Introduction

Smart cars are now a fundamental component of the intelligent traffic systems (ITS) concept, contributing significantly to increased road safety and improved driving experience. Road infrastructure for smart cities depends on information and communications technology, and smart cars are linked to roadside units (RSU) and other vehicles. RSU is used by ITS to improve driving performance and lower accidents1. Because of the way that wireless media is exposed, VANETs are susceptible to a variety of attacks2. Malicious nodes can be able to identify and indicate the messages intended to guide drivers. Another way that attackers might cause accidents is by spreading false information3. Intrusion detection systems are crucial for detecting malicious actions on these networks. They provide administrators and users with the means to identify security holes in computer networks. The anomaly-based detection method is one way to find intrusions; it works by simulating and analyzing patterns of behavior to find suspicious or malicious actions. In addition, hybrid-based detection systems integrate intrusion-based and signature-based detection methods4,5. In addition, IDS that use behavior or analyze detection only cover a subset of possible attacks. Instead, they zero in on patterns of behavior that are malicious or otherwise deviate from the norm and assess them accordingly6. Statistical analysis, artificial intelligence (AI), and machine learning (ML) techniques are used by these state-of-the-art systems to thoroughly examine massive datasets and network traffic to detect any discrepancies or anomalies7. Malware attacks on Internet of Things devices are common, thus we trained ML systems to detect and deal with these threats. Predictive analysis with machine learning can anticipate security weaknesses, such as insider threats that are hard to detect using normal procedures, by analyzing historical data and identifying trends prior to breaches8. However, traditional IDS face difficulties in the large data space, which leads to the use of ML for effective threat detection and categorization in the monitoring of developing threats. The necessity for strong technology and sophisticated AI-powered algorithms to process large amounts of data exacerbates these difficulties9,10.

By facilitating communication between automated vehicles and RSUs, VANETs are an essential component of ITS, which in turn improve road safety and driving efficiency. However, VANETs are especially vulnerable to a variety of security attacks that can drastically impair their performance because to their decentralized structure and inherent wireless architecture. Here a few basic methods to classify these risks:

  • An attacker can carry out a Sybil Attack by assuming several different identities in order to cause havoc with the network and its routing and coordination of vehicles.

  • The goal of a jamming attack is to cause communication delays or failures by overwhelming the network with noise or interference.

  • In a blackhole attack, malicious nodes take up data packets and then throw them out, causing routing systems to break down.

  • A wormhole attack is one in which an attacker compromises trust and disrupts routing by tunneling messages between various sections of the network.

  • The term “eavesdropping” refers to the illegal practice of listening in on private conversations that might reveal private information or patterns of driving behavior.

By incorporating ML methods like decision tree (DT), deep learning (DL), and reinforcement learning (RF), anomaly-based IDSs have taken the lead in IDS11. The vehicle network communication improves the reachability of sensitive data with varying vehicle densities12. Traditional methods like DT are unable to extract deep network information, even while ML increases the accurateness of identifying odd traffic. In recent era, DL has developed as a powerful technology that uses multilayer neural networks to extract crucial information and constantly improves the training data to find the network assaults13. Nevertheless, DL’s capacity to detect unidentified network threats is constrained and heavily reliant on data14. RF enables autonomous decision-making, real-time communication, and learning from environmental signals. Combining deep learning and RF results in a DRL technique that can improves the IDS capacity to detect network threats15.

A double-layer feedforward MLP in conjunction with supervised approach via offline RL was employed by Emmons et al.16,. Their technology, called RvS, demonstrated comparable performance when compared to sophisticated techniques like a transformer for sequence modeling. Dong et al.17suggested utilizing semi-supervised RL called DDQN (SSDDQN) as an optimization technique for anomaly traffic identification of network. They showed that SSDDQN could correctly detect unknown network threats by contrasting it with traditional ML techniques. Multi-agent outlines that use RL for feature selection have been proposed by Liu et al.18, and have demonstrated superior performance over conventional techniques. Furthermore, the Auto-ML framework, a multi-agent body-based recommendation system proposed by Wang et al.19,, adaptively chooses feature fields and integrates efficiency improvements. “Low velocity and overfitting issues in deep learning” are the basis for the suggested BSAR-AE model’s ability to adapt to new data. TSO fine-tunes the learning rate depending on the training progress to produce more rapid and stable convergence, which the model uses to minimize low learning velocity (i.e., sluggish convergence during training). To improve the model’s generalizability and decrease overfitting, dropout regularization is used to randomly disable neurons during training. By standardizing layer inputs, decreasing internal covariate changes, and facilitating the model’s convergence more effectively, batch normalization significantly stabilizes and accelerates up learning. The model’s durable anomaly detection performance under numerous conditions is enhanced through the use of these strategies, which further enhances its capacity to learn from high-dimensional VANET traffic data.

Through the resolution of intricate network problems and the selection of ideal features, these developments show how multi-agent reinforcement learning can enhance IDS, hence enhancing network security and operational efficacy. The research contributions are listed as follows:

  • A model called BSAR-AE for anomaly detection in VANETs, utilizing attention mechanisms and recurrent networks to capture temporal dependencies in traffic patterns for improved detection accuracy.

  • A hybrid intrusion detection system that combines rule-based and machine learning approaches for effective detection of both known and novel attacks through behavior analysis.

  • The false positives in IDS are reduced and detection accuracy is enhanced using Tuna Swarm Optimization.

This paper’s remaining sections are arranged as follows: Background information and a thorough analysis of relevant studies are included in Sect. 2. The study’s methodology and implementation specifics are covered in full in Sect. 3. The research outcomes and discussions are presented in Sect. 4. The paper is concluded, and future directions are suggested in Section.

