Hybrid Deep Neural Network Optimization with Particle Swarm and Grey Wolf Algorithms for Sunburst Attack Detection

Abstract

Deep Neural Networks (DNNs) have been widely used to solve complex problems in natural language processing, image classification, and autonomous systems. The strength of DNNs is derived from their ability to model complex functions and to improve detection engines through deeper architecture. Despite the strengths of DNN engines, they present several crucial challenges, such as the number of hidden layers, the learning rate, and the neuron weight. These parameters are considered to play a crucial role in the ability of DNNs to detect anomalies. Optimizing these parameters could improve the detection engine and expand the utilization of DNNs for various areas of application. Bio-inspired optimization algorithms, especially Particle Swarm Intelligence (PSO) and the Gray Wolf Optimizer (GWO), have been widely used to optimize complex tasks because of their ability to explore the search space and their fast convergence. Despite the significant successes of PSO and GWO, there remains a gap in the literature regarding their hybridization and application in Intrusion Detection Systems (IDSs), such as Sunburst attack detection, especially using DNN. Therefore, in this paper, we introduce a hybrid detection model that investigates the ability to integrate PSO and GWO so as to improve the DNN architecture to detect the Sunburst attack. The PSO algorithm was used to optimize the learning rate and the number of hidden layers, while the GWO algorithm was used to optimize the neuron weight. The hybrid model was tested and evaluated based on open-source Sunburst attacks. The results demonstrate the effectiveness and robustness of the suggested hybrid DNN model. Furthermore, an extensive analysis was conducted by evaluating the suggested hybrid PSO–GWO along with other hybrid optimization techniques, namely Genetic Algorithm (GA), Differential Evolution (DE), and Ant Colony Optimization (ACO). The results demonstrate that the suggested hybrid model outperformed other optimization techniques in terms of accuracy, precision, recall, and F1-score.

1. Introduction

Recently, the advantages of Deep Neural Networks (DNNs) have demonstrated their effectiveness in various areas of application, such as natural language processing, image classification, and autonomous systems. The benefits of DNNs are characterized by their ability to model complex functions and improve the detection engine through deeper architecture [1]. Typically, DNNs include three primary layers. The first layer is the input layer, which is responsible for receiving the raw data/features and forwarding them to the hidden layer layer for extra processing. The second layer is the intermediate hidden layer between the input and output layers, where the crucial computation is performed. The hidden layers offer the ability to learn complex patterns by adjusting weights and biases through backpropagation. Finally, the output layer is responsible for mapping the output to the target class, such as identifying object class or predicting numerical values [2,3]. Figure 1 presents the general architecture of DNNs.

In recent years, hybrid DNN techniques [4,5,6] have been increasingly explored to enhance the detection capabilities of Intrusion Detection Systems. However, hybrid DNN techniques mainly focus on feature extraction and data preprocessing, which can be both time-consuming and resource-intensive, particularly in the context of Sunburst attack detection. Despite the promising achievements of DNNs in various fields, they present a number of challenges that need to be optimized, such as the number of hidden layers, learning rate, and neural weights. These parameters play a crucial role in enhancing the ability of DNNs to detect anomalies. Optimizing the previous parameters beyond just improving the detection engine also offers the opportunity to reduce the computation time as well as the utilized resources. This benefit could result in DNN models being suitable for various applications where there are limited resources. Specifically, the learning rate parameter is a key parameter that controls the convergence speed and model accuracy. A high learning rate could lead to passing over the optimal solution as well as instability in convergence. From another perspective, a slow learning rate could lead to the model issue becoming trapped in the local minima [7]. On the other hand, the number of hidden layers plays an essential role in affecting the ability of the model to learn complex patterns. However, the many hidden layers may lead to the issue of overfitting [8]. Furthermore, the weight of the neurons illustrates their connections, where the updates to these weights during training help reduce the loss function of the DNN model [9]. Therefore, there is an urgent need to build a DNN model that has its own optimized parameters to help improve the detection process, as well as reduce the utilized resources. Bio-inspired optimization algorithms are considered crucial solutions that aim to handle optimization tasks. These algorithms were introduced to find the optimal/near-optimal solution for a complex task [10]. Bio-inspired optimization algorithms were introduced to reflect strategies that simulate the social behavior of animals, humans, the universe, etc. The widespread use of these algorithms proves their ability to handle a large search space and non-linear tasks. In addition, these algorithms were designed to find the optimal/near-optimal solutions in the global search space through exploration and extrapolation techniques [11].

Bio-inspired optimization algorithms address the limitations of the typical optimization methods, such as dealing with high-dimensional space and non-linear tasks by simulating real-world phenomena [12]. Bio-inspired optimization algorithms could be categorized under biological phenomena, and that includes evolutionary algorithms, swarm intelligence, and nature-inspired algorithms [13]. The strength of bio-inspired optimization algorithms derives from their ease of implementation, where there are no complex mathematical equations. Also, bio-inspired optimization algorithms could be suitable candidates to offer parallelism and scalability [14].

