Lightweight Anomaly-Based Detection Using Cuckoo Search Algorithm and Decision Tree to Mitigate Man-in-the-Middle Attacks in DNS

Abstract

As technology advances, the services provided by domain servers require new innovative techniques that can be optimized for frequent changes. Man-in-the-Middle (MitM) attacks on Domain Name Servers (DNS) pose a security threat, enabling attackers to intercept, modify, and redirect network traffic to malicious sites or users. This study designed an anomaly-based detection scheme that identifies and mitigates MitM attacks on DNS. The proposed model utilizes machine learning algorithms and statistical analysis techniques to ensure that the analysis of DNS query patterns can efficiently detect anomalies associated with the MitM. By integrating the Cuckoo Search Algorithm, the scheme minimizes false positives while improving the detection rate. The Proposed scheme was evaluated using the Internet of Things Intrusion Detection (IoTID) and Intrusion Detection System (IDS) datasets, achieving a detection accuracy of 99.6% and demonstrating its effectiveness in minimizing the MitM attacks on DNS.

1. Introduction

As technology evolves and advances, the services provided by these improvements require new adaptive techniques optimized for frequent changes [1]. The Domain Name System (DNS) is a standard protocol that simplifies user interactions with network components and helps locate required resources [2]. It resolves domain names into Internet Protocols (IPs), enabling Unified Resource Locators (URLs) to function for websites and facilitating email communication. While the DNS can be a helpful tool for web browsers, it also exposes users to various types of DNS attacks, such as cache poisoning, where attackers insert corrupted data into the cache of a DNS resolver, causing it to return incorrect IP addresses. These redirected addresses can lead users to malicious websites [3]. Additionally, attackers can manipulate system settings to exploit vulnerabilities further. For instance, if a system is poorly configured with vulnerabilities, it becomes susceptible to Man-in-the-Middle (MitM) attacks [4].

MitM is a cyberattack in which the hacker intercepts, steals, and eavesdrops on communication between parties without their knowledge [5]. In such attacks, attackers can manipulate DNSs to redirect users attempting to access a legitimate website to a malicious clone controlled by the attacker. This enables the attacker to steal login credentials or insert malware into the user’s device without their knowledge [6]. There is, therefore, a need to develop robust anomaly detection schemes to enhance the security of the hosts and DNS to protect sensitive data, minimize false positives, monitor the system, and be adaptive to technological advancements.

Each host on the network is embedded with a lightweight detection scheme to improve the detection of malicious activities in real-time while ensuring low latency in detecting and responding to security incidents. The study also employs the Cuckoo Search Algorithm (CSA), an optimization algorithm inspired by the brood parasitism of some cuckoo species, where they lay eggs in the nests of other host birds [7]. The use of CSA in our detection scheme improves the efficiency of the search space. It can adapt to various data types and achieves high accuracy, robustness, and scalability. Furthermore, a Decision Tree algorithm is utilized to classify the processed data, further enhancing normal and anomalous network traffic classification. The following section reviews the related work and highlights the research issues and gaps while discussing techniques and methods used to improve the accuracy and efficiency of detection schemes [8].

Our study proposes a lightweight anomaly detection scheme for DNS MitM attacks by integrating the CSA for optimized feature selection and a Decision Tree for efficient classification. This integration enhances detection accuracy while maintaining low computational overhead, making it suitable for resource-constrained environments. The proposed approach demonstrates improved performance in detecting various DNS-based MitM attacks compared to existing methodologies.

2. Related Work

The primary goal of this review is to explore and evaluate the current state of research on anomaly-based Intrusion Detection Systems (IDSs) for MitM attacks, using CSA and Decision Tree algorithms for the DNS. By systematically analyzing and synthesizing existing studies, the review aims to identify gaps, summarize key findings, evaluate methodologies, and propose future directions.

2.1. Anomaly-Based Detection System

In cybersecurity, botnets are increasingly used as advanced techniques to generate sophisticated and coordinated attacks. A classic study by [9] introduced foundational concepts of anomaly detection in cybersecurity. Building on these foundations, a study by [10] proposed an anomaly-based system that combines Isolation Forest and Random Forest algorithms to detect malicious devices. The Domain Generation Algorithms search queries to the domain server for anomalous data [11]. The simulation results show that the proposed scheme performed better and achieved an accuracy of 99%. The scalability issues still needed to be addressed. Furthermore, there is a need to investigate whether the scheme is adaptive to evolving threats for real-time detection [12].

Anomaly-based methods suffer from high false positives that affect the performance of detection schemes. The study by [13] proposed a novel approach to minimize the false positives and differentiate between real cyberattacks and industrial failures. The proposed scheme combines two types of IDS with Neural Networks (NNs) integrated through a Decision-Making System (DMS). The performance of the integrated scheme was evaluated in a real industrial environment, achieving high accuracy and a low false positive rate. The scheme may be evaluated in real-time to investigate its adaptiveness and integrated with other cybersecurity tools and techniques to create a more comprehensive security framework [1].

2.2. Cuckoo Search Algorithm

While the CSA has demonstrated effectiveness in optimizing communication in Underwater Wireless Sensor Networks [14] and enhancing security in cloud environments [15], its core characteristics make it a promising solution for lightweight anomaly-based detection against MitM attacks in the DNS. Specifically, CSA is a population-based metaheuristic algorithm inspired by the brood parasitism of cuckoos. It is known for its efficient global search capabilities with fewer control parameters than other evolutionary algorithms. This efficiency is crucial for developing a lightweight detection scheme suitable for resource-constrained environments. Furthermore, CSA’s Levy flight behavior allows it to explore the search space effectively, potentially identifying subtle anomalies in DNS traffic patterns that more localized search strategies might miss.

