Blockchain-Assisted Machine Learning with Hybrid Metaheuristics-Empowered Cyber Attack Detection and Classification Model

Abstract

Cyber attack detection is the process of detecting and responding to malicious or unauthorized activities in networks, computer systems, and digital environments. The objective is to identify these attacks early, safeguard sensitive data, and minimize the potential damage. An intrusion detection system (IDS) is a cybersecurity tool mainly designed to monitor system activities or network traffic to detect and respond to malicious or suspicious behaviors that may indicate a cyber attack. IDSs that use machine learning (ML) and deep learning (DL) have played a pivotal role in helping organizations identify and respond to security risks in a prompt manner. ML and DL techniques can analyze large amounts of information and detect patterns that may indicate the presence of malicious or cyber attack activities. Therefore, this study focuses on the design of blockchain-assisted hybrid metaheuristics with a machine learning-based cyber attack detection and classification (BHMML-CADC) algorithm. The BHMML-CADC method focuses on the accurate recognition and classification of cyber attacks. Moreover, the BHMML-CADC technique applies Ethereum BC for attack detection. In addition, a hybrid enhanced glowworm swarm optimization (HEGSO) system is utilized for feature selection (FS). Moreover, cyber attacks can be identified with the design of a quasi-recurrent neural network (QRNN) model. Finally, hunter–prey optimization (HPO) algorithm is used for the optimal selection of the QRNN parameters. The experimental outcomes of the BHMML-CADC system were validated on the benchmark BoT-IoT dataset. The wide-ranging simulation analysis illustrates the superior performance of the BHMML-CADC method over other algorithms, with a maximum accuracy of 99.74%.

1. Introduction

The extreme consumption of the Internet in numerous fields is motivating technologists and researchers [1]. Moreover, the usage of intelligent systems can assist users and various applications, ensuring proficient computation, and maintaining the quality of service throughout the networks [2]. The conventional techniques were less efficient, providing average performance and time consumption, and were not suitable for offering solutions in complex, multi-purpose, or real-time difficulties [3]. Consequently, the requirement of a proficient attack identification system can decrease the destructive special effects of cyber threats [4]. Cyber security involves security mechanisms and combinations of different technological developments to protect information, destruction of data and networks, and programs against dissimilar attack activities like modification of information, unauthorized access, and robbery through the network or Internet [5]. Components of cybersecurity consider mostly network security systems and host protection. Presently, it is utilized for protecting various fields, namely the Internet of Things (IoTs), cloud computing (CC), and wireless sensor networks (WSNs) [6]. Several security estimations are obtainable for providing that security to the networks or models, like firewalls, IDS, and anti-virus software. Nevertheless, cyber threats are regularly harmful and interrupt internet services day by day. This encourages numerous researchers to provide their broad offers to pattern security systems [7].

Effective cyber attack detection and prevention contribute to sustainability by minimizing economic losses, reducing electronic waste, maintaining trust, improving energy efficiency, promoting responsible digital transformation, ensuring supply chain resilience, and preventing potential environmental damage [8]. Cyber attack detection and sustainability share common principles of proactive risk management, ethical responsibility, resilience, and the well-being of individuals, organizations, and the planet. By integrating robust cybersecurity practices into the fabric of sustainable initiatives, society can work toward a safer, more secure, and environmentally responsible future [9]. In addition, sustainable businesses prioritize long-term viability, and cyber attack detection plays a vital role in maintaining operational continuity. By preventing and swiftly responding to cyber threats, organizations can avoid costly disruptions, financial losses, and reputational damage [10]. Furthermore, detecting and mitigating attacks promptly can reduce resource consumption, including energy, time, and human effort. By conserving resources, both within organizations and in the broader context, cyber attack detection aligns with principles of environmental sustainability. Moreover, detecting and preventing attacks reduces unnecessary network and system activity, contributing to lower carbon emissions and a smaller environmental footprint [11]. Finally, sustainable practices include ethical considerations, and protecting user data and privacy is a fundamental ethical responsibility. Cyber attack detection helps safeguard personal information, fostering trust between businesses and their customers. This trust is crucial for sustaining healthy relationships and long-term business success.

The widely different techniques applied for detecting attacks extensively are classified into three main kinds, such as misuse-based, hybrid-based, and anomaly-based identification [12]. In the detection technique of misuse-based cyber attacks, they can be examined with pre-recorded attack signatures, and the technique is utilized significantly for detecting the identified attacks. It is helpful to identify the well-known attacks with the fewest false alerts or alarms. The technique needs a few conversions of the rules of attacks and signatures on the datasets [7]. Researchers have been encouraged to use decentralized IDSs that incorporate various machine learning (ML) methods comprising optimization algorithms, deep learning (DL), and artificial neural networks (ANNs), on account of current developments in intelligent machines. Generally, ANNs are limited in their capability to handle the complexities of IDS systems [13]. DL is a subcategory of ML that contains the unsupervised and supervised learning approaches, and it is based on the number of layers of ANNs [14]. Every layer consists of certain neurons with activated functions that are applied to generate non-linear results. The technology is motivated by the biological neuron structures of the brain, but it is broadly relevant to communication models and data processing in the natural nervous system [15]. DL algorithms acquire crucial abstract illustrations from the original information over the usage of the multiple-level learning technique hierarchically.

