1. Introduction

With the rise of the Internet, there has been an immense surge in Internet-based services [1]. As a result, many of the physical systems or devices that are connected to the Internet can easily be operated and managed remotely. Client behaviour can then be monitored and documented, future decisions can be predicted, and useful services provided [2]. The Internet of Things (IoT) is used in a variety of fields, including the smart home, smart city, smart healthcare, smart factories, smart supply chain, and smart retail. Figure 1 depicts a few of IoT applications that may be found in everyday life. The goal of such a smart environment is to make people’s lives more productive and add value by addressing issues related to living conditions [3]. However, because of increased interconnectedness, the network has become more complicated, making network security more difficult to sustain. Intruders consider security lapses to be an invitation to discover and exploit vulnerabilities in IoT networks. However, network security breaches can result in significant financial losses for businesses and consumers. Hence, it is essential to design a system that will ensure the security of the IoT network. Many tools and techniques are available to combat various cyber-attacks, such as spam filters, firewalls, anti-malware, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and so on [4].

To ensure the security of an IoT network, an IDS can be an extremely effective and crucial solution. There are three key phases in the operation of an IDS. The first of these is monitoring, which is based on network or host sensors. The second phase is analysis, which involves feature extraction and pattern recognition. Finally, the third phase is detection, which detects any anomalies in a network.

Intrusion detection systems can be classified into two main groups: signature-based intrusion detection systems (SIDS) and anomaly-based intrusion detection systems (AIDS). Traditional SIDS methods involve examining network packets and attempting to match patterns to a signature database. A machine-learning (ML) approach is used in AIDS to train the model in normalised behaviour. Network activities are then compared with that normal behaviour. Anomaly-based intrusion detection systems are considered as a dynamic approach to anomaly detection, applying behaviour-oriented detection.

The AIDS strategy has in fact received more attention than any other approach [5]. The capacity to detect unknown or zero-day attacks is the main benefit of AIDS. The majority of researchers choose anomaly detection, since it appears to be the most viable means [6,7]. However, designing efficient IDS for IoT devices remains challenging, due to the following reasons:

• (a). Cyber-security datasets

  The majority of existing datasets are outdated and may be inefficient for grasping the behavioural patterns of modern cyber-attacks. Moreover, there is a dearth of knowledge about the characteristics of recent attacks and their patterns of occurrence.

• (b). Handling quality problems in Cyber-security datasets

  Cyber-security datasets may be incomplete, unbalanced, noisy, or contain inconsistent instances related to a particular security incident. The quality of the learning process, and performance of ML-based models is affected by such dataset issues [8].

• (c). Low processing ability

  Internet of Things devices are lightweight and energy-constrained with low computational capacity. However, teal-time data-processing is required by ML algorithms, which presents a problem to the implementation of such resource-constrained devices.

• (d). Low memory capacity

  Data is created in diverse ways in the IoT context, necessitating huge memory in IoT devices. As a result, being able to offer an efficient solution for varied data poses a hurdle.

Moreover, employing all features in the design of an IDS can lead to the introduction of redundant and irrelevant features into the model. Therefore, feature optimization must be used to achieve good IDS performance [9]. There are three main approaches to feature optimization. The filter-based approach evaluates features according to predefined metrics, often using information theory. In contrast, a wrapper and embedded approach will evaluate features using an ML algorithm. In this current study, a wrapper-based feature optimization technique was used, specifically IDSBPSO as it gives efficient results as compare to other feature optimization methods [10]. SBPSO is a recently proposed BPSO variant that updates a particle’s position, using the flipping probability rather than velocity. In SBPSO, a stickiness parameter is employed to maintain the momentum that is characteristic of PSO, meaning that a particle will tend to adhere to the position to which it has recently moved. PSO is a population-based stochastic optimization algorithm. Due to its easy feature-coding, computational reasonability, few parameters, and less demanding execution to address and select critical feature problems, the PSO algorithm is considered efficient and robustness to control parameters. There are various publicly available datasets for IoT networks, which include DARPA98, KDDCUP99, CAIDA (2007), ISCX 2012, ADFA-WD (2014), ADFA-LD (2014), CISIDS 2017, DS2OS (updated 20218), BOT-IoT (updated 2020) UNSW-NB15, and IoTID20.

The following are the contributions of the paper:

• The proposed IDSBPSO is based on a novel approach of dynamic bit-masking strategy to reduce the search space of the SBPSO. This approach iteratively applies a mask to features after a certain number of generations, in order to prevent those features from evolving further. Using such a method throughout the evolutionary process can significantly reduce the search space, allowing the IDSBPSO to identify better solutions within a smaller search space.

• Some parameters are set to dynamic, in order to investigate how this strategy can help balance exploration with exploitation, thereby further improving the searchability of SBPSO for the problems of optimising feature selection.

• The proposed strategy would be implemented on two IoT network datasets for feature optimization, since this strategy is proposed for the design of an anomaly detection system for IoT networks, as a means of reducing the computational cost of such networks when using devices of a constrained nature.