This exploration capability is particularly relevant for detecting sophisticated MitM attacks that may not exhibit drastic deviations from normal behavior. The balance between local and global search inherent in CSA provides the potential to converge to optimal or near-optimal feature subsets for our Decision Tree classifier, leading to improved detection accuracy without excessive computational cost. The application of CSA for optimized feature selection in anomaly detection tasks, as seen in the context of improving IDS performance against large datasets [15], and addressing challenges like high false positive rates and long detection times often encountered with large data volumes in ML-based IDSs [16], highlights its adaptability to the challenges of detecting malicious patterns within network traffic data. Therefore, the inherent efficiency and robust search capabilities of CSA provide a strong rationale for its selection in our lightweight anomaly detection scheme for DNS MitM attacks.

2.3. Man-in-the-Middle Attacks

A classic study by [17] explored initial mitigation techniques for MitM attacks. Building on these foundational works, the study by [18] proposed an address and connection ID mutation to address the service-oriented MitM attack in Kubernetes. This addressed an external Internet Protocol (IP) design flaw. The proposed scheme counters the attacks at the expense of performance degradation. While the scheme has acceptable performance degradation, it requires optimization. The scalability of the scheme may also be investigated. To protect the innovative grid applications, the study by [19] proposed a Hybrid Network Intrusion Detection System approach (HNIDS), where machine learning-based anomaly and signature-based methods are integrated to detect and classify MitM attacks in eavesdropping mode using private area networks (PANs) without compromising customer privacy.

The study outlines vulnerabilities in client–server protocols, hence exploring the use of blockchain technology to secure data transactions between Distributed Energy Resources (DERs) and centralized control systems [20]. In the previous section, we explored challenges that require attention, such as the need for real-time adaptability in anomaly-based detection systems. The schemes suffer scalability challenges, hence the need to design new techniques. In the methodology section, we present and discuss how our detection scheme was developed and implemented.

2.4. Decision Tree-Related Works

The study by [21] evaluated various machine learning algorithms (MLAs), including Decision Trees for detecting MitM attacks. The study focused on leveraging AI to improve threat detection capabilities and preemptive countermeasures. The study identifies the vulnerability of traditional ICT architectures to MitM attacks, which compromise information confidentiality. The authors proposed a scheme that uses AI, demonstrating the good performance of the Random Forest (RF) algorithm (an ensemble of Decision Trees), which achieved high accuracy in detecting MitM attacks. The study primarily focused on the effectiveness of AI algorithms in detecting MitM attacks but did not extensively address the integration of these algorithms into real-world systems or their performance in diverse network environments.

While this study effectively demonstrates the potential of AI, including Decision Trees, for MitM attack detection, it is not lightweight and is not a real-time detection scheme. Our study’s emphasis on lightweight detection using CSA combined with Decision Trees addresses these gaps by ensuring low latency and adaptability to various data types.

This study by [22] developed an anomaly-based Intrusion Detection System using a deep learning model (PCC-CNN) and evaluated its performance on various datasets. The study addressed the challenge of detecting network attacks in IoT, which are increasingly targeted by cybercriminals. They proposed a deep learning model (PCC-CNN) to improve the detection accuracy of network attacks and compared its performance with state-of-the-art machine learning approaches. The study focused on deep learning models and did not explore the potential of combining different machine learning techniques, such as Decision Trees with optimization algorithms such as CSA. While this study highlights the effectiveness of deep learning models for intrusion detection, it does not consider the benefits of lightweight and adaptive schemes. Our study’s approach of integrating CSA and Decision Trees offers a more comprehensive solution that optimizes efficiency, accuracy, and adaptability.

3. Methodology

Our proposed solution is based on the use of a CSA for feature selection and a Decision Tree for classification to detect and mitigate MitM attacks in the DNS. The study selected the CSA and Decision Tree due to their advantages in efficiency, simplicity, robustness, and interpretability. CSA is highly efficient and accurate in feature selection, effectively exploring the search space to find optimal solutions, which are crucial for handling high-dimensional data. Its simple structure with minimal parameters makes it easy to implement and tune. Decision Trees, on the other hand, are robust classifiers capable of handling both numerical and categorical data without assuming any specific distribution. They provide clear and interpretable models essential for understanding the decision-making process. Recent studies have demonstrated that CSA-optimized models, when combined with Decision Trees, outperform traditional machine learning models in terms of classification accuracy and computational efficiency, making this combination an ideal choice for detecting and mitigating Man-in-the-Middle attacks in the Domain Name System.

We compared our proposed work with existing methods by [15], a study that proposes a novel method for anomaly detection using artificial neural networks (ANNs) optimized with CSA. The study enhances the accuracy and efficiency of IDS by leveraging the fast convergence rate and Levy flight mechanism of CSA. The proposed model uses the NSL-KDD dataset for training and testing, achieving good performance such as mean absolute error, mean square error, root-mean-square error, and accuracy compared to standard methods such as fuzzy clustering, ANN, and artificial bee colony. However, the model’s reliance on ANNs may lead to higher computational complexity and resource consumption, which may not be suitable for real-time applications. The model may not adapt to rapidly changing attack patterns and new emerging intrusions without frequent retraining. Meanwhile, our study employs a lightweight approach using CSA and Decision Tree, which provides faster processing and lower resource requirements, making it more suitable for real-time DNS traffic analysis and mitigation of MitM attacks.