This study develops blockchain-assisted hybrid metaheuristics with machine learning-based cyber attack detection and a classification (BHMML-CADC) algorithm. The objective of the BHMML-CADC method lies in its accurate detection and classification of cyber attacks. To accomplish this, the BHMML-CADC method employs BC technology using the Ethereum blockchain for attack detection. In addition, a hybrid-enhanced glowworm swarm optimization (HEGSO) system was used for feature selection (FS). Moreover, cyber attacks can be identified by the design of a quasi-recurrent neural network (QRNN) model. Finally, a hunter–prey optimization (HPO) method can be employed for the optimum selection of the QRNN parameters, which has a rapid convergence rate and a considerable optimization capacity. The experimental outcome of the BHMML-CADC method was validated on benchmark datasets.

2. Related Research

This section briefly examines existing studies related to cyber attack detection techniques using ML and DL models. Babu et al. [16] introduced a permission-based BC technology that exploits the arbiter PUF model for protecting the key pair of IoT devices through a lightweight technique. An integrated detection technique is used for identifying the DDoS on IoT via an ML-based ensemble algorithm. Then, a BC technique was integrated that safely shares the alarm signals to every single node of the IoT, with secure authentication. The authors in [17] performed a BC on cluster head (CH) and base station (BS) for registering the node using authorizations, and to address security challenges. Furthermore, ML classifiers called histogram gradient boost (HGB), were applied on the BS to categorize the node as legitimate or malicious. In addition, a wide range of experiments were conducted by the WSN. Dehghani et al. [18] introduced a selective ensemble DL algorithm using gray wolf optimization (GWO) technique for identifying the FDIA in DC-MG. Initially, to collect adequate information within the typical performance needed for model training, load change was considered to identify datasets for load variation schemes and cyber attacks during the data generation process.

Bhayo et al. [19] devised an ML-based algorithm for the recognition of DDoS attacks in SDN-WISE IoT controllers. The study incorporated ML-based detection techniques into the controller, and set up testbed environments for stimulating the traffic generation of DDoS attacks. Saheed and Arowolo [20] introduced a deep RNN (DRNN) and supervised ML techniques (KNN, RF, DT, and ridge classifiers) that are used to design an effective IDS in IoMT environments for the classification and prediction of unexpected cyber threats. Normalization and pre-processing of data were implemented. Later, we enhanced features through the biologically simulated PSO model. Khan et al. [21] improved the accuracy of UAVs with a decentralized ML structure based on BC. The presented method framework is able to considerably increase the storage and reliability of information for intelligent decision-making amongst different UAVs.

The authors in [22] developed a cyber attack detection technique for IoMT-based network, utilizing ensemble learning and a fog-cloud platform for addressing security challenges. The ensemble method exploits an LSTM network as individual learners, and stacks DTs on top of them to categorize normal events and attacks. Reddy and Shyam [23] developed a new architecture for the mitigation of attack nodes using secured SaaS architecture. The important role of this study was to provide an attack detection system that is performed in DBN, where the weight and the activation function are fine-tuned by the Median Fitness-oriented Sea Lion Optimizer technique (MFSLnO). Once the DBN recognizes the attack nodes, then control is transported to the lightweight bait method that consistently alleviates the attack node without disturbing the connection. Ashraf et al. [24] developed an SDN-based IoT anomaly detection technique that identifies attacks and abnormal behaviors. Three ML approaches, SVM, KNN, and MLP, are utilized to develop an IDS, which is employed at the SDN controller to learn and monitor the behaviors of IoT gadgets, and any other deviations from the behaviors can be considered as an attack. After examining the existing research, it was noticed that the current methods do not focus on the hyperparameter selection method, which largely affects the accuracy of the classification algorithm. In particular, the hyperparameters involving learning rate selection, epoch count, and batch size are important to obtain effective outcomes. A metaheuristic algorithm is applied, since the trial-and-error technique for hyperparameter tuning is an erroneous and difficult process. Thus, the HPO technique is used for the parameter selection of the QRNN model in this research.

3. The Proposed Model

In this study, the BHMML-CADC method was introduced for the detection and classification of cyber attacks. The purpose of the BHMML-CADC technique is to exploit BC technology with FS and an optimal DL model for cyber attack recognition. To accomplish this, the BHMML-CADC technique follows several stages of operations, namely BC technology, pre-processing, HPO-based hyperparameter tuning, QRNN-based detection, and HEGSO-based FS. Figure 1 demonstrates the overall work flow of the BHMML-CADC algorithm.