The proposed FS model will be tested on the 2 datasets, IoTID20 and UNSW-NB15. The proposed model obtain comparable or higher accuracy with reduced computational cost and less number of features compared to benchmark PSO based methods. The remainder of this paper is organised as follows: the literature review is presented in Section 2; Section 3 discusses the proposed framework architecture; Section 4 describes the implementation and evaluation of the results of the system experiments, and Section 5 concludes the paper, also making recommendations for future work.

2. Literature Review

Internet of Things network security remains a consistent research topic for security analysers. Hence, numerous IDSs have been proposed, based on various types of feature optimization and reduction methodologies. In [11], the authors propose a novel two-tier classification model based on ML methodologies, for example, the Naive Bayes, K nearest neighbors (KNN) classifier with certainty factor voting, and linear discriminant analysis (LDA) for feature reduction. This model has a high detection rate for sophisticated attacks like User to Root (U2R) and Remote to Local (R2L), namely 34.81% and 67.16%, respectively. Conversely, in [12], the authors propose an effective deep learning approach: a self-taught learning (STL) IDS. The NSL-KDD dataset was used in the above-mentioned study, but the authors suggest a hybrid method for more accurate results. In [13], the authors suggest a feature selection technique using filter and wrapper methods, but these are computationally expensive. Meanwhile, in [14], the authors propose three IDS on K-means clustering, a decision tree, and a hybrid of these methods to achieve a maximum detection rate of 70–93%.

In [15], however, the authors propose a hybrid deep network, combining Convolutional Neural Network (CNN) with a gated recursive unit to detect intrusion. A PSO algorithm was utilised in the resulting study to select relevant features from the data, and a developing system successfully performed the feature selection and classification process automatically. Meanwhile, in [16], the authors present a semi-supervised ML technique for distributed denial of service (DDoS) detection, based on network entropy estimation, co-clustering, information gain ratio, and an extra-tree algorithm. This demonstrated good accuracy but with increased complexity. Conversely, in [17], the authors employed a variety of feature selection strategies, including a correlation coefficient, gain ratio, and information gain. The suggested experiment was carried out on random forest, rotation forest, and random committee classifiers.

Meanwhile, in [18], the authors present a feature selection-based IDS. The feature classification algorithm was based on a linear correlation coefficient. The cuttlefish algorithm was also used in this method to select features based on filter and wrapper, respectively. The FCC-CFA (feature grouping according to the linear correlation coefficient-cuttlefish algorithm) approach was created to extract the optimal subset of features from the dataset. This is a hybrid form of filter and wrapper method, retaining the advantages of each. The KDD Cup99 dataset was then used to test the suggested approach. The results of utilising the FGLCC-CFA algorithm revealed that compared with the CFA and FGLCC algorithms, the hybrid method was able to improve the accuracy and detection rate, while also reducing the number of false alarms.

In contrast, using a two-phase approach, the authors in [19] propose a hybrid intrusion detection model. Here, the first phase consisted of feature selection and the second, detecting an attack. A wrapper method called MGA-SVM was applied in the first phase. With multi-parent crossover and multi-parent mutation, this model combines the characteristics of SVM and GA (MGA). In the second phase, an artificial neural network (ANN) was used to detect attacks, and PSO was employed to improve the suggested model’s performance. The proposed name of this model is therefore MGA-SVMHGS-PSO-ANN. It has a high detection accuracy of 99.3%, according to data from the NSL-KDD dataset.

On the other hand, specifically for lightweight IoT devices, the performance of a lightweight ML-based IDS was tested in [20], using a new feature selection technique. The technique was verified with a public dataset, acquired from an IoT environment for this work. In the above model, a new feature selection approach, referred to as correlated-set thresholding on gain-ratio (CST-GR), is proposed to create a lightweight system, while also positively affecting the detection rate.

In [21], however, the authors propose supervised ML algorithms to create a three-layer intrusion detection system, capable of detecting a variety of cyber-attacks in IoT networks. The resulting solution was tested in a smart home scenario with eight IoT gadgets. In [22], the authors designed a bottom-up EI architecture and proposed novel data driven dynamical control strategy. Moreover, Intelligent controllers augmented by deep reinforcement learning (DRL) techniques are adopted and the concept of curriculum learning (CL) is integrated into DRL to improve the sample efficiency and accelerate the training process. Similarly, in [23], the authors created a novel hybrid intrusion detection system (HIDS) for IoT threats. The developed HIDS ensemble was utilised to secure IoT devices by merging SIDS with AIDS. The results of the generated model revealed that the HIDS was superior in its performance. Conversely, the model could not detect various types of attack on the IoT system.

According to the research cited above, various FS methods have been used in the past but when the data dimensionality increases then it cause serious challenge for optimisers, as search space increases dramatically. Choosing the right characteristics to maximise classification accuracy for anomaly detection in IoT networks, while at the same time reducing computational cost and prediction time, would still appear to be a work in progress. Various research exists on the design of anomaly detection systems for IoT networks, but these either use benchmark PSO-based methods, or a hybrid of optimization algorithms for feature selection. To close the gap in the literature, this study therefore provides an intelligent system, which uses novel approach to reduce search space and increase the exploration and exploitation ability of optimizer to select optimal features, while obtaining comparable or higher accuracy with reduced computational cost and prediction time.

