African buffalo optimization with deep learning-based intrusion detection in cyber-physical systems

Abstract

Cyber-physical system (CPS) incorporates several computing resources, networking units, interconnected physical processes, and monitoring the development and application of the computing system. Interconnection between the cyber and physical worlds initiates attacks on security problems, particularly with the enhancing complications of transmission networks. Despite the efforts to combat these problems, analyzing and detecting cyber-physical attacks from the complex CPS is challenging. Machine learning (ML)-researcher workers implemented based techniques to examine cyber-physical security systems. A competent network intrusion detection system (IDS) is essential to avoid these attacks. Generally, IDS uses ML techniques to classify attacks. However, the features used for classification are not frequently appropriate or adequate. Moreover, the number of intrusions is much lower than that of non-intrusions. This research presents an African Buffalo Optimizer Algorithm with a Deep Learning Intrusion Detection (ABOADL-IDS) model in a CPS environment. The main intention of the ABOADL-IDS model is to utilize the FS with an optimal DL approach for the intrusion recognition and identification procedure. Initially, the ABOADL-IDS model performs the data normalization process. Furthermore, the ABOADL-IDS model utilizes the ABO technique for feature selection. Moreover, the stacked deep belief network (SDBN) technique is employed for intrusion detection and identification. To improve the SDBN technique solution, the seagull optimization (SGO) technique is implemented for the hyperparameter selection. The assessment of the ABOADL-IDS technique is accomplished under NSLKDD2015 and CICIDS2015 datasets. The performance validation of the ABOADL-IDS technique illustrated a superior accuracy value of 99.28% over existing models concerning various measures.

Introduction

With the assimilations of physical processes and computing resources, a Cyber-physical system (CPS) performs computation and communication via interconnected devices, allowing remote control and access to machines, devices, and systems indispensable in several industrial fields¹. Nonetheless, the comprehensive integration of CPS comes with different security risks, which may cause severe damage to the physical object and harm the users who rely entirely on them². The security mechanism aims to defend CPS devices from exterior attacks that depend on antivirus, firewalls, and encryption methods. However, this mechanism could not avoid all these attacks, particularly allowing the attacker to develop its approaches³ continually. Intrusion Detection Systems (IDS) are essential for identifying malicious behaviours and protecting CPS from security attacks in these contexts. Specific embedded domain device software that allows adversaries to perform arbitrary code and vulnerabilities are exposed by libraries even though the emergence of real-time software for CPS is stringent⁴. This code injection attack has been standard in the general-purpose domain for several years. As more embedded applications, especially CPS applications, utilize networks, they become more vulnerable to these attacks⁵.

Furthermore, most IDSs exploit machine learning (ML) models for attack identification. This necessitates extracting better features for various intrusions used in supervised learning for attack detection. However, appropriate and sufficient traffic data is not available often, which enables proper feature learning⁶. Compared to the number of non-intrusions, the number of intrusions is also much lesser, resulting in more difficulties in training⁷. IDS employs ML techniques for detecting malicious behaviours using training datasets⁸. Still, many researchers exploit datasets taken from the internet protocol. This dataset is not suited for intrusion detection in CPSs because they lack traffic from CPS protocol and have a slight relationship with the present equipment⁹. The classical offline ML technique does not have its models often updated while the behaviour shift occurs. Currently, it is necessary to categorize real-time attacks in vast streams of information without compromising hardware resources, like CPU and memory, with the vulnerability to take data processing to the network node and the enhancing development of Big Data systems generating an ample quantity of heterogeneous data¹⁰. Hence, classical offline ML methods might not be appropriate for processing events from a massive flow of information.

This research presents an African Buffalo Optimizer Algorithm with a Deep Learning Intrusion Detection (ABOADL-IDS) model in a CPS environment. The main intention of the ABOADL-IDS model is to utilize the FS with an optimal DL approach for the intrusion recognition and identification procedure. Initially, the ABOADL-IDS model performs the data normalization process. Furthermore, the ABOADL-IDS model utilizes the ABO technique for feature selection. Moreover, the stacked deep belief network (SDBN) technique is employed for intrusion detection and identification. To improve the SDBN technique solution, the seagull optimization (SGO) technique is implemented for the hyperparameter selection. The assessment of the ABOADL-IDS technique is accomplished under NSLKDD2015 and CICIDS2015 datasets. The key contribution of the ABOADL-IDS technique is listed below.

