Robust DDoS Attack Detection Using Piecewise Harris Hawks Optimizer with Deep Learning for a Secure Internet of Things Environment

Abstract

The Internet of Things (IoT) refers to the network of interconnected physical devices that are embedded with software, sensors, etc., allowing them to exchange and collect information. Although IoT devices have several advantages and can improve people’s efficacy, they also pose a security risk. The malicious actor frequently attempts to find a new way to utilize and exploit specific resources, and an IoT device is an ideal candidate for such exploitation owing to the massive number of active devices. Especially, Distributed Denial of Service (DDoS) attacks include the exploitation of a considerable number of devices like IoT devices, which act as bots and transfer fraudulent requests to the services, thereby obstructing them. There needs to be a robust system of detection based on satisfactory methods for detecting and identifying whether these attacks have occurred or not in a network. The most widely used technique for these purposes is artificial intelligence (AI), which includes the usage of Deep Learning (DL) and Machine Learning (ML) to find cyberattacks. The study presents a Piecewise Harris Hawks Optimizer with an Optimal Deep Learning Classifier (PHHO-ODLC) for a secure IoT environment. The fundamental goal of the PHHO-ODLC algorithm is to detect the existence of DDoS attacks in the IoT platform. The PHHO-ODLC method follows a three-stage process. At the initial stage, the PHHO algorithm can be employed to choose relevant features and thereby enhance the classification performance. Next, an attention-based bidirectional long short-term memory (ABiLSTM) network can be applied to the DDoS attack classification process. Finally, the hyperparameter selection of the ABiLSTM network is carried out by the use of a grey wolf optimizer (GWO). A widespread simulation analysis was performed to exhibit the improved detection accuracy of the PHHO-ODLC technique. The extensive outcomes demonstrated the significance of the PHHO-ODLC technique regarding the DDoS attack detection technique in the IoT platform.

1. Introduction

The Internet of Things (IoT) is an emerging network of physical things which are connected to the internet [1]. With the help of accessible digital data, it assists in the conversion of internet-connected devices from any position and at any time into a connected ecosystem. The physical gadgets which range in size from compact to tremendous equipment interrelate among them without human interference via the internet [2]. Various supporting technologies are available, which include cloud computing, radio frequency identification and wireless sensor networks that have developed as important components of the IoT paradigm’s growth [3]. It has been utilized in many applications like healthcare, personal wearable devices and environmental monitoring to improve the variety, veracity, volume and velocity of information. For example, sensitive data like personal information are managed by the connected system and these devices. Therefore, from manufacturing as well as academia, there has been improved attention to increasing security solutions for IoT devices [4]. Distributed Denial of Service (DDoS) threats are mainly developed to prevent genuine clients from accessing a real service or website. The intended website or service is attacked with requests which come from numerous sources and make it inaccessible to legitimate consumers [5].

In numerous ways, the attack can be produced by fake traffic and pingback. These kinds of attacks are more efficient when the server host of the target webpage is insufficient to handle the expected traffic [6]. Owing to the capability of the present servers to control massive amounts of traffic, an attack performed from a single origin is not feasible. So due to evaluation and growth, DDoS attacks have remained a foremost attack throughout the years [7]. To determine DDoS/DoS threats in IoT networks, classical IDS makes use of effective techniques like machine learning (ML), statistical anomaly and signature-based detection [8]. Moreover, the recognition of DDoS or DoS attacks in IoT systems poses a major problem for classical Intrusion-Detection Systems (IDS). These types of networks usually use methods like signature-based, ML-based and statistical anomaly [9]. The unique features of IoT networks include the huge number of interconnected devices, heterogeneous traffic patterns and varied communication protocols which contribute to the difficulty of threading malicious actions.

The traditional IDS techniques are mainly developed for conventional networks and fight to manage the unpredictable as well as dynamic nature of IoT surroundings [10]. The conventional methods are not more efficient in handling the progressive threats [11]. Advanced deep learning (DL) methods have been developed for abnormal behavior identification (ABN) and automatic intrusion detection (AID). Recently, ML and DL methods have been specially designed and applied for ABN and AID in networks and for their prevention [12].