3. The Proposed Model

This section proposes an enhanced approach to the design of an efficient and accurate IDS for IoT networks, using an IDSBPSO as an approach to feature selection. Particle swarm optimization (PSO) is a population-based stochastic optimization algorithm, proposed by Eberhart and Kennedy in 1995 [24]. Because of its easy feature-coding, computational reasonability, few parameters, and less demanding execution to address and select critical feature problems, the PSO algorithm is considered efficient [25]. The originally proposed PSO was a continuous one (CPSO), used to tackle a variety of continuous issues. The main drawback of PSO is that if a particle gets stuck in a local minimum (optimal), all the other particles will converge to that local minimum, resulting in erroneous solutions. Thus, before expanding the network, it is necessary to preserve particle diversity [26].

Particles are employed in the PSO method to represent solutions from the population of particles in the relevant space. This population is referred to as a swarm. Each particle in the swarm is represented by vector $x_i=(x_i{,}_1,x_i{,}_2,$…$,x_i{,}_d)$, where d represents the number of features in the dataset, and each particle has d dimensional velocity $v_i=(v_i{,}_1,v_i{,}_2,$…$,v_i{,}_d)$. To enhance efficiency, PSO works randomly and travels in the search space to find relevant features by updating velocity and position with iterations. At each iteration, the particles’ velocity and position are updated according to $pbest$ and $gbest$, which are the best personal and global fitness values up until that iteration. According to [27], the position and velocity of particles is updated as in (1) and (2).

(1)$v_{i,d}^{k+1}=w{v}_{i,d}^k+c_1{r}_1(pbes{t}_{i,d}^k-x_{i,d}^k)+c_2{r}_2(gbes{t}_{i,d}^k-x_{i,d}^k)$

(2)$x_{i,d}^{k+1}=x_{i,d}^k+v_{i,d}^{k+1}$

Velocity has three components, as illustrated in (1). The first component is momentum, depicting the influence of the present direction. Varying particles usually have different momentums, which help keep the swarm diverse, especially when everyone shares their finest experiences. Furthermore, momentum is the only factor that will allow a particle to continue seeking better solutions, once it has arrived at the best point discovered by the swarm so far. Conversely, the other two are cognitive and social components which guide particles towards an optimal experience, as well as that of each particle’s neighbours.

Binary PSO was developed to solve combinatorial problems, including job-shop scheduling and feature selection. In BPSO, rather than adding velocity to position, in order to obtain a new position, velocity is used to determine the probability of achieving the corresponding updated position values [27], which can be seen in (3).

(3)$x_d^{k+1}=\left\{\begin{array}{cc}1\hfill & rand\left(\right)\le s\left(v_{i,d}^{k+1}\right)\hfill \\ 0\hfill & otherwise\hfill \end{array}\right.$

(4)$s\left(v_d^{k+1}\right)=1/e^{-v_d^{k+1}}$

Sticky BPSO (SBPSO) is a recently proposed BPSO variant that updates a particle’s position, using the flipping probability rather than velocity. In SBPSO, a stickiness parameter is employed to maintain the momentum that is characteristic of PSO, meaning that a particle will tend to adhere to the position to which it has recently moved [28]. This is illustrated in (5).

(5)$x_d^{k+1}=\left\{\begin{array}{cc}1-x_{i,d}^k\hfill & rand\left(\right)\le p_{i,d}^{k+1}\hfill \\ x_{i,d}^k\hfill & otherwise\hfill \end{array}\right.$

(6)$p_{i,d}^{k+1}=n_s(1-s{t}_{i,d}^k)+n_p\times |pbes{t}_{i,d}-x_{i,d}^k|+n_g\times |gbes{t}_d-x_{i,d}^k|$

(7)$s{t}_{i,d}^k=\left\{\begin{array}{cc}{s}_{i,d}^k-1⁄M\hfill & x_{i,d}^{k+1}=x_{i,d}^k,s\left(v_{i,d}^k\right)>0\hfill \\ 1\hfill & x_{i,d}^{k+1}\ne x_{i,d}^k\hfill \end{array}\right.$

(8)$n_s=n_{s_{max}}-k/k_{max}\times (n_{s_{max}}-n_{s_{min}})$

(9)$n_p=n_{p_{min}}+k/k_{max}\times (n_{p_{max}}-n_{p_{min}})$

(10)$n_g=n_{g_{max}}-k/k_{max}\times (n_{g_{max}}-n_{g_{min}})$

Traditionally, during the evolutionary process, a BPSO algorithm searches in a fixed d-dimensional space (where d represents the number of original features). When d is large, setting a high number of particles or generations in the PSO algorithms demands significant processing resources. As a result, it is advantageous to include a search space reduction strategy, which can lower the computational resources required for the PSO applied to the feature selection task.