3.1. BC Technology for Cyber Attack Detection

BC is a list of records represented by the Merkle tree related to the cryptographic norm, but all the blocks hold the cryptographic hash of their previous block [25]. BC resists all forms of data modification; meanwhile, modification of data in a single block should modify the subsequent block. Validation of a new block occurs before adding in the chain, and BC is considered more secure than the traditional distributed system, as it displays higher Byzantine fault tolerance despite not being un-modifiable. The distributed ledger records the transaction between both entities in a verifiable and permanent manner, and also aids in increasing trust in social and economic activities.

The development tools such as Oraclize API, truffle suite, and web3.js API were exploited, and smart contract (SC) was introduced in solid language to carry out the necessary transactions among each participant for the implementation of Ethereum BC. The initial activity implemented in the SC is about beginning the attack detection by identifying the financial deals, and the input and output accuracy. InterPlanetory File System (IPFS) is utilized as decentralized storage after learning the local data pattern, which records the parameter related to the attack detection as a hash value that is distributed to decentralized applications (DApp). The assessment of off-chain is implemented, and the result is declared in the DApp. The next action performs the retrieval of assessment in the single node by Web3.js API, within the predetermined threshold by the minimum acceptable fitness rate (MAFR). The analysis, which is superior to MAFR, then interacts with the processing agent through the payable function, which can be performed through BC.

3.2. Pre-Processing

Primarily, the BHMML-CADC technique undergoes preprocessing using min–max normalization [26]. For all the features, the maximum values are changed to $1$, the minimum values are changed to $0$, and each value is converted to a decimal between [0, 1]. The succeeding formula was utilized for normalizing the feature.

$$X_{new}=\frac{X-X_{\mathrm{m}\mathrm{i}\mathrm{n}}}{X_{\mathrm{m}\mathrm{a}\mathrm{x}}-X_{\mathrm{m}\mathrm{i}\mathrm{n}}}$$

(1)

In Equation (1), $X$ represents the group of feature values attained, $X_{\mathrm{m}\mathrm{a}\mathrm{x}}$ and ${ X}_{\mathrm{m}\mathrm{i}\mathrm{n}}$ show the maximal and minimal values in $X$, respectively.

3.3. Feature Selection Using HEGSO Algorithm

The HEGSO method is exploited for the optimum selection of features. The classical GSO method is based on the natural behaviors of the glowworm during nighttime [27]. Based on the luciferin, the glowworm displays a type of interaction with other glowworms in the population. If the light discharged through the glowworm is greater, then the luciferin is greater. There exist three dissimilar stages, namely luciferin update, movement, and the update and neighborhood stage. The number of luciferins is equivalent to the fitness of their existing location on the objective function. Next is the movement phase. Using the HEGSO technique, optimization can be carried out. The optimization technique initiates once the path is found between the beginning and ending points of the vehicle nodes. The steps for the HEGSO technique are shown as follows:

Step1: Initialize the Search Agents (SA), viz., the size of population $Q,$ an initial value of radial gamut of SA $r_o,$ individual glowworm $X$; $z$ shows the step size, iteration counter $N_{it}$, luciferin’s initial value $I_o,$ and time instance $n$.

$$X=\left\{x_1, x_2, \dots , x_Q\right\}$$

(2)

Step2: Evaluate the fitness function (FF) based on Equation (3):

$$F=\sum _{t=1}^n\frac{L}{E{V}_t\left(V_i\right)}$$

(3)

where $E{V}_t$ denotes the average speed of vehicles on the road, $V_i$ indicates the vehicle, and $L$ shows the overall length of the road segments.

Step3: This phase is the luciferin phase. Here, the new SA can be evaluated using the subsequent equation:

$$l_j\left(n+1\right)=\left(1-\rho \right)l_j\left(n\right)+\beta J_j\left(n+1\right)$$

(4)

In Equation (4), $\beta$ shows the luciferin decay constant within [$\mathrm{0,1}$], $l\left(n\right)$ implies the luciferin values of the SA at $n$ time, $l_j(n+1)$ is the luciferin value of the SA at $\left(n+1\right)$ time, and $J_j$ indicates the FF.

Step4: The objective function of the new SA is evaluated according to similar fitness.

Step5: Based on the brightness, the SA moves towards the adjacent glowworm. The movement of SA can be determined by the EDs among the glowworms. During the movement phase, the SA heads for the computed neighborhood based on probabilistic means. It can be mathematically modelled by Equation (5):

$$x_j\left(n+1\right)=x_j\left(n\right)+Z\left(\frac{xk\left(n\right)-x_j\left(n\right)}{‖xk\left(n\right)-x_j\left(n\right)‖}\right)$$

(5)

where $Z$ denotes the step size.