This study presents a Piecewise Harris Hawks Optimizer with an Optimal Deep Learning Classifier (PHHO-ODLC) for a secure IoT environment. The fundamental goal of the PHHO-ODLC technique is to detect the existence of DDoS attacks in the IoT platform. The PHHO-ODLC technique follows a three-stage process. At the initial stage, the PHHO algorithm can be employed to choose relevant features and thereby enhance the classification performance. Next, the attention-based bi-directional long short-term memory (ABiLSTM) model can be applied to the DDoS attack classification process. Finally, the hyperparameter selection of the ABiLSTM network is implemented by the use of a grey wolf optimizer (GWO). A widespread simulation analysis was performed to show the improved detection accuracy of the PHHO-ODLC technique.

2. Literature Survey

Sharifian et al. [13] designed a Binary Improved African Vulture Optimization Algorithm (Sin-Cos BIAVOA) method. This technique utilizes a new Compound Transfer method (Sin-Cos) to improve the exploration. The Gravitational-Fixed Radius NN (GFRNN) is used as a classification algorithm to choose the optimum feature set in this technique. Dora and Laskhmi [14] proposed a DDoS classification technique by incorporating optimized LSTM and CNN, which is referred to as CNN-O-LSTM. The optimal features can be chosen by the Closest Position-Based GWO (CP-GWO) method. The CNN technique is mainly designed to learn features. Lastly, optimized LSTM is utilized for the detection part, and it is investigated on standard datasets. In [15], a new DL technique was introduced. The research presented the CNN technique, which established an effective feature fusion mechanism. Moreover, a symmetric logarithmic loss method is also designed based on the categorical cross-entropy. Additionally, the designed detection structure has been implemented in the GPU-enabled TensorFlow and estimated by utilizing the NSL-KDD datasets.

Matsa et al. [16] developed a Forward Feature Selection (FFS) technique, which is applied in selecting the optimal features for DDoS attacks. The DL and highly advanced ML method was utilized to execute a hybrid technique for combining DM algorithms of deep neural networks and CNNs. Implementation was employed on FS given the need to detect DDoS on the software-defined networks by utilizing the FFS procedure. Rihan et al. [17] projected a method for identifying threats in IoT networks by employing ensemble FS and DL techniques. Ensemble FS integrates filter methods, namely, L1based, Chi-square, mutual information, variance threshold and ANOVA techniques. The wrapper process is named Recursive Feature Elimination (RFE), which is useful in improving the FS. In [18], a Hybrid Sample Selected RNN-ELM (hybrid SSRNN-ELM) method was provided. From the original dataset, the selected features are removed by utilizing a Sequence Forward Selector (SFS) and LR—Recursive Feature Extraction (LR-RFE). Next, RNN is utilized for learning the features. Next, at the end layer, the ELM algorithm is applied. By using the NSL-KDD dataset, this method is verified.

Setitra et al. [19] developed an improved DL technique with the combination of the Extreme Gradient Boosting (XGBoost) and Autoencoder (AE) methods. Initially, the Shapley Additive exPlanations (SHAP) FS procedure is implemented. On the preceding subsets, the AE is trained. The latent symbol is employed as the input which is produced by the AE. Similarly, Grid Search cross-validation (GSCV) is utilized to find out the hyperparameters. Yousuf and Mir [20] projected a Detecting Attack by employing a Live Capture Neural Network (DALCNN) with the model of RNN as well as executing a Software Defined Network (SDN) by utilizing the OpenDayLight stage. Additionally, the three-tier architecture is mainly designed to categorize and identify DDoS threats. This method organizes the type of attack through ML/DL concepts and novel activation functions.

Padmashree and Krishnamoorthi [21] introduced an effective feature selection with the feature fusion method for the recognition of intruders in IoT. From the preprocessed data, the high-order statistical features are chosen according to the presented Decision tree-based Pearson Correlation Recursive Feature Elimination (DT-PCRFE) method. Alzaqebah et al. [22] present a modified bio-inspired algorithm, the Grey Wolf Optimization algorithm (GWO), which improves the efficiency of the IDS in identifying normal and anomalous traffic in the network. The major improvement covers the smart initialization stage, which fuses the filter and wrapper techniques to ensure that the informative features will be included in an early iteration. Toldinas et al. [23] present a new technique for network intrusion detection using multi-stage DL image recognition. The network feature is converted into four-channel (Red, Green, Blue and Alpha) images. Then, the image is used for classification for training and testing the pre-trained DL model ResNet-50.

