Optimized Machine Learning-Based Intrusion Detection System for Fog and Edge Computing Environment

: As a new paradigm, fog computing (FC) has several characteristics that set it apart from the cloud computing (CC) environment. Fog nodes and edge computing (EC) hosts have limited resources, exposing them to cyberattacks while processing large streams and sending them directly to the cloud. Intrusion detection systems (IDS) can be used to protect against cyberattacks in FC and EC environments, while the large-dimensional features in networking data make processing the massive amount of data difﬁcult, causing lower intrusion detection efﬁciency. Feature selection is typically used to alleviate the curse of dimensionality and has no discernible effect on classiﬁcation outcomes. This is the ﬁrst study to present an Effective Seeker Optimization model in conjunction with a Machine Learning-Enabled Intrusion Detection System (ESOML-IDS) model for the FC and EC environments. The ESOML-IDS model primarily designs a new ESO-based feature selection (FS) approach to choose an optimal subset of features to identify the occurrence of intrusions in the FC and EC environment. We also applied a comprehensive learning particle swarm optimization (CLPSO) with Denoising Autoencoder (DAE) for the detection of intrusions. The development of the ESO algorithm for feature subset selection and the DAE algorithm for parameter optimization results in improved detection efﬁciency and effectiveness. The experimental results demonstrated the improved outcomes of the ESOML-IDS model over recent approaches.

. Fog edge computing. The intrusion detection system for fog and edge computing environments detects intruders in two ways: anomaly-based detection and signature-based detection, The normal behavior of the scheme is taken into account as a model in anomaly-based detection, which then examines the behavior of incoming traffic and categorizes it as either normal or abnormal based on the model that was built [10][11][12]. In contrast, signature-based detection compares incoming traffic to pre-established rules to determine whether to allow or reject it. In the past few years, there have been a variety of study articles developed in the area of intrusion detection systems for fog and edge computing environments [13,14]. Early research concentrated on supervised machine learning and unsupervised machine learning. There have also been attempts to implement advanced applications [15][16][17], such as a conventional detection method that allows the incorporation of the results of various classifications to effectively improve IDS performance.
This study introduces an Effective Seeker Optimization with Machine Learning-Enabled Intrusion Detection System (ESOML-IDS) model for FC and EC environments. The ESOML-IDS model intends to appropriately determine the existence of intrusions in the FC and EC environment. The ESOML-IDS model derives a novel ESO-based feature selection (FS) approach to choose an optimal subset of features. Moreover, comprehensive learning particle swarm optimization (CLPSO) with Denoising Autoencoder (DAE) is applied for the detection and classification of intrusions. In order to demonstrate the enhanced outcomes of the ESOML-IDS model, a wide range of simulations was carried out.

Contributions of This Study
The main contributions of this study are as follows: • We develop a new Effective Seeker Optimization with Machine Learning-Enabled Intrusion Detection System (ESOML-IDS) technique for intrusion detection and classification in FC and EC environments; • To detect and classify intrusions, a group of sub-processes are incorporated with the proposed technique, including pre-processing, ESO-based feature subset selection, a DAE classifier, and CLPSO-based parameter optimization; • To demonstrate the comparative advantages of the proposed technique over recent approaches, a wide variety of exhaustive simulations are carried out.
The rest of the paper is organized as follows. Section 2 surveys relevant research in this area of intrusion detection. Section 3 introduces the proposed model. Section 4 provides performance validation, showing the comparative advantages of applying the proposed techniques in terms of cost, accuracy, and comparative analysis. Finally, Section 5 concludes the paper.