• The ABOADL-IDS model utilizes min-max scaling to normalize the data, ensuring all features fall within a standardized range. This preprocessing step assists in improving the model’s performance by eliminating bias from features with different scales. It also enables more effective learning, particularly for models sensitive to input range.

• The ABO-based feature selection identifies the most relevant features, improving the technique’s ability to detect intrusions accurately. Concentrating on key features mitigates the data’s dimensionality, resulting in faster computation and less resource consumption. This enhances the efficiency and effectiveness of the intrusion detection process.

• The SDBN model is utilized for intrusion detection. Its DL technique enables the model to learn complex data patterns, effectively detecting advanced and previously unseen attacks. The SDBN technique’s hierarchical feature learning improves the accuracy and robustness of the detection process.

• SGO-based tuning fine-tunes the model’s parameters, improving its overall performance. This methodology optimizes the balance between exploration and exploitation, allowing for more precise parameter selection. As a result, the model attains improved generalization and robustness across diverse datasets.

• The novelty of the ABOADL-IDS model is in seamlessly incorporating advanced techniques like ABO for feature selection, SDBN for DL-based intrusion detection, and SGO for parameter tuning. This integration creates a cohesive framework that improves detection accuracy and minimizes computational complexity. By employing these complementary methods, the model attains enhanced performance in real-time intrusion detection with reduced resource consumption.

Related works

In¹¹, an Explainable AI-Enabled Intrusion Recognition method for protecting CPS (XAIID-SCPS) was designed. A Hybrid Enhanced GSO (HEGSO) technique has been implemented for the FS method. The Improved ENN (IENN) technique could be employed to determine the optimum parameters for IDS. Althobaiti et al.¹² introduced a new intellectual computation-based IDS method. This method includes preprocessing to remove the noise data. Later, this technique employs a binary bacterial foraging optimizer (BBFO) based-FS approach for optimally choosing feature subsets. Also, the GRU approach was implemented to detect intrusions. Lastly, the Nesterov-accelerated Adaptive Moment Estimation (NADAM) technique must be employed for the hyperparameter optimizer of the GRU technique. Mittal et al.¹³ suggested a novel clustering technique for intrusion detection. This approach uses a new gravitational search algorithm (GSA) variant to attain optimum clusters. Kbest was changed to a proportionally reduced process in this developed variant with logistic-mapping-based chaotic behaviours. In¹⁴, a privacy-conserving model named PC-IDS was designed to have two main modules. Initially, a data preprocessing module was developed for cleaning and converting real data into various layouts, achieving privacy conservation; later, an IDS was introduced utilizing PSO-based probabilities of neural networks. Kukkala et al.¹⁵ projected a new DL-based IDS named INDRA that implements a GRU-based recurrent-AE network to identify different cyberattacks in automatic CPSs. The authors¹⁶ suggested innovative AI-aided multimodal fusion-based IDS (AIMMF-IDS). A weighted voting-based ensemble framework combined methods through RNN, deep belief network (DBN), and BiLSTM. In¹⁷, a DL-based IDS was implemented to identify cyberattacks on CPS using a multimodal learning method. This technique reports two IDS methods depending on DL: RNN and CNN. In the first IDS, Gramian Angular Field (GAF) was implemented to transform CPS time-series data into images. The second IDS employed RNN with a multimodal attention method to train the attack detector.

Safavat and Rawat¹⁸ recommended secure federated learning employing an Interpolated private and public keys-ROTation (IPP-ROT)-based ECC and providing Buff; FL using Buffered Asynchronous, Aggregation based Log Sigmoid-MLP (FB-FL-BAA-LS-MLP) approaches. Firstly, the vehicles could be listed with a cloud server by producing cipher text and keys with the help of IPP-ROT and ECC techniques. Shi et al.¹⁹ develop an effective framework for analyzing recurrent spontaneous abortion (RSA) in patients with thyroid disorders, using an integration of the Joint Self-Adaptive Sime Mould Algorithm (JASMA) and Support Vector Machine (SVM) to improve global search, optimization, and convergence for improved diagnosis and treatment. Ji et al.²⁰ propose a hybrid intrusion detection approach for CPSs, incorporating AdaBoost and random forest (RF) methods. It chooses optimal features based on their significance scores and retrains the base models for improved attack detection. Arumugam et al.²¹ develop an intrusion detection system for CPS by extracting statistical and flow-based features, choosing optimal features using Improved LDA, and applying a hybrid CNN-Bi-GRU classifier optimized by the BMEAOA approach for improved detection performance. Chen et al.²² propose an improved Firefly Algorithm integrated with the Extremal Optimization (IFA-EO) approach. It introduces three strategies: a hybrid attraction model, adaptive step size, and EO integration for improved local search, balancing exploration and exploitation to improve performance. Abinash et al.²³ propose HGCNN-LSTM, a DL-based attack detection model for ICS networks, using hypergraphs to optimize CNN-LSTM thresholds and enhance the detection of data injection, DoS, and reconnaissance attacks.