3. The Proposed Model

In this study, we have designed an automatic PHHO-ODLC algorithm for a secure IoT environment. The fundamental goal of the PHHO-ODLC technique is to detect the existence of DDoS attacks in the IoT platform. The PHHO-ODLC technique follows three-stage processes such as PHHO PHHO-based FS, ABiLSTM-based DDoS attack detection and GWO-based hyperparameter tuning. Figure 1 depicts the entire flow of the PHHO-ODLC algorithm.

Figure 1. Overall flow of the PHHO-ODLC algorithm.

3.1. Design of the PHHO Algorithm

Primarily, the PHHO algorithm can be employed to choose relevant features and thereby enhance the classification performance. Heidari et al., in 2019, introduced a gradient-free metaheuristic and population-based algorithm to HHO, which emulates the pursuing behaviors of the hawk group to find an optimum solution [24]. The HHO comprises three stages: the local development, global search and transition stages.

• Global search stage

The Hawk individuals split up to enlarge the search space and improve the chances of finding the target. Individuals in the population will perch on any place, and the two selection tactics for the perch location are as follows:

$$X\left(t+1\right)=\left\{\begin{array}{c}{X}_{rand}\left(t\right)-r_1\left|X_{rand}\left(t\right)-2r_{2}X\left(t\right)\right|, q\ge 0.5\\ \left(X_{rabbit}\left(t\right)-X_m\left(t\right)\right)-r_3\left(LB+r_4\left(UB-LB\right)\right), q<0.5\end{array}\right.$$

(1)

In Equation (1), $r_1,r_2,r_3,r_4$ and $q$ are the random number ranges within [0, 1], $X_{rabbit}$ represents the prey location, $X_{and}$ shows an individual random location in the present hawk group, $UB$ and $LB$ denote the upper and lower limitations of the search area, $N$ indicates the population number, $X_m$ refers to the average location of the individual in the existing hawk group and $X\left(t\right)$ shows the individual location as follows:

$$X_m\left(t\right)=\frac{1}{N}\sum _{i=1}^N{X}_i\left(t\right)$$

(2)

• Transition stage

The individual hawk chooses the hunting strategy based on the changes in the escaping energy of the prey. Now, the HHO technique transits from the search to exploitation phases using the subsequent escaping energy equation.

$$E=2E_0\left(1-\frac{t}{T}\right)$$

(3)

In Equation (3), the escaping energy at the initial state is $E_0$ and is a randomly generated value within $[-1, 1$],$T$ represents the overall iteration counter and $t$ shows the existing iteration counter.

• Local development phase

Based on the escaping route of the prey, the hawk adopts a pursuit strategy. The HHO technique exploits the subsequent four social behaviors for stimulating the roundup behaviors of hawks. The escaping possibility of prey is represented as $r,$ where $r\ge 0.5$ implies failure and $r<0.5$ implies success.

Soft roundup: if $r\ge 0.5$ and $\left|E\right|\ge 0.5$, then the prey has sufficient escaping energy and the prey is energetic; hence, the hawk uses a soft strategy, as follows:

$$X\left(t+1\right)=\Delta X\left(t\right)-E\left|J{X}_{rabbit}\left(t\right)-X\left(t\right)\right|$$

(4)

$$X\left(t\right)=X_{rabbit}\left(t\right)-X\left(t\right)$$

(5)

From the expression, the difference between the prey and the existing location of individuals at iteration $t$ is $\Delta X\left(t\right)$, and the random escaping strength of the prey is $J$, which is a randomly generated value within [0, 2].