Step6: The decision range and neighborhood range of the SA are updated in this step. The decision rules are used based on the following expression:

$$r_d\left(n+1\right)=\mathrm{m}\mathrm{i}\mathrm{n}\left(r_s,\mathrm{m}\mathrm{a}\mathrm{x}\left(O, r_d\left(n\right)+B\left(n_e-\right|N_j\left(n\right)\right)\right)$$

(6)

In Equation (6), $rd$ shows the prior value of the neighborhood range, $n_e$ represents the SA with a higher luciferin value from the decision range, ${ r}_d(n+1)$ shows the upgrade values of the neighborhood range, $B$ denotes the constant, and $r_s$ indicates the maximum sensing radius of the glowworms.

Step7: If the termination criteria are satisfied, then the fittest solution can be attained. If they are not satisfied, then the mutation and crossover operators can be used. The two-point crossover is exploited.

The FF used in the HEGSO technique is developed to take a balance between the classification accuracy (maximal) and the amount of feature selections (minimal) attained; Equation (10) signifies the FF to evaluate the solution.

$$Fitness=\alpha {\gamma }_R\left(D\right)+\beta \frac{\left|R\right|}{\left|C\right|}$$

(7)

In Equation (7), $\left|R\right|$ refers to the cardinality of the selected subset, ${\gamma }_R\left(D\right)$ indicates the classification error rate, $\left|C\right|$ symbolizes the overall feature count, and parameters $\alpha$ and $\beta$ are respective to the importance of classification quality and subset length. ∈ [1,0] and $\beta =1-\alpha .$

3.4. QRNN-Based Cyber Attack Detection

At this stage, the QRNN architecture is used for the detection and classification of cyber attacks. QRNN is a hybrid NN inspired by the LSTM, which brings the benefits of CNN and LSTM together [28]. CNN is fast and extremely parallelizable, while LSTM has the potential to model long-range dependency. However, LSTMs and RNNs have a slower recurrent step. Actually, $h_t$ relies on $h_{t-1}$, which relies in its turn on $h_{t-2}$, etc., thereby generating an execution bottleneck. Figure 2 depicts the infrastructure of QRNN.

The hidden-hidden matrix multiplication of LSTM is eliminated, and the convolution size of $n$ over input $x$ is provided to diminish the computation effort needed for the recurrent step, t. Furthermore, the forget and input gates are connected, which produces output gate ${\mathrm{o}}_t$ and forget gate $f_t$. The QRNN with $fo$-pooling can be described by the subsequent expression:

$$f_t,{\mathrm{o}}_t=\sigma \cdot \left(U_{f,\mathrm{o}}\cdot x_{t-n+1:t}\right),$$

(8)

$${\tilde{c}}_{\mathrm{t}}=tanh\left(U_c\cdot x_{t-n+1:t}\right).$$

(9)

$$c_t=c_{t-1}\odot f_t+{\tilde{c}}_t\odot \left(1-f_t\right).$$

(10)

$$h_t=c_t\odot o_t.$$

(11)

Subsequently, the recurrent step is a weighted or gated sum, thus effectuating faster implementation. This provides a probability for the unbounded activation function, including the ReLu function, considering that the hidden layer cannot exponentially grow anymore.

3.5. Hyperparameter Tuning Using HPO Algorithm

Finally, the HPO algorithm optimally chooses the hyperparameters related to the QRNN models, including the learning rate, number of epochs, and batch size. The HPO algorithm is a new swarm-based optimization technique that mimics the behaviors between the prey and predators. The HPO imitates the predictor behaviors during hunting the prey; in the meantime, the prey moves towards the safer region to escape from the predator. Consequently, based on the modified site of the safer region, the safer region is updated dynamically, and the predator must update its position. In HPO, Iraj et al. [29] explored the safer region corresponding to the better objective values. As HPO is a metaheuristic algorithm, it begins with the collection of random solutions that are calculated using Equation (12):

$$Z_i=lb+rand\times \left(ub-lb\right) i=\mathrm{1,2}, \dots , N,$$

(12)

where $ub$ and $lb$ denote the upper and lower boundaries of the searching field $($ vector form with dimension $=\mathrm{1,2},\dots , D)$, and $rand\in \left[\mathrm{0,1}\right]$ shows the uniformly distributed random value. The $D$ and $N$ symbols are the numbers of the problem variables and the overall population size, respectively.