Feng et al.²⁴ propose the dConvLSTM-DCN framework, incorporating dual ConvLSTM and Dense Convolutional Network to predict VPS availability short-term (within 30 min) and long-term (over 30 min). It effectively captures temporal and spatial correlations and utilizes a two-layer linear network for feature extraction, with direct and iterative methods for long-term predictions. Al Mazroa et al.²⁵ propose an automated Cyberattack Detection using Binary Metaheuristics with DL (ACAD-BMDL) method for automated cyberattack detection in CPS environments, using Z-score normalization, binary grey wolf optimizer (BGWO) for feature selection, Enhanced Elman Spike Neural Network (EESNN) for attack detection, and Archimedes Optimization Algorithm (AOA) for hyperparameter optimization. Rahim and Manoharan²⁶ propose a framework for CPS intrusion detection and mitigation utilizing Fractional Artificial Protozoa Optimization (FAPO)-enabled Spiking VGG-16. It involves normalizing input logs with Quantile Normalization, selecting features via Skill Optimization Algorithm (SOA), detecting intrusions with Spiking VGG-16, and classifying attacks with FAPO for mitigation. Chen et al.²⁷ present a hybrid 3DMA scheme for multi-user multiple-input multiple-output visible light communication (MU-MIMO-VLC) approaches, optimizing 3D resources to improve performance. It uses user grouping, frequency pairing, power multiplexing with superposition coding, and an optimal power allocation strategy, achieving higher sum rates than benchmark schemes. Markkandeyan et al.²⁸ propose a hybrid DL strategy for detecting malware in IoT environments, utilizing an Adaptive TensorFlow DNN with Improved Particle Swarm Optimization (IPSO) for SC duplication detection and E-LSTM for identifying suspicious actions.

Despite the improvements in intrusion detection and mitigation systems for CPS, several limitations and research gaps remain. Many existing methods encounter challenges in handling high-dimensional data, resulting in issues with feature selection and computational efficiency. Furthermore, there is a lack of scalability in several techniques when applied to large-scale, real-time CPS environments. Many approaches also face difficulty generalizing across diverse attack scenarios, limiting their efficiency in dynamic settings. Furthermore, while improving detection accuracy, optimization techniques often overlook the trade-off between exploration and exploitation. Lastly, while hybrid models exhibit potential, their complexity and requirement for extensive training data remain significant barriers to their practical deployment. Therefore, more efficient, scalable, and adaptable solutions are required to address these gaps in current research.

The proposed model

This manuscript proposes automatic intrusion recognition using the ABOADL-IDS method in the CPS platform. The main intention of the ABOADL-IDS technique is to utilize the FS with an optimal DL approach for the intrusion recognition and identification procedure. It comprises data normalization, ABO-based FS, SGO-based hyperparameter tuning, and SDBN-based intrusion recognition. Figure 1 represents the workflow of the ABOADL-IDS technique.

Fig. 1

Workflow of ABOADL-IDS technique.

Data normalization

Data normalization using a min-max scaling approach is mainly utilized²⁹. This model is chosen due to its simplicity and effectiveness in transforming data into a standard range, typically between 0 and 1. This method ensures that all features contribute equally to the model, preventing features with larger numerical ranges from dominating the learning process. Unlike other normalization techniques, such as Z-score normalization, Min-Max scaling preserves the original distribution of the data and averts distortion. It is particularly advantageous when the model requires a specific input range, such as in neural networks, where activation functions like sigmoid or tanh work best within a bounded range. Furthermore, Min-Max scaling is computationally efficient and easy to implement, making it a preferred choice for preprocessing data in many ML tasks.

MinMax Scaler shrinks the data from the provided range, generally from zero to one. It converts data by scaling features to the offered range. It scales the values to a specific range without altering the original distributions’ shape. This equation of the Min-Max normalizer method \(\:{X}_{-}norm\) is represented in Eq. (1).

$$X\_norm = \frac{{\left( {X - X\_{\text{min~}}} \right)}}{{X\_{\text{max}} - X\_{\text{min~}}}}$$

(1)

In this case, the normalizer computation is carried out only for unknown validation, training, and testing sets.