Related works

To reduce the reliance of IDS on labeled data, Deng and colleagues20presented a label-constrained IoT intrusion detection technique using a flow topology with graph convolutional network (FT-GCN). They achieved enhanced results on three real-world datasets by taking advantage of the potential traffic topology with limited labels. To correlate alerts that belongs to the similar attack using GCN, Cheng et al.21, created Alert-GCN and the findings shown that Alert-GCN performed better in correlating alerts than conventional classification models. In order to overcome GNN’s susceptibility to unbalanced IDS datasets, Zhou et al.22, developed a novel hierarchical adversarial-attack (HAA) cohort technique and verified the model using the UNSW-SOSR2019 public dataset.

The author23 introduces a groundbreaking method that ranks vehicles’ neighbors for data broadcasting using a unique fuzzy method based on multicriteria decision-making (MCDM). A fuzzy MCDM-based re-broadcasting scheme (FMRBS) is proposed for VANETs in this work. Streamlining data distribution and performing away with broadcast storms are the goals of this approach. Using fuzzy logic, we select the most suitable vehicles for transporting data.

An important part of the effort to make blockchain-based IIoT effective is the Glowworm Swarm Optimization (GSO) algorithm. The GSO algorithm provides a novel way to combine these competing goals, taking inspiration from the cooperative creativity of glowworms in nature. In light of the competing goals of blockchain technology24, this paper suggests an innovative approach to optimize the performance of blockchain-based IIoT using the GSO algorithm. The suggested GSO-algorithm-based blockchain-based IIoT system adapts dynamically to network demands and efficiently manages interactions among nodes, overcoming the scalability issues commonly seen with blockchain technology. With the GSO algorithm, inefficiencies and bottlenecks are minimized through optimal resource allocation and decision-making.

To improve quality of service, Zeynivand et al.25, used a multi-agent learning approach after examining the primary factors influencing VANET network quality. The findings show that the suggested approach performs better than earlier approaches in terms of transaction success rate and packet delivery rate (PDR).

To solve the issue of intrusion detection in IoT, Almotairi et al.26, presents a heterogeneous ML-based attack classifier model for IoT data. This method analyzes and enhances key classification metrics for IoT data intrusion detection using ensemble modeling and feature selection. This approach is divided into two primary components: selecting features using the K-Best algorithm, which extracts the 15 significant features, and creating an ensemble model that combines multiple traditional ML models. Combining these components enhances classification performance by using the combined power of distinct models and feature-specific data. Utilizing the “Ton IoTdataset,” our studies compare the ensemble model to individual models. In order to improve critical classification metrics for IoT-IDS, this study focuses on accuracy, precision, recall, and F1 score.

Unsupervised learning algorithms don’t need labeled data or direct supervision to identify unusual activity in a network. These algorithms have the ability to spot departures from normal network behavior and notify managers when something unusual happens. An example of an unsupervised learning algorithm frequently used in intrusion detection is the K-means clustering technique. A new instance of network traffic that doesn’t fit into any of the pre-established clusters is detected by the k-means algorithm, which puts similar network traffic patterns together and sounds an alarm when it occurs (Gyamfi & Jurcut27).,. In contrast, deep learning-based tech niques for detecting network intrusions employ neu ral networks to evaluate network traffic patterns. These networks are able to recognize patterns in the data and understand intricate relationships that human analysts might not notice right away (Ullah & Mahmoud28). Using ensemble-based techniques, which combine several ML algorithms into a single detection procedure, can greatly increase the accuracy of intrusion detection (Le Jeune et al.29,). Before a final choice is made, the results of these algorithms are averaged. The RF algorithm is a widely used technique for ensemble-based intrusion detection that combines the output of many decision trees (DTs). When compared to employing a single algorithm, the use of ensemble-based intrusion detection techniques has shown a significant improvement in IDS accuracy (Khraisat et al.30,).

Bouneb31., adds to the conversation around hybrid IDSs. Their study creates and defines groups in IoT systems, enabling processes to belong to several groups at once. This creative method fits nicely with the hybrid technique that combines rule-based systems and other ML algorithms for efficient intrusion detection. In addition to providing a theoretical framework, the paper highlights the algorithm’s versatility in real-world situations by showing how it may be used practically in an Internet of Things-based intersection traffic light control system. In order to precisely identify cyberattacks and anomalies in resource-constrained IoT networks, a lightweight intrusion detection framework employing ML approaches was suggested in a paper by Roy et al.32,. The model effectively finds important characteristics for intrusion detection by using various optimization strategies, such as multicollinearity elimination, sampling, and dimensionality reduction, which lessens the requirement for a large volume of training data and effort. The success of the suggested strategy was shown by extensive testing on the CICIDS2017 and NSL-KDD datasets, where the model maintained a low false alarm rate while obtaining a noteworthy degree of detection accuracy. Then the summary of literature survey is described in Table 1.

Table 1 Literature survey summary.
Full size table

Although the existing methodologies effectively analyze the anomalies in VANET, the machine learning techniques face difficulties while exploring the complex patterns. The intricate patterns improve the overall false positive rate which leads to minimizing the anomaly detection efficiency. The research difficulties are addressed with the help of BSAR-AE optimized withTSO in VANET. The optimized feature selection and classification process maximizes the anomaly detection rate up to 98.7%.

For VANET intrusion detection, the Bi-directional BSAR-AE model was selected because it outperformed traditional Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN) models in handling the temporal dependencies that are essential to vehicular network traffic. To improve anomaly detection while decreasing computing cost, BSAR-AE contains a sparse attention mechanism, which is different from typical models. This mechanism selectively concentrates on key traffic aspects. The structure, which is based on autoencoders, efficiently compresses data with a high dimensionality, which helps reduce noise and improves feature extraction—both of which are essential in the ever-changing environments of VANETs. By using TSO, hyperparameters are fine-tuned even further to enhance detection accuracy and decrease false positives, resulting in BSAR-AE being an efficient and strong solution for VANET security.