Another existing method by [23] proposed a hybrid model combining the CSA with a Decision Tree for intrusion detection in network security. The study used the NSL-KDD dataset for training and testing to improve the classification accuracy and minimize false positives. The CSA was used to optimize the Decision Tree by selecting the best features and tuning the tree’s parameters. This hybrid approach leverages the global search capability of CSA and its interpretability of DT to enhance detection accuracy. Despite its advantages, the model may encounter challenges in real-time applications due to the computational overhead of optimizing the Decision Tree with CSA, compared to our proposed study, which provides a more streamlined approach with lower computational complexity. By focusing on DNS traffic and using a lightweight model, our system is better suited for real-time analysis and mitigation of MitM attacks, providing faster processing and adaptability to dynamic network conditions.

Our proposed scheme integrates the CSA with a Decision Tree to optimize the detection capability of the anomaly detection scheme. This integration aims to improve detection accuracy and minimize false positive rates, thereby securing the DNS server [24]. The proposed anomaly-based detection scheme, utilizing the CSA and Decision Tree, is integrated into the DNS server to enhance security against MitM attacks. By placing the scheme on the DNS server, it can monitor and analyze DNS traffic in real time, detecting anomalies that indicate potential MitM attacks as indicated in Figure 1. The CSA optimizes feature selection, ensuring that the most relevant data are used for detection, while the Decision Tree classifier accurately distinguishes between legitimate and malicious activities. This placement is strategic because the DNS server is a critical point in the network where attackers often attempt to intercept and manipulate traffic. By securing the DNS server, the scheme ensures that users receive accurate DNS responses and that any attempts to hijack the connection are promptly detected and mitigated, providing robust protection against MitM attacks.

3.1. Research Design

MitM attacks encompass different types of attacks, including Address Resolution Protocol (ARP) spoofing, DNS spoofing, Secure Sockets Layer (SSL) Stripping, and session hijacking. This study focuses on DNS spoofing attacks. Monitoring multiple attacks simultaneously can strain the resources and lead to performance degradation; hence, focusing on a single attack is convenient to ensure that the proposed scheme remains effective and responsive [18]. DNS spoofing is a well-documented MitM attack, making it a significant threat to network security. Failure to address the attack may result in severe consequences such as data interception, session hijacking, and unauthorized access. Machine learning enables the system to learn and make predictions. The study uses a machine learning-based approach to develop and evaluate the proposed anomaly-based detection scheme for DNS.

The study employs the CSA for feature optimization and search space exploration, while a Decision Tree is used for intrusion detection. This study utilizes secondary data downloaded from Kaggle, which is both time- and cost-efficient, as the data are readily available and reduce the time, effort, and resources required for primary data collection. Kaggle provides access to large and diverse datasets, which improves robustness and comprehensiveness for analysis. These datasets are often well documented and curated, ensuring high quality and reliability. Utilizing secondary data also allows for benchmarking results against other studies, providing valuable context for evaluating the effectiveness of a given scheme.

3.2. Detection Algorithm

Algorithm 1 illustrates the detection scheme that processes input from a dataset. The algorithm consists of two main functions: detect and preprocess. The algorithm receives input data from a dataset. The preprocess function is called to prepare the input data. The detect function iterates through each data point in the pre-processed data, and for each data point, it compares the value to a specified threshold. If a data point exceeds the threshold, the algorithm appends true to the detection results; otherwise, it appends false. The algorithm returns a list of detection results, indicating which data points met the threshold criteria. The threshold in our detection algorithm is derived using the CSA, which optimizes the threshold by evaluating various candidate values based on their detection accuracy and resource efficiency. Through iterative improvements and replacements, CSA identifies the optimal threshold that balances high detection accuracy with minimal false positives and false negatives. This ensures the threshold is well suited for real-time anomaly detection in the IoTD20 dataset.

Algorithm 1: Detection algorithm

1      def detect (input_data, threshold):

2             # Preprocess the input data

3             preprocessed_data = preprocess(input_data)

4             detection_results = [ ]

5

6             # Iterate through each data point in the preprocessed data

7             for data_point in preprocessed_data:

8                    if data_point > threshold:

9                        detection_results.append (True)

10                   else:

11                       detection_results.append (False)

12

13             return detection_results

14

15       def preprocess (input_data):

16            # Add actual preprocessing steps here if needed

17            return input_data

Algorithm 2 describes the CSA, where a cuckoo bird lays its eggs in randomly chosen nests. The fitness of each nest is evaluated, and if the fitness of the new solution Fj is better than the current solution, it is replaced with the best solution [7]. This process will be repeated until the set number of iterations is reached. The algorithm starts by defining an objective function and generating an initial population of host nests. It then iterates, using Levy flights to update cuckoo positions and evaluate their fitness. Unfit solutions are abandoned and replaced, while the best solutions are continuously updated. This algorithm is particularly effective for solving complex optimization problems due to its ability to optimize exploration (searching new areas) and exploitation (refining known good solutions).

It is also suitable for detecting MitM attacks because it can efficiently search for anomalies in network traffic patterns, which are indicative of such attacks. The CSA is suitable for this study due to its ability to explore and exploit the search space effectively, making it ideal for detecting anomalies in DNS traffic, which are often subtle and difficult to detect. Combining it with the Decision Tree, we aim to improve the detection accuracy and provide a robust solution for mitigating MitM attacks.