Therefore, bio-inspired optimization algorithms have been widely used in various application areas including optimizing DNN architecture. Optimized DNN models offer an opportunity to be used in various application areas, especially as an Intrusion Detection System (IDS). Recently, machine learning-based IDSs and DNN-based IDSs achieved signification contributions in detecting various types of intrusions [6,15,16]. The rapid growth of DNN optimization techniques helps reduce the intruder’s attacks effectively because DNN can learn from complex patterns of data, as well as handle the high-dimensional space [17]. Particle Swarm Optimization (PSO) [18] and Grey Wolf Optimizer (GWO) [19] were widely used in optimizing complex tasks due to their effectiveness in exploring the search space and their fast convergence. The PSO algorithm mimics the social behavior of a bird flock, where the candidate solutions are illustrated as particles. On each iteration, the particles change their position regarding the derived information from the swarm [20]. Similarly, GWO was introduced to simulate the social behavior of hunting strategies of gray wolves. The GWO algorithm is initiated by generating a sample of candidate solutions (gray wolves). Afterward, the swarm of wolves aims to encircle the prey, which represents the optimal solution, by updating their positions [21]. GWO and PSO demonstrated their effectiveness in various application areas, including IDS systems.

Despite the significant successes of PSO and GWO, there remains a gap in the literature regarding their hybridization and application to IDS challenges such as Sunburst attack detection, especially using DNN. The Sunburst attack was launched in 2020 and is considered a type of supply chain attack concerned with SolarWinds’ Orion software [22,23,24,25]. According to the Danish report from the Danish Centre for Cyber Security (CFCS) [26], 18,000 organizations were infected by these backdoor attacks. Despite its damage impact, there is a lack of research utilizing deep learning approaches, particularly DNNs optimized by metaheuristics, for detecting such advanced cyberattacks. On the other hand, the PSO algorithm has its key strengths, and the GWO algorithm has its key strengths. Hybridizing both algorithms could overcome the expected limitations of these algorithms and offer more robust results. This work aims to fill this gap by combining PSO-GWO with DNN to detect Sunburst attacks. The suggested hybridization tackles the capabilities of PSO in exploitation as well as the capabilities of GWO in achieving a more balanced and effective optimization process. The main contributions of this work as manifold, as follows:

• Introducing a hybrid optimization model. We have developed a hybrid model that integrates PSO and GWO along with DNN to effectively detect the Sunburst attack.
• Optimization of DNN parameters. We have integrated the GWO algorithm to optimize the weights of DNN as well as integrating PSO to optimize the number of hidden layers and learning rate.
• Comprehensive comparison with other hybrid techniques. We have extensively compared the proposed hybrid model with other hybrid optimization techniques such as GA-PSO, SA-PSO, DE-PSO, and ACO-PSO based on standard evaluation metrics including detection rate, recall, precision, and F1-score.

The rest of the paper is organized as follows. Section 2 presents the recent related works to detect the Sunburst attack along with the recent bio-inspired optimization algorithms. It also highlights the urgent need to introduce a suitable detection model. Section 3 introduces the proposed hybrid technique, mainly the main steps and requirements that are required to use the GWO optimizer to optimize the weights of DNNs along with the PSO optimizer to optimize the number of hidden layers and the learning rate value. Section 4 details the results of the suggested hybrid detection model for the sake of detecting Sunburst attacks. Finally, Section 5 concludes the paper.

2. Related Works

This section presents the recent related works to detect the Sunburst attack along with the recent bio-inspired optimization algorithms and hybridization techniques within the area of IDS. It also highlights the urgent need to introduce a suitable detection approach for supply chain attacks, especially Sunburst attacks.

In [23], Almasri et al. recognized the damaging impact of supply chain attacks, particularly Sunburst attacks. The authors introduced a novel dataset that includes the Sunburst attack. The generated Sunburst dataset includes 81 features along with 50,910 records. The authors proposed a detection approach using the J48 algorithm. The suggested detection approach was initiated by selecting only the top 10 features that were relevant to detecting the Sunburst attack. The achieved results showed that the suggested J48 detection approach was able to successfully detect the Sunburst attack within the studied testbed environment. From another perspective, Chen et al. in [27] are concerned with unsupervised algorithms to mitigate the damage of supply chain attacks. The authors proposed a detection approach based on an unsupervised technique to model the normal behavior of users, forwarded by modeling the anomaly behavior of users. The suggested detection approach defined the privileged escalation cycle to easily detect abnormal behavior. The conducted experiments demonstrated that the unsupervised techniques could achieve promising results for detecting supply chain attacks. Furthermore, Haider et al. in [28] focused on the effects of supply chain attacks, especially Sunburst attacks. The essential challenge of detecting Sunburst attacks was referred to as they employed the use of legitimate channels. The authors proposed a framework to detect Sunburst attacks. In addition, the proposed framework was able to detect Command and Control (C2), which could be used by supply chain attacks. Preventing C2 is considered a critical stage in detecting supply chain attacks, as it is a preliminary stage for launching these attacks. The authors adapted a random forest algorithm as a detection engine, and the results showed the efficiency of the suggested detection framework [29].