Proposed architecture

The study procedure starts with the careful collection of data from the CICIDS2018 dataset, which is then preprocessed to make it appropriate for the classifiers. Addressing missing values and transforming categorical variables into numerical equivalents are two aspects of this preprocessing. After that, the dataset is split as testing and training sets. The MDNN classifier is trained using the training set as the arena. In the meantime, classifier performance is measured using the testing set as the testing ground. As shown in Fig. 1, metrics including accuracy, precision and F1-score are used to examine their effectiveness and determine which classifier is the most effective for further study. This section discusses the methodologies used for this study to detect the attacks in VANET.

Fig. 1
figure 1

Overview of proposed VANET IDS architecture.

Full size image

Data set

A collection of data Brute-force, Heartbleed, a DoS, DDoS, Botnet, web assaults, and network penetration from within are among the seven attack scenarios included in the newly created intrusion detection dataset CICIDS2018. This dataset includes 420 victim PCs, 30 servers spread across five departments, and 50 attacker machines. This comprises 80 characteristics that were retrieved through network traffic that was recorded by CICFlowMeter-V3, as well as system logs and network traffic from each computer.

Preprocessing

Initially, the input dataset considered is preprocessed on employing preprocessing stages34. Through providing suitable data for the suggested optimization-based feature selection scheme, this is probable for attaining an optimal range of features with enhanced performance. Therefore, preprocessing is employed by the following steps as shown:

  1. (i)

    Label removal: Each feature of considered dataset comprises of labels. There is a need to remove these labels to adopt dataset with the presented feature selection and classifier technique.

  2. (ii)

    Removal of features: A dataset taken comprises 15 features. Among these, about 50 are attacker machines,

  3. (iii)

    Removal of features: The considered dataset consists of 15 features. Among these, the unwanted or undesired labels need to be deleted as it is the major intention of this step by performing feature reduction.

  4. (iv)

    Label encoding: In the considered dataset, some labels such as service type and protocol state are given as string values. Therefore, this is significant for having these encoded values as numerical values.

  5. (v)

    Data Binarization: The dataset’s numerical data are given in desired range. In the training stage, these data are offered to classifiers which have huge range of challenges for compensating such alterations.

Thus, each feature must be standardized. For this purpose, the least value in each one feature should be 0. However, maximum value should be 1. It makes classifier a homogeneous one highly. it too preserves variation between value of feature. After completing preprocessing step by means of eradicating irrelevant data, normalization is carried by following above steps, after which the preprocessed data is given as an input to feature selection module.

Feature selection using DNN

For feature selection, DNN module35 is employed. To develop the matrix representation of network and for simplifying the feature extraction process, connectivity matrix of about \(\:264\times\:264\) will be defined for each network. Every row and column of the connectivity matrix represents the network node, and every element matrix denotes the edge weights. As represented in the traditional work, varied threshold values are given as T > 0 for the connectivity matrix, \(\:\varvec{A}={\left({\varvec{a}}_{\varvec{i},\varvec{j}}\right)}_{\varvec{n}\times\:\varvec{n}}\) and is denoted as in Eq. (1)

$$a_{i,j} = \begin{cases} 1 & \text{if } \text{cm}_{i,j} \geq T \\-1 & \text{if } \text{cm}_{i,j} \leq -T \\0 & \text{if } i = j \\0 & \text{otherwise}\end{cases}$$
(1)

Then, the Laplacian matrix is estimated for the undirected graph \(\:\varvec{G}=(\varvec{V},\:\varvec{E})\) from the adjacency matrix as shown in Eq. (2)

$$\:L\left(G\right)=D\left(G\right)-A\left(G\right)$$
(2)

In this, A(G) denotes the adjacency matrix and D(G) represents the degree matrix, \(\:\varvec{D}={\left({\varvec{d}}_{\varvec{i},\varvec{j}}\right)}_{\varvec{n}\times\:\varvec{n}}\) which is estimated in Eq. (3)

$$d_{i,j} = \begin{cases} \sum_{k=1}^{n} a_{i,k} & \text{if } i = j \\0 & \text{otherwise}\end{cases}$$
(3)

Consequently, the difference among the adjacency matrix the degree matrix is represented by the Laplacian matrix. The Laplacian matrix, the spectrum, clustering factor, assortative, or average degree are used to pick features as the matrix representation is being generated. The set of this matrix’s eigenvalues is the spectrum matrix. A matrix’s M spectrum \(\:\lambda\:\) might be attained by solving the characteristic expression as shown in Eq. (4)

$$\:P\left(\lambda\:\right)=detdet\:\left(M-\lambda\:I\right)\:=0$$
(4)

Here, I signify identity matrix that equals size M. A spectrum might be computed for Laplacian matrix. Rather than spectrum, topological centralities such as clustering coefficient, average degree, and assortative are likewise estimated. To measure the assortative, and clustering coefficient, A might be transformed to \(\underline{A} = \big(\underline{a}_{i,j}\big)_{n \times n}\) as represented in Eq. (5)

$$\underline{a}_{i,j} = \begin{cases} 1 & \text{if } \underline{a}_{i,j} > 0 \\0 & \text{otherwise}\end{cases}$$
(5)

An assortative might then be computed and clustering coefficient is computed initially on measuring the triangles number for each node signified by \(\:{\beta\:}_{\varvec{G}}\) as given in Eq. (6)

$$\:{\beta\:}_{G}=diag(\underline{A}\times\:U(\underline{A})\times\:\underline{A})$$
(6)

In this case, diag is the function that yields the matrix’s diagonal members and \(\:\varvec{U}\left(\underline{\varvec{A}}\right)\) signifies upper triangular matrix of \(\:\underline{\varvec{A}}\). After that, the clustering coefficient C is signified in Eq. (7)

$$\:\:C=\frac{1}{f}\left(\sum\:_{i\in\:V}2\times\:\left(\frac{{\beta\:}_{G}\left(i\right)}{{d}_{i}\times\:({d}_{i}-1)}\right)\right)$$
(7)

In this, for the network G=(V, E), f signifies total number of nodes in network, and \(\:{\varvec{d}}_{\varvec{i}}\) denotes node degree i. The network’s average degree denoted as Q is evaluated directly from adjacency matrix \(\:\varvec{A}={\left({\varvec{a}}_{\varvec{i},\varvec{j}}\right)}_{\varvec{n}\times\:\varvec{n}}\) in Eq. (8)

$$\:Q=\frac{2}{f}\times\:{\sum\:}_{i=1}^{f}{\sum\:}_{j=1}^{f}{a}_{i,j}$$
(8)

Here, for the network, \(\:\varvec{G}=(\varvec{V},\varvec{E})\) signifies total number of nodes in network. Thus, from this selection of features is carried and classifier module is described in subsequent section.