Algorithm 2: Cuckoo Search Algorithm

1     Objective function f(x), x = ( x1, x2, …, xd)T

2     Generate initial population of n host nests xi (i = 1, 2, …, n)

3     while t < stop criteria do

4            Get a cuckoo (say i) randomly by Levy distribution

5            Evaluate its fitness Fi

6            Choose a nest among n (say j) randomly

7            Evaluate its fitness Fj

8            if Fi > Fj then

9                    Replace j with the new solution

10         end if

11         A fraction of the worst nests are abandoned and replaced by new ones              using Levy flight

12         Keep the best solutions and continuously update the current best

13     end while

14     Repeat until the end

3.3. Cuckoo Search Detection Scheme

The framework in Algorithm 3 is the CSA detection Scheme algorithm designed to optimize the detection of anomalies in data. It begins by defining an objective function that evaluates the accuracy of detection results. The algorithm preprocesses the input data and uses a threshold to determine if each data point is an anomaly. The CS component generates an initial population of nests (potential solutions) and iteratively improves them using Levy flights. New solutions replace worse ones, and the best solutions are continuously updated. This process repeats until the maximum number of iterations is reached, ensuring that the algorithm converges to an optimal solution.

Algorithm 3: Cuckoo Search Detection Scheme

1     Objective function (params, input_data, threshold):

2          Detection results detects(input_data, threshold, params)

3          Return evaluate_accuracy(detection_results)

4     Detects (input_data, threshold, params):

5          Preprocessed data preprocess(input_data, params)

6          Return$[\mathit{data}\_\mathit{point} > \mathit{threshold} \mathit{for} \mathit{data}\_\mathit{point} \in$preprocessed_data]

7     Preprocessed (input_data, params):

8          Return input_data

9     Cuckoo search (input_data, threshold, n − L, max_iter − n):

10        Nests = np.random.rand(n, len(input_data))

11         best_nest = nests[0]

12         best_fitness = objective_function(best_nest, input_data, threshold)

13 for $\mathit{iter} \in$ range (max_iter) do

14          for $i \in$ range(n) do

15                new_nest = nests[i] + levy_flight( )

16                new_fitness = objective_function(new_nest, input_data, threshold)

17                j = np.random.randint(n)

18                if new_fitness > objective_function(nests[j], input_data, threshold)

then

19              nests[j] – new_nest

20          end if

21          if new_fitness > best_fitness then

22              best_nest, best_fitness = new_nest, new fitness

23          end if

24       end for

25       nests = abandon(nests)

26 end for

27 Return best_nest

28 Levy flight ( ):

29      Return np.random.randn( )

30 Abondon (nests):

31      Return nests

32 Evaluate accuracy (detection_results):

33      Return np.random.rand( )

4. Proposed Model

The study designed an anomaly-based detection scheme to mitigate the effects of MitM attacks and protect users and DNSs. An IoT dataset that contains malicious and regular traffic was used. The dataset was preprocessed to ensure it did not contain missing values, NAN values, and class imbalance, which can impact the scheme’s performance. The dataset was split into 70% training and 30% testing. The hyperparameters were optimized to build the proposed model. The Decision Tree classifier was used to detect the anomalies within the dataset. Since anomaly-based detection models suffer from high false positives, cuckoo search optimization improves exploration efficiency (allowing a global search in the parameter space) and exploitation (finding the best solution). The balance improves the algorithm’s efficiency in searching for the optimal threshold to minimize false positives without over-fitting the model.

Our study advances existing anomaly detection schemes through several key innovations tailored for resource-constrained environments. Prior work, such as CSA-optimized Artificial Neural Networks [25], has demonstrated its effectiveness. Our integration of CSA with Decision Tree classifiers provides a lightweight that is accurate. This is achieved by leveraging the CSA not just for general optimization but specifically for feature selection to identify a minimal subset of highly informative features crucial for detecting MitM attacks in DNS traffic. The focus on feature reduction translates to a less complex and faster Decision Tree model, which is a critical advantage in resource-limited IoT or edge deployments where computational efficiency is paramount. Furthermore, our approach integrates a novel application of Statistical Process Control (SPC) with the Expected Weighted Moving Average (EWMA) as the CSA’s objective function [26].

Unlike conventional objective functions that primarily focus on maximizing classification accuracy, our SPC-EWMA method improves the feature selection process by prioritizing feature subsets that yield high detection rates, demonstrate stability, and minimize false positives. The emphasis on statistical control enhances the robustness and reliability of the detection mechanism, providing a more practical solution for real-world deployment, where consistent performance and low false alarm rates are essential. In contrast to existing methods that face challenges related to scalability and adaptability in response to the dynamic nature of network threats [27], the inherent efficiency of the Decision Tree, coupled with the CSA’s ability to adapt its feature selection based on the specific characteristics of the DNS traffic and evolving MitM attack patterns, ensures a more responsive and scalable solution. The detailed performance metrics, particularly the demonstrated improvements in detection accuracy and the reduction in false positive rates, further underscore the compelling advancement of the lightweight CSA-Decision Tree approach over prior work, providing a more practical and efficient strategy for securing DNS against MitM attacks in resource-sensitive environments.

Figure 2 illustrates the proposed model’s process. The algorithm starts with a root node that represents the entire dataset, preprocesses the data, and splits the dataset into subsets based on the attribute values test. This process is repeated recursively for each derived subset; thus, there are decision nodes where the data are split. The CSA is then used to build and train the model, utilizing a Decision Tree that incorporates a progress bar that dynamically indicates the classification process, distinguishing between normal and anomalous activities.

