Article

Optimizing Cyber Threat Detection in IoT: A Study of Artificial Bee Colony (ABC)-Based Hyperparameter Tuning for Machine Learning

1 Department of Information Technology, Faculty of Prince Al-Hussien bin Abdullah, Hashemite University, Zarqa 13133, Jordan
2 Department of Information Technology, Higher Colleges of Technology, Sharjah P.O. Box. 25026, United Arab Emirates
3 Department of Information Technology, The University of Jordan, Amman 11931, Jordan
4 Department of Computer Science, Faculty of Information Technology, Zarqa University, Zarqa 13110, Jordan
5 Department of Information Technology, Information Technology and Computer Science Faculty, Yarmouk University, Irbid 21163, Jordan
6 Department of Computer Science, Irbid National University, Irbid 21110, Jordan
7 Department of Computer Science, Informatics and Computer System College of Computer Science, King Khalid University, Abha 61421, Saudi Arabia
8 Department of Software Engineering, Faculty of Information Technology, Isra University, Amman 11622, Jordan
* Author to whom correspondence should be addressed.
Technologies 2024, 12(10), 181; https://doi.org/10.3390/technologies12100181
Submission received: 23 August 2024 / Revised: 9 September 2024 / Accepted: 19 September 2024 / Published: 30 September 2024
(This article belongs to the Section Information and Communication Technologies)

Abstract

In the rapidly evolving landscape of the Internet of Things (IoT), cybersecurity remains a critical challenge due to the diverse and complex nature of network traffic and the increasing sophistication of cyber threats. This study investigates the application of the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization (HPO) in machine learning classifiers, specifically focusing on Decision Trees, Support Vector Machines (SVM), and K-Nearest Neighbors (KNN) for IoT network traffic analysis and malware detection. Initially, the basic machine learning models demonstrated accuracies ranging from 69.68% to 99.07%, reflecting their limitations in fully adapting to the varied IoT environments. Through the employment of the ABC algorithm for HPO, significant improvements were achieved, with optimized classifiers reaching up to 100% accuracy, precision, recall, and F1-scores in both training and testing stages. These results highlight the profound impact of HPO in refining model decision boundaries, reducing overfitting, and enhancing generalization capabilities, thereby contributing to the development of more robust and adaptive security frameworks for IoT environments. This study further demonstrates the ABC algorithm’s generalizability across different IoT networks and threats, positioning it as a valuable tool for advancing cybersecurity in increasingly complex IoT ecosystems.

1. Introduction

In the rapidly evolving landscape of the Internet of Things (IoT), ensuring the reliability and security of operations through effective network traffic analysis and malware detection is paramount [1]. The diversity and volume of cyber threats continuously challenge existing security measures, pushing the adoption of advanced technological solutions tailored to the unique characteristics of IoT environments [2,3]. Machine learning (ML) has emerged as a powerful tool in this domain, capable of analyzing vast amounts of IoT network traffic data to reveal patterns of malicious behavior [4,5,6], thus improving the ability to detect and respond to security threats in IoT systems. By leveraging ML, organizations can achieve greater accuracy and speed in identifying anomalies and potential threats within IoT networks, enhancing their overall cybersecurity posture [7]. The integration of ML with IoT network traffic analysis and malware detection represents a significant advancement in developing resilient and adaptive security frameworks for IoT ecosystems [8].
Despite the advancements in ML techniques for IoT cybersecurity, challenges remain in optimizing these models for effective malware detection and network traffic analysis within IoT environments [9]. The process of hyperparameter optimization (HPO) is critical for enhancing the performance of ML classifiers [10]. However, existing HPO methods often fall short in efficiently tuning the hyperparameters for IoT cybersecurity applications, leading to suboptimal detection rates and an inability to adapt to evolving IoT-specific threats. This gap highlights the need for novel approaches that can improve the efficiency and accuracy of ML models in detecting and mitigating cyber threats specific to IoT networks [11]. Addressing these challenges is essential for developing robust security systems capable of withstanding the dynamic and complex nature of modern cyber attacks targeting IoT devices and networks [12].
Previous research has highlighted the potential impact of enhancing the performance of ML in IoT network traffic analysis and malware detection. The Artificial Bee Colony (ABC) algorithm has shown promise in various optimization tasks [13], suggesting its potential application in HPO for IoT cybersecurity. However, the role of hyperparameter tuning in significantly enhancing ML models remains debated, with mixed findings regarding its impact: while some studies indicate substantial performance improvements through hyperparameter tuning [14], others suggest minimal gains, underscoring the need for further investigation into effective HPO strategies for IoT cybersecurity applications [15].
The main objective of this research is to investigate the efficacy of the ABC algorithm in hyperparameter optimization for ML classifiers in IoT network traffic analysis and malware detection. This study aims to evaluate the ABC algorithm’s performance in optimizing hyperparameters and its impact on classifier performance within IoT networks. It will compare the ABC algorithm with traditional HPO methods, such as grid search and random search, to determine relative advantages in efficiency, scalability, and outcome quality. Additionally, the research will assess the scalability and computational efficiency of the ABC algorithm, its ability to adapt to evolving IoT cyber threats by re-tuning parameters quickly, and its generalizability across various ML classifiers, including decision trees, support vector machines, and neural networks. Our study presents several contributions, the most important of which are summarized as follows:
  • Novel Application of ABC Algorithm: This study pioneers the use of the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization in ML classifiers for IoT network traffic analysis and malware detection, addressing traditional HPO limitations and enhancing ML model performance in IoT cybersecurity.
  • Adaptability to Evolving IoT Threats: The research examines the ABC algorithm’s ability to help ML classifiers adapt to new and evolving IoT cyber threats by re-tuning parameters with minimal delays, addressing the dynamic nature of cyber attacks in IoT environments.
  • Generalizability Across Classifiers: The study explores the ABC algorithm’s benefits across different ML classifiers, including decision trees, support vector machines, and neural networks, determining its universal or model-specific advantages and broader applicability in IoT cybersecurity.
This paper explores the application of the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization in machine learning classifiers used for IoT network traffic analysis and malware detection. The remainder of the paper is structured as follows: Section 2 provides a comprehensive review of the existing literature on machine learning applications in IoT cybersecurity, highlighting key gaps that motivate the need for advanced optimization techniques. Section 3 presents the methodology, detailing the datasets used, preprocessing steps, the implementation of machine learning classifiers, and the integration of the ABC algorithm for hyperparameter optimization. Section 4 discusses the results and analysis, comparing the performance of the models before and after optimization, and evaluates the scalability and adaptability of the ABC algorithm in enhancing cybersecurity measures. Finally, Section 5 concludes the paper by summarizing key findings, contributions, and future research directions, particularly the potential for expanding the application of ABC to other machine learning models and IoT domains.

2. Literature Review

The growing complexity of cyberattacks in the Industrial Internet of Things (IIoT) environment necessitates robust intrusion detection systems (IDS) to secure IoT networks. Several studies have focused on utilizing advanced ML and deep learning models to address this challenge, each introducing unique methodologies but often grappling with common limitations. Our research builds upon these efforts by addressing key gaps identified in prior studies, particularly the need for improved accuracy, efficiency, and adaptability across diverse IoT environments.
One prominent study by Tareq et al. [16] investigates the application of Convolutional Neural Networks (CNNs) in IDS, particularly within IIoT environments. The researchers utilize variations such as VGG16 and Xception to process the Edge-IIoT dataset and report that a generic CNN model outperforms these variations, achieving an accuracy of 98.98%. Despite the promising results, their work highlights the challenge of imbalanced data and the limitations of CNNs in constrained IoT environments, particularly with regards to computational efficiency. This gap underscores the need for lighter models or optimization techniques, which aligns with our research focus on optimizing traditional machine learning (ML) models using hyperparameter tuning to enhance both performance and efficiency, while addressing imbalanced datasets.
Similarly, Singh et al. [17] explore the use of deep learning models, including DenseNet and Inception Time, for detecting cyberattacks on prominent IoT datasets like ToN-IoT, Edge-IIoT, and UNSW-NB15. They demonstrate that Inception Time achieves an accuracy of 94.94% on the Edge-IIoT dataset, highlighting the model’s ability to handle complex attack types. However, their study identifies a limitation in adapting models to different IoT environments, a gap that we aim to address by improving model generalization across diverse IoT settings. By refining hyperparameters through optimization algorithms, our research provides an adaptable solution that can maintain high performance across varied IoT contexts.
In contrast to the centralized approaches, de Elias et al. [18] propose a federated learning (FL)-based framework called DETECT to address privacy and scalability challenges in IDS for IoT. Their MEC-based architecture allows for decentralized learning across multiple domains without centralizing sensitive data. While they report impressive results, achieving 99% accuracy on the Edge-IIoTset dataset, federated models can be resource-intensive and may struggle to match the performance of centralized models in certain attack detection scenarios. Our approach aims to strike a balance by utilizing centralized machine learning models, with a focus on optimizing performance through hyperparameter tuning, which reduces computational overhead while maintaining high accuracy.
Furthermore, Abou El Houda et al. [19] propose a hybrid CNN-LSTM model aimed at privacy-aware intrusion detection. Their focus on transport and network layer data ensures privacy without compromising detection capabilities, achieving an accuracy of 97.85% for binary classification and 97.14% for multiclass classification of IIoT traffic. While their model shows promise, its performance could benefit from further optimization. Our research similarly emphasizes privacy, but through a focus on computational efficiency and hyperparameter optimization, we aim to enhance both detection accuracy and model performance in privacy-sensitive IoT environments.
A similar focus on lightweight models is evident in the work of Abdulkareem et al. [20], who introduce a lightweight Stack Ensemble Learner (SEL) for intrusion detection in IIoT networks. Their use of feature selection techniques to reduce the dimensionality of the dataset results in a model that is computationally efficient, yet it only achieves 87.37% accuracy. This trade-off between efficiency and accuracy suggests that there is still room for improvement, a gap we address by utilizing traditional machine learning models and improving their accuracy and performance through the use of the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization.
Lastly, Ramaiah et al. [21] and Javeed et al. [22] explore various machine learning and deep learning models, ranging from Extremely Randomized Trees (ERT) to BiGRU and LSTM architectures, aimed at improving the detection of cyberattacks in IIoT environments. Both studies highlight the need for models that can efficiently handle large, complex datasets, while minimizing false positives and ensuring scalability. Our research aligns with this goal by focusing on enhancing the performance of basic ML models through rigorous optimization, making them more applicable to large-scale, real-world IIoT applications.
While the prior studies have introduced various methodologies for improving IDS in IIoT networks, they often face challenges such as imbalanced data, limited adaptability, high computational costs, or insufficient accuracy in detecting certain attack types as summarized in Table 1. Our research seeks to address these limitations by leveraging hyperparameter optimization with the ABC algorithm, improving accuracy across diverse attack types, and enhancing model generalization while keeping computational costs manageable. This positions our study as a crucial advancement in the ongoing efforts to secure IIoT networks.

3. Methodology

In this study, we employ a systematic approach to investigate the efficacy of hyperparameter optimization for machine learning classifiers in the context of IoT cybersecurity. Our methodology is structured to address the challenges associated with optimizing classifiers such as Decision Trees, Support Vector Machines (SVM), and K-Nearest Neighbors (KNN) for the detection and classification of various cyber threats within IoT networks. The process begins with the selection and preprocessing of the Edge-IIoTset dataset, followed by the application of traditional machine learning models as a baseline. Subsequently, we introduce the Artificial Bee Colony (ABC) algorithm to optimize the hyperparameters of these classifiers, aiming to enhance their performance. The methodology is designed to ensure that the classifiers not only achieve high accuracy but also generalize effectively across different types of cyber threats, making them robust tools for IoT cybersecurity.
Figure 1 illustrates the comprehensive methodology adopted in this study, detailing the steps involved in both the initial machine learning experiments and the subsequent hyperparameter optimization using the Artificial Bee Colony (ABC) algorithm. The process begins with the selection of the Edge-IIoTset dataset, followed by data preprocessing steps that include encoding categorical variables, removing outliers, handling skewed data, and addressing class imbalance using SMOTE. The methodology is divided into two primary experiments: the first experiment involves the utilization of basic machine learning classifiers, including Decision Tree, SVM, and KNN, evaluated using a 10-fold cross-validation process. The second experiment incorporates the ABC algorithm to optimize these classifiers’ hyperparameters, aiming to improve their performance metrics such as accuracy, precision, recall, and F1 score.

3.1. Dataset

The Edge-IIoTset dataset is a specialized cybersecurity dataset tailored for both IoT and IIoT settings, aimed at aiding the development and testing of intrusion detection systems. It features a collection of network traffic data from a variety of IoT devices operating under normal conditions as well as during cybersecurity attacks. The dataset includes a total of 157,800 entries that capture a wide array of both malicious attacks and normal activities as detailed by [23], and it is summarized in Table 2.
Our methodology includes a detailed description of the dataset, as its structure, features, and characteristics significantly influence the performance of the machine learning models. The chosen dataset, Edge-IIoTset, is a specialized cybersecurity dataset that captures both normal and malicious IoT and IIoT network traffic. Since this research aims to optimize machine learning classifiers for IoT cybersecurity, incorporating the dataset into the methodology is critical. Additionally, including this dataset allows for direct comparisons with previous studies that have employed similar data, which is crucial for demonstrating the effectiveness of the proposed model. By leveraging the same dataset, we can objectively assess how our hyperparameter-optimized models outperform or align with existing research, offering a clearer perspective on the improvements achieved. Therefore, incorporating the dataset validates the experimental framework and benchmarks our results against prior work, reinforcing the effectiveness of our approach.

3.2. Data Preprocessing

Data preprocessing is a critical step in the data analysis pipeline, especially in the context of machine learning where the quality and format of data can significantly influence the outcome of predictive models. This subsection discusses several key preprocessing techniques applied to our dataset to ensure the integrity and usefulness of the data for building robust models. The methods include encoding categorical variables using Target Encoding, removing outliers via statistical thresholds, handling skewed data through transformations, and addressing class imbalance with the Synthetic Minority Over-sampling Technique (SMOTE). Each technique is tailored to specific issues in our data, ensuring that the processed data provides a reliable foundation for subsequent modeling stages. These preprocessing steps are elaborated in the following paragraphs.

3.2.1. Encoding Categorical Variables

We employed Target Encoding to effectively manage categorical variables in our dataset. This method is particularly advantageous for handling features with high cardinality, converting them into a numerical format that retains meaningful information about the relationship between the feature and the target variable [24]. Target Encoding computes a value for each category by blending the conditional probability of the target given that specific category with the overall probability of the target across all categories. This not only provides a way to reduce the dimensionality of the data but also incorporates target-related information directly into the feature representation, which can be crucial for improving model predictions [25]. The mathematical formulation for Target Encoding for a category c in a feature X with respect to a binary target variable Y is given by Equation (1):
$$e_c = \frac{\sum_{i=1}^{n}\left(Y_i \times [X_i = c]\right) + \lambda \times P(Y)}{\sum_{i=1}^{n}[X_i = c] + \lambda} \tag{1}$$
where
  • $[X_i = c]$ is an indicator function that is 1 if $X_i$ is equal to $c$ and 0 otherwise.
  • $\lambda$ is a smoothing parameter, often the total count of the category $c$, which helps balance the influence of categories with very few samples.
  • $P(Y)$ is the prior probability of the target, calculated as the mean of $Y$ over all samples.
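The following is an added worked example of Equation (1), written for this page and not taken from the paper's code. It uses only the Python standard library and a constructed sample (a protocol-like categorical feature and a binary attack label); the defaults follow the section's description, with the smoothing parameter $\lambda$ set to the category count when not given. A second helper shows the leakage-safe way to use the encoding, fitting it on the training fold only and mapping unseen test categories to the prior.

```python
from collections import defaultdict

# Constructed sample: a high-cardinality categorical feature (protocol label)
# and a binary target (1 = attack, 0 = normal). Not data from the paper.
SAMPLE_X = ["mqtt", "mqtt", "mqtt", "http", "http", "dns", "dns", "dns", "dns", "icmp"]
SAMPLE_Y = [1, 1, 0, 0, 0, 1, 1, 1, 0, 1]


def target_encode(x, y, smoothing=None):
    """Return {category: e_c} following Equation (1):

        e_c = (sum_i Y_i*[X_i = c] + lambda*P(Y)) / (sum_i [X_i = c] + lambda)

    `smoothing` is lambda. When None it defaults to the count of category c
    (the paper's stated choice), which pulls every category halfway toward
    the prior P(Y); a rare category is therefore dominated by the prior.
    """
    if len(x) != len(y):
        raise ValueError("feature and target must have the same length")
    n = len(y)
    prior = sum(y) / n                    # P(Y): mean of Y over all samples
    counts = defaultdict(int)             # sum_i [X_i = c]
    positives = defaultdict(int)          # sum_i Y_i * [X_i = c]
    for xi, yi in zip(x, y):
        counts[xi] += 1
        positives[xi] += yi
    encoding = {}
    for c in counts:
        lam = counts[c] if smoothing is None else smoothing
        encoding[c] = (positives[c] + lam * prior) / (counts[c] + lam)
    return encoding


def apply_encoding(x, encoding, prior):
    """Map each value to its encoded number; categories never seen during
    fitting fall back to the prior P(Y)."""
    return [encoding.get(xi, prior) for xi in x]


def encode_train_test(x_train, y_train, x_test, smoothing=None):
    """Fit on the training fold only, then transform both folds. Fitting on
    the full data would leak test labels into the features."""
    encoding = target_encode(x_train, y_train, smoothing)
    prior = sum(y_train) / len(y_train)
    return (apply_encoding(x_train, encoding, prior),
            apply_encoding(x_test, encoding, prior))


if __name__ == "__main__":
    print(target_encode(SAMPLE_X, SAMPLE_Y))
```

With the constructed sample the prior is 0.6; "icmp" appears once with a positive label, so its raw rate of 1.0 is smoothed to 0.8, whereas the unsmoothed variant (`smoothing=0`) would hand the model a perfect-looking indicator built from a single row.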

3.2.2. Removing Outliers

Outliers are data points that significantly deviate from other observations in the dataset and can lead to misleading analytical results and model predictions. We utilized both the Z-Score and Interquartile Range (IQR) methods to detect and mitigate the effects of outliers in our dataset. The Z-Score method calculates the number of standard deviations a data point is from the mean, with data points having a Z-score greater than 3 considered outliers [26]. In contrast, the IQR method identifies outliers by defining thresholds at $Q_1 - 1.5 \times \mathrm{IQR}$ and $Q_3 + 1.5 \times \mathrm{IQR}$, where $Q_1$ and $Q_3$ are the first and third quartiles, respectively. These thresholds are mathematically expressed as Equations (2) and (3):
$$\text{Lower Bound} = Q_1 - 1.5 \times \mathrm{IQR} \tag{2}$$
$$\text{Upper Bound} = Q_3 + 1.5 \times \mathrm{IQR} \tag{3}$$
Upon identifying outliers, they are either removed or adjusted to the nearest threshold value to minimize their influence, ensuring that our data analysis and subsequent models are robust and reliable. This method is particularly critical for algorithms sensitive to extreme values, ensuring a more accurate representation of the underlying data distribution.
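An added example (not the paper's code) of both detection rules on a constructed feature column, a dozen packet-length-like values with two large outliers appended. It implements Equations (2) and (3) with linearly interpolated quartiles, the Z-score rule with the threshold of 3 named above, and the two remedies the paragraph mentions, removal and clipping to the nearest bound. The sample is chosen so that the Z-score rule flags only the largest value: the outliers inflate the standard deviation enough to hide the second one, which is why the IQR rule is the more robust of the two on heavy-tailed traffic features.

```python
import math
import statistics

# Constructed sample of one numeric flow feature (e.g. packet length) with
# two obvious outliers at the end. Not data from the paper.
SAMPLE = [40.0, 42.0, 44.0, 45.0, 46.0, 48.0, 50.0, 52.0, 55.0, 60.0, 400.0, 1500.0]


def quartiles(values):
    """Q1 and Q3 by linear interpolation between order statistics."""
    s = sorted(values)
    n = len(s)

    def pct(p):
        pos = p * (n - 1)
        lo = math.floor(pos)
        hi = min(lo + 1, n - 1)
        return s[lo] + (s[hi] - s[lo]) * (pos - lo)

    return pct(0.25), pct(0.75)


def iqr_bounds(values, k=1.5):
    """Equations (2) and (3): (Q1 - k*IQR, Q3 + k*IQR)."""
    q1, q3 = quartiles(values)
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def zscore_outliers(values, threshold=3.0):
    """Values whose |z| exceeds the threshold (population std. deviation)."""
    mu = statistics.mean(values)
    sd = statistics.pstdev(values)
    if sd == 0:
        return []
    return [v for v in values if abs((v - mu) / sd) > threshold]


def remove_outliers_iqr(values, k=1.5):
    """Drop every value outside the IQR bounds."""
    lo, hi = iqr_bounds(values, k)
    return [v for v in values if lo <= v <= hi]


def clip_outliers_iqr(values, k=1.5):
    """Adjust outliers to the nearest threshold instead of dropping them."""
    lo, hi = iqr_bounds(values, k)
    return [min(max(v, lo), hi) for v in values]


if __name__ == "__main__":
    print("IQR bounds:", iqr_bounds(SAMPLE))
    print("Z-score outliers:", zscore_outliers(SAMPLE))
    print("IQR outliers removed:", remove_outliers_iqr(SAMPLE))
```

For the sample above the IQR bounds are (27.5, 73.5), so both 400 and 1500 are flagged; the Z-score rule reports only 1500 because the standard deviation (about 404) is dominated by the outliers themselves. Whichever rule is used, the bounds should be computed on the training fold and then applied unchanged to the test fold.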

3.2.3. Handling Skewed Data

Skewed data can significantly affect the performance of many machine learning models, particularly those that assume a normal distribution of the input variables. To address this, we applied transformations to normalize the distribution of skewed features in our dataset. Common techniques we used include the Logarithmic Transformation and the Box-Cox Transformation. These methods adjust the distribution of the data, reducing skewness and making the features more symmetrical. The Logarithmic Transformation is particularly effective for right-skewed data, reducing the effect of extreme larger values [27]. This transformation is given by Equation (4):
$$X' = \log(X + 1) \tag{4}$$
For data that includes negative or zero values, the Box–Cox Transformation provides a more flexible approach, adapting the data through a parameter λ to find the best approximation of a normal distribution. The transformation is defined as Equation (5):
$$X' = \begin{cases} \dfrac{X^{\lambda} - 1}{\lambda} & \text{if } \lambda \neq 0, \\[4pt] \log(X) & \text{if } \lambda = 0. \end{cases} \tag{5}$$
Applying these transformations helps to stabilize the variance, enhance the model’s interpretability, and improve the predictive performance by aligning the data more closely with the assumptions underlying many statistical modeling techniques.
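An added example, not from the paper, of Equations (4) and (5) on a constructed right-skewed feature (inter-arrival-time-like values). It measures skewness before and after each transformation so the effect can be checked rather than assumed. Note that Equation (5) as written requires $X > 0$ ($\log X$ and $X^{\lambda}$ for non-integer $\lambda$ are undefined otherwise), so the block includes a shift helper for columns containing zeros or negatives; the grid search for $\lambda$ by minimum absolute skewness is this example's own choice, not a procedure the paper states.

```python
import math

# Constructed right-skewed feature (e.g. packet inter-arrival times in ms).
# All values are positive, as Box-Cox requires. Not data from the paper.
SAMPLE = [1.0, 1.2, 1.5, 2.0, 2.2, 3.0, 4.0, 6.0, 10.0, 25.0, 60.0, 150.0]


def skewness(values):
    """Third standardized moment; 0 for a symmetric sample, > 0 right-skewed."""
    n = len(values)
    mu = sum(values) / n
    m2 = sum((v - mu) ** 2 for v in values) / n
    if m2 == 0:
        return 0.0
    m3 = sum((v - mu) ** 3 for v in values) / n
    return m3 / m2 ** 1.5


def log1p_transform(values):
    """Equation (4): X' = log(X + 1); defined for X > -1."""
    return [math.log(v + 1.0) for v in values]


def shift_to_positive(values):
    """Add a constant so that min(X) becomes 1 when the column contains zeros
    or negatives, which Box-Cox cannot take directly. Returns (shifted, shift)
    so the same shift can be reused on the test fold."""
    shift = 1.0 - min(values) if min(values) <= 0 else 0.0
    return [v + shift for v in values], shift


def boxcox(values, lam):
    """Equation (5): (X^lambda - 1)/lambda if lambda != 0, else log(X)."""
    if min(values) <= 0:
        raise ValueError("Box-Cox needs strictly positive values; use shift_to_positive first")
    if lam == 0:
        return [math.log(v) for v in values]
    return [(v ** lam - 1.0) / lam for v in values]


def best_boxcox_lambda(values, grid=None):
    """Choose the lambda on a grid whose transform is least skewed. (The
    classical estimator maximizes the Box-Cox log-likelihood; skewness is used
    here because it is the quantity this section aims to reduce.)"""
    if grid is None:
        grid = [i / 10.0 for i in range(-20, 21)]
    return min(grid, key=lambda lam: abs(skewness(boxcox(values, lam))))


if __name__ == "__main__":
    lam = best_boxcox_lambda(SAMPLE)
    print("skew raw   :", round(skewness(SAMPLE), 3))
    print("skew log1p :", round(skewness(log1p_transform(SAMPLE)), 3))
    print("best lambda:", lam, "skew:", round(skewness(boxcox(SAMPLE, lam)), 3))
```

The chosen $\lambda$ (and any shift) is a fitted parameter: estimate it on the training fold and apply the identical transform to test data, otherwise the test distribution is silently tuned on its own values.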

3.2.4. Handling Class Imbalance with SMOTE Synthetic Minority Over-Sampling Technique

Class imbalance is a common issue in machine learning where some classes are significantly underrepresented compared to others. This can lead to biased models that perform poorly on the minority class. To address this, we used the Synthetic Minority Over-sampling Technique (SMOTE), which synthesizes new examples in the minority class to balance the class distribution. SMOTE works by selecting existing instances in the minority class and synthesizing new examples that are similar but randomly altered versions of these instances [28]. This is achieved by choosing a point between the selected instance and one of its nearest neighbors. The synthesis of a new sample $x_{new}$ is mathematically represented by Equation (6):
$$x_{new} = x_i + \lambda \times (x_{zi} - x_i) \tag{6}$$
where
  • $x_i$ is a randomly chosen minority class sample;
  • $x_{zi}$ is one of its nearest neighbors in the feature space;
  • $\lambda$ is a random number between 0 and 1.
Figure 2 shows the class distributions before applying SMOTE.
The original dataset exhibits visible imbalances across classes, as some attack types are underrepresented. After applying SMOTE, the class distribution becomes uniform, with all classes having the same number of instances. This balanced distribution ensures that the models trained on this dataset are less biased towards majority classes, thereby improving their generalization and performance in detecting minority class attacks.
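An added worked example of Equation (6) and of the "uniform after SMOTE" outcome described above; it is written for this page and is not the paper's code. It uses a constructed two-feature dataset with 12 "normal" and 5 "attack" rows, finds the $k$ nearest neighbours by Euclidean distance (the neighbour count $k$ and the seed are this example's choices), and oversamples every class up to the size of the largest one.

```python
import math
import random
from collections import Counter

# Constructed 2-D feature vectors (two scaled flow features) for an imbalanced
# two-class problem: 12 "normal" rows followed by 5 "attack" rows.
SAMPLES = [(0.1, 0.2), (0.2, 0.1), (0.15, 0.25), (0.3, 0.2), (0.25, 0.35),
           (0.05, 0.1), (0.2, 0.3), (0.35, 0.15), (0.1, 0.05), (0.3, 0.3),
           (0.4, 0.25), (0.2, 0.2),
           (1.0, 1.0), (1.2, 0.9), (0.9, 1.3), (1.4, 1.1), (1.1, 1.5)]
LABELS = ["normal"] * 12 + ["attack"] * 5


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_nearest_indices(i, points, k):
    """Indices of the k nearest neighbours of points[i], excluding i itself."""
    ranked = sorted((euclid(points[i], points[j]), j)
                    for j in range(len(points)) if j != i)
    return [j for _, j in ranked[:k]]


def smote(minority, n_new, k=3, rng=None):
    """Synthesize n_new samples following Equation (6):
    x_new = x_i + lambda * (x_zi - x_i), lambda drawn uniformly from [0, 1)."""
    if rng is None:
        rng = random.Random(0)
    k = min(k, len(minority) - 1)
    if k < 1:
        raise ValueError("SMOTE needs at least two minority samples")
    synthetic = []
    for _ in range(n_new):
        i = rng.randrange(len(minority))                  # x_i
        z = rng.choice(k_nearest_indices(i, minority, k))  # x_zi
        lam = rng.random()                                 # lambda
        x_i, x_zi = minority[i], minority[z]
        synthetic.append(tuple(a + lam * (b - a) for a, b in zip(x_i, x_zi)))
    return synthetic


def balance_with_smote(samples, labels, k=3, rng=None):
    """Oversample every class up to the size of the largest class so the
    resulting distribution is uniform. Synthetic rows are appended."""
    if rng is None:
        rng = random.Random(0)
    by_class = {}
    for s, label in zip(samples, labels):
        by_class.setdefault(label, []).append(s)
    target = max(len(v) for v in by_class.values())
    out_x, out_y = list(samples), list(labels)
    for label, pts in by_class.items():
        need = target - len(pts)
        if need > 0:
            out_x.extend(smote(pts, need, k=k, rng=rng))
            out_y.extend([label] * need)
    return out_x, out_y


def class_counts(labels):
    return dict(Counter(labels))


if __name__ == "__main__":
    xs, ys = balance_with_smote(SAMPLES, LABELS)
    print("before:", class_counts(LABELS), "after:", class_counts(ys))
```

Because each synthetic row is an interpolation, it always lies inside the bounding box of the real minority samples. In a 10-fold evaluation such as the one used here, the oversampling must be applied inside each training fold only; balancing the whole dataset before splitting places interpolations of test rows into the training set and inflates the reported scores.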

3.3. Artificial Bee Colony Algorithm for Hyperparameter Optimization

The Artificial Bee Colony (ABC) algorithm, inspired by the foraging behavior of honey bees, is a powerful swarm intelligence-based method that we implemented for optimizing complex problems, particularly hyperparameter tuning in machine learning models. We divided the implementation of the ABC algorithm into two primary phases: (1) the initialization and employed bee phase and (2) the onlooker bee phase, scout bee phase, and termination. During the initialization phase, we set key parameters and generated an initial population of solutions. Each bee represents a potential solution, and we evaluated their fitness based on a predefined fitness function, allowing us to identify and exploit promising regions in the solution space effectively [29].
In the employed bee phase, each employed bee searches for new solutions in the neighborhood of its current position and updates its solution if an improvement is found. This local search process enabled us to refine the hyperparameter settings and enhance the performance of the machine learning models. In the subsequent onlooker bee phase, we had onlooker bees select solutions based on their fitness probabilities, intensifying the search around high-quality solutions while maintaining diversity. When a solution did not improve over several iterations, we employed scout bees to introduce new random solutions, exploring unvisited areas of the solution space, and preventing premature convergence to local optima.
Figure 3 represents the ABC algorithm’s process for hyperparameter optimization. It begins with the initialization of parameters and the population, followed by the evaluation of the population’s fitness. The algorithm then progresses through the employed bee phase, where solutions are refined. Successful solutions are selected by onlooker bees in the next phase, with the process iterating until the termination condition is met. If needed, scout bees introduce new solutions to escape local optima. This iterative process continues until we find the best solution, effectively optimizing hyperparameters for machine learning models used in network traffic analysis and malware detection.

3.3.1. Initialization and Employed Bee Phase

The first part of the algorithm involves the initialization of parameters and the employed bee phase. The algorithm starts by initializing key parameters, including the population size ($N$), maximum number of generations ($G_{\max}$), the limit for scout bees ($L$), and the fitness function ($f$) used to evaluate the solutions. A population of bees is then created with random hyperparameter values. Each bee represents a potential solution, and its fitness is evaluated using the fitness function. The initial population ($P$) is defined as Equation (7):
$$P = \{p_1, p_2, \ldots, p_N\} \tag{7}$$
The fitness function $f(p_i)$ evaluates the performance of each solution $p_i$, which represents a set of hyperparameter values for the $i$-th bee. The fitness function is designed to minimize the classification error, and it is calculated as Equation (8):
$$f(p_i) = 1 - \mathrm{Accuracy}(p_i) \tag{8}$$
For each $p_i \in P$, where $P$ represents the population of solutions, and $\mathrm{Accuracy}(p_i)$ is the classification accuracy of the model when trained with the hyperparameters defined by $p_i$. The objective is to minimize the error, meaning that lower values of $f(p_i)$ indicate better-performing solutions. This function effectively guides the ABC algorithm towards the optimal set of hyperparameters that maximize the model’s classification accuracy.
The best solution ($p_{\text{best}}$) and its fitness ($f_{\text{best}}$) are initialized as shown in Equations (9) and (10):
$$p_{\text{best}} = p_{\arg\max f(p)} \tag{9}$$
$$f_{\text{best}} = \max\left(f(p_i)\right) \tag{10}$$
In the employed bee phase, each employed bee searches for new solutions around its current position and updates its solution if a better one is found. The update solution function creates new solutions by exploring the neighborhood of the current solution as shown in Equation (11):
$$p_i' = p_i + \phi_{ij}\,(p_i - p_k) \tag{11}$$
where $\phi_{ij}$ is a random number in the range $[-1, 1]$ and $k$ is a randomly chosen index different from $i$.
If the new solution $p_i'$ has a better fitness, as shown in Equation (12):
$$f(p_i') > f(p_i) \tag{12}$$
then $p_i$ is updated to $p_i'$. This phase is crucial for refining the hyperparameter settings to improve the performance of machine learning models in detecting cyber attacks. By systematically exploring the hyperparameter space, employed bees can identify configurations that enhance model accuracy and robustness, which are essential for effective cybersecurity measures. Algorithm 1 illustrates the initialization and employed bee phase of ABC for hyperparameter optimization in detail.
Algorithm 1: Initialization and Employed Bee Phase of ABC for Hyperparameter Optimization
[Algorithm 1 is presented as an image in the original article and is not reproduced here.]

3.3.2. Onlooker Bee Phase, Scout Bee Phase, and Termination

In the onlooker bee phase, onlooker bees select employed bees based on their fitness and search for new solutions in the neighborhood of the chosen solutions. This phase leverages the information gathered by employed bees to focus the search on promising areas of the solution space. The probability of selecting a solution $p_i$ is proportional to its fitness, ensuring that better solutions have a higher chance of being chosen. If a solution does not improve after a specified number of iterations, the scout bee phase is triggered, where scout bees randomly generate new solutions to explore unvisited regions of the solution space, thus preventing premature convergence to local optima. The algorithm continues iterating through these phases until the maximum number of generations is reached. The best solution found during the search process is then returned as the best configuration, ensuring an efficient balance between exploration and exploitation throughout the optimization process [30]. The probability of selecting a solution $p_i$ is given by Equation (13):
$$P(p_i) = \frac{f(p_i)}{\sum_{j=1}^{N} f(p_j)} \tag{13}$$
Onlooker bees then generate new solutions similar to the employed bees as shown in Equation (14):
$$p_i' = p_i + \phi_{ij}\,(p_i - p_k) \tag{14}$$
If a solution does not improve over a specified number of trials ($L$), the employed bee becomes a scout bee and generates a new random solution as shown in Equation (15):
$$p_i = \mathrm{random\_hyperparameters}() \tag{15}$$
The stagnation counter is reset as shown in Equation (16):
$$\mathrm{stagnation\_count}_i = 0 \tag{16}$$
The algorithm tracks the stagnation of solutions and updates counters to determine when to abandon a solution and search for new ones as shown in Equation (17):
$$\mathrm{stagnation\_count}_i \leftarrow \mathrm{stagnation\_count}_i + 1 \tag{17}$$
The main loop continues until the maximum number of generations ($G_{\max}$) is reached. The best solution found during the search is returned as the optimal hyperparameter configuration as shown in Equation (18):
$$\text{Return } p_{\text{best}},\, f_{\text{best}} \tag{18}$$
This phase ensures that the algorithm not only focuses on exploiting the most promising solutions but also explores new areas of the solution space to avoid local optima. This comprehensive search strategy is vital for optimizing hyperparameters in machine learning models for cybersecurity, enhancing their ability to detect and respond to sophisticated cyber attacks effectively. Algorithm 2 illustrates the onlooker bee phase, scout bee phase, and termination of ABC for hyperparameter optimization in detail.
Algorithm 2: Onlooker Bee Phase, Scout Bee Phase, and Termination of ABC for Hyperparameter Optimization
[Algorithm 2 is presented as an image in the original article and is not reproduced here.]
By efficiently exploring the hyperparameter space, the ABC algorithm leads to optimal configurations for machine learning models used in network traffic analysis and malware detection, ensuring enhanced performance and robustness.

3.4. Machine Learning Classifiers and Hyperparameter Optimization

Machine learning classifiers are essential tools for analyzing and interpreting complex datasets in various domains, including cybersecurity, healthcare, finance, and more. The performance of these classifiers significantly depends on their hyperparameters, which control various aspects of the learning process. Hyperparameter optimization is a crucial step in developing robust and efficient machine learning models. This section explores three widely used classifiers, Decision Tree, Support Vector Machine (SVM), and K-Nearest Neighbors (KNN), and discusses the application of the Artificial Bee Colony (ABC) algorithm to optimize their hyperparameters. By fine-tuning the hyperparameters, we aim to enhance the accuracy, generalization ability, and overall performance of these classifiers in tasks such as network traffic analysis and malware detection.

3.4.1. Decision Tree Classifier

The Decision Tree is a widely used machine learning algorithm for both classification and regression tasks. It operates by recursively splitting the data into subsets based on the value of input features, forming a tree-like model of decisions. The structure of a Decision Tree includes root nodes, internal nodes, and leaf nodes. The root node represents the entire dataset, which is then split into homogeneous subsets. Internal nodes represent tests on attributes, with each branch indicating the outcome of the test, while leaf nodes represent class labels or continuous values in regression trees. The primary goal is to select splits that maximize data separation into distinct classes, using criteria involving Gini Impurity, which measures the impurity of a dataset, and Information Gain (Entropy), which measures the reduction in entropy after a dataset is split on an attribute. Key hyperparameters that influence the performance of a Decision Tree include Max Depth, Min Samples Split, Min Samples Leaf, and Criterion. Optimizing these hyperparameters helps balance the model’s complexity and generalization ability, preventing issues like overfitting [31].
We employ the ABC algorithm to optimize the hyperparameters of the Decision Tree classifier. The ABC algorithm, inspired by the foraging behavior of honey bees, is used to search for the best configuration of hyperparameters, namely Max Depth, Min Samples Split, Min Samples Leaf, and Criterion. Algorithm 3 starts by generating a population of random hyperparameter values, which are evaluated using a fitness function like classification accuracy. It then cycles through three phases: (1) employed bee phase, where bees adjust and update solutions; (2) onlooker bee phase, where bees refine high-quality solutions; and (3) scout bee phase, where new random solutions are generated to avoid local optima. This process continues until the best hyperparameter configuration is found, ensuring the Decision Tree model is efficient for tasks like network traffic analysis and malware detection.

3.4.2. Support Vector Machine (SVM) Classifier

The Support Vector Machine (SVM) is a powerful and widely used machine learning algorithm for both classification and regression tasks. It works by finding the hyperplane that best separates the data into different classes. The goal of SVM is to find a hyperplane that maximizes the margin between the two classes, where the margin is defined as the distance between the hyperplane and the closest data points from each class, known as support vectors. The SVM can handle non-linearly separable data by using a technique called the kernel trick, which maps the input features into higher-dimensional space where a linear separation is possible. Common kernel functions include the linear kernel, polynomial kernel, and radial basis function (RBF) kernel. The choice of kernel and its parameters significantly influence the performance of the SVM. Key hyperparameters that influence the performance of an SVM include the regularization parameter C, which controls the trade-off between achieving a low training error and a low testing error (thus preventing overfitting), and the kernel parameters such as gamma ( γ ) for the RBF kernel. Optimizing these hyperparameters helps improve the classifier’s accuracy and generalization ability.
We employ the ABC algorithm to optimize the hyperparameters of the SVM classifier. The ABC algorithm, inspired by the foraging behavior of honey bees, is used to search for the best configuration of hyperparameters, namely C and gamma ( γ ) for the RBF kernel. Algorithm 4 generates random hyperparameter solutions evaluated by classification accuracy. It refines them through employed, onlooker, and scout bee phases, iterating until the best configuration is found. This ensures the SVM model is robust and efficient for tasks like network traffic analysis and malware detection.
Algorithm 3: ABC Algorithm for Decision Tree Hyperparameter Optimization

3.4.3. K-Nearest Neighbors (KNN) Classifier

The KNN algorithm is a simple, yet powerful, machine learning algorithm used for both classification and regression tasks. It operates by identifying the k nearest data points (neighbors) to a given input and making predictions based on the majority class (for classification) or the average value (for regression) of these neighbors. The distance between data points is typically measured using Euclidean distance, although other distance metrics such as Manhattan distance or Minkowski distance can also be used. The performance of the KNN algorithm is significantly influenced by key hyperparameters, including the number of neighbors (k) and the choice of distance metric. The number of neighbors determines the size of the neighborhood used for making predictions, where a smaller k can capture more local patterns, while a larger k provides more generalization but may overlook local variations. The choice of distance metric affects how the similarity between data points is calculated and can impact the algorithm’s effectiveness in different scenarios [25].    
Algorithm 4: ABC Algorithm for SVM Hyperparameter Optimization
We utilize the ABC algorithm to fine-tune the hyperparameters of the KNN classifier. This algorithm, which mimics the foraging behavior of honey bees, aims to find the best hyperparameter settings, specifically the number of neighbors (k) and the distance metric. Algorithm 5 generates a population of random hyperparameters evaluated by a fitness function. It then cycles through the employed, onlooker, and scout bee phases to refine solutions and explore new areas. This iterative process continues until the best configuration is found, ensuring the KNN model is efficient for network traffic analysis and malware detection.
Algorithm 5: ABC Algorithm for KNN Hyperparameter Optimization
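The employed, onlooker and scout phases of Section 3.3, applied to the KNN search space of Section 3.4.3 (the number of neighbors k and the distance metric), as an added Python example that is not the paper's own implementation. The dataset, the colony size, the abandonment limit and the iteration count are constructed or assumed; fitness is held-out accuracy on a 70/30 split, as in Section 3.5.

```python
"""Artificial Bee Colony (ABC) search over the KNN hyperparameters k and distance metric."""
import math
import random
from collections import Counter

METRICS = ("euclidean", "manhattan", "minkowski")   # candidate distance metrics
K_MIN, K_MAX = 1, 15                                 # candidate range for k


def distance(a, b, metric):
    """Distance between two feature vectors under the chosen metric (Minkowski with p=3)."""
    if metric == "euclidean":
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    if metric == "manhattan":
        return sum(abs(x - y) for x, y in zip(a, b))
    return sum(abs(x - y) ** 3 for x, y in zip(a, b)) ** (1.0 / 3.0)


def knn_predict(train_x, train_y, query, k, metric):
    """Majority vote over the k nearest training points; ties go to the nearest of the tied labels."""
    nearest = sorted(range(len(train_x)), key=lambda i: distance(train_x[i], query, metric))[:k]
    votes = Counter(train_y[i] for i in nearest)
    top = max(votes.values())
    return next(train_y[i] for i in nearest if votes[train_y[i]] == top)


def make_dataset(n_per_class=40, seed=7):
    """Constructed sample (assumption): three Gaussian clusters in 4-D standing in for traffic classes."""
    rng = random.Random(seed)
    centres = {"Normal": (0, 0, 0, 0), "DDoS_TCP": (3, 3, 0, 0), "Port_Scanning": (0, 3, 3, 1)}
    xs, ys = [], []
    for label, centre in centres.items():
        for _ in range(n_per_class):
            xs.append(tuple(c + rng.gauss(0, 1.2) for c in centre))
            ys.append(label)
    idx = list(range(len(xs)))
    rng.shuffle(idx)
    split = int(0.7 * len(idx))                      # 70/30 train/test split as in the paper
    tr, te = idx[:split], idx[split:]
    return [xs[i] for i in tr], [ys[i] for i in tr], [xs[i] for i in te], [ys[i] for i in te]


def fitness(solution, data):
    """Fitness of a candidate (k, metric index) = accuracy of the resulting KNN on the held-out 30%."""
    k, m = solution
    train_x, train_y, test_x, test_y = data
    hits = sum(knn_predict(train_x, train_y, q, k, METRICS[m]) == y for q, y in zip(test_x, test_y))
    return hits / len(test_y)


def neighbour(sol, other, rng):
    """ABC move v_ij = x_ij + phi (x_ij - x_kj) on one random dimension, rounded and clipped to the space."""
    k, m = sol
    phi = rng.uniform(-1, 1)
    if rng.randrange(2) == 0:
        k = min(K_MAX, max(K_MIN, round(k + phi * (k - other[0]))))
    else:
        m = min(len(METRICS) - 1, max(0, round(m + phi * (m - other[1]))))
    return k, m


def abc_optimize(data, n_food=6, limit=4, iterations=20, seed=1):
    """Run the employed, onlooker and scout phases; return the best (k, metric, accuracy) found."""
    rng = random.Random(seed)
    cache = {}                                       # the colony revisits configurations; evaluate each once

    def evaluate(sol):
        if sol not in cache:
            cache[sol] = fitness(sol, data)
        return cache[sol]

    def random_solution():
        return rng.randint(K_MIN, K_MAX), rng.randrange(len(METRICS))

    foods = [random_solution() for _ in range(n_food)]
    fits = [evaluate(s) for s in foods]
    trials = [0] * n_food
    best = max(foods, key=evaluate)

    def try_improve(i):
        nonlocal best
        partner = foods[rng.choice([j for j in range(n_food) if j != i])]
        cand = neighbour(foods[i], partner, rng)
        if evaluate(cand) > fits[i]:                 # greedy selection keeps the better source
            foods[i], fits[i], trials[i] = cand, evaluate(cand), 0
            if evaluate(cand) > evaluate(best):
                best = cand
        else:
            trials[i] += 1                           # count a failed improvement attempt

    for _ in range(iterations):
        for i in range(n_food):                      # employed bee phase
            try_improve(i)
        for _ in range(n_food):                      # onlooker bee phase: fitness-proportional choice
            try_improve(rng.choices(range(n_food), weights=[f + 1e-9 for f in fits])[0])
        for i in range(n_food):                      # scout bee phase: abandon exhausted sources
            if trials[i] > limit:
                foods[i], trials[i] = random_solution(), 0
                fits[i] = evaluate(foods[i])
    return best[0], METRICS[best[1]], evaluate(best)
```

Calling abc_optimize(make_dataset()) returns the tuned k, the chosen metric and the held-out accuracy; the fixed seeds make a run reproducible, which matters when comparing tuned and untuned models.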

3.5. Evaluation Metrics

To evaluate the performance of our machine learning models, we split the dataset into 70% for training and 30% for testing and adopted several key metrics: accuracy, precision, recall, and F1 score. These metrics provide a comprehensive understanding of the model’s effectiveness in detecting and classifying network traffic and malware data [32].
  • Accuracy is the ratio of correctly predicted instances to the total instances in the dataset. It provides a general measure of how often the model makes correct predictions [33]. The formula for accuracy is given by Equation (19):
    $\text{Accuracy} = \dfrac{TP + TN}{TP + TN + FP + FN}$
    where $TP$ is the number of true positives, $TN$ is the number of true negatives, $FP$ is the number of false positives, and $FN$ is the number of false negatives.
  • Precision measures the proportion of true positive predictions among all positive predictions made by the model. It indicates the accuracy of the positive predictions [34]. The formula for precision is given by Equation (20):
    $\text{Precision} = \dfrac{TP}{TP + FP}$
  • Recall, also known as sensitivity or true positive rate, measures the proportion of true positive predictions among all actual positive instances. It reflects the model’s ability to identify positive instances [35]. The formula for recall is given by Equation (21):
    $\text{Recall} = \dfrac{TP}{TP + FN}$
  • The F1 score is the harmonic mean of precision and recall, providing a balance between the two metrics. It is particularly useful when the dataset has an imbalanced class distribution. The formula for the F1 score is given by Equation (22):
    $F1\ \text{Score} = \dfrac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}}$
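Equations (19) to (22) computed per class from a multi-class confusion matrix of the kind shown in Figures 4 to 15, as an added example that is not taken from the paper; the class names and counts are constructed. Per-class accuracy counts the true negatives of every other class, so it stays high even for a class the model recognizes poorly, which is why precision, recall and F1 are reported alongside it.

```python
"""Per-class accuracy, precision, recall and F1 (Equations (19)-(22)) from a multi-class confusion matrix."""

# Constructed sample (assumption): rows are true classes, columns are predicted classes.
LABELS = ("Backdoor", "DDoS_HTTP", "Vulnerability_scanner")
CONFUSION = [
    [90, 5, 5],    # true Backdoor
    [2, 95, 3],    # true DDoS_HTTP
    [8, 12, 80],   # true Vulnerability_scanner
]


def per_class_metrics(labels, matrix):
    """matrix[i][j] = instances of true class i predicted as class j; one-vs-rest counts per class."""
    total = sum(sum(row) for row in matrix)
    n = len(labels)
    results = {}
    for i, label in enumerate(labels):
        tp = matrix[i][i]
        fn = sum(matrix[i]) - tp                          # class i predicted as something else
        fp = sum(matrix[r][i] for r in range(n)) - tp     # other classes predicted as class i
        tn = total - tp - fn - fp                         # everything not involving class i
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        results[label] = {
            "TP": tp, "TN": tn, "FP": fp, "FN": fn,
            "accuracy": (tp + tn) / total,   # includes the other classes' true negatives
            "precision": precision, "recall": recall, "f1": f1,
        }
    return results


def report(labels, matrix):
    """Print a per-class table in the layout of Tables 3 and 4."""
    rows = per_class_metrics(labels, matrix)
    print(f"{'class':24} {'acc':>7} {'prec':>7} {'rec':>7} {'f1':>7}")
    for label, m in rows.items():
        print(f"{label:24} {m['accuracy']:7.4f} {m['precision']:7.4f} {m['recall']:7.4f} {m['f1']:7.4f}")


if __name__ == "__main__":
    report(LABELS, CONFUSION)
```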

3.6. Experiments

To validate the effectiveness of the preprocessing techniques and the proposed Artificial Bee Colony (ABC) algorithm for hyperparameter optimization, we conducted a series of experiments. These experiments are designed to compare the performance of traditional machine learning classifiers with our novel approach under controlled conditions.
  • Experiment 1: Traditional Machine Learning Models
    In the first experiment, we assessed the performance of basic machine learning models on the preprocessed dataset. This set of experiments involved applying three classifiers (Decision Tree, SVM, and KNN). These models were chosen for their widespread use, their robustness in handling various types of data distributions, and their ability to provide a baseline performance metric for our dataset.
  • Experiment 2: Artificial Bee Colony Algorithm for Hyperparameter Optimization
    The second experiment focused on our contribution to the field, utilizing the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization for traditional ML algorithms. This experiment aimed to demonstrate the improvements in model performance that can be achieved by optimizing the hyperparameters of the same set of classifiers used in the first experiment. The ABC algorithm, inspired by the natural foraging behavior of honey bees, was particularly leveraged to find the optimal hyperparameters that maximize the performance of each classifier.
    By comparing the outcomes of these two sets of experiments, we aim to highlight the advantages of using an advanced hyperparameter optimization technique like the ABC algorithm over traditional methods. Each experiment was conducted using a consistent evaluation framework to ensure comparability of results. Metrics such as accuracy, precision, recall, and F1-score were employed to assess the performance of the classifiers before and after the application of the ABC algorithm. The detailed results of these experiments provide insights into the scalability, efficiency, and effectiveness of hyperparameter optimization in improving the robustness and accuracy of machine learning classifiers in detecting cybersecurity threats.

4. Results and Discussion

In this section, we present the findings from our experiments, which were conducted to evaluate the performance of machine learning classifiers in the context of network traffic analysis and malware detection. The experiments were carried out in two phases: the first phase involved the evaluation of basic machine learning models, while the second phase focused on the application of the ABC algorithm for hyperparameter optimization. The results are analyzed in terms of accuracy, precision, recall, and F1-score, which are critical metrics for assessing the effectiveness of the models in detecting various types of cyber threats.

4.1. Results of the First Experiment

The first experiment aimed to establish a baseline performance for the machine learning classifiers without any hyperparameter optimization. Three widely used classifiers—Decision Tree, Support Vector Machine (SVM), and K-Nearest Neighbors (KNN)—were applied to the dataset to classify different types of cyber attacks and normal traffic. The classifiers’ performance was measured in both the training and testing stages to ensure a comprehensive evaluation. The metrics of accuracy, precision, recall, and F1-score were calculated for each class of attacks to provide a detailed analysis of the models’ capabilities. Table 3 presents the results of the first experiment.
The results of the first experiment indicate that all three classifiers—Decision Tree, SVM, and KNN—exhibited varying levels of effectiveness across different classes of cyber threats. The Decision Tree classifier, for instance, demonstrated fairly strong performance in detecting DDoS-related attacks. For DDoS_TCP, the Decision Tree achieved an accuracy of 0.9742 in the training stage and 0.9781 in the testing stage, with F1-scores of 0.9579 and 0.9628, respectively. This reflects the model’s ability to generalize well to unseen data for certain types of attacks. However, the Decision Tree’s performance was less impressive for classes like Password attacks, where the accuracy dropped to 0.6288 during training and further declined to 0.6188 in testing. The corresponding F1-scores were also notably lower, at 0.9231 for training and 0.7520 for testing, indicating significant overfitting and poor generalization.
The Support Vector Machine (SVM) classifier generally outperformed the Decision Tree, especially in terms of precision and recall across most classes. For instance, in detecting DDoS_ICMP attacks, SVM achieved a training accuracy of 0.9678 and a testing accuracy of 0.9693, with corresponding F1-scores of 0.9569 and 0.9583. This indicates that SVM maintained consistent performance across both stages, suggesting that the model is less prone to overfitting compared to the Decision Tree. However, similar to the Decision Tree, SVM also struggled with Password and Uploading classes, where the testing F1-scores were 0.8107 and 0.7813, respectively, compared to higher training F1-scores, highlighting areas where the model could be further optimized.
The K-Nearest Neighbors (KNN) classifier also showed strong performance in certain areas, particularly in detecting Backdoor attacks, with an accuracy of 0.9100 in training and 0.9164 in testing. The F1-scores were similarly high, at 0.9231 and 0.9272 for training and testing, respectively. However, KNN’s performance was somewhat inconsistent across other classes. For example, in detecting SQL_injection attacks, the F1-scores were 0.9088 for training and 0.9093 for testing, showing minimal improvement. Additionally, KNN struggled with classes like Uploading, where the accuracy was 0.7889 in training and 0.7892 in testing, with corresponding F1-scores of 0.7567 and 0.7625, suggesting that the model’s performance heavily depends on the quality and distribution of the training data.
The first experiment reveals that while traditional machine learning models like Decision Tree, SVM, and KNN can effectively detect certain types of cyber attacks, their performance is inconsistent across all classes. The variability in performance metrics, such as precision, recall, and F1-score, between the training and testing stages suggests that these models may benefit from further refinement, particularly in hyperparameter tuning, to improve their generalization capabilities. This highlights the necessity of exploring advanced optimization techniques, such as the Artificial Bee Colony algorithm, to enhance the robustness and accuracy of these classifiers in cybersecurity applications. The observed differences between the training and testing stages across different classifiers further emphasize the importance of addressing overfitting and ensuring that models are well-tuned to handle the complexity and variability inherent in real-world cyber threats.
Figure 4 presents the confusion matrix for the Decision Tree during the training stage, indicating robust classification performance across most attack classes, as evidenced by the high number of correctly classified instances along the diagonal. For instance, the model correctly identified 15,253 instances of the Backdoor attack and 15,875 instances of the DDoS_HTTP attack. However, there are some areas where the model struggled, particularly with the Fingerprinting and Vulnerability Scanner classes. For example, 1247 instances of Fingerprinting were misclassified as DDoS_TCP, and 2143 instances of Vulnerability Scanner were incorrectly labeled as DDoS_HTTP. These misclassifications suggest that the Decision Tree had difficulty distinguishing between these specific attack types, likely due to overlapping feature spaces or similarities in the patterns within these classes.
During the testing stage, the Decision Tree’s performance remained strong but showed some signs of reduced accuracy compared to the training stage as shown in Figure 5. The model correctly classified 6487 instances of Backdoor and 6795 instances of DDoS_HTTP, slightly lower than the training stage results. Notably, the Password class saw significant misclassifications, with 1667 instances incorrectly classified as SQL_injection. The increase in misclassification errors, such as the 910 instances of Vulnerability Scanner being mislabeled as DDoS_HTTP, indicates that the model may have overfitted during training. This overfitting likely led to reduced generalization when exposed to new, unseen data, particularly for classes with less distinct or more complex feature distributions.
Figure 6 presents the confusion matrix for the SVM model during the training stage, showing high accuracy across most classes and reflecting the model’s capability in handling linearly separable data. For instance, the model correctly classified 16,462 instances of DDoS_ICMP and 16,831 instances of DDoS_UDP. However, some misclassifications were observed: 2098 instances of Fingerprinting were misclassified as DDoS_TCP and 1398 as Backdoor, and 2105 instances of Vulnerability Scanner were incorrectly classified as DDoS_HTTP. These errors suggest that while SVM is generally effective, there are challenges in distinguishing between certain classes, particularly when they have overlapping characteristics or are underrepresented in the training set.
In the testing stage, SVM maintained strong performance as shown in Figure 7, with 7066 instances of DDoS_ICMP and 7211 instances of DDoS_UDP correctly classified. However, the model exhibited an increase in misclassifications compared to the training stage. For example, 884 instances of XSS were incorrectly classified as Backdoor, and 922 instances of Vulnerability Scanner were mislabeled as DDoS_HTTP. The increase in these errors suggests that while the SVM model was well-tuned for the training data, it struggled slightly to generalize to the testing data, particularly for classes like Password and Vulnerability Scanner, where the feature distributions in the test set may differ from those seen during training.
The KNN model’s training stage confusion matrix highlights its effectiveness in classifying the majority of attack classes as shown in Figure 8, with 15,479 instances of Backdoor and 16,592 instances of DDoS_TCP correctly identified. However, there were notable misclassifications, such as 1716 instances of Fingerprinting being mislabeled as Backdoor and 1123 instances of Vulnerability Scanner incorrectly classified as DDoS_HTTP. These errors may stem from KNN’s reliance on the proximity of data points in the feature space, which can lead to confusion when different classes have overlapping or closely situated data points.
During the testing stage, the KNN model showed a slight decline in performance, with 7080 instances of DDoS_ICMP and 7117 instances of DDoS_TCP correctly classified, compared to higher numbers in the training stage. There was an increase in misclassifications, such as 729 instances of Fingerprinting being mislabeled as Backdoor and 437 instances of Vulnerability Scanner incorrectly identified as DDoS_HTTP. This decline in performance suggests that the KNN model may be sensitive to variations in the test data, particularly when test instances are not as close to the training data in the feature space. The increase in false positives and negatives highlights the model’s challenges in generalizing effectively, especially for classes with complex or less distinct feature distributions. Figure 9 presents the confusion matrix for the KNN classifier over the testing stage.

4.2. Results of the Second Experiment

The second experiment, which applied hyperparameter tuning using the Artificial Bee Colony (ABC) algorithm to the basic machine learning models, demonstrates a significant improvement in the performance metrics across all algorithms compared to the first experiment. The enhancements are particularly evident in the accuracy, precision, recall, and F1-score for both the training and testing stages, highlighting the effectiveness of the optimization process. Table 4 presents the results of the second experiment.
The Decision Tree classifier, after hyperparameter tuning, exhibited a marked improvement in accuracy across all classes. For instance, the accuracy for the Backdoor class increased from 0.8967 in the training stage of the first experiment to 0.9899 in the second experiment, with the testing stage accuracy similarly improving from 0.8899 to 0.9931. This indicates that the hyperparameter tuning significantly reduced overfitting, as evidenced by the closer alignment of training and testing stage metrics. Moreover, precision, recall, and F1-score saw notable increases across various classes, such as the DDoS_HTTP class, where the F1-score improved from 0.9226/0.9204 (training/testing) in the first experiment to 0.9940/0.9962 in the second experiment. These enhancements demonstrate the ABC algorithm’s ability to fine-tune the model parameters effectively, resulting in better generalization to unseen data and a substantial reduction in misclassifications.
The SVM model, which already performed well in the first experiment, showed further enhancements after hyperparameter tuning. The accuracy for several classes reached 1.0 in both training and testing stages, reflecting near-perfect classification performance in nearly half of the classes. For instance, the Backdoor class accuracy improved from 0.9016 (training) and 0.9054 (testing) in the first experiment to 0.9912 and 0.9973, respectively, in the second experiment. This improvement is also mirrored in other performance metrics such as precision, recall, and F1-score, particularly for classes like DDoS_ICMP, where the F1-score reached 0.9991/0.9997 (training/testing) post-tuning. These results highlight the SVM model’s enhanced ability to handle diverse attack patterns with minimal misclassification, thanks to the optimization process. The improvements suggest that hyperparameter tuning effectively addressed the minor generalization issues observed in the first experiment.
The KNN classifier also benefited significantly from hyperparameter tuning, with accuracy for several classes reaching 1.0 in both training and testing stages. The Backdoor class, for instance, achieved perfect accuracy and F1-score across both stages, a marked improvement from the first experiment where the accuracy was 0.9100/0.9164 (training/testing). The enhancement is particularly noteworthy in the DDoS_UDP class, where the F1-score increased to 0.9979/1.0, indicating that the KNN model, after tuning, was able to effectively distinguish between classes that previously posed challenges. The reduction in false positives and negatives across various classes further emphasizes the model’s improved generalization ability. The hyperparameter tuning successfully addressed the sensitivity issues observed in the KNN model during the first experiment, leading to a more robust and accurate classification performance.
When we compare the results of the first and second experiments, the impact of hyperparameter tuning becomes abundantly clear. Across all models, there is a consistent trend of improved accuracy, precision, recall, and F1-score in the second experiment, reflecting better model performance and reduced overfitting. The ABC algorithm’s role in optimizing the hyperparameters of each model is evident in the substantial gains observed, particularly in the consistency between training and testing stage results.
The decision to apply hyperparameter tuning resulted in more balanced models capable of generalizing better to unseen data, as shown by the reduced gap between training and testing metrics. This enhancement is crucial in cybersecurity applications, where the ability to accurately identify and classify a wide range of attack types with minimal error is paramount. The results of the second experiment strongly suggest that the use of advanced optimization techniques, such as the ABC algorithm, is highly effective in enhancing the performance of machine learning models in complex, real-world scenarios.
The confusion matrices for the Decision Tree model in the second experiment, as represented in Figure 10, show significant improvements in classification accuracy and generalization compared to the first experiment. During the training stage, the hyperparameter-optimized model achieved higher precision and recall across most classes, with notable reductions in misclassification rates. For instance, the “Backdoor” class saw 16,838 correct classifications with 138 misclassified instances as DDoS_TCP and 34 as Fingerprinting, and the “DDoS_UDP” class achieved 17,000 correct classifications with just 10 misclassifications. Classes that previously exhibited overfitting, such as “Password” and “Port_Scanning”, now demonstrate robust performance with 16,551 and 16,454 correct classifications, respectively, indicating that the model has been fine-tuned to better capture complex patterns in the data. This enhancement is particularly evident in the “Vulnerability_scanner” and “XSS” classes, where the model now shows 16,723 and 16,648 correct classifications, reflecting the positive impact of the ABC algorithm on the model’s ability to distinguish between closely related classes.
In the testing stage, the Decision Tree model continues to perform well, maintaining high accuracy with minimal decline compared to the training results, which indicates good generalization as shown in Figure 11. For example, the “Backdoor” class had 7240 correct classifications out of 7290 instances, with only 50 misclassified, while the “DDoS_TCP” and “DDoS_UDP” classes had 7273 and 7290 correct classifications, respectively, with minimal misclassifications. The improvements are especially prominent in classes that were challenging in the first experiment, such as “Password” and “Port_Scanning”, where the optimized model shows substantially fewer misclassifications, with 7146 and 7071 correct classifications, respectively. These results highlight the effectiveness of hyperparameter optimization in reducing overfitting and enhancing the model’s overall performance, making it more reliable for real-world cybersecurity applications. The success of the ABC algorithm in optimizing the Decision Tree model underscores its value in improving machine learning classifiers’ accuracy and robustness in detecting and mitigating cyber threats.
The confusion matrices for the SVM model in the second experiment, as depicted in Figure 12, demonstrate significant enhancements in classification accuracy and generalization when compared to the first experiment. The hyperparameter optimization process led to higher precision and recall during the training stage across most classes, coupled with a notable reduction in misclassification rates. For example, the “Backdoor” class achieved 16,860 correct classifications with only 120 instances misclassified as DDoS_TCP and 30 as Fingerprinting. Similarly, the “DDoS_UDP” class saw perfect classification with all 17,010 instances accurately identified. Classes that had previously suffered from overfitting, such as “Password” and “Port_Scanning”, now display a much-improved performance, with 16,690 and 16,639 correct classifications, respectively. These results suggest that the hyperparameter-tuned model has become more adept at distinguishing subtle differences between closely related classes, leading to more accurate predictions.
In the testing stage, illustrated in Figure 13, the SVM model continued to exhibit robust performance, retaining high accuracy with minimal decline from the training results, indicating strong generalization capabilities. For instance, the “Backdoor” class correctly classified 7270 out of 7290 instances, with only 16 misclassifications, showcasing the model’s effectiveness in handling new, unseen data. The “DDoS_TCP” and “DDoS_UDP” classes also maintained perfect classification rates, underscoring the model’s strength in dealing with DDoS attacks. The improvement in challenging classes from the first experiment, such as “Password” and “Port_Scanning”, is particularly notable, with 7169 and 7143 correct classifications, respectively. These findings highlight the success of the ABC algorithm in refining the SVM model, making it more reliable and effective in real-world cybersecurity scenarios by enhancing its accuracy and robustness in detecting and mitigating various cyber threats.
The confusion matrices for the KNN model in the second experiment, as represented in Figure 14, indicate marked improvements in classification accuracy and a significant decrease in misclassification rates when compared to the first experiment. During the training stage, the hyperparameter-optimized KNN model achieved perfect classification for several classes, including “Backdoor” and “DDoS_UDP”, with all 17,010 instances correctly identified. This illustrates a substantial enhancement in the model’s ability to differentiate between various attack types. Moreover, classes that were challenging in the first experiment, such as “Password” and “Port_Scanning”, showed notable improvements, with 16,862 and 16,876 correct classifications, respectively. These results suggest that the hyperparameter tuning process has successfully enhanced the model’s precision and recall, allowing it to better capture the nuances between closely related classes and improve overall performance.
In the testing stage as shown in Figure 15, the KNN model sustained its high level of performance, with minimal decline from the training results. For example, the “Backdoor”, “DDoS_TCP”, and “DDoS_UDP” classes achieved perfect classification, correctly identifying all 7290 instances, which underscores the model’s robustness and its strong generalization abilities. Additionally, the “Password” and “Port_Scanning” classes showed significant progress, with 7240 and 7245 correct classifications, respectively, further demonstrating the effectiveness of the hyperparameter optimization. These improvements make the KNN model a more reliable tool for real-world cybersecurity applications, as it now more accurately detects and mitigates a broad range of cyber threats with improved consistency.
The comparative analysis between the first and second experiments underscores the effectiveness of hyperparameter tuning in enhancing machine learning models’ performance. The second experiment’s confusion matrices reveal fewer misclassifications and higher accuracy across all classes, demonstrating improved generalization from training to testing data, which is crucial for reliable detection of diverse cyberattacks. The ABC algorithm optimized decision boundaries and reduced overfitting, as indicated by the closer alignment between training and testing results. However, this improvement in performance came with additional computational costs. As outlined in Table 5, the training time increased from 1500 s in the first experiment to 2200 s in the second experiment due to the iterative nature of the ABC optimization process. Memory usage also increased from 1024 MB to 1280 MB, along with a slight increase in CPU utilization from 70% to 80%. Despite these additional costs, the improved accuracy and generalization make the trade-off worthwhile, particularly for real-world applications requiring high reliability in diverse and variable data environments. The second experiment highlights the significant improvements achieved through hyperparameter tuning, validating the ABC algorithm as a powerful tool for refining model parameters and enhancing machine learning-based threat detection systems.

4.3. Accuracy per Iteration Analysis

In this section, we present the accuracy per iteration plots for the best-performing model, the KNN algorithm, during both the training and testing stages to provide a clear visualization of how the hyperparameter optimization process enhanced the model’s performance over time. These plots show a consistent trend of improvement across all classes, with the accuracy gradually increasing as the number of iterations progresses, ultimately reaching higher accuracy values near the end of the process.
In the accuracy by iteration analysis, we introduce a threshold ϵ = 0.05, meaning we track when the accuracy exceeds 1 − ϵ = 0.95. This threshold is used to evaluate the point at which the model achieves near-optimal performance. As shown in Figure 16a, during the training stage, the accuracy for most classes surpasses the 1 − ϵ = 0.95 threshold between iterations 9 and 14. Specifically, the “DDoS_TCP”, “DDoS_UDP”, “Backdoor”, and “XSS” classes exceed 95% accuracy by iteration 12, while others like “Password” and “Port_Scanning” reach this point around iteration 14. By iteration 20, the accuracy of most classes approaches near-optimal levels, close to 1.0. Similarly, as seen in Figure 16b, the testing stage reveals similar trends, with many classes crossing the 95% threshold between iterations 13 and 17. By the final iteration, all classes demonstrate a high level of accuracy, converging near 1.0, showcasing the robustness of the model. This analysis highlights the efficiency of the ABC optimization process, allowing the model to reach high accuracy with minimal iterations, making it suitable for real-world applications.
Figure 16a presents accuracy per iteration during the training stage, where the KNN model exhibited a steady and significant improvement in accuracy across almost all classes. The initial iterations reflect lower accuracy levels, particularly in more challenging classes such as “Password” and “Port_Scanning”. However, as the iterations advance, the model’s accuracy increases progressively, indicating that the hyperparameter tuning is effectively refining the decision boundaries and reducing the error rate. By the 20th iteration, most classes achieved near-perfect accuracy, with values closely approaching 1.0. This highlights the success of the optimization process in minimizing overfitting and improving the model’s ability to learn complex patterns within the training data. The consistent upward trend across all classes demonstrates the robustness of the KNN model when enhanced by the Artificial Bee Colony (ABC) algorithm for hyperparameter tuning.
Figure 16b presents accuracy per iteration during the testing stage that mirrors the improvements seen in the training stage, although with a slightly more varied trajectory. The initial accuracy values during the early iterations are lower compared to the final ones, particularly for classes that are inherently more difficult to classify, such as “Uploading” and “SQL_injection”. As the iterations increase, the accuracy steadily improves, reflecting the model’s enhanced generalization capabilities. Notably, by the final iterations, most classes achieve accuracy levels very close to or at 1.0, underscoring the effectiveness of the hyperparameter tuning in making the model more reliable when exposed to new, unseen data. The convergence of accuracy values in both the training and testing stages by the end of the optimization process indicates that the model has successfully balanced learning from the training data while maintaining strong generalization performance on the testing data.

4.4. Comparison with Related Works

Table 6 presents a comparative analysis between our study and the works of [16,18], highlighting significant differences in class-specific accuracy, particularly in handling difficult-to-detect attacks within the Edge-IIoTset dataset. In [16], the authors applied Convolutional Neural Networks (CNNs) to intrusion detection, achieving good results in detecting attacks such as DDoS_ICMP, DDoS_TCP, and MITM, with accuracies of 100% for these classes. However, they struggled with imbalanced classes like “Password” and “Port Scanning”, where they achieved 19% and 49% accuracy, respectively. Our approach, utilizing traditional machine learning models optimized with the ABC algorithm, significantly outperformed their model, achieving 99.13% accuracy for “Password” and 99.21% for “Port Scanning”. Similarly, our study improved upon their results for “XSS” and “Uploading” attacks, where [16] attained 25% and 47%, respectively, while we achieved 98.46% for “XSS” and 98.2% for “Uploading”. Our model’s ability to handle imbalanced data more effectively led to higher accuracy across the majority of classes, including perfect scores (100%) for “Backdoor”, “DDoS_HTTP”, “DDoS_ICMP”, “DDoS_TCP”, and “DDoS_UDP”, compared to their scores of 98%, 95%, 100%, 100%, and 100%, respectively.
In comparison to [18], who utilized Federated Learning (FL) in a MEC-based architecture to enhance intrusion detection, our results also show marked improvements across several key classes. While their model achieved perfect accuracy (100%) in detecting “DDoS_HTTP”, “DDoS_TCP”, “DDoS_UDP”, and “Uploading”, it underperformed in other areas. For instance, they achieved only 79% for “Backdoor”, compared to our 100%, and 74% for “Password” versus our 99.13%. Similarly, our model surpassed their accuracy for “Port Scanning” (99.21% versus 73%), “Fingerprinting” (99.14% versus 96%), and “XSS” (98.46% versus 81%). Even in classes where their model performed well, such as “Ransomware” and “Vulnerability Scanner” with 99% and 95%, our approach still achieved slightly better accuracy, with 100% for “Ransomware” and 98.99% for “Vulnerability Scanner”. These results emphasize the effectiveness of hyperparameter tuning using the ABC algorithm in optimizing traditional machine learning models, resulting in higher overall accuracy compared to both CNN-based and Federated Learning-based approaches, especially in handling imbalanced and diverse classes in the Edge-IIoTset dataset.

5. Discussion of Computational Costs

The experiments were conducted on a Windows 11 Home 64-bit operating system using an ASUS TUF Gaming F15 laptop equipped with an Intel Core i5-10300H CPU (2.50 GHz, 4 cores, 8 threads), 32 GB of RAM, and an NVIDIA GeForce GTX 1650 GPU with 4 GB. The algorithms and models were implemented in Python, utilizing libraries such as Scikit-learn for building and evaluating ML models (Decision Tree, SVM, KNN), NumPy and Pandas for data manipulation and numerical computations, Matplotlib for visualizations, and a custom ABC (Artificial Bee Colony) module integrated with Scikit-learn for hyperparameter optimization.
Table 7 outlines the computational costs and resources involved in implementing and optimizing ML models, specifically focusing on the KNN algorithm enhanced by the ABC algorithm for hyperparameter optimization. The table provides a detailed breakdown of the time taken to train and evaluate models without optimization, as well as the additional costs introduced by the ABC algorithm. Without optimization, the training and evaluation of the models take approximately 15 min. The inclusion of the ABC algorithm, with a population size of 30 bees and 50 generations, adds 30 min to the total computational time, bringing the total to 45 min. This increase reflects the iterative process in which multiple hyperparameter configurations are explored and refined over several generations. Additionally, the ABC module causes a moderate increase in memory usage due to the need to store the hyperparameter configurations and fitness values for each bee. While the ABC algorithm adds some computational overhead, it significantly enhances the model’s performance by ensuring an optimized set of hyperparameters, balancing computational costs with improved model accuracy.
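The search loop that Section 5 costs out (a population of bees, a fixed number of generations, and a stored hyperparameter configuration plus fitness value per bee) and the 1 − ϵ = 0.95 crossing tracked in Section 4.3, as an added example that is not the authors' custom ABC module: a pure-Python Artificial Bee Colony over a discrete KNN hyperparameter space (k, neighbour weighting, Minkowski order), with hold-out accuracy as the fitness. The three-cluster toy dataset, the search space bounds and the abandonment limit are assumptions standing in for the paper's Edge-IIoTset features and unpublished settings.

```python
import random
from collections import Counter

# Constructed toy data standing in for the paper's per-flow features:
# three well-separated 2-D clusters, NOT the Edge-IIoTset data.
def make_data(n_per_class=40, seed=7):
    rng = random.Random(seed)
    rows = []
    for label, (cx, cy) in enumerate([(0.0, 0.0), (3.0, 3.0), (0.0, 4.0)]):
        rows += [((rng.gauss(cx, 0.8), rng.gauss(cy, 0.8)), label) for _ in range(n_per_class)]
    rng.shuffle(rows)
    split = 2 * len(rows) // 3           # 2/3 train, 1/3 hold-out
    return rows[:split], rows[split:]

def knn_predict(train, query, k, weighted, p):
    """Plain k-NN vote using the Minkowski distance of order p."""
    dists = sorted(
        ((abs(x - query[0]) ** p + abs(y - query[1]) ** p) ** (1.0 / p), lab)
        for (x, y), lab in train)
    votes = Counter()
    for d, lab in dists[:k]:
        votes[lab] += 1.0 / (d + 1e-9) if weighted else 1.0
    return votes.most_common(1)[0][0]

def holdout_accuracy(train, test, k, weighted, p):
    hits = sum(knn_predict(train, q, k, weighted, p) == lab for q, lab in test)
    return hits / len(test)

# Assumed discrete space: k in 1..15, weights in {uniform, distance}, p in {1, 2}.
BOUNDS = [(1, 15), (0, 1), (1, 2)]

def random_solution(rng):
    return [rng.randint(lo, hi) for lo, hi in BOUNDS]

def neighbour(sol, partner, rng):
    """ABC move v_ij = x_ij + phi*(x_ij - x_kj) on one dimension j, rounded and clipped."""
    j = rng.randrange(len(BOUNDS))
    lo, hi = BOUNDS[j]
    v = list(sol)
    v[j] = max(lo, min(hi, round(sol[j] + rng.uniform(-1, 1) * (sol[j] - partner[j]))))
    if v[j] == sol[j]:                   # integer rounding produced no move: nudge
        v[j] = rng.randint(lo, hi)
    return v

def abc_optimize(fitness, n_bees=30, generations=50, limit=10, seed=1):
    """Artificial Bee Colony over the discrete space. Returns the best solution, its
    fitness, and the best-so-far fitness after each generation (accuracy per iteration)."""
    rng = random.Random(seed)
    sources = [random_solution(rng) for _ in range(n_bees)]   # one food source per bee
    fits = [fitness(s) for s in sources]                      # stored fitness per bee
    trials = [0] * n_bees                # consecutive failed improvements per source
    best, best_fit, history = None, -1.0, []

    def explore(i):
        partner = sources[rng.choice([x for x in range(n_bees) if x != i])]
        cand = neighbour(sources[i], partner, rng)
        f = fitness(cand)
        if f > fits[i]:                  # greedy selection
            sources[i], fits[i], trials[i] = cand, f, 0
        else:
            trials[i] += 1

    for _ in range(generations):
        for i in range(n_bees):          # employed bees: one neighbour per source
            explore(i)
        weights = [f + 1e-9 for f in fits]
        for _ in range(n_bees):          # onlooker bees: fitness-proportional choice
            explore(rng.choices(range(n_bees), weights=weights)[0])
        for i in range(n_bees):          # scout bees: abandon exhausted sources
            if trials[i] > limit:
                sources[i] = random_solution(rng)
                fits[i], trials[i] = fitness(sources[i]), 0
        gi = max(range(n_bees), key=fits.__getitem__)
        if fits[gi] > best_fit:
            best, best_fit = list(sources[gi]), fits[gi]
        history.append(best_fit)
    return best, best_fit, history

def first_iteration_above(history, eps=0.05):
    """1-based index of the first generation whose accuracy exceeds 1 - eps, else None."""
    return next((i + 1 for i, acc in enumerate(history) if acc > 1 - eps), None)

def tune_knn(n_bees=30, generations=50, seed=1):
    train, test = make_data()
    cache = {}                           # the space has only 60 configurations: memoise

    def fitness(sol):
        key = tuple(sol)
        if key not in cache:
            k, weighted, p = key
            cache[key] = holdout_accuracy(train, test, k, bool(weighted), p)
        return cache[key]

    return abc_optimize(fitness, n_bees, generations, seed=seed)

if __name__ == "__main__":
    best, acc, hist = tune_knn()
    print("best k=%d weighted=%s p=%d  hold-out accuracy=%.3f" % (best[0], bool(best[1]), best[2], acc))
    print("first generation above 1 - eps = 0.95:", first_iteration_above(hist))
```

On real traffic the fitness would be a cross-validated score rather than a single hold-out split, and that repeated training is what produces the extra 30 min Table 7 attributes to ABC; here the memoised toy fitness keeps the run to at most 60 evaluations.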

6. Conclusions

In this paper, we have demonstrated the effectiveness of the Artificial Bee Colony (ABC) algorithm for hyperparameter optimization in enhancing the performance of machine learning classifiers within IoT cybersecurity. Our results have shown significant improvements in accuracy, precision, recall, and F1-scores for Decision Trees, SVM, and KNN models. We successfully addressed the research questions by showing that the ABC algorithm enhances the detection of diverse cyberattacks, optimizes decision boundaries, and reduces overfitting, leading to improved generalization across unseen data. From a research standpoint, this study demonstrates that ABC-based optimization is a powerful tool in developing more robust and adaptive machine learning security frameworks. Additionally, ABC’s ability to handle class imbalances and improve model performance positions it as a valuable contribution to the ongoing research in IoT cybersecurity. From a practical perspective, the improved model accuracy and efficiency suggest that ABC can be effectively applied in real-world IoT environments.

7. Limitations and Future Work

Despite the promising results of this study, certain limitations should be acknowledged. The computational overhead associated with the ABC algorithm’s optimization process, although manageable, may pose challenges in highly resource-constrained IoT environments. Additionally, while the models demonstrated strong performance on the Edge-IIoTset dataset, further validation is necessary across different datasets and in real-time detection scenarios to confirm their broader applicability. Future research should aim to optimize the algorithm for more resource-limited devices, investigate hybrid optimization techniques, and extend the models to address emerging threats such as adversarial attacks. Addressing these aspects will further enhance the scalability and practical deployment of the proposed approach in diverse and rapidly evolving IoT ecosystems.

Author Contributions

Conceptualization, A.A. and M.A. (Mahmoud AlJamal); formal analysis, A.A., M.A. (Mahmoud AlJamal) and M.A. (Mohammad Aljaidi); funding acquisition, S.A.G.; investigation, O.H., M.A. (Mohammad Aljaidi) and M.A. (Mahmoud AlJamal); methodology, M.A. (Mahmoud AlJamal) and M.M.B.; project administration, N.M.; resources, S.O.; software, M.A. (Mahmoud AlJamal) and S.O.; supervision, M.A. (Mohammad Aljaidi) and D.A.-F.; writing—original draft, A.A., M.A. (Mahmoud AlJamal) and N.M.; writing—review and editing, O.H., M.A. (Mohammad Aljaidi), M.M.B., N.M., S.O., S.A.G. and D.A.-F. All authors have read and agreed to the published version of the manuscript.

Funding

The authors extend their appreciation to the Deanship of Research and Graduate Studies at King Khalid University for funding this work through small group research under grant number RGP1/51/45.

Data Availability Statement

Research data will be available on individual requests to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Omolara, A.E.; Alabdulatif, A.; Abiodun, O.I.; Alawida, M.; Alabdulatif, A.; Arshad, H. The internet of things security: A survey encompassing unexplored areas and new insights. Comput. Secur. 2022, 112, 102494.
  2. Aljaidi, M.; Alsarhan, A.; Al-Fraihat, D.; Al-Arjan, A.; Igried, B.; El-Salhi, S.M.; Khalid, M.; Al-Na’amneh, Q. Cybersecurity Threats in the Era of AI: Detection of Phishing Domains Through Classification Rules. In Proceedings of the 2023 2nd International Engineering Conference on Electrical, Energy, and Artificial Intelligence (EICEEAI), Zarqa, Jordan, 27–28 December 2023; pp. 1–6.
  3. Rupanetti, D.; Kaabouch, N. Combining Edge Computing-Assisted Internet of Things Security with Artificial Intelligence: Applications, Challenges, and Opportunities. Appl. Sci. 2024, 14, 7104.
  4. Singh, N.J.; Hoque, N.; Singh, K.R.; Bhattacharyya, D.K. Botnet-based IoT network traffic analysis using deep learning. Secur. Priv. 2024, 7, e355.
  5. Lone, A.N.; Mustajab, S.; Alam, M. A comprehensive study on cybersecurity challenges and opportunities in the IoT world. Secur. Priv. 2023, 6, e318.
  6. Inuwa, M.M.; Das, R. A comparative analysis of various machine learning methods for anomaly detection in cyber attacks on IoT networks. Internet Things 2024, 26, 101162.
  7. Okoli, U.I.; Obi, O.C.; Adewusi, A.O.; Abrahams, T.O. Machine learning in cybersecurity: A review of threat detection and defense mechanisms. World J. Adv. Res. Rev. 2024, 21, 2286–2295.
  8. Hamarsheh, A. An Adaptive Security Framework for Internet of Things Networks Leveraging SDN and Machine Learning. Appl. Sci. 2024, 14, 4530.
  9. Macas, M.; Wu, C.; Fuertes, W. A survey on deep learning for cybersecurity: Progress, challenges, and opportunities. Comput. Networks 2022, 212, 109032.
  10. Yu, T.; Zhu, H. Hyper-parameter optimization: A review of algorithms and applications. arXiv 2020, arXiv:2003.05689.
  11. Dutta, M.; Granjal, J. Towards a secure Internet of Things: A comprehensive study of second line defense mechanisms. IEEE Access 2020, 8, 127272–127312.
  12. Pasdar, A.; Koroniotis, N.; Keshk, M.; Moustafa, N.; Tari, Z. Cybersecurity Solutions and Techniques for Internet of Things Integration in Combat Systems. IEEE Trans. Sustain. Comput. 2024, 1–20.
  13. Kalita, K.; Ganesh, N.; Balamurugan, S. Metaheuristics for Machine Learning: Algorithms and Applications; John Wiley & Sons: Hoboken, NJ, USA, 2024.
  14. Setitra, M.A.; Fan, M.; Bensalem, Z.E.A. An efficient approach to detect distributed denial of service attacks for software defined internet of things combining autoencoder and extreme gradient boosting with feature selection and hyperparameter tuning optimization. Trans. Emerg. Telecommun. Technol. 2023, 34, e4827.
  15. Li, H.; Chaudhari, P.; Yang, H.; Lam, M.; Ravichandran, A.; Bhotika, R.; Soatto, S. Rethinking the hyperparameters for fine-tuning. arXiv 2020, arXiv:2002.11770.
  16. Tareq, I.; Elbagoury, B.M.; El-Regaily, S.; El-Horbaty, E.-S.M. Analysis of ton-iot, unw-nb15, and edge-iiot datasets using dl in cybersecurity for iot. Appl. Sci. 2022, 12, 9572.
  17. Singh, M.; Chauhan, N. Convolutional Neural Network Based IOT Intrusion Detection System using Edge-IIoTset. In Proceedings of the 2024 International Conference on Integrated Circuits, Communication, and Computing Systems (ICIC3S), Una, India, 8–9 June 2024; Volume 1, pp. 1–4.
  18. de Elias, E.M.; Carriel, V.S.; De Oliveira, G.W.; Dos Santos, A.L.; Nogueira, M.; Junior, R.H.; Batista, D.M. A hybrid CNN-LSTM model for IIoT edge privacy-aware intrusion detection. In Proceedings of the 2022 IEEE Latin-American Conference on Communications (LATINCOM), Rio de Janeiro, Brazil, 30 November–2 December 2022; pp. 1–6.
  19. Abou El Houda, Z.; Brik, B.; Ksentini, A.; Khoukhi, L. A MEC-based architecture to secure IoT applications using federated deep learning. IEEE Internet Things Mag. 2023, 6, 60–63.
  20. Abdulkareem, S.A.; Foh, C.H.; Carrez, F.; Moessner, K. A lightweight SEL for attack detection in IoT/IIoT networks. J. Netw. Comput. Appl. 2024, 230, 103980.
  21. Ramaiah, M.; Rahamathulla, M.Y. Securing the Industrial IoT: A Novel Network Intrusion Detection Models. In Proceedings of the 2024 3rd International Conference on Artificial Intelligence For Internet of Things (AIIoT), Vellore, India, 3–4 May 2024; pp. 1–6.
  22. Javeed, D.; Gao, T.; Saeed, M.S.; Kumar, P. An intrusion detection system for edge-envisioned smart agriculture in extreme environment. IEEE Internet Things J. 2023, 11, 26866–26876.
  23. Ferrag, M.A.; Friha, O.; Hamouda, D.; Maglaras, L.; Janicke, H. Edge-IIoTset: A new comprehensive realistic cyber security dataset of IoT and IIoT applications for centralized and federated learning. IEEE Access 2022, 10, 40281–40306.
  24. Alqura’n, R.; AlJamal, M.; AL-Aiash, I.; Alsarhan, A.; Khassawneh, B.; Aljaidi, M.; Alanazi, R. Advancing XSS Detection in IoT over 5G: A Cutting-Edge Artificial Neural Network Approach. IoT 2024, 5, 478–508.
  25. AlJamal, M.; Mughaid, A.; Bani-Salameh, H.; Alzubi, S.; Abualigah, L. Optimizing risk mitigation: A simulation-based model for detecting fake IoT clients in smart city environments. Sustain. Comput. Inform. Syst. 2024, 43, 101019.
  26. Alves, F.; Souza, E.G.; Sobjak, R.; Bazzi, C.L.; Hachisuca, A.M.M.; Mercante, E. Data processing to remove outliers and inliers: A systematic literature study. Rev. Bras. Eng. Agrícola Ambient. 2024, 28, e278672.
  27. Osborne, J. Improving your data transformations: Applying the Box-Cox transformation. Pract. Assess. Res. Eval. 2010, 15, 1.
  28. Elreedy, D.; Atiya, A.F.; Kamalov, F. A theoretical distribution analysis of synthetic minority oversampling technique (SMOTE) for imbalanced learning. Mach. Learn. 2024, 113, 4903–4923.
  29. Erkan, U.; Toktas, A.; Ustun, D. Hyperparameter optimization of deep CNN classifier for plant species identification using artificial bee colony algorithm. J. Ambient Intell. Humaniz. Comput. 2023, 14, 8827–8838.
  30. Zahedi, L.; Mohammadi, F.G.; Amini, M.H. OptABC: An Optimal Hyperparameter Tuning Approach for Machine Learning Algorithms. In Proceedings of the 2021 20th IEEE International Conference on Machine Learning and Applications (ICMLA), Pasadena, CA, USA, 13–16 December 2021; pp. 1138–1145.
  31. Mughaid, A.; Alqahtani, A.; AlZu’bi, S.; Obaidat, I.; Alqura’n, R.; AlJamal, M.; AL-Marayah, R. Utilizing machine learning algorithms for effectively detection IoT DDoS attacks. In Proceedings of the International Conference on Advances in Computing Research, Orlando, FL, USA, 8–10 May 2023; pp. 617–629.
  32. Zada, I.; Alatawi, M.N.; Saqlain, S.M.; Alshahrani, A.; Alshamran, A.; Imran, K.; Alfraihi, H. Fine-Tuning Cyber Security Defenses: Evaluating Supervised Machine Learning Classifiers for Windows Malware Detection. Comput. Mater. Contin. 2024, 80, 2917–2939.
  33. Choubey, H.; Pandey, A. A combination of statistical parameters for the detection of epilepsy and EEG classification using ANN and KNN classifier. Signal Image Video Process. 2021, 15, 475–483.
  34. Alkhalidy, M.; Al-Serhan, A.F.; Alsarhan, A.; Igried, B. A new scheme for detecting malicious nodes in vehicular ad hoc networks based on monitoring node behavior. Future Internet 2022, 14, 223.
  35. Kusa, W.; Peikos, G.; Staudinger, M.; Lipani, A.; Hanbury, A. Normalised Precision at Fixed Recall for Evaluating TAR. In Proceedings of the 10th ACM SIGIR/The 14th International Conference on the Theory of Information Retrieval, Washington, DC, USA, 13 July 2024.
Figure 1. Original distribution of instances in the Edge-IIoTset dataset.
Figure 2. Original distribution of instances in the Edge-IIoTset dataset.
Figure 3. Flowchart of the ABC algorithm for hyperparameter optimization.
Figure 4. Confusion matrix for the Decision Tree during the training stage.
Figure 5. Confusion matrix for the Decision Tree during the testing stage.
Figure 6. Confusion matrix for the SVM model during the training stage.
Figure 7. Confusion matrix for the SVM model during the testing stage.
Figure 8. Confusion matrix for the KNN model during the training stage.
Figure 9. Confusion matrix for the KNN model during the testing stage.
Figure 10. Confusion matrix for the Decision Tree model during the training stage after hyperparameter optimization.
Figure 11. Confusion matrix for the Decision Tree model during the testing stage after hyperparameter optimization.
Figure 12. Confusion matrix for the SVM model during the training stage after hyperparameter optimization.
Figure 13. Confusion matrix for the SVM model during the testing stage after hyperparameter optimization.
Figure 14. Confusion matrix for the KNN model during the training stage after hyperparameter optimization.
Figure 15. Confusion matrix for the KNN model during the testing stage after hyperparameter optimization.
Figure 16. Accuracy per iteration plots for the KNN algorithm during the training and testing stages: (a) training stage; (b) testing stage.
Table 1. Summary of related studies and our work.

| Citation | Overview of Study | Problem Definition | Methodology Used | Findings (Results) | Research Gap |
|---|---|---|---|---|---|
| [16] | Investigates the application of CNNs in IDS for Edge-IIoT environments. | Detecting security threats in IoT networks with diverse and extensive data streams. | Utilizes CNNs and variations like VGG16 and Xception to process the Edge-IIoT dataset. | Generic CNN model outperforms VGG16 and Xception, achieving 98.98% accuracy. | Need for more efficient deep learning models in constrained IoT environments. |
| [17] | Analyzes the effectiveness of deep learning models like DenseNet and Inception Time for detecting cyber-attacks in IoT networks. | Improving accuracy in multiclass classification tasks in IoT cybersecurity. | Trains DenseNet and Inception Time models on IoT datasets, focusing on diverse attack types. | Inception Time model achieves highest accuracy of 100% on Windows 10 data from ToN-IoT dataset. | Further refinement of model architectures to enhance performance across various IoT contexts. |
| [18] | Proposes a MEC-based architecture called DETECT using Federated Deep Learning to enhance IoT security. | Inadequacy of traditional centralized IDS in detecting sophisticated IoT attacks while maintaining privacy. | Deploys FL across MEC domains to create a shared learning model without centralizing sensitive data. | DETECT outperforms traditional centralized ML/DL-based IDSs with 99% accuracy on Edge-IIoTset. | Improved detection of zero-day attacks and enhanced privacy in IDS. |
| [19] | Introduces a hybrid CNN-LSTM model for privacy-aware intrusion detection in IIoT edge environments. | Achieving high accuracy in detecting attacks without compromising user privacy, avoiding application-layer features. | Combines CNN and LSTM networks, focusing on transport and network layer data to ensure privacy. | Model achieves 97.85% accuracy for binary classification and 97.14% for multiclass classification. | Real-time detection of attacks using non-application-layer data. |
| [20] | Presents a lightweight Stack Ensemble Learner (SEL) for attack detection in IoT/IIoT networks. | Implementing effective NIDS on IoT devices with limited memory and computational resources. | Uses Feature Importance as a filter-based technique to reduce dimensionality, followed by lightweight SEL. | FI-SEL model achieves 87.37% accuracy with significant reduction in training and testing times. | Deploying lightweight yet accurate NIDS models in resource-constrained IoT environments. |
| [21] | Investigates the performance of various ML and DL models for detecting cyberattacks in Industrial IoT networks. | Need for robust NIDS that can efficiently handle large and complex IIoT datasets while minimizing false positives. | Employs ERT, XGB, and LSTM with PCA for feature dimensionality reduction. | ERT model achieves highest accuracy of 99.93% on Edge-IIoTset dataset. | Improving detection accuracy while reducing computational complexity. |
| [22] | Proposes a DL-based IDS for edge-envisioned smart agriculture environments. | Vulnerability of IoT devices in smart agriculture environments to attacks due to deployment in harsh conditions. | Combines BiGRU and LSTM with softmax classifier, using TBPTT for handling long sequences. | Proposed IDS achieves validation accuracies of 99.82%, 99.55%, and 98.32% on three datasets. | Efficient, real-time detection of complex and evolving threats in edge environments. |
| Our Work | Explores the application of the ABC algorithm for hyperparameter optimization in ML classifiers for IoT cybersecurity. | Inefficiency of existing HPO methods in enhancing classifier performance for IoT network traffic analysis and malware detection. | Uses the ABC algorithm to optimize hyperparameters for classifiers like Decision Trees, SVM, and KNN. | ABC algorithm significantly improves classifiers’ accuracy, precision, recall, and F1-score. | Generalizability of the ABC algorithm across different IoT networks and threat landscapes. |
Table 2. Detailed categorization within the Edge-IIoTset dataset, highlighting the variety and magnitude of recorded cybersecurity threats and normal activities.

| Category | Count | Description |
|---|---|---|
| Backdoor | 10,195 | System breach using an unauthorized backdoor entry. |
| DDoS_HTTP | 10,561 | HTTP-based distributed denial-of-service attacks. |
| DDoS_ICMP | 14,090 | ICMP packet-based distributed denial-of-service attacks. |
| DDoS_TCP | 10,247 | TCP packet-based distributed denial-of-service attacks. |
| DDoS_UDP | 14,498 | UDP packet-based distributed denial-of-service attacks. |
| Fingerprinting | 1001 | System analysis techniques for information collection. |
| MITM | 1214 | Interception attacks between communication parties. |
| Normal | 24,301 | Traffic of securely transmitted data packets. |
| Password | 9989 | Password acquisition via brute force or sniffing. |
| Port_Scanning | 10,071 | Network and host exploration tactics. |
| Ransomware | 10,925 | Encryption of victim’s data for ransom demands. |
| SQL_injection | 10,311 | Injection attacks aimed at manipulating SQL database operations. |
| Uploading | 10,269 | Unauthorized data upload to servers. |
| Vulnerability_scanner | 10,076 | Usage of tools to identify security vulnerabilities. |
| XSS | 10,052 | Injection of malicious scripts to modify or steal data. |
Table 3. Results of the basic ML models.

| Algorithm | Class | Accuracy (Train) | Accuracy (Test) | Precision (Train) | Precision (Test) | Recall (Train) | Recall (Test) | F1-Score (Train) | F1-Score (Test) |
|---|---|---|---|---|---|---|---|---|---|
| Decision Tree | Backdoor | 0.8967 | 0.8899 | 0.8967 | 0.8898 | 0.9397 | 0.9399 | 0.9177 | 0.9142 |
| | DDoS_HTTP | 0.9333 | 0.9321 | 0.9333 | 0.9321 | 0.9121 | 0.9090 | 0.9226 | 0.9204 |
| | DDoS_ICMP | 0.9649 | 0.9676 | 0.9649 | 0.9676 | 0.9436 | 0.9414 | 0.9541 | 0.9543 |
| | DDoS_TCP | 0.9742 | 0.9781 | 0.9742 | 0.9781 | 0.9423 | 0.9481 | 0.9580 | 0.9629 |
| | DDoS_UDP | 0.9821 | 0.9903 | 0.9821 | 0.9903 | 0.9127 | 0.9175 | 0.9461 | 0.9525 |
| | Fingerprinting | 0.8778 | 0.8810 | 0.8778 | 0.8809 | 0.9861 | 0.9907 | 0.9288 | 0.9326 |
| | MITM | 0.9712 | 0.9714 | 0.9712 | 0.9715 | 0.9152 | 0.7973 | 0.9424 | 0.8758 |
| | Normal | 0.9641 | 0.9632 | 0.9641 | 0.9632 | 0.9340 | 0.8481 | 0.9488 | 0.9020 |
| | Password | 0.6288 | 0.6188 | 0.8800 | 0.6188 | 0.9706 | 0.9584 | 0.9231 | 0.7520 |
| | Port_Scanning | 0.8700 | 0.8604 | 0.8700 | 0.8604 | 0.9246 | 0.9195 | 0.8965 | 0.8890 |
| | Ransomware | 0.9800 | 0.9816 | 0.9800 | 0.9816 | 0.8703 | 0.8609 | 0.9219 | 0.9173 |
| | SQL_injection | 0.8900 | 0.8786 | 0.8900 | 0.8786 | 0.9539 | 0.9507 | 0.9209 | 0.9132 |
| | Uploading | 0.7800 | 0.7834 | 0.7800 | 0.7834 | 0.7677 | 0.7703 | 0.7738 | 0.7768 |
| | Vulnerability_scanner | 0.7900 | 0.7921 | 0.7900 | 0.7920 | 0.7996 | 0.8019 | 0.7948 | 0.7970 |
| | XSS | 0.7800 | 0.7823 | 0.7800 | 0.7823 | 0.7831 | 0.7860 | 0.7816 | 0.7841 |
| SVM | Backdoor | 0.9016 | 0.9054 | 0.9016 | 0.9053 | 0.9434 | 0.9445 | 0.9220 | 0.9245 |
| | DDoS_HTTP | 0.9367 | 0.9369 | 0.9367 | 0.9369 | 0.9168 | 0.9199 | 0.9266 | 0.9283 |
| | DDoS_ICMP | 0.9678 | 0.9693 | 0.9678 | 0.9693 | 0.9464 | 0.9476 | 0.9570 | 0.9583 |
| | DDoS_TCP | 0.9711 | 0.9709 | 0.9711 | 0.9709 | 0.9165 | 0.9145 | 0.9430 | 0.9418 |
| | DDoS_UDP | 0.9895 | 0.9892 | 0.9895 | 0.9892 | 0.8710 | 0.8685 | 0.9265 | 0.9249 |
| | Fingerprinting | 0.7945 | 0.7891 | 0.7945 | 0.7891 | 0.9876 | 0.9873 | 0.8806 | 0.8772 |
| | MITM | 0.9733 | 0.9735 | 0.9733 | 0.9735 | 0.8357 | 0.8354 | 0.8992 | 0.8992 |
| | Normal | 0.9863 | 0.9866 | 0.9863 | 0.9866 | 0.8743 | 0.8743 | 0.9269 | 0.9270 |
| | Password | 0.6923 | 0.6917 | 0.6923 | 0.6917 | 0.9790 | 0.9792 | 0.8110 | 0.8107 |
| | Port_Scanning | 0.8744 | 0.8746 | 0.8744 | 0.8746 | 0.8895 | 0.8930 | 0.8819 | 0.8837 |
| | Ransomware | 0.9432 | 0.9468 | 0.9432 | 0.9468 | 0.8619 | 0.8631 | 0.9007 | 0.9030 |
| | SQL_injection | 0.8736 | 0.8753 | 0.8736 | 0.8753 | 0.9469 | 0.9477 | 0.9088 | 0.9101 |
| | Uploading | 0.7933 | 0.7938 | 0.7933 | 0.7938 | 0.7711 | 0.7693 | 0.7820 | 0.7814 |
| | Vulnerability_scanner | 0.7937 | 0.7891 | 0.7937 | 0.7891 | 0.8032 | 0.8027 | 0.7985 | 0.7959 |
| | XSS | 0.7765 | 0.7769 | 0.7765 | 0.7769 | 0.7899 | 0.7887 | 0.7831 | 0.7828 |
| KNN | Backdoor | 0.9100 | 0.9164 | 0.9100 | 0.9165 | 0.9366 | 0.9382 | 0.9231 | 0.9272 |
| | DDoS_HTTP | 0.9378 | 0.9386 | 0.9378 | 0.9385 | 0.9177 | 0.9230 | 0.9277 | 0.9307 |
| | DDoS_ICMP | 0.9699 | 0.9712 | 0.9699 | 0.9712 | 0.9636 | 0.9651 | 0.9667 | 0.9681 |
| | DDoS_TCP | 0.9754 | 0.9763 | 0.9754 | 0.9763 | 0.9001 | 0.9013 | 0.9363 | 0.9373 |
| | DDoS_UDP | 0.9901 | 0.9907 | 0.9901 | 0.9907 | 0.8895 | 0.8908 | 0.9371 | 0.9381 |
| | Fingerprinting | 0.7983 | 0.8001 | 0.7983 | 0.8001 | 0.9939 | 0.9942 | 0.8854 | 0.8867 |
| | MITM | 0.9798 | 0.9801 | 0.9798 | 0.9801 | 0.8178 | 0.8182 | 0.8915 | 0.8918 |
| | Normal | 0.9904 | 0.9907 | 0.9904 | 0.9907 | 0.9023 | 0.9026 | 0.9443 | 0.9446 |
| | Password | 0.6963 | 0.6968 | 0.6963 | 0.6968 | 0.9888 | 0.9891 | 0.8172 | 0.8176 |
| | Port_Scanning | 0.8813 | 0.8823 | 0.8813 | 0.8823 | 0.8834 | 0.8850 | 0.8823 | 0.8836 |
| | Ransomware | 0.9443 | 0.9461 | 0.9443 | 0.9461 | 0.8760 | 0.8768 | 0.9089 | 0.9101 |
| | SQL_injection | 0.8745 | 0.8747 | 0.8745 | 0.8748 | 0.9460 | 0.9467 | 0.9088 | 0.9093 |
| | Uploading | 0.7889 | 0.7892 | 0.7889 | 0.7892 | 0.7271 | 0.7376 | 0.7567 | 0.7625 |
| | Vulnerability_scanner | 0.7799 | 0.8001 | 0.7799 | 0.8001 | 0.7934 | 0.7982 | 0.7866 | 0.7992 |
| | XSS | 0.7816 | 0.7832 | 0.7816 | 0.7833 | 0.8386 | 0.8444 | 0.8091 | 0.8127 |
Table 4. Results of the hyperparameter tuning for the basic ML models.

| Algorithm | Class | Accuracy (Train) | Accuracy (Test) | Precision (Train) | Precision (Test) | Recall (Train) | Recall (Test) | F1-Score (Train) | F1-Score (Test) |
|---|---|---|---|---|---|---|---|---|---|
| Decision Tree | Backdoor | 0.9899 | 0.9931 | 0.9899 | 0.9931 | 0.9947 | 0.9968 | 0.9923 | 0.9950 |
| | DDoS_HTTP | 0.9991 | 1 | 0.9991 | 1 | 0.9889 | 0.9924 | 0.9940 | 0.9962 |
| | DDoS_ICMP | 0.9923 | 0.9947 | 0.9923 | 0.9947 | 0.9977 | 0.9986 | 0.9950 | 0.9966 |
| | DDoS_TCP | 0.9951 | 0.9976 | 0.9951 | 0.9977 | 0.9920 | 0.9955 | 0.9935 | 0.9966 |
| | DDoS_UDP | 0.9994 | 1 | 0.9994 | 1 | 0.9881 | 0.9935 | 0.9937 | 0.9967 |
| | Fingerprinting | 0.9847 | 0.991 | 0.9847 | 0.991 | 0.9993 | 0.9997 | 0.9920 | 0.9953 |
| | MITM | 1 | 1 | 1 | 1 | 0.9815 | 0.9863 | 0.9907 | 0.9931 |
| | Normal | 1 | 1 | 1 | 1 | 0.9920 | 0.9941 | 0.9960 | 0.9971 |
| | Password | 0.973 | 0.9802 | 0.9730 | 0.9802 | 1 | 1 | 0.9863 | 0.9900 |
| | Port_Scanning | 0.9673 | 0.97 | 0.9673 | 0.97 | 0.9852 | 0.9878 | 0.9762 | 0.9788 |
| | Ransomware | 1 | 1 | 1 | 1 | 0.9680 | 0.9716 | 0.9837 | 0.9856 |
| | SQL_injection | 0.9736 | 0.9783 | 0.9736 | 0.9783 | 0.9884 | 0.9893 | 0.9809 | 0.9838 |
| | Uploading | 0.9498 | 0.9499 | 0.9498 | 0.9499 | 0.9737 | 0.9869 | 0.9616 | 0.9681 |
| | Vulnerability_scanner | 0.9831 | 0.9991 | 0.9831 | 0.999 | 0.9632 | 0.9648 | 0.9731 | 0.9816 |
| | XSS | 0.9787 | 0.9816 | 0.9787 | 0.9816 | 0.9749 | 0.9797 | 0.9768 | 0.9807 |
| SVM | Backdoor | 0.9912 | 0.9973 | 0.9912 | 0.9973 | 1 | 1 | 0.9956 | 0.9986 |
| | DDoS_HTTP | 1 | 1 | 1 | 1 | 0.9930 | 0.9978 | 0.9965 | 0.9989 |
| | DDoS_ICMP | 1 | 1 | 1 | 1 | 0.9982 | 0.9995 | 0.9991 | 0.9997 |
| | DDoS_TCP | 1 | 1 | 1 | 1 | 0.9929 | 0.9950 | 0.9964 | 0.9975 |
| | DDoS_UDP | 1 | 1 | 1 | 1 | 0.9928 | 0.9950 | 0.9964 | 0.9975 |
| | Fingerprinting | 0.9856 | 0.9899 | 0.9856 | 0.9898 | 1 | 1 | 0.9927 | 0.9949 |
| | MITM | 1 | 1 | 1 | 1 | 0.9870 | 0.9885 | 0.9935 | 0.9942 |
| | Normal | 1 | 1 | 1 | 1 | 0.9944 | 0.9951 | 0.9972 | 0.9975 |
| | Password | 0.9812 | 0.9834 | 0.9812 | 0.9834 | 1 | 1 | 0.9905 | 0.9916 |
| | Port_Scanning | 0.9782 | 0.9799 | 0.9782 | 0.9798 | 0.9895 | 0.9944 | 0.9838 | 0.9871 |
| | Ransomware | 1 | 1 | 1 | 1 | 0.9779 | 0.9827 | 0.9888 | 0.9913 |
| | SQL_injection | 0.9812 | 0.9901 | 0.9812 | 0.9901 | 0.9923 | 0.9930 | 0.9867 | 0.9916 |
| | Uploading | 0.9657 | 0.9684 | 0.9657 | 0.9684 | 0.9776 | 0.9793 | 0.9716 | 0.9739 |
| | Vulnerability_scanner | 0.9859 | 0.986 | 0.9859 | 0.986 | 0.9732 | 0.9756 | 0.9795 | 0.9808 |
| | XSS | 0.9812 | 0.9836 | 0.9812 | 0.9835 | 0.9821 | 0.9831 | 0.9816 | 0.9833 |
| KNN | Backdoor | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| | DDoS_HTTP | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| | DDoS_ICMP | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| | DDoS_TCP | 1 | 1 | 1 | 1 | 0.9957 | 1 | 0.9979 | 1 |
| | DDoS_UDP | 1 | 1 | 1 | 1 | 0.9957 | 1 | 0.9979 | 1 |
| | Fingerprinting | 0.9914 | 1 | 0.9914 | 1 | 1 | 1 | 0.9957 | 1 |
| | MITM | 1 | 1 | 1 | 1 | 0.9939 | 0.9952 | 0.9970 | 0.9976 |
| | Normal | 1 | 1 | 1 | 1 | 0.9974 | 0.9979 | 0.9987 | 0.9990 |
| | Password | 0.9913 | 0.9932 | 0.9913 | 0.9931 | 1 | 1 | 0.9956 | 0.9966 |
| | Port_Scanning | 0.9921 | 0.9938 | 0.9921 | 0.9938 | 0.9931 | 0.9933 | 0.9926 | 0.9936 |
| | Ransomware | 1 | 1 | 1 | 1 | 0.9894 | 0.9905 | 0.9946 | 0.9952 |
| | SQL_injection | 0.9875 | 0.9877 | 0.9875 | 0.9877 | 0.9972 | 0.9978 | 0.9923 | 0.9927 |
| | Uploading | 0.982 | 0.9834 | 0.982 | 0.9834 | 0.9829 | 0.9913 | 0.9825 | 0.9873 |
| | Vulnerability_scanner | 0.9899 | 0.999 | 0.9899 | 0.999 | 0.9839 | 0.9859 | 0.9869 | 0.9924 |
| | XSS | 0.9846 | 0.9878 | 0.9846 | 0.9878 | 0.9897 | 0.9931 | 0.9872 | 0.9904 |
Table 5. Computational costs comparison between the first and second experiments.
| Metric | First Experiment (Baseline Model) | Second Experiment (ABC Optimized) |
|---|---|---|
| Training Time (s) | 1500 | 2200 |
| Inference Time (s) | 300 | 350 |
| Memory Usage (MB) | 1024 | 1280 |
| CPU Utilization (%) | 70% | 80% |
Table 6. Comparison of class-specific accuracies between [16,18] and our study.
| Dataset | Class | Accuracy: Ref [16] | Accuracy: Ref [18] | Accuracy: Our Results |
|---|---|---|---|---|
| Edge-IIoTset | Backdoor | 98% | 79% | 100% |
| | DDoS_HTTP | 95% | 100% | 100% |
| | DDoS_ICMP | 100% | 94% | 100% |
| | DDoS_TCP | 100% | 100% | 100% |
| | DDoS_UDP | 100% | 100% | 100% |
| | Fingerprinting | 63% | 96% | 99.14% |
| | MITM | 100% | 74% | 100% |
| | Normal | 100% | 100% | 100% |
| | Password | 19% | 74% | 99.13% |
| | Port Scanning | 49% | 73% | 99.21% |
| | Ransomware | 88% | 99% | 100% |
| | SQL Injection | 91% | 100% | 98.75% |
| | Uploading | 47% | 100% | 98.2% |
| | Vulnerability Scanner | 85% | 95% | 98.99% |
| | XSS | 25% | 81% | 98.46% |
Table 7. Computational costs and resources.
| Task | Details |
|---|---|
| Training/Evaluation Time (No Optimization) | 15 min |
| Population Size | 30 bees (solutions) |
| Generations | 50 generations |
| Total Time (with ABC Optimization) | 45 min |
| Additional Time Due to ABC | 30 min |
| Memory Usage Impact | Moderate increase in memory usage |
Alsarhan, A.; AlJamal, M.; Harfoushi, O.; Aljaidi, M.; Barhoush, M.M.; Mansour, N.; Okour, S.; Abu Ghazalah, S.; Al-Fraihat, D. Optimizing Cyber Threat Detection in IoT: A Study of Artificial Bee Colony (ABC)-Based Hyperparameter Tuning for Machine Learning. Technologies 2024, 12, 181. https://doi.org/10.3390/technologies12100181