Anomaly detection using optimal BSAR-AE

For the detection of anomaly and classification purposes, BSAR-AE model is employed. The typical idea behind this scheme is to add structure of cell state, Input, forget and output gates36. A tangible estimation of this process and the gate model’s working belief are given as shown in Eqs. (9) and (10).

(a) Input gate: Initially, the cell state assessment is given as \(\:{\stackrel{\sim}{C}}_{t}\) which is to be inputted as per the input dataset \(\:\left[{h}_{t-1},{x}_{t}\right]\) & likewise, it assesses a vector for controlling the way the data must be recorded to cell state \(\:{\stackrel{\sim}{C}}_{t}\).

$$\:{\stackrel{\sim}{C}}_{t}=tanh\left({W}_{C}.\left[{h}_{t-1},{X}_{t}\right]+{b}_{C}\right)$$
(9)
$$\:{i}_{t}=\sigma\:\left({W}_{i}.\left[{h}_{t-1},{X}_{t}\right]+{b}_{i}\right)$$
(10)

In this, \(\:{\stackrel{\sim}{C}}_{t}\), \(\:{W}_{C}\) & \(\:{b}_{C}\) label the cell state value that needs to be stored from novel inputs, cell state upgrading weight, and cell state bias value likewise. The resultant vector, bias value, and weight matrix are too implied as \(\:{i}_{t}\), W, & \(\:{b}_{i}\).

(b) Forget gate: LSTM network links hidden state \(\:{h}_{t-1}\) \(\:hidden\:state\) with that of input \(\:{x}_{t}\) to \(\:\left[{h}_{t-1},{x}_{t}\right]\). A \(\:{vector\:f}_{t}\) is calculated thereby by describing in what way it is needed to forget from cell state \(\:{C}_{t-1}\) in time t-1.

$$\:{f}_{t}=\sigma\:\left({W}_{f}.\left[{h}_{t-1},{x}_{t}\right]+{b}_{f}\right)$$
(11)

In Eq. (11), \(\:\sigma\:\) denotes the sigmoidal function, vector of weighted gate is signified as “\(\:forget\:gate\)” & forget gate’s offset value is given as \(\:{b}_{f}\). This technique is a typical framework given in Fig. 2.

Fig. 2
figure 2

Framework of Bi-directional sparse attention-recurrent auto encoder model.

Full size image

(c) Cell status: The cell state updation is signified as t-1. Then, the outcomes attained from forget gate \(\:{f}_{t}\), dataset \(\:{C}_{t-1}\) which is elapsed are dissimilar. Earlier, \(\:cell\:state\) \(\:{\stackrel{\sim}{C}}_{t}\) will be accessible by a dataset in time t. From the computation of input gate, it is clear to regulate the way in which the data enters and updating function of cell state \(\:{\stackrel{\sim}{C}}_{t}\:in\:time\:t\) might be signified in Eq. (12).

$$\:{C}_{t}={f}_{t}\times\:{C}_{t-1}+{i}_{t}\times\:{\stackrel{\sim}{C}}_{t}$$
(12)

(d) Output gate: An output \(\:{o}_{t}\) of BSAR-AE is intended using “output gate”. Before, cell state \(\:{C}_{t}\) at time t means \(\:the\:amount\:of\:data\:that\:\) are eventually transferred & consequence \(\:of\) previous \(\:output\:are\) \(\:{h}_{t}\).

$$\:{O}_{t}=\sigma\:\left({W}_{o}.\left[{H}_{t-1},{X}_{t}\right]+{b}_{o}\right)$$
(13)
$$\:{H}_{t}={O}_{t}\times\:tanhtanh\:\left({C}_{t}\right)\:$$
(14)

In Eqs. (13) and (14) in output gate, weight vector, output vector, & offset values are indicated as Wo, 0t, and bo, correspondingly. A resultant BSAR-AE standard at time t is revealed by ht.

A BSAR-AE classifier projected is type of unsupervised scheme which comprises of decoding and encoding process. Specifically, it is exploited to detect anomalies. The encoding process in this acquires their inherent feature vectors from raw input X from encoder will be denoted using \(\:f\left(X\right)\). A method \(\:of\:learning\) is recognized as the one which shrinks the \(\:cost\:function\) for ensuring the least error between \(\:raw\:inputs\) & reconstruction datasets:

$$\:min\left\{L(X,\:g\left(f\left(X\right)\right))\right\}$$
(15)

In Eq. (15) X denotes input vector, f signifies encoding process, and g signifies decoding model, L signifies cost function. It is made for enhancing classifier outcomes. By this, the best fitness function value is attained which enhanced detection model performance, Therefore, this model detects anomalies efficiently. The anomaly detection algorithm 1 steps are illustrated as follows. Here, the fitness function is attained by means of employing optimization process.

figure a

Algorithm 1: Anomaly detection

Bio-inspired tuna swarm optimization

To enhance the performance of classifier, optimization process is carried by means of employing Bio-inspired tuna swarm optimization scheme. An optimal prediction thus enhances classifier performance. The details and functional behaviour of this optimization model is given as follows and the flow is shown in Fig. 3.