Related Works
Lin et al. [18] presented a resource allocation and IDS architecture in edge computing. In particular, the presented method is developed to aid heterogeneous resource-demanding allocation and resource sharing. An edge computing IDS is introduced, and utilizing this approach is the foundation for resource allocation. Next, a single-layer dominant and max-min fair (SDMMF) allocation was employed. Li et al. [19] employed the game concept in the field of edge computing systems and recommended a data-driven mimicry ID game theory-based named GLIDE. The game income of participants and the utility computation method under distinct positioning approaches were analyzed. Wang et al. [20] presented an architecture for optimizing the smart false alarm reduction for DIDS-based edge computing devices. The proposed method could offer energy efficacy as the data could be treated at the edge for a short response time. The assessment result demonstrated that the architecture could assist in reducing the task for the central server and the delay in comparison with the comparative study.
Sudqi Khater et al. [21] presented a lightweight IDS-based vector space depiction with an MLP method. Next, they estimated the proposed method against the Australian Defense Force Academy Windows Dataset (ADFA-WD) and ADFA with Linux Dataset (ADFA-LD), which is a novel generation system dataset that comprises exploits and attacks on different applications. An et al. [22] presented a hypergraph clustering method based on the Apriori approach. Our study could efficiently determine the relationship among FC that is suffering from the threats of DDoS. Next, they verified that the resource consumption rate of the model could be efficiently promoted via DDoS analysis.
Mourad et al. [23] developed a vehicular edge computing (VEC) fog-assisted system that allows the offloading of IDS tasks to federated vehicle nodes situated within the Adhoc vehicular fog that is implemented with minimum latency. Abdel-Basset et al. [24] introduced a forensics-based DL (Deep-IFS) for identifying intrusions in IIoT traffic. The presented approach learns local representations with LocalGRU and presents an MHA to learn and capture global representations (with longer-range dependency). A residual connection among layers is developed for preventing data loss. Pacheco et al. [25] proposed an Anomaly Behavior Analysis Method based on ANN, to obtain an adaptive IDS that could be able to detect whether a fog node was compromised and also take proper action for ensuring transmission accessibility.

The Proposed Model
In this study, a novel ESOML-IDS approach was developed for intrusion detection and classification in FC and EC environments. The presented ESOML-IDS technique aimed to identify the occurrence of intrusions in the FC and EC environment. The ESOML-IDS technique encompasses a series of sub-processes such as pre-processing, ESO-based feature subset selection, a DAE classifier, and CLPSO-based parameter optimization.

Data Normalization
The z-score is a conventional standardized and normalized approach that signifies the number of standard deviations (SD). It normalizes the data set to the above-mentioned scale for converting every datum with a distinct scale to the default scale.
For normalizing the data utilizing the z-score, it can be subtracted the mean of populations in a rare data point and separated by the SD that offers a score ideally different amongst −3 and +3, thus reflecting that a point is several SDs above/below the mean, as calculated by Equation (1), where x signifies the value of the specific sample, µ stands for the mean and σ denotes the SD.

Design of ESO-Based Feature Selection Technique
The elastic collision seeker optimization algorithm (ESOA) involved in [26] has been employed in our system for feature selection. The seeker optimization algorithm (SOA) implements an in-depth search simulating human search performance. The SOA is optimized as a search for the most optimal solution with a team of explorers in exploring space, using the search team as the population and the seeker as the task approach. Three significant upgrading stages are called ESOs.

Search Direction
The forward orientation of searching is determined as the experience gradient attained in the individual effort and the estimation of another individual searching a past place. The egoistic path The seeker utilizes the technique of an arbitrary weighted average for obtaining the search orientation.
refers to the historical optimum place from the neighborhood, where the ith searching factor was placed; p i,best represents the optimum locality in the ith searching factor to present locality; ψ 1 is an arbitrary number from zero to one, and ω implies the weight of inertia.