In the domain of intrusion detection, DNNs have been growing according to their effectiveness in handling high-dimensional space and the ability to learn from complex patterns. For instance, Chauhdary in [30] utilized the strength of DNNs to detect supply chain attacks. The authors introduce a detection approach based on the Deep Belief Network (DBM) along with the extreme learning machine. For the sake of reducing the time complexity, the authors employed the feature selection technique. The feature selection technique was conducted using the Evolution Social Spider Optimization (ESSO) algorithm to select only the relevant features to detect supply chain attacks. Two datasets were used to evaluate the suggested detection approach, and the results showed the ability to detect studied supply chain attacks. In addition, Butt in [31] investigated the effects of supply chain attacks on IDS systems. This investigation was implemented by adapting various machine learning algorithms (random forest, logistic regression, and support vector machine) as detection engines to detect various types of supply chain attacks. The authors performed three sequence scenarios; the first scenario was for normal behavior (no attack was launched), the second scenario employed 20% random label flipping, and the last scenario adapted label flipping based on distance. KDD-99 was used as a testbed environment. The results showed the effect of using label flipping directly on the performance of the studied machine learning algorithms. Moreover, the logistic regression algorithm was the most elastic during the previously studied scenarios. From another perspective, Bassiouni et al. in [32] studied the impact of using DNN architectures to extract the features of the supply chain data. The authors adapted various DNN architectures, including Long Short-Term Memory (LSTM), 1D Convolutional Neural Network (CNN), and Deep-LSTM. These architectures were utilized as feature extractors, while other machine learning algorithms (random forest, artificial neural network, K nearest neighbor, and support vector machine) were adapted to classify the supply chain data. The results showed that the support vector machine achieved the highest accuracy rate.

Son et al. in [33] examined the advantages of supervised and unsupervised learning to detect supply chain attacks. The authors suggested a model based on a semi-supervised technique that was able to detect supply chain attacks within various layers, including the network layer and consensus layer. Deep autoencoder multilayer perception was adapted as a detection engine. The suggested model was evaluated according to the collected dataset. In addition, Yeboah et al. in [34] proposed an extensive analysis to detect supply chain attacks. This extensive analysis was carried out by adapting various machine learning algorithms including logistic regression, support vector machine, and decision tree. The authors adapted the grid search technique to optimize the cross-validation. The studied dataset was the Microsoft malware prediction dataset. The results suggested the decision tree algorithm as a suitable detection engine for supply chain attacks. Some research works focused on adapting meta-heuristic optimization algorithms to detect supply chain attacks as well as blockchain attacks. For instance, Albakri et al. in [35] proposed a detection model for blockchain attacks that integrates the machine learning and deep learning model algorithms along with the meta-heuristic optimization algorithms. The authors proposed a BHMML-CADC model that was utilized based on selecting the optimal features in addition to the optimal deep learning model. Hybrid glowworm swarm optimization was initiated to select the optimal features of the imported dataset. The next step was to adapt the quasi-recurrent neural network as a detection engine. It should be noted that the parameters of the quasi-recurrent neural network were optimized using a hunter–prey optimization algorithm. Bot-IoT was used as a testbed environment to evaluate the suggested detection model. The results showed that the suggested BHMML-CADC model was able to successfully detect the studied attacks; moreover, the results were compared with other typical machine learning techniques (support vector machine, XGBoost, and ensemble learning) and showed the superiority of the suggested model.

Akter et al. in [36] conducted a comprehensive analysis between CNN and Quantum Neural Network (QNN) for the sake of detecting software supply chain attacks. The authors adapted the quantum neural network using an open-source simulator. The ClaMP dataset was used as a testbed environment. The results discuss the execution time for both models. The QNN model recorded slower execution time when using a high percentage of the studied dataset. In addition, the execution time of CNN increased by increasing the percentage of the ClaMP dataset. In the same context, Mohammad et al. in [37] adapted various quantum machine learning techniques, including quantum support vector machine and quantum neural network, to detect software supply chain attacks. Two datasets (the ClaMP dataset and the ReVeal dataset) were adapted to evaluate the studied techniques. Various preprocessing techniques were employed, consisting of converting the categorical features into numerical features along with the normalization scale. The results showed that the classical machine learning techniques outperformed the quantum techniques in terms of detection rate.