Fig. 3
figure 3

Flow of Tuna swarm Optimization.

Full size image
  1. (a)

    Inspiration: Tuna, named scientifically as tuning, is signified as marine carnivorous fish. Fishtail, a unique and effective swimming strategy, allows tunas to swim continuously while maintaining a rigid body and swiftly swing their long, thin tail. As a result, tuna can serve as a model for the predatory process. To improve detection accuracy and decrease overfitting, the TSO is used to modify a few vital hyperparameters of the BSAR-AE model. The learning rate impacts the stability and speed of convergence; the dropout rate prevents overfitting by randomly deactivating neurons; the batch size determines the frequency of parameter updates; and the number of layers and neurons per layer determine the depth and complexity of the network. To further improve the gathering of temporal relationships in VANET traffic data, TSO optimizes the number of hidden units in the recurrent layers. The model’s performance is enhanced by dynamic hyperparameter tweaking, which guarantee resilience, decrease false positives, and efficiently detect anomalies under different VANET traffic conditions.

  2. (b)

    Initially, foraging behaviour takes place which are spiral. Here, after nursing, tuna may swim in a spiral pattern to obtain their food in shallow water that is easily assaulted. Parabolic foraging is the next strategy. In this case, the equivalent tuna swims after the earlier entity, enclosing its prey in a parabola shape. These two tactics will help tuna forage effectively. Depending on the behaviour modelling that is natural foraging, this model is presented. The mathematical expression is given as follows:

(b) Initialization: Like other swarm dependent meta-heuristic model, this one initially performs optimization thus generating initial population uniformly in a random manner in the search space.

$$\:{X}_{i}^{in}=rand.\left(ub-lb\right)+lb,\:\:\:\:\:\:\:\:i=\text{1,2},\dots\:,NP$$
(16)

In Eq. (16), \(\:{X}_{i}^{in}\) denotes lower and upper bounds of the search space are represented by the first ith individual, lb and ub. The rand is a randomly distributed vector with a uniform distribution between 0 and 1, and NP is the number of tunas in the population.

(c) Foraging spirally: When herring, sardines, and other schooling fish meet hunters, the school of fish creates a solid formation that continuously changes its swimming direction, which makes it harder for predators to look at the victim. Currently, tuna group chases prey thereby forming tight spiral one. Based on this, the mathematical expression is given in Equations (17) to (21)

$$X_i^{(t+1)} = \begin{cases}\alpha_1 \cdot \left(X_{\text{best}}^{t} + \beta \cdot \left| X_{\text{best}}^{t} - X_i^{t} \right|\right) + \alpha_2 \cdot X_i^t, & \text{if } i = 1 \\\alpha_1 \cdot \left(X_{\text{best}}^{t} + \beta \cdot \left| X_{\text{best}}^{t} - X_i^{t} \right|\right) + \alpha_2 \cdot X_{i-1}^t, & \text{if } i = 2, 3, \dots, N_p\end{cases}$$
(17)
$$\:{\alpha\:}_{1}=b+\left(1-b\right).\frac{t}{{t}_{max}}$$
(18)
$$\:{\alpha\:}_{2}=\left(1-b\right)-\left(1-b\right).\frac{t}{{t}_{max}}$$
(19)
$$\:\beta\:={e}^{cl}.cos\left(2\pi\:c\right)$$
(20)
$$\:l={e}^{3cos\left(\left(\left({t}_{max}+\frac{1}{t}\right)-1\right)\pi\:\right)}$$
(21)

In this, \(\:{X}_{i}^{t+1}\) signifies t + 1 iteration of ith individual, \(\:{X}_{best}^{t}\) indicates the current optimal individual (food), \(\:{\alpha\:}_{1}\) & \(\:{\alpha\:}_{2}\) are the weight coefficients which controls individual propensities for stirring to the individual that are previous & the individual that are optimal. A denotes a constant and is used to determine extent of tuna which follows optimal and previous individual in initial phase, t signifies present iteration number, \(\:{t}_{max}\) is maximum iteration, c will be the random number which is uniformly distributed in range 0 & 1.

figure b

Algorithm 2: DNN-BSAR-AE Model

The Algorithm 2 for the proposed DNN-BSAR-AE model integrates DNN with recurrent autoencoders and tuna swarm optimization for network traffic anomaly detection. Initially the model preprocesses the data, detects anomalies using optimized model parameters based on hidden state \(\:{h}_{t}\) updates and loss calculations. This optimization explores and exploits the search space through spiral and parabolic foraging strategies \(\:\left({X}_{rand}^{t}+\beta\:.\left|{X}_{rand}^{t}-{X}_{i}^{t}\right|\right)\). The model analyzes and identify anomalies by adapting to the dynamic traffic patterns.

Once the whole tuna forages spirally round the food, they have the improved capability of search space exploitation. Therefore, arbitrary generation coordinates in a search space and is regarded as reference point intended for spiral search. It eases every individual to search wide space thus making this model good in having exploration ability. The mathematical expression is given in Eq. (22).

$$X_i^{(t+1)} = \begin{cases}\alpha_1 \cdot \left(X_{\text{rand}}^t + \beta \cdot \left|X_{\text{rand}}^t - X_i^t\right|\right) + \alpha_2 \cdot X_i^t, & \text{if } i = 1 \\\alpha_1 \cdot \left(X_{\text{rand}}^t + \beta \cdot \left|X_{\text{rand}}^t - X_i^t\right|\right) + \alpha_2 \cdot X_{i-1}^t, & \text{if } i = 2, 3, \dots, N_p\end{cases}$$
(22)

In this, \(\:{X}_{rand}^{t}\) signifies reference points randomly generated in search space. The algorithm is usually metaheuristic, which may carry out a lot of global exploration in the beginning before progressively moving on to a stage of precise local exploitation. When a result, when the number of iterations increases, this model changes the spiral foraging reference point from random individuals to ideal individuals. A concluding mathematical expression of foraging model is given in Eq. (23).