Hard round-up: if $r\ge 0.5$ but $\left|E\right|<0.5,$ then the prey has low energy to escape and is exhausted; hence, the individual hawk adopts a hard strategy as:

$$X\left(t+1\right)=X_{rabbit}\left(t\right)-E\left|\Delta X\left(t\right)\right|$$

(6)

Soft round-up with progressive quick dive: if $r<0.5$ and $\left|E\right|\ge 0.5$, then the target has the possibility of effective escape and the prey is energetic, so the hawk individuals adopt a gentle encirclement to perform the surprise attacks. The study introduced a Levy flight (LF) to emulate the behaviors and escaping route of the target, and the updating location strategy is given below:

$$Y=X_{rabbit}\left(t\right)-E\left|J{X}_{rabbit}\left(t\right)-X\left(t\right)\right|$$

(7)

$$Z=Y+S\times LF\left(D\right)$$

(8)

$$X\left(t+1\right)=\left\{\begin{array}{l}Y,F\left(Y\right)<F\left(X\left(t\right)\right)\\ Z,F\left(Z\right)<F\left(X\left(t\right)\right)\end{array}\right.$$

(9)

where the random vector of size $1\times D$ dimension is $S$, $D$ shows the problem dimension, the Levy flight function is $LP\left(\right)$ and the fitness function is $F\left(\right)$. Hard round-up with progressive quick dive: if $r<0.5$ and $\left|E\right|<0.5$, then the prey does not have sufficient energy to escape; hence, a progressive quick-dive tough roundup approach is applied.

$$Y=X_{rabbit}\left(t\right)-E\left|J{X}_{rabbit}\left(t\right)-X_m\left(t\right)\right|$$

(10)

$$Z=Y+S\times LF\left(D\right)$$

(11)

$$X\left(t+1\right)=\left\{\begin{array}{l}Y,F\left(Y\right)<F\left(X\left(t\right)\right)\\ Z,F\left(Z\right)<F\left(X\left(t\right)\right)\end{array}\right.$$

(12)

3.2. Piecewise Chaotic Map

A standard representative of a chaotic map is a piecewise chaotic map, which is randomized and more ergodic. The piecewise chaotic map is introduced to increase the initial population for increasing the probability of escaping from local optima and also enhancing the population diversity of HHO. The mathematical equation is given below:

$$x\left(t+1\right)=\left\{\begin{array}{cc}\frac{x\left(t\right)}{p},\hfill & 0\le x\left(t\right)<p\hfill \\ \frac{x\left(t\right)-p}{0.5-p},\hfill & p\le x\left(t\right)<0.5\hfill \\ \frac{1-p-x\left(t\right)}{0.5-p},\hfill & 0.5\le x\left(t\right)<1-p\hfill \\ \frac{1-x\left(t\right)}{p},\hfill & 1-p\le x\left(t\right)<1\hfill \end{array}\right.$$

(13)

In the PHHO technique, the FF is used to balance between the number of features selected in the solution (minimum) and the classification outcome (maximum) attained by the selected features. Equation (10) shows the FF for calculating the solution.

$$Fitness=\alpha {\gamma }_R\left(D\right)+\beta \frac{\left|R\right|}{\left|C\right|}$$

(14)

In Equation (14), the parameters $\alpha$ and $\beta$ correspond to the significance of the classification quality and subset length. ∈ [1, 0] and $\beta =1-\alpha .{\gamma }_R\left(D\right)$ shows the classifier error rate. $\left|R\right|$ shows the cardinality of the selected subset, and the total number of features in the dataset is represented as $\left|C\right|$.

3.3. Structure of the ABiLSTM Model

The ABiLSTM model can be used for attack detection. The classical LSTM is only capable of using prior context [25]. The Bi-LSTM is used to access long-range data to better grab two-direction context dependency. At the same time, Bi-directional architecture extracts the context data from both directions with forward and backward layers.

The hidden sequence and output of the forward layer are computed repeatedly by the input in a sequential order from step 1 to step $t$, and the hidden sequence and output of the backward layer are repeated from step $t$ to 1. $\overrightarrow{h_t}$ and ${\overleftarrow{h}}_t$ indicate the output of the forward and backward layers computed by the typical LSTM, correspondingly. The Bi-LSTM layer produces an output vector, $Y$, where every component is evaluated by the following equation:

$${\mathrm{y}}_{\mathrm{t}}=\sigma \left(\overrightarrow{h_t},{\overleftarrow{h}}_t\right)$$

(15)

where function $\sigma$ is used for coupling the two $\overrightarrow{h_t}$ and ${\overleftarrow{h}}_t$ series. The last output of the Bi-LSTM layer is formulated as $Y=\left[y_1,y_2,\dots ,y_t\right]$, where the final component, $y_t$, refers to the predicted well-log values for the next depth once the Bi-LSTM implements well-logging prediction. Figure 2 represents the structure of ABiLSTM.