Feature selection using ABO model

To choose a feature, the ABOADL-IDS technique designs a new ABO technique for FS³⁰. This model is preferred due to its unique capability to explore the solution space and balance exploration and exploitation effectually. Inspired by the herd behaviour of African buffaloes, the ABO model utilizes a cooperative search mechanism that replicates the way buffaloes work together to find optimal grazing areas. This behaviour allows the model to avert local optima and improves the accuracy of feature selection. Compared to other optimization techniques, the ABO model is more robust in handling complex, high-dimensional datasets and is less prone to getting stuck in suboptimal solutions. Its strong global search capability and fast convergence make it an ideal choice for feature selection in ML tasks, ensuring that only the most relevant features are chosen to improve model performance. Figure 2 illustrates the ABO model.

Fig. 2

Steps involved in the ABO model.

The African buffalo’s behaviour from the vast forests and grasslands of Africa assisted as a simulation for the ABO technique. While African buffaloes are consistently identified as exceptionally planned and remarkably effective herbivores, this meta-heuristic system tries to influence the natural intellect of buffaloes to generate higher-quality meta-heuristics. During this method, once the position (solution) of all the buffalo is, an optimum preceding position of that buffalo can continuously be comprised in the computation for simulating the remarkable memory capacity of these animals. Additionally, it is transferred efficiently by its vocalizations; mainly, it is distinctive “was” calls that assist various purposes like signalling danger or determining an optimum food source. This performance can be established in the method, such that the computation of novel solutions of all the buffaloes also assumes the position of the existing buffalo, which is near other buffaloes of the group are also affected. By executing this earlier defined performance of constantly upgrading the solution of all the buffalo is dependent upon their historical optimum solution and existing solution of the entire optimum buffalo from the herd, this method ABO effectively resolves the difficulty of early convergence or stagnation in the optimizer method, permitting for a wide-ranging exploration of searching space.

Algorithm 1

Pseudocode of ABO

The primary formula in the ABO method defines the parameter \(\:mk\) that affects the novel solution of separate bison (solution) comparative to its old optimum solution (separate’s optimum bison) and comparative to existing best solution (the global optimum position) as:

$$mk = mk + lp1^{{\text{*}}} \left( {bg_{{{\text{max}}}} - P_{j} } \right) + lp2^{{\text{*}}} \left( {PLocal_{{{\text{max}},j}} - P_{j} } \right),$$

(2)

In this case, \(\:{P}_{j}\) signifies the existing solution of buffalos \(\:j,\) \(\:{b}_{gax}\) denotes the global optimum position, and \(\:PLoca{l}_{max,j}\) represents the old optimum position of buffalos \(\:j\). The parameter \(\:mk\) determines the novel solution \(\:{P}_{j}\) of buffalos \(\:j\). The parameters \(\:lp1\) and \(\:lp2\) define if the bison follows its optimum solution or the solution of optimum global position. During all the iterations of the ABO approach, the global optimum position and old optimum position of all the bison can also be upgraded once there is a alter. Afterwards, the procedure is repeated, and the condition for the end of the method is met.

The allocated FF evaluates the quality solution of the ABO-based FS technique³¹. The function depends primarily on the regression or classification error rate, and the feature is chosen from the input data. The fittest solution can rely on a series of features that provide minimal features with a minimal classifier error rate. The subsequent formula is used to assess the solutions’ quality.

$$F_{n} = \alpha Err\left( O \right) + \beta \frac{{\left| s \right|}}{{\left| f \right|}}$$

(3)

In Eq. (18), \(\:Err\left(O\right)\) is the optimizer error rate,\(\:\:s\) denotes the selected set of features, and\(\:\:f\) shows the overall amount of existing features. The \(\:\alpha\:\in\:\left[\text{0,1}\right],\beta\:=1-{h}_{1}\) value is accountable for the classifier errors and the quantity of nominated features. Here, \(\:{h}_{1}\) depicts a parameter related to the classifier’s performance or a specific aspect of the feature selection process, and its value is used to adjust the weight parameter \(\:\beta\:\), affecting the overall model optimization.