In this study, the dynamic bit-masking strategy was combined with DSBPSO. This first involved extracting information from the $pbests$ of particles to determine which bits should be masked. During the evolutionary process, the number of selected traits of all particles decreases. Even before the halting criterion is met, noisy or irrelevant features can be determined. After a certain number of generations, if a feature (bit) is not selected by all $pbests$ in the swarm, it is very probable that this feature is useless, since solutions containing this feature are very likely to be eliminated for their poor fitness. The parameter that decides when a mask should be updated is $\mu$. In this study, the mask update approach was adopted, because a bit is masked if it is not selected by all pbests in the swarm. This can be seen in Algorithm 1.

In this algorithm, the $pbests$ of particles are represented by a set, $P\_B$, and the mask is denoted by $U\_B$, given that each element in this set corresponds to an unmasked bit. The $U\_B$ set is updated by obtaining information from the pbest of each swarm. A bit is removed from $U\_B$ if it is not selected by all $pbests$ in the swarm. During the algorithm’s evolutionary phase, the set is updated. Some bits in $U\_B$ are masked each time the mask- update mechanism is run. The mask-update approach ensures a reduced search space, because only the bits in $U\_B$ can evolve. The position-updating mechanism can then be rewritten as in (11) [28].

(11)$x_{i,d}^{k+1}=\left\{\begin{array}{cc}1-x_{i,d}^k\hfill & rand\left(\right)<x_{i,d}^{k+1},d\in U\_B\hfill \\ x_{i,d}^k\hfill & rand\left(\right)\ge x_{i,d}^{k+1},d\in U\_B\hfill \\ 0\hfill & d\notin U\_B\hfill \end{array}\right.$

According to the third condition, if $d\notin U\_B$, the position of that particle is assigned a value of 0, meaning that it is eliminated from the search space to reduce computational time and resources. This improvement can be seen in Figure 2, where the grey blocks show the improved SBPSO strategies.

The overall IDSBPSO-based feature selection procedure can be seen in Algorithm 2. The proposed approach first adopts a search space reduction strategy to reduce the number of features involved in the iteration update, and the mask is updated every $\mu$. K iterations, with K as the maximum number of iterations.

Figure 3 depicts the framework of the proposed model for a network IDS using IDSBPSO. The proposed system comprises a number of phases to obtain good accuracy and network suitability, as explained in this section.

The two IoT datasets included IoTID20 and UNSW-NB15. The IoTID20 dataset was generated in 2020 [29] and contains a total of 83 network features. These network features can be seen in Table 1. There are also three label features in this dataset: binary, category, and sub-category, and four main attacks: Scan, Mirai, denial of service (DoS), and man in the middle (MITM). These attacks and their subcategories can be seen in Table 2.

The UNSW-NB15 is an advanced dataset used for IDS research. It is widely referenced in the literature. The UNSW-NB15 contains 42 network features, as listed in Table 3. There are two label features in this dataset: binary and category. Moreover, nine attacks may be seen in Table 4. Authentication, confidentiality, integrity, and availability are among the security needs targeted by these attacks. Accurate detection of these attacks is critical, as the consequences for IoT applications can be disastrous [30].

Real-life datasets are high-dimensional because they incorporate vibrant information, received from a variety of IoT devices and sensors. When creating an ML model, it is essential to choose a set of meaningful, non-redundant features, because the quality of the features will reduce the performance of the ML classifier [31,32] and the data will be unsuitable for IoT devices to work on. For this purpose, IDSBPSO-based feature optimization was used in this study. The feature optimization problem may be formulated in different ways. In many cases, there is a need to optimise features to reduce computational cost, while also increasing performance accuracy to enhance the generalisation capability. When choosing the best optimization technique based solely on prediction accuracy, performance will vary between the training and test sets [33]. Therefore, there are two main goals in feature selection: to improve classification performance and reduce the number of selected features. In [34], the aggregate fitness function is used to select best features with no change in accuracy, which can be shown in (12).

(12)$l=a\times l_1+(1-a)\times l_2$

(13)$l_2=p/n$

(14)$C\left(x\right)=sign\sum _{j=1}^m\left(C_j\left(x\right)\right)$

Random forest has the following advantages:

• It demonstrates excellent performance in accuracy on structured data.

• It is computationally efficient and can run on large-scale datasets with high dimensions.

• In most cases, it does not overfit and is robust against noise.

• It can handle unbalanced datasets.

4. Implementation and Evaluation of Results

This section discusses the experimental setup, evaluation metrics used to check the proposed model’s performance, parameter setup, and experimental results, ending with an evaluation of the results of the proposed model.

• (a). Experimental Setup

  The suggested model’s performance was evaluated on a Dell computer, running Microsoft Windows 10 Professional with Intel (R) Core (TM) i7-6500U and CPU at 2.50GHz 2.60 GHz, 2 cores and 4 logical processors, and 16 GB RAM. Feature selection and classification algorithms were implemented in the Python programming language (version 3.8). Anaconda Navigator was installed on the above-mentioned machine for the experimental setup.

