EHFOA-ID: An Enhanced HawkFish Optimization-Driven Hybrid Ensemble for IoT Intrusion Detection
Abstract
1. Introduction
1. Overall Framework Contribution:
2. Methodological Innovations:
3. Experimental Strengths and Validation:
2. Related Works
2.1. Machine Learning-Based IoT Intrusion Detection
2.2. Deep Learning, Hybrid, and Ensemble Approaches
2.3. Active Learning Strategies and Research Gaps
2.4. Summary of Gaps and Motivation
3. Proposed Method
3.1. Enhanced HawkFish Optimization Algorithm
Algorithm 1. EHFOA-ID Optimizer

Input:
D—training dataset
MaxIter—maximum number of iterations
N—population size (number of hawkfish)
α, β—accuracy and feature-reduction weights
λ0—initial movement scaling factor
p—percentage of worst individuals to reinitialize

Output: X_best—optimal feature subset and hyperparameters

1: Initialize population {X_i | i = 1…N} randomly
2: Evaluate fitness F_i for each hawkfish using Equation (1)
3: Determine global best solution X_best
4: for t = 1 to MaxIter do
5:   Compute adaptive movement factor λ_t using Equation (3)
6:   for each hawkfish X_i do
7:     if rand() < 0.5 then
8:       // Guided exploitation
9:       Update position using:
10:      X_i ← X_i + λ_t (X_best − X_i)  (Equation (2))
11:    else
12:      // Lévy flight exploration
13:      X_i ← X_i + η · Lévy(γ)  (Equation (4))
14:    end if
15:    Enforce boundary constraints on X_i
16:    Re-evaluate fitness F_i
17:  end for
18:  Update X_best as the solution with minimal F_i
19:  // Diversity preservation
20:  Compute population similarity ρ
21:  if ρ > ρ_max then
22:    Reinitialize worst p% of hawkfish using:
23:    X_j ← X_rand + ε · N(0,1)  (Equation (5))
24:  end if
25: end for
26: return X_best
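The loop of Algorithm 1 can be sketched in plain Python. This is a minimal illustration, not the authors' implementation: the fitness callable stands in for Equation (1), the linear decay of λ_t, the [0, 1] search bounds, and the population-spread test used as the similarity check ρ are all assumptions made for the sake of a runnable example.

```python
import random
import math

def levy_step(gamma=1.5):
    # Heavy-tailed Lévy-style increment (illustrative approximation of Eq. (4))
    u = random.gauss(0, 1)
    v = abs(random.gauss(0, 1)) + 1e-12
    return u / (v ** (1.0 / gamma))

def ehfoa(fitness, dim, n=40, max_iter=50, lam0=0.9,
          eta=0.1, rho_max=0.85, p=0.2, lo=0.0, hi=1.0):
    """Sketch of the EHFOA-ID optimizer loop (Algorithm 1)."""
    pop = [[random.uniform(lo, hi) for _ in range(dim)] for _ in range(n)]
    fit = [fitness(x) for x in pop]
    best = list(pop[fit.index(min(fit))])
    for t in range(1, max_iter + 1):
        lam = lam0 * (1 - t / max_iter)  # adaptive movement factor (assumed linear decay)
        for i in range(n):
            x = pop[i]
            if random.random() < 0.5:    # guided exploitation toward X_best (Eq. (2))
                x = [xi + lam * (bi - xi) for xi, bi in zip(x, best)]
            else:                        # Lévy flight exploration (Eq. (4))
                x = [xi + eta * levy_step() for xi in x]
            x = [min(max(xi, lo), hi) for xi in x]  # enforce boundary constraints
            pop[i], fit[i] = x, fitness(x)
        best = list(pop[fit.index(min(fit))])
        # Diversity preservation: high similarity ~ low spread around the mean
        mean = [sum(c) / n for c in zip(*pop)]
        spread = sum(math.dist(x, mean) for x in pop) / n
        if spread < (1 - rho_max):       # placeholder trigger for rho > rho_max
            worst = sorted(range(n), key=lambda i: fit[i], reverse=True)[:max(1, int(p * n))]
            for j in worst:              # reinitialize worst p% (Eq. (5))
                xj = [random.uniform(lo, hi) + 0.01 * random.gauss(0, 1) for _ in range(dim)]
                pop[j] = [min(max(xi, lo), hi) for xi in xj]
                fit[j] = fitness(pop[j])
    return best

# usage: minimize a sphere function as a stand-in for the Eq. (1) fitness
random.seed(0)
sol = ehfoa(lambda x: sum(v * v for v in x), dim=5, n=20, max_iter=30)
```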
3.2. Deep Ensemble Architecture
- (A). SE-Res1D-CNN for Spatial Feature Extraction
- (B). BiLSTM-Attention for Temporal Dependency Modeling
Algorithm 2. BiLSTM-Attention Mechanism with Normalized Weights

Input:
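The core of Algorithm 2's normalized attention can be illustrated as additive attention pooled over BiLSTM hidden states: each state receives a score, the scores are softmax-normalized so the weights sum to one, and the context vector is the weighted sum. The weight matrix `w` and scoring vector `v` below are placeholder parameters, not the trained model's; the additive scoring form is an assumption consistent with the algorithm's title.

```python
import math

def attention_pool(hidden, w, v):
    """Softmax-normalized additive attention over hidden states (sketch).

    hidden: list of T hidden-state vectors (each of length d)
    w: d x d projection matrix, v: length-d scoring vector (assumed learned)
    """
    # Unnormalized scores e_t = v . tanh(W h_t)
    scores = []
    for h in hidden:
        proj = [math.tanh(sum(w[i][j] * h[j] for j in range(len(h))))
                for i in range(len(v))]
        scores.append(sum(vi * pi for vi, pi in zip(v, proj)))
    # Normalized weights alpha_t = softmax(e_t); they sum to 1 by construction
    m = max(scores)
    exps = [math.exp(s - m) for s in scores]
    z = sum(exps)
    alpha = [e / z for e in exps]
    # Context vector: attention-weighted sum of the hidden states
    d = len(hidden[0])
    context = [sum(alpha[t] * hidden[t][j] for t in range(len(hidden)))
               for j in range(d)]
    return alpha, context

# usage: pooling over four 3-dimensional hidden states
hidden = [[0.1, 0.2, 0.3], [0.5, -0.2, 0.1], [0.0, 0.4, -0.1], [0.3, 0.3, 0.2]]
w = [[0.2, -0.1, 0.3], [0.1, 0.4, -0.2], [-0.3, 0.2, 0.1]]
v = [0.5, -0.4, 0.3]
alpha, context = attention_pool(hidden, w, v)
```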
- (C). Transformer Encoder for Global Context Extraction
Algorithm 3. Deep Ensemble Classification Process

Input:
X_opt—optimized feature subset (from EHFOA-ID)
θ_CNN—trained SE-Res1D-CNN parameters
θ_LSTM—trained BiLSTM-Attention parameters
θ_TR—trained Transformer encoder parameters
M—trained meta-learner classifier

Output: y_pred—intrusion prediction (Normal/Attack Type)

1: Preprocess input instance x using normalization and encoding
2: Extract optimized feature vector z = x[X_opt]
3: // Forward pass through deep ensemble
4: SpatialEmbedding ← SE-Res1D-CNN(z; θ_CNN)
5: TemporalEmbedding ← BiLSTM-Attention(z; θ_LSTM)
6: ContextualEmbedding ← TransformerEncoder(z; θ_TR)
7: // Feature fusion
8: F_fused ← Concat(SpatialEmbedding, TemporalEmbedding, ContextualEmbedding)
9: // Final decision
10: y_pred ← M(F_fused)
11: return y_pred
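The inference path of Algorithm 3 reduces to a short function once the three trained branches and the meta-learner are treated as callables. The stand-in branch functions in the usage below are toy placeholders, not the trained SE-Res1D-CNN, BiLSTM-Attention, or Transformer models.

```python
def ensemble_predict(x, x_opt, cnn, lstm, transformer, meta):
    """Forward pass of Algorithm 3 (sketch): three branch embeddings,
    feature-level concatenation, then a meta-learner decision."""
    z = [x[i] for i in x_opt]                # optimized feature subset from EHFOA-ID
    spatial = cnn(z)                         # SE-Res1D-CNN embedding
    temporal = lstm(z)                       # BiLSTM-Attention embedding
    contextual = transformer(z)              # Transformer-encoder embedding
    fused = spatial + temporal + contextual  # Concat(...) as list concatenation
    return meta(fused)                       # final meta-learner prediction

# usage with stand-in branch functions (each returns a tiny embedding list)
x = [0.2, 0.7, 0.1, 0.9, 0.4]
pred = ensemble_predict(
    x, x_opt=[0, 2, 3],
    cnn=lambda z: [sum(z)],
    lstm=lambda z: [max(z)],
    transformer=lambda z: [min(z)],
    meta=lambda f: "Attack" if sum(f) > 1.5 else "Normal",
)
```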
3.3. Feature Fusion and Meta-Learner
4. Simulation and Results
4.1. Experimental Setup
4.1.1. Implementation Environment
4.1.2. Datasets
4.1.3. Parameter Settings
4.2. Experimental Results and Analysis
4.2.1. Testing Scenarios
4.2.2. Evaluation Metrics and Results
4.3. Discussion
- Detection of rare attack classes remains constrained by severe class imbalance and limited behavioral signatures in minority samples.
- Extremely high-dimensional and noisy datasets may still cause instability in edge cases despite optimized feature selection.
- Evaluation on a limited number of public datasets may not fully capture the diversity of real-world IoT traffic and attack patterns.
- The deep ensemble architecture remains largely a black-box model, limiting interpretability in transparency-critical applications.
- In highly sparse or noisy IoT datasets, Lévy flight exploration and adaptive scaling can occasionally produce overly large or unstable search steps. This increases sensitivity to noise and can steer the search away from meaningful feature–hyperparameter regions, so careful parameter control is required to keep the optimization stable.
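One simple safeguard against the step-size instability noted in the last point is to cap the magnitude of Lévy increments. The sketch below is an illustrative mitigation, not part of the published method; the `max_step` bound is an assumed tuning choice.

```python
import random

def clamped_levy_step(gamma=1.5, max_step=1.0):
    """Heavy-tailed Lévy-style step with an explicit magnitude cap.

    Clamping bounds the rare extreme jumps that can destabilize search
    on sparse or noisy data; max_step is an illustrative choice.
    """
    u = random.gauss(0, 1)
    v = abs(random.gauss(0, 1)) + 1e-12
    step = u / (v ** (1.0 / gamma))
    return max(-max_step, min(max_step, step))

random.seed(2)
steps = [clamped_levy_step() for _ in range(1000)]
```

In practice the cap would be tied to the search-space scale (e.g., a fraction of each variable's range) rather than a fixed constant.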
5. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Zhukabayeva, T.; Zholshiyeva, L.; Karabayev, N.; Khan, S.; Alnazzawi, N. Cybersecurity Solutions for Industrial Internet of Things–Edge Computing Integration: Challenges, Threats, and Future Directions. Sensors 2025, 25, 213. [Google Scholar] [CrossRef]
- Wang, J.M.; Yang, K.; Li, M.J. NIDS-FGPA: A federated learning network intrusion detection algorithm based on secure aggregation of gradient similarity models. PLoS ONE 2024, 19, e0308639. [Google Scholar] [CrossRef]
- Elouardi, S.; Motii, A.; Jouhari, M.; Amadou, A.N.H.; Hedabou, M. A survey on Hybrid-CNN and LLMs for intrusion detection systems: Recent IoT datasets. IEEE Access 2024, 12, 180009–180033. [Google Scholar] [CrossRef]
- Yassine, H.A.K.; El Saleh, M.; Nakhal, B.E.; El Chakik, A. Centralized Two-Tiered Tree-Based Intrusion-Detection System (C2T-IDS). IoT 2025, 6, 67. [Google Scholar] [CrossRef]
- Baich, M.; Sael, N. Enhancing Machine Learning Model Prediction with Feature Selection for Botnet Intrusion Detection. Eng. Proc. 2025, 112, 55. [Google Scholar] [CrossRef]
- Almalawi, A. CLAIRE: A Four-Layer Active Learning Framework for Enhanced IoT Intrusion Detection. Electronics 2025, 14, 4547. [Google Scholar] [CrossRef]
- Dissanayake, I.; Welhenge, A.; Weerasinghe, H.D. A Machine Learning Approach to Detect Denial of Sleep Attacks in Internet of Things (IoT). IoT 2025, 6, 71. [Google Scholar] [CrossRef]
- Kumar, D.; Pawar, P.P.; Addula, S.R.; Meesala, M.K.; Oni, O.; Cheema, Q.N.; Haq, A.U.; Sajja, G.S. AI-Powered Security for IoT Ecosystems: A Hybrid Deep Learning Approach to Anomaly Detection. J. Cybersecur. Priv. 2025, 5, 90. [Google Scholar] [CrossRef]
- Abou Elasaad, M.M.; Sayed, S.G.; El-Dakroury, M.M. AegisGuard: A Multi-Stage Hybrid Intrusion Detection System with Optimized Feature Selection for Industrial IoT Security. Sensors 2025, 25, 6958. [Google Scholar] [CrossRef] [PubMed]
- Mutambik, I. AI-Driven Cybersecurity in IoT: Adaptive Malware Detection and Lightweight Encryption via TRIM-SEC Framework. Sensors 2025, 25, 7072. [Google Scholar] [CrossRef]
- Jeffrey, N.; Tan, Q.; Villar, J.R. Using Ensemble Learning for Anomaly Detection in Cyber–Physical Systems. Electronics 2024, 13, 1391. [Google Scholar] [CrossRef]
- Xin, Q.; Xu, Z.; Guo, L.; Zhao, F.; Wu, B. IoT Traffic Classification and Anomaly Detection Method based on Deep Autoencoders. Appl. Comput. Eng. 2024, 69, 64–70. [Google Scholar] [CrossRef]
- Sharma, A.; Rani, S.; Shabaz, M. An Optimized Stacking-Based TinyML Model for Attack Detection in IoT Networks. PLoS ONE 2025, 20, e0329227. [Google Scholar] [CrossRef]
- Soltani, N.; Zhang, J.; Salehi, B.; Roy, D.; Nowak, R.; Chowdhury, K. Learning from the Best: Active Learning for Wireless Communications. IEEE Wirel. Commun. 2024, 31, 177–183. [Google Scholar] [CrossRef]
- Arya, H.; Kandhoul, N.; Dhurandher, S.K.; Woungang, I. Adaptive sliding window and LightGBM-based DDoS attack detection framework for IoT networks. Peer-to-Peer Netw. Appl. 2026, 19, 16. [Google Scholar] [CrossRef]
- Li, J.; Othman, M.S.; Chen, H.; Yusuf, L.M. Optimizing IoT Intrusion Detection System: Feature Selection versus Feature Extraction in Machine Learning. J. Big Data 2024, 11, 36. [Google Scholar] [CrossRef]
- Alkharsan, A.; Ata, O. HawkFish Optimization Algorithm: A Gender-Bending Approach for Solving Complex Optimization Problems. Electronics 2025, 14, 611. [Google Scholar] [CrossRef]
- Available online: https://www.kaggle.com/mrwellsdavid/unsw-nb15 (accessed on 5 October 2025).
- Available online: https://www.kaggle.com/paresh2047/uci-semcom (accessed on 5 October 2025).
- Selvakumar, B.; Sivaanandh, M.; Muneeswaran, K.; Lakshmanan, B. Ensemble of feature augmented convolutional neural network and deep autoencoder for efficient detection of network attacks. Sci. Rep. 2025, 15, 4267. [Google Scholar] [CrossRef]
- Nassreddine, G.; Nassereddine, M.; Al-Khatib, O. Ensemble Learning for Network Intrusion Detection Based on Correlation and Embedded Feature Selection Techniques. Computers 2025, 14, 82. [Google Scholar] [CrossRef]
- Solanki, M.; Gupta, S. A novel intrusion detection framework using ensemble learning in MQTT IoT applications. Ann. Math. Artif. Intell. 2025, 93, 1–23. [Google Scholar] [CrossRef]
- Uppal, M.; Gulzar, Y.; Gupta, D.; Uppal, J.; Kumar, M.; Saini, S. Enhancing accuracy through ensemble based machine learning for intrusion detection and privacy preservation over the network of smart cities. Discov. Internet Things 2025, 5, 11. [Google Scholar] [CrossRef]
- Bibers, I.; Arreche, O.; Alayed, W.; Abdallah, M. Ensemble-IDS: An Ensemble Learning Framework for Enhancing AI-Based Network Intrusion Detection Tasks. Appl. Sci. 2025, 15, 10579. [Google Scholar] [CrossRef]
| Ref. | Author(s) | Year | Methodology/Model | Strengths | Limitations |
|---|---|---|---|---|---|
| [4] | Yassine et al. | 2025 | Centralized Two-Tiered Tree-Based IDS (C2T-IDS) | Hierarchical detection; scalable centralized design | Relies on hand-crafted features; limited adaptability |
| [5] | Baich & Sael | 2025 | Feature selection + ML for botnet detection | Improved prediction via optimized features | Manual optimization; may not scale for large IoT datasets |
| [6] | Almalawi | 2025 | CLAIRE—Four-layer active learning IDS | Reduces labeling cost; improves learning efficiency | Sensitive to selection strategy; affected by imbalance |
| [7] | Dissanayake et al. | 2025 | ML model for Denial-of-Sleep attack detection | Lightweight; suitable for constrained IoT devices | Limited to energy-related attacks; poor generalization |
| [8] | Kumar et al. | 2025 | Hybrid deep learning anomaly detector | Strong spatial-temporal representation | High computational cost; complex tuning |
| [9] | Abou Elasaad et al. | 2025 | AegisGuard multi-stage hybrid IDS | Optimized features; robust for Industrial IoT | Requires domain-specific adjustments |
| [10] | Mutambik | 2025 | TRIM-SEC malware detection + encryption | Adaptive malware detection; lightweight primitives | Focuses on malware only; limited traffic analysis |
| [11] | Jeffrey et al. | 2024 | Ensemble learning for CPS anomaly detection | Robustness via classifier combinations | Lacks deep feature extraction |
| [12] | Xin et al. | 2024 | Deep autoencoder for IoT anomaly detection | Learns latent traffic representations | Reconstruction-based models fail on subtle attacks |
| [13] | Sharma et al. | 2025 | Stacking-based TinyML attack detector | Edge-friendly; low footprint | Limited modeling capacity for complex patterns |
| [14] | Soltani et al. | 2024 | Active learning strategies for wireless systems | Improves training efficiency; adaptive sampling | Not designed specifically for IDS tasks |
| [15] | Arya et al. | 2025 | Adaptive sliding window + LightGBM | Effective for DDoS bursts; real-time adaptation | Hand-tuned windows; lacks deep temporal modeling |
| Proposed | | 2025 | EHFOA-ID optimized hybrid deep ensemble | Automated feature–hyperparameter optimization; multi-view spatial–temporal–contextual learning; strong generalization | Higher computational cost; limited interpretability |
| Dataset | Total Samples | Features | Normal Samples | Anomalous/Attack Samples | Data Type | Notes |
|---|---|---|---|---|---|---|
| UNSW-NB15 | 257,673 (175,341 train + 82,332 test) | 49 | 95,053 | 162,620 | Network flow features | Includes 9 attack families |
| UCI SECOM | 1567 | 591 | 1046 | 521 | Sensor time-series snapshots | High-dimensional and noisy |
| Parameter | Symbol | Value | Description |
|---|---|---|---|
| Population size | N | 40 | Number of candidate solutions (hawkfish agents) |
| Maximum iterations | MaxIter | 50 | Total optimization cycles |
| Exploration coefficient | | 1.8 | Controls long-range exploration movements |
| Exploitation coefficient | | 0.6 | Controls short-range refinement around promising regions |
| Lévy flight intensity | γ | 1.5 | Governs frequency and scale of Lévy jumps |
| Energy decay rate | | 0.05 | Reduces male agent energy to prevent excessive movement |
| Diversity threshold | ρ_max | 0.15 | Minimum diversity required before triggering reinitialization |
| Top-female ratio | | 0.25 | Proportion of highest-fitness females attracting males |
| Reinforcement gain | | 0.3 | Strengthening factor for call-based movement learning |
| Randomization factor | ε | 0.1 | Injects controlled noise to escape local minima |
| Fitness weighting (accuracy term) | α | 0.7 | Weight assigned to validation accuracy in fitness |
| Fitness weighting (feature cost term) | β | 0.3 | Weight assigned to feature-subset size penalty |
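The two fitness weights in the table combine as a weighted objective: the optimizer minimizes the validation error plus a penalty proportional to the selected-feature ratio. The exact functional form below is an assumption consistent with the stated weights α = 0.7 and β = 0.3, sketching Equation (1).

```python
def ehfoa_fitness(val_accuracy, n_selected, n_total, alpha=0.7, beta=0.3):
    """Weighted fitness sketch: trades validation accuracy against
    feature-subset size using the table's weights (assumed form of Eq. (1)).
    Lower is better; a perfect, feature-free solution scores 0."""
    return alpha * (1.0 - val_accuracy) + beta * (n_selected / n_total)
```

For example, 90% validation accuracy with 5 of 10 features selected yields 0.7 × 0.1 + 0.3 × 0.5 = 0.22, so dropping redundant features lowers the fitness even at equal accuracy.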
| Component | Hyperparameter | Value | Justification |
|---|---|---|---|
| SE-Res1D-CNN | Number of convolutional blocks | 3 | Provides hierarchical local feature extraction for packet-level/feature-level gradients |
| | Filters per block | [64, 128, 256] | Increasing depth captures richer spatial representations |
| | Kernel sizes | [3, 5, 7] | Multi-scale receptive fields for diverse attack signatures |
| | SE reduction ratio | 16 | Standard value ensuring channel recalibration stability |
| | Activation | ReLU | Fast, stable, widely adopted for CNN-based IDS |
| | Dropout | 0.3 | Reduces overfitting while retaining sufficient signal |
| BiLSTM-Attention | LSTM units | 128 | Captures long-term dependencies in sequential IoT traffic |
| | Attention dimension | 64 | Balances expressiveness and computational cost |
| | Dropout | 0.25 | Prevents overfitting on sequential patterns |
| Transformer Encoder | Number of heads | 4 | Allows multi-perspective contextual modeling |
| | Embedding dimension | 128 | Matches LSTM unit size for stable fusion |
| | Feed-forward dimension | 256 | Expands representation power while remaining efficient |
| | Encoder blocks | 2 | Sufficient for medium-scale IDS datasets |
| | Dropout | 0.2 | Controls transformer overfitting risk |
| Meta-Learner (Dense Fusion Layer) | Dense units | 128 → 64 | Compresses concatenated features into a discriminative space |
| | Activation | ReLU | Standard for fully connected layers |
| | Output layer | Softmax | Required for multi-class prediction |
| Training Setup | Batch size | 64 | Balanced choice for memory usage and stability |
| | Optimizer | Adam | Robust convergence for deep architectures |
| | Learning rate | 0.001 | Standard rate producing stable gradients |
| | Epochs | 50 | Matches convergence behavior shown in training curves |
| Scenario | Optimizer | Iteration 1 | Iteration 10 | Iteration 20 | Iteration 30 | Iteration 40 | Final Fitness |
|---|---|---|---|---|---|---|---|
| 1 | HFOA | 1.15 | 0.70 | 0.40 | 0.30 | 0.22 | 0.18 |
| | EHFOA-ID | 0.98 | 0.25 | 0.10 | 0.05 | 0.02 | 0.01 |
| 2 | HFOA | 1.12 | 0.68 | 0.38 | 0.27 | 0.20 | 0.16 |
| | EHFOA-ID | 0.95 | 0.22 | 0.09 | 0.04 | 0.02 | 0.01 |
| 3 | HFOA | 1.18 | 0.75 | 0.45 | 0.32 | 0.23 | 0.17 |
| | EHFOA-ID | 0.97 | 0.24 | 0.12 | 0.06 | 0.03 | 0.01 |
| Method | Accuracy | Precision | Recall | F1-Score | FAR | AUC |
|---|---|---|---|---|---|---|
| HFOA + Baseline Classifier | 0.89 | 0.87 | 0.85 | 0.86 | 0.11 | 0.91 |
| EHFOA-ID + CNN | 0.91 | 0.90 | 0.89 | 0.89 | 0.09 | 0.93 |
| EHFOA-ID + BiLSTM | 0.92 | 0.91 | 0.90 | 0.90 | 0.08 | 0.94 |
| EHFOA-ID + Transformer | 0.91 | 0.90 | 0.89 | 0.89 | 0.09 | 0.93 |
| EHFOA-ID + Partial Ensemble (CNN + LSTM) | 0.93 | 0.92 | 0.91 | 0.92 | 0.07 | 0.95 |
| EHFOA-ID + Partial Ensemble (CNN + Transformer) | 0.93 | 0.92 | 0.91 | 0.92 | 0.07 | 0.95 |
| EHFOA-ID + Partial Ensemble (LSTM + Transformer) | 0.92 | 0.91 | 0.90 | 0.91 | 0.08 | 0.94 |
| Proposed Full Ensemble (CNN + LSTM + Transformer + Meta-Learner) | 0.96 | 0.95 | 0.95 | 0.95 | 0.04 | 0.98 |
| Reference | Method | Dataset(s) | Accuracy | F-Score | Algorithms Used |
|---|---|---|---|---|---|
| [20] | FA-CNN | NSL-KDD, CICIDS2017 | 0.91 | 0.94 | Feature-Augmented CNN |
| [21] | SMOTE-TOMEK + XGBoost | NSL-KDD, CICIDS2017 | 0.9412 | 0.967 | Resampling + Gradient Boosting |
| [22] | GNB + SVM | MQTT-IoT-IDS2020 | 0.9566 | 0.9778 | Gaussian NB + Support Vector Machine |
| [23] | XGBoost + DT | KDDCup99 | 0.9662 | 0.9667 | Boosting + Decision Tree |
| [24] | Ensemble-IDS | SIMARGL2021 | 0.842079 | 0.848721 | AdaBoost + KNN |
| Proposed | Hybrid Deep Ensemble | UNSW-NB15, SECOM | 0.96 | 0.95 | SE-Res1D-CNN + BiLSTM + Transformer + Meta-Learner |
| Method | Optimization Strategy | Model Architecture | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|---|---|
| Baseline CNN | None | SE-Res1D-CNN | 0.88 | 0.86 | 0.85 | 0.85 |
| Baseline BiLSTM | None | BiLSTM-Attention | 0.89 | 0.87 | 0.86 | 0.86 |
| Baseline Transformer | None | Transformer Encoder | 0.88 | 0.86 | 0.85 | 0.85 |
| HFOA + CNN | HFOA | SE-Res1D-CNN | 0.89 | 0.87 | 0.85 | 0.86 |
| EHFOA-ID + CNN | EHFOA-ID | SE-Res1D-CNN | 0.91 | 0.90 | 0.89 | 0.89 |
| EHFOA-ID + BiLSTM | EHFOA-ID | BiLSTM-Attention | 0.92 | 0.91 | 0.90 | 0.90 |
| EHFOA-ID + Transformer | EHFOA-ID | Transformer Encoder | 0.91 | 0.90 | 0.89 | 0.89 |
| EHFOA-ID + Partial Ensemble | EHFOA-ID | CNN + BiLSTM | 0.93 | 0.92 | 0.91 | 0.92 |
| Proposed EHFOA-ID (Full) | EHFOA-ID | CNN + BiLSTM + Transformer + Meta-Learner | 0.96 | 0.95 | 0.95 | 0.95 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Alswaid, A.N.; Uçan, O.N. EHFOA-ID: An Enhanced HawkFish Optimization-Driven Hybrid Ensemble for IoT Intrusion Detection. Sensors 2026, 26, 198. https://doi.org/10.3390/s26010198