Intrusion detection using SDBN model

The SDBN technique is employed to detect intrusion³². This model is chosen because it can automatically learn hierarchical feature representations from raw data. By stacking multiple Restricted Boltzmann Machines (RBMs) layers, SDBN captures intrinsic patterns and correlations within the data, which is significant for detecting advanced intrusions. Unlike conventional ML techniques requiring manual feature extraction, SDBN learns high-level abstractions from the raw input, improving its ability to detect unknown or zero-day attacks. Furthermore, the DL structure of SDBN allows for improved generalization, making it highly effectual on diverse and large-scale datasets. Compared to other models, SDBN’s multi-layered architecture improves its robustness and performance in intrusion detection tasks by efficiently processing high-dimensional data and distinguishing subtle malicious behaviour patterns.

A DBN is a DNN stacked with the multi-layer infrastructure of RBMs. The RBM architecture comprises hidden and visible layers with hidden neurons, respectively. Visible neurons are FC with hidden neurons; no intra-layer from the VL or HL exists. There exist two major learning models: supervised and unsupervised learning. The RBM and backpropagation network (BPN) implement unsupervised and supervised learning. After implementing the RBM operation, the hidden neuron is conditionally independent once the visible state is given. Therefore, once the input vector is given, it rapidly takes unbiased samples in the posterior distribution. The two primary functions represent these models— the probability distribution and energy functions.

$$E\left( {v,h;\theta } \right) = - \sum\limits_{{i = 1}}^{n} {\sum\limits_{{j = 1}}^{m} {v_{i} h_{j} w_{{ij}} } - \sum\limits_{{i = 1}}^{n} {v_{i} a_{i} } - \sum\limits_{{j = 1}}^{m} {h_{j} b_{j} } }$$

(4)

In Eq. (4), \(\:E\) shows the energy with configuration on \(\:v\) and \(\:h\) visible and hidden neurons, \(\:{v}_{i}\) represents the binary state of \(\:{i}^{th}\) visible neurons, \(\:{h}_{j}\) signifies the binary state of \(\:{j}^{th}\) hidden neurons, and \(\:{w}_{ij}\) shows the weight between \(\:{i}^{th}\) and \(\:{j}^{th}\) neurons, for the parameter \(\:\theta\:\) of \(\:\left\{W,\:b,\:a\right\}\) and \(\:{v}_{i},\) \(\:{h}_{j}\in\:\left\{\text{0,1}\right\}\). Now, \(\:W\) refers to the symmetric weight with \(\:n\times\:m\) dimension\(\:,\) \(\:a\) designates the bias of visible neuron, and \(\:b\) denotes the bias of hidden neuron. The energy defines the probability of configuration.

$$p\left( {v_{i} ,h_{j} } \right) = \frac{{e^{{ - E\left( {v_{i} ,h_{j} } \right)}} }}{{\sum\nolimits_{{v_{i} ,h_{j} }} {e^{{ - E\left( {v_{i} ,h_{j} } \right)}} } }}$$

(5)

The denominator in Eq. (5) defines the partition function and is attained by adding each pair of hidden and visible vectors. According to the function of probability distribution, the conditional probability distribution function is resulting and given below:

$$h_{j} = sigmoid\left( {\sum\limits_{i} {v_{i} W_{{ij}} + b_{j} } } \right)$$

(6)

$$v_{i} = sigmoid\left( {\sum\limits_{j} {h_{j} W_{{ij}}^{T} + a_{i} } } \right)$$

(7)

Here, \(\:{h}_{j}\) indicates the probability distribution once \(\:{v}_{i}\) is provided, and \(\:{v}_{i}\) shows the probability distribution once \(\:{h}_{j}\) is provided.

DBN exploits pre-training, fine-tuning, and prediction. Pre-training and fine-tuning allow this method to forecast a correct outcome. During the pre-training, a series of primary parameters are attained in the input vector. SDBN is a kind of ANN design that integrates several layers of RBMs to procedure a DL approach. During the stacked DBN, several RBMs are trained greedy layer-wise. This suggests that you begin with the primary RBM and train it to capture features from the data. Afterwards, the outcome of this RBM is employed as input for the next RBM. This procedure is frequent for several layers as desired. Figure 3 signifies the structure of DBN.

Fig. 3

Architecture of DBN.