• (b). Evaluation Metrics

  The performance of the proposed ML model may be evaluated using the following parameters: accuracy $\left(AC\right)$, precision $\left(PR\right)$, recall $\left(RC\right)$, and F1-score $\left(F1S\right)$ [36]. The $F1S$ is the harmonic mean of $PR$ and $RC$. Meanwhile, $AC$, $PR$, $RC$, and $F1S$ are computed as follows:

  (15)$AC=\frac{TP+TN}{TP+TN+FP+FN}$

  (16)$PR=\frac{TP}{TP+FP}$

  (17)$RC=\frac{TP}{TP+FN}$

  (18)$F1S=\frac{2\times (PR\times RC)}{PR+RC}$

  where each element in the above equations can be defined as follows:

  • True Positive (TP): indicating that both the actual and predicted values are positive.

  • True Negative (TN): indicating that both the actual and predicted values are negative.

  • False Positive (FP): indicating that the actual value is negative, but the model predicted positive.

  • False Negative (FN): indicating that the actual value is positive, but the model predicted negative.

  In addition, computational time was used as an evaluation parameter to verify the efficiency of the proposed model, as the model is being proposed for energy constrained IoT devices.

• (c). Parameter Setup

  In IDSBPSO, the swarm size (total no. of particles to select best solution) was set at L = 20, the maximum number of generations was set at K = 50, and the step parameter (determines the stickness ability) was set at M = 50, as used in [37]. The parameter for updating mask $\mu$ was 0.25, given that this has been found to produce good results. Moreover, inertial weight $n_s$ decreases from 0.9 to 0.2 and is calculated using (8). The acceleration constant np increases from 0.5 to 2.5 and decreases from 2.5 to 0.5 for $n_g$, using (9) and (10).

• (d). Experimental Results

  The experiment was carried out on the IoTID20 and UNSW-NB15 dataset, using the train test split validation method to conduct a detailed performance evaluation of the ML algorithms. The IoTID20 dataset contained 625,783 instances and the UNSW-NB15 dataset contained 2,540,044. Out of this data, 70% was used for training and 30% for validating the model. The binary classification of performance based on $AC$, $PR$, $RC$, and $F1S$ for both datasets can be seen in Table 5 for the normal and malicious network traffic using the proposed method. From the table, it is clear that for both network traffic datasets, the malicious behaviour is detected with almost 100% accuracy over the 20 runs.

  Figure 4 illustrates the confusion matrix for the binary classification performance for both the IoTID20 and UNSW-NB15 datasets. From Figure 4, it is clear that FN and FP rates are very low which indicates good accuracy and low false alarm rate. While Figure 5 shows that the particle converges to optimal features rapidly with updated number of iterations using proposed IDSBPSO for both datasets.

  Meanwhile, Table 6 shows the category classification performance of the proposed model, using the evaluation parameters: $AC$, $PR$, $RC$, and $F1S$. From the table, it is clear that for both network traffic datasets, mostly attacks are detected with good accuracy except Mirai Ack flooding, Analysis, Backdoor, DoS, and Worms.

  In addition, Figure 6 and Figure 7 show the confusion matrix for the category classification performance for both the IoTID20 and UNSW-NB15 datasets, respectively. From the figures, it is clear that in IoTID20 dataset, attacks are detected with good accuracy except Mirai Ack flooding, While in UNSW-NB15 attacks such as Analysis, Backdoor, DoS, and Worms are detected with low accuracy of classification. Similarly, Figure 8 shows that the particle converges to optimal features rapidly for both the datasets with the updated number of iterations using the proposed IDSBPSO.

  Figure 9 subsequently shows the number of selected features from the total number of features in both the IoTID20 and UNSW-NB15 datasets. There are total 83 features in IoTID20 datasets out of which only 30 optimal features are selected for training the model. Similarly, in UNSW-NB15, there are total 42 features out of which 15 have been selected. Figure 10 then illustrate the random forest prediction time in the proposed model for both the binary and category classification of the IoTID20 and UNSW-NB15 datasets. As UNSW-NB15 dataset is larger as compared to IoTID20 dataset, therefore model takes more prediction time on it.

• (e). Evaluation of Results

  Table 7 and Table 8 show the results of comparing the IDSBPSO with PSO-based benchmark methods. These PSO-based benchmark methods include SBPSO [37], DSBPSO [27], Up BPSO (UBPSO) [38], Quantum BPSO (QBPSO) [39], Sequential Forward Selection (SFS) [40] and Sequential Backward Selection (SBS) [40]. The results represent the mean value of 20 runs. The results in bold indicate improved computational time. As it can be seen in the table that IDSBPSO takes less time for FS as compared to other state of the art PSO based methods with almost similar accuracies and number of selected features for both datasets. Also the results indicate the improvement in computational time of IDSBPSO for both datasets.