The primary group of solutions for detecting the bad and good solutions can calculate the FF. Next, the primary phase of the solution can be updated using the key stages of the HPA method through the set of independent runs. In the HPO, the search process comprises two different stages, the exploitation and exploration phases. During the exploration phase, the agent explores with higher randomness to find the local and global points in the searching space. On the other hand, the exploitation stage repossesses minimal randomization for circulating the potential solution. In this context, Iraj et al. developed the subsequent equation to model the exploration and exploitation stages of the model:

$$\begin{array}{c}{Z}_{im}(t+1)=Z_{im}\left(t\right)+0.5\left[\right(2\alpha \beta Pre{y}_{P\left(m\right)}-Z_{im}\left(t\right))\\ +\left(2\right(1-\alpha )\beta {\mu }_{\left(m\right)}-Z_{im}(t\left)\right)]\end{array}$$

(13)

In Equation (13), $Z_{im}\left(t\right),$ $Z_{im}(t+1)$ refers to the corresponding present and future locations of the ith hunter. The prey location can be represented as $Pre{y}_p$; the $\beta ,$ $\alpha$, and $\mu$ symbols are the balancing parameters, adaptive parameters, and mean of each location, respectively. This parameter is calculated with the following expression:

$$Rand={\overrightarrow{R}}_1<\alpha ;index=(Rand==0);$$

$$\beta =R_2\otimes index+{\overrightarrow{R}}_3\otimes \left(\sim index\right).$$

(14)

$$\alpha =1-it\left(\frac{0.98}{MAXIt}\right).$$

(15)

where $index$ refers to the index number of the vector ${\overrightarrow{R}}_1$ that meets the criteria of $(P==0)$ and $Rand$; $R_2,$ ${\overrightarrow{R}}_1$, and ${\overrightarrow{R}}_3$ denote the random vector within $\left[\mathrm{0,1}\right]$. $MAXIt$ denotes the maximal number of iterations. The balance parameter $\alpha$ is calculated with Equation (15), whose value drops from 1 to 0.02 through the number of iterations. As previously stated, HPO aims to catch the prey; thus, the prey upgrades the place through the average of each location ($\mu$) using Equation (14), and later calculates the distance of all the searching agents from the mean position [30].

$$\mu =\frac{1}{n}\sum _{i=1}^n{\overrightarrow{Z}}_i.$$

(16)

Based on the Euclidean distance, the distance can be evaluated as follows:

$$D_{euc\left(i\right)}={\left(\sum _{m=1}^d(Z_{im}-{\mu }_m{)}^2\right)}^{0.5}.$$

(17)

The searching agent with a maximum distance in the mean of placement is assumed to be the prey $\left(Pre{y}_{P\left(m\right)}\right)$.

$$\overrightarrow{Pre{y}_{P\left(m\right)}}={\overrightarrow{Z}}_i|i is sorted D_{euc}(kbest).$$

(18)

In Equation (18), $est=round(\alpha \times N)$, $N$ denotes the number of solutions. Once the prey are attacked, they attempt to escape toward the safer region. Iraj et al. supposed the optimal safer place is the global optimal location, and the hunter may upgrade the current location to choose another prey via the subsequent equation:

$$Z_{im}\left(t+1\right)=G_{P\left(j\right)}+\alpha \beta cos\left(2\pi R_4\right)\ast \left(G_{P\left(j\right)}-Z_{im}\left(t\right)\right),$$

(19)

In Equation (19), $G_P$ denotes the safe place (global optimal location) and $R_4\in [-\mathrm{1,1}]$ shows the random integer. Iraj et al. considered the subsequent Equation (8) to differentiate between the hunters and prey.

$$Flag=\left\{\begin{array}{l}{Z}_{im}(t+1)=Z_{im}\left(t\right)+0.5\left[\right(2\alpha \beta Pre{y}_{P\left(m\right)}-Z_{im}\left(t\right))\\ +\left(2\right(1-\alpha )\beta {\mu }_{\left(m\right)}-Z_{im}(t\left)\right)] if R_5\le \gamma \\ Z_{im}\left(t+1\right)=G_{P\left(j\right)}+\alpha \beta \cos \left(2\pi R_4\right)\ast \left(G_{P\left(j\right)}-Z_{im}\left(t\right)\right)\\ if else\end{array}\right.,$$

(20)

In Equation (20), $R_5$ denotes a random number that lies in [$\mathrm{0,1}$], and $\gamma$ shows the regulatory parameter set as $0.1$. The HPO approach develops an FF to obtain a greater classifier solution. It defines a positive integer to indicate the fittest solution for candidate performances. In this case, the decline in the classifier error rate could be regarded to be FF.

$$\begin{array}{c}fitness\left(x_i\right)=ClassifierErrorRate\left(x_i\right)\\ =\frac{No. of misclassified samples}{Total No. of samples}\ast 100\end{array}$$

(21)

4. Results and Discussion

The proposed model was simulated using Python 3.6.5 tool on a PC i5-8600k, GeForce 1050Ti 4 GB, 250 GB SSD, 1 TB HDD, with 16 GB RAM. The followingparameter settings were provided: batch size: 5, dropout: 0.5, learning rate: 0.01, epoch count: 50, and activation: ReLU.

In this section, the cyber attack detection performance of the BHMML-CADC algorithm is tested on the BOT-IoT dataset [31,32], comprising 4500 samples and 9 classes, as represented in

Table 1. Details of the database.