Parameter tuning using the SGO model

Finally, the SGO model optimally chooses the parameter linked to the SDBN model³³. This model is chosen due to its unique bio-inspired search mechanism, which replicates the intelligent foraging behaviour of seagulls. This model effectually balances exploration and exploitation, allowing it to search a vast solution space while converging towards the optimal solution. Compared to other optimization techniques, SGO is less likely to get trapped in local optima, making it more robust in finding the best parameter set. The adaptability of SGO to various optimization problems, comprising parameter tuning, improves its flexibility and effectiveness. Additionally, SGO needs fewer computational resources and iterations than some conventional methods, improving efficiency. Its ability to work well on complex, high-dimensional parameter spaces makes it an ideal choice for fine-tuning models in ML tasks. Figure 4 specifies the flow chart of the SGO technique.

Fig. 4

Flowchart of the SGO technique.

The SGO approach is a recent metaheuristic intelligent approach based on seagulls’ attacking and migratory strategies. Its underlying principle is to search for the global optima solution by relating local and global search development of different population individuals. At the same time, attack is a local optimization, and migration is a global optimization. Over other optimization techniques, the SGO gives the succeeding two advantages:

1. (1)

   The structure of the algorithm is open, and there aren’t multiple parameters to organize, so it is very simple to resolve different types of problems;

2. (2)

   A global optimizer algorithm called SGO has increased proficiency for global search and local exploitation and deals with the problem of substantial dimension.

During the flight, it affects the local development capacity of the SGO; however, attack behaviour is the seagull attacks for food in the water and on the ground. A migration strategy is the seagull’s flight in many directions suitable for survival at the existing stage but not in another location.

Migration

The SGO performs a global search by mimicking seagulls’ random flying in all directions. Every random seagull should gradually meet the above three requirements in this process.

1. (1)

   Avoiding collision

The SGO evaluates the seagull’s post-migration location \(\:{C}_{s}\left(t\right)\) by dealing with the existing location of the seagull \(\:{P}_{s}\left(t\right)\) and the additional parameter \(\:A\) to avoid collision between neighbouring seagull individuals:

$$C_{s} \left( t \right) = A \times P_{s} \left( t \right)$$

(8)

\(t\)—represents the existing iterations count; \(A\)—indicates the drive of seagulls in space;

$$A = f_{c} - \left( {t \times \frac{{f_{c} }}{{{\text{Max}}_{{iteration}} }}} \right)$$

(9)

\({f}_{c}\)—linear function reduces the \(A\) value linearly from \({f}_{c}\) to \(0\); \({\text{Max}}_{{iteration}}\)—shows the maximal iteration count.

1. (2)

   Best position orientation

On the basis that the seagulls don’t crash with one another, seagulls must shift towards the optimal location \(\:{M}_{s}\left(t\right)\) :

$$M_{s} \left( t \right) = B \times \left( {P_{{best}} \left( t \right) - P_{s} \left( t \right)} \right)$$

(10)

\({P}_{best}\left(t\right)\)—optimal position for seagulls; \(B\)—random value that balances local and global optima;

$$B = 2 \times A^{2} \times rd$$

(11)

rd—randomly generated integer [0,1].

1. (3)

   Move to the finest location

Once the abovementioned dual conditions are met, the seagull needs to travel towards the optimum location till it attains the newest location \(\:{D}_{s}\left(t\right)\) that is formulated by the subsequent equation:

$$D_{s} \left( t \right) = \left| {C_{s} \left( t \right) + M_{s} \left( t \right)} \right|$$

(12)

Attack behavior

Seagulls use their weight and wings during migration to keep a specific altitude. They dive in a spiral movement near the target after discovering an objective to attack. These behaviours of seagulls in the air are represented as x\(\:,\) \(\:y\), and \(\:z\) 3D planes:

$$x = r \times {\text{cos}}\left( \theta \right)$$

(13)

$$y = r \times {\text{sin}}\left( \theta \right)$$

(14)

$$z = r \times \theta$$

(15)

$$r = u \times e^{{\theta v}}$$

(16)

\(r\)—the radius of the helix; θ angle value in [0,2π]; \(u\), \(nu\)—correlation constant for helix;

Computation equation of seagull attack location:

$$P_{s} \left( t \right) = D_{s} \left( t \right) \times x \times y \times z + P_{{best}} \left( t \right)$$

(17)

The fitness function (FF) is a critical feature of the SGO technique. The encrypted solution is organized to calculate the best solution for candidate results. The accuracy values are the main state developed to project an FF.

$$Fitness = {\text{max}}\left( P \right)$$

(18)

$$P = \frac{{TP}}{{TP + FP}}$$

(19)

\(\:FP\) and \(\:TP\) represent the positive values of false and true.