In the tables, it can be seen that the proposed IDSBPSO performs better in terms of accuracy rate and computational cost compared to most of the other PSO-based feature selection methods. IDSBPSO shows slightly more computational cost compared to SFS and SBS but has higher accuracy. This denoted that IDSBPSO is less efficient in terms of computational cost compared to SFS and SBS but better in terms of accurate prediction compared to SFS and SBS. The proposed model obtains a slightly lower accuracy compared with SBPSO and DSBPSO. This means that in some instances, IDSBPSO may remove some informative features, resulting in decreased accuracy compared to SBPSO and DSBPSO. It can be seen from the accuracy results of IoTID20 and UNSW-NB15 datasets that accuracy on UNSW-NB15 is greater compared to IoTID20 dataset. As UNSW-NB15 is a larger dataset compared to IoTID20 dataset so it may be possible that the proposed approach incorrectly mask some main features from already smaller dataset.

In short, the proposed IDSBPSO algorithm obtains higher accuracy while selecting fewer features with reduce computational cost compared with most of the state of the art PSO-based FS methods.

5. Conclusions

In this paper, an improved binary PSO algorithm called IDSBPSO is proposed for feature selection in classification. To improve feature selection performance, two mechanisms were adopted for IDSBPSO: a search space reduction strategy and a dynamic strategy to manage the contributions of momentum, pbest, and gbest to the movement of particles, thereby resulting in a balance between exploration and exploitation during the evolutionary process. The proposed method is used to design an anomaly based intrusion detection system for IoT networks due to its less demanding computational cost. Comparison was made on the basis of accuracy, precision, detection rate, F1 score, and computational time. The experimental results for two IoT network datasets demonstrated the effectiveness and efficiency of IDSBPSO. In most cases, IDSBPSO outperformed benchmark PSO-based feature selection methods by obtaining better or similar accuracy with less number of features. In particular, IDSBPSO significantly reduced computational time, compared with benchmark PSO-based feature selection methods, as it is designed for energy-constrained IoT devices.

Although the proposed IDSBPSO algorithm significantly reduced computational time, compared with the benchmark PSO algorithms it was still found to consume a significant amount of computational time, because a wrapper-based technique require extensive computational time. Category classification accuracy of some attacks is not good. The proposed approach works better for large dimensional datasets while it is not more suitable for those datasets with less dimensions as it removes some informative features from them, which results in lower accuracy. Thus, in future, the authors will seek to improve the accuracy of subcategory classification and further reduce computational time. Moreover, IDSBPSO will be used in other applications, as this research was restricted solely to IoT network security. The performance of the proposed algorithm may also be tested using various other classifiers.

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Enlarge this image.

Figure 1. Potential IoT applications.

Enlarge this image.

Figure 2. Flowchart for the IDSBPSO.

Enlarge this image.

Figure 3. Working architecture of enhanced IDS, using IDSBPSO.

Enlarge this image.

Figure 4. Confusion matrix for binary classification. (a) IoTID20 dataset; (b) UNSW-NB15 dataset.

Enlarge this image.

Figure 5. Convergence curve for binary classification. (a) IoTID20 dataset; (b) UNSW-NB15 dataset.

Enlarge this image.

Figure 6. Confusion matrix for the multiclass classification of IoTID20.

Enlarge this image.

Figure 7. Confusion matrix for the multiclass classification of UNSW-NB15.

Enlarge this image.

Figure 8. Convergence curve for multiclass classification. (a) IoTID20 dataset; (b) UNSW-NB15 dataset.

Enlarge this image.

Figure 9. No. of selected features out of total features of IoTID20 and UNSW-NB15.

Enlarge this image.

Figure 10. Prediction time (min) for IoTID20 and UNSW-NB15. (a) Binary classification; (b) Category classification.

References

1. Gupta, A.; Tewari, B.B. Security, privacy and trust of different layers in Internet of Things framework. Future Gener. Comput. Syst.; 2020; 108, pp. 909-920.

2. Tewar, A.; Gupta, B.B. A novel ECC-based lightweight authentication protocol for Internet of Things devices. Int. J. Higperformance Comput. Netw.; 2019; 15, pp. 106-120. [DOI: https://dx.doi.org/10.1504/IJHPCN.2019.103548]

3. Thakare, A.; Lee, E.; Kumar, A.; Nikam, V.B.; Kim, Y.G. PARBAC: Priority-attribute-based RBAC model for azure IoT cloud. IEEE Internet Things J.; 2020; 7, pp. 2890-2900. [DOI: https://dx.doi.org/10.1109/JIOT.2019.2963794]

4. Ferrag, M.A.; Maglaras, L.; Ahmim, A.; Derdour, M.; Janicke, H. RDTIDS: Rules and decision tree-based intrusion detection system for internet-of things networks. Future Internet; 2020; 12, 44. [DOI: https://dx.doi.org/10.3390/fi12030044]

5. Almomani, I.; Qaddoura, R.; Habib, M.; Alsoghyer, S.; Al Khayer, A.; Aljarah, I.; Faris, H. Android ransomware detection based on a hybrid evolutionary approach in the context of highly imbalanced data. IEEE Access; 2021; 9, pp. 57674-57691. [DOI: https://dx.doi.org/10.1109/ACCESS.2021.3071450]