Search Step Size
The ESO represents the capability of fuzzy approximation reasoning. The technique adjusts to the best estimate of the objectively optimized problem when it expresses a simple fuzzy rule. Greater significance is associated with longer searching stages, whereas lower fitness corresponds to shorter searching stages. The Gaussian distribution function was adapted for describing the search step measurements.
where α and δ represent the parameters of membership functions. Based on Equation (4), the probability of a resultant variable above [−3δ, 3δ] is less than 0.0111. Thus, µ min = 0.0111. However, for accelerating the convergence speed and attaining an optimum individual to take an undefined step size, µ max is fixed as 0.9.
where µ ij has been defined in Equations (5) and (6), I i refers to the number of sequences X(t) of the current individuals set in higher to lower function values, and the function refers to the real number from some partition [µ i , 1]. It is realized that Equation (5) reflects the arbitrary search performance of human beings. The step measurement of j dimension searching the interspace is defined in the subsequent formula: where δ ij refers to the parameter of the Gaussian distribution function that is demonstrated in Equations (8) and (9): where ω refers to the weight of inertia. While the evolutionary algebra improves, ω reduces linearly from 0.9 to 0.1. − → x min and − → x max , correspondingly, denote the variates of the minimal and maximal values of the function. Figure 2 depicts the flowchart of SOA.

Individual Location Updates
After obtaining the scout path and scout step measurement of individuals, the place upgrade is expressed as in Equation (10): i refers to the ith searching individual; j signifies the individual dimensional; f ij (t) and α ij (t), correspondingly, represent the seekers' path and searching step size at time t; and x ij (t) and x ij (t + 1), correspondingly, define the seekers' site at time t and (t + 1).
The mathematical model of the ESO-FS approach was established. Usually, the classification (for instance, supervised learning) requires some datasets that are of size N S × N F , whereas N S signifies the count of samples and N F defines the count of features. The main function of the FS problem is selecting a subset of features S in the entire amount of features (N F ), whereas the size of S is less than N F . It is attained by minimizing the subsequent main function: where γ s implies the classifier error utilizing S and |S| as the count of chosen features. λ is utilized for balancing amongst ( |S| N F ) and γ s .

Process Involved in DAE-Based Classification
During the intrusion detection process, the chosen features are fed into the DAE model to classify intrusions [27]. DAE is dependent upon the AE. Noise (Gaussian noise usually, or setting the data to zero arbitrarily) is present in trained data, and AE is required to be learned for removing noise so as to obtain uncontaminated input data. In the case of corrupted input, the AE is defined further as a stable and suitable feature that establishes a further advanced description of the input data and improves the robustness of the total method. At this point, x is the primary input data, x 1 is the corrupted input data, y is the novel feature attained by the encoded x 1 , and z represents the outcome attained by the decoded y. The reconstructing error is calculated by Equation (12): The cost function is computed as: Generally, it is only required to arbitrarily fix the unit from x to zero based on the noise figure k (k ∈ [0, 1]); afterward, x 1 is attained. This technique of resolving the parameters is similar to that of AE. Figure 3 displays the infrastructure of DAE.

Parameter Tuning Using CLPSO Algorithm
We used the CLPSO algorithm, developed by [28], to achieve optimal tuning of the parameters involved in the DAE model. PSO is a typical evolutionary computing approach stimulated in the analysis of the predation performance of birds; the basic concept of the PSO technique is sharing cooperation and data amongst individuals for finding the optimum solutions. The velocity signifies the speed and direction in which the particle moves. The position signifies the particle's position. In order to process all the particles, only the individual optimum experience and the global optimum experience of the total swarm are learned. Assume  (14) and (15): where i = 1, 2, . . . , N and d = 1, 2, . . . , D. However, w refers to the inertia weight, c 1 and c 2 stand for the acceleration co-efficient, and rand 1 (0, 1) and rand 2 (0, 1) are uniform arbitrary numbers. The CLPSO algorithm adapts the approach of comprehensive learning for selecting an object for learning, rather than learning by themselves, and the global optimum individual [28]. The velocity upgrading formula in CLPSO is determined as: where f i determines that particle pbests is the particle that i must follow, and rand(0, 1) ∈ [0, 1] refers to a uniform arbitrary number. The CLPSO allocates the learning probability Pc i to all the particles i utilizing the subsequent formula: In order to obtain all the solutions x i , it is learned from several particles rather than only two particles. All the components of particles i learn by themselves or by another particle depending upon learning probability Pc i . Arbitrary components of particles i will learn from another particle when all their elements learn by themselves. The superior fitness value of a solution is the superior possibility in which a particle is learned.
The CPSO technique is used for determining FF with the objective of minimizing the classifier error rate, as provided below. The solution with the minimum classifier error rate is assumed as a better solution.