Class	Labels	No. of Samples
Service Scanning	L1	500
OS Fingerprinting	L2	500
DDoS TCP	L3	500
DDoS UDP	L4	500
DDoS HTTP	L5	500
DoS TCP	L6	500
DoS UDP	L7	500
DoS HTTP	L8	500
Normal	L9	500
Total Number of Samples		4500

.

The cyber attack classification outcomes of the BHMML-CADC technique are demonstrated in Figure 3. The experimental outcome was that the BHMML-CADC method achieved effective outcomes, with the distinct categorization of the class labels.

In

Table 2. Cyber attack detection outcome of BHMML-CADC approach for the 80:20 TR set/TS set.

Class Labels	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	MCC	${\mathit{G}}_{\mathit{M}\mathit{e}\mathit{a}\mathit{s}\mathit{u}\mathit{r}\mathit{e}}$
Training Phase (80%)
Service Scanning (L1)	99.78	98.95	98.95	98.83	98.95
OS Fingerprinting (L2)	99.22	95.63	97.52	96.14	96.57
DDoS TCP (L3)	99.53	97.96	97.72	97.57	97.84
DdoS UDP (L4)	99.64	98.75	98.02	98.18	98.39
DdoS HTTP (L5)	99.69	97.53	99.75	98.46	98.63
DoS TCP (L6)	99.64	98.25	98.50	98.17	98.37
DoS UDP (L7)	99.58	98.99	97.28	97.90	98.13
DoS HTTP (L8)	99.78	99.24	98.75	98.87	99.00
Normal (L9)	99.58	98.79	97.61	97.96	98.20
Average	99.60	98.23	98.23	98.01	98.23
Testing Phase (20%)
Service Scanning (L1)	99.78	98.33	100.00	99.04	99.16
OS Fingerprinting (L2)	99.67	97.94	98.96	98.26	98.45
DdoS TCP (L3)	99.44	98.10	97.17	97.32	97.63
DdoS UDP (L4)	99.78	100.00	97.92	98.83	98.95
DdoS HTTP (L5)	99.33	95.37	99.04	96.81	97.19
DoS TCP (L6)	99.67	100.00	97.03	98.32	98.50
DoS UDP (L7)	99.56	97.92	97.92	97.67	97.92
DoS HTTP (L8)	99.67	99.00	98.02	98.32	98.51
Normal (L9)	99.78	98.78	98.78	98.66	98.78
Average	99.63	98.38	98.31	98.14	98.34

and Figure 4, the overall cyber attack detection outcome of the BHMML-CADC method is highlighted at 80:20 of the TR set/TS set. The outcomes shows that the BHMML-CADC method categorizes different kinds of attacks proficiently.

Figure 5 presents the training accuracies $TR\_acc{u}_y$ and $VL\_acc{u}_y$ of the BHMML-CADC method for the 80:20 TR set/TS set. The $TL\_acc{u}_y$ can be defined by the approximation of the BHMML-CADC method on the TR database, whereas the $VL\_acc{u}_y$ is calculated by estimating the performance of the different testing databases. The experimental outcomes demonstrated that $TR\_acc{u}_y$ and $VL\_acc{u}_y$ increase with an increase in epochs. Consequently, the performance of the BHMML-CADC method improves to enhance the TR and TS databases with upsurges in many epochs.

In Figure 6, examination of the $TR\_loss$ and $VR\_loss$ of the BHMML-CADC algorithm for the 80:20 TR set/TS set is presented. The $TR\_loss$ defines the error between the predicted performance and original values on the TR database. The $VR\_loss$ indicates the measured performance of the BHMML-CADC method on the validation data. The outcomes show that the $TR\_loss$ and $VR\_loss$ tend to decrease with maximum epochs. This depicts the superior performance of the BHMML-CADC approach, and its capability to produce an accurate classification. The reduced values of the $TR\_loss$ and $VR\_loss$ show the maximum performance of the BHMML-CADC method in obtaining the patterns and relationships.

A summary precision–recall (PR) curve of the BHMML-CADC approach is shown for the 80:20 TR set/TS set in Figure 7. The analysis shows the BHMML-CADC method outcomes in raising the PR values. Moreover, it was observed that the BHMML-CADC method achieved superior PR values on all of the class labels.

In Figure 8, an ROC investigation of the BHMML-CADC method is shown for the 80:20 TR set/TS set. The figure portrays that the BHMML-CADC method yielded increased ROC values. Moreover, the BHMML-CADC method can be extended for the enhancement of ROC values on all class labels.

In

Table 3. Cyber attack detection outcomes of BHMML-CADC approach for the 70:30 TR set/TS set.