6. Karami, A.; Guerrero-Zapata, M. A fuzzy anomaly detection system based on hybrid PSO-Kmeans algorithm in content-centric networks. Neurocomputing; 2015; 149, pp. 1253-1269. [DOI: https://dx.doi.org/10.1016/j.neucom.2014.08.070]

7. Amouri, A.; Alaparthy, V.T.; Morgera, S.D. A machine learning based intrusion detection system for mobile Internet of Things. Sensors; 2020; 20, 461. [DOI: https://dx.doi.org/10.3390/s20020461]

8. Sarker, I.H.; Kayes, A.S.M.; Badsha, S.; Alqahtani, H.; Watters, P. Cybersecurity data science: An overview from machine learning perspective. J. Big Data; 2020; 7, 41. [DOI: https://dx.doi.org/10.1186/s40537-020-00318-5]

9. Keserwani, P.K.; Govil, M.C.; Pilli, E.S.; Govil, P. A smart anomaly-based intrusion detection system for the Internet of Things (IoT) network using GWO–PSO–RF model. J. Reliab. Intell. Environ.; 2021; 7, pp. 3-21. [DOI: https://dx.doi.org/10.1007/s40860-020-00126-x]

10. Khraisat, A.; Alazab, A. A critical review of intrusion detection systems in the Internet of Things: Techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecurity; 2021; 4, 18. [DOI: https://dx.doi.org/10.1186/s42400-021-00077-7]

11. Pajouh, H.H.; Dastghaibyfard, G.H.; Hashemi, S. Two-tier network anomaly detection model: A machine learning approach. J. Intell. Inf. Syst.; 2017; 48, pp. 61-74. [DOI: https://dx.doi.org/10.1007/s10844-015-0388-x]

12. Al-Qatf, M.; Lasheng, Y.; Al-Sabahi, K. Deep learning approach combining sparse autoencoder with SVM for network intrusion detection. IEEE Access; 2018; 6, pp. 52843-52856. [DOI: https://dx.doi.org/10.1109/ACCESS.2018.2869577]

13. Ghazy, R.A.; El-Rabaie, E.S.M.; Dessouky, M.I.; El-Fishawy, N.A.; El-Samie, F.E.A. Feature selection ranking and subset-based techniques with different classifiers for intrusion detection. Wirel. Pers. Commun.; 2020; 111, pp. 375-393. [DOI: https://dx.doi.org/10.1007/s11277-019-06864-3]

14. Shukla, P. ML-IDS: A machine learning approach to detect wormhole attacks in Internet of Things. Intelligent Systems Conference (IntelliSys); Springer: Berlin/Heidelberg, Germany, 2017; pp. 234-240.

15. Ullah, A.; Javaid, N.; Samuel, O.; Imran, M.; Shoaib, M. CNN and GRU based deep neural network for electricity theft detection to secure smart grid. International Wireless Communications and Mobile Computing (IWCMC); IEEE: Piscataway, NY, USA, 2020; pp. 1598-1602.

16. Idhammad, M.; Afdel, K.; Belouch, M. Semi-Supervised machine learning approach for DDoS detection. Appl. Intell.; 2018; 48, pp. 3193-3208. [DOI: https://dx.doi.org/10.1007/s10489-018-1141-2]

17. Latah, M.; Toker, L. Towards an efficient anomaly-based intrusion detection for software-defined networks. IET Netw.; 2018; 7, pp. 453-459. [DOI: https://dx.doi.org/10.1049/iet-net.2018.5080]

18. Mohammadi, S.; Mirvaziri, H.; Ahsaee, M.G.; Karimipour, H. Cyber intrusion detection by combined feature selection algorithm. J. Inf. Secur. Appl.; 2019; 44, pp. 80-88. [DOI: https://dx.doi.org/10.1016/j.jisa.2018.11.007]

19. Hosseini, S.; Zade, B.M.H. New hybrid method for attack detection using combination of evolutionary algorithms, SVM, and ANN. Comput. Netw.; 2020; 173, pp. 107-168. [DOI: https://dx.doi.org/10.1016/j.comnet.2020.107168]

20. Alyahya, S.; Khan, W.U.; Ahmed, S.; Marwat, S.N.K.; Habib, S. Cyber secure framework for smart agriculture: Robust and tamper-resistant authentication scheme for IoT devices. Electronics; 2022; 11, 963. [DOI: https://dx.doi.org/10.3390/electronics11060963]

21. Anthi, E.; Williams, L.; Słowinska, M.; Theodorakopoulos, G.; Burnap, P. A supervised intrusion detection system for smart home IoT devices. IEEE Internet Things J.; 2019; 6, pp. 9042-9053. [DOI: https://dx.doi.org/10.1109/JIOT.2019.2926365]

22. Hua, H.; Qin, Z.; Dong, N.; Qin, Y.; Ye, M.; Wang, Z.; Chen, X.; Cao, J. Data-Driven dynamical control for bottom-up energy internet system. IEEE Trans. Sustain. Energy; 2022; 13, pp. 315-327. [DOI: https://dx.doi.org/10.1109/TSTE.2021.3110294]

23. Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J.; Alazab, A. A novel ensemble of hybrid intrusion detection system for detecting Internet of Things attacks. Electronics; 2019; 8, 1210. [DOI: https://dx.doi.org/10.3390/electronics8111210]

24. Kennedy, J.; Eberhart, R. Particle swarm optimization. Proceedings of the ICNN’95—International Conference on Neural Networks; Perth, Australia, 27 November–1 December 1995; Volume 4, pp. 1942-1948.