Figure 2. Architecture of ABiLSTM.

In recent times, the attention model-based NN has illustrated success in a large number of tasks. In Bi-LSTM with an attention model, the attention mechanism aligns with the input cell state at the existing step through the implicit state of Bi-LSTM or to exploit the final cell state of the Bi-LSTM, Next, the relationship between the outputs and the candidate intermediate states is evaluated. The relevant data are highlighted, and the unrelated data are suppressed to optimize the efficiency and accuracy of prediction in the learning method:

$$M=\mathrm{t}\mathrm{a}\mathrm{n}\mathrm{h}\left(Y\right)$$

(16)

$$\alpha =softmax\left(w_a^{T}M\right)$$

(17)

$$A=Y{\alpha }^T$$

(18)

where $Y$ refers to a matrix and shows the features taken by the Bi-LSTM networks in the above-mentioned matrix $Y=[y_1,y_2,\dots ,y_t$]. $T$ indicates the transpose function. The weight coefficient matrix of the attention layer can be represented as $w_a$. $\alpha$ signifies the attention weight for features Y.

3.4. Process Involved in GWO-Based Parameter Selection

The GWO approach is employed to tune the hyperparameter values of the ABiLSTM model. GWO is a global random search approach presented by inspiring searching and hunting behaviors of grey wolves [26]. There are four levels of GW population from low to high: $\alpha$, $\beta$, $\delta$ and $\omega$ wolves. Target hunting is performed strictly based on the order of the wolf pack. The hunting procedure of GW can be separated into three parts, namely, searching and attacking prey, encircling prey and hunting. GWs move closer and encircle prey once they start searching for prey, and the performance is represented in Equations (19) and (20) as:

$$D=\left|M\cdot X_p\left(t\right)-X\left(t\right)\right|$$

(19)

$$X\left(t+1\right)=X_p\left(t\right)-A\cdot D$$

(20)

whereas $t$ denotes the count of existing iterations, $X\left(t\right)$ and $X\left(t\right)$ imply the location vectors of prey and GW $x,\left(t+1\right)$ is the novel place of GW and $D$ denotes the distance between GW and targets. $M$ and $A$ are co-ordination coefficient vectors which are determined by Equations (21) and (22):

$$A=2a\cdot r_1-a$$

(21)

$$M=2\cdot r_2$$

(22)

where $a$ represents the convergence factor to be linearly reduced from two to zero in the iteration method, and $r_1$ and $r_2$ denote the random numbers between zero and one.

In the control of optimum wolves, wolves recognize the place of prey and get closer towards it. This performance is represented by Equations (23)–(26):

$$D_{\alpha }=\left|M_1\cdot X_{\alpha }-X\left(t\right)\right|,X_1=X_{\alpha }-A_1\cdot D_{\alpha }$$

(23)

$$D_{\beta }=\left|M_2\cdot X_{\beta }-X\left(t\right)\right|,X_2=X_{\beta }-A_2\cdot D_{\beta }$$

(24)

$$D_{\delta }=\left|M_3\cdot X_{\delta }-X\left(t\right)\right|,X_3=X_{\delta }-A_3\cdot D_{\delta }$$

(25)

$$X\left(t+1\right)=\frac{X_1+X_2+X_3}{3}$$

(26)

whereas $\alpha$ stands for the neighboring wolf to prey, $\beta$ denotes the second nearby wolf towards the target and $\delta$ implies the third adjoining wolf towards the target. The upgraded average of $\alpha$, $\beta$ and $\delta$ wolves provides the novel GW place.

GW groups mostly hunt based on the information of $\alpha$, $\beta$ and $\delta$ wolves. During the mathematical process, the values of the co-ordination coefficient vector can be deployed for controlling if the GW is exploring for an attacking target. If |A|$>1$, then GW in the prey increases their searching possibility to place the prey efficiently. If |A|$<1$, then GW restricts the searching region to attack the target. The fitness selection is a primary factor in the GWO technique. An encoded solution is employed to evaluate the outcome of the solution candidate. At this point, the accuracy values are the major condition exploited to design a FF.

$$Fitness=\mathrm{m}\mathrm{a}\mathrm{x}\left(P\right)$$

(27)

$$P=\frac{TP}{TP+FP}$$

(28)

where $TP$ and $FP$ represent the true- and false-positive values.