Results and discussion

This section examines the ABOADL-IDS methodology’s recognition of intrusion results on dual databases: the NSLKDD2015 and CICIDS2015 datasets. Table 1 provides a comprehensive description of the NSLKDD2015 database.

Table 1 Details of the NSLKDD2015 dataset.

Figure 5 illustrates the classifier study of the ABOADL-IDS approach in the NSLKDD2015 database. Figure 5a and b establishes the confusion matrices obtainable by the ABOADL-IDS approach on 70% of TRAS:30% of TESS. The simulation value indicated that the ABOADL-IDS method has exactly predicted and classified all two classes. In the same way, Fig. 5c displays the PR study of the ABOADL-IDS technique. The outcome value specified that the ABOADL-IDS method could reach greater PR analysis on 2 class labels. Yet, Fig. 5d determines the ROC performance of the ABOADL-IDS technique. The outcome signified that the ABOADL-IDS model had caused the abilities of simulated results with developed values of ROC in 2 classes.

Fig. 5

NSLKDD2015 dataset (a, b) Confusion matrices, (c, d) PR and ROC curves.

The detection simulated result of the ABOADL-IDS approach on the NSLKDD 2015 dataset is revealed in Table 2; Fig. 6. The experimentation simulation displays that the ABOADL-IDS method accomplishes effective standard and anomaly classification. With a 70% TRAS, the ABOADL-IDS technique presents an average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and \(\:AU{C}_{score}\) of 99.28%, 99.25%, 99.28%, 99.27%, and 99.28%, respectively. Also, with a 30% TESS, the ABOADL-IDS technique presents an average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and \(\:AU{C}_{score}\) of 99.27%, 99.25%, 99.27%, 99.26%, and 99.27%, respectively.

Table 2 Detection outcome of ABOADL-IDS technique on NSLKDD2015 dataset.

Fig. 6

Average of ABOADL-IDS technique on the NSLKDD2015 dataset.

To assess the performance of the ABOADL-IDS approach on the NSLKDD2015 dataset, the curves of TRAS and TESS \(\:acc{u}_{y}\) are definite, as revealed in Fig. 7. The TES and TRA \(\:acc{u}_{y}\) curves display the performance of the ABOADL-IDS model over many epochs. The figure provides facts about the task of learning and generalized skills of the ABOADL-IDS method. With an increase in epoch counts, it is experimental that the TES and TRA \(\:acc{u}_{y}\) curves get enhanced. It is shown that the ABOADL-IDS techniques get higher TES accuracy, which makes them able to categorize the designs in both data sets.

Fig. 7

\(Accu_{y}\) curve of ABOADL-IDS technique on NSLKDD 015 dataset

Figure 8 establishes the ample TES and TRA loss values of the ABOADL-IDS method on the NSLKDD2015 dataset over epochs. The TRA loss shows that the model loss obtained decreased over epochs. Initially, the loss value acquired decreases as the model alters the weight to decline the error of prediction on the TES and TRA data. The loss curves exhibit the level where the method fits the TRA data. Both data losses are slowly condensed, which signifies that the ABOADL-IDS technique proficiently absorbs the patterns revealed in the TRA and TES data. It is also experimental that the ABOADL-IDS technique adapts the parameters to decline the modification amid the prediction and new TRA label.

Fig. 8

Loss curve of ABOADL-IDS technique on NSLKDD2015 dataset.

Table 3 exemplifies the detailed explanation of the CICIDS2015 database.

Table 3 Details of the CICIDS2015 dataset.

Figure 9 shows the classifier simulated analysis of the ABOADL-IDS methodology under the CICIDS2015 dataset. Figure 9a and b exemplifies the confusion matrices increased by the ABOADL-IDS methodology on 70% TRAS and 30% TESS. The simulation value indicated that the ABOADL-IDS model is well-known and that each 2-class label is classified precisely. Also, Fig. 9c determines the PR outcome of the ABOADL-IDS model. The result showed that the ABOADL-IDS model has better PR performance in 2 class labels. But, Fig. 9d describes the ROC study of the ABOADL-IDS technique. The experimental value described that the ABOADL-IDS technique generates excellent resultants with improved values of ROC in 2 classes.

Fig. 9

CICIDS2015 dataset (a, b) Confusion matrices, (c, d) PR and ROC curves.

