of qualitative features, and finally, the detection of intrusion in network traffic, even though using multiple datasets increases the chance of detecting intrusions but selecting relevant features from multiple datasets and ensuring their compatibility can be a challenge because of data heterogeneity and class imbalance issues. Overall, this work represents an important contribution to the field of detecting intrusions, demonstrating the potential for more advanced algorithms and techniques to improve the accuracy and efficiency of these systems in real-world scenarios.

6. Conclusions

A highly accurate and effective network intrusion detection model for smart-city-based IoT systems, in which multiple databases have been utilized, has been presented in this research article. Using MATLAB software, we have analyzed the efficacy and usefulness of the proposed layered ID approach. The results were obtained on three different datasets including KDD Cup 99, NSLKDD, and UNSW NB15 for accuracy, precision, and false acceptance rate. The simulation outcomes revealed that the proposed approach shows promising results on three databases compared to existing models. The proposed ID system was able to attain an accuracy of 99.530% on KDD Cup 99, whereas it was 99.9671% on NSLKDD and 99.130% for the UNSW NB 15 dataset. Moreover, the superiority of the proposed approach demonstrated by its FAR, which was only 0.0018 and 0.00043% on the KDD Cup 99 and NSL-KDD datasets, respectively. Furthermore, the proposed model has yielded effective results with the UNSW-NB15 dataset, having attained an accuracy of 99.7%. In addition to this, the productiveness of the suggested scheme has been analyzed on the UNSW-NB15 database for identifying various types of attacks, whose values were 100% for identifying and labeling attacks like Dos, generic, Reconnaissance, and Shellcode. These figures prove the superiority and efficiency of our proposed ID approach over other detection techniques.