4. Performance Evaluation

The DDoS attack detection results of the PHHO-ODLC technique are tested by applying the BoT-IoT dataset [27] in terms of two aspects: the binary dataset and multi-class dataset. Table 1 shows the details of the binary database.

Table 1. Details on the binary database.

Binary Database
Classes	No. of Samples
Attack	1579
Normal	477
Total No. of Instances	2056

Figure 3 illustrates the classifier analysis of the PHHO-ODLC algorithm on the binary database. Figure 3a,b show the confusion matrices provided with the PHHO-ODLC system at 80:20 of the TR Phase/TS Phase. The figure signified that the PHHO-ODLC algorithm has recognized and classified two class labels. Also, Figure 3c exhibits the PR curve of the PHHO-ODLC algorithm. The outcome illustrated that the PHHO-ODLC methodology has attained improved PR performance in two classes. However, Figure 3d shows the ROC analysis of the PHHO-ODLC method. The outcome described that the PHHO-ODLC algorithm resulted in an efficient outcome with high ROC values in different class labels.

Figure 3. Binary database. (a,b) Confusion matrices, (c) PR_curve and (d) ROC.

The attack detection outcomes of the PHHO-ODLC method are tested on the binary dataset in Table 2 and Figure 4. The simulation value indicated that the PHHO-ODLC algorithm appropriately recognizes the attacks and normal samples. On 80% of the TR Phase, the PHHO-ODLC system provides an average $acc{u}_y$ of 97.64%, $pre{c}_n$ of 97.01%, $rec{a}_l$ of 97.64%, $F_{score}$ of 97.32% and $AU{C}_{score}$ of 97.64%. Additionally, with 20% of the TS Phase, the PHHO-ODLC approach offers an average $acc{u}_y$ of 99.20%, $pre{c}_n$ of 98.90%, $rec{a}_l$ of 99.20%, $F_{score}$ of 99.05% and $AU{C}_{score}$ of 99.20%, correspondingly.

Table 2. Attack detection outcome of the PHHO-ODLC algorithm on a binary database.

Classes	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$	$\mathit{A}\mathit{U}{\mathit{C}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
TR Phase (80%)
Attack	98.51	99.05	98.51	98.78	97.64
Normal	96.77	94.97	96.77	95.86	97.64
Average	97.64	97.01	97.64	97.32	97.64
TS Phase (20%)
Attack	99.35	99.67	99.35	99.51	99.20
Normal	99.06	98.13	99.06	98.59	99.20
Average	99.20	98.90	99.20	99.05	99.20

Figure 4. Average of the PHHO-ODLC algorithm on a binary database.

To calculate the performance of the PHHO-ODLC approach on the binary dataset, TR and TS $acc{u}_y$ curves are described, as demonstrated in Figure 5. The TR and TS $acc{u}_y$ curves exhibit the performance of the PHHO-ODLC method over numerous epochs. The figure provided meaningful details about the learning task and generalization capabilities of the PHHO-ODLC model. With a rise in the epoch count, it is observed that the TR and TS $acc{u}_y$ curves are enhanced. It is noted that the PHHO-ODLC system achieves enriched testing accuracy that has the potential to recognize the patterns in the TR and TS data.

Figure 5. $Acc{u}_y$ curve of the PHHO-ODLC algorithm on a binary database.

Figure 6 shows the overall TR and TS loss values of the PHHO-ODLC system on a binary dataset over epochs. The TR loss indicates the model loss is minimized over epochs. Mainly, the loss values obtained decreased as the model adapted the weight for diminishing the predicted error on the TR and TS data. The loss curves exhibit the extent to which the model fits the training data. It is noted that the TR and TS loss is progressively minimized and represents that the PHHO-ODLC system efficiently learns the patterns demonstrated in the TR and TS data. It is also evidenced that the PHHO-ODLC methodology modifies the parameters for decreasing the difference between the actual and predicted training labels.