Ismail et al. in [38] examined the damaging effect of supply chain attacks within the Industrial Internet of Things (IIoT). The authors conducted a detailed analysis of different machine learning techniques to introduce a lightweight machine learning model that could detect supply chain attacks within the IIoT environment. The authors focused on supervised learning, including support vector machine, K nearest neighbor, naive Bayes, and decision tree algorithms. The lightweight supervised models were tested based on the WUSTL-IIOT-2021 dataset. The studied dataset includes various attacks, such as SQL injection, reconnaissance, and backdoors. Dual feature selection techniques were applied (mutual information and extra tree). The lightweight models were compared in terms of typical performance metrics such as accuracy and F1-score, and the results showed the ability of the lightweight models to effectively detect various types of attacks. Furthermore, the damaging effect of supply chain attacks, through sharing information within the IoT environment, was discussed by Abosuliman in [39]. The author proposed a detection approach based on machine learning algorithms to detect Distributed Denial of Service (DDoS) attacks to protect the supply chain. The author adapted an optimization technique based on eigenvalues to select only the relevant features. Various machine learning algorithms were implemented to detect the studied attacks, and the results demonstrated the effectiveness of these algorithms for detecting DDoS attacks to secure the supply chain. Additionally, Songa et al. in [40] integrated ensemble feature techniques along with Recurrent Neural Network (RNN). The authors examined various machine learning algorithms to use in ensemble feature selection techniques. They divided ensemble feature techniques into two groups, and each group adapted their machine learning algorithms. The aim behind the separation ensemble feature technique was to select the minimum feature space. The authors successfully reduced the dimension space by 89% and forwarded the selected features to the RNN model. The RNN model was able to detect the studied attacks within the cloud environment. From another perspective, Kim et al. in [41] expand the contributions for protecting IIoT industries from various attacks, including supply chain attacks. The authors proposed a computation malware detection approach by integrating CNN algorithms along with a malware classification task. The suggested solution was evaluated based on the Malimg dataset. The results demonstrated that the suggested CNN malware detection approach was able to effectively detect the studied attacks.

In summary, the previous works introduced signification contributions and highlighted the urgent need to mitigate supply chain attacks. However, there remains a gap in the literature regarding their hybridization and application to IDS challenges, such as Sunburst attack detection, and the capabilities of DNNs against it remain underexplored. Despite the serious damage caused by Sunburst attacks, there is still a lack of contributions to adapting the optimized DNNs, especially using bio-inspired optimization algorithms. Optimized DNNs could be a suitable solution to detect supply chain attacks, such as Sunburst attacks. Integrating bio-inspired optimization algorithms with DNNs offers manifold benefits, as DNNs offer the required learning from complex data patterns. Bio-inspired optimization algorithms provide the required efficiency due to their effectiveness in exploring the search space and fast convergence. Therefore, this work introduces a hybrid technique that adapts the PSO and GWO algorithms to optimize a DNN structure to detect Sunburst attacks.

3. The Proposed Hybrid Detection Approach

This section introduces the proposed hybrid technique, mainly the main steps and requirements that are required to use the GWO optimizer to optimize the weights of DNNs along with the PSO optimizer to optimize the number of hidden layers and the learning rate value.

The effectiveness of the DNN models for solving complex classification tasks demands optimized DNN parameters [42]. The optimized DNN parameters, including the learning rate, the number of hidden layers, and the neuron’s weights, were essential steps in generating an effective DNN model able to handle complex classification tasks such as intrusion detection. During the early phase of adopting the proposed hybrid technique, we used the recent Sunburst attack dataset. The utilized Sunburst attack dataset was introduced by Almasri et al. [23]. The purpose of using this dataset instead of other intrusion datasets is to include the requested case study (Sunburst), offering realistic traffic that was generated by real network devices. Furthermore, it includes full payload capture information. Hence, the previous characteristics ensured its suitability as the testbed environment of the proposed hybrid technique. The utilized Sunburst attack dataset includes 50,910 instances, where 43,713 instances present the Sunburst attack behavior, and the rest of the instances present the legal traffic.

Data preprocessing for the studied Sunburst attack dataset is a critical step. Data preprocessing includes various essential steps. First, the raw data are cleaned by removing any irrelevant or non-numeric features, such as identifiers, timestamps, or IP addresses. This is followed by handling missing values by imputation. Next, categorical variables are encoded into numerical values using one-hot encoding. Feature scaling is essential at this stage; hence, normalization is applied to bring all numerical features into a similar range. These preprocessing steps set the stage for effectively training a hybrid approach, combining both PSO and GWO for optimal parameter tuning. Figure 2 presents the data preprocessing steps for the proposed hybrid detection approach.

The studied Sunburst attack dataset involved 87 features that were extracted from the collected PCAP files. Dealing with large dimension space of features could be time-consuming and could also lead to achieving unrealistic results [11]. Due to this reason, in this work, we have extracted the same top 10 features that are extracted in [23].

The extracted top 10 features are illustrated in

Table 1. The extracted top 10 features.