Class Labels	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	MCC	${\mathit{G}}_{\mathit{M}\mathit{e}\mathit{a}\mathit{s}\mathit{u}\mathit{r}\mathit{e}}$
Training Phase (70%)
Service Scanning (L1)	99.71	98.60	98.87	98.57	98.73
OS Fingerprinting (L2)	99.56	98.48	97.30	97.64	97.89
DDoS TCP (L3)	99.78	99.12	98.82	98.84	98.97
DDoS UDP (L4)	99.56	97.08	98.81	97.70	97.94
DDoS HTTP (L5)	99.62	98.41	98.41	98.20	98.41
DoS TCP (L6)	99.78	99.15	98.88	98.89	99.02
DoS UDP (L7)	99.68	98.31	98.86	98.41	98.58
DoS HTTP (L8)	99.75	99.14	98.58	98.71	98.86
Normal (L9)	99.71	98.85	98.56	98.54	98.71
Average	99.68	98.57	98.57	98.39	98.57
Testing Phase (30%)
Service Scanning (L1)	99.63	99.30	97.24	98.06	98.26
OS Fingerprinting (L2)	99.70	98.22	99.40	98.64	98.81
DDoS TCP (L3)	99.85	99.38	99.38	99.29	99.38
DDoS UDP (L4)	99.93	100.00	99.39	99.65	99.69
DDoS HTTP (L5)	99.78	97.60	100.00	98.67	98.79
DoS TCP (L6)	99.63	99.29	97.22	98.05	98.25
DoS UDP (L7)	99.85	98.67	100.00	99.25	99.33
DoS HTTP (L8)	99.78	99.32	98.66	98.87	98.99
Normal (L9)	99.48	97.39	98.03	97.41	97.71
Average	99.74	98.80	98.81	98.65	98.80

and Figure 9, the overall cyber attack identification performance of the BHMML-CADC method is evaluated for the 70:30 TR set/TS set. The outcomes denote that the BHMML-CADC method classifies various types of attacks efficiently. For instance, for the 70% TR set, the BHMML-CADC method provides average $acc{u}_y$, $pre{c}_n$, $rec{a}_l$, MCC, and $G_{measure}$ of 99.68%, 98.57%, 98.57%, 98.39%, and 98.57%, respectively. Therefore, for the 30% TS set, the BHMML-CADC approach appropriately provides average $acc{u}_y$, $pre{c}_n$, $rec{a}_l$, MCC, and $G_{measure}$ of 99.74%, 98.80%, 98.81%, 98.65%, and 98.80%, respectively.

Figure 10 demonstrates the training accuracies $TR\_acc{u}_y$ and $VL\_acc{u}_y$ of the BHMML-CADC approach for the 70:30 TR set/TS set. The $TL\_acc{u}_y$ is defined by the estimation of the BHMML-CADC method on the TR database, whereas the $VL\_acc{u}_y$ is calculated by approximating the performance on the individual testing dataset. The outcomes show that $TR\_acc{u}_y$ and $VL\_acc{u}_y$ increase with increasing epochs. As an outcome, the performance of the BHMML-CADC method was required to enhance the TR and TS databases with upsurges in many epochs.

In Figure 11, the $TR\_loss$ and $VR\_loss$ outcomes of the BHMML-CADC system for the 70:30 TR set/TS set are revealed. The $TR\_loss$ defines the error between the predicted performance and original values on the TR data. The $VR\_loss$ illustrates the measured performance of the BHMML-CADC method on separate validation data. The outcomes indicate that the $TR\_loss$ and $VR\_loss$ tend to decrease with growing epochs. These represent the enhanced outcomes of the BHMML-CADC method and its capability to produce an accurate classification. The reduced values of the $TR\_loss$ and $VR\_loss$ exhibit the greater performance of the BHMML-CADC approach on catching patterns and relationships.

A summary of the analysis of the PR curve of the BHMML-CADC approach is shown for the 70:30 TR set/TS set in Figure 12. The analysis illustrates that the BHMML-CADC methodology raises the PR values. Moreover, it can be seen that the BHMML-CADC method can obtain better PR values on all class labels.

In Figure 13, an ROC investigation of the BHMML-CADC method is demonstrated for the 70:30 TR set/TS set. The figure shows that the BHMML-CADC method enhanced the ROC values. Additionally, the BHMML-CADC method can be extended for the enhancement of ROC values on all class labels.

In

Table 4. Comparative outcomes of BHMML-CADC algorithm with other techniques.