Empirical Results and Validation
This section discusses the effectiveness of applying the ECSOML-IDS technique to detect and classify intrusions under several varieties of FS methods and class labels. It demonstrates and validates the enhanced outcomes of employing the ECSOML-IDS technique in terms of a wide set of accuracy metrics. Thus, the experimental work of this manuscript, together with the cost and performance analysis, is described below.

Cost Analysis
The UNSW-NB15 datasets are used for experimental validation because they have significant potential for attack pattern recognition and analysis, as well as being effective in enhancing the effectiveness of intrusion classifiers. In contrast to NSL-KDD and KDD-CUP'99, Zhang et al. [28] claim that the UNSW-NB15 dataset better simulates the current network traffic environment; the dataset holds a set of 42 features, including 3 categorical and 39 numeric features. Table 1

Performance Measures and Analysis
In this subsection, the impact of accuracy derived from utilizing the ECSOML-IDS technique, for different numbers of epochs, and label classes, is examined. Several performance metrics have been discussed in [*] for evaluating the effectiveness and quantifying errors resulting from using certain class types with a distinct number of epochs. In this paper, for performance validation purposes, several accuracy metrics have been used, such as training accuracy, validation accuracy, testing accuracy, precision, recall, and F1 score, which are denoted by tr a ccu, val a ccu, test a ccu, prec n , reca l , and F s core, respectively. Generally, classification accuracy is the ratio of the number of correct predictions to the total number of input samples.