The detection analysis of the ABOADL-IDS method on the CICIDS2015 dataset is exposed in Table 4; Fig. 10. The simulated result demonstrates that the ABOADL-IDS method gets effectual anomaly and normal classification. With a 70% TRAS, the ABOADL-IDS technique provides an average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and \(\:AU{C}_{score}\) of 98.84%, 98.85%, 98.84%, 98.85%, and 98.84% correspondingly. Also, with a 30% TESS, the ABOADL-IDS technique provides an average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and \(\:AU{C}_{score}\) of 98.77%, 98.77%, 98.77%, 98.76%, and 98.77% individually.

Table 4 Detection outcome of ABOADL-IDS technique on the CICIDS2015 dataset.

Fig. 10

Average of ABOADL-IDS technique on CICIDS2015 dataset.

To calculate the execution of the ABOADL-IDS model on the CICIDS2015 database, TES and TRA \(\:acc{u}_{y}\) curves are well-said, as exposed in Fig. 11. The TES and TRA \(\:acc{u}_{y}\) curves show the concert of the ABOADL-IDS approach over some epochs. The figure provides meaningful facts about the tasks of learning and generalizer capacities of the ABOADL-IDS approach. With a rise in epoch counts, it is experimental that the TES and TRA \(\:acc{u}_{y}\) curves become higher. The ABOADL-IDS approach is perceived to have enhanced TES accuracy in classifying the designs in both data.

Fig. 11

\(\:Acc{u}_{y}\) curve of ABOADL-IDS technique on CICIDS2015 dataset

Figure 12 shows the complete TRA and TES loss values of the ABOADL-IDS approach on the CICIDS2015 dataset over epochs. The TRA loss demonstrated the method loss is minimized over epochs. Notably, the loss values get condensed as the model alters the weight to reduce the analytical mistakes in the TES and TRA data. The loss curves determine the range where the model fits the TRA. It is seen that both data loss is slowly reduced and represents that the ABOADL-IDS model well acquires the designs revealed in the TES and TRA data. It is also evidenced that the ABOADL-IDS regulates the parameters for reducing the modification amongst the new and forecast TRA classes.

Fig. 12

Loss curve of ABOADL-IDS technique on CICIDS2015 dataset.

The comparative recognition outcomes of the ABOADL-IDS model with existing techniques are performed in Table 5; Fig. 13¹¹. The experimentation result indicates that the ForestPA, WI-SARD, and LIBSVM approaches have worse outcomes, but the AERF and G-SAE models have demonstrated better-increased performance. Concurrently, the XAIIDS-CPS and FU-RIA approaches have obtained considerable results. However, the ABOADL-IDS technique showed promising performance with maximum \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), and \(\:{F}_{score}\) of 99.28%, 99.25%, 99.28%, and 99.27%, respectively. Therefore, the ABOADL IDS technique is effective in achieving recognition results.

Table 5 Comparative analysis of ABOADL-IDS approach with existing models¹¹.

Fig. 13

Comparative outcome of ABOADL-IDS approach with existing models.

Conclusion

This paper presents automatic intrusion recognition using the ABOADL-IDS methodology in the CPS platform. The main intention of the ABOADL-IDS methodology is to utilize the FS with an optimal DL approach for the intrusion detection and identification procedure. It comprises data normalization, ABO-based FS, SDBN-based intrusion recognition, and SGO-based hyperparameter tuning. To select features, the ABOADL-IDS technique utilizes a new ABO approach for FS. Besides, the SDBN approach is used for intrusion detection and classification. To improve the solution of the SDBN model, the SGO method is implemented for the hyperparameter-selection process. The assessment of the ABOADL-IDS technique is accomplished under NSLKDD2015 and CICIDS2015 datasets. The performance validation of the ABOADL-IDS technique illustrated a superior accuracy value of 99.28% over existing models concerning various measures. The limitations of the ABOADL-IDS technique comprise the reliance on predefined datasets, which may not fully represent the diversity of real-world CPS environments and emerging cyber threats. Furthermore, the computational complexity of specific detection models can affect their real-time application, particularly in resource-constrained systems. The study also assumes a relatively static system setup, which may not be effective in highly dynamic or evolving environments. Moreover, the feature selection process may not capture all relevant patterns, resulting in suboptimal detection accuracy in some cases. Future work should concentrate on developing adaptive models that can continuously learn and update in real time, improving their capability to detect previously unseen attacks. Also, improving model efficiency to balance detection accuracy with computational feasibility will be significant for large-scale implementations. Lastly, integrating privacy-preserving techniques while maintaining high detection performance should be a key focus in future research.