Feature Name	Feature Description	Used Feature
Timestamp	Time at which the flow started (timestamp)	No
Src port	Source port number used in the flow	No
Dst port	Destination port number used in the flow	No
Flow duration	Total time duration of the flow	Yes
Bwd Pkts/s	Backward packets per second in the flow	Yes
Flow IAT mean	Mean inter-arrival time of packets in the flow	Yes
Pkt size avg	Average packet size in the flow	Yes
Flow IAT max	Maximum inter-arrival time between packets in the flow	Yes
Pkt len mean	Mean length of packets in the flow	Yes
Bwd Pkt len mean	Mean length of backward packets in the flow	Yes

. The identifier features were removed to offer more reliability and generalizability of the suggested hybrid DNN detection model. The identifier features, such as time stamp and source IP address, could lead to bias and lead the model to overfit training and testing processes. The optimization technique for the DNNs aimed to reduce the loss function, which presents the error/misclassification between the actual target and the predicted target [43]. Typically, the loss function is the binary cross-entropy, which is defined as follows:

$$Loss=-\sum _{i=1}^n\left(y_{i}log\left({\widehat{y}}_i\right)+(1-y_i)log(1-{\widehat{y}}_i)\right)$$

(1)

where $y_i$ is the actual target and ${\widehat{y}}_i$ is the predicted probability. In terms of the optimization of DNNs, the neuron’s weight could employ any values in a continuous range except for some restrictions, such as limitation bounds. The number of hidden layers was typically restricted according to predefined discrete sets [44]. Therefore, the optimization process for the parameters and hyperparameters of DNNs is considered an essential demand to generate a DNN model capable of accurately solving the classification problems. The bio-inspired optimization algorithms have demonstrated their effectiveness for solving complex optimization problems due to their ability to explore the search space effectively [10]. In this work, the suggested hybrid optimization technique was conducted as follows:

• The implementation of the PSO algorithm for the sake of optimizing the learning rate and number of hidden layers.
• The implementation of the GWO algorithm for the sake of optimizing the neuron’s weights.

Figure 3 shows the general architecture of the suggested hybrid PSO-GWO DNNs. At the early stage of constructing the suggested hybrid optimization technique, the normalization preprocessing technique was employed to ensure that the studied features would equally contribute to the model within the same scale and offer more computation stability. Afterward, the PSO algorithm was adapted to optimize the hyperparameters (learning rate and the number of hidden layers) of the DNN. In the PSO algorithm, each particle had an initial position, and the updated initial position concerning its new velocity to ensure the particle position moved to the near-optimal solution. The initial position represents the initial candidate solutions, which are a combination of the hyperparameter values (learning rate and the number of hidden layers). In other words, each particle had a position vector that included two parts; the first part represented the learning rate ($\eta$), and the second part represented the number of hidden layers (h).

$$\mathrm{Particle}\mathrm{Position}=({\eta }_i,h_i)$$

The following equations determine the new position of the particle concerning its velocity:

$$v_i^{(t+1)}=w·v_i^{\left(t\right)}+c_1·r_1·(p_i^{\mathrm{best}}-x_i^{\left(t\right)})+c_2·r_2·(g^{\mathrm{best}}-x_i^{\left(t\right)})$$

(2)

$$x_i^{(t+1)}=x_i^{\left(t\right)}+v_i^{(t+1)}$$

(3)

where $\omega$ is the inertia weight, which controls how much of the previous velocity is retained. $c_1$ and $c_2$ are the cognitive and social coefficients, respectively. They control the influence of the particle’s personal best and the global best on the velocity update. $r_1$ and $r_2$ are random numbers in the range [0, 1], which introduce randomness in the exploration. $p_i$ is the personal best position of the particle. g is the global best position of the swarm. $x_i\left(t\right)$ is the current position of the particle.

The utilized fitness function was designed to measure the performance of the DNN according to the optimized learning rate and number of hidden layers; as PSO was designed to minimize the fitness function, the adapted fitness function is described as follows:

$$\mathrm{Fitness}=-\mathrm{Accuracy}$$

(4)

This optimization phase ensures that the global best values of learning rate ($\eta$) and hidden layer size (h) were achieved as well as maximizing the performance of the DNN. Following the optimization of the hyperparameters (learning rate ($\eta$) and hidden layer size (h)), we feed the optimized parameters to the GWO optimizers for the sake of optimizing the neuron’s weight. The GWO optimizer simulated the hunting behavior of gray wolves in nature. The best solution (leader) in the GWO algorithm is presented as the ($\alpha$) parameter. The second-best solution is presented as the ($\beta$) parameter, and the third-best solution is presented as the ($\delta$) parameter. The rest of the solutions were presented as ($\omega$) wolf parameters.

