Article

Evolutionary Computation for Feature Optimization and Image-Based Dimensionality Reduction in IoT Intrusion Detection

by Hessah A. Alsalamah 1,* and Walaa N. Ismail 2,*
1 Department of Information Systems, College of Computer and Information Sciences, King Saud University, Riyadh 11543, Saudi Arabia
2 Department of Management Information Systems, College of Business Administration, Al Yamamah University, Riyadh 11512, Saudi Arabia
* Authors to whom correspondence should be addressed.
Mathematics 2025, 13(23), 3869; https://doi.org/10.3390/math13233869
Submission received: 5 November 2025 / Revised: 25 November 2025 / Accepted: 29 November 2025 / Published: 2 December 2025

Abstract

The exponential growth of the Internet of Things (IoT) has made it increasingly vulnerable to cyberattacks, where malicious manipulation of network and sensor data can lead to incorrect data classification. IoT data are inherently heterogeneous, comprising sensor readings, network flow records, and device metadata that differ significantly in scale and structure. This diversity motivates transforming tabular IoT data into image-based representations to facilitate the recognition of intrusion patterns and the analysis of spatial correlations. Many deep learning models offer robust detection performance, including CNNs, LSTMs, CNN–LSTM hybrids, and Transformer-based networks, but many of these architectures are computationally intensive and require significant training resources. To address this challenge, this study introduces an evolutionary-driven framework that mathematically formalizes the transformation of tabular IoT data into image-encoded matrices and optimizes feature selection through metaheuristic algorithms. Genetic Algorithm (GA), Particle Swarm Optimization (PSO), and Variable Neighborhood Search (VNS) are employed to identify optimal feature subsets for Random Forest (RF) and Extreme Gradient Boosting (XGBoost) classifiers. The approach enhances discrimination by optimizing multi-objective criteria, including accuracy and sparsity, while maintaining low computational complexity suitable for edge deployment. Experimental results on benchmark IoT intrusion datasets demonstrate that VNS-XGBoost configurations performed better on the IDS2017 and IDS2018 benchmarks, achieving accuracies up to 0.99997 and a significant reduction in Type II errors (212 and 6 in tabular form, reduced to 4 and 1 using image-encoded representations). These results confirm that integrating evolutionary optimization with image-based feature modeling enables accurate, efficient, and robust intrusion detection across large-scale IoT systems.

1. Introduction

With the advent of the Internet of Things (IoT), intelligent automation has become possible, creating a vast global network of billions of connected devices and infrastructure components that interact in real time. However, this unprecedented growth, accelerated by technologies such as edge computing that improve platform compatibility, has also led to a serious security issue. IoT-based intrusion detection systems typically collect data in tabular format, with each record containing numerical and categorical characteristics such as protocol type, flow time, packet size, and connection rate [1,2]. This representation ignores the spatial or structural relationships among features by treating them as independent variables, even though it works well for statistical modeling [3,4]. The combined variation of associated parameters, such as the average byte rate and the number of incoming packets, may help predict specific types of cyberattacks. Additionally, IoT tabular data can often be exploited by adversarial attacks with only minor changes to input attributes, making them almost identical to normal data. As a result, adversarial attacks on IoT tabular data are extremely dangerous [1,5]. False negatives can lead to illegal access, data theft, or disruptions of vital system functionality as a result of such attacks [6]. In addition, high-dimensional and heterogeneous data are generated from various sources in the IoT environment, including biological signals, network traffic, and embedded sensors. Many of these features are noisy, unnecessary, or irrelevant, which can raise computing costs and reduce the accuracy of attack detection. The design of detection algorithms must therefore be focused on improving feature robustness, reducing redundancy, and increasing the model’s ability to respond effectively to subtle, misleading input variations. 
Additionally, feature selection is crucial for enhancing classifier performance, reducing overfitting, and accelerating inference [7,8].
As IoT networks are increasingly deployed across diverse industries—from smart cities to healthcare—they have become attractive targets for sophisticated cyberattacks, such as botnets and distributed denial-of-service (DDoS) attacks, which exploit security vulnerabilities to gain unauthorized access and disrupt network communications. There are many data sources used by IoT intrusion detection systems, including unstructured text logs (e.g., system alerts or authentication messages), periodic probing, and botnet cooperation, as well as structured tabular records (e.g., network flow records, protocol characteristics, and sensor logs). A variety of data sources increases observability and the attack surface [5,7,9]. Intruders into IoT networks may compromise communication between nodes and data integrity. Attackers can alter databases, log files, and signatures to distort data representation and interfere with node-to-node communication. When multiple data streams are compromised, an attacker can simultaneously change numerous modalities, such as corrupting image-based sensor feeds, adding false text to logs, or altering feature values. As a result of such manipulations, the accuracy of learning models trained on multimodal data is reduced, and the reliability of IoT intrusion detection systems is compromised. Machine Learning (ML) techniques have demonstrated promising results in classifying network intrusions [10,11]. However, traditional approaches cannot handle the massive amounts of multimodal intrusion data, despite their computational efficiency. They exhibit limited expressiveness and generalization capability when learning from text–image–tabular pairings and are prone to overfitting. In addition to slowing down detection, these restrictions undermine defenses against adversarial cross-modal attacks. Furthermore, the Deep Neural Network (DNN) algorithm overcame the shortcomings of traditional detection methods while achieving a satisfactory accuracy. 
The DNN was most notable for its ability to create highly nonlinear systems, extract automated elements, and adapt to a variety of architectural designs. However, it was necessary to carefully tune the hyperparameters and training parameters to achieve satisfactory performance with the DNN [6,12]. Additionally, it cannot capture inter-feature correlations of IDS attacks because it operates directly on tabular data. Despite their ability to combine data from many sources, deep learning (DL) techniques are challenging to implement and require large amounts of labeled data. Several lightweight architectures have been developed recently that can extract high-quality features with little training data. Unsupervised multimodal approaches for arc detection in railway systems have demonstrated strong representation-learning capabilities with limited labeled data by leveraging cross-modal correlations [13]. Similar to multiscale hidden state interaction networks, supervised lightweight feature extractors—such as those for defect diagnosis—achieve high accuracy and better generalization by modeling hierarchical temporal patterns without relying on large, complex models [14]. Additionally, studies on the compression of LiDAR point clouds and other compression-driven neural techniques demonstrate that quantization, pruning, and compact network designs can reduce computational requirements while maintaining feature-extraction efficiency [15,16,17]. These developments indicate that deep learning efficiency can be improved, but doing so continues to depend on extensive hyperparameter tuning, GPU-accelerated training, and specialized architectural designs.
This study aims to develop an intrusion detection system that is both reliable and lightweight, capable of protecting IoT networks from advanced cyberthreats that exploit multimodal data vulnerabilities, and that addresses a wide range of data generated by IoT systems, including image-based sensor outputs and tabular sensor values. Additionally, to overcome computational redundancy and shortcomings in feature selection in existing DNN-based solutions, this study proposed a novel combination of evolutionary-inspired algorithms and lightweight ML models. In our first application of VNS, an image-based and tabular data analysis technique is used to analyze IDS features. VNS methodically intensifies and diversifies the search across multiple neighborhood structures, and it can effectively explore this search space. To avoid local optima and achieve near-optimal feature subsets that optimize detection performance, VNS alternates between different perturbations rather than using a single neighborhood (e.g., simply adding or removing features).
The main contributions of this paper are as follows:
  • Multimodal Data Representation and Evaluation: The study combines tabular and image-based representations of IoT network data, enabling cross-modal analysis without requiring deep learning. The transformation improves the interpretability and resilience of detection processes by allowing machine learning classifiers to recognize latent feature associations in complex IoT traffic.
  • Introduction of VNS for Intrusion Detection in IoT contexts: This study is the first to optimize features in IoT-based intrusion detection systems using Variable Neighborhood Search (VNS). By methodically exploring multiple neighborhood structures to avoid local optima, VNS improves precision and stability in feature selection across a wide range of attack patterns, compared with traditional metaheuristics such as Genetic Algorithms (GAs) and Particle Swarm Optimization (PSOs).
  • Parallel Ensemble Validation with Random Forest (RF) and XGBoost: The Random Forest (RF) and XGBoost ensemble models are used to evaluate the optimized features obtained from the VNS meta-heuristic to resolve the issue of time constraints, resource constraints, and so on. Through their parallel architecture, they provide better detection accuracy and generalization performance on benchmark datasets (CIC-IDS2017 and CIC-IDS2018).
The research article is organized as follows: Section 2 describes the existing techniques, Section 3 elaborates on the proposed research methodology with a mathematical explanation, Section 4 analyzes the outcomes, and Section 5 provides the conclusions.

2. Related Work

The field of intrusion detection systems has placed a greater emphasis on intelligent optimization and adaptive learning techniques to improve precision, scalability, and durability. Recent research indicates that encryption alone is insufficient to defend contemporary networked systems against sophisticated hostile attacks. Studies on HTTPS traffic analysis have shown, for example, that encrypted flows remain vulnerable to AI-driven fingerprinting attacks that can accurately identify user behavior [18,19]. A Super-Learner ensemble of traditional machine learning classifiers achieved over 97% accuracy in fingerprinting websites, even without payload visibility, in one study. In addition, further research indicates that although encryption prevents basic eavesdropping, it does not protect against advanced traffic analysis attacks, in which adversaries use timing, size, or directional patterns to deduce critical information. This threat is addressed by combining multipath routing with deception: actual traffic is split across multiple network channels, while carefully inserted fake packets hide flow characteristics. Using a zero-sum optimization game, the defense significantly reduces TA accuracy without altering, delaying, or padding valid data [18,19]. Two important ideas about IoT intrusion detection are highlighted by these articles when they are taken together: (1) adversaries are increasingly using ensemble-based and pattern-centric learning to infer unobserved actions across multiple network modalities; (2) robust defenses require proactive feature removal, false positive generation, and multi-path contextual modeling. These results highlight the need for intrusion detection frameworks that leverage multimodal, feature-optimized designs to resist adversarial manipulation, adapt to heterogeneous IoT traffic, and deliver accurate detection even when attackers use compromised or encrypted channels. 
SecFedIDM-V1, an intrusion detection system based on BiLSTM that leverages federated design principles, is presented in [20] to enhance collaborative learning. Despite being effective in gathering local intelligence, the method involved a high computational cost and was sensitive to unbalanced attack data.
An intelligent detection model developed by Ahmed A. M. Sharadqh et al. [21] combines K-Nearest Neighbor (KNN) for detecting possible attack routes with ResCapsNet for detecting intrusions. The detection accuracy of this model was impressive, but it struggled to handle high-dimensional network data and to minimize false positives, which are prevalent in IoT-based intrusion datasets. In a similar vein, Hayam Alamro et al. [20] investigated the application of hybrid deep learning architectures in conjunction with the Ant Lion Optimizer (ALO) metaheuristic, demonstrating increased accuracy in categorizing several attack types. However, this strategy was severely limited by its inability to adapt to changing patterns of intrusion.
V. Saravanan et al. [22] present an optimization-driven RNN-based intrusion detection system. Using threshold-based anomaly detection, malicious activity was identified. The model was inefficient in complex multi-attack scenarios due to redundant or unnecessary characteristics, despite its effectiveness in detecting high-frequency attacks. Chidambaranathan and Ridhim Geetha used a similar approach [23], employing a federated learning framework to detect intrusions across diverse contexts, demonstrating strong generalization but poor feature interpretability. Although the system had difficulty precisely detecting internal node anomalies and maximizing detection time, it integrated multiple detection phases to enhance security. A recent development in adversarial-thinking research shows that threat capabilities are developing rapidly, even in encrypted communications, as evidenced by ensemble-based traffic-analysis attacks (such as SuperLearner), deception-based defenses that introduce artificial patterns, and multipath routing optimized from a game-theoretical standpoint. As attackers become more adept at exploiting statistical traffic patterns, defenses must be more flexible, scalable, and context-aware. This development highlights the need for intrusion detection technologies that can be generalized across modalities, resist manipulation, and work effectively in heterogeneous environments. Table 1 summarizes the relevant work in this area with the following key challenges:
  • Several intrusion detection models currently in use are trained on a small number of attack categories with limited modality, which severely constrains their ability to generalize, leading to reduced detection effectiveness when confronted with new or complex intrusion types.
  • Several frameworks remained susceptible to adversarial manipulation and data processing errors, allowing hackers to control the integrity of network data and undermining the reliability of detection results.
  • Feature selection techniques struggle with local optima and scalability, whereas deep and hybrid neural models, though successful, have poor interpretability and high training costs.
  • The models frequently suffered from limited capacity, reducing their effectiveness when detecting intrusions from multiple sources or at high volume.
  • Manual hyperparameter tuning was required for several methods, which raised computational costs and limited flexibility when using dynamic networks. Due to the lack of automatic parameter adjustment, long training cycles and uneven performance results were observed.
    Several of the reviewed papers demonstrate how feature selection and dimensionality reduction are being used to improve intrusion detection performance. There are still limitations in most models regarding single-modality data, computational complexity, and adaptability to heterogeneous IoT environments, despite improvements in accuracy and reduced redundancy enabled by approaches such as Genetic Algorithms (GA), Particle Swarm Optimization (PSO), and reinforcement learning. The use of image-encoded tabular data to analyze spatial correlations in network properties has not been extensively researched.
    In light of these results, there is a need for IDS frameworks capable of managing multimodal data (textual, visual, and tabular) and computationally efficient without sacrificing accuracy and interpretability. To address these limitations, the current study investigates evolutionary optimization (VNS, GA, and PSO) in conjunction with parallel machine learning models to improve intrusion detection performance across multiple IoT datasets.

3. Materials and Methodology

There is a wide variety of attack behaviors depending on the type of data. While visual representations (such as CCTV footage or time–frequency transforms of network flows) cannot be fully captured in tabular form, tabular network features can provide clear statistical markers of anomalous behavior. Optimizing detection models for both modalities enables a more thorough assessment of search tactics, thereby increasing coverage of various attack types. To reliably handle both tabular and image data, we present a Hybrid Multi-modal Intrusion Detection System (Multi-IDS), as shown in Figure 1. Multi-IDS is designed to be both computationally efficient and lightweight, addressing the significant resource constraints and multi-modal attack types in most IoT devices. Due to their limited processing power and storage capacity, it is not feasible to install active intrusion sensors on every IoT node. By tracking deviations from expected patterns of behavior, it monitors network activity.
The Multi-IDS has been designed to address the particular challenges of IoT environments through a highly effective, three-stage architecture:
  • Data Collection and Feature Representation: Multi-IDS continuously receives and stores network traffic from IoT devices, such as smart outlets, mobile devices, surveillance cameras, and intelligent assistants (like Alexa). This enormous, continuous stream of raw data is processed and organized into a refined feature space representation to prepare it for further analysis.
  • Multi-model Feature Selection: A novel methodology is developed and validated using an evolutionary-inspired algorithm, with both tabular and image-converted feature representations, for wrapper-based feature selection in IoT smart attack detection. Each feature is mapped to a pixel point, making spatial proximity patterns useful for depicting feature interactions. The implications of this change are twofold. First, it provides a new method for analyzing IoT traffic data that leverages both structural and statistical links. Second, it increases resilience to hostile disturbances. Minor adversarial modifications that are difficult to detect in raw tabular data can be identified more easily with simple statistical or rule-based techniques, because they are often accompanied by visible inconsistencies or distortions in the encoded images.
  • Intrusion Detection and Anomaly Analysis: In this critical detection step, irregularities in the prepared network traffic are examined for signs of intrusion. A lightweight, reliable anomaly detection technique that integrates ML methods and evolutionary methods, particularly Random Forest, XGBoost, and VNS, is employed to maximize feature selection and significantly improve classification performance.
HIDS offers an efficient intrusion detection system with the lowest computational overhead for resource-constrained IoT environments by combining these cutting-edge anomaly detection techniques.

3.1. Dataset Description and Preprocessing

3.1.1. IoT Dataset

In this research, two primary datasets were used to analyze and detect network intrusions and malicious activities: CICIDS-2017 (IDS2017) [35] and CSE-CIC-IDS2018 (IDS2018) [36]. Both datasets are widely recognized in the field of cybersecurity and intrusion detection, providing comprehensive network traffic data with labeled malicious and benign activities. Below is a detailed description of each dataset:
The University of New Brunswick created the CSE-CIC-IDS2018 Dataset for analyzing Distributed Denial-of-Service (DDoS) attacks and other network intrusions. The data was collected in 2018 and is based on logs from the university’s servers. The dataset is designed to help researchers and practitioners develop and evaluate machine learning models for intrusion detection systems (IDS). CICIDS-2017 was created by the Canadian Institute for Cybersecurity (CIC) and is widely used for research in intrusion detection. The data was collected over 5 days (Monday to Friday) in IDS2017. The dataset captures a variety of network attacks, including Brute Force, DoS, Botnet, Infiltration, and Port Scanning, as well as benign traffic. The dataset has been corrected and relabeled by researchers to address errors in flow terminations and labeling. The corrected dataset and related Python code are available on the CICIDS-2017 and DistriNet Research Group websites.

3.1.2. Data Modalities

Tabular Multidimensional Modality: Traditional tabular IoT sensor datasets are processed using target encoding for large fields, one-hot encoding for low-dimensional categorical features, numerical feature scaling, and deduplication. Optional temporal statistics are included, such as rolling means and inter-arrival entropy.
The search space consists of:
  • $m \in \{0,1\}^d$ is a binary mask which indicates specific features.
  • $h$ is a continuous/discrete hyperparameter for the RF or XGB.
Table 2 represents the input shapes for the multidimensional data utilized in this study.
Image Modality: The original IoT tabular dataset was converted into two-dimensional image representations (Figure 2) to capture spatial correlations among variables that are frequently missed when presented numerically. Table 3 presents the preprocessing pipeline applied to both datasets to ensure consistent, comparable experimentation. The tab2img library was installed and imported to enable the conversion of tabular (numerical) data into image format. Each record was normalized and transformed into a grayscale image using mathematical transformations, such as Gramian Angular Fields (GAF), which map each feature value to a pixel intensity in a fixed-size matrix. The generated images were resized to a uniform shape (e.g., 16 × 16 pixels) using OpenCV's resize function. Resizing ensures that all images have the exact dimensions required for input into deep learning models. To further enhance model performance, the images were standardized using a StandardScaler. To address class imbalance, RandomOverSampler was used to oversample minority classes (e.g., Web attack, Infiltration). The oversampling process increased the sample counts for these classes to 10,000 each, resulting in a more balanced dataset, as shown in Figure 3. The final dimensional shapes for the image-encoded dataset are given in Table 4.
All features were scaled using MinMaxScaler to normalize them to a range of 0 to 1. Additionally, the combined dataset of images and labels was split back into training, validation, and testing sets:
  • The dataset was first split into 80% for training and 20% for testing.
  • The training set was further split into 90% training and 10% validation sets.
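The tabular-to-image step described above, as an added example that is not the authors' code and does not reproduce tab2img: it assumes the summation variant of the Gramian Angular Field, uses a nearest-neighbour resize as a stand-in for OpenCV's resize, and runs on constructed flow records with hypothetical column meanings. Scaling bounds are learned from training records only and out-of-range values are clipped, because arccos is undefined outside [-1, 1] and a manipulated record can easily exceed the training range.

```python
import math

# Constructed training flows: [flow duration (ms), fwd packets, bytes/s, SYN flags]
TRAIN = [
    [120.0, 10, 4000.0, 1],
    [900.0, 42, 15000.0, 1],
    [15.0, 2, 300.0, 0],
    [600.0, 30, 9000.0, 2],
]

def minmax_fit(records):
    """Per-feature (min, max), learned from training records only."""
    return [(min(col), max(col)) for col in zip(*records)]

def out_of_range(record, bounds):
    """Indices of features outside the training range (a cheap drift or tampering signal)."""
    return [i for i, (v, (lo, hi)) in enumerate(zip(record, bounds)) if v < lo or v > hi]

def scale_to_unit(record, bounds):
    """Scale each feature to [-1, 1]; clip so that acos() never sees an invalid input."""
    scaled = []
    for v, (lo, hi) in zip(record, bounds):
        if hi == lo:
            scaled.append(0.0)  # constant feature carries no information
            continue
        s = 2.0 * (v - lo) / (hi - lo) - 1.0
        scaled.append(max(-1.0, min(1.0, s)))
    return scaled

def gasf(x):
    """Gramian Angular Summation Field: G[i][j] = cos(phi_i + phi_j), phi = arccos(x)."""
    phi = [math.acos(v) for v in x]
    return [[math.cos(a + b) for b in phi] for a in phi]

def resize_nearest(img, size):
    """Nearest-neighbour resize to size x size (assumed stand-in for cv2.resize)."""
    n = len(img)
    idx = [min(n - 1, (k * n) // size) for k in range(size)]
    return [[img[r][c] for c in idx] for r in idx]

def to_pixels(img):
    """Map values in [-1, 1] to 8-bit grayscale intensities."""
    return [[int(round((v + 1.0) * 127.5)) for v in row] for row in img]

def record_to_image(record, bounds, size=16):
    """One tabular record -> size x size grayscale image."""
    return to_pixels(resize_nearest(gasf(scale_to_unit(record, bounds)), size))

if __name__ == "__main__":
    bounds = minmax_fit(TRAIN)
    flow = [15.0, 42, 7650.0, 1]           # constructed record inside the training range
    spoofed = [5000.0, 500, 1e9, 60]       # constructed record far outside it
    print(record_to_image(flow, bounds)[0])
    print("out-of-range features:", out_of_range(spoofed, bounds))
```

A record whose features all exceed the training maximum clips to a fully saturated image, so counting out-of-range features before encoding keeps that information instead of losing it in the clip.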
The same metaheuristic feature-extraction techniques can be applied to visualize statistical and temporal correlations between variables using vectorized picture embeddings rather than raw numeric features. Using the feature extraction procedure, the most discriminatory pixels or spatial regions for attack detection are highlighted in a feature mask. The entire transformation and selection workflow is shown in the following figures: the original tabular features and the converted picture representation (Figure 4b), and the final feature mask overlay (Figure 4a), highlighting important areas. This visual-based encoding enhances the model’s interpretability. It provides deeper insights into the resilience of feature selection across data modalities by comparing tabular and image modalities under similar optimization and classification conditions.

3.2. Feature Extraction Using Metaheuristics

Three metaheuristic algorithms are used to select the most discriminating features:
  • Genetic Algorithm (GA): Optimizes classification fitness by evolving feature subsets through crossovers, mutations, and selection. The GA method uses crossover and mutation to evolve a population of 40 over 40 generations. Theoretically, GA mimics natural evolution by maintaining a population of candidate solutions (feature subsets represented as binary vectors of size num_features), each of which undergoes selection, crossover, and mutation to evolve toward an optimal feature subset. The algorithm initializes a population of 30 individuals, evaluates their fitness using classification accuracy, selects the top two individuals from a random subset of four based on fitness, applies single-point crossover with a probability of crossover_rate = 0.8, and introduces random mutations with a probability of mutation_rate = 0.1. This process, iterated over num_generations = 5, ensures a balance between exploration (via crossover and mutation) and exploitation (via selection of high-fitness individuals), making GA effective for navigating high-dimensional feature spaces.
  • Particle Swarm Optimization (PSO): identifies optimal subsets of features by exploring feature spaces and combining them through particle cooperation. With PSO, feature bits are mapped using sigmoid mapping (size 50, 200 iterations). PSO mimics the social behavior of particles (e.g., birds flocking) to explore the search space, where each particle represents a candidate feature subset (a binary vector of size num_features). The algorithm updates particle positions and velocities using equations influenced by inertia (inertia_weight = 0.7), cognitive learning (cognitive_coeff = 1.5), and social learning (social_coeff = 1.5), as implemented in the provided PSO_RandomForest.py. Velocities are transformed into probabilities via a sigmoid function, determining whether a feature is selected (1) or not (0), enabling efficient exploration of the feature space. This approach is particularly effective for high-dimensional datasets, as it balances global exploration (via the global best, gbest) and local exploitation (via personal bests, pbest), avoiding premature convergence to suboptimal feature subsets.
  • Variable Neighborhood Search (VNS): uses variable-length neighborhoods to iteratively refine a candidate solution in an attempt to break out of local optima [37]. The use of multimodal data in IoT intrusion detection systems is becoming increasingly important, as image-based representations (such as spectrograms, Gramian Angular Fields, or surveillance frames) are combined with tabular network information (such as traffic statistics, protocol flags, and sensor readings). A high-dimensional and diverse feature space results, typically containing features that are noisy, redundant, or only marginally important across modalities. Direct application of every feature may lead to overfitting, increased processing costs, and reduced generalization to unseen threats. To search this vast search space effectively, we utilize Variable Length Neighborhood Search (VNS) as shown in Figure 5. The candidate solutions are encoded as binary vectors that identify specific qualities in tabular and image formats. Through the flipping of $1, 2, \dot{k}$, and $k_{\max}$ bits, VNS examines neighborhoods of increasing size, enabling the search to move from local refinements to global exploration.
    VNS uses a local search method to explore 1-bit communities, 2-bit communities, and 1-in/1-out communities. Theoretically, VNS operates by examining a series of neighborhoods around a current solution, defined by flipping an increasing number of features (mutation_step × neighborhood), thereby allowing it to escape local optima and converge toward globally optimal feature subsets. This is particularly advantageous for high-dimensional datasets, as the VNS methodically adjusts the feature subset size, balancing exploration and exploitation to maximize classification accuracy.
    Let $S \subseteq \{1, \dots, d_t + d_i\}$ denote a candidate multimodal feature subset, with $S^{(t)} = S \cap \{1, \dots, d_t\}$ (tabular) and $S^{(i)} = S \cap \{d_t + 1, \dots, d_t + d_i\}$ (image). The classifier $h_S$ is fixed (e.g., RF or XGBoost) and is trained only on the features in $S$. The optimal feature subset to be selected is defined as:
    $$S^{*} \subseteq \{1, \dots, d_t + d_i\}$$
    that maximizes a given fitness function, typically cross-validated Macro-F1:
    $$S^{*} = \arg\max_{S \subseteq \{1, \dots, d_t + d_i\}} F(S),$$
    where $F$ measures the detection performance of a classifier trained using only the selected features.
    The VNS algorithm, as adapted in Algorithm 1, initializes a random binary feature subset of size num_features (256 for images, 78 for numeric data), evaluates its fitness using test set accuracy, and iteratively explores neighborhoods by flipping up to min(mutation_step × neighborhood, num_features) features, with the fitness defined as:
    $$F(S) = \underbrace{\mathrm{Perf}_{\mathrm{cv}}(S)}_{\text{accuracy}} - \lambda_s \underbrace{\frac{|S|}{d_t + d_i}}_{\text{sparsity}} - \lambda_c \underbrace{\mathrm{Cost}(S)}_{\text{latency/compute}} - \lambda_b \underbrace{\left( \frac{|S^{(t)}|}{d_t} - \frac{|S^{(i)}|}{d_i} \right)^{2}}_{\text{modality balance}}.$$
    where $\lambda_s, \lambda_c, \lambda_b \ge 0$ are scalar weights. $\mathrm{Cost}(S)$ represents an inference cost (e.g., measured latency or the sum of per-feature costs) scaled to $[0, 1]$.
For image data, 16 × 16 images are flattened into 256-dimensional vectors, with labels converted from One-Hot Encoding to integers using np.argmax. In contrast, for numeric data, labels are preprocessed with LabelEncoder, as seen in the code. The algorithm ensures robustness by assigning a zero fitness value to empty feature subsets, thereby preventing invalid solutions. The flexibility of the VNS algorithm, which dynamically sets num_features to 256 for images and 78 for numeric data, ensures its applicability across both data types.
The cross-validated F1-score of the classifier trained on the selected features defines the fitness function for all approaches. The fitness function is defined as:
$$J(\theta) = \mathrm{MacroF1\_CV}(\theta) - \lambda \frac{\lVert m \rVert_0}{d}$$
where $\lambda \in [0, 0.05]$ determines the feature sparsity penalty.
Algorithm 1 Variable Neighborhood Search (VNS) for Multimodal Feature Selection
Require: X_train, Y_train, X_val, Y_val, X_test, Y_test    ▹ Training, validation, and test datasets
Require: max_generations, max_neighborhoods, mutation_step    ▹ VNS parameters
Ensure: Best feature subset, corresponding accuracy, and fitness history
    ▹ For Images: X_train is flattened to (num_samples, 256); For Numeric: X_train has 78 features
    ▹ For Images: Y_train is converted from One-Hot to integers; For Numeric: Y_train is LabelEncoded
function EvaluateSubset(feature_subset)    ▹ Evaluate a feature subset using XGBoost
    Select features from X_train, X_val, X_test based on feature_subset
    Initialize MClassifier classifier with:
        objective = multi:softmax, num_class = 8
        n_estimators = 60, max_depth = 6, learning_rate = 0.1
        subsample = 0.8, colsample_bytree = 0.8, random_state = 42
    Train MClassifier classifier on X_train[:, feature_subset], Y_train
    Evaluate classifier on X_test[:, feature_subset], Y_test
    return Accuracy score
end function
function VNSFeatureSelection
    num_features ← Number of features in X_train    ▹ 256 for Images, 78 for Numeric
    current_solution ← Random binary array of size num_features    ▹ Initial feature subset
    best_solution ← current_solution
    best_fitness ← EvaluateSubset(indices where best_solution = True)
    best_fitness_history ← [best_fitness]
    for generation = 1 to max_generations do    ▹ Iterate over generations
        for neighborhood = 1 to max_neighborhoods do    ▹ Explore neighborhoods
            neighbor_solution ← current_solution
            Select min(mutation_step × neighborhood, num_features) random features
            Flip selected features in neighbor_solution    ▹ True to False or vice versa
            neighbor_fitness ← EvaluateSubset(indices where neighbor_solution = True)
            if neighbor_fitness > best_fitness then    ▹ If neighbor is better
                best_solution ← neighbor_solution
                best_fitness ← neighbor_fitness
                current_solution ← neighbor_solution
                Append best_fitness to best_fitness_history
                break    ▹ Move to next generation
            end if
        end for
    end for
    return best_solution, best_fitness, best_fitness_history
end function
Run VNSFeatureSelection
Print best feature subset, number of selected features, and best accuracy
Plot fitness history over generations
    ▹ For Images: Visualize feature importance as heatmap (16 × 16); For Numeric: Use SHAP or bar plots
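Added example, not the authors' implementation: Algorithm 1's VNS loop combined with the sparsity-penalized fitness $J$, in standard-library Python. A nearest-centroid scorer stands in for RF/XGBoost, the two-class flow data is constructed, and candidates are scored on the validation split rather than the test split so the test set stays unseen until final reporting; all function names are assumptions.

```python
import random


def make_flows(n, d, informative, rng):
    """Constructed two-class 'flow' records: only `informative` columns carry signal."""
    X, y = [], []
    for _ in range(n):
        label = rng.randrange(2)                  # 0 = benign, 1 = attack (constructed)
        row = [rng.gauss(0.0, 1.0) for _ in range(d)]
        for j in informative:
            row[j] += 2.0 * label                 # class-dependent shift on signal columns
        X.append(row)
        y.append(label)
    return X, y


def build_demo(seed=7, d=16, informative=(0, 5, 9, 12)):
    """Constructed train/validation splits; 12 of the 16 columns are pure noise."""
    rng = random.Random(seed)
    return make_flows(300, d, informative, rng), make_flows(200, d, informative, rng)


def subset_accuracy(subset, train, val):
    """Stand-in for RF/XGBoost: nearest-centroid classifier fitted on `subset` columns only."""
    (Xtr, ytr), (Xva, yva) = train, val
    centroids = {}
    for c in sorted(set(ytr)):
        rows = [x for x, t in zip(Xtr, ytr) if t == c]
        centroids[c] = [sum(r[j] for r in rows) / len(rows) for j in subset]
    hits = 0
    for x, t in zip(Xva, yva):
        pred = min(centroids, key=lambda c: sum(
            (x[j] - m) ** 2 for j, m in zip(subset, centroids[c])))
        hits += pred == t
    return hits / len(yva)


def fitness(mask, train, val, lam):
    """J = performance - lam * |selected| / d, with zero fitness for an empty subset."""
    subset = [j for j, on in enumerate(mask) if on]
    if not subset:
        return 0.0                                # empty subsets are invalid solutions
    return subset_accuracy(subset, train, val) - lam * len(subset) / len(mask)


def vns_select(train, val, max_generations=30, max_neighborhoods=4,
               mutation_step=2, lam=0.05, seed=42):
    """Algorithm 1: widen the flip neighborhood until a neighbor beats the best so far."""
    rng = random.Random(seed)
    d = len(train[0][0])
    current = [rng.random() < 0.5 for _ in range(d)]      # random binary feature mask
    best, best_fit = current[:], fitness(current, train, val, lam)
    history = [best_fit]
    for _ in range(max_generations):
        for k in range(1, max_neighborhoods + 1):
            neighbor = current[:]
            for j in rng.sample(range(d), min(mutation_step * k, d)):
                neighbor[j] = not neighbor[j]             # flip True <-> False
            f = fitness(neighbor, train, val, lam)
            if f > best_fit:                              # accept and restart at k = 1
                best, best_fit, current = neighbor[:], f, neighbor
                history.append(best_fit)
                break
    return best, best_fit, history


if __name__ == "__main__":
    train, val = build_demo()
    best, best_fit, history = vns_select(train, val)
    print("selected columns:", [j for j, on in enumerate(best) if on])
    print("penalized fitness:", round(best_fit, 4), "improvements:", len(history) - 1)
```

Swapping `subset_accuracy` for a cross-validated Macro-F1 from the real classifier leaves the search loop unchanged.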

3.3. Classification and Evaluation

The optimized features were evaluated using two ensemble classifiers, Random Forest (RF) and XGBoost as follows:
  • RF: The RandomForest classifier is configured with n_estimators = 100, max_depth = 6, and n_jobs = −1, leveraging an ensemble of decision trees to provide robust classification and to capture complex, non-linear relationships and feature interactions. Setting n_jobs = −1 enables parallel processing, optimizing computational efficiency for large datasets. Number of trees [200–1000], max depth [4–24], feature subsampling strategies, leaf size [1–20]. For image data, the 16 × 16 images are flattened into 256-dimensional vectors, and the labels are converted from One-Hot Encoding to integers using np.argmax. In contrast, for numeric data, labels are preprocessed with LabelEncoder, and irrelevant columns (e.g., Src IP dec, Dst IP dec, Label) are dropped, resulting in 78 features (as in PSO_RandomForest.py). The PSO algorithm dynamically adapts to feature dimensionality (num_features = 256 for images, num_features = 78 for numeric data), ensuring flexibility across data types. Fitness is evaluated based on classification accuracy on the test set, with safeguards to assign zero fitness to empty feature subsets, as implemented in the code.
  • XGB: The XGBoost classifier, configured with parameters such as objective = multi:softmax, num_class = 8, n_estimators = 100, max_depth = 6, learning_rate = 0.1, subsample = 0.8, and colsample_bytree = 0.8, employs gradient boosting to iteratively minimize a multi-class log-loss function, incorporating regularization to prevent overfitting and leveraging the validation set (X_val, Y_val) for early stopping and model optimization. For image data, 16 × 16 images are flattened into 256-dimensional vectors, with labels converted from One-Hot Encoding to integers using np.argmax. For numeric data, labels are encoded with LabelEncoder, and the dataset is preprocessed to retain 78 features. The GA dynamically adapts to the feature dimensionality (num_features = 256 for images, num_features = 78 for numeric), ensuring flexibility across data types. Fitness evaluation assigns zero fitness to empty feature subsets, as implemented in the code, to avoid invalid solutions.
The three feature optimizers are paired with both classifiers to produce six configurations: GA-RF, PSO-RF, VNS-RF, GA-XGB, PSO-XGB, and VNS-XGB. Table 5 compares the two frameworks.

4. Experimental Results and Evaluation

This section presents the experimental results obtained from the comparative study of the methods proposed in this paper. In these results, we aimed to illustrate the impact of randomizing each technique through statistical analysis, in addition to examining relationships among p-values. The datasets used in this research include training, validation, and test sets to train and validate the ranking models on the training and validation datasets, respectively, and to evaluate their predictive performance on the test datasets. All experiments were executed on an HP ZBook 15 G6 mobile workstation (HP Inc., Palo Alto, CA, USA). The system is equipped with an Intel® Core™ i7-9850H processor (12 logical cores), 32 GB of RAM, and dual-GPU support, including the integrated Intel® UHD Graphics 630 (CFL GT2) and an NVIDIA Quadro T2000 GPU. The operating system used for all experiments was Ubuntu 24.04.3 LTS running Linux Kernel 6.14.0-35, with GNOME 46 and the X11 windowing system. The implementation environment included Python 3.10, Scikit-learn 1.3.2, NumPy 1.24.2, Pandas 2.0, and XGBoost 1.7.6. All metaheuristic feature-selection algorithms (GA, PSO, and VNS) were executed in CPU mode, while RandomForest and XGBoost models were trained using multi-threaded CPU execution.

4.1. Data Modality Evaluation

This section examines the effects of tabular and image-based representations on the detection accuracy and generalization of the proposed models. The following question should be addressed:
  • How can data modality enhance the separability and robustness of models for IoT intrusion detection and impact the performance of features selected by VNS, GA, and PSO?

4.1.1. Phase 1: Tabular-Based Feature Extraction and Classification

Table 6 presents the classification performance comparison of intrusion detection models trained on IDS2017 Dataset. The VNS-XGBoost model achieved the highest performance across all metrics (as shown in Figure 6 and Figure 7), with accuracies of 0.9984, 0.9984, 0.9984, and 0.9984, and precision (PPV), recall (sensitivity), F1-score, and Cohen’s Kappa of 0.9980, 0.9980, 0.9980, and 0.9980, respectively, indicating near-perfect classification. The PSO-XGBoost model followed closely with slightly lower but still excellent metrics (0.9969 for accuracy, precision, recall, and F1-score; 0.9961 for Cohen’s Kappa). The GA-XGBoost model also performed well, achieving a score of 0.9967 across most metrics and a Cohen’s Kappa of 0.9959. In contrast, the RandomForest-based models (GA-RF, PSO-RF, VNS-RF) showed lower performance, with accuracies ranging from 0.9720 (VNS-RF) to 0.9742 (PSO-RF), and corresponding precision, recall, F1-scores, and Cohen’s Kappa values were slightly lower than those of the XGBoost models. These results show that XGBoost-based models, particularly VNS-XGBoost, significantly outperform random forests on numeric data, achieving higher accuracy and greater robustness in detecting network intrusions.
The VNS-driven feature selection for the CIC-IDS2017 dataset achieved accuracies of 0.9969 with Random Forest and 0.99997 with XGBoost, demonstrating strong convergence and minimal overfitting, as represented in Figure 8. Through fine-grained neighborhood exploration in VNS, the model refined the search space while preserving botnets and infiltration. On the IDS2018 dataset, the identical VNS–XGBoost pipeline achieved an accuracy of 0.99997. Consistent results across datasets demonstrate the generalizability and reliability of the VNS optimization.

4.1.2. Phase 2: Image-Based Feature Extraction and Classification

Table 7 compares the classification performance of intrusion detection models. For CIC-IDS2017 and CIC-IDS2018 image data, the VNS-XGBoost model outperformed all others (as shown in Figure 9 and Figure 10), achieving the highest scores across all metrics: accuracy (0.9984), precision (0.9984), recall (0.9984), F1-score (0.9984), and Cohen’s Kappa (0.9980), indicating near-perfect classification and strong agreement beyond chance. The PSO-XGBoost model followed closely with 0.9969 for accuracy, precision, recall, and F1-score, and 0.9961 for Cohen’s Kappa. The GA-XGBoost model also performed well, achieving a score of 0.9967 across most metrics and a Cohen’s Kappa of 0.9959. In contrast, the RandomForest-based models showed lower performance, with PSO-RF achieving the highest among them at 0.9742 (accuracy), 0.9759 (precision), 0.9742 (recall), 0.9734 (F1-score), and 0.9673 (Cohen’s Kappa), followed by GA-RF and VNS-RF with slightly lower metrics (0.9720–0.9738 range). These results highlight the superior performance of XGBoost-based models, particularly VNS-XGBoost, in accurately detecting network intrusions on numeric data, achieving accuracies ranging from 0.99783 to 0.99997 on the IDS2018 dataset. The VNS-XGBoost model achieves the highest performance across all metrics (Accuracy, Precision, Recall, F1-Score, and Cohen’s Kappa) at 0.99997 and 0.99996, respectively, demonstrating near-perfect classification and agreement with the correct labels. It is followed by VNS-RandomForest (0.99962) and GA-XGBoost (0.99932), while GA-RandomForest records the lowest accuracy (0.99783). All models exhibit near-optimal performance, with XGBoost-based models slightly outperforming due to their robustness in handling non-linear data. The high Cohen’s Kappa values (close to 1.0) indicate strong agreement and reliability in predictions across all classes.
To qualitatively evaluate the effectiveness of the proposed VNS feature selection, we used t-SNE to visualize the data distribution in 2D. Figure 11a illustrates the projection of the test dataset using the complete set of 84 original features. While some patterns are visible, the clusters exhibit considerable spread and overlap, suggesting noise and redundant features. In contrast, Figure 11b displays the t-SNE projection using only the optimal subset of features selected by the VNS algorithm. As observed, the resulting clusters are significantly more compact and well-separated. The reduction in intra-class variance and the increase in inter-class margins visually confirm that the VNS algorithm successfully retained the most discriminative features while filtering out noise, thereby facilitating classification by the XGBoost model.

4.1.3. Comparative Evaluation Using End-to-End Deep Learning Models

To further validate the robustness of the proposed feature-optimized multi-modal IDS, we implemented three deep learning architectures directly on the same datasets used in this study (IDS2017 and IDS2018). All models were trained from scratch on the image-encoded 16 × 16 representations using the same experimental environment described earlier. The three implemented architectures are:
  • CNN-IDS: A 6-layer convolutional model for image-based intrusion detection.
  • CNN–LSTM Hybrid: A hybrid spatial–temporal model combining convolutional layers with LSTM units to capture temporal flow dependencies.
  • ViT-IDS: A Vision Transformer model trained on 4 × 4 image patches to extract higher-level spatial embeddings.
Table 8 and Table 9 summarize the results. Across both datasets, ViT-IDS achieved the strongest deep learning performance, with accuracies of 0.99921 (IDS2017) and 0.99958 (IDS2018). However, the proposed VNS-XGBoost consistently outperformed all deep architectures, achieving 0.99997 accuracy on both datasets while requiring significantly lower training and inference times. Unlike end-to-end deep models, VNS-based optimization reduces the dimensionality of image-encoded features by 50%, making it more suitable for deployment on resource-constrained IoT devices. These experimental results demonstrate that the proposed evolutionary optimization framework achieves accuracy competitive with that of deep learning approaches while offering substantially improved computational efficiency.

4.2. Computational Performance Evaluation

This section aims to evaluate the effects of parallel ensemble learning (RF and XGBoost) on the scalability and efficiency of VNS, GA, and PSO in feature selection. The following questions will be addressed:
  • Does VNS perform better than GA and PSO in terms of convergence speed and number of iterations, and what is the impact of parallel processing in RF and XGBoost on overall training and inference time?
For Multidimensional Data, Table 10 summarizes the feature reduction achieved by intrusion detection models, with an original feature count of 84, with fitness accuracies represented in Figure 12 and Figure 13. The PSO-RandomForest model achieved the highest reduction, selecting 40 features and yielding 52.38%. The VNS-XGBoost model followed closely, selecting 42 features, resulting in a 50.00% reduction. The VNS-RandomForest model reduced the features to 43 (48.81% reduction), while GA-XGBoost selected 45 features (46.43% reduction). Both GA-RandomForest and PSO-XGBoost selected 46 features, resulting in 45.24% reductions. These results indicate that all models effectively reduced the feature set by approximately 45–52%, with PSO-RandomForest being the most efficient in minimizing the number of features, followed closely by VNS-XGBoost, enhancing computational efficiency while maintaining performance in intrusion detection.
Table 11 summarizes the feature reduction achieved by the intrusion detection models using the CSE-CIC-IDS2018 dataset, with an original feature count of 256 (derived from 16 × 16 image representations). The PSO-XGBoost model achieved the highest reduction, selecting 130 features and yielding 49.22%. The GA-RF model followed closely, selecting 131 features, resulting in a 48.83% reduction. GA-XGBoost, VNS-RF, and VNS-XGBoost each selected 137 features, resulting in a 46.48% reduction, while PSO-RF selected 135 features with a 47.27% reduction. These results indicate that all models effectively reduced the feature set by approximately 46–49%, with PSO-XGBoost being the most efficient in minimizing the number of features while maintaining performance.
For IDS2017, GA-XGBoost achieves the highest reduction percentage (50.39%, selecting 127 features), closely followed by VNS-XGBoost (50.00%, 128 features), demonstrating their effectiveness in identifying compact, high-performing feature subsets, leveraging GA’s evolutionary search and VNS’s systematic neighborhood exploration, respectively, paired with XGBoost’s gradient boosting optimization (n_estimators = 100, learning_rate = 0.1). The VNS-RF model recorded the shortest training time at 1 min 6 s, while VNS-XGBoost had a slightly longer training time of 1 min 14 s. For optimization time, VNS-XGBoost was the fastest, taking only 12 min 15 s, followed by VNS-RF at 20 min 53 s. In contrast, the GA-XGBoost model had the longest optimization time at 6 h 11 min 4 s, despite a relatively short training time of 1 min 6.5 s. The PSO-XGBoost and PSO-RF models required 5 h 24 min 26 s and 3 h 22 min 14 s for optimization, respectively, with training times of 1 min 56.2 s and 1 min 52.6 s. The GA-RF model took 3 h, 1 min, 6 s for optimization and 1 min, 20.8 s for training. These results highlight that VNS-based models, particularly VNS-XGBoost, are significantly more efficient in terms of optimization time, making them highly suitable for practical deployment in intrusion detection systems.
For Multidimensional Data, Table 12 compares the training and optimization times of six hybrid models that combine evolutionary algorithms (GA, PSO, VNS) with machine learning models (RandomForest, XGBoost). VNS-based models show the fastest optimization times (20.88 min for RandomForest and 12.25 min for XGBoost), while GA and PSO take significantly longer (up to 6+ hours). Training times are relatively short across all models, with VNS having a longer training time due to its iterative neighborhood search; PSO being faster due to lightweight position updates; and XGBoost being slower than RandomForest due to boosting overhead. For image converted data in Table 13, VNS-XGBoost achieves the fastest optimization time at 8 min 58 s, followed closely by VNS-RandomForest at 9 min 56 s, making them significantly more efficient at feature selection than other models. GA-RandomForest and PSO-RandomForest require much longer optimization times (1 h 45 min 20 s and 1 h 3 min 40 s, respectively), while GA-XGBoost and PSO-XGBoost are the slowest, taking 3 h 22 min and 3 h 26 min, respectively. In contrast, RandomForest-based models (GA-RandomForest, PSO-RandomForest, VNS-RandomForest) exhibit higher inference times (0.07290, 0.07488, and 0.13096 s, respectively) and greater peak memory usage (0.02–0.03 MB), due to the computational overhead of evaluating multiple decision trees (n_estimators = 100, n_jobs = −1). All models share a consistent initial memory footprint (0.00095 MB), indicating similar preprocessing overheads. These results underscore the superior inference efficiency of XGBoost-based models, particularly GA-XGBoost, for real-time applications on high-dimensional image data, aligning with their high accuracy (e.g., 0.99930 for GA-XGBoost in Table 1). In contrast, Random Forest models trade off inference speed for robustness.
Table 14 compares the memory usage per single sample for intrusion detection models trained on multidimensional Data_2017 (ICIDS-2017) Dataset. The PSO-XGBoost model demonstrated the lowest inference time at 0.0031 s and a peak memory usage of 10.24 KB, making it the most computationally efficient. The VNS-XGBoost model performed closely, with an inference time of 0.0042 s and a peak memory usage of 10.24 KB. In contrast, GA-XGBoost had a higher inference time (0.0220 s) and peak memory usage (81.92 KB). The RandomForest-based models (GA-RF, PSO-RF, VNS-RF) exhibited higher inference times, ranging from 0.0612 s (PSO-RF) to 0.0773 s (GA-RF), with peak memory usage between 20.48 KB (VNS-RF) and 30.72 KB (GA-RF, PSO-RF). All models had approximately 10 KB of initial memory, except for GA-XGBoost, which had 81.92 KB. These results indicate that PSO-XGBoost and VNS-XGBoost are the most efficient in terms of speed and memory, making them highly suitable for real-time intrusion detection applications.
Table 15 compares the inference time and memory usage per single sample for various models on the CSE-CIC-IDS2018 dataset. All models have an identical initial memory usage of 0.00095 MB, indicating minimal baseline memory requirements. For peak memory usage, GA-XGBoost, PSO-XGBoost, and VNS-XGBoost are the most memory-efficient, each using 0.01 MB, while GA-RF uses the highest at 0.04 MB, followed by VNS-RF (0.03 MB) and PSO-RF (0.02 MB). In terms of inference time, PSO-XGBoost is the fastest at 0.00270 s, followed by GA-XGBoost (0.00495 s), while VNS-RF is the slowest at 0.09035 s, with GA-RF (0.07743 s) and VNS-XGBoost (0.03281 s) also relatively slower. Overall, XGBoost-based models, particularly PSO-XGBoost, demonstrate superior efficiency in inference time and memory usage, making them ideal for real-time applications, whereas RandomForest-based models, especially VNS-RF, require more time and memory during inference.

4.3. Multi-Class Performance Evaluation

In this section, we evaluate the model’s performance across various incursion categories and analyze the effects of evolutionary feature selection on false positives and false negatives for each class. Emphasizing:
  • Which feature optimization approach best balances false positives and false negatives to influence class-wise detection stability across datasets?
Table 16 compares statistical performance across models trained on multidimensional data using Pearson correlation, Chi-square, and ANOVA tests. All models show strong Pearson correlation (0.94–0.99) with significant p-values (p = 0.0000), indicating high linear relationships. Chi-square results are incredibly high (up to 953k for VNS-XGBoost) with p = 0.0000, rejecting independence. For ANOVA, PSO/VNS-RandomForest shows significant differences (p = 0.0000), while XGBoost-based models are non-significant (p > 0.88), suggesting better stability. VNS-XGBoost has the highest Pearson (0.9986) and Chi-square, highlighting its robustness.
Table 17, comparing statistical analyses for intrusion detection models using the CSE-CIC-IDS2018 dataset, evaluates Random Forest (RF) and XGBoost models optimized with GA, PSO, and VNS. The VNS-XGBoost model achieved the highest Pearson correlation coefficient (1.0000) and the highest Chi-Square statistic (147,346.67), both with p-values of 0.0000, indicating a perfect correlation between predictions and accurate labels and confirming strong significance. However, it yielded the lowest ANOVA F-statistic (0.0000) and a p-value of 0.9976, suggesting no significant differences in the means. Similarly, for CIC-IDS2017, VNS-XGBoost achieves the strongest statistical performance, with a near-perfect Pearson Coefficient (0.9999) and Chi-Square value (956385.88), both with p-values of 0.0000, indicating a highly significant linear and categorical association between predictions and accurate labels, corroborated by an ANOVA F-value of 0.0000 (p-value = 1.0000), suggesting no considerable variance in errors across classes. Other models (GA-RF, GA-XGBoost, PSO-RF, PSO-XGBoost, VNS-RF) showed closely competitive performance, with high Pearson coefficients (0.9974–0.9997) and Chi-Square values (146515.72–147201.70), reflecting robust accuracy and stability, with VNS-XGBoost slightly outperforming the rest.
Table 18 presents the corrected Type 2 errors (false negatives, or missed detections) for intrusion detection models across eight classes: Benign, DoS, Portscan, DDoS, Infiltration, Brute Force, Web Attack, and Botnet. The VNS-XGBoost model achieved the lowest total Type 2 errors with 212 missed detections, primarily in the Infiltration (94) and Portscan (112) classes, with zero errors in DDoS, Brute Force, Web Attack, and Botnet, demonstrating superior detection capability. The PSO-XGBoost model followed with 424 errors, with notable misses in Infiltration (179) and Portscan (171). The GA-XGBoost model had 447 errors, also struggling with Infiltration (189) and Portscan (174). In contrast, the RandomForest-based models (GA-RF, PSO-RF, VNS-RF) exhibited significantly higher errors, with totals of 3582, 3519, and 3822, respectively, driven largely by poor detection in the Infiltration class (2816–2875 errors) and moderate errors in DoS (290–352) and Botnet (76–345). These results highlight VNS-XGBoost’s exceptional performance in minimizing missed detections, particularly for critical attack classes, making it highly effective for intrusion detection on numeric data.
Table 19 summarizes the false positives (misclassified samples from other classes) for intrusion detection models across eight classes in image converted data: Benign, DoS, Portscan, DDoS, Infiltration, Brute Force, Web Attack, and Botnet. The VNS-XGBoost model achieved the lowest total false positives with 212 errors, primarily in the Infiltration (112) and Portscan (91) classes, with minimal errors in Benign (5), DoS (2), Web Attack (2), and zero in DDoS, Brute Force, and Botnet, indicating high precision in classification. The PSO-XGBoost model followed with 424 false positives, with notable errors in Infiltration (164) and Portscan (162). The GA-XGBoost model recorded 447 false positives, also struggling with Infiltration (168) and Portscan (173). The RandomForest-based models (GA-RF, PSO-RF, VNS-RF) showed significantly higher false positives, totaling 3582, 3519, and 3822, respectively, primarily driven by misclassifications in the Portscan (2642–2654) and Benign (771–1060) classes. These results underscore VNS-XGBoost’s superior performance in minimizing false positives, making it highly effective for reducing false alarms in intrusion detection systems using numeric data.

4.4. Discussion and Limitations

Detecting malicious traffic on IoT-based smart devices is becoming increasingly challenging due to the diversity of network traffic and the continually evolving nature of attacks. To combat the growing number of sophisticated cyberattacks, traditional intrusion detection systems (IDSs) have been used. However, traditional models struggle to capture cross-modal relationships and the subtle perturbations introduced by such attacks, leading to several fundamental problems, including low detection effectiveness against unknown network threats, a high false-positive rate (FPR), and excessive resource consumption. By integrating spatial and inter-feature correlation analysis into intelligent cybersecurity workflows that leverage both tabular and image-encoded traffic, this work lays the groundwork for robust, real-time protection mechanisms in AI-driven IoT and energy-aware infrastructure systems. PSO, GA, and VNS are used to improve model performance and decrease dimensional redundancy. The three feature optimizers are paired with two classifiers to produce six configurations: GA-RF, PSO-RF, VNS-RF, GA-XGB, PSO-XGB, and VNS-XGB. This hybrid system is particularly suitable for energy-optimized smart grids and smart city IoT networks where adversarial attacks on sensor telemetry or control signals may result in energy waste, service disruptions, or false alerts.
GA combined with RandomForest is a robust evolutionary approach for feature selection, integrating the bio-inspired optimization principles of GA with the ensemble-learning strengths of RandomForest to address multi-class classification tasks on datasets such as CIC-IDS2017 (78 numeric features after preprocessing) and image-encoded data (256 features from flattened 16 × 16 images), as shown in Table 6 and Table 7. Additionally, when combined with XGBoost, it integrates the bio-inspired optimization capabilities of GA with its advanced gradient-boosting framework. Results for different modalities presented in Section 4.1 demonstrate that data modality selection significantly affects intrusion detection robustness and accuracy. In comparisons between tabular and image-based representations of identical feature subsets, the image-based modality consistently performed better in terms of accuracy, F1 Scores, and Kappa scores. Since ensemble classifiers encode tabular information spatially, they can capture latent inter-feature connections and correlation patterns that are otherwise difficult to characterize. Using the image modality, high-dimensional IoT traffic data is efficiently transformed into structured matrices, thereby improving the distinction between attack patterns and benign events.
Table 10 and Table 11 show that VNS and XGBoost were combined to achieve a good balance between detection accuracy and computational complexity. Compared with the original dataset, the VNS-based feature optimization reduced the feature dimensionality by approximately 50% while maintaining—and even enhancing—the overall model’s performance. Consequently, this significant decrease directly reduced training time and memory consumption, demonstrating VNS’s ability to conduct localized searches over several neighborhoods, effectively avoiding local optima, and finding compact, discriminative feature sets. Table 14 and Table 15 compare inference efficiency and memory usage across models. XGBoost-based models are significantly faster (0.00315–0.02197 s) than Random Forest (0.06118–0.07733 s), with PSO-XGBoost being the quickest. Memory usage is low overall, with XGBoost models having slightly higher initial memory (up to 0.07086 MB) but lower peak memory (0.01–0.08 MB vs. 0.02–0.03 MB for RF). VNS and PSO-XGBoost achieve the best balance, combining fast inference (≤0.00421 s) and minimal peak memory (0.01 MB). This suggests XGBoost hybrids, especially with PSO/VNS, optimize both speed and resource efficiency. The convergence curve for the CIC-IDS2017 dataset (Figure 12 and Figure 13) showed a notable upward trend, with the first solution achieving an accuracy of 0.986 and steadily increasing to 0.998 after approximately 17.5 evaluation iterations. This improvement demonstrates the versatility of VNS in high-dimensional search spaces and its ability to extract highly discriminative characteristics from various IoT traffic patterns. With little redundancy, the algorithm was able to separate significant feature subsets, as evidenced by the final configuration’s low Type II Error and False Positive rate of 4. The IDS2018 dataset, on the other hand, demonstrated greater stability.
After 14 assessment cycles, the accuracy plateaued at 0.990, indicating that fewer neighborhood expansions were needed to achieve optimal performance in the current dataset, which had more uniform traffic distributions and fewer minority classes. The consistency of results across datasets confirms the stability and dependability of the single-objective VNS optimization strategy. In addition, the convergence behavior demonstrates that the search procedure retains significant generalization capacity across years while adapting successfully to the inherent complexity of each dataset.
It was demonstrated that VNS was appropriate for real-time or resource-constrained IoT scenarios, achieving faster stabilization with fewer evaluations than metaheuristics such as GA and PSO, which often require many iterations for convergence. XGBoost’s parallel tree-boosting architecture significantly improved its computational scalability and robustness against class imbalances. The results show that neighborhood parameter initialization affects VNS performance, potentially requiring adjustments to preserve convergence stability across diverse datasets. The combination of VNS and XGBoost performed better than alternative setups, achieving a near-ideal trade-off between accuracy, runtime efficiency, and feature reduction due to its computationally light and highly accurate intrusion detection model.
The results of RQ3 in Section 4.3 indicate that the proposed VNS–XGBoost framework performs well in multiclass intrusion detection, achieving high accuracy and generalization on both the IDS2017 and IDS2018 datasets, as reported in Table 16 and Table 17. The low p-values of the RF models (≤0.0284) lead us to reject the null hypothesis: RF models differ significantly in their ability to handle different types of attacks. The VNS-XGBoost model's ANOVA p-value of 0.9588 indicates that only the most discriminatory and non-redundant variables are present in its 50% feature subset. This subset yields a model that does not favor any particular traffic class (Benign, DoS, DDoS, etc.). In combination with the error tables (Table 6 and Table 7), this demonstrates that RF models are challenging to apply to some classes (such as Infiltration), leading to substantial variability in their performance. According to the VNS-RandomForest F-statistic of 141.5094, the performance of the groups varies significantly. VNS-XGBoost has the highest p-value (0.9588) among the XGBoost models, which is a significant strength. The performance of these models is superior to that of the other classes (Benign, DoS, DDoS, etc.). When an intrusion detection system has multiple classes, it becomes fundamentally more reliable and trustworthy.
All classes of IoT attacks were successfully differentiated by the model, which maintained balanced precision and recall across all classes, as shown in Table 18 and Table 19. The error analysis, encompassing Type II errors (missed detections) and false positives (misclassified samples), reveals a persistent and striking performance difference between the machine learning algorithms under evaluation. The main conclusion is that XGBoost-based models (GA-XGBoost, PSO-XGBoost, and VNS-XGBoost) outperform Random Forest (RF)-based models. The RF models consistently produced error counts of 3500–3800 for Type II errors and false positives. The XGBoost models, on the other hand, reduced these totals to 212–447. The boosting mechanism offered by XGBoost is considerably more effective than the bagging mechanism of Random Forest for this dataset and classification problem. The Type II error rate dropped by more than 90% compared to GA- and PSO-based configurations, demonstrating that the method can minimize missed detections that could otherwise compromise network integrity. The VNS-XGBoost model (Pearson r of 0.9986 and ANOVA p-value of 0.9588) is unquestionably the most robust and reliable of the three models, due to its extremely high Pearson r (near-perfect association) and very high ANOVA p-value (uniform, low-variance performance).
Combining XGBoost with Variable Neighborhood Search yields the most equitable and efficient categorization across the sample set. VNS-RF models (3822 total FN) are prone to Type II errors, which are the most significant security mistake: when the number of FNs is high, the model is essentially blind to thousands of attacks. The most important contributor to FNs for the RF models was the system's failure to detect infiltration attempts, allowing an attacker to enter the network without triggering an alarm. With an FN count of 212, VNS-XGBoost had the lowest FN count of all the candidates. The use of this methodology significantly reduces the probability of a significant security breach because fewer threats go undetected. A parallelized tree ensemble in XGBoost handles heterogeneous data distributions with minimal overfitting, and a local search in VNS maximizes discriminative feature subsets for each attack class. In addition to improving the model's ability to distinguish between overlapping attack patterns, the spatial feature representation enhanced its ability to detect minute variations across visually similar incursion profiles. However, there are a few limitations. It is most likely that the model's recall was erratic across closely related classes, such as DoS and DDoS, because the samples shared specific statistical and temporal characteristics. Further, since feature importance and class boundaries may change dynamically in large, streaming IoT systems, model interpretability and scalability may be limited. Although VNS is a computationally efficient method, it still requires manual parameter adjustments to maintain neighborhood variety and to avoid convergence stagnation.
Despite these limitations, the results show that the VNS–XGBoost pipeline produces an exceptionally accurate and computationally efficient intrusion detection system (IDS) that supports strong multiclass detection and cross-dataset generalization without the complexity of deep learning architectures. The results of this study demonstrate that the model can be applied to IoT intrusion-detection deployments where speed, explainability, and adaptability are significant.
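The following is an added illustration, not the authors' implementation, of the VNS wrapper loop discussed above: shaking over neighborhoods k = 1..k_max, a first-improvement local search, and a single objective of macro-F1 minus a sparsity penalty, with missed attacks reported on a held-out split. The data are constructed, a nearest-centroid classifier stands in for XGBoost so that only the standard library is needed, and `lam`, `k_max`, `max_evals` and the "attack labelled benign" definition of a Type II error are assumptions.

```python
import random

BENIGN = 0  # constructed labels: 0 = benign, 1 and 2 = two attack families

def make_flows(n_per_class=60, n_informative=6, n_noise=18, seed=7):
    """Constructed data: only the first n_informative columns carry class signal."""
    rng = random.Random(seed)
    rows = []
    for label in range(3):
        for _ in range(n_per_class):
            x = [rng.gauss(1.2 * ((label + j) % 3), 1.0) for j in range(n_informative)]
            x += [rng.gauss(0.0, 3.0) for _ in range(n_noise)]
            rows.append((x, label))
    rng.shuffle(rows)
    return rows[0::3], rows[1::3], rows[2::3]  # train, validation, test

def predict(train, samples, mask):
    """Nearest-centroid classifier restricted to the columns where mask == 1."""
    cols = [j for j, keep in enumerate(mask) if keep]
    cents = {}
    for c in sorted({label for _, label in train}):
        members = [x for x, label in train if label == c]
        cents[c] = [sum(x[j] for x in members) / len(members) for j in cols]
    return [min(cents, key=lambda c: sum((x[j] - m) ** 2 for j, m in zip(cols, cents[c])))
            for x, _ in samples]

def macro_f1(y_true, y_pred):
    scores = []
    for c in sorted(set(y_true)):
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        scores.append(2 * tp / (2 * tp + fp + fn) if tp else 0.0)
    return sum(scores) / len(scores)

def missed_attacks(y_true, y_pred):
    """Type II errors, counted here as attack samples labelled benign (assumption)."""
    return sum(t != BENIGN and p == BENIGN for t, p in zip(y_true, y_pred))

def make_fitness(train, val, lam=0.05):
    """Single objective: validation macro-F1 minus lam * (fraction of features kept)."""
    y_val = [label for _, label in val]
    def fitness(mask):
        if not any(mask):
            return -1.0  # an empty subset is never acceptable
        return macro_f1(y_val, predict(train, val, mask)) - lam * sum(mask) / len(mask)
    return fitness

def vns(n, fitness, k_max=4, max_evals=400, seed=1):
    """Variable Neighborhood Search over binary feature masks of length n."""
    rng = random.Random(seed)
    best = [1] * n
    best_fit = fitness(best)
    evals, k, history = 1, 1, [best_fit]
    while evals < max_evals:
        cand = best[:]
        for j in rng.sample(range(n), k):      # shaking: flip k random bits
            cand[j] ^= 1
        cand_fit = fitness(cand)
        evals += 1
        improved = True
        while improved and evals < max_evals:  # local search: first-improvement 1-bit flips
            improved = False
            for j in rng.sample(range(n), n):
                if evals >= max_evals:
                    break
                cand[j] ^= 1
                f = fitness(cand)
                evals += 1
                if f > cand_fit:
                    cand_fit, improved = f, True
                    break
                cand[j] ^= 1                   # undo a non-improving flip
        if cand_fit > best_fit:
            best, best_fit, k = cand, cand_fit, 1  # success: return to the smallest neighborhood
        else:
            k = k % k_max + 1                      # failure: widen the neighborhood, wrapping around
        history.append(best_fit)
    return best, best_fit, history

def run_demo():
    train, val, test = make_flows()
    n = len(train[0][0])
    best, best_fit, history = vns(n, make_fitness(train, val))
    y_test = [label for _, label in test]
    report = {}
    for name, mask in (("all", [1] * n), ("vns", best)):
        pred = predict(train, test, mask)      # test split was never seen by the search
        report[name] = {"features": sum(mask), "macro_f1": round(macro_f1(y_test, pred), 4),
                        "missed_attacks": missed_attacks(y_test, pred)}
    return best, best_fit, history, report

if __name__ == "__main__":
    print(run_demo()[3])
```

The search scores masks on the validation split only, so the final comparison on the test split is not biased by the selection itself.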

5. Conclusions and Future Work

Machine learning techniques that rely solely on tabular data are often unable to capture the intricate relationships and correlations among multidimensional variables. The use of visual representations of tabular IoT data enables the model to identify subtle correlations and attack patterns that might otherwise go unnoticed. In this study, a hybrid feature selection approach combining Variable Neighborhood Search (VNS) with ensemble classifiers such as Random Forest and XGBoost was used to assess intrusion detection in IoT networks. Two benchmark intrusion detection datasets (CIC-IDS2017 and CSE-CIC-IDS2018) were used in the trial to compare two data types: conventional tabular data and image-encoded data. The results indicated that the image-based modality significantly enhanced detection performance in comparison with the tabular format, offering better generalization across attack types and improved feature separation. By pairing image-encoded representations with Variable Neighborhood Search (VNS) feature selection, only the most significant and non-redundant features are selected, leading to a more distinct spatial organization and higher classification accuracy. The ability of image-based analysis to bridge the gap between structural relevance and tabular interpretability allows typical machine learning algorithms to achieve deep-learning-like sensitivity and resilience without relying on large-scale neural networks. A particular application of these findings is in Internet of Things (IoT) systems, where data is diverse, resource-constrained, and frequently transmitted over wireless channels that are susceptible to interference. Using lightweight machine learning pipelines and multimodal feature optimization, we demonstrate that excellent accuracy can be achieved without the computational burden of deep learning, while also reducing some weaknesses revealed in adversarial environments.
A future version of the proposed framework may allow for federated learning, allowing for decentralized IDS collaboration without raw data exchange, a crucial requirement for industries as sensitive to privacy as smart healthcare. Furthermore, stream-based inference, edge acceleration, and on-device intelligence would optimize the architecture to enable real-time detection and response to rapidly evolving IoT threats. In combination, these approaches provide a basis for developing next-generation IDS systems that are compatible with dynamic IoT contexts, adaptable, and privacy-preserving.

Author Contributions

Conceptualization, H.A.A. and W.N.I.; methodology, H.A.A. and W.N.I.; software, W.N.I.; validation, H.A.A. and W.N.I.; formal analysis, H.A.A. and W.N.I.; investigation, H.A.A. and W.N.I.; resources, H.A.A.; data curation, H.A.A. and W.N.I.; writing—original draft preparation, W.N.I.; writing—review and editing, H.A.A. and W.N.I.; visualization, W.N.I.; project administration, H.A.A. and W.N.I. All authors have read and agreed to the published version of the manuscript.

Funding

The authors are grateful to King Saud University, Riyadh, Saudi Arabia, for funding this work through the Ongoing Research Funding Program (ORF-2025-1206).

Data Availability Statement

The data presented in this study are publicly available in the Canadian Institute for Cybersecurity (CIC) repositories at: https://www.unb.ca/cic/datasets/ids-2017.html and https://www.unb.ca/cic/datasets/ids-2018.html (accessed on 5 November 2025).

Acknowledgments

The authors are grateful to King Saud University, Riyadh, Saudi Arabia, for funding this work through the Ongoing Research Funding Program (ORF-2025-1206), King Saud University, Riyadh, Saudi Arabia.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Bella, K.; Guezzaz, A.; Benkirane, S.; Azrour, M.; Fouad, Y.; Benyeogor, M.S.; Innab, N. An efficient intrusion detection system for IoT security using CNN decision forest. PeerJ Comput. Sci. 2024, 10, e2290.
  2. Shambharkar, P.G.; Sharma, N. Deep learning-empowered intrusion detection framework for the Internet of Medical Things environment. Knowl. Inf. Syst. 2024, 66, 6001–6050.
  3. Soltani, N.; Rahmani, A.M.; Bohlouli, M.; Hosseinzadeh, M. Robust intrusion detection for network communication on the Internet of Things: A hybrid machine learning approach. Clust. Comput. 2024, 27, 9975–9991.
  4. Farhan, S.; Mubashir, J.; Haq, Y.U.; Mahmood, T.; Rehman, A. Enhancing network security: An intrusion detection system using residual network-based convolutional neural network. Clust. Comput. 2025, 28, 251.
  5. Aswini, J.; Rekha, K.S.; Rosaline, R.A.A.; Sivaneshkumar, A. Enhancing security in cloud computing systems using hybrid feature selection and ensemble-based machine learning for intrusion detection. Evol. Syst. 2025, 16, 101.
  6. Chen, S.; Fang, X. Enhancing security in IoT-fog environments with a hybrid deep learning intrusion detection system. Clust. Comput. 2025, 28, 1001.
  7. Dey, A.K.; Gupta, G.P.; Sahu, S.P. Hybrid meta-heuristic based feature selection mechanism for cyber-attack detection in IoT-enabled networks. Procedia Comput. Sci. 2023, 218, 318–327.
  8. Alqahtany, S.S.; Shaikh, A.; Alqazzaz, A. Enhanced Grey Wolf Optimization (EGWO) and random forest based mechanism for intrusion detection in IoT networks. Sci. Rep. 2025, 15, 1916.
  9. Pourardebil Khah, Y.; Hosseini Shirvani, M.; Motameni, H. A hybrid machine learning approach for feature selection in designing intrusion detection systems (IDS) model for distributed computing networks. J. Supercomput. 2025, 81, 254.
  10. Fang, Y.; Yao, Y.; Lin, X.; Wang, J.; Zhai, H. A feature selection based on genetic algorithm for intrusion detection of industrial control systems. Comput. Secur. 2024, 139, 103675.
  11. Mohy-eddine, M.; Guezzaz, A.; Benkirane, S.; Azrour, M. An intrusion detection model using election-based feature selection and K-NN. Microprocess. Microsyst. 2023, 104966.
  12. Khediri, A.; Slimi, H.; Yahiaoui, A.; Derdour, M.; Bendjenna, H.; Ghenai, C.E. Enhancing machine learning model interpretability in intrusion detection systems through shap explanations and llm-generated descriptions. In Proceedings of the 2024 6th International Conference on Pattern Analysis and Intelligent Systems (PAIS), El Oued, Algeria, 24–25 April 2024; pp. 1–6.
  13. Yan, J.; Cheng, Y.; Zhang, F.; Li, M.; Zhou, N.; Jin, B.; Wang, H.; Yang, H.; Zhang, W. Research on multimodal techniques for arc detection in railway systems with limited data. Struct. Health Monit. 2025.
  14. Bouayad, A.; Alami, H.; Idrissi, M.J.; Berrada, I. Lightweight Federated Learning Framework for Enhanced Network Intrusion Detection. IEEE Access 2024, 12, 172027–172045.
  15. Ismail, W.N.; Alsalamah, H.A.; Mohamed, E.A. Genetic-efficient fine-tuning with layer pruning on multimodal Covid-19 medical imaging. Neural Comput. Appl. 2024, 36, 3215–3237.
  16. Wang, M.; Huang, R.; Xie, W.; Ma, Z.; Ma, S. Compression Approaches for LiDAR Point Clouds and Beyond: A Survey. In ACM Transactions on Multimedia Computing, Communications and Applications; Association for Computing Machinery: New York, NY, USA, 2025.
  17. Jia, S.; Gong, X.; Liu, F.; Ma, L. AI-Powered LiDAR Point Cloud Understanding and Processing: An Updated Survey. IEEE Trans. Intell. Transp. Syst. 2025, 26, 11249–11275.
  18. Abolfathi, M.; Inturi, S.; Banaei-Kashani, F.; Jafarian, J.H. Toward enhancing web privacy on HTTPS traffic: A novel SuperLearner attack model and an efficient defense approach with adversarial examples. Comput. Secur. 2024, 139, 103673.
  19. Abolfathi, M.; Shomorony, I.; Vahid, A.; Jafarian, J.H. A game-theoretically optimal defense paradigm against traffic analysis attacks using multipath routing and deception. In Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, New York, NY, USA, 8–10 June 2022; pp. 67–78.
  20. Alamro, H.; Marzouk, R.; Alruwais, N.; Negm, N.; Aljameel, S.S.; Khalid, M.; Hamza, M.A.; Alsaid, M.I. Modeling of blockchain assisted intrusion detection on IoT healthcare system using ant lion optimizer with hybrid deep learning. IEEE Access 2023, 11, 82199–82207.
  21. Sharadqh, A.A.; Hatamleh, H.A.M.; Alnaser, A.M.A.; Saloum, S.S.; Alawneh, T.A. Hybrid chain: Blockchain enabled framework for bi-level intrusion detection and graph-based mitigation for security provisioning in edge assisted IoT environment. IEEE Access 2023, 11, 27433–27449.
  22. Saravanan, V.; Madiajagan, M.; Rafee, S.M.; Sanju, P.; Rehman, T.B.; Pattanaik, B. IoT-based blockchain intrusion detection using optimized recurrent neural network. Multimed. Tools Appl. 2024, 83, 31505–31526.
  23. Chinnasamy, R.; Subramanian, M.; Easwaramoorthy, S.V.; Cho, J. Deep learning-driven methods for network-based intrusion detection systems: A systematic review. ICT Express 2025, 11, 181–215.
  24. Rajathi, C.; Panjanathan, R. A two-phase feature selection framework for intrusion detection system: Balancing relevance and computational efficiency (2P-FSID). Appl. Artif. Intell. 2025, 39, 2539396.
  25. Rodriguez, M.; Tobon, D.P.; Munera, D. A framework for anomaly classification in Industrial Internet of Things systems. Internet Things 2025, 29, 101446.
  26. Sharma, A.; Singh, M. Batch reinforcement learning approach using recursive feature elimination for network intrusion detection. Eng. Appl. Artif. Intell. 2024, 136, 109013.
  27. Li, F.; Zhang, W.; Tang, H. RHNN-IoT: A Robust IoT Intrusion Detection Framework Based on Reinforced Hypergraph Representation Learning. Future Gener. Comput. Syst. 2025, 176, 108212.
  28. Umar, M.A.; Chen, Z.; Shuaib, K.; Liu, Y. Effects of feature selection and normalization on network intrusion detection. Data Sci. Manag. 2025, 8, 23–39.
  29. Barbosa, G.N.N.; Andreoni, M.; Mattos, D.M.F. Optimizing feature selection in intrusion detection systems: Pareto dominance set approaches with mutual information and linear correlation. Ad Hoc Netw. 2024, 159, 103485.
  30. Nabi, F.; Zhou, X. Enhancing intrusion detection systems through dimensionality reduction: A comparative study of machine learning techniques for cyber security. Cyber Secur. Appl. 2024, 2, 100033.
  31. Ismail, W.N. A Novel Metaheuristic-Based Methodology for Attack Detection in Wireless Communication Networks. Mathematics 2025, 13, 1736.
  32. Turukmane, A.V.; Devendiran, R. M-MultiSVM: An efficient feature selection assisted network intrusion detection system using machine learning. Comput. Secur. 2024, 137, 103587.
  33. Zhang, L.; Liu, K.; Xie, X.; Bai, W.; Wu, B.; Dong, P. A data-driven network intrusion detection system using feature selection and deep learning. J. Inf. Secur. Appl. 2023, 78, 103606.
  34. Liao, P.; Huang, X.; Huang, Q.; Liang, Y.; Wang, Z.; Zhang, D. An explainable intrusion detection system based on feature importance. In Proceedings of the 2023 IEEE 12th International Conference on Cloud Networking (CloudNet), Hoboken, NJ, USA, 1–3 November 2023; pp. 389–397.
  35. Canadian Institute for Cybersecurity (CIC). CIC-IDS2017: Intrusion Detection Evaluation Dataset. University of New Brunswick. 2017. Available online: https://www.unb.ca/cic/datasets/ids-2017.html (accessed on 25 November 2025).
  36. Canadian Institute for Cybersecurity (CIC). CSE-CIC-IDS2018: Intrusion Detection Evaluation Dataset. University of New Brunswick. 2018. Available online: https://www.unb.ca/cic/datasets/ids-2018.html (accessed on 25 November 2025).
  37. Hansen, P.; Mladenović, N.; Brimberg, J.; Pérez, J.A.M. Variable neighborhood search. In Handbook of Metaheuristics; Springer: Berlin/Heidelberg, Germany, 2018; pp. 57–97.
Figure 1. Block diagram of the proposed Multi-IDS System.
Figure 2. The Image encoded feature selection process.
Figure 3. Collected datasets statistics.
Figure 4. Visualization of image-encoded patterns derived from IoT intrusion features.
Figure 5. Block diagram of proposed VNS algorithm for Multi-Modal Feature Selections.
Figure 6. Multidimensional performance analysis of the IDS2018 dataset using the XGBoost classifier.
Figure 7. Multidimensional performance analysis of the IDS2017 dataset using the XGBoost classifier.
Figure 8. Multidimensional performance search history using the XGBoost classifier.
Figure 9. Image-encoded performance analysis of the IDS2018 dataset using the XGBoost classifier.
Figure 10. Image-encoded performance analysis of the IDS2017 dataset using the XGBoost classifier.
Figure 11. t-SNE visualization of the CIC-IDS2017 test dataset.
Figure 12. Convergence behavior of optimization algorithms across the IDS2017 dataset.
Figure 13. Convergence behavior of optimization algorithms across the IDS2018 dataset.
Table 1. Comparative Summary of Feature Selection and Dimensionality Reduction Techniques for Intrusion Detection.

| Ref. | Methodology | Feature Selection | Data Modality | Classifier | Key Contribution/Limitation |
|---|---|---|---|---|---|
| [24] | ML-based IDS | Mutual Information (MI), Correlation (Corr), Feature Importance (FI), and Shapley Additive Explanations (SHAP) value | Tabular data only | DNN | Introduced a two-phase optimization framework for feature categorization into either positively or negatively influential. |
| [25] | Dual phase anomaly detector | A Spearman correlation analysis | Tabular data only | Autoencoder-based detection followed by Transformers | An innovative method for identifying and classifying anomalies in IIoT environments is presented utilizing a comprehensive framework with a limited F1-score of 0.91. |
| [10] | GA-based IDS for Industrial Control Systems (ICS) | Feature ranking fusion via RRA and tree clustering | Tabular data only | Not specified | Introduced a novel GA fitness function that reduced redundancy, but lacked adaptability to multimodal and large-scale datasets. |
| [26] | Reinforcement Learning | Deep Q-Network (DQN) | Tabular IDS data | DQN, Q-Learning | Reduced 40% of features and improved rare attack detection; computationally expensive with complex parameter tuning. |
| [27] | Graph neural networks for IoT IDS between malicious and benign entities | Tabular IDS data | GNN | top-k optimal neighboring nodes | Hypergraph embedding is proposed to capture group-based, high-order incursion patterns, and hypergraphs are used to represent IoT network flows. However, the dynamic nature of IoT topologies may cause scaling issues for embedding training, and building hypergraphs can be extremely time-consuming when dealing with large, high-velocity streams of IoT data. |
| [28] | Wrapper-based Feature Selection | Decision Tree-driven wrapper search | Tabular data | Decision Tree (DT) | Improved accuracy through normalization and feature filtering, but model complexity increased with large feature sets. |
| [29] | Multi-objective Optimization (Pareto-based) | Mutual Information and Linear Correlation | Tabular data only | Graph-based classifier | Achieved 86% accuracy using 14% of features, yet suffered from slow convergence and local optima issues. |
| [30] | Dimensionality Reduction Framework | Not applied | PCA and Random Projection (RP) | Not specified | Improved efficiency via RP and PCA, but ignored inter-feature correlations crucial in IoT traffic data. |
| [31] | Metaheuristic-Based 2D-CNN for WSNs | 2D-CNN | Tabular data | Not Specified | meta-heuristic optimization yielded better computational efficiency, yet limited performance under heterogeneous IoT data modalities. |
| [32] | Hybrid Feature Selection and Reduction | ASMOTE for class balancing | Multi-SVD | Multi-class SVM | Combined ASMOTE and ONGO for optimization, though scalability decreased with increased feature dimensionality. |
| [12] | Explainable IDS using SHAP | SHAP Tree Explainer | Tabular IDS data | LLM-based explainer | Enhanced explainability, but lacked generalization for multimodal and high-dimensional intrusion data. |
| [33] | FS–DL for Software-defined Networks (SDN) | Standard deviation, association rule mining | Tabular data | 3-layer Neural Network | Improved accuracy through redundancy reduction, but required large data preprocessing overhead. |
| [34] | Explainable IDS with Visual Encoding | PCA + Decision Tree for feature ranking | 2D Image Transformation | CNN | Introduced visual interpretation of tabular data; lacked feature-level optimization and was DL-dependent. |
| [11] | Election-based Feature Selection for IoT | GA, PCA, and Univariate Statistical Fusion | Tabular data | Not specified | Combined multiple selectors for robustness; no multimodal fusion or search-based optimization applied. |
Table 2. Dataset Partition for Multi-Dimensional Data.

| Input Shape | No. of Samples |
|---|---|
| Training set | 92,095 |
| Validation set | 30,699 |
| Testing set | 30,699 |
Table 3. Summary of Data Preprocessing Steps.

| Step No. | Preprocessing Task | Description |
|---|---|---|
| 1 | Label Transformation | Simplifies multi-class classification by grouping similar attack types into broader unified labels. |
| 2 | Data Sampling | To ensure a balanced representation of all classes, 5% of the data was randomly sampled from each class. |
| 3 | Handling Missing Values | Remove rows containing incomplete or null entries. Maintains the model's stability and ensures high-quality data. |
| 4 | Class Distribution Analysis | Each class was measured by its distribution. There are imbalance issues in minority classes, such as infiltration and web attacks. |
| 5 | Oversampling | RandomOverSampler was applied to minority classes (10,000 samples each). Ensures the dataset is balanced to prevent bias in the classifier. |
| 6 | Label Encoding | A number of numerical codes were created by converting string labels into numerical codes. |
| 7 | Feature Engineering | Adding noise and encoding categorical variables, as well as removing unnecessary columns. Enhances feature expression by removing non-informative characteristics. |
| 8 | Feature Scaling | Each numerical feature was scaled using MinMaxScaler. Ensures that feature ranges are consistent and that model convergence is steady. |
| 9 | Final Dataset Preparation | A CSV file was exported from the processed dataset. |
| 10 | Tabular-to-Image Conversion | The images were scaled to 16 × 16 → normalized pixel intensities using tab2img. Provides the opportunity for multimodal experimentation and CNN-based analysis. |
| 11 | One-Hot Label Encoding | The dataset class labels are prepared using [to_categorical()]. |
Table 4. Dataset Partition and Dimensional Shapes for Image converted Data.

| Dataset |  | Input Shape (X) | Output Shape (Y) |
|---|---|---|---|
| CIC-IDS2017 | Training Set | (491,908, 16, 16, 1) | (491,908, 8) |
| CIC-IDS2017 | Validation Set | (54,657, 16, 16, 1) | (54,657, 8) |
| CIC-IDS2017 | Test Set | (136,642, 16, 16, 1) | (136,642, 8) |
| CIC-IDS2018 | Training Set | (132,617, 16, 16, 1) | (132,617, 5) |
| CIC-IDS2018 | Validation Set | (14,736, 16, 16, 1) | (14,736, 5) |
| CIC-IDS2018 | Test Set | (36,839, 16, 16, 1) | (36,839, 5) |
Table 5. Summary of developed MULTI-IDS framework.

| Aspect | Tabular Feature Subset | Image/Encoded Feature Subset |
|---|---|---|
| Preprocessing | Scaling, encoding, feature engineering | Normalization, feature extraction |
| Optimizers | GA, PSO, VNS | GA, PSO, VNS |
| Classifiers | RF, XGB | RF, XGB (on embeddings) |
| Search objective | Macro-F1 with sparsity | Macro-F1 with sparsity |
| Output | Selected features + tuned model | Selected embeddings + tuned model |
Table 6. Performance Metrics for Six Classification Models Trained on Multidimensional IDS2017 and IDS2018 Datasets.

| Dataset | Model | Accuracy | Precision | Recall | F1-Score | Kappa |
|---|---|---|---|---|---|---|
| IDS2017 | GA–RandomForest | 0.9738 | 0.9755 | 0.9738 | 0.9729 | 0.9667 |
| IDS2017 | GA–XGBoost | 0.9967 | 0.9967 | 0.9967 | 0.9967 | 0.9959 |
| IDS2017 | PSO–RandomForest | 0.9742 | 0.9759 | 0.9742 | 0.9734 | 0.9673 |
| IDS2017 | PSO–XGBoost | 0.9969 | 0.9969 | 0.9969 | 0.9969 | 0.9961 |
| IDS2017 | VNS–RandomForest | 0.9720 | 0.9738 | 0.9720 | 0.9711 | 0.9644 |
| IDS2017 | VNS–XGBoost | 0.9984 | 0.9984 | 0.9984 | 0.9984 | 0.9980 |
| IDS2018 | GA–RandomForest | 0.9738 | 0.9755 | 0.9738 | 0.9729 | 0.9667 |
| IDS2018 | GA–XGBoost | 0.9967 | 0.9967 | 0.9967 | 0.9967 | 0.9959 |
| IDS2018 | PSO–RandomForest | 0.9742 | 0.9759 | 0.9742 | 0.9734 | 0.9673 |
| IDS2018 | PSO–XGBoost | 0.9969 | 0.9969 | 0.9969 | 0.9969 | 0.9961 |
| IDS2018 | VNS–RandomForest | 0.9720 | 0.9738 | 0.9720 | 0.9711 | 0.9644 |
| IDS2018 | VNS–XGBoost | 0.9998 | 0.9984 | 0.9984 | 0.9984 | 0.9980 |
Table 7. Classification Performance Comparison Across Models for IDS2017 and IDS2018 Datasets.

| Dataset | Model | Accuracy | Precision | Recall | F1-Score | Kappa |
|---|---|---|---|---|---|---|
| IDS2017 | GA–RandomForest | 0.99644 | 0.99645 | 0.99644 | 0.99642 | 0.99549 |
| IDS2017 | GA–XGBoost | 0.99930 | 0.99930 | 0.99930 | 0.99930 | 0.99912 |
| IDS2017 | PSO–RandomForest | 0.99644 | 0.99646 | 0.99644 | 0.99643 | 0.99549 |
| IDS2017 | PSO–XGBoost | 0.99931 | 0.99931 | 0.99931 | 0.99931 | 0.99913 |
| IDS2017 | VNS–RandomForest | 0.99689 | 0.99690 | 0.99689 | 0.99687 | 0.99606 |
| IDS2017 | VNS–XGBoost | 0.99997 | 0.99997 | 0.99997 | 0.99997 | 0.99996 |
| IDS2018 | GA–RandomForest | 0.99783 | 0.99783 | 0.99783 | 0.99783 | 0.99700 |
| IDS2018 | GA–XGBoost | 0.99932 | 0.99932 | 0.99932 | 0.99932 | 0.99906 |
| IDS2018 | PSO–RandomForest | 0.99802 | 0.99802 | 0.99802 | 0.99802 | 0.99726 |
| IDS2018 | PSO–XGBoost | 0.99913 | 0.99913 | 0.99913 | 0.99913 | 0.99880 |
| IDS2018 | VNS–RandomForest | 0.99962 | 0.99962 | 0.99962 | 0.99962 | 0.99948 |
| IDS2018 | VNS–XGBoost | 0.99997 | 0.99997 | 0.99997 | 0.99997 | 0.99996 |
Table 8. Model Performance Summary (IDS2017).

| Model | Accuracy | Precision | Recall | F1-Score | Training Time | Inference Time |
|---|---|---|---|---|---|---|
| CNN-IDS | 0.99784 | 0.99783 | 0.99784 | 0.99783 | 14.6 min | 0.0085 s |
| CNN–LSTM Hybrid | 0.99827 | 0.99826 | 0.99827 | 0.99826 | 23.9 min | 0.0107 s |
| ViT-IDS | 0.99921 | 0.99921 | 0.99921 | 0.99921 | 37.3 min | 0.0172 s |
| VNS-XGBoost | 0.99997 | 0.99997 | 0.99997 | 0.99997 | 3.0 min | 0.0060 s |
Table 9. Model Performance Summary (IDS2018).

| Model | Accuracy | Precision | Recall | F1-Score | Training Time | Inference Time |
|---|---|---|---|---|---|---|
| CNN-IDS | 0.99801 | 0.99800 | 0.99801 | 0.99800 | 11.3 min | 0.0071 s |
| CNN–LSTM | 0.99868 | 0.99868 | 0.99868 | 0.99868 | 17.8 min | 0.0098 s |
| ViT-IDS | 0.99958 | 0.99958 | 0.99958 | 0.99958 | 29.4 min | 0.0137 s |
| VNS-XGBoost | 0.99997 | 0.99997 | 0.99997 | 0.99997 | 41.5 s | 0.0042 s |
Table 10. Multidimensional Dataset Feature Reduction Summary.

| Model | Original Features | Selected Features | Reduction (%) |
|---|---|---|---|
| GA–RandomForest | 84 | 46 | 45.24% |
| GA–XGBoost | 84 | 45 | 46.43% |
| PSO–RandomForest | 84 | 40 | 52.38% |
| PSO–XGBoost | 84 | 46 | 45.24% |
| VNS–RandomForest | 84 | 43 | 48.81% |
| VNS–XGBoost | 84 | 42 | 50.00% |
Table 11. Feature Reduction Summary for IDS2017 and IDS2018 Datasets.

| Dataset | Model | Original Features | Selected Features | Reduction (%) |
|---|---|---|---|---|
| IDS2017 | GA–RF | 256 | 131 | 48.83% |
| IDS2017 | GA–XGBoost | 256 | 137 | 46.48% |
| IDS2017 | PSO–RF | 256 | 135 | 47.27% |
| IDS2017 | PSO–XGBoost | 256 | 130 | 49.22% |
| IDS2017 | VNS–RF | 256 | 137 | 46.48% |
| IDS2017 | VNS–XGBoost | 256 | 137 | 46.48% |
| IDS2018 | GA–RF | 256 | 134 | 47.66% |
| IDS2018 | GA–XGBoost | 256 | 127 | 50.39% |
| IDS2018 | PSO–RF | 256 | 131 | 48.83% |
| IDS2018 | PSO–XGBoost | 256 | 130 | 49.22% |
| IDS2018 | VNS–RF | 256 | 132 | 48.44% |
| IDS2018 | VNS–XGBoost | 256 | 128 | 50.00% |
Table 12. Inference Time Comparison (Per Single Sample) for Multidimensional IDS2017 and IDS2018 Datasets.

| Dataset | Model | Training Time (wall) | Optimization Time (wall) |
|---|---|---|---|
| IDS2017 | GA–RandomForest | 1 min 20.8 s | 3 h 1 min |
| IDS2017 | GA–XGBoost | 1 min 6.5 s | 6 h 11 min |
| IDS2017 | PSO–RandomForest | 1 min 52.6 s | 3 h 22 min |
| IDS2017 | PSO–XGBoost | 1 min 56.2 s | 5 h 24 min |
| IDS2017 | VNS–RandomForest | 1 min 6 s | 20.88 min |
| IDS2017 | VNS–XGBoost | 1 min 14 s | 12.25 min |
| IDS2018 | GA–RandomForest | 10.6 s | 3 h 1 min 6 s |
| IDS2018 | GA–XGBoost | 12.3 s | 6 h 11 min 4 s |
| IDS2018 | PSO–RandomForest | 1.1 s | 3 h 22 min 14 s |
| IDS2018 | PSO–XGBoost | 0.574 s | 5 h 24 min 26 s |
| IDS2018 | VNS–RandomForest | 1.9 s | 20 min 53 s |
| IDS2018 | VNS–XGBoost | 0.558 s | 12 min 15 s |
Table 13. Inference Time Comparison (Per Single Sample) for Image-Encoded IDS2017 and IDS2018 Datasets.

| Dataset | Model | Training Time (Wall) | Optimization Time (Wall) |
|---|---|---|---|
| IDS2017 | GA–RandomForest | 2 min 38 s | 6 h 52 min 40 s |
| IDS2017 | GA–XGBoost | 3 min | 9 h 30 min 40 s |
| IDS2017 | PSO–RandomForest | 3 min 55 s | 7 h 38 min 20 s |
| IDS2017 | PSO–XGBoost | 3 min 6 s | 9 h 17 min 20 s |
| IDS2017 | VNS–RandomForest | 3 min 18 s | 55 min 26 s |
| IDS2017 | VNS–XGBoost | 3 min 1 s | 42 min 50 s |
| IDS2018 | GA–RandomForest | 35.6 s | 1 h 45 min 20 s |
| IDS2018 | GA–XGBoost | 40.7 s | 3 h 22 min |
| IDS2018 | PSO–RandomForest | 52.1 s | 1 h 3 min 40 s |
| IDS2018 | PSO–XGBoost | 57.6 s | 3 h 26 min |
| IDS2018 | VNS–RandomForest | 40.5 s | 9 min 56 s |
| IDS2018 | VNS–XGBoost | 41.5 s | 8 min 58 s |
Table 14. Memory Usage Comparison (Per Single Sample) for Multidimensional Data.

| Model | Initial Memory (KB) | Peak Memory (KB) | Inference Time (s) |
|---|---|---|---|
| GA–RandomForest | 0.9728 | 30.72 | 0.0773 |
| GA–XGBoost | 72.56064 | 81.92 | 0.0220 |
| PSO–RandomForest | 0.9728 | 30.72 | 0.0612 |
| PSO–XGBoost | 0.9728 | 10.24 | 0.0031 |
| VNS–RandomForest | 0.9728 | 20.48 | 0.0673 |
| VNS–XGBoost | 0.9216 | 10.24 | 0.0042 |
Table 15. Memory Usage Comparison (Per Single Sample) for Image-Encoded IDS2017 and IDS2018 Datasets.

| Dataset | Model | Initial Memory (MB) | Peak Memory (MB) | Inference Time (s) |
|---|---|---|---|---|
| IDS2017 | GA–RF | 0.00095 | 0.02 | 0.07290 |
| IDS2017 | GA–XGBoost | 0.00095 | 0.01 | 0.00301 |
| IDS2017 | PSO–RF | 0.00095 | 0.02 | 0.07488 |
| IDS2017 | PSO–XGBoost | 0.00095 | 0.01 | 0.00563 |
| IDS2017 | VNS–RF | 0.00095 | 0.03 | 0.13096 |
| IDS2017 | VNS–XGBoost | 0.00095 | 0.01 | 0.00604 |
| IDS2018 | GA–RF | 0.00095 | 0.03 | 0.07733 |
| IDS2018 | GA–XGBoost | 0.07086 | 0.08 | 0.02197 |
| IDS2018 | PSO–RF | 0.00095 | 0.03 | 0.06118 |
| IDS2018 | PSO–XGBoost | 0.00095 | 0.01 | 0.00315 |
| IDS2018 | VNS–RF | 0.00095 | 0.02 | 0.06727 |
| IDS2018 | VNS–XGBoost | 0.00095 | 0.01 | 0.00421 |
Table 16. Statistical Analysis Comparison (Pearson, Chi-Square, ANOVA) for Multidimensional Data.

| Model | Pearson Coeff. | Pearson p-Value | Chi-Square Value | Chi-Square p-Value | ANOVA F | ANOVA p-Value |
|---|---|---|---|---|---|---|
| GA–RandomForest | 0.9662 | 0.0000 | 44,779.6096 | 0.0000 | 4.8024 | 0.0284 |
| GA–XGBoost | 0.9941 | 0.0000 | 47,255.4220 | 0.0000 | 0.0111 | 0.9163 |
| PSO–RandomForest | 0.9585 | 0.0000 | 886,650.5744 | 0.0000 | 95.6131 | 0.0000 |
| PSO–XGBoost | 0.9955 | 0.0000 | 947,843.6802 | 0.0000 | 0.0201 | 0.8873 |
| VNS–RandomForest | 0.9445 | 0.0000 | 873,602.0460 | 0.0000 | 141.5094 | 0.0000 |
| VNS–XGBoost | 0.9986 | 0.0000 | 953,176.8878 | 0.0000 | 0.0027 | 0.9588 |
Table 17. Statistical Analysis Comparison (Pearson, Chi-Square, ANOVA) for IDS2017 and IDS2018 Image-Encoded Data.

| Dataset | Model | Pearson Coeff. | Pearson p-Value | Chi-Square | p-Value | ANOVA F | ANOVA p-Value |
|---|---|---|---|---|---|---|---|
| IDS2017 | GA–RF | 0.9917 | 0.0000 | 945,871.20 | 0.0000 | 2.5586 | 0.1097 |
| IDS2017 | GA–XGBoost | 0.9984 | 0.0000 | 953,642.75 | 0.0000 | 0.0115 | 0.9146 |
| IDS2017 | PSO–RF | 0.9912 | 0.0000 | 945,865.25 | 0.0000 | 2.5280 | 0.1118 |
| IDS2017 | PSO–XGBoost | 0.9985 | 0.0000 | 953,208.80 | 0.0000 | 0.0098 | 0.9213 |
| IDS2017 | VNS–RF | 0.9921 | 0.0000 | 946,961.32 | 0.0000 | 2.6493 | 0.1036 |
| IDS2017 | VNS–XGBoost | 0.9999 | 0.0000 | 956,385.88 | 0.0000 | 0.0000 | 1.0000 |
| IDS2018 | GA–RF | 0.9974 | 0.0000 | 146,515.72 | 0.0000 | 0.0017 | 0.9669 |
| IDS2018 | GA–XGBoost | 0.9993 | 0.0000 | 147,071.47 | 0.0000 | 0.0013 | 0.9716 |
| IDS2018 | PSO–RF | 0.9979 | 0.0000 | 146,629.90 | 0.0000 | 0.0055 | 0.9409 |
| IDS2018 | PSO–XGBoost | 0.9994 | 0.0000 | 147,009.32 | 0.0000 | 0.0003 | 0.9858 |
| IDS2018 | VNS–RF | 0.9997 | 0.0000 | 147,201.70 | 0.0000 | 0.0009 | 0.9763 |
| IDS2018 | VNS–XGBoost | 1.0000 | 0.0000 | 147,346.67 | 0.0000 | 0.0000 | 0.9976 |
Table 18. Corrected Type II Error (Missed Detections per Class) for Multidimensional IDS2017 and IDS2018 Datasets.
Dataset | Model | Benign | DoS | Portscan | DDoS | Infiltr. | Brute Force | Web Attack | Botnet | Total Type II Error
IDS2017GA–RF46352284287523178763582
GA–XGBoost351217411892340447
PSO–RF442903542816131801373519
PSO–XGBoost321417111792250424
VNS–RF7633642102821251673453822
VNS–XGBoost51112094000212
IDS2018GA–RF8412405105
GA–XGBoost223720364
PSO–RF114133018148
PSO–XGBoost93730453
VNS–RF59210567
VNS–XGBoost212016
Table 19. Summary of Total Type II Error (False Negatives) for Image-Encoded IDS2017 and IDS2018 Datasets.
Dataset | Model | Benign | DoS | Portscan | DDoS | Infiltration | Brute Force | Web Attack | Botnet | Total Type II Error
IDS2017GA–RF1313143945354487
GA–XGBoost11229102959095
PSO–RF15234438832020486
PSO–XGBoost10128931510094
VNS–RF017436622916425
VNS–XGBoost012010004
IDS2018GA–RF3134100580
GA–XGBoost16240325
PSO–RF2633100473
PSO–XGBoost20530432
VNS–RF3330514
VNS–XGBoost100001
Alsalamah, H.A.; Ismail, W.N. Evolutionary Computation for Feature Optimization and Image-Based Dimensionality Reduction in IoT Intrusion Detection. Mathematics 2025, 13, 3869. https://doi.org/10.3390/math13233869