5. Objective Function

The CSA’s objective function is computed using Statistical Process Control (SPC). SPC is an advanced method designed to measure and control quality by monitoring ongoing processes. It is a practical approach that continuously improves monitoring. Using the Expected Weighted Moving Average (EWMA), the most recent security attacks are assigned the highest weights, while older attacks are assigned decreasing weights over time. This ensures that EWMA is more responsive to recent security attack changes, making it highly useful for fast decisions. The EWMA utilizes a smoothing parameter λ and control limit L. Thus, increasing λ (closer to 1) makes the chart less sensitive to small shifts and minimizes false positives. Smaller λ values make the EWMA more sensitive to minor variations, enhancing early detection. The objective function can be calculated as follows:

$$\mathrm{M}\mathrm{i}\mathrm{n}\mathrm{J}\left(\mathrm{L},\mathrm{h}\right)=\mathrm{w}1\ast \mathrm{F}\mathrm{A}\mathrm{R}+\mathrm{w}2\ast \mathrm{D}\mathrm{D}$$

where FAR is the false alarm rate, $\mathrm{D}\mathrm{D}$ Is the detection delay, $\mathrm{L}$ (for Shewhart or EWMA charts) are the decision parameters, and $\mathrm{w}1\wedge \mathrm{w}2$ There are weights to show the relative importance of false positives and detection speed. Figure 3 shows the statistical process control used to control the values of the objective function to minimize the false positives while improving the detection accuracy of the proposed model. An emergency action might be required when the process exceeds the upper limit baseline.

6. Experimental Simulation Results

Table 1. Simulation Parameters.

Parameters	Values
Platform	Kaggle
Programming language	Python 3.10
Algorithms	Decision Tree, CSA, SVM, LOF, CSA-ANN, CSA-DT
Datasets	IoTID20, Intrusion Detection Dataset (IDD)
Metrics	Precision, Recall, F1-score, Accuracy
Objective function	Statistical Process Control
Population size	10–20 (nests)
Number of iterations	20–50
Discovery rate	0.2–0.4
Max_depth	10–20
Min_samples_split	5–10
Min_samples_leaf	3–5

presents the key parameters and their corresponding values in this study. These parameters define the framework for implementing and evaluating the proposed anomaly-based detection scheme to mitigate MitM attacks on DNSs. The simulations and experiments are conducted on Kaggle, which provides a collaborative environment with access to powerful computational resources. The implementation of the detection scheme is performed using Python 3.10, a versatile and widely used programming language. The study employs several algorithms to detect anomalies, including Decision Tree, CSA, Support Vector Machine (SVM), and Local Outlier Factor (LOF). Our study utilizes two datasets for training and evaluation. IoTID20 is a dataset specifically designed for intrusion detection in IoT networks. It contains various types of network traffic data, including normal and attack scenarios, and the Intrusion Detection Dataset (IDD). This comprehensive dataset includes a wide range of network intrusion types. It is used to evaluate the performance of detection algorithms in identifying various attacks.

The performance of the detection schemes is evaluated using precision, recall, F1-score, and accuracy. The objective function used in this study is based on SPC, a quality control method that uses statistical techniques to monitor and control processes. The population size ranges from 10 to 20, reducing the number of feature subsets explored in each iteration. The number of iterations is focused between (20–50); limiting the number of iterations prevents the CSA from running excessively long. Our discovery rate ranges from 0.2 to 0.4 because a moderate abandonment rate encourages the exploration of new feature subsets without prematurely converging to a potentially suboptimal solution.

6.1. Dataset

The proposed model was evaluated using a publicly available IoTID20 dataset [20], which was created by the SECLAB at the University of Jyväskylä and the Canadian Institute for Cybersecurity, for anomaly detection in IoT networks. This dataset was designed to provide realistic IoT network traffic data, including normal and anomaly behavior. The dataset comprises 625,783 instances, with 500,000 instances for the training set and 127,783 for the testing set. Each instance is characterized by 83 features, including network flow features such as source and destination IPs, ports, protocols, packet sizes, duration, and statistical features derived from the flow. The dataset exhibits an imbalanced class distribution, as depicted in Figure 4. This comprehensive dataset captures different attacks on IoT devices. Generating a new dataset from scratch is time-consuming and resource-intensive, involving data collection, labeling, and preprocessing. Utilizing the existing dataset allows for a focus on developing and refining the proposed detection scheme.

Handling imbalanced data is crucial for building an effective model. We applied several preprocessing steps to address the class imbalance in the IoTID20 dataset to ensure the model could learn from the data effectively. We cleaned the data to remove duplicates or irrelevant instances, ensuring the dataset’s quality. Feature selection was conducted to reduce dimensionality and enhance accuracy by retaining the most relevant features and ensuring that all features contributed equally to the learning process. To tackle the class imbalance, we employed the Synthetic Minority Over-Sampling Technique (SMOTE), which generates synthetic samples for the minority class, thereby balancing the dataset. This combination of preprocessing steps, data cleaning, normalization, feature selection, and oversampling using SMOTE ensured that our model could learn effectively from the imbalanced data and make accurate predictions.