The main idea of GWO optimizers is that the rest of the wolves ($\omega$) follow the leaders ($\alpha$), ($\beta$), ($\delta$) to find the best solution (optimal neuron weight). In nature, gray wolves focus on surrounding their victim during hunting. This procedure was represented as the distance between the current solution (wolf) and the best solution. Therefore, the position (neuron weights) of each wolf is updated in terms of following the leader’s positions $\alpha$ as follows:

$$D_{\alpha }=|C_1·\alpha -X|$$

(5)

$$X_1=\alpha -A_1·D_{\alpha }$$

(6)

where A and C are coefficient vectors. In addition, the wolf position was updated to follow the rest of the leaders, $\beta$ and $\delta$, as follows:

$$\begin{array}{cc}\hfill D_{\beta }& =|C_2·\beta -X|\hfill \\ \hfill X_2& =\beta -A_2·D_{\beta }\hfill \\ \hfill D_{\delta }& =|C_3·\delta -X|\hfill \\ \hfill X_3& =\delta -A_3·D_{\delta }\hfill \end{array}$$

(7)

The final updated position is the average of these three leaders’ positions:

$$X(t+1)={\displaystyle \frac{X_1+X_2+X_3}{3}}$$

(8)

Algorithm 1 summarizes the adaptation of the PSO algorithm to optimize the learning rate and the number of hidden layers, while the GWO algorithm optimized the neuron’s weights.

Table 2. Explanation of symbols.

Symbol	Description
D	Sunburst attack dataset
N	Population size for PSO/GWO
T	Number of iterations
w	Inertia weight in PSO
$c_1,c_2$	Acceleration coefficients in PSO
$A,C$	Coefficients for GWO search mechanism
$X_{\mathrm{PSO}}^i$	Position of $i\mathrm{th}$ PSO particle (learning rate, hidden layers)
$X_{\mathrm{GWO}}^j$	Position of $j\mathrm{th}$ GWO wolf (DNN weights)
$v_i^t$	Velocity of $i\mathrm{th}$ PSO particle at iteration t
$p_{\mathrm{best}}$	Best position of a PSO particle (personal best)
$g_{\mathrm{best}}$	Best position of the entire PSO swarm (global best)
$l{r}_{\mathrm{best}}$	Optimal learning rate
$L_{\mathrm{best}}$	Optimal number of hidden layers
$W_{\mathrm{best}}$	Optimal neural network weights
$D_{\alpha },D_{\beta },D_{\delta }$	Distance of wolf from Alpha, Beta, Delta leaders
$X_{\alpha },X_{\beta },X_{\delta }$	Alpha, Beta, Delta wolves (top three best solutions)
$\mathcal{L}$	Loss function (cross-entropy for classification, MSE for regression)

shows the symbols used in the algorithm.

Algorithm 1 Hybrid PSO-GWO-based DNN for Sunburst attack detection.

1: Input: Dataset D (Sunburst attack dataset), population size N, number of iterations T, PSO hyperparameters $(w,c_1,c_2)$, and GWO coefficients $(A,C)$. 2: Output: Optimized Deep Neural Network (DNN) model. 3: Initialize the population of particles $X_{\mathrm{PSO}}$ (learning rate and hidden layers) and wolves $X_{\mathrm{GWO}}$ (weights). Step 1: PSO for Learning Rate and Hidden Layer Optimization 4: for each particle i in PSO population do 5:       Initialize position $X_{\mathrm{PSO}}^i=(lr,L)$. 6:       Evaluate fitness $f\left(X_{\mathrm{PSO}}^i\right)$ using cross-validation accuracy. 7:       for each iteration $t=1$ to T do 8:             Update velocity: $$v_i^{t+1}=w{v}_i^t+c_1{r}_1(p_{\mathrm{best}}-X_{\mathrm{PSO}}^i)+c_2{r}_2(g_{\mathrm{best}}-X_{\mathrm{PSO}}^i)$$ 9:             Update position: $$X_{\mathrm{PSO}}^{i,t+1}=X_{\mathrm{PSO}}^{i,t}+v_i^{t+1}$$ 10:           Evaluate new fitness $f\left(X_{\mathrm{PSO}}^i\right)$. 11:           Update personal best $p_{\mathrm{best}}$ and global best $g_{\mathrm{best}}$ if fitness improves. 12:       end for 13: end for 14: Set optimized learning rate $l{r}_{\mathrm{best}}$ and hidden layers $L_{\mathrm{best}}$ from best particle. Step 2: GWO for Neural Network Weight Optimization 15: for each wolf j in GWO population do 16:       Initialize position $X_{\mathrm{GWO}}^j$ representing neural network weights. 17:       Train DNN using $l{r}_{\mathrm{best}},L_{\mathrm{best}}$. 18:       Evaluate fitness $f\left(X_{\mathrm{GWO}}^j\right)$ using accuracy. 19:       for each iteration $t=1$ to T do 20:             Compute distance from leaders: $$D_{\alpha }=|C_1·X_{\alpha }-X_{\mathrm{GWO}}^j|$$ $$D_{\beta }=|C_2·X_{\beta }-X_{\mathrm{GWO}}^j|$$ $$D_{\delta }=|C_3·X_{\delta }-X_{\mathrm{GWO}}^j|$$ 21:             Update position: $$X_{\mathrm{GWO}}^{j,t+1}={\displaystyle \frac{X_{\alpha }+X_{\beta }+X_{\delta }}{3}}$$ 22:             Evaluate new fitness $f\left(X_{\mathrm{GWO}}^j\right)$. 23:             Update Alpha $X_{\alpha }$, Beta $X_{\beta }$, and Delta $X_{\delta }$ if necessary. 24:       end for 25: end for 26: Set optimized weights $W_{\mathrm{best}}$ based on Alpha wolf. Step 3: Train Final DNN 27: Train DNN with $l{r}_{\mathrm{best}},L_{\mathrm{best}},W_{\mathrm{best}}$. 28: Use loss function: $$\mathcal{L}=\left\{\begin{array}{c}\mathrm{Cross-}\mathrm{Entropy}\mathrm{Loss}, \mathrm{if}\mathrm{classification}\hfill \\ \mathrm{Mean}\mathrm{Squared}\mathrm{Error}, \mathrm{if}\mathrm{regression}\hfill \end{array}\right.$$ 29: Return: Final trained DNN model.