Classifier	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	MCC
Ensemble learning	92.66	98.12	96.67	97.10
Sparse autoencoder	98.10	96.96	97.48	96.25
XGBoost	98.90	97.19	97.67	96.44
SVM Algorithm	98.37	97.06	97.66	96.92
CNN Model	98.37	97.61	98.04	97.96
LSTM Model	99.01	97.70	96.63	96.95
KNN Algorithm	99.26	96.74	96.50	97.75
BHMML-CADC	99.74	98.80	98.81	98.65

and Figure 14, detailed classification results of the BHMML-CADC technique are clearly illustrated [33,34,35]. The experimental values highlight that the ensemble learning model achieves worse results. Simultaneously, the SAE, XGBoost, SVM, and CNN models show slightly boosted results. Along with that, the KNN model reported considerable performance with $acc{u}_y$, $pre{c}_n$, $rec{a}_l$, and MCC values of 99.26%, 96.74%, 95.60%, and 97.75%, respectively. Nevertheless, the BHMML-CADC technique accomplished improved performance with maximum $acc{u}_y$, $pre{c}_n$, $rec{a}_l$, and MCC values of 99.74%, 98.80%, 98.81%, and 98.65%, respectively. Therefore, the BHMML-CADC technique is an effective tool for the automated cyber attack detection process.

Table 5. TRT and TST outcomes of BHMML-CADC algorithm compared with other techniques.

Classifier	Training Time (s)	Testing Time (s)
Ensemble learning	18.06	8.86
Sparse autoencoder	10.14	6.88
XGBoost	18.78	7.52
SVM Algorithm	18.78	9.44
CNN Model	12.73	7.87
LSTM Model	12.82	5.10
KNN Algorithm	13.05	8.88
BHMML-CADC	06.60	3.01

and Figure 15 demonstrate the comparative TRT and TST investigations of the BHMML-CADC method with other current algorithms. The outcomes highlight that the BHMML-CADC system achieves superior performance over the other models.

Based on the TRT outcomes, the BHMML-CADC technique demonstrates a reduced TRT of 6.60 s, while the Ensemble learning, Sparse autoencoder, XGBoost, SVM, CNN, LSTM, and KNN approaches obtained higher TRTs of 18.06 s, 10.14 s, 18.78 s, 18.78 s, 12.73 s, 12.82 s, and 13.05 s, respectively. Afterwards, based on the TST, the BHMML-CADC approach achieved a minimized TST of 3.01 s, whereas the XGBoost, Ensemble learning, Sparse autoencoder, LSTM, KNN, SVM, and CNN techniques achieved greater TST values of 8.86 s, 6.88 s, 7.52 s, 9.44 s, 7.87 s, 5.10 s, and 8.88 s, respectively.

Figure 16 illustrates the security rate of the proposed model with and without BC technology. The security rate of the proposed model with BC was found to be higher than that of the proposed model without BC. The use of BC technology helps to achieve an enhanced security rate of the proposed model. It was also observed that the security rate increases with an increase in the number of transactions (

Table 6. Security rate analysis of BHMML-CADC algorithm.

Security Rate (%)
No. of Transactions	With Blockchain	Without Blockchain
20	97.50	96.06
40	97.91	96.24
60	98.06	97.08
80	98.68	97.72
100	99.45	98.91

).

In summary, the proposed model shows improved performance over the other techniques, which is due to the integration of the HEGSO-based FS and HPO-based hyperparameter tuning. The HEGSO technique chooses the related and useful features from the available set of features. With the removal of irrelevant features, the BHMML-CADC technique can focus on crucial factors that contribute to the classification process. This leads to an increase in classification performance. Simultaneously, the HPO optimizer chooses the optimal value for the hyperparameter of the given QRNN model. Hyperparameters are settings that are not learned during training, but must be set before training. They may have a considerable effect on system performance, and selecting the optimum values can result in better accuracy. By combining HPO optimizer-based hyperparameter tuning and the HEGSO algorithm, the BHMML-CADC model achieved the best outcomes by focusing on the most relevant features and selecting the optimum settings for the model. These outcomes ensured superior performance of the BHMML-CADC method over the other current approaches.

5. Conclusions

In this research, we developed the BHMML-CADC algorithm for the identification and classification of cyber attacks. The purpose of the BHMML-CADC technique is to exploit BC technology with FS and an optimal DL model for cyber attack recognition. To accomplish this, the BHMML-CADC technique follows several stages of operations, namely BC technology, pre-processing, HEGSO-based FS, QRNN-based detection, and HPO-based hyperparameter tuning. Furthermore, the BHMML-CADC technique employs BC technology using Ethereum BC for attack detection. The design of HEGSO-based FS and HPO-based parameter optimization processes helps in achieving enhanced detection outcomes. The experimental results of the BHMML-CADC method were validated on the benchmark BOT-IoT dataset. The wide-ranging simulation analysis illustrates the significant performance of the BHMML-CADC method over other approaches with a maximum accuracy of 99.74%, a precision of 98.80%, a recall of 98.81%, and an MCC of 98.65%. Future research can explore the applicability of blockchain-assisted machine learning for cyber attack detection in different domains beyond traditional IT networks, such as critical infrastructure protection, autonomous vehicles, or smart cities. In addition, privacy-preserving methods for cyber attack detection using blockchain can be designed to ensure that sensitive data, such as network traffic logs, can be securely analyzed without exposing sensitive information.