Accuracy =
Number o f correct predictions Total numbero f predictions made (19) Moreover, the precision metric reflects the proportion of positive identifications that was actually correct. Therefore, precision is computed as follows: Meanwhile, the recall is the fraction of relevant instances that were retrieved. The recall can be mathematically defined as: where TP, FP, and FN are True Positive, False Positive, and False Negative outcomes, respectively. Moreover, the F1-score is the traditional F-measure or balanced F score F1score) and is defined as the harmonic mean of precision and obtained as:  Figure 5 portray the classification outcomes of the ESOML-IDS model under 1000 epochs and distinct classes. The results indicated that the ESOML-IDS model resulted in effective outcomes under every class. For instance, with a normal class, the ESOML-IDS model has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 83.38%, 83.56%, 78.22%, 82.72%, 81.50%, and 80.59% respectively. At the same time, with the DoS class, the ESOML-IDS model has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 83.14%, 83.50%, 80.18%, 82.10%, 83.47%, and 81.99%, correspondingly. Moreover, with the generic class, the ESOML-IDS system has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 82.46%, 82.88%, 80.43%, 82.08%, 81.21%, and 80.87%, correspondingly.  Furthermore, with the shellcode class, the ESOML-IDS method has obtained tr accu ,val accu , test accu , prec n , reca l , and F score of 83.52%, 81.65%, 77.33%, 82.88%, 82.82%, and 80.34%, respectively. Eventually, with the worms class, the ESOML-IDS approach has obtained tr accu ,val accu , test accu , prec n , reca l , and F score of 81.17%, 82.49%, 78.24%, 81.51%, 81.74%, and 81.26%, correspondingly.
The accuracy outcome analysis of the ESOML-IDS approach on test data is exhibited in Figure 6. The results demonstrated that the ESOML-IDS technique achieved improved validation accuracy related to training accuracy. It is also observable that the accuracy values become saturated with the epoch count of 1000.   Table 3 and Figure 8 portray the classification outcomes of the ESOML-IDS algorithm under 2000 epochs and distinct classes. The results indicated that the ESOML-IDS model resulted in effective outcomes under every class. For example, with the normal class, the ESOML-IDS technique has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 81.54%, 82.64%, 83.02%, 81.92%, 83.49%, and 82.18%, correspondingly. Simultaneously, with the DoS class, the ESOML-IDS approach has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 82.72%, 83.10%, 84.78%, 83.08%, 81.46%, and 83.82%, respectively. Moreover, with the generic class, the ESOML-IDS methodology has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 83.80%, 81.09%, 83.92%, 82.29%, 83.19%, and 83.97%, respectively. Moreover, with the shellcode class, the ESOML-IDS model has obtained tr accu ,val accu , test accu , prec n , reca l , and F score of 83.42%, 81.37%, 83.29%, 83.35%, 82.15%, and 82.55%, correspondingly. At last, with the worms class, the ESOML-IDS model has obtained tr accu , val accu , test accu , prec n , reca l , and F score of 82.64%, 83.59%, 82.82%, 82.74%, 82.68%, and 83.75%, correspondingly.  The accuracy outcome analysis of the ESOML-IDS approach on test data is showcased in Figure 9. The results demonstrated that the ESOML-IDS technique achieved improved validation accuracy related to training accuracy. It can be also observed that the accuracy values become saturated with the epoch count of 2000. The loss outcome analysis of the ESOML-IDS technique on test data is displayed in Figure 10. The figure reveals that the ESOML-IDS system resulted in reduced validation loss in terms of the training loss. It is additionally noticed that the loss values become saturated with an epoch count of 2000.   Table 4 and Figure 11 provide a comparative study of the DAE-IDS technique with existing techniques in terms of distinct measures. The results indicated that the SVM technique gained ineffective results, with accu y of 0.6109, prec n of 0.4747, reca l of 0.6200, and F1 score of 0.5377. In line with, the LR technique offered somewhat increased outcomes, with accu y of 0.6553, prec n of 0.7691, reca l of 0.6554, and F1 score of 0.6662. Then, the DT technique yielded moderate results, with accu y of 0.6603, prec n of 0.7982, reca l of 0.6604, and F1 score of 0.5112. Although the ANN and KNN techniques achieved reasonable classification results, the DAE-IDS technique showed enhanced performance, with accu y of 0.7834, prec n of 0.8010, reca l of 0.7786, and F1 score of 0.7946.   Table 5 and Figure 12 provide a comparative study of the ESOML-IDS model with existing models in terms of distinct measures. The results indicated that the SVM approach yielded ineffectual results, with accu y of 0.6153, prec n of 0.5395, reca l of 0.6152, and F1 score of 0.5131. Likewise, the LR system offered slightly increased outcomes, with accu y of 0.6529, prec n of 0.7088, reca l of 0.6529, and F1 s core of 0.6569.  Then, the DT approach yielded moderate results, with accu y of 0.6757, prec n of 0.7966, reca l of 0.6756, and F1 score of 0.6926. Afterward, the ANN and KNN models reached reasonable classification results, and the ESOML-IDS method accomplished enhanced performance, with accu y of 0.8309, prec n of 0.8248, reca l of 0.8250, and F1 score of 0.8308. After examining the above-mentioned tables and figures, it is apparent that the presented model achieved superior intrusion detection outcomes over the other techniques.

Conclusions
For intrusion detection and classification in FC and EC environments, a new ESOML-IDS technique has been developed in this manuscript, aiming to identify the occurrence of intrusions. The ESOML-IDS technique consists of a series of sub-processes including pre-processing, ESO-based feature subset selection, a DAE classifier, and CLPSO-based parameter optimization. For improving the detection efficiency in the aforementioned environments, the ESO algorithm for feature subset selection and DAE for parameter optimization have been utilized. Additionally, to demonstrate the enhanced outcomes of the ESOML-IDS model, a wide variety of empirical experiments with exhaustive simulations were carried out. The experimental results reported the enhanced outcomes of the ESOML-IDS model over the recent approaches, showing the superiority of the proposed technique in terms of accuracy, precision, recall, and F1 score. We believe that the proposed technique can be used to extract manifold benefits with a minimal loss in accuracy for detecting intrusions in FC and EC environments.

Data Availability Statement:
The datasets analyzed during this study are available from the corresponding author upon reasonable request.

Conflicts of Interest:
The authors declare no conflict of interest.