4. Experiments and Results

This section details the results of the suggested hybrid detection model for the sake of detecting Sunburst attacks. The performance of the suggested hybrid detection model was evaluated according to the standard performance metrics, including detection rate, recall, precision, F1-score, and confusion matrices. These performance metrics assisted in highlighting the model’s performance according to various scenarios. The experiments were conducted on Ryzen 7 5800U with 8 GB of RAM, which offered sufficient computational power for our hybrid approach. Although using higher-end hardware could enhance processing speed, the current setup was sufficient to effectively demonstrate the efficiency of our hybrid approach.

In the beginning, we employed the first experiment, which aimed to compare the performance of the hybrid PSO-GWO model versus the Adam optimizer [45] and standalone PSO, as well as standalone GWO algorithms. Each studied model applied the same DNN architecture to offer a fair comparison using the same Sunburst dataset. The suggested hybrid PSO-GWO model recorded 87% as the detection rate, which is superior to other baseline typical methods (standalone PSO, standalone GWO, Adam optimizer individually). Furthermore, the precision, recall, and F1-score were also outperformed compared to the baseline typical methods. During the training process and for the sake of avoiding overfitting, early stopping and dropout were employed. The parameter values of the utilized PSO for tuning the learning rate, the number of hidden layers, and GWO for tuning the neuron’s weight [46,47] are presented in

Table 3. The hyperparameter values of the GWO and PSO optimizers.

Optimizer	Hyperparameter	Value
	Inertia Factor	0.9
PSO	c1	2
	c2	2
GWO	Convergence Parameter a	0.9

.

The experimental results demonstrated the effectiveness of the suggested PSO-GWO detection model in terms of detecting Sunburst attacks. The optimized hyperparameters identified by PSO included a learning rate of $9.4\times {10}^{-3}$, and the number of hidden layers was 45. The optimized weights, subsequently tuned by the GWO algorithm, further enhanced the model’s ability to effectively detect Sunburst attacks. Figure 4 illustrates the obtained 5-fold cross-validation accuracy metrics of the suggested hybrid PSO-GWO for detecting Sunburst attacks. In addition, Figure 5 introduces the distribution of the neurons’ weights before adapting the optimization and after adapting the optimization technique. Figure 6 and Figure 7 illustrate the achieved ROC curve as well as the performance metrics, respectively.

The hybrid PSO-GWO optimization techniques demonstrate effectiveness in detecting Sunburst attacks as well as being superior to the typical methods, such as Adam optimizer. The histogram of weight distribution before and after optimization is presented in Figure 5 and indicates that the initial histograms of weight values are around the zero value. This indication could lead to limited variability and insufficient learning. From another perspective, this histogram of weight values is spread out, which could lead to enhanced learning capabilities. The presentation of weights in variability indicates that the GWO successfully contributed by optimizing the weights to enhance the model’s performance. The ROC curve in Figure 6 shows that the AUC value was 0.85, which indicates that the hybrid optimization model could distinguish effectively between classes. However, there is still room for improvement. The achieved performance metric results, which are presented in Figure 7, indicate that the hybrid model’s recall is higher than other metrics. This demonstrates the effectiveness of the suggested hybrid model for detecting positive cases (Sunburst attacks) effectively. Moreover, the F1-score recorded a good balance of model robustness. In addition, the detection rate was around 86% across 5-fold, which could indicate good generalizability.

Furthermore, for more extensive analysis, a second experiment was conducted to evaluate the suggested hybrid PSO-GWO along with other hybrid optimization techniques. The design of the second experiment was based on the strong foundation that the PSO algorithm is widely known for its robust global search capabilities, simplicity, and efficiency in exploring large, complex search spaces [48,49]. The studied hybrid optimization techniques are Genetic Algorithm (GA) [50], Differential Evolution (DE) [51], Ant Colony Optimization (ACO), and Simulated Annealing (SA) [52]. The studied optimization algorithms were used to optimize the neuron’s weight (instead of the GWO algorithm), while the PSO algorithm was used to optimize the learning rate and the number of hidden layers. In comparison with the suggested hybrid model (PSO-GWO), Figure 8 illustrates the achieved results of the studied optimization techniques in terms of convergence speed, measured by the number of required iterations to reach a detection rate of 80%.