To solve the overfitting of the model, our study uses CS to select the most relevant features from the preprocessed data, minimize dimensionality, and focus on the most relevant information. Furthermore, the CS optimizes the hyperparameters of the Decision Tree classifier, tuning its complexity to avoid memorizing noise in the training data. The trained model was evaluated using cross-validation on a separate dataset to ensure its generalization capability and confirm that the selected features and optimized hyperparameters lead to effective anomaly detection without overfitting the specific characteristics of the training set.

Our evaluation benchmarks the proposed lightweight anomaly detection framework against contemporary state-of-the-art methods, encompassing ensemble techniques like Random Forests and deep learning architectures such as Convolutional Neural Networks (CNNs). The comparative analysis reveals that while our approach prioritizes computational efficiency and maintains a lean profile suitable for real-world deployment, it achieves comparative performance in detecting MitM attacks in DNS. By directly contrasting our method with these established approaches, we provide a clear and compelling context for its effectiveness, underscoring its advantages in balancing detection accuracy with the need for resource-conscious operation in practical security implementations. Since the CSA optimizes feature selection, the main ten features are shown in

Table 2. Feature Importance.

Feature	Importance
Source IP	High
Destination IP	High
Source Port	Medium
Destination Port	Medium
Protocol	High
Flow Duration	High
Total Fwd Packets	Medium
Total Backward Packets	Medium
Fwd Packet Length Mean	High
Bwd Packet Length Mean	High
Flow Bytes/s	Medium
Flow Packets/s	Medium
Bwd IAT Mean	High
Fwd PSH Flags	Medium

, and their importance is extracted by the CSA.

Figure 5 shows the confusion matrix of the proposed scheme, indicating that the positives and negatives were identified, which suggests good performance. It also shows that false positives and negatives are minimized. The proposed scheme was implemented on the Kaggle platform using Python. Our proposed scheme was implemented on Kaggle using Python, employing the CSA to optimize the Decision Tree’s hyperparameters. Given the CSA’s complexity and dynamic nature, we opted for 20 nests and 10 iterations. This configuration aimed to balance exploration of the hyperparameter space with computational efficiency; a larger number of iterations could increase processing time and costs, while too few may prevent convergence to a satisfactory solution. The permissible ranges for these hyperparameters were defined by the lower (2) and upper (50) bounds of the CS.

To ensure the stability and reliability of the optimized hyperparameters, we integrated SPC to monitor the best parameter values identified by the CSA in the 10 iterations. As recorded by the SPC, the optimal parameters converged to a max_depth of 20, min_samples_split of 5, and min_samples_leaf of 3, achieving an average accuracy of 0.9881. Figure 5 illustrates the parameter values explored by the CS algorithm over the iterations, along with the overall mean (29.59) and the expected normal range centered around this mean. This approach provides a degree of control over the selected parameters, although a more formal sensitivity analysis to justify the initial CSA parameters (20 nests, 20 iterations) would further strengthen the robustness of our results.

This helps to evaluate whether the proposed model is underperforming and identify sudden spikes indicating abnormal behavior, which can be recorded in the control chart. Figure 6 further shows that lower values are above the lower bound, while upper values are above the mean but below the upper limit.

The proposed model was compared to the Support Vector Machine (SVM), the Local Outlier Factor (LOF), the CSA-DT, and CSA-ANN, with CSA-DT and CSA-ANN both optimized using the same CS approach as our proposed model. We included SVM for its ability to perform well with imbalanced datasets and LOF for its specific design in anomaly and outlier detection. The Decision Tree component of our proposed model, such as CSA-DT and CSA-ANN, was also optimized using the CSA to handle the inherent class imbalance in the data effectively. All models were evaluated using the Internet of Things Intrusion Detection (IoTID20) dataset.

Table 3. Performance comparison of the proposed model with existing methods.

Model	Precision	Recall	F1-Score	Accuracy
Proposed Model	0.9987	0.9886	0.9936	0.9976
CSA-ANN	0.9780	0.9700	0.9740	0.9876
CSA-DT	0.9845	0.9789	0.9817	0.9912
SVM	0.9621	0.7713	0.8444	0.9723
LOF	0.9042	0.8754	0.8501	0.8721

details the performance metrics for all the compared algorithms across Precision, Recall, F1-score, and Accuracy, providing a comprehensive evaluation of their performance on the IoTID20 dataset.

Figure 7 shows the simulation results from Table 3, indicating that the proposed model outperformed the SVM, LOF, CSA-ANN, and CSA-DT models. The proposed model achieved the highest accuracy of 99.76%. Compared to CSA-ANN, which had an accuracy of 98.76%, the proposed model improved by 1.01% compared to CSA-DT (99.12%), which achieved a 0.64% improvement. The improvement over the traditional SVM model (97.23% accuracy) was 2.53%, and compared to LOF (87.21% accuracy), it was a significant 12.55% difference. CSA optimization contributed to better performance in both CSA-ANN and CSA-DT by selecting the most relevant features, which enhanced generalization and accuracy. However, despite these gains, they did not outperform the proposed model.

The SVM model achieved a precision of 0.9621 but had a low recall of 0.7713 and an F1-score of 0.8444, indicating issues with imbalanced data and a higher rate of false negatives. SVM also becomes computationally intensive as the dataset size increases. The LOF model had the lowest performance, with an accurate score of 87.21% and lower scores in all metrics. Its assumption of uniformly distributed data makes it ineffective for data points that are uniformly distributed; thus, it struggles with highly skewed distributions, failing to identify outliers effectively.