$$X_i^{(t+1)} =\begin{cases}\alpha_1 \cdot \left(X_{\text{rand}}^t + \beta \cdot \left| X_{\text{rand}}^t - X_i^t \right|\right) + \alpha_2 \cdot X_i^t, & \text{if } \text{rand} < \frac{t}{t_{\text{max}}},\ i = 1 \\\alpha_1 \cdot \left(X_{\text{rand}}^t + \beta \cdot \left| X_{\text{rand}}^t - X_i^t \right|\right) + \alpha_2 \cdot X_{i-1}^t, & \text{if } \text{rand} < \frac{t}{t_{\text{max}}},\ i = 2,3,\dots,N_p \\\alpha_1 \cdot \left(X_{\text{best}}^t + \beta \cdot \left| X_{\text{best}}^t - X_i^t \right|\right) + \alpha_2 \cdot X_i^t, & \text{if } \text{rand} \geq \frac{t}{t_{\text{max}}},\ i = 1 \\\alpha_1 \cdot \left(X_{\text{best}}^t + \beta \cdot \left| X_{\text{best}}^t - X_i^t \right|\right) + \alpha_2 \cdot X_{i-1}^t, & \text{if } \text{rand} \geq \frac{t}{t_{\text{max}}},\ i = 2,3,\dots,N_p\end{cases}$$
(23)

(d) Parabolic-Foraging:

In addition to the spiral shape, tunas also establish a parabolic collaborative feeding pattern. Tuna creates a parabolic shape when food is used as a reference point. Similarly, tuna searches among them for nourishment. Under the assumption of probability selection, it is carried out concurrently for both. This mathematical expression can be found in Eqs. (24) and (25).

$$X_i^{t+1} = \begin{cases}X_{\text{best}}^t + \text{rand} \cdot (X_{\text{best}}^t - X_i^t) + TF \cdot p^2 \cdot (X_{\text{best}}^t - X_i^t) & \text{if } \text{rand} < 0.5 \\TF \cdot p^2 \cdot X_i^t & \text{if } \text{rand} \geq 0.5\end{cases}$$
(24)
$$\:\:p={\left(1-\frac{t}{{t}_{max}}\right)}^{(t/{t}_{max})}$$
(25)

In Eq. (25), TF stands for a random number either 1 or −1. The tuna hunt recognizes prey by cooperating over two foraging strategies. The population in the search space is then created at random. One of these two approaches—foraging to perform regenerating the space of search position at which the value of z will be engaged in the experimental simulation setup of parameters—is chosen for each iteration. The optimal health value is ultimately reached after the complete optimization model’s individuals are updated and evaluated continually while the condition is satisfied.

Experimental results and discussions

The experimental hardware and environmental setups are described under “Hardware & Environment setting” The CSE-CIC-IDS2018 dataset was used in this investigation. They are employed to assess the performance of the model. The Evaluation Metrics section discusses standard performance metrics for IDS, including accuracy, the F1 score, and ROC curve. The burning experiment results are shown first in the “Results” section, which is followed by an evaluation of the MAFS the model’s overall efficacy, which includes the ROC curve and confusion matrix. Lastly, we contrast our model with various traditional machine learning techniques.

Simulation setup

The setting for these experiments was created to test the efficiency of the BSAR-AE based IDS model in VANET. The tests were performed with the use of Windows 11 and AMD Ryzen 7–5800 H processor, 32 GB RAM and NVIDIA RTX 3600 GPU which resulted in having sufficient computing power. Using Python 3.8 and VSCode, Tensorflow was utilized for model building, alongside Matplotlib, Numpy, Pandas and Scikit-Learn, which were used for data processing and visualization.

The CICIDS2017 dataset was modified for this study to accommodate the specific features of VANETs, such as their dynamic topologies, node mobility, and different message types. The original dataset was created for more conventional network intrusion detection. A number of preprocessing and feature engineering processes have been carried out to make it more relevant. The first step was the elimination of any redundant characteristics, such as those associated with static networking settings. Then, in order to represent the ever-changing communication patterns of vehicles, VANET-specific features were given precedence. These features include packet inter-arrival time (IAT), packet forwarding rate, and header length. It is essential to apply data normalization to scale characteristics to a consistent range in order to handle traffic variances in VANETs. Categorical information, such as protocol status, has been preserved as numerical values. The dataset is better prepared for testing the suggested intrusion detection system in actual vehicular network conditions after these preparation processes, which improved its temporal and geographical characterization of VANET traffic.

Evaluation metrics

Precisely detecting attack traffic is given precedence over correctly classifying regular traffic by IDSs. In addition to accuracy, a model’s performance is assessed using a few metrics, including F1-score, precision, recall, and ROC.

The evaluating measures F1-score, accuracy, recollection, and ROC are calculated using a confusion matrix. We can view the model’s performance as a grid thanks to the confusion matrix. Attack traffic was correctly predicted, as indicated by the number of true positives, or TP. The number of true negatives is reflected in TN, suggesting that regular traffic was correctly predicted. FP stands for false positives, or the quantity of legitimate traffic that is mistakenly classified as attack traffic. The number of FN or attack traffic that is mistakenly categorized as regular traffic is reflected in FN. FN is the most relevant of indicators since a low number means that the IDS is less likely to mistakenly identify attack traffic. Thus, lowering the FN value is our approach.