Figure 6. Loss curve of the PHHO-ODLC algorithm on a binary database.

Table 3 demonstrates the details of the multiclass dataset.

Table 3. Details on the multiclass database.

Multiclass Database
Class	No. of Instances
DDoS	500
DoS	500
Recon	500
Theft	79
Normal	477
Total No. of Samples	2056

Figure 7 demonstrates the classifier analysis of the PHHO-ODLC algorithm on the multiclass database. Figure 7a,b represent the confusion matrix provided with the PHHO-ODLC technique at 80:20 of the TR Phase/TS Phase. The outcome demonstrated that the PHHO-ODLC algorithm has detection and is categorized on five class labels. Figure 7c defines the PR curve of the PHHO-ODLC model. The figure indicates that the PHHO-ODLC method has attained improved PR outcomes in five classes. Figure 7d reveals the ROC analysis of the PHHO-ODLC system. The experimental outcome indicated that the PHHO-ODLC method resulted in an effectual solution with improved ROC outcomes in various class labels.

Figure 7. Multiclass database. (a,b) Confusion matrices, (c) PR_curve and (d) ROC.

The attack detection analysis of the PHHO-ODLC approach is tested on the multiclass database in Table 4 and Figure 8. The observation data indicate that the PHHO-ODLC method properly recognizes all five classes. On 80% of the TR Phase, the PHHO-ODLC method provides an average $acc{u}_y$ of 98.88%, $pre{c}_n$ of 96.80%, $rec{a}_l$ of 95.14%, $F_{score}$ of 95.91% and $AU{C}_{score}$ of 97.21%. Additionally, with 20% of the TS Phase, the PHHO-ODLC technique offers an average $acc{u}_y$ of 98.83%, $pre{c}_n$ of 95.96%, $rec{a}_l$ of 93.66%, $F_{score}$ of 94.69% and $AU{C}_{score}$ of 96.45%, correspondingly.

Table 4. Attack detection outcome of the PHHO-ODLC algorithm on a multiclass database.

Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$	$\mathit{A}\mathit{U}{\mathit{C}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
TR Phase (80%)
DDoS	98.48	97.69	95.97	96.82	97.62
DoS	98.48	95.40	98.16	96.76	98.37
Recon	99.21	98.30	98.54	98.42	98.98
Theft	99.21	94.92	84.85	89.60	92.33
Normal	99.03	97.71	98.21	97.96	98.75
Average	98.88	96.80	95.14	95.91	97.21
TS Phase (20%)
DDoS	99.51	99.03	99.03	99.03	99.35
DoS	97.82	96.64	95.83	96.23	97.23
Recon	99.51	97.83	100.00	98.90	99.69
Theft	99.03	90.91	76.92	83.33	88.34
Normal	98.30	95.40	96.51	95.95	97.64
Average	98.83	95.96	93.66	94.69	96.45

Figure 8. Average of the PHHO-ODLC algorithm on a multiclass database.

To determine the performance of the PHHO-ODLC system on the multiclass dataset, TR and TS $acc{u}_y$ curves are defined, as shown in Figure 9. The TR and TS $acc{u}_y$ curves indicate the performance of the PHHO-ODLC approach over several epochs. The figure offered meaningful details about the learning tasks and generalization capacity of the PHHO-ODLC technique. With an improvement in the epoch count, it is noted that the TR and TS $acc{u}_y$ curves get enriched. It is evident that the PHHO-ODLC method attains better testing accuracy and can recognize the patterns in the TR and TS data.

Figure 9. $Acc{u}_y$ curve of the PHHO-ODLC algorithm on a multiclass database.

Figure 10 illustrates the overall TR and TS loss values of the PHHO-ODLC method on a multiclass dataset over epochs. The TR loss specifies the model loss decreases over epochs. Generally, the loss values get reduced as the model adjusts the weight to reduce the predictable error on the TR and TS data. The loss curves show the extent to which the model fits the training data. It is observed that the TR and TS loss is gradually diminishing, signifying that the PHHO-ODLC algorithm efficiently learns the patterns demonstrated in the TR and TS data. It is also evidenced that the PHHO-ODLC technique adapts the parameters to lessen the dissimilarity between the predicted and actual training labels.