The proposed model was evaluated using an Intrusion Detection Dataset consisting of regular and anomalous traffic. The training dataset comprises 25,192 instances and 42 features, while the testing dataset consists of 22,544 instances and 41 features, without a class label. The proposed model was evaluated using two sets of datasets: one for general intrusion detection and another for Internet of Things (IoT) intrusion detection, to evaluate its performance in real-world IoT environments. The best parameters generated by the cuckoo search are max_depth = 50, min_samples_split = 2, and min_samples_leaf = 1, with an average accuracy of 0.996.

Table 4. Comparison of the proposed model with existing methods using the IDD.

Model	Precision	Recall	F1-Score	Accuracy
Proposed Model	0.99631	0.98835	0.99801	0.99591
CSA-ANN	0.9725	0.9655	0.9690	0.9890
CSA-DT	0.9631	0.9585	0.9671	0.9776
SVM	0.96864	0.95905	0.95884	0.95889
LOF	0.76652	0.72774	0.74518	0.75844

shows the simulation results using the Intrusion Detection Dataset.

Figure 8 depicts the results of the proposed model, highlighting its superior performance compared to the SVM, LOF, CSA-ANN, and CSA-DT models. The dataset used has fewer instances compared to the IoTID dataset and is likely skewed, which significantly impacts the performance of the LOF model. LOF, designed to detect local outliers, struggles with skewed distributions and is also affected by noise, leading to lower performance metrics, achieving only 75.84% accuracy. The proposed model achieved the highest performance with an accuracy of 99.59%, reflecting an improvement of 3.68% compared to-CSA-ANN, 1.83% compared to CSA-DT, 3.67% compared to SVM, and 23.75% compared to the LOF across all models. The CSA-ANN and CSA-DT models benefited from optimization through CSA, improving feature selection and generalization. Among them, CSA-DT showed solid performance but lagged behind the proposed model. While the SVM maintained a balanced precision and recall, its lower overall accuracy and F1-score highlight that it is less effective with skewed or imbalanced datasets. While SVM is known for its interpretability and reliability, it falls short compared to the proposed model’s robustness and accuracy.

Datasets Comparison

Figure 9 shows the performance analysis of the proposed model against SVM, LOF, CSA-ANN, and CSA-DT methods across two benchmark datasets. The proposed model consistently performs well, demonstrating good accuracy, precision, recall, and robustness. This demonstrates not only its strong predictive capability but also its robustness in varied data environments. The CSA-ANN, though it benefits from CSA for feature selection, exhibits slightly lower performance. Although it achieves comparative accuracy, its overall performance is limited by the inherent limitations of ANN, its black-box nature, and reliance on extensive training data and hyperparameter tuning. The CSA-DT performs better than both SVM and LOF, likely due to its structural resemblance to the proposed model and its use of Decision Trees. However, without further optimization, such as through CSA in the classification phase, its performance is less consistent, likely due to data complexity and distribution sensitivity, leading to overfitting or underfitting.

The SVM performs better on the IoTID20 dataset than the IDD but is outperformed by the top-performing models. While SVM maintains reasonable precision and accuracy, its recall drops significantly, especially on the IDD, indicating difficulty in detecting all relevant anomalies. While the LOF consistently yields the lowest results in both datasets, its poor scalability in dynamic environments where data distributions evolve limits its effectiveness. The drastic drop in recall and F1-score, particularly in Dataset 2, highlights its inability to adapt to new or emerging anomaly patterns, making it less suitable for real-time intrusion detection applications. Thus, this clearly shows that the proposed scheme is most effective and reliable across datasets, keeping a good balance between accuracy and robustness, which is essential for practical deployment in dynamic cybersecurity environments.

Figure 10 shows the control chart of our proposed model. Due to a lack of access to the actual DNS for live evaluation of our model, the study used the PUF dataset, a labeled flow-based DNS dataset, specifically designed for anomaly detection. The data were captured from the computer center of Panjab University, encompassing real network traffic, which is approximately 298,463 instances, with 260,343 labeled as benign and 38,120 as malicious. The features include statistically derived and entropy-based features, facilitating the detection of compromised hosts and anomalous sub-networks. By choosing the 20% control range, we ensure that our model’s performance is monitored effectively, with a clear threshold for identifying significant deviations. This helps maintain the reliability and accuracy of the model while quickly addressing any potential issues. The intervals help detect subtle changes, monitor consistency, identify trends, and pinpoint outliers. This approach ensures we can make informed decisions to improve our model’s accuracy and reliability.

The CSA and Decision Trees provide a good combination for lightweight anomaly detection, achieving high accuracy with minimal computational overhead and resource consumption. The CSA’s efficient search mechanism narrows the search space, while Decision Trees are simple and fast, requiring less memory and processing power than complex models such as deep learning. This synergy provides a unique balance, making it an ideal choice for real-time applications where low latency and efficient resource utilization are critical, outperforming other lightweight methods such as LOF and Isolation Forest in memory usage and CPU-intensive techniques such as Autoencoders and CNNs [25].

Acknowledging Python’s limitations for precise, real-time system-level monitoring, this study validates the lightweight nature of the proposed scheme by monitoring resource consumption during training and evaluation, with comparative results for CPU usage, memory usage, disk I/O, and execution time presented in Figure 11. Due to resource constraints during training, a lightweight detection scheme was proposed. The results show that the SVM, LOF, CSA-ANN, and CSA-DT models consume more resources than the proposed model. Specifically, SVMs’ computational cost and training time increase with high-dimensional data, and while LOF avoids kernel functions, it remains computationally expensive in such scenarios. CSA-ANN is significantly more resource-intensive than CSA-DT due to the inherent demands of ANNs, especially with large feature spaces and without heavy optimization. While CSA-DT showed slightly higher resource usage in the study, the specific features and search space were unclear, suggesting the potential for resource intensiveness if not adequately controlled.