The model’s accuracy is expressed as the proportion of accurate forecasts to all predictions. according to Eq. (26).

$$\:Accuracy=\frac{Tp+Tn}{Tp+Tn+Fp+Fn}\:$$
(26)

Precision is a statistically defined parameter that quantifies the proportion of attack traffic that is accurately identified as such. according to Eq. (27).

$$\:Precision=\frac{Tp}{Tp+Fp}$$
(27)

Model accuracy and sensitivity are combined to provide F1-Scores, which are a reconciled average of the two metrics. Our study focuses on the metric that stronger F1-Scores in an unbalanced dataset suggest fewer misclassified flows. according to Eq. (28).

$$\:F1 score=\frac{Tp}{Tp+0.5(Fp+Fn)}$$
(28)

A set of continuous specific and response sensitivity variables, the receiving operating features curve (ROC) may illustrate the link among specificity and sensitivity; the maximum the curve area, the better the model works. based on Eq. (29).

$$\:AuC\_RoC={\int\:}_{0}^{1}\frac{Tp}{Tp+Fn}d\frac{Fp}{Tn+Fp}$$
(29)

Analysis

For the considered dataset, Fig. 4 shows how the benign classes are sampled to balance the dataset. Initially, the proposed model is experimented with ablation study to assess the performance of the model by comparing it with the prevalent ML approaches based on the evaluation metrics such as accuracy, F1 score and precision. The performance of the proposed BSAR-AE model based on confusion matrices, RoC curves on the considered datasets are discussed. Finally, the comparison among the proposed and conventional ML approaches in the literature is discussed.

Fig. 4
figure 4

Intrusion Categories Frequencies.

Full size image

Ablation study

It is the study of experimenting with the importance of the preprocessing and feature selection approaches before implementing with attack detection model. This experiment shows the importance of feature selection by choosing the most relevant inputs to the classifier for better detection rate. The considered DNN based feature selection is compared with three baseline models such as Decision Tree (DT), Deep Q Network (DQN) and Recursive Feature Elimination (RFE). The purpose of these ablation experiments was to determine how each component of the suggested model contributed to the intrusion detection performance. Table 2 displays the outcomes of the experiment. We found that DNN performed better than the DT model on considered dataset when we compared the test results of DT, DQN, RFE, and DNN. This implies that DNN outperforms conventional machine learning techniques in precisely detecting network traffic.

Table 2 Experimental analysis of considered methods based on accuracy and F1 score on CICIDS2018 dataset.
Full size table

Based on the ablation study, it has been proven that the feature selection process improves the overall system performance. According to DNN, the selected features are listed in Table 3. The suggested model selects 15 features for giving as input to the attack detection system. Notably, the suggested model efficiently reduces 82% of employed features in contrast to the real set of features.

Table 3 Features ranking using DNN on CICIDS2018 dataset.
Full size table

Performance analysis of proposed IDS system

The BSAR-AE-TS model’s performance evaluation on the CSECIC-IDS2018 is shown in Fig. 5. When compared to the DQN, RFE model on the CIC-IDS2018 dataset, the model produced an increased Accuracy 0.981 with F1-Score 0.972, with the F1-Score showing a significant improvement. This demonstrates how well the DNN FS model works when applied to imbalanced datasets. These outcomes highlight how effective the suggested model is at intrusion detection tasks.

Fig. 5
figure 5

Performance of proposed model.

Full size image

Figure 6 illustrates the confusion matrices of the proposed model for multi-class and binary classification which is used to evaluate the performance of the proposed system.

Fig. 6
figure 6

Confusion matrix for multi-class classification for proposed model.

Full size image
Fig. 7
figure 7

Confusion matrix for Binary-class classification.

Full size image

On the CIC-IDS2018 dataset, Fig. 7 demonstrates that the method can correctly find the Normal, DoS/DDoS, Bot, and Brute Force categories. Because there aren’t enough training examples for the Web and Infiltration categories, it is less effective for them and usually incorrectly classifies the latter as the Normal category. The model’s confusion matrix for binary classification on the CIC-IDS2018 dataset is shown in Fig. 6, where the Normal detection accuracy is one and the Attack category’s accuracy is 0.98.

To assess the accuracy of the model’s predictions, they displayed the dichotomous ROC lines in Fig. 8 and calculated the AUC area of each curve using the dataset and every one of the four models such as DT, DQN, RFE, MAFS33, and DNN FS. The AUC regions of the DT and DQN models without FS approaches are only 0.951 and 0.961, respectively, whereas the AUC regions of the DQN, RFE, and proposed systems that employ feature selection techniques are larger. The models show remarkable detection capabilities, and the ROC curves show how well different models recognize on this dataset.

Fig. 8
figure 8

RoC Comparison.

Full size image

Comparative study

The performance of the BSAR-AE model is contrasted in this section with that of many machine learning models that were applied to the CIC-IDS2018 dataset, including MLP, CNN, Logistic Regression, DDQN, DQN, the RFE, SVM ML models, and MAFIDS33. To assess the performance of our proposed model with other traditional ML techniques based on evaluation metrics and test cost of time (ms) to find a single data point for every model in Table 4.

Table 4 Comparative analysis of detection methods.
Full size table

The recommended model performs optimally in Accuracy and F1-Score, as indicated in Table 4, with the values of 0.981 and 0.972, respectively. By contrast, our recommended model outperforms the XGBoost method, a new ML model introduced in recent years, by 2.3% and 3.1%, respectively. Test time was greatly decreased, and the F1-Score improved by 2.4% when compared to the DQN model. So, consider both the accuracy of the predictions of each model and the test time for recognizing a single piece of data, as denoted in Table 4. It has been demonstrated that models with minimum run times typically perform poorly in terms of prediction, while models with maximum run times perform noticeably better. The DDQN model took the longest (141 ms), two orders of magnitude more than NB. This suggests that runtime and prediction performance have a positive relationship. The suggested model uses an FS technique to reduce redundant features, which lowers the testing time into 28.91 ms for single data.

Traffic Attack Scenario Performance Comparison.