Figure 10. Loss curve of the PHHO-ODLC algorithm on a multiclass database.

Finally, a comprehensive outcome of the PHHO-ODLC system with other methods is represented in Table 5 and Figure 11 [28]. The outcomes highlight the enhanced results of the PHHO-ODLC technique. Based on $acc{u}_y$, the PHHO-ODLC technique gains an increased $acc{u}_y$ of 99.20%, while the H3SC-DLIDS, AE-MLP, IDS-IoT, XGBoost, RF and DT models obtain decreased $acc{u}_y$ values of 99.05%, 98.19%, 97.40%, 97.09%, 97.00% and 95.21%, respectively. Also, based on ${prec}_n$, the PHHO-ODLC method achieves an improved ${prec}_n$ of 98.90%, whereas the H3SC-DLIDS, AE-MLP, IDS-IoT, XGBoost, RF and DT methodologies obtain reduced ${prec}_n$ values of 96.65%, 95.91%, 95.80%, 94.28%, 94.98% and 92.43%, individually. Finally, based on ${reca}_l$, the PHHO-ODLC approach gains a raised ${reca}_l$ of 99.20%, but the H3SC-DLIDS, AE-MLP, IDS-IoT, XGBoost, RF and DT systems acquire minimized ${reca}_l$ values of 95.67%, 93.31%, 94.90%, 92.13%, 93.69% and 92.51%, correspondingly.

Table 5. Comparative outcome of the PHHO-ODLC system with other approaches.

Methods	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
PHHO-ODLC	99.20	98.90	99.20	99.05
H3SC-DLIDS	99.05	96.65	95.67	96.14
AE-MLP	98.19	95.91	93.31	95.13
IDS-IoT	97.40	95.80	94.90	95.53
XGBoost	97.09	94.28	92.13	95.05
RF	97.00	94.98	93.69	94.57
DT	95.21	92.43	92.51	93.26

Figure 11. Comparative outcome of the PHHO-ODLC methodology with other approaches.

These outcomes confirmed the better solution of the PHHO-ODLC technique on the DDoS attack detection algorithm. The PHHO-ODLC method’s superiority in performance over other techniques can be justified through its novel approach to DDoS attack recognition in IoT environments. In the initial stage, the usage of the PHHO enables highly effective feature selection, ensuring that only the most relevant data attributes are used for classification. This tailored feature set minimizes noise and augments the model’s precision, a crucial benefit in distinguishing genuine threats from noise in IoT data. In the second stage, the incorporation of the ABiLSTM network equips the PHHO-ODLC technique with deep learning abilities, facilitating the analysis of sequential data patterns. This enables the effective detection of complex attack patterns and further increases accuracy in DDoS attack classification. Furthermore, the third stage, using the GWO for hyperparameter tuning, ensures that the model is fine-tuned to its highest performance, improving its capability to adapt to various IoT environments and attack scenarios. In summary, the PHHO-ODLC technique excels due to its holistic method, including deep learning, feature selection and hyperparameter optimization, which collectively improve its accuracy and resilience in DDoS attack detection, setting it apart as a robust solution in the IoT security landscape.

5. Conclusions

In this manuscript, we have developed an automatic PHHO-ODLC technique for a secure IoT environment. The fundamental goal of the PHHO-ODLC method is to detect the presence of DDoS attacks in the IoT platform. The PHHO-ODLC algorithm follows three-stage processes such as PHHO-based FS, ABiLSTM-based DDoS attack detection and GWO-based hyperparameter tuning. A detailed comparative result analysis indicated that the proposed model achieves a better performance over other models, with a maximum accuracy of 99.20%. The PHHO-ODLC technique provides a robust solution for detecting DDoS attacks in the IoT environment, ensuring the security and integrity of interconnected devices. Its real-world applications extend to safeguarding critical IoT systems, such as smart cities, healthcare and industrial automation, from disruptive cyber threats. Future research will explore the scalability of the PHHO-ODLC technique in dealing with large IoT networks and a wide range of attack types. Moreover, the development of adaptive mechanisms to respond to evolving DDoS attack strategies and the integration of anomaly detection methods will be integral to further improving IoT security.