25. Wu, S.X.; Banzhaf, W. The use of computational intelligence in intrusion detection systems: A review. Appl. Soft Comput.; 2010; 10, pp. 1-35. [DOI: https://dx.doi.org/10.1016/j.asoc.2009.06.019]

26. Bharti, V.; Biswas, B.; Shukla, K.K. A Novel Multiobjective GDWCN-PSO Algorithm and Its Application to Medical Data Security. ACM Trans. Internet Technol.; 2021; 21, pp. 1-28. [DOI: https://dx.doi.org/10.1145/3397679]

27. Nguyen, B.H.; Xue, B.; Andreae, P.; Zhang, M. A new binary particle swarm optimization approach: Momentum and dynamic balance between exploration and exploitation. IEEE Trans. Cybern.; 2019; 51, pp. 589-603. [DOI: https://dx.doi.org/10.1109/TCYB.2019.2944141]

28. Li, A.; Xue, B.; Zhang, M. Improved binary particle swarm optimization for feature selection with new initialization and search space reduction strategies. Appl. Soft Comput.; 2021; 106, 107302. [DOI: https://dx.doi.org/10.1016/j.asoc.2021.107302]

29. Alkahtani, H.; Aldhyani, T.H.H. Intrusion detection system to advance Internet of Things infrastructure-deep learning algorithms. Complexity; 2021; 2, 18. [DOI: https://dx.doi.org/10.1155/2021/5579851]

30. Qaddoura, R.; Al-Zoubi, A.M.; Almomani, I.; Faris, H. Predicting different types of imbalanced intrusion activities based on a multi-stage deep learning approach. Proceedings of the International Conference on Information Technology (ICIT); Amman, Jordan, 14–15 July 2021; 858863.

31. Long, J.; Zhang, S.; Li, C. Evolving deep echo state networks for intelligent fault diagnosis. IEEE Trans. Ind. Inf.; 2020; 16, pp. 4928-4937. [DOI: https://dx.doi.org/10.1109/TII.2019.2938884]

32. Long, J.; Mou, J.; Zhang, L.; Zhang, S.; Li, C. Attitude data-based deep hybrid learning architecture for intelligent fault diagnosis of multi-joint industrial robots. J. Manuf. Syst.; 2020; 61, pp. 736-745. [DOI: https://dx.doi.org/10.1016/j.jmsy.2020.08.010]

33. Sarhani, M.; Vob, S. PSO-Based cooperative learning using chunking. Proceedings of the International Conference on Learning and Intelligent Optimization; Athens, Greece, 24–28 May 2020; pp. 278-288.

34. Sarhani, M.; Vob, S. Chunking and cooperation in particle swarm optimization for feature selection. Annals of Mathematics and Artificial Intelligence; Springer: Berlin/Heidelberg, Germany, 2021; pp. 1-21.

35. Vignolo, L.D.; Milone, D.H.; Scharcanski, J. Feature selection for face recognition based on multi-objective evolutionary wrappers. Expert Syst. Appl.; 2013; 40, pp. 5077-5084. [DOI: https://dx.doi.org/10.1016/j.eswa.2013.03.032]

36. Abdulhamme, R.; Musafer, H.; Alessa, A.; Faezipou, M.; Abuzneid, A. Features dimensionality reduction approaches for machine learning based network intrusion detection. Electronics; 2019; 8, 322. [DOI: https://dx.doi.org/10.3390/electronics8030322]

37. Nguyen, B.H.; Xue, B.; Andreae, P. A novel binary particle swarm optimization algorithm and its applications on knapsack and feature selection problems. Intelligent and Evolutionary Systems; Springer: Berlin/Heidelberg, Germany, 2017; pp. 319-332.

38. Liu, J.; Mei, Y.; Li, X. An analysis of the inertia weight parameter for binary swarm optimization. IEEE Trans. Evol. Comput.; 2016; 20, pp. 666-681. [DOI: https://dx.doi.org/10.1109/TEVC.2015.2503422]

39. Jeong, Y.; Park, J.; Jang, S.; Lee, K.Y. A new quantum-inspired binary PSO: Application to unit commitment problems for power systems. IEEE Trans. Power Syst.; 2010; 25, pp. 1486-1495. [DOI: https://dx.doi.org/10.1109/TPWRS.2010.2042472]

40. Kohavi, R.; John, G.H. Wrappers for feature subset selection. Artif. Intell.; 1997; 97, pp. 273-324. [DOI: https://dx.doi.org/10.1016/S0004-3702(97)00043-X]