It could be concluded that the suggested GWO-PSO hybrid technique was the fastest technique to achieve 80% for detecting Sunburst attacks. For in-depth analysis based on performance metrics such as detection rate and recall, Figure 9 compares the achieved results for the studied optimization techniques along with the proposed GWO-PSO hybrid model across various performance metrics.

To summarize the achieved results, the suggested incorporation of the PSO and GWO algorithms for optimizing the DNN structure was superior to other optimization techniques in terms of recall performance metrics. In addition, it could be concluded that precision, accuracy, and F1-score were balanced between 0.85 and 0.92. These results demonstrate that the PSO-GWO effectively detected the positive cases (Sunburst attack). In terms of the PSO-GA technique, it was lower than the suggested hybrid model for all performance metrics. The PSO-GA technique shows uniform performance between 0.80 and 0.85, which could imply a consistent but less effective performance. From another perspective, the PSO-SA technique continued the decreasing performance, converging around 0.80. These limitations of variation may highlight the difficulty of this hybrid technique to improve the performance successfully. It is worth noting that the PSO-DE was better than PSO-GA and PSO-SA in the Recall and F1-Score metrics. This improvement in performance metrics could highlight that PSO-DE could be a suitable candidate for detecting positive cases. Finally, PSO-ACO dropped in all studied performance metrics, which indicates that there was no significant improvement in various performance metrics. Consequently, the hybrid PSO-GWO outperformed other study techniques and recorded an exceptionally high score in the recall performance metric. The results demonstrate the effectiveness of the suggested hybrid model in cases where detecting positive cases is crucial. Moreover, the hybrid model was able to effectively tune the DNN parameters, which could enhance the performance metrics of the DNN in various aspects.

Although the results of the proposed solution are promising, there are some limitations to be considered. One limitation is that the suggested approach’s performance depends on the quality of the training data. In particular, the suggested approach may not generalize well to unseen datasets with different characteristics or patterns. Furthermore, adapting the model for real-time applications would require optimizing its computational efficiency and ensuring it can effectively handle dynamic and evolving network traffic.

5. Conclusions

This work has introduced a hybrid model that integrates PSO and GWO along with DNN to effectively detect Sunburst attacks. The integration of PSO was for optimizing the learning rate and the number of hidden layers. Moreover, the GWO algorithm was used to optimize the neuron’s weight. The aim behind the integration of these two optimization algorithms (PSO and GWO) was to fill the research gap by combining PSO-GWO with DNN to detect Sunburst attacks. The suggested hybridization takes advantage of the capabilities of PSO in exploitation as well as the capabilities of GWO in achieving a more balanced and effective optimization process. An open-source Sunburst attack dataset was used to evaluate the suggested hybrid DNN model. The purpose of using this dataset instead of other intrusion datasets was to include the requested case study (Sunburst), offering realistic traffic that was generated by real network devices. Furthermore, it includes full payload capture information. Hence, the previous characteristics ensured its suitability as the testbed environment of the proposed hybrid technique. At the early stage of constructing the suggested hybrid optimization technique, the normalization preprocessing technique was employed to ensure that the studied features would equally contribute to the model within the same scale and offer more computation stability. Afterwards, the PSO algorithm was adapted to optimize the hyperparameters (learning rate and the number of hidden layers) of DNN. Subsequently, after receiving the value of the number of hidden layers and the optimized learning rate value, the next step was to adapt the GWO algorithm to optimize the neuron’s weight. The experimental results demonstrated the suggested PSO-GWO detection model’s effectiveness in detecting Sunburst attacks. The optimized hyperparameters identified by PSO included a learning rate of $9.4\times {10}^{-3}$, and the number of hidden layers was 45. The optimized weights, subsequently tuned by the GWO algorithm, further enhanced the model’s ability to effectively detect Sunburst attacks.

In addition, a more in-depth analysis was conducted by adapting other optimization techniques: Genetic Algorithm (GA), Differential Evolution (DE), and Ant Colony Optimization (ACO). The suggested incorporation of the PSO and GWO algorithms for optimizing the DNN structure was superior to other optimization techniques, particularly in terms of the recall performance metric. In addition, it could be concluded that precision, accuracy, and F1-score were balanced between 0.85 and 0.92. These results demonstrated that PSO-GWO was able to effectively detect the positive cases (Sunburst attacks).

For future work, experimenting with a diverse range of intrusion datasets to evaluate the suggested approach’s performance in various real-world applications could be a promising direction. Additionally, incorporating other optimization techniques alongside PSO and GWO could lead to more robust approaches with improved performance.