Table 5. Performance Resource Consumption.

Model	CPU Usage (%)	Memory (MB)	Disk I/O (Bytes)	Execution Time (s)
LOF	14.0	320	110,000	3.5
SVM	17.5	480	190,000	4.6
Proposed Model	12.5	290	100,000	3.0
CSA-ANN	25	650	250,000	7.8
CSA-DT	15.6	350	125,000	4.5

illustrates that the proposed model, leveraging CSA for efficient feature selection and a Decision Tree for rapid classification, demonstrates superior resource efficiency compared to the LOF, SVM, CSA-ANN, and CSA-DT models. As shown in the resource consumption analysis, our proposed model exhibits the lowest CPU usage, memory usage, and disk I/O, coupled with the fastest execution time, making it ideal for resource-constrained environments. This optimizes high detection performance with minimal overhead, underscoring its practical advantage for mitigating MitM attacks in DNS.

In Figure 12, we have included the AUC-ROC score of 0.91, indicating that the proposed scheme, the CSA-optimized Decision Tree model, exhibits the ability to differentiate between the two classes, signifying a high actual positive rate with a low false positive rate. This good performance highlights that the model is very effective at correctly identifying instances of one class versus the other, translating to accurate anomaly detection with minimal false alarms. The high AUC highlights the potential of our approach in distinguishing between normal and malicious DNS traffic, showcasing the benefits of addressing class imbalance and employing intelligent feature selection and/or hyperparameter tuning, as indicated in Figure 11.

7. Discussion

The lightweight CSA-optimized Decision Tree was evaluated in different datasets, which highlights the effectiveness of this hybrid approach for DNS MitM attack detection, especially in resource-constrained IoT environments. The CSA’s efficient feature selection enables the Decision Tree to accurately classify network traffic with low computational overhead, outperforming traditional methods such as SVM, LOF, and the more resource-intensive CSA-ANN and CSA-DT methods, as using CSA is inherently resource-intensive. Studies that used CSA lack clarity on the number of batch sizes allowed for the CSA search space. This balance between high detection accuracy and low resource consumption highlights the potential of metaheuristic optimization in enhancing machine learning-based intrusion detection for complex network environments. These findings have significant implications for securing IoT and other resource-limited networks against sophisticated DNS-based attacks. Our lightweight and effective scheme provides a practical alternative to heavier, less adaptable methods. CSA’s success in feature optimization presents a valuable strategy for handling high-dimensional network data, making it possible to develop more efficient and deployable security solutions.

Table 6. Comparative analysis table.

Aspect	Proposed Model	CSA-ANN [28]	DT-CSA [23]	Coarse Tree ABD Model [29]
Technique	Lightweight CSA-DT	CSA optimized ANN	Decision Tree optimized with CSA	Coarse Tree Algorithm-based model
Performance metrics	High accuracy and minimal execution time	High accuracy (R2 = 0.97) in prediction tasks	Reliable classification with reduced bias	Effective detection of unstructured cyberattacks
Novelty	Combines CSA with DT for lightweight anomaly detection in DNS	Combines CSA with ANN for enhanced prediction	Integrates CSA with DT for improved decision-making	Lightweight and tailored for process control networks
Application	Cybersecurity in Domain Name Server	Water quality prediction	Soil classification	Cybersecurity in oil and gas networks
Limitations	Struggles with datasets with high variability, affecting its effectiveness.	Lower sensitivity for minority classes	May exhibit reduced accuracy in complex datasets	Limited to specific types of cyber-attacks

presents a comprehensive overview of existing studies focusing on their contributions, approaches, and targeted attacks. While prior works like CSA-ANN and DT-CSA demonstrated notable advancements, they often experience challenges such as resource intensity and reduced efficacy in high-dimensional datasets. In comparison, our proposed lightweight model combines efficiency and precision to address DNS MitM attacks with minimal computational overhead. Its innovative feature optimization technique through CSA ensures robust anomaly detection, even in resource-constrained IoT environments. Furthermore, leveraging a streamlined hybrid approach, our model outperforms traditional methods in detecting accuracy and adaptability, addressing a research gap in the field. These improvements demonstrate the potential of our model as a reliable and scalable solution for enhancing cybersecurity in complex networks.

8. Conclusions

Domain Name Servers are crucial systems that must be protected against MitM attacks, such as eavesdropping and interception, which can lead to severe consequences if not addressed. The study developed a lightweight anomaly-based model to counter these attacks on secure DNSs. Two datasets were used to evaluate the proposed model. The results show that it outperformed the traditional SVM, LOF, CSA-ANN, and CSA-DT models, achieving an accuracy of 99.6%. These findings indicate that the model can potentially improve cybersecurity measures and harden DNS. Its adaptability proposes that it could be extended to other domains where MitM attacks are a challenge.

The CSA-DT model, while innovative and leveraging CSA techniques, also performed well but was less effective compared to the proposed model. It shows good precision and recall, but its effectiveness is slightly lower due to challenges in handling dynamic and high-dimensional data. Future research could involve a broader comparison with contemporary machine learning and optimization techniques. Methods such as deep learning algorithms, ensemble learning approaches, and advanced evolutionary algorithms could be considered to validate and benchmark the performance of the proposed scheme more thoroughly.