Specifically, the research evaluates the proposed DNN-BSAR-AE, ICVAE-BSM, DKNN, and MP-CVAE machine learning models’ abilities to identify anomalies in traffic (Fig. 9). Regardless of the traffic situation, the proposed DNN-BSAR-AE model always performs the best, with the best lowest FPR and improved detection rate on varying traffic behavior low, medium, high, and peak traffic scenarios.

$$\:{FPR}_{DNN-BSAR-AE}=\frac{FP}{FP+TN}$$
(30)
$$\:{DR}_{DNN-BSAR-AE}=\frac{TP}{TP+FN}$$
(31)
Fig. 9
figure 9

Traffic attack condition analysis (a) FPR analysis (b) Detection Rate Analysis.

Full size image

Wherein Eqs. (30) and (31) represent the parameter \(\:FP\) idnciates the normal traffic periods incorrectly identified as anomalies and \(\:TN\) defines the no. of correctly predicted normal traffic periods during the attack scenario. Then the \(\:TP\) indicates the no. of traffic anomalies correctly identified, and \(\:FN\) is the no. of missed traffic anomalies. Based on these results, it seems like a good option for detecting anomalies in traffic data in real time, which could improve traffic monitoring systems by reducing the number of false alarms and increasing the accuracy of detections.

Table 5 Comparison of state of the Art approaches on CICIDS2018 dataset.
Full size table

Using the CSE-CIC-IDS2018 dataset(https://www.unb.ca/cic/datasets/ids-2018.html), we also conducted a comparative study with proposed model’s AUC and F1-Score versus other current methodologies, as shown in Table 5. The findings show that our model performs better than alternative approaches, with higher AUC and F1-Score values. Conventional ML methods, such as Random Forest and Decision Tree, show greater F1-Scores but comparatively lower AUC values. On the other hand, cutting-edge research methodologies like ID-RDRL, which identify network attacks using deep reinforcement learning techniques, produce slightly lower F1 scores but higher AUC values. These results indicate that our model performs exceptionally well in managing the difficulties presented by unbalanced datasets, rendering it a more potent intrusion detection solution. The attack analysis consists of preprocessing attack datasets, extracting relevant features, and applying the BSAR-AE for anomaly detection in network traffic. The TSO assists in feature selection, improving detection accuracy and efficiency while lowering optimization costs. The performance of the IDS framework is analyzed under different network conditions to evaluate its effectiveness against realistic VANET threats. Detailed assessments are performed on the labelled and unlabeled attack datasets, revealing the model’s strength and areas where improvement is needed. The outcome is assessed with benchmarked IDS approaches to prove the effectiveness of BSAR-AE against more complicated cyber-attacks. This step refines the system for operational VANET security and improves its protection from sophisticated intrusions.

Evaluating precision, recall, F1-score, false positive rate (FPR), and false negative rate (FNR) is a better way to evaluate the effectiveness of the proposed IDS system than only reporting an accuracy of 98.7%. Both recall and precision shed light on the model’s ability to differentiate between benign and malicious communication, which is particularly beneficial when dealing with class imbalance. A comprehensive assessment that takes into consideration both true positives and false negatives is given by the F1-score, which is a harmonic mean of recall and accuracy. Furthermore, FPR and FNR serve as key metrics for intrusion detection systems; a low FNR shows that real attacks are effectively detected, while a low FPR shows that there are fewer false alarms. By including these indicators, we can gain a more comprehensive image of the model’s strengths and mistakes. This will enhance the review process and allow for more accurate comparisons with other IDS techniques.

Both the accuracy (98.7%) and the F1-score (97.2%), which measure detection capabilities, are greatest for the proposed BSAR-AE-based IDS. Meeting the low-latency needs of VANET settings, the enhanced feature selection and sparse attention technique decrease inference time to 28.91 milliseconds. The suggested method strikes a good mix of computational efficiency, scalability, and detection performance, as opposed to blockchain-based IDS or federated learning-based IDS, which both have the potential drawbacks of significant consensus overhead or complicated coordination, respectively. The suggested system’s practical benefits for real-time VANET intrusion detection are shown by this comparison.

Numerous improvements make the proposed BSAR-AE-based IDS real-time practical in VANET systems for low-latency and fast decision-making. The model uses sparse attention to focus on essential traits to reduce inference delays and computations. The TSO adjusts learning rate and batch size to improve training and inference. To assist real-time applications, we measure the BSAR-AE model’s computational cost and inference time per sample. Preliminary testing shows that the model satisfies VANET intrusion detection low-latency standards with an average inference time of X milliseconds per sample. Lightweight design from feature selection and dimensionality reduction reduces processing overhead for vehicle systems with limited resources. These changes allow the recommended IDS to identify intrusions quickly and accurately, perfect for real-time VANET structure.

Conclusion

Intelligent IDSs are quickly becoming a crucial security element in modern systems like autonomous and semi-self-driving cars. The development and application of self-driving cars are directly impacted by the various forms of attacks that are launched against these vehicles, networks, and gadgets. Attackers constantly create new methods to compromise system data, and in the case of VANET, the likelihood of an accident increases if the attacker alters or hacks the data. Intrusion detection is required to prevent accidents and offer road safety. By examining and categorizing communications in the VANET, the IDS efficiently identifies assaults and addresses VANET security concerns. The precision and effectiveness of the IDS in VANET are increased when DL algorithms are applied, as opposed to the prior approach, which used artificial intelligence and ML to construct the system. Thus, we suggest using DNN for feature selection and BSAR and advanced autoencoders optimized by LSO to increase the detection rate of anomalous behaviors in the vehicle system, based on an examination of the present security issues with the vehicle network. The suggested model secured the improved accuracy of 98.1% with the F1 score of 97.2% which is superior to considered conventional ML and DL approaches. We intend to further explore the use of various deep learning technologies in the future to guarantee the security of the in-car system and discover a more effective solution. The work wishes to encourage the application of these technologies in conjunction with artificial intelligence techniques for network security. Thus, the effort can help solve